Sun Java System Directory Server Enterprise Edition 6.2 Man Page Reference

Directory Server Configuration

algorithm(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

encryption, algorithm – DS attribute encryption (ETA) properties

Description

Directory Server allows you to encrypt individual attributes to protect sensitive information stored in the directory. The encryption does not prevent client applications from reading the attributes. Instead it works at the database index file level to prevent users with access to read database index files from being able to search through the indexes for sensitive information.

For example, before attribute encryption is configured for uid attributes, a user with read access to database index files could easily find out that bjensen is a uid attribute value:

$ strings example_uid.db3 | grep bjensen
=bjensen
$

Once uid attributes are encrypted, the job is not so easy:

$ strings example_uid.db3 | grep bjensen
$

Notice however that encrypted RDN values are not fully hidden. Instead they appear in clear in the DN index:

$ strings example_entrydn.db3 | grep bjensen
=uid=bjensen,ou=people,dc=example,dc=com
=uid=bjensen,ou=people,dc=example,dc=com
$

PROPERTY: `algorithm`

Syntax	`des\|des3\|rc2\|rc4`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Directory Server uses a cipher to encrypt a specified attribute in a given suffix. This property specifies the cipher used.

The following property values are supported:

des: DES block cipher
des3: Triple-DES block cipher
rc2: RC2 block cipher
rc4: RC4 stream cipher

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

A duration specified in months (M), weeks (w), days (d), hours (h), minutes (m), seconds (s), and miliseconds (ms), or some combination with multiple specifiers. For example, you can specify one week as 1w, 7d, 168h, 10080m, or 604800s. You can also specify one week as 1w0d0h0m0s.

DURATION properties typically do not each support all duration specifiers (Mwdhms). Examine the output of dsconf help-properties for the property to determine which duration specifiers are supported.

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

An interval value of the form hhmm-hhmm 0123456, where the first element specifies the starting hour, the next element the finishing hour in 24-hour time format, from 0000-2359, and the second specifies days, starting with Sunday (0) to Saturday (6).

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

A memory size specified in gigabytes (G), megabytes (M),kilobytes (k), or bytes (b). Unlike DURATION properties, MEMORY_SIZE properties cannot combine multiple specifiers. However, MEMORY_SIZE properties allow decimal values, for example, 1.5M.

NAME

A valid cn (common name).

OCTAL_MODE

A three-digit, octal file permissions specifier. The first digit specifies permissions for the server user ID, the second for the server group ID, the last for other users. Each digit consists of a bitmask defining read (4), write (2), execute (1), or no access (0) permissions, thus 640 specifies read-write access for the server user, read-only access for other users of the server group, and no access for other users.

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

all-ids-threshold(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

all-ids-threshold – Maximum number of values per index key in an index list

Description

Syntax	`INTEGER` or `INTEGER \| inherited`
Default Value	`4000` or `inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the maximum number of values per index key that the server maintains in an index list. It can be set for an entire server instance, for an entire suffix, and for an individual attribute type. You can also set individual thresholds for equality, presence, and substring indexes.

When you do not set specific threshold values, the values at each level are inherited from the more global values. Thus the default suffix threshold value is inherited from the setting for the server instance; the default attribute type value from the setting for the suffix. In addition to inheritance of default settings, this property handles settings as follows.

inherited: The threshold value is inherited from the more global setting.
<2000: The threshold value is rounded up to 2000.
>2000: The setting is used as a guaranteed minimum threshold. Because of internal mechanisms, the real value can be slightly more than the specified value.

After you modify this property for an entire server instance or an entire suffix, import all data from LDIF to reinitialize all indexes.

If you modify this property only for a specific attribute, it is usually most expedient to use the dsconf reindex command on the attribute for which you changed the threshold. The dsconf reindex command runs a directory task to reindex the attribute while the server instance is online.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

all-ids-threshold-eq(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

index, all-ids-threshold-eq, all-ids-threshold-pres, all-ids-threshold-sub, approx-enabled, eq-enabled, matching-rule, pres-enabled, sub-enabled, system – DS attribute indexing (IDX) properties

Description

Directory Server can index attributes, making them faster to search. The dsconf command helps you configure five of the six supported index types:

Equality indexes to determine expediently whether an attribute value is equal to a specified value
Presence indexes to determine whether a specified attribute has any values
Substring indexes to determine whether a specified attribute has values containing a specified string, also used to compare regular expressions to attribute values
Approximate indexes, based on metaphone approximation and useful for English language strings only, to determine whether a specified attribute has any values that sound like the specified string
International indexes, also called matching rule indexes, to expedite sorting and searching in accordance with the language rules of a particular locale

The dsconf command does not help you configure virtual list view, also known as browsing, indexes.

The dsconf command does help you assign all IDs threshold values to indexes. As the number of entries and attribute values grows in a directory, the number of attribute values to index also grows, as does therefore the size of the indexes. In some deployments a server can end up maintaining index lists so large that the cost of rebuilding an index when attributes are modified or added outweighs the benefit the index provides for searches. All IDs thresholds limit the growth of large indexes by definining the maximum number of entry identifiers Directory Server maintains in an index list. You can define all IDs thresholds for individual indexes and for some types of indexes.

Some indexes are maintained by the server for its own use. These are called system indexes. In general, do not modify or remove systems indexes; such modifications could have severe repercussions on performance.

See Directory Server Indexing in Sun Java System Directory Server Enterprise Edition Reference for further details about indexing.

PROPERTY: `all-ids-threshold`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the maximum number of entry IDs the server maintains in an index list for the specified attribute type. By default its value is inherited from the all-ids-threshold setting for the suffix, whose default value in turn is inherited from the all-ids-threshold setting for the server, which by default is 4000. In addition to inheritance of default settings, this property handles settings as follows:

inherited: The threshold is inherited from the more global setting.
<2000: The threshold value is rounded up to 2000.
>2000: The setting is used as a guaranteed minimum threshold. Because of internal mechanisms, the real value can be slightly more than the specified value.

After you modify this property, reindex the attribute for which you changed the threshold. For example:

$ dsconf set-index-prop dc=example,dc=com uid all-ids-threshold:5000
$ dsconf reindex -t uid dc=example,dc=com

## example: Indexing attribute: uid
## example: Finished indexing.

Task completed (slapd exit code: 0).
$

PROPERTY: `all-ids-threshold-eq`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the all IDs threshold for equality indexes of the specified attribute. By default its value is inherited from the all-ids-threshold setting for the attribute type. See all-ids-threshold(5dsconf) for more information.

PROPERTY: `all-ids-threshold-pres`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the all IDs threshold for presence indexes of the specified attribute. By default its value is inherited from the all-ids-threshold setting for the attribute type. See all-ids-threshold(5dsconf) for more information.

PROPERTY: `all-ids-threshold-sub`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the all IDs threshold for substring indexes of the specified attribute. By default its value is inherited from the all-ids-threshold setting for the attribute type. See all-ids-threshold(5dsconf) for more information.

PROPERTY: `approx-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether approximate indexes are maintained for the specified attribute type. You cannot set an all IDs threshold value for approximate indexes.

PROPERTY: `desc`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Use this optional property to provide a short description of the index configuration.

PROPERTY: `eq-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether equality indexes are maintained for the specified attribute type.

PROPERTY: `matching-rule`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the matching rule indexes maintained for the specified attribute type.

Values for this property must be valid collation order object identifiers (OIDs). See Directory Server Internationalized Directory in Directory Server Enterprise Edition Reference for the OIDs corresponding to supported locales.

PROPERTY: `pres-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether presence indexes are maintained for the specified attribute type.

PROPERTY: `sub-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether substring indexes are maintained for the specified attribute type.

PROPERTY: `system`

Syntax	`true\|false`
Default Value	`false`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property identifies whether the specified index is a system index, and therefore should be left alone.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

all-ids-threshold-pres(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

index, all-ids-threshold-eq, all-ids-threshold-pres, all-ids-threshold-sub, approx-enabled, eq-enabled, matching-rule, pres-enabled, sub-enabled, system – DS attribute indexing (IDX) properties

Description

Directory Server can index attributes, making them faster to search. The dsconf command helps you configure five of the six supported index types:

Equality indexes to determine expediently whether an attribute value is equal to a specified value
Presence indexes to determine whether a specified attribute has any values
Substring indexes to determine whether a specified attribute has values containing a specified string, also used to compare regular expressions to attribute values
Approximate indexes, based on metaphone approximation and useful for English language strings only, to determine whether a specified attribute has any values that sound like the specified string
International indexes, also called matching rule indexes, to expedite sorting and searching in accordance with the language rules of a particular locale

The dsconf command does not help you configure virtual list view, also known as browsing, indexes.

See Directory Server Indexing in Sun Java System Directory Server Enterprise Edition Reference for further details about indexing.

PROPERTY: `all-ids-threshold`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

inherited: The threshold is inherited from the more global setting.
<2000: The threshold value is rounded up to 2000.
>2000: The setting is used as a guaranteed minimum threshold. Because of internal mechanisms, the real value can be slightly more than the specified value.

After you modify this property, reindex the attribute for which you changed the threshold. For example:

$ dsconf set-index-prop dc=example,dc=com uid all-ids-threshold:5000
$ dsconf reindex -t uid dc=example,dc=com

## example: Indexing attribute: uid
## example: Finished indexing.

Task completed (slapd exit code: 0).
$

PROPERTY: `all-ids-threshold-eq`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `all-ids-threshold-pres`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `all-ids-threshold-sub`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `approx-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether approximate indexes are maintained for the specified attribute type. You cannot set an all IDs threshold value for approximate indexes.

PROPERTY: `desc`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Use this optional property to provide a short description of the index configuration.

PROPERTY: `eq-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether equality indexes are maintained for the specified attribute type.

PROPERTY: `matching-rule`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the matching rule indexes maintained for the specified attribute type.

PROPERTY: `pres-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether presence indexes are maintained for the specified attribute type.

PROPERTY: `sub-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether substring indexes are maintained for the specified attribute type.

PROPERTY: `system`

Syntax	`true\|false`
Default Value	`false`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property identifies whether the specified index is a system index, and therefore should be left alone.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

all-ids-threshold-sub(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

index, all-ids-threshold-eq, all-ids-threshold-pres, all-ids-threshold-sub, approx-enabled, eq-enabled, matching-rule, pres-enabled, sub-enabled, system – DS attribute indexing (IDX) properties

Description

Directory Server can index attributes, making them faster to search. The dsconf command helps you configure five of the six supported index types:

Equality indexes to determine expediently whether an attribute value is equal to a specified value
Presence indexes to determine whether a specified attribute has any values
Substring indexes to determine whether a specified attribute has values containing a specified string, also used to compare regular expressions to attribute values
Approximate indexes, based on metaphone approximation and useful for English language strings only, to determine whether a specified attribute has any values that sound like the specified string
International indexes, also called matching rule indexes, to expedite sorting and searching in accordance with the language rules of a particular locale

The dsconf command does not help you configure virtual list view, also known as browsing, indexes.

See Directory Server Indexing in Sun Java System Directory Server Enterprise Edition Reference for further details about indexing.

PROPERTY: `all-ids-threshold`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

inherited: The threshold is inherited from the more global setting.
<2000: The threshold value is rounded up to 2000.
>2000: The setting is used as a guaranteed minimum threshold. Because of internal mechanisms, the real value can be slightly more than the specified value.

After you modify this property, reindex the attribute for which you changed the threshold. For example:

$ dsconf set-index-prop dc=example,dc=com uid all-ids-threshold:5000
$ dsconf reindex -t uid dc=example,dc=com

## example: Indexing attribute: uid
## example: Finished indexing.

Task completed (slapd exit code: 0).
$

PROPERTY: `all-ids-threshold-eq`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `all-ids-threshold-pres`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `all-ids-threshold-sub`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `approx-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether approximate indexes are maintained for the specified attribute type. You cannot set an all IDs threshold value for approximate indexes.

PROPERTY: `desc`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Use this optional property to provide a short description of the index configuration.

PROPERTY: `eq-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether equality indexes are maintained for the specified attribute type.

PROPERTY: `matching-rule`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the matching rule indexes maintained for the specified attribute type.

PROPERTY: `pres-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether presence indexes are maintained for the specified attribute type.

PROPERTY: `sub-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether substring indexes are maintained for the specified attribute type.

PROPERTY: `system`

Syntax	`true\|false`
Default Value	`false`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property identifies whether the specified index is a system index, and therefore should be left alone.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

approx-enabled(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

index, all-ids-threshold-eq, all-ids-threshold-pres, all-ids-threshold-sub, approx-enabled, eq-enabled, matching-rule, pres-enabled, sub-enabled, system – DS attribute indexing (IDX) properties

Description

Directory Server can index attributes, making them faster to search. The dsconf command helps you configure five of the six supported index types:

Equality indexes to determine expediently whether an attribute value is equal to a specified value
Presence indexes to determine whether a specified attribute has any values
Substring indexes to determine whether a specified attribute has values containing a specified string, also used to compare regular expressions to attribute values
Approximate indexes, based on metaphone approximation and useful for English language strings only, to determine whether a specified attribute has any values that sound like the specified string
International indexes, also called matching rule indexes, to expedite sorting and searching in accordance with the language rules of a particular locale

The dsconf command does not help you configure virtual list view, also known as browsing, indexes.

See Directory Server Indexing in Sun Java System Directory Server Enterprise Edition Reference for further details about indexing.

PROPERTY: `all-ids-threshold`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

inherited: The threshold is inherited from the more global setting.
<2000: The threshold value is rounded up to 2000.
>2000: The setting is used as a guaranteed minimum threshold. Because of internal mechanisms, the real value can be slightly more than the specified value.

After you modify this property, reindex the attribute for which you changed the threshold. For example:

$ dsconf set-index-prop dc=example,dc=com uid all-ids-threshold:5000
$ dsconf reindex -t uid dc=example,dc=com

## example: Indexing attribute: uid
## example: Finished indexing.

Task completed (slapd exit code: 0).
$

PROPERTY: `all-ids-threshold-eq`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `all-ids-threshold-pres`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `all-ids-threshold-sub`

Syntax	`INTEGER \| inherited`
Default Value	`inherited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `approx-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether approximate indexes are maintained for the specified attribute type. You cannot set an all IDs threshold value for approximate indexes.

PROPERTY: `desc`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Use this optional property to provide a short description of the index configuration.

PROPERTY: `eq-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether equality indexes are maintained for the specified attribute type.

PROPERTY: `matching-rule`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the matching rule indexes maintained for the specified attribute type.

PROPERTY: `pres-enabled`

Syntax	`on\|off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether presence indexes are maintained for the specified attribute type.

PROPERTY: `sub-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether substring indexes are maintained for the specified attribute type.

PROPERTY: `system`

Syntax	`true\|false`
Default Value	`false`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property identifies whether the specified index is a system index, and therefore should be left alone.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

argument(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

plugin, argument, depends-on-named, depends-on-type, feature, init-func, lib-path, type, vendor, version – DS plug-in configuration (PLG) properties

Description

Directory Server implements some key functionality as plug-ins. Plug-ins take the form of libraries loaded when the server starts, and called at different points in the processing of client application requests. When you create custom plug-ins, you must configure the server to load and use them, then restart Directory Server to load the newly configured plug-ins.

PROPERTY: `argument`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies arguments passed to the plug-in when it is loaded by Directory Server. Arguments are passed in the order you specify them. Updating the list of arguments replaces all the existing arguments previously specified when the plug-in is loaded again.

PROPERTY: `depends-on-named`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies names of plug-ins that must be available and loaded before Directory Server loads the current plug-in.

PROPERTY: `depends-on-type`

Syntax	`STRING` (See the description that follows.)
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies types of plug-ins that must be available and loaded before Directory Server loads the current plug-in. The value must be the value of a plug-in type property.

PROPERTY: `feature`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the plug-in identifier from the Slapi_PluginDesc structure.

PROPERTY: `init-func`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of function called by Directory Server to initialize the plug-in.

PROPERTY: `lib-path`

Syntax	`PATH`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the absolute file system path to the library containing plug-in.

PROPERTY: `type`

Syntax	`STRING` (See the description that follows.)
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the plug-in type. The following plug-in types are supported.

ldbmentryfetchstore: Entry store and fetch plug-in
extendedop: Extended operation plug-in
passwordcheck: Password check plug-in
postoperation: Post-operation plug-in
preoperation: Pre-operation plug-in
internalpostoperation: Internal post-operation plug-in
internalpreoperation: Internal pre-operation plug-in
matchingrule: Matching rule plug-in for extensible match search filters
object: Generic plug-in type, sometimes used to register other plug-ins
passwordcheck: Strong password check plug-in
pwdstoragescheme: Password storage scheme plug-in

PROPERTY: `vendor`

Syntax	`STRING`
Default Value	Vendor name in plug-in configuration
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the plug-in vendor from the Slapi_PluginDesc structure.

PROPERTY: `version`

Syntax	`STRING`
Default Value	Version string in plug-in configuration
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the plug-in version from the Slapi_PluginDesc structure.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Stable

attr(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

repl-priority, attr, base-dn, bind-dn, op-type – DS prioritized replication configuration (RPR) properties

Description

Prioritized replication lets you force a Directory Server supplier to assign higher priority to certain updates replicated on a Directory Server consumer. You prioritize replication operations by creating replication priority rules.

PROPERTY: `attr`

Syntax	`ATTR_NAME`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the attribute type to which the replication priority rule applies.

PROPERTY: `base-dn`

Syntax	`DN`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the DN under which the replication priority rule applies. For example, if you set base-dn:ou=administrators,dc=example,dc=com, then changes to uid=myAdmin,ou=administrators,dc=example,dc=com might be replicated with high priority, but changes to uid=bjensen,ou=people,dc=example,dc=com would not.

PROPERTY: `bind-dn`

Syntax	`DN`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a bind DN for an account whose updates might be replicated with high priority.

PROPERTY: `op-type`

Syntax	`add \| mod \| del`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a type of operation for which updates might be replicated with high priority.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

auth-bind-dn(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

repl-agmt, auth-bind-dn, auth-protocol, auth-pwd, repl-fractional-exclude-attr, repl-fractional-include-attr, repl-schedule, transport-compression, transport-group-size, transport-window-size – DS replication agreement configuration (RAG) properties

Description

A replication agreement governs how a Directory Server supplier updates a Directory Server consumer. Although this configuration element is called an agreement, it concerns the configuration only of the supplier.

PROPERTY: `auth-bind-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the bind DN used by the supplier to bind to the consumer in order to perform replication-related updates. This bind DN must be present on the consumer.

PROPERTY: `auth-protocol`

Syntax	`clear\|ssl-simple\|ssl-client`
Default Value	`clear`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the protocol used by the supplier to bind to the consumer in order to perform replication-related updates. The default is to bind with simple authentication in clear text without securing the connection, as most replications connections are made on an internal network. You may however configure replication to use SSL and simple authentication to protect the connection from malicious snooping, or SSL with client authentication to further protect the connection.

PROPERTY: `auth-pwd`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password used by the supplier to bind to the consumer. You provide it using auth-pwd-file.

PROPERTY: `auth-pwd-file`

Syntax	`PATH`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the bind password for replication is read to create the replication agreement. The file is read once on replication agreement creation, and the password is stored for future use.

PROPERTY: `repl-fractional-exclude-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the list of attributes not to replicate. This property is mutually exclusive with repl-fractional-include-attr.

PROPERTY: `repl-fractional-include-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the list of attributes to replicate. This property is mutually exclusive with repl-fractional-exclude-attr.

PROPERTY: `repl-schedule`

Syntax	`INTERVAL \| always`
Default Value	`always`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the times and days when replication can take place.

PROPERTY: `transport-compression`

Syntax	`best-compression \| best-speed \| default-compression \| no-compression`
Default Value	`no-compression`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the level of libz(3) compression used on replication updates from the supplier to the consumer. Supported settings are as follows.

no-compression: No compression
default-compression: Default zlib compression (zlib numeric value = -1)
best-speed: Fastest zlib compression (zlib numeric value = 1)
best-compression: Strongest zlib compression (zlib numeric value = 9)

If the bottleneck for replication in your environment is network bandwidth, this property can potentially help you tune the replication protocol for better performance.

PROPERTY: `transport-group-size`

Syntax	`INTEGER`
Default Value	`1`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many replication messages are grouped on the supplier before being sent to the consumer. Valid range is 1 to 255.

If the bottleneck for replication in your environment is network bandwidth, this property can potentially help you tune the replication protocol for better performance.

PROPERTY: `transport-window-size`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of replication messages sent from the supplier to the consumer before waiting for a response from the consumer to continue. Valid range is 1 to 65535.

If the bottleneck for replication in your environment is network latency or network bandwidth, this property can potentially help you tune the replication protocol for better performance.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

auth-protocol(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

PROPERTY: `auth-bind-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the bind DN used by the supplier to bind to the consumer in order to perform replication-related updates. This bind DN must be present on the consumer.

PROPERTY: `auth-protocol`

Syntax	`clear\|ssl-simple\|ssl-client`
Default Value	`clear`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `auth-pwd`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password used by the supplier to bind to the consumer. You provide it using auth-pwd-file.

PROPERTY: `auth-pwd-file`

Syntax	`PATH`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `repl-fractional-exclude-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the list of attributes not to replicate. This property is mutually exclusive with repl-fractional-include-attr.

PROPERTY: `repl-fractional-include-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the list of attributes to replicate. This property is mutually exclusive with repl-fractional-exclude-attr.

PROPERTY: `repl-schedule`

Syntax	`INTERVAL \| always`
Default Value	`always`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the times and days when replication can take place.

PROPERTY: `transport-compression`

Syntax	`best-compression \| best-speed \| default-compression \| no-compression`
Default Value	`no-compression`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the level of libz(3) compression used on replication updates from the supplier to the consumer. Supported settings are as follows.

no-compression: No compression
default-compression: Default zlib compression (zlib numeric value = -1)
best-speed: Fastest zlib compression (zlib numeric value = 1)
best-compression: Strongest zlib compression (zlib numeric value = 9)

If the bottleneck for replication in your environment is network bandwidth, this property can potentially help you tune the replication protocol for better performance.

PROPERTY: `transport-group-size`

Syntax	`INTEGER`
Default Value	`1`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many replication messages are grouped on the supplier before being sent to the consumer. Valid range is 1 to 255.

If the bottleneck for replication in your environment is network bandwidth, this property can potentially help you tune the replication protocol for better performance.

PROPERTY: `transport-window-size`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of replication messages sent from the supplier to the consumer before waiting for a response from the consumer to continue. Valid range is 1 to 65535.

If the bottleneck for replication in your environment is network latency or network bandwidth, this property can potentially help you tune the replication protocol for better performance.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

auth-pwd(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

PROPERTY: `auth-bind-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the bind DN used by the supplier to bind to the consumer in order to perform replication-related updates. This bind DN must be present on the consumer.

PROPERTY: `auth-protocol`

Syntax	`clear\|ssl-simple\|ssl-client`
Default Value	`clear`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `auth-pwd`

Syntax	`STRING`
Default Value	`None`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password used by the supplier to bind to the consumer. You provide it using auth-pwd-file.

PROPERTY: `auth-pwd-file`

Syntax	`PATH`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `repl-fractional-exclude-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the list of attributes not to replicate. This property is mutually exclusive with repl-fractional-include-attr.

PROPERTY: `repl-fractional-include-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the list of attributes to replicate. This property is mutually exclusive with repl-fractional-exclude-attr.

PROPERTY: `repl-schedule`

Syntax	`INTERVAL \| always`
Default Value	`always`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the times and days when replication can take place.

PROPERTY: `transport-compression`

Syntax	`best-compression \| best-speed \| default-compression \| no-compression`
Default Value	`no-compression`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the level of libz(3) compression used on replication updates from the supplier to the consumer. Supported settings are as follows.

no-compression: No compression
default-compression: Default zlib compression (zlib numeric value = -1)
best-speed: Fastest zlib compression (zlib numeric value = 1)
best-compression: Strongest zlib compression (zlib numeric value = 9)

If the bottleneck for replication in your environment is network bandwidth, this property can potentially help you tune the replication protocol for better performance.

PROPERTY: `transport-group-size`

Syntax	`INTEGER`
Default Value	`1`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many replication messages are grouped on the supplier before being sent to the consumer. Valid range is 1 to 255.

If the bottleneck for replication in your environment is network bandwidth, this property can potentially help you tune the replication protocol for better performance.

PROPERTY: `transport-window-size`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of replication messages sent from the supplier to the consumer before waiting for a response from the consumer to continue. Valid range is 1 to 65535.

If the bottleneck for replication in your environment is network latency or network bandwidth, this property can potentially help you tune the replication protocol for better performance.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

b(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

log, buffering-enabled, level, max-age, max-disk-space-size, max-file-count, max-size, min-free-disk-space-size, path, perm, rotation-interval, rotation-min-file-size, rotation-time, verbose-enabled – DS logging configuration (LOG) properties

Description

Directory Server writes to three main types of log files you can configure, the INSTANCE_PATH/logs/access, INSTANCE_PATH/logs/audit, and INSTANCE_PATH/logs/errors logs, where INSTANCE_PATH is the full path where the server instance is located, such as /local/ds.

When you specify one of these properties with dsconf get-log-prop or dsconf set-log-prop, you must specify which type of log configuration, access, audit, or errors, you want to examine. For example, to see whether audit logging is enabled for a server instance:

$ dsconf get-log-prop audit enabled
enabled  :  off
$

PROPERTY: `buffering-enabled`

Syntax	`on \| off`
Default Value	`on` for `access`, not applicable to `audit` and `errors` logs
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property indicates whether Directory Server writes access log entries directly to disk, or use a buffer, by default.

PROPERTY: `enabled`

Syntax	`on \| off`
Default Value	`on` for `access`, `off` for `audit`, `on` for `errors`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property indicates whether the specified log type is enabled.

PROPERTY: `level`

Syntax	See the description that follows.
Default Value	`default`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property defines which kinds of messages get logged. This property is applicable only to access, and errors logs.

access log levels

The following settings are supported:

acc-internal: Log access information for internal operations.
default: Log client access to entries.
acc-default_plus_referrals: As default, but also log access to referrals.
acc-timing: Use precise timing for microsecond resolution of elapsed times.

errors log levels

The following settings are supported:

default: Log startup, shutdown, errors, and warnings.
err-function-calls: Log when server enters or exits a function.
err-search-args: Log search arguments.
err-connection: Connection management.
err-packets: Log packets sent and received.
err-search-filter: Log search filter information.
err-config-file: Log information for changes to the configuration file dse.ldif.
err-acl: Log access control processing information.
err-ldbm: Log information from the ldbm database plugin.
err-entry-parsing: Log LDIF parsing errors.
err-housekeeping: Log event queue information.
err-replication: Log information about replication operations.
err-entry-cache: Log entry cache information.
err-plugins: Log information from server plug-ins.
err-dsml: Log information from DSML front end.
err-dsml-advanced: Debugging information for DSML.

PROPERTY: `max-age`

Syntax	`DURATION \| unlimited`
Default Value	`1M` (one month)
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the age beyond which the specified type of log file is deleted.

PROPERTY: `max-disk-space-size`

Syntax	`MEMORY_SIZE \| unlimited`
Default Value	`500M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the maximum disk space the specified type of log is allowed to consume. When the limit is reached, the server deletes the oldest log file to reclaim disk space.

PROPERTY: `max-file-count`

Syntax	`Integer`
Default Value	`10` for `access`, `2` for `errors`, `1` for `audit`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the maximum number of log files, including rotated logs, of the specified type that the server allows to be created in the log file directory. When the limit is reached, the server deletes the oldest log file to reclaim disk space.

When you set this property to 1, the specified log is not rotated.

PROPERTY: `max-size`

Syntax	`MEMORY_SIZE \| unlimited`
Default Value	`100M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the maximum file size for the specified log. When the limit is reached, the server rotates the log file, unless max-file-count is set to 1.

PROPERTY: `min-free-disk-space-size`

Syntax	`MEMORY_SIZE`
Default Value	`5M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the minimum free space allowed on the disk where the specified log is stored. When the limit is reached, the server deletes the oldest log files until enough space is available.

PROPERTY: `path`

Syntax	`PATH`
Default Value	`INSTANCE_PATH/logs/access`, `INSTANCE_PATH/logs/audit`, `INSTANCE_PATH/logs/errors`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the full path to the specified log file type.

PROPERTY: `perm`

Syntax	`OCTAL_MODE`
Default Value	`600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the read, write, and execute permissions on the specified log file.

PROPERTY: `rotation-interval`

Syntax	`DURATION \| unlimited`
Default Value	`1d` (one day) for `access`, `1w` (one week) for `audit` and `errors`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the duration between rotations of the specified log file.

PROPERTY: `rotation-min-file-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the minimum size the specified log file must have before the server rotates it.

PROPERTY: `rotation-time`

Syntax	`TIME \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property defines the time of day when the server rotates the specified log file.

PROPERTY: `verbose-enabled`

Syntax	`on\|off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property determines whether extra informational messages are written to the errors log.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

base-dn(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

repl-priority, attr, base-dn, bind-dn, op-type – DS prioritized replication configuration (RPR) properties

Description

PROPERTY: `attr`

Syntax	`ATTR_NAME`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the attribute type to which the replication priority rule applies.

PROPERTY: `base-dn`

Syntax	`DN`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `bind-dn`

Syntax	`DN`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a bind DN for an account whose updates might be replicated with high priority.

PROPERTY: `op-type`

Syntax	`add \| mod \| del`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a type of operation for which updates might be replicated with high priority.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

bind-dn(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

repl-priority, attr, base-dn, bind-dn, op-type – DS prioritized replication configuration (RPR) properties

Description

PROPERTY: `attr`

Syntax	`ATTR_NAME`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the attribute type to which the replication priority rule applies.

PROPERTY: `base-dn`

Syntax	`DN`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `bind-dn`

Syntax	`DN`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a bind DN for an account whose updates might be replicated with high priority.

PROPERTY: `op-type`

Syntax	`add \| mod \| del`
Default Value	`None`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a type of operation for which updates might be replicated with high priority.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

check-schema-enabled(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

server, check-schema-enabled, check-syntax-enabled, config-magic-number, db-batched-transaction-count, db-cache-size, db-checkpoint-interval, db-env-path, db-lock-count, db-log-buf-size, db-log-path, def-repl-manager-pwd, def-repl-manager-pwd-file, dn-cache-count, dn-cache-size, dsml-answer-size, dsml-buffer-size, dsml-client-auth-mode, dsml-enabled, dsml-max-parser-count, dsml-min-parser-count, dsml-port, dsml-relative-root-url, dsml-request-max-size, dsml-secure-port, file-descriptor-count, heap-high-threshold-size, heap-low-threshold-size, host-access-dir-path, idle-timeout, import-cache-size, instance-path, ldap-port, ldap-secure-port, listen-address, look-through-limit, max-psearch-count, max-thread-count, max-thread-per-connection-count, mod-tracking-enabled, pwd-accept-hashed-pwd-enabled, pwd-check-enabled, pwd-compat-mode, pwd-expire-no-warning-enabled, pwd-expire-warning-delay, pwd-failure-count-interval, pwd-grace-login-limit, pwd-keep-last-auth-time-enabled, pwd-lockout-duration, pwd-lockout-enabled, pwd-lockout-repl-priority-enabled, pwd-max-age, pwd-max-failure-count, pwd-max-history-count, pwd-min-age, pwd-min-length, pwd-mod-gen-length, pwd-must-change-enabled, pwd-root-dn-bypass-enabled, pwd-safe-modify-enabled, pwd-storage-scheme, pwd-strong-check-dictionary-path, pwd-strong-check-enabled, pwd-strong-check-require-charset, pwd-supported-storage-scheme, pwd-user-change-enabled, read-write-mode, ref-integrity-attr, ref-integrity-check-delay, ref-integrity-enabled, repl-user-schema-enabled, require-bind-pwd-enabled, retro-cl-deleted-entry-attr, retro-cl-enabled, retro-cl-ignored-attr, retro-cl-max-age, retro-cl-max-entry-count, retro-cl-path, retro-cl-suffix-dn, root-dn, root-pwd, root-pwd-file, root-pwd-storage-scheme, search-size-limit, search-time-limit, secure-listen-address, ssl-cipher-family, ssl-client-auth-mode, ssl-enabled, ssl-rsa-cert-name, ssl-rsa-security-device, ssl-supported-ciphers, thread-count – DS server instance configuration (SER) properties

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that attribute values being updated have valid syntax. The server logs an error message when encountering an invalid value and prevents the update. When this property is set to on, the server checks updates to attribute values defined as Boolean, DN, Directory String, Generalized Time, IA5 String, INTEGER, or Telephone Number syntax. This behavior holds both for offline import and for normal write operations.

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

Syntax is not checked on existing entries in the database. To clean up existing data, dump the database to LDIF, turn syntax checking on, and reload the database. Data that violates the syntax is visible in the errors log, and can be corrected and reloaded. You can also repair existing bad data by deleting or replacing the bad value using an LDAP client. If syntax checking is on, when a database is reloaded from LDIF, invalid syntax values are skipped and recorded in the errors log. Valid syntax values are reloaded.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many server transactions are gathered into a batch before being written to the transaction log. If writes to the transaction log are a bottleneck, you may potentially improve performance by increasing this value. Valid range is 0-30, 0 meaning that batching is turned off.

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the amount of physical memory Directory Server requests from the operating system to cache indexes for all suffixes supported by the server instance. See Directory Server Data Caching in Directory Server Enterprise Edition Reference for suggestions on sizing cache.

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a valid directory, unique to the server instance, on a tmpfs file system used to limit the time spent flushing pages for a server instance handling a high write load. There must be enough space available on the tmpfs file system to house at least the actual size of the database cache.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property lets you read the password used for replication binds performed using simple authentication. Either you specify the password before setting up replication by setting def-repl-manager-pwd-file to specify the file containing the password you want to use, or you accept the password value generated by the dsconf accord-replication subcommand.

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the DN cache in terms of number of entries. The value of dn-cache-count is unlimited by default. The value of dn-cache-count can be an integer, unlimited, and disabled and each of these has the following effect on dn-cache-size.

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the DN cache in terms of memory space. This property is set by default. The cache size must be larger than 1M. The DN cache size specified for this property is taken into account only when dn-cache-count is set to unlimited.

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of DSML parsers allocated to handle client requests. Increase the value of this property if the server must handle sustained, high numbers of DSML client requests.

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of DSML parsers allocated to handle client requests. Increase the value of this property if the server must handle sustained, high numbers of DSML client requests.

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of file descriptors the server instance attempts to use to handle client requests. Increase this value if you observe the following message in the errors log:

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies a threshold value for the dynamic memory footprint. When the threshold memory is reached, Directory Server attempts to free memory from the entry caches, and to limit memory use.

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the local directory path on the server host where hosts.allow and hosts.deny files are located. If this property is not set, or if the files are not found, Directory Server does not enable the additional connection-based access controls provided by these files.

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the amount of physical memory Directory Server requests from the operating system to cache data used when initializing a suffix from LDIF. See Directory Server Data Caching in Directory Server Enterprise Edition Reference for suggestions on sizing cache.

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port on which the server listens for LDAP client requests. The default port is 389 when the instance is created by the system super user, 1389 otherwise. Changing this property requires that you restart the server.

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port on which the server listens for LDAPS client requests using TLS or SSL. The default port is 636 when the instance is created by the system super user, 1636 otherwise. Changing this property requires that you restart the server.

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the IP address at which the server listens for LDAP client requests using the regular LDAP port. You can specify more than one listen address for the same port number. The default listen address is 0.0.0.0. Changing this property requires that you restart the server.

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of threads created at startup to process operations. When tuning server performance, try setting this to twice the number of processors or 20 plus the number of simultaneous updates expected. You can read the number of active threads in the value of threads on cn=monitor.

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password policy compatibility mode for the server. Change it using dsconf pwd-compat. See Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide for details on password policy.

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the length of the password generated by Directory Server when a password is reset using the LDAP Password Modify Extended Operation defined in RFC 3062 and no new password value is specified.

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether only schema elements with X-ORIGIN of user-defined are replicated. This can be useful when replicating between server versions with schema that are not fully compatible.

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.

PROPERTY: `search-size-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`2000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server returns for a search operation.

PROPERTY: `search-time-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`3600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of seconds allocated by the server to respond to a search request.

PROPERTY: `secure-listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the IP address at which the server listens for LDAP client requests using the secure LDAP port. You can specify more than one secure listen address for the same port number. The default secure listen address is 0.0.0.0. Changing this property requires that you restart the server.

PROPERTY: `ssl-cipher-family`

Syntax	`STRING \| all`
Default Value	`all`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the SSL ciphers the server can use for SSL communications. The default value, all, does not mean all the supported SSL ciphers, as supported ciphers with NULL key length are removed from the list.

PROPERTY: `ssl-client-auth-mode`

Syntax	`allowed \| required \| disabled`
Default Value	`allowed`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.

PROPERTY: `ssl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts SSL connnections.

PROPERTY: `ssl-rsa-cert-name`

Syntax	`STRING`
Default Value	defaultCert
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the SSL certificate for the server.

PROPERTY: `ssl-rsa-security-device`

Syntax	`STRING`
Default Value	`internal (software)`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the security device used by the server.

PROPERTY: `ssl-supported-ciphers`

Syntax	`STRING`
Default Value	Depends on underlying SSL library
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the full list of SSL ciphers the server can support.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

check-syntax-enabled(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.

PROPERTY: `search-size-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`2000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server returns for a search operation.

PROPERTY: `search-time-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`3600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of seconds allocated by the server to respond to a search request.

PROPERTY: `secure-listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-cipher-family`

Syntax	`STRING \| all`
Default Value	`all`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-client-auth-mode`

Syntax	`allowed \| required \| disabled`
Default Value	`allowed`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.

PROPERTY: `ssl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts SSL connnections.

PROPERTY: `ssl-rsa-cert-name`

Syntax	`STRING`
Default Value	defaultCert
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the SSL certificate for the server.

PROPERTY: `ssl-rsa-security-device`

Syntax	`STRING`
Default Value	`internal (software)`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the security device used by the server.

PROPERTY: `ssl-supported-ciphers`

Syntax	`STRING`
Default Value	Depends on underlying SSL library
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the full list of SSL ciphers the server can support.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

config-magic-number(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.

PROPERTY: `search-size-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`2000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server returns for a search operation.

PROPERTY: `search-time-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`3600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of seconds allocated by the server to respond to a search request.

PROPERTY: `secure-listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-cipher-family`

Syntax	`STRING \| all`
Default Value	`all`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-client-auth-mode`

Syntax	`allowed \| required \| disabled`
Default Value	`allowed`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.

PROPERTY: `ssl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts SSL connnections.

PROPERTY: `ssl-rsa-cert-name`

Syntax	`STRING`
Default Value	defaultCert
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the SSL certificate for the server.

PROPERTY: `ssl-rsa-security-device`

Syntax	`STRING`
Default Value	`internal (software)`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the security device used by the server.

PROPERTY: `ssl-supported-ciphers`

Syntax	`STRING`
Default Value	Depends on underlying SSL library
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the full list of SSL ciphers the server can support.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

controls(5dsconf)

NAME | Description

NAME

controls – LDAP controls handled by Directory Server

Description

LDAPv3 controls specify extension information sent as part of a request. An explanation of what an LDAPv3 control is can be found in RFC 2251.

Directory Server handles the LDAP controls listed here according to their interface stability. See attributes(5) for descriptions of interface stability.

INTERFACE STABILITY: STANDARD

1.2.840.113556.1.4.473: Server-side sort request, described in RFC 2891
2.16.840.1.113730.3.4.2: Manage DSA IT control, described in RFC 3296
2.16.840.1.113730.3.4.15: Authorization bind identity response control, described in RFC 3829
2.16.840.1.113730.3.4.16: Authorization bind identity request control, described in RFC 3829
2.16.840.1.113730.3.4.18: Proxied authorization (version 2) control, described in RFC 4370.

INTERFACE STABILITY: EXTERNAL

1.3.6.1.4.1.42.2.27.8.5.1: Password policy control
2.16.840.1.113730.3.4.3: Persistent search control
2.16.840.1.113730.3.4.9: Virtual list view request control

INTERFACE STABILITY: STABLE

1.3.6.1.4.1.42.2.27.9.5.2: Get effective rights request control
1.3.6.1.4.1.42.2.27.9.5.8: Account usability control
2.16.840.1.113730.3.4.4: Password expired notification control
2.16.840.1.113730.3.4.5: Password expiring notification control
2.16.840.1.113730.3.4.14: Specific backend search request control
2.16.840.1.113730.3.4.17: Real attributes only request control
2.16.840.1.113730.3.4.19: Virtual attributes only request control

INTERFACE STABILITY: PRIVATE

1.3.6.1.4.1.1466.29539.12: Chained request control
1.3.6.1.4.1.42.2.27.9.5.6: Directory Server initialization control
2.16.840.1.113730.3.4.13: Replication update information control

INTERFACE STABILITY: DEPRECATED

The following control is scheduled for removal.

2.16.840.1.113730.3.4.12: Proxied authorization (version 1) control

DS 6.2 Last Revised June 28, 2006

NAME | Description

db-batched-transaction-count(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.

PROPERTY: `search-size-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`2000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server returns for a search operation.

PROPERTY: `search-time-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`3600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of seconds allocated by the server to respond to a search request.

PROPERTY: `secure-listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-cipher-family`

Syntax	`STRING \| all`
Default Value	`all`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-client-auth-mode`

Syntax	`allowed \| required \| disabled`
Default Value	`allowed`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.

PROPERTY: `ssl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts SSL connnections.

PROPERTY: `ssl-rsa-cert-name`

Syntax	`STRING`
Default Value	defaultCert
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the SSL certificate for the server.

PROPERTY: `ssl-rsa-security-device`

Syntax	`STRING`
Default Value	`internal (software)`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the security device used by the server.

PROPERTY: `ssl-supported-ciphers`

Syntax	`STRING`
Default Value	Depends on underlying SSL library
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the full list of SSL ciphers the server can support.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

db-cache-size(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.

PROPERTY: `search-size-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`2000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server returns for a search operation.

PROPERTY: `search-time-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`3600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of seconds allocated by the server to respond to a search request.

PROPERTY: `secure-listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-cipher-family`

Syntax	`STRING \| all`
Default Value	`all`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-client-auth-mode`

Syntax	`allowed \| required \| disabled`
Default Value	`allowed`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.

PROPERTY: `ssl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts SSL connnections.

PROPERTY: `ssl-rsa-cert-name`

Syntax	`STRING`
Default Value	defaultCert
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the SSL certificate for the server.

PROPERTY: `ssl-rsa-security-device`

Syntax	`STRING`
Default Value	`internal (software)`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the security device used by the server.

PROPERTY: `ssl-supported-ciphers`

Syntax	`STRING`
Default Value	Depends on underlying SSL library
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the full list of SSL ciphers the server can support.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

db-checkpoint-interval(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.

PROPERTY: `search-size-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`2000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server returns for a search operation.

PROPERTY: `search-time-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`3600`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of seconds allocated by the server to respond to a search request.

PROPERTY: `secure-listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-cipher-family`

Syntax	`STRING \| all`
Default Value	`all`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `ssl-client-auth-mode`

Syntax	`allowed \| required \| disabled`
Default Value	`allowed`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.

PROPERTY: `ssl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts SSL connnections.

PROPERTY: `ssl-rsa-cert-name`

Syntax	`STRING`
Default Value	defaultCert
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the SSL certificate for the server.

PROPERTY: `ssl-rsa-security-device`

Syntax	`STRING`
Default Value	`internal (software)`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the name of the security device used by the server.

PROPERTY: `ssl-supported-ciphers`

Syntax	`STRING`
Default Value	Depends on underlying SSL library
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the full list of SSL ciphers the server can support.

Description

Syntax values shown in lower case or partly in lower case are literal values.

Those shown in upper case are syntax types, defined as follows:

ATTR_NAME

A valid attribute type name such as cn or objectClass.

BOOLEAN

true or false.

DN

A valid distinguished name such as ou=People,dc=example,dc=com.

DURATION

EMAIL_ADDRESS

A valid e-mail address.

HOST_NAME

An IP address or host name.

INTEGER

A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.

INTERVAL

IP_RANGE

An IP address or range of address in one of the following formats:

IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All address. A catch-all for clients that are note placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.

LDAP_URL

A valid LDAP URL as specified by RFC 2255.

MEMORY_SIZE

NAME

A valid cn (common name).

OCTAL_MODE

PASSWORD_FILE

The full path to the file from which the bind password should be read.

PATH

A valid, absolute file system path.

STRING

A DirectoryString value, as specified by RFC 2252.

SUPPORTED_SSL_CIPHER

An SSL cipher supported by the server. See the Reference for a list of supported ciphers.

SUPPORTED_SSL_PROTOCOL

An SSL protocol supported by the server. See the Reference for a list of supported protocols.

TIME

A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.

Attributes

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWldap-directory-client
Stability Level	Evolving

db-env-path(5dsconf)

NAME | Description | Description | Attributes | See Also

NAME

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: `check-schema-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: `check-syntax-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

PROPERTY: `config-magic-number`

Syntax	`STRING`
Default Value	`D-A00`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: `db-batched-transaction-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`32M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `db-checkpoint-interval`

Syntax	`DURATION`
Default Value	`60s`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: `db-env-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `db-lock-count`

Syntax	`INTEGER`
Default Value	`20000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: `db-log-buf-size`

Syntax	`MEMORY_SIZE`
Default Value	`512k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: `db-log-path`

Syntax	`PATH`
Default Value	`instance-path/db`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: `def-repl-manager-pwd`

Syntax	`STRING`
Default Value	See the description that follows.
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `def-repl-manager-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: `dn-cache-count`

Syntax	`INTEGER \| unlimited \| disabled`
Default Value	`unlimited`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

unlimited — cache is limited to the cache size specified for dn-cache-size.
disabled — caching is disabled and dn-cache-size is ignored.
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: `dn-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`10M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Changing this property requires you to restart the server.

PROPERTY: `dsml-answer-size`

Syntax	`MEMORY_SIZE`
Default Value	`64k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: `dsml-buffer-size`

Syntax	`MEMORY_SIZE`
Default Value	`8k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: `dsml-client-auth-mode`

Syntax	`clientCertOnly \| httpBasicOnly \| clientCertFirst`
Default Value	`httpBasicOnly`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly: Use credentials from the client certificate to identify the client.
httpBasicOnly: Use credentials from the HTTP authorization header to identify the client.
clientCertFirst: Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: `dsml-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts DSML requests.

PROPERTY: `dsml-max-parser-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-min-parser-count`

Syntax	`INTEGER`
Default Value	`10`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `dsml-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: `dsml-relative-root-url`

Syntax	`STRING`
Default Value	`/dsml`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: `dsml-request-max-size`

Syntax	`MEMORY_SIZE`
Default Value	`32k`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum size for DSML client requests.

PROPERTY: `dsml-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: `file-descriptor-count`

Syntax	`INTEGER`
Default Value	`1024`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Not listening for new connections -- too many fds open

PROPERTY: `heap-high-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
If heap-high-threshold-size is set, its value must be at least one gigabyte.
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: `heap-low-threshold-size`

Syntax	`MEMORY_SIZE \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

See the description for heap-high-threshold-size.

PROPERTY: `host-access-dir-path`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `idle-timeout`

Syntax	`INTEGER \| none`
Default Value	`none`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: `import-cache-size`

Syntax	`MEMORY_SIZE`
Default Value	`64M`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `instance-path`

Syntax	`PATH`
Default Value	Path set at server creation
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: `ldap-port`

Syntax	`INTEGER \| disabled`
Default Value	`389 \| 1389`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `ldap-secure-port`

Syntax	`INTEGER \| disabled`
Default Value	`636 \| 1636`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: `listen-address`

Syntax	`STRING`
Default Value	`0.0.0.0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

PROPERTY: `look-through-limit`

Syntax	`INTEGER \| unlimited`
Default Value	`5000`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: `max-psearch-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: `max-thread-count`

Syntax	`INTEGER`
Default Value	`30`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `max-thread-per-connection-count`

Syntax	`INTEGER`
Default Value	`5`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: `mod-tracking-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains modification timestamps for updated entries.

PROPERTY: `pwd-accept-hashed-pwd-enabled`

Syntax	`on \| off`
Default Value	N/A
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.

PROPERTY: `pwd-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks the quality of password values when they are modified.

PROPERTY: `pwd-compat-mode`

Syntax	`DS5-compatible-mode \| DS6-migration-mode \| DS6-mode`
Default Value	`DS5-compatible-mode`
Is readable	Yes
Is modifiable	No
Is multi-valued	No

PROPERTY: `pwd-expire-no-warning-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether a password can expire without prior warning to a client application.

PROPERTY: `pwd-expire-warning-delay`

Syntax	`DURATION \| disabled`
Default Value	`1d`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.

PROPERTY: `pwd-failure-count-interval`

Syntax	`DURATION \| disabled`
Default Value	`10m`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which password failures are purged from the failure count.

PROPERTY: `pwd-grace-login-limit`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of times an expired password can be used to authenticate.

PROPERTY: `pwd-keep-last-auth-time-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.

PROPERTY: `pwd-lockout-duration`

Syntax	`DURATION \| disabled`
Default Value	`1h`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the how long before the server unlocks an account that is locked.

PROPERTY: `pwd-lockout-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.

PROPERTY: `pwd-lockout-repl-priority-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether password lockout attributes are replicated with high priority.

PROPERTY: `pwd-max-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the age beyond which a password expires.

PROPERTY: `pwd-max-failure-count`

Syntax	`INTEGER \| disabled`
Default Value	`3`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.

PROPERTY: `pwd-max-history-count`

Syntax	`INTEGER \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.

PROPERTY: `pwd-min-age`

Syntax	`DURATION \| disabled`
Default Value	`disabled`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum duration between password modifications.

PROPERTY: `pwd-min-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.

PROPERTY: `pwd-mod-gen-length`

Syntax	`INTEGER \| disabled`
Default Value	`6`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.

PROPERTY: `pwd-must-change-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.

PROPERTY: `pwd-root-dn-bypass-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.

PROPERTY: `pwd-safe-modify-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the current password must be provided with the request to modify the password.

PROPERTY: `pwd-storage-scheme`

Syntax	`STRING`
Default Value	`SSHA`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the algorithm used to encode password values.

PROPERTY: `pwd-strong-check-dictionary-path`

Syntax	`PATH \| none`
Default Value	`install-path/ds6/plugins/words-english-big.txt`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the path to the dictionary file used for strong password checks.

PROPERTY: `pwd-strong-check-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.

PROPERTY: `pwd-strong-check-require-charset`

Syntax	`lower \| upper \| digit \| special \| any-two \| any-three`
Default Value	`lower && upper && digit && special`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the sets of characters that must be present in a password value modification.

lower: The new password must include a lower case character.
upper: The new password must include an upper case character.
digit: The new password must include a digit.
special: The new password must include a special character.
any-two: The new password must include at least one character from each of at least two of the abovementioned character sets.
any-three: The new password must include at least one character from each of at least three of the abovementioned character sets.

PROPERTY: `pwd-supported-storage-scheme`

Syntax	`STRING`
Default Value	See the following description.
Is readable	Yes
Is modifiable	No
Is multi-valued	Yes

This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.

PROPERTY: `pwd-user-change-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether users may change their own passwords.

PROPERTY: `read-write-mode`

Syntax	`read-only \| read-write \| frozen`
Default Value	`read-write`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.

PROPERTY: `ref-integrity-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies attributes for which referential integrity must be checked on update.

PROPERTY: `ref-integrity-check-delay`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the delay between referential integrity checks. The default is no delay.

PROPERTY: `ref-integrity-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether referential integrity checks are performed by the server.

PROPERTY: `repl-user-schema-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

PROPERTY: `require-bind-pwd-enabled`

Syntax	`on \| off`
Default Value	`on`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.

PROPERTY: `retro-cl-deleted-entry-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the attributes to record in the retro change log when an entry is deleted.

PROPERTY: `retro-cl-enabled`

Syntax	`on \| off`
Default Value	`off`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.

PROPERTY: `retro-cl-ignored-attr`

Syntax	`ATTR_NAME \| ""`
Default Value	`""`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the list of attributes not to record in the retro changelog when updates occur.

PROPERTY: `retro-cl-max-age`

Syntax	`DURATION \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum age of records in the retro changelog. Older records are purged.

PROPERTY: `retro-cl-max-entry-count`

Syntax	`INTEGER`
Default Value	`0`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.

PROPERTY: `retro-cl-path`

Syntax	`PATH`
Default Value	`instance-path/db/changelog`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the file system directory in which the changelog is created.

PROPERTY: `retro-cl-suffix-dn`

Syntax	`DN \| undefined`
Default Value	`undefined`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	Yes

This property specifies the suffixes for which retro changelog records are maintained.

PROPERTY: `root-dn`

Syntax	`DN`
Default Value	`cn=Directory Manager`
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.

PROPERTY: `root-pwd`

Syntax	`STRING`
Default Value	None
Is readable	Yes
Is modifiable	No
Is multi-valued	No

This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.

PROPERTY: `root-pwd-file`

Syntax	`PATH \| ""`
Default Value	`""`
Is readable	No
Is modifiable	Yes
Is multi-valued	No

This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.

PROPERTY: `root-pwd-storage-scheme`

Syntax	`STRING`
Default Value	SSHA
Is readable	Yes
Is modifiable	Yes
Is multi-valued	No

This property speci

Directory Server Configuration

algorithm(5dsconf)

NAME

Description

PROPERTY: algorithm

Description

Attributes

See Also

all-ids-threshold(5dsconf)

NAME

Description

Description

Attributes

See Also

all-ids-threshold-eq(5dsconf)

NAME

Description

PROPERTY: all-ids-threshold

PROPERTY: all-ids-threshold-eq

PROPERTY: all-ids-threshold-pres

PROPERTY: all-ids-threshold-sub

PROPERTY: approx-enabled

PROPERTY: desc

PROPERTY: eq-enabled

PROPERTY: matching-rule

PROPERTY: pres-enabled

PROPERTY: sub-enabled

PROPERTY: system

Description

Attributes

See Also

all-ids-threshold-pres(5dsconf)

NAME

Description

PROPERTY: all-ids-threshold

PROPERTY: all-ids-threshold-eq

PROPERTY: all-ids-threshold-pres

PROPERTY: all-ids-threshold-sub

PROPERTY: approx-enabled

PROPERTY: desc

PROPERTY: eq-enabled

PROPERTY: matching-rule

PROPERTY: pres-enabled

PROPERTY: sub-enabled

PROPERTY: system

Description

Attributes

See Also

all-ids-threshold-sub(5dsconf)

NAME

Description

PROPERTY: all-ids-threshold

PROPERTY: all-ids-threshold-eq

PROPERTY: all-ids-threshold-pres

PROPERTY: all-ids-threshold-sub

PROPERTY: approx-enabled

PROPERTY: desc

PROPERTY: eq-enabled

PROPERTY: matching-rule

PROPERTY: pres-enabled

PROPERTY: sub-enabled

PROPERTY: system

Description

Attributes

See Also

approx-enabled(5dsconf)

NAME

Description

PROPERTY: all-ids-threshold

PROPERTY: all-ids-threshold-eq

PROPERTY: all-ids-threshold-pres

PROPERTY: all-ids-threshold-sub

PROPERTY: approx-enabled

PROPERTY: desc

PROPERTY: eq-enabled

PROPERTY: matching-rule

PROPERTY: pres-enabled

PROPERTY: sub-enabled

PROPERTY: system

Description

PROPERTY: `algorithm`

PROPERTY: `all-ids-threshold`

PROPERTY: `all-ids-threshold-eq`

PROPERTY: `all-ids-threshold-pres`

PROPERTY: `all-ids-threshold-sub`

PROPERTY: `approx-enabled`

PROPERTY: `desc`

PROPERTY: `eq-enabled`

PROPERTY: `matching-rule`

PROPERTY: `pres-enabled`

PROPERTY: `sub-enabled`

PROPERTY: `system`

PROPERTY: `all-ids-threshold`

PROPERTY: `all-ids-threshold-eq`

PROPERTY: `all-ids-threshold-pres`

PROPERTY: `all-ids-threshold-sub`

PROPERTY: `approx-enabled`

PROPERTY: `desc`

PROPERTY: `eq-enabled`

PROPERTY: `matching-rule`

PROPERTY: `pres-enabled`

PROPERTY: `sub-enabled`

PROPERTY: `system`

PROPERTY: `all-ids-threshold`

PROPERTY: `all-ids-threshold-eq`

PROPERTY: `all-ids-threshold-pres`

PROPERTY: `all-ids-threshold-sub`

PROPERTY: `approx-enabled`

PROPERTY: `desc`

PROPERTY: `eq-enabled`

PROPERTY: `matching-rule`

PROPERTY: `pres-enabled`

PROPERTY: `sub-enabled`

PROPERTY: `system`

PROPERTY: `all-ids-threshold`

PROPERTY: `all-ids-threshold-eq`

PROPERTY: `all-ids-threshold-pres`

PROPERTY: `all-ids-threshold-sub`

PROPERTY: `approx-enabled`

PROPERTY: `desc`

PROPERTY: `eq-enabled`

PROPERTY: `matching-rule`

PROPERTY: `pres-enabled`

PROPERTY: `sub-enabled`

PROPERTY: `system`

PROPERTY: `argument`

PROPERTY: `depends-on-named`

PROPERTY: `depends-on-type`

PROPERTY: `feature`

PROPERTY: `init-func`

PROPERTY: `lib-path`

PROPERTY: `type`

PROPERTY: `vendor`

PROPERTY: `version`

PROPERTY: `attr`

PROPERTY: `base-dn`

PROPERTY: `bind-dn`

PROPERTY: `op-type`

PROPERTY: `auth-bind-dn`

PROPERTY: `auth-protocol`

PROPERTY: `auth-pwd`

PROPERTY: `auth-pwd-file`

PROPERTY: `repl-fractional-exclude-attr`

PROPERTY: `repl-fractional-include-attr`

PROPERTY: `repl-schedule`

PROPERTY: `transport-compression`

PROPERTY: `transport-group-size`

PROPERTY: `transport-window-size`

PROPERTY: `auth-bind-dn`

PROPERTY: `auth-protocol`

PROPERTY: `auth-pwd`

PROPERTY: `auth-pwd-file`

PROPERTY: `repl-fractional-exclude-attr`

PROPERTY: `repl-fractional-include-attr`

PROPERTY: `repl-schedule`

PROPERTY: `transport-compression`

PROPERTY: `transport-group-size`

PROPERTY: `transport-window-size`

PROPERTY: `auth-bind-dn`

PROPERTY: `auth-protocol`