iPlanet Directory Server Configuration, Command, and File Reference



Chapter 2   Core Server Configuration Reference


The configuration information for iPlanet Directory Server 5.1 is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server via LDAP while it is still running, and avoids having to shut it down.

This chapter gives details of how the configuration is organized, how to alter it, and provides an alphabetical reference for all attributes. The material is divided into the following sections:



Server Configuration - Overview

When you install the iPlanet Directory Server 5.1, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file in LDIF format: dse.ldif. This dse.ldif file contains all of the server configuration information. It is worth noting that the latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK. Many of the features of the iPlanet Directory Server 5.1 are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in the entry:

cn=Telephone Syntax,cn=plugins,cn=config

Similarly, database-specific configuration is stored under:

cn=ldbm database,cn=plugins,cn=config and cn=chaining database,cn=plugins,cn=config

The following diagram shows how the configuration data fits within the cn=config Directory Information Tree.



This overview is divided into the following sections:


LDIF Configuration Files - Location

The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory by default:

Solaris 9 platform

/var/ds5/slapd-serverID/config

Other platforms

/usr/iplanet/servers/slapd-serverID/config

where serverID is the server identifier that you defined when you installed your Directory Server. In this chapter, all examples use phonebook for the server identifier where appropriate.


Schema Configuration Files - Location

Schema configuration is also stored in LDIF format and these files are located in the following directory:

Solaris 9 platform

/var/ds5/slapd-serverID/config/schema

Other platforms

/usr/iplanet/servers/slapd-serverID/config/schema

For a full list of the LDIF configuration files that are supplied with Directory Server, see Table 2-7 under Configuration Quick Reference Tables at the end of this chapter.


How the Server Configuration is Organized

The dse.ldif file contains all configuration information, including directory-specific entries created by the directory at server startup and directory-specific entries related to the database, also created by the directory at server startup. The file includes the Root DSE (named by "") and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order, that is, in the order in which the entries appear in the directory under cn=config.

This section provides an overview of configuration attributes, plug-in functionality configuration, database configuration, and index configuration.


Configuration Attributes

Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.

The following code example shows part of the dse.ldif file for a Directory Server. Among other things, it shows that schema checking has been turned on: this is represented by the attribute nsslapd-schemacheck, which takes the value on.

Code Example 2-1    Extract of dse.ldif File

dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: on
nsslapd-localhost: phonebook.siroe.com
nsslapd-errorlog: installDir/slapd-phonebook/logs/errors
nsslapd-schemacheck: on
nsslapd-store-state-info: on
nsslapd-port: 389
nsslapd-localuser: nobody
...


Configuration of Plug-in Functionality

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following code example shows an example of the configuration entry for a plug-in, in this case the Telephone Syntax plug-in.

Code Example 2-2    Configuration Entry for Telephone Syntax Plug-in

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: installDir/lib/syntax-plug-in.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.

For a list of plug-ins supported by iPlanet Directory Server 5.1, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart see Chapter 3 "Plug-in Implemented Server Functionality Reference".


Configuration of Databases

The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases containing the o=NetscapeRoot and o=UserRoot suffixes respectively. The cn=NetscapeRoot subtree contains the configuration data used by the iPlanet Administration Server for authentication and for all actions that cannot be performed through LDAP (such as start/stop). The cn=UserRoot subtree contains all the configuration data for the first user-defined database created during server installation. This subtree is called UserRoot by default, but the name is not hard-coded: because there can be multiple database instances, the user defines a name for each new database that is added.


Configuration of Indexes

Configuration information for indexing is stored as entries in the Directory Server under the three following information tree nodes:

  • cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

  • cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

  • cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config

For more information regarding indexes in general, see the iPlanet Directory Server Administrator's Guide and for information regarding the index configuration attributes, see "Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config" on page 153. The attributes are presented here because this node is the first to appear in the representation of the configuration attributes based on the cn=config information tree.


Migration of Pre-Directory Server 5.1 Configuration Files to LDIF Format

The iPlanet Directory Server 5.1 only recognizes configuration files that are in LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Netscape Directory Server must be converted to LDIF format. Netscape Directory Server 4.x configurations can be migrated to the new LDIF format using the migrateInstance5 tool. For more information, see Chapter 5, "Migrating From Previous Versions" in the iPlanet Directory Server Installation Guide and the Innosoft Distributed Directory Server Transition Guide.



Accessing and Modifying Server Configuration



This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions on the types of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect. This section has been divided into the following parts:


Access Control For Configuration Entries

When the Directory Server is installed, a default set of Access Control Instructions (ACIs) is implemented for all entries under cn=config. Code Example 2-3 shows an example of these default ACIs.

Code Example 2-3    Default ACIs in dse.ldif

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group";
 allow (all)
 groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
 allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)

aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group";
 allow (all)
 groupdn = "ldap:///ou=Directory Administrators,dc=Siroe,dc=com";)

aci: (targetattr = "*")(version 3.0; acl "SIE Group";
 allow (all)
 groupdn = "ldap:///cn=slapd-phonebook,cn=Netscape Directory Server,
 cn=Server Group,cn=phonebook.siroe.com,dc=Siroe,dc=com,o=NetscapeRoot";)


These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:

  • Members of the Configuration Administrators Group

  • The user acting as the Administrator, who has the uid admin that can be configured at installation time

  • Members of the local Directory Administrators Group

  • The local Directory Administrator (root DN)

  • The SIE (Server Instance Entry) Group that is usually assigned using the Set Access Permissions from the main topology view in the main console.

For more information on Access Control, see Chapter 5 of the iPlanet Directory Server Administrator's Guide.
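As an added example that is not part of the iPlanet documentation, the following Python parses ACI values written in the form shown in Code Example 2-3 and lists every subject that is granted allow (all) on every attribute, which is the review an administrator would do before trusting the cn=config subtree. The sample ACIs are constructed copies of the defaults above (with the DN whitespace normalized) plus one made-up, narrower ACI to show that it is excluded. The regular expression covers only the targetattr / version 3.0 / acl / allow-or-deny / userdn-or-groupdn shape used in the example; it is an assumption of this example, not a general ACI grammar.

```python
"""Added example (not from the iPlanet documentation): list the subjects that
the cn=config ACIs grant full control to. Only the ACI shape used in
Code Example 2-3 is recognised; anything else raises ValueError."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the four default ACIs from Code Example 2-3 (whitespace
# normalized) plus one made-up read-only ACI that must NOT be reported.
SAMPLE_CONFIG_ACIS = [
    '(targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; '
    'allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,'
    'ou=TopologyManagement,o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Configuration Administrator"; '
    'allow (all) userdn = "ldap:///uid=admin,ou=Administrators,'
    'ou=TopologyManagement,o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; '
    'allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=Siroe,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) '
    'groupdn = "ldap:///cn=slapd-phonebook,cn=Netscape Directory Server,'
    'cn=Server Group,cn=phonebook.siroe.com,dc=Siroe,dc=com,o=NetscapeRoot";)',
    # constructed, not a default: read/search only, so it is filtered out below
    '(targetattr = "*")(version 3.0; acl "Monitoring readers (constructed)"; '
    'allow (read,search) groupdn = "ldap:///cn=Monitors,ou=Groups,dc=example,dc=com";)',
]

# Assumed ACI shape: (targetattr = "...")(version 3.0; acl "name"; allow|deny (perms) userdn|groupdn = "...";)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version 3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<perms>[^)]*)\)\s*'
    r'(?P<bindtype>userdn|groupdn)\s*=\s*"(?P<subject>[^"]*)"\s*;\s*\)',
    re.IGNORECASE,
)


@dataclass
class Aci:
    target_attr: str
    name: str
    effect: str              # "allow" or "deny"
    permissions: list[str]   # lower-cased, e.g. ["all"] or ["read", "search"]
    bind_type: str           # "userdn" or "groupdn"
    subject_dn: str          # DN with the ldap:/// prefix removed


def parse_aci(value: str) -> Aci:
    """Parse one aci attribute value; folded LDIF lines are joined by collapsing whitespace."""
    normalized = " ".join(value.split())
    match = ACI_RE.fullmatch(normalized)
    if match is None:
        raise ValueError(f"unrecognised ACI syntax: {value!r}")
    permissions = [p.strip().lower() for p in match["perms"].split(",") if p.strip()]
    subject = match["subject"].strip()
    if subject.lower().startswith("ldap:///"):
        subject = subject[len("ldap:///"):]
    return Aci(match["targetattr"], match["name"], match["effect"].lower(),
               permissions, match["bindtype"].lower(), subject)


def full_control_subjects(aci_values: list[str]) -> list[tuple[str, str]]:
    """Return (bind type, DN) for every subject allowed all rights on all attributes."""
    subjects = []
    for raw in aci_values:
        aci = parse_aci(raw)
        if aci.effect == "allow" and aci.target_attr == "*" and "all" in aci.permissions:
            subjects.append((aci.bind_type, aci.subject_dn))
    return subjects


if __name__ == "__main__":
    for bind_type, dn in full_control_subjects(SAMPLE_CONFIG_ACIS):
        print(f"{bind_type}: {dn}")
```

Run as a script it prints the four default subjects and omits the constructed read-only group; to review a live server, feed it the aci values returned by an ldapsearch on cn=config.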


Changing Configuration Attributes

You can view and change server attribute values in one of three ways: by using LDAP through iPlanet Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.



Note If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. For further information, see "Configuration Changes Requiring Server Restart".



The following sections describe how to modify entries using LDAP (both via iPlanet Console and over the command line), the restrictions to modifying entries, the restrictions to modifying attributes and the configuration changes requiring restart.


Modifying Configuration Entries Using LDAP

The configuration entries in the directory can be searched and modified using LDAP, either via the iPlanet Console or by performing ldapsearch and ldapmodify operations in the same way as other Directory entries. The advantage of using LDAP to modify entries is that you can make the changes while the server is running. You must remember to specify the port number when modifying configuration entries as the server is not necessarily running on port 389. For further information see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. For further information, see "Configuration Changes Requiring Server Restart".



Note As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree, as this risks affecting iPlanet Directory Server functionality.



The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:


ldapsearch -b cn=config -D bindDN -w password "(objectclass=*)"

where bindDN is the DN chosen for the Directory Manager when the server was installed and password is the password chosen for Directory Manager. For more information on using ldapsearch see Chapter 7 "Command-Line Utilities."

Previously we saw an example of the configuration entry for the Telephone Syntax plug-in where the plug-in was enabled. If you want to disable this feature you can use the following series of commands to implement this change.

Code Example 2-4    Disabling the Telephone Syntax Plug-in


ldapmodify -D bindDN -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off


Restrictions to Modifying Configuration Entries

Certain restrictions apply when modifying server entries:

  • The dse.ldif cn=monitor entry and its child entries are read-only and cannot be modified.


Restrictions to Modifying Configuration Attributes

Certain restrictions apply when modifying server attributes:

  • If an attribute that the server does not recognize is added to cn=config, the server ignores it.

  • If an invalid value is entered for an attribute, the server will ignore it.

  • Since ldapdelete is used for deleting entire entries, you should use ldapmodify if you want to remove an attribute from an entry.


Configuration Changes Requiring Server Restart

Some configuration attributes cannot be altered dynamically while the server is running. In these cases the server needs to be shut down and restarted for the changes to take effect. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Table 2-8 under Configuration Quick Reference Tables at the end of this chapter contains a list of these attributes.



Core Server Configuration Attributes Reference



This section guides you through all the core server functionality configuration attributes. For server functionality implemented via plug-ins, see the section "Configuration Quick Reference Tables". For implementing your own server functionality, contact iPlanet Professional Services.

For information on where to find the server configuration and how to change it, see "Server Configuration - Overview" and "Accessing and Modifying Server Configuration". For a list of the server features that are plug-ins and the attributes that apply to them, see Table 2-1, under Configuration Quick Reference Tables at the end of this chapter.

The configuration information which is stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config as shown below:



The list of configuration tree nodes covered in this section is as follows:

  • cn=config

  • cn=changelog5

  • cn=encryption

  • cn=features

  • cn=mapping tree

  • cn=monitor

  • cn=replica

  • cn=replication

  • cn=SNMP

  • cn=tasks

  • cn=uniqueid generator

The cn=plugins node is covered in the "Configuration Quick Reference Tables" section. We arrange the attributes alphabetically and provide a full description for each, giving the DN of its directory entry, its default value, the valid range of values, and an example of its use.



Caution

Some of the entries and attributes described in this chapter may change in future releases of the product.




cn=config

General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.


nsIdleTimeout (Idle Timeout)

Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections.

Entry DN

cn=config

Valid Range

0 to the maximum 32 bit integer value (2147483647)

Default Value

0

Syntax

Integer

Example

nsIdleTimeout: 0


nsslapd-accesscontrol (Enable Access Control)

Turns access control on and off. If this attribute has a value off, any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesscontrol: off


nsslapd-accesslog (Access Log)

Specifies the path and filename of the log used to record each database access. The following information is recorded in the log file by default:

  • IP address of the client machine that accessed the database

  • operations performed (for example, search, add, modify)

  • result of the access (for example, the number of entries returned)

For more information on turning access logging off, see Chapter 13, "Monitoring Logging and Statistics" in the iPlanet Directory Server Administrator's Guide.

For access logging to be enabled, this attribute must have a valid path and file name and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.


Table 2-1    Possible Value Combinations of Access Log Attributes

nsslapd-accesslog-logging-enabled    nsslapd-accesslog    Logging Status
on                                   empty string         Disabled
on                                   filename             Enabled
off                                  empty string         Disabled
off                                  filename             Disabled

Entry DN

cn=config

Valid Range

Any valid filename.

Default Value

installDir/slapd-serverID/logs/access

Syntax

DirectoryString

Solaris 9 Example

nsslapd-accesslog: /var/ds5/slapd-serverID/logs/access

Other Platform Example

nsslapd-accesslog: /usr/iplanet/servers/slapd-serverID/logs/access


nsslapd-accesslog-level

Controls what is logged to the access log.

Entry DN

cn=config

Valid Range

0—No access logging

4—Logging for internal access operations

256—Logging for access to an entry

512—Logging for access to an entry and referrals.

These values can be added together to provide you with the exact type of logging you require, for example 516 (4 + 512) to obtain internal access operation, entry access and referral logging.

Default Value

256

Syntax

Integer

Example

nsslapd-accesslog-level: 256
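As an added example that is not part of the iPlanet documentation, the following Python treats the nsslapd-accesslog-level values listed above as bit flags: it decodes a configured value back into the kinds of logging it enables and composes a value from chosen flags, rejecting bits that correspond to no documented flag. The flag table is taken from the Valid Range text; the function names are this example's own.

```python
"""Added example (not from the iPlanet documentation): decode and compose
nsslapd-accesslog-level values, which are sums of the documented flags."""
from __future__ import annotations

# Flag values and meanings as documented under Valid Range for nsslapd-accesslog-level.
ACCESSLOG_LEVEL_FLAGS = {
    4: "internal access operations",
    256: "access to an entry",
    512: "access to an entry and referrals",
}


def decode_accesslog_level(level: int) -> list[str]:
    """Return what a given nsslapd-accesslog-level value logs, lowest flag first.

    Raises ValueError for a negative value or for bits that match no documented
    flag, so a mistyped value is caught rather than silently misread.
    """
    if level < 0:
        raise ValueError(f"nsslapd-accesslog-level must be >= 0, got {level}")
    if level == 0:
        return ["no access logging"]
    remaining = level
    enabled = []
    for flag in sorted(ACCESSLOG_LEVEL_FLAGS):
        if remaining & flag:
            enabled.append(ACCESSLOG_LEVEL_FLAGS[flag])
            remaining &= ~flag
    if remaining:
        raise ValueError(f"value {level} contains undocumented bits: {remaining}")
    return enabled


def compose_accesslog_level(*flags: int) -> int:
    """Add documented flag values together, e.g. (4, 512) -> 516 as in the text."""
    level = 0
    for flag in flags:
        if flag not in ACCESSLOG_LEVEL_FLAGS:
            raise ValueError(f"{flag} is not a documented nsslapd-accesslog-level flag")
        if level & flag:
            raise ValueError(f"flag {flag} given more than once")
        level |= flag
    return level


if __name__ == "__main__":
    print(compose_accesslog_level(4, 512), decode_accesslog_level(516))
```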


nsslapd-accesslog-list

This read-only attribute cannot be set. It provides a list of access log files used in access log rotation.

Entry DN

cn=config

Valid Range

N/A

Default Value

None

Syntax

DirectoryString

Example

nsslapd-accesslog-list: accesslog2,accesslog3


nsslapd-accesslog-logbuffering (Log Buffering)

When set to off, the server writes all access log entries directly to disk.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesslog-logbuffering: off


nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)

Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-accesslog-logexpirationtime: 2


nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)

Specifies the unit for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.

Entry DN

cn=config

Valid Range

month | week | day

Default Value

month

Syntax

DirectoryString

Example

nsslapd-accesslog-logexpirationtimeunit: week


nsslapd-accesslog-logging-enabled (Access Log Enable Logging)

Disables and enables accesslog logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.

For access logging to be enabled, this attribute must be switched to on and the nsslapd-accesslog configuration attribute must have a valid path and filename. Table 2-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesslog-logging-enabled: off


nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)

Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647)

Default Value

500 (A value of -1 means that the disk space allowed to the access log is unlimited in size).

Syntax

Integer

Example

nsslapd-accesslog-logmaxdiskspace: 200


nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)

Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

nsslapd-accesslog-logminfreediskspace: 4


nsslapd-accesslog-logrotationtime (Access Log Rotation Time)

Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.

Because the log will then grow indefinitely, disabling log rotation is not recommended for performance reasons. There are nevertheless two ways to disable it: set the nsslapd-accesslog-maxlogsperdir attribute to 1, or set the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first; only if that value is larger than 1 does it go on to check the nsslapd-accesslog-logrotationtime attribute. See "nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)" on page 40 for more information.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-accesslog-logrotationtime: 100


nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)

Specifies the units for the nsslapd-accesslog-logrotationtime attribute.

Entry DN

cn=config

Valid Range

month | week | day | hour | minute

Default Value

day

Syntax

DirectoryString

Example

nsslapd-accesslog-logrotationtimeunit: week


nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)

Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set the nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-accesslog-maxlogsize: 100


nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)

Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1, as the server will not rotate the log and it will grow indefinitely.

If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, there is no log rotation. For more information, see "nsslapd-accesslog-logrotationtime (Access Log Rotation Time)" on page 38.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

10

Syntax

Integer

Example

nsslapd-accesslog-maxlogsperdir: 10


nsslapd-attribute-name-exceptions

Allows non-standard characters in attribute names to be used for backwards compatibility with older servers.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-attribute-name-exceptions: on


nsslapd-auditlog (Audit Log)

Specifies the pathname and filename of the log used to record changes made to each database.

Entry DN

cn=config

Valid Range

Any valid filename

Default Value

installDir/slapd-serverID/logs/audit

Syntax

DirectoryString

Solaris 9 Example

nsslapd-auditlog: /var/ds5/slapd-serverID/logs/audit

Other Platform Example

nsslapd-auditlog: /usr/iplanet/servers/slapd-serverID/logs/audit

For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.


Table 2-2    Possible Value Combinations of Audit Log Attributes

nsslapd-auditlog-logging-enabled    nsslapd-auditlog    Logging Status
on                                  empty string        Disabled
on                                  filename            Enabled
off                                 empty string        Disabled
off                                 filename            Disabled
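As an added example that is not part of the iPlanet documentation, the following Python reads the cn=config entry out of a dse.ldif extract and reports, for both the access log and the audit log, whether logging is effectively enabled under the rule of Tables 2-1 and 2-2 (the *-logging-enabled attribute must be on and the log path non-empty) and whether the log will ever rotate, applying the precedence described under nsslapd-accesslog-logrotationtime (maxlogsperdir is checked first; logrotationtime only matters when maxlogsperdir is larger than 1). It generalizes the access-log rotation rule to the audit log, whose attributes follow the same pattern with different defaults. The LDIF extract is constructed sample data, the documented defaults are used for attributes that are absent, and the LDIF reader handles only the "attr: value" and folded-line forms found in dse.ldif.

```python
"""Added example (not from the iPlanet documentation): report effective access
and audit logging status and rotation from a dse.ldif extract."""
from __future__ import annotations

# Constructed dse.ldif extract; the values are sample data, not a real server's.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog: /var/ds5/slapd-phonebook/logs/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logrotationtime: -1
nsslapd-auditlog: /var/ds5/slapd-phonebook/logs/audit
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logrotationtime: 1
nsslapd-port: 389

dn: cn=monitor
objectclass: top
"""

# Documented defaults, applied when the attribute is absent from cn=config.
LOGGING_ENABLED_DEFAULT = {"accesslog": "on", "auditlog": "off"}
LOG_PATH_DEFAULT = {"accesslog": "installDir/slapd-serverID/logs/access",
                    "auditlog": "installDir/slapd-serverID/logs/audit"}
MAXLOGSPERDIR_DEFAULT = {"accesslog": 10, "auditlog": 1}
LOGROTATIONTIME_DEFAULT = 1


def parse_ldif_entries(text: str) -> dict[str, dict[str, list[str]]]:
    """Minimal LDIF reader: {dn (lower-cased): {attribute (lower-cased): [values]}}.

    Supports "attr: value" lines and folded continuation lines (leading space);
    base64 (attr::) values are not decoded, which dse.ldif does not need here.
    """
    entries: dict[str, dict[str, list[str]]] = {}
    current: dict[str, list[str]] = {}
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last_attr is not None:   # folded line
            current[last_attr][-1] += raw[1:]
            continue
        if not raw.strip():                                  # blank line ends an entry
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current, last_attr = {}, None
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if "dn" in current:
        entries[current["dn"][0].lower()] = current
    return entries


def logging_status(config: dict[str, list[str]], log: str) -> str:
    """Tables 2-1/2-2: Enabled only if *-logging-enabled is on AND the path is non-empty."""
    enabled = config.get(f"nsslapd-{log}-logging-enabled", [LOGGING_ENABLED_DEFAULT[log]])[0]
    path = config.get(f"nsslapd-{log}", [LOG_PATH_DEFAULT[log]])[0]
    return "Enabled" if enabled.strip().lower() == "on" and path.strip() else "Disabled"


def rotation_status(config: dict[str, list[str]], log: str) -> str:
    """maxlogsperdir is checked first; logrotationtime only if maxlogsperdir > 1."""
    max_logs = int(config.get(f"nsslapd-{log}-maxlogsperdir", [str(MAXLOGSPERDIR_DEFAULT[log])])[0])
    if max_logs == 1:
        return "No rotation (maxlogsperdir=1)"
    rotation_time = int(config.get(f"nsslapd-{log}-logrotationtime", [str(LOGROTATIONTIME_DEFAULT)])[0])
    if rotation_time == -1:
        return "No rotation (logrotationtime=-1)"
    return "Rotates"


def report(ldif_text: str) -> dict[str, dict[str, str]]:
    """Evaluate both logs against the cn=config entry found in the LDIF text."""
    config = parse_ldif_entries(ldif_text)["cn=config"]
    return {log: {"logging": logging_status(config, log), "rotation": rotation_status(config, log)}
            for log in ("accesslog", "auditlog")}


if __name__ == "__main__":
    for log, status in report(SAMPLE_DSE_LDIF).items():
        print(f"{log}: logging {status['logging']}, {status['rotation']}")
```

On the constructed sample the access log is enabled but never rotates, and the audit log is disabled, which is also its documented default; a fresh install therefore records no changes until nsslapd-auditlog-logging-enabled is set to on.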


nsslapd-auditlog-list

Provides a list of audit log files.

Entry DN

cn=config

Valid Range

N/A

Default Value

None

Syntax

DirectoryString

Example

nsslapd-auditlog-list: auditlog2,auditlog3


nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)

Specifies the maximum age that a log file can be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-logexpirationtime: 1


nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)

Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.

Entry DN

cn=config

Valid Range

month | week | day

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditlog-logexpirationtimeunit: day


nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)

Turns audit logging on and off.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-auditlog-logging-enabled: off

For audit logging to be enabled, this attribute must be switched to on and the nsslapd-auditlog configuration attribute must have a valid path and file name. Table 2-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.


nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)

Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size.

Default Value

500

Syntax

Integer

Example

nsslapd-auditlog-logmaxdiskspace: 500


nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)

Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

nsslapd-auditlog-logminfreediskspace: 3


nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)

Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.

Because the log will then grow indefinitely, disabling log rotation is not recommended for performance reasons. There are nevertheless two ways to disable it: set the nsslapd-auditlog-maxlogsperdir attribute to 1, or set the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first; only if that value is larger than 1 does it go on to check the nsslapd-auditlog-logrotationtime attribute. See "nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)" on page 46 for more information.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-logrotationtime: 100


nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)

Specifies the units for the nsslapd-auditlog-logrotationtime attribute.

Entry DN

cn=config

Valid Range

month | week | day | hour | minute

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditlog-logrotationtimeunit: day


nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)

Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-auditlog-maxlogsize: 50


nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)

Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.

If the value for this attribute is higher than 1, then you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See "nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)" on page 44 for more information.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-maxlogsperdir: 10


nsslapd-certmap-basedn (Certificate Map Search Base)

This attribute can be used when client authentication is performed using SSL certificates, to work around a limitation of the security subsystem's certificate mapping as configured in certmap.conf. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. For further information, see Chapter 11, "Managing SSL" in the iPlanet Directory Server Administrator's Guide.


nsslapd-config

This read-only attribute is the config DN.

Entry DN

cn=config

Valid Range

Any valid config DN.

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-config:cn=config


nsslapd-ds4-compatible-schema

Makes the schema in cn=schema compatible with 4.x versions of Directory Server.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-ds4-compatible-schema: off


nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)

Controls whether the quoting in the objectclasses attributes contained in the cn=schema entry conforms to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the objectclasses attributes contained in cn=schema. RFC 2252 indicates that this value should not be quoted.

That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )

However, RFC 2252 indicates that this attribute should be published as follows:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )

Notice the absence of single quotes around the word top.

Turning this attribute on means that the Directory Server Resource Kit LDAP clients will no longer function, as they require the schema as defined in RFC 2252.

Turning this attribute off causes the Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients. Specifically, any client written using the iPlanet LDAP SDK for Java 4.x will no longer be able to correctly read and modify schema. This includes the 4.x version of the iPlanet Console. Please note that turning this attribute on or off does not affect the 5.0 iPlanet Console.
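The two published forms differ only in the quoting of the superior class, so a client that must read cn=schema from servers in either mode needs a parser that is indifferent to it. The following Python is an added example (not iPlanet code or part of this reference): it parses both lines shown above into the same structure and rewrites the legacy form to RFC 2252 quoting; it assumes a single quoted NAME as in the page's examples.

```python
import re

# Accepts an objectclasses value in either the legacy iPlanet form (SUP 'top',
# written when nsslapd-enquote-sup-oc is on) or the RFC 2252 form (SUP top).
# Assumption: a single quoted NAME, as in the page's examples; the RFC's
# NAME ( 'a' 'b' ) list form is not handled here.
_TOKEN = re.compile(
    r"NAME\s+'(?P<name>[^']*)'"
    r"|DESC\s+'(?P<desc>[^']*)'"
    r"|SUP\s+(?:'(?P<sup_q>[^']*)'|\((?P<sup_l>[^)]*)\)|(?P<sup>[\w-]+))"
    r"|(?P<kind>ABSTRACT|STRUCTURAL|AUXILIARY)"
    r"|MUST\s+(?P<must>\([^)]*\)|[\w-]+)"
    r"|MAY\s+(?P<may>\([^)]*\)|[\w-]+)"
)


def _oid_list(text):
    """'( a $ b )' or a bare 'a' -> ['a', 'b'] / ['a']."""
    return [t.strip() for t in text.strip("() ").split("$") if t.strip()]


def parse_objectclass(value):
    """Parse one objectclasses value into a dict; the SUP quoting style is erased."""
    body = value.strip()
    if body.lower().startswith("objectclasses:"):   # allow the full LDIF line
        body = body.split(":", 1)[1].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("objectclass description must be parenthesised")
    oid, _, rest = body[1:-1].strip().partition(" ")
    oc = {"oid": oid, "name": None, "desc": None, "kind": None,
          "sup": [], "must": [], "may": []}
    for m in _TOKEN.finditer(rest):
        if m.group("name") is not None:
            oc["name"] = m.group("name")
        elif m.group("desc") is not None:
            oc["desc"] = m.group("desc")
        elif m.group("kind"):
            oc["kind"] = m.group("kind")
        elif m.group("must"):
            oc["must"] = _oid_list(m.group("must"))
        elif m.group("may"):
            oc["may"] = _oid_list(m.group("may"))
        elif m.group("sup_q") is not None:      # legacy: SUP 'top'
            oc["sup"] = [m.group("sup_q")]
        elif m.group("sup_l") is not None:      # RFC list: SUP ( a $ b )
            oc["sup"] = _oid_list(m.group("sup_l"))
        elif m.group("sup"):                    # RFC: SUP top
            oc["sup"] = [m.group("sup")]
    return oc


def to_rfc2252(value):
    """Rewrite the legacy quoted superior (SUP 'top') to the RFC 2252 form (SUP top)."""
    return re.sub(r"SUP\s+'([^']*)'", r"SUP \1", value)


# The two forms of the person object class shown on this page.
LEGACY = ("objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' "
          "MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ "
          "telephonenumber $ userpassword ) )")
RFC = LEGACY.replace("SUP 'top'", "SUP top")

if __name__ == "__main__":
    assert parse_objectclass(LEGACY) == parse_objectclass(RFC)
    print(parse_objectclass(LEGACY))
```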

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-enquote-sup-oc: off


nsslapd-errorlog (Error Log)

Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they will contain informative conditions such as:

  • server startup and shutdown times

  • port number the server uses

This log will contain differing amounts of information depending on the current setting of the Log Level attribute. See "nsslapd-errorlog-level (Error Log Level)" for more information.

Entry DN

cn=config

Valid Range

Any valid filename

Default Value

installDir/slapd-serverID/logs/error

Syntax

DirectoryString

Solaris 9 Example

nsslapd-errorlog: /var/ds5/slapd-serverID/logs/error

Other Platform Example

nsslapd-errorlog: /usr/iplanet/servers/slapd-serverID/logs/error

For error logging to be enabled, this attribute must have a valid path and file name and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.


Table 2-3    Possible Value Combinations of Error Log Attributes

nsslapd-errorlog-logging-enabled    nsslapd-errorlog    Logging Status
on                                  empty string        Disabled
on                                  filename            Enabled
off                                 empty string        Disabled
off                                 filename            Disabled


nsslapd-errorlog-level (Error Log Level)

Specifies the level of logging to be used by the Directory Server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed.

To turn logging off, remove the nsslapd-errorlog-level attribute from dse.ldif and restart the Directory Server.

Entry DN

cn=config

Valid Range

1 = Trace function calls. Logs a message when the server enters and exits a function.

2 = Debug packet handling

4 = Heavy trace output debugging

8 = Connection management

16 = Print out packets sent/received

32 = Search filter processing

64 = Config file processing

128 = Access control list processing

2048 = Log entry parsing debugging

4096 = Housekeeping thread debugging

8192 = Replication debugging

16384 = Default level of logging used for critical errors and other messages that are always written to the error log, for example server startup messages. Messages at this level are always included in the error log regardless of the log level setting.

32768 = Database cache debugging

65536 = Server plug-in debugging. It writes an entry to the log file when a server plug-in calls slapi-log-error.

Default Value

Logging is turned off (the nsslapd-errorlog-level attribute is not included in the dse.ldif file).

Syntax

Integer

Example

nsslapd-errorlog-level: 8192


nsslapd-errorlog-list

This read-only attribute provides a list of error log files.

Entry DN

cn=config

Valid Range

N/A

Default Value

None

Syntax

DirectoryString

Example

nsslapd-errorlog-list:errorlog2,errorlog3


nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)

Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-errorlog-logexpirationtime: 1


nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)

Specifies the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.

Entry DN

cn=config

Valid Range

month | week | day

Default Value

month

Syntax

DirectoryString

Example

nsslapd-errorlog-logexpirationtimeunit: week


nsslapd-errorlog-logging-enabled (Enable Error Logging)

Turns error logging on and off.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-errorlog-logging-enabled: on


nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)

Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size.

Default Value

500

Syntax

Integer

Example

nsslapd-errorlog-logmaxdiskspace: 500


nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)

Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

nsslapd-errorlog-logminfreediskspace: 5


nsslapd-errorlog-logrotationtime (Error Log Rotation Time)

Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.

For performance reasons, it is not recommended to specify no log rotation as the log will grow indefinitely. However, you have two ways of specifying this. Either you set the nsslapd-errorlog-maxlogsperdir attribute value to 1 or the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See "nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)" on page 54 for more information.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between error log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-errorlog-logrotationtime: 100


nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)

Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, the log will never expire.

Entry DN

cn=config

Valid Range

month | week | day | hour | minute

Default Value

week

Syntax

DirectoryString

Example

nsslapd-errorlog-logrotationtimeunit: day


nsslapd-errorlog-maxlogsize (Maximum Error Log Size)

Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-errorlog-maxlogsperdir to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-errorlog-maxlogsize: 100


nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)

Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.

If the value for this attribute is higher than 1, then you need to check the nsslapd-errorlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1 then there is no log rotation. See "nsslapd-errorlog-logrotationtime (Error Log Rotation Time)" on page 53 for more information.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-errorlog-maxlogsperdir: 10


nsslapd-groupevalnestlevel

Specifies the number of levels of nesting that the access control system will perform for group evaluation.

Entry DN

cn=config

Valid Range

0 to 5

Default Value

5

Syntax

Integer

Example

nsslapd-groupevalnestlevel:5


nsslapd-instancedir (Instance Directory)

Specifies the full path to the directory where this server instance is installed. The hostname is the default serverID given at installation time.

Entry DN

cn=config

Valid Range

Any valid file path.

Default Value

installDir/slapd-serverID

Syntax

DirectoryString

Solaris 9 Example

nsslapd-instancedir: /var/ds5/slapd-phonebook

Other Platform Example

nsslapd-instancedir: /usr/iplanet/servers/slapd-phonebook


nsslapd-ioblocktimeout (IO Block Time Out)

Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.

Entry DN

cn=config

Valid Range

0 to the maximum 32 bit integer value (2147483647) in ticks

Default Value

1800000

Syntax

Integer

Example

nsslapd-ioblocktimeout: 1800000


nsslapd-lastmod (Track Modification Time)

Specifies whether the Directory Server maintains the modification attributes for Directory Server entries. These attributes include:

  • modifiersname—The distinguished name of the person who last modified the entry.

  • modifytimestamp—The timestamp, in GMT format, for when the entry was last modified.

  • creatorsname—The distinguished name of the person who initially created the entry.

  • createtimestamp—The timestamp for when the entry was created in GMT format.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-lastmod: off


nsslapd-listenhost (Listen to IP Address)

Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.

Entry DN

cn=config

Valid Range

Any hostname

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-listenhost: host_name


nsslapd-localhost (Local Host)

This read-only attribute specifies the host machine on which the Directory Server runs.

Entry DN

cn=config

Valid Range

Any fully qualified hostname.

Default Value

Hostname of installed machine.

Syntax

DirectoryString

Example

nsslapd-localhost:phonebook.siroe.com


nsslapd-localuser (Local User)

UNIX installations only. Specifies the user under which the Directory Server runs. The group under which the user runs is derived from this attribute, by examining the groups that the user is a member of. Should the user change, then all the files in the installation directory need to be owned by this user.

Entry DN

cn=config

Valid Range

Any valid user on the local UNIX machine.

Default Value

To run as the same user who started the Directory Server.

Syntax

DirectoryString

Example

nsslapd-localuser: nobody


nsslapd-maxbersize (Maximum Message Size)

Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.

The limit applies to the total size of the LDAP request. For example, if the request is to add an entry, and the entry in the request is larger than two megabytes, then the add request is denied. Care should be taken when changing this attribute and we recommend contacting iPlanet Professional Services before doing so.

Entry DN

cn=config

Valid Range

0 - 2GB (2,147,483,647 bytes) where a value of 0 indicates that the default value should be used.

Default Value

2097152

Syntax

Integer

Example

nsslapd-maxbersize: 2097152


nsslapd-maxdescriptors (Maximum File Descriptors)

Not applicable to directory installations on NT and AIX.

This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server. It is also used for some server activities such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by the server for non-client connections, such as index management and managing replication, as specified in the nsslapd-reservedescriptors attribute. (see "nsslapd-reservedescriptors (Reserved File Descriptors)" on page 62).

The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number will differ depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process. See your operating system documentation for details on file descriptor limits and configuration. It is worth noting that the included idsktune program can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. You should consider increasing the value on this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:

Not listening for new connections -- too many fds open



Note UNIX shells usually have configurable limits on the number of file descriptors. See your operating system documentation for further information regarding limit and ulimit as these limits can often cause problems.



Entry DN

cn=config

Valid Range

1 to 65535

Default Value

1024

Syntax

Integer

Example

nsslapd-maxdescriptors: 1024


nsslapd-maxthreadsperconn (Maximum Threads Per Connection)

Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations. This attribute is not available from the server console.

Entry DN

cn=config

Valid Range

1 to maximum threadnumber

Default Value

5

Syntax

Integer

Example

nsslapd-maxthreadsperconn: 5


nsslapd-nagle

When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies. That is, the sending of data is delayed, in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for Ethernet).

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-nagle: off


nsslapd-plug-in

This read-only attribute lists the syntaxes and matching rules loaded by the server.


nsslapd-port (Port Number)

TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port, you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. On UNIX systems, specifying a port number of less than 1024 requires the Directory Server to run as root.

If you are changing the port number for a configuration directory, you must also update the corresponding Server Instance Entry in the configuration directory. Please note that you need to restart the server for the port number change to be taken into account.

Entry DN

cn=config

Valid Range

1 to 65535

Default Value

389

Syntax

Integer

Example

nsslapd-port: 389


nsslapd-privatenamespaces

Contains the list of the private naming contexts cn=config, cn=schema and cn=monitor.

Entry DN

cn=config

Valid Range

cn=config, cn=schema and cn=monitor

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-privatenamespaces: cn=config


nsslapd-readonly (Read Only)

Specifies whether the whole server is in read-only mode, meaning that neither data in the database(s) nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-readonly: off


nsslapd-referral (Referral)

This multi-valued attribute specifies the LDAP URL(s) to be returned by the suffix when the server receives a request for an entry not belonging to the local tree, that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, suppose the database contains only the entries:

ou=People, dc=siroe,dc=com

but the request is for:

ou=Groups, dc=siroe,dc=com

In this case, the referral is returned so the client may contact the corresponding directory for the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.



Note If you want to use SSL and TLS communications, the Referral attribute should be in the following form:

ldaps://serverHost

Start TLS does not support referrals.



For more information on managing referrals, see Chapter 2, "Configuring Directory Databases" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

Valid LDAP URL in the following format: ldap://serverHost

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-referral: ldap://alternate.siroe.com


nsslapd-referralmode (Referral Mode)

When set, this attribute will send back the referral for any request on any suffix.

Entry DN

cn=config

Valid Range

Valid LDAP URL in the following format: ldap://serverHost

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-referralmode: ldap://backup.siroe.com


nsslapd-reservedescriptors (Reserved File Descriptors)

Not applicable to directory installations on NT and AIX.

This read-only attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (see "nsslapd-maxdescriptors (Maximum File Descriptors)" on page 58).

Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true:

  • The server is replicating to a large number of consumer servers (more than 10) and/or the server is maintaining a large number of index files (more than 30).

  • The server is servicing a large number of LDAP connections.

  • You get error messages reporting that the server is unable to open file descriptors (the actual error message will differ depending on the operation that the server is attempting to perform), but these error messages are NOT related to managing client LDAP connections.

Increasing the value on this attribute may result in more LDAP clients being unable to access your directory. Therefore, when you increase the value on this attribute, increase the value on the nsslapd-maxdescriptors attribute also. Note that you may not be able to increase the nsslapd-maxdescriptors value if your server is already using the maximum number of file descriptors that your operating system allows a process to use (see your operating system documentation for details). If this is the case, then reduce the load on your server by causing LDAP clients to search alternative directory replicas.

To assist you in computing the number of file descriptors you set for this attribute, we suggest you use the following formula:

nsslapd-reservedescriptor =
  20 + (NumBackends * 4) + NumGlobalIndexes + ReplicationDescriptors +
  ChainingBackendDescriptors + PTADescriptors + SSLDescriptors

where the terms are given in the following table:


Table 2-4    Terms for computing the value of nsslapd-reservedescriptor

Term                          Definition
NumldbmBackends               Number of ldbm databases.
NumGlobalIndexes              Total number of configured indexes for all databases including system indexes. By default, there are 8 system indexes and 17 additional indexes per database.
ReplicationDescriptors        NumSupplierReplicas + 8, where NumSupplierReplicas is the number of replicas in the server that can act as a supplier (hub or master).
ChainingBackendDescriptors    NumChainingBackends * nsOperationConnectionsLimit, where nsOperationConnectionsLimit is defined in the database link configuration and is 10 by default.
PTADescriptors                3 if PTA is configured, 0 if PTA is not configured.
SSLDescriptors                5 (4 files + 1 listen socket) if SSL is configured, 0 if SSL is not configured.
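As an added worked example (not part of the iPlanet documentation), the following Python carries the formula through with the terms of Table 2-4 and shows how the reserve eats into nsslapd-maxdescriptors. It assumes the 8 system indexes are counted per database alongside the 17 default indexes, and the ServerLayout field names are chosen here, not taken from the server.

```python
from dataclasses import dataclass

# Constants taken from Table 2-4. Assumption: the "8 system indexes" are counted
# per database, alongside the 17 default additional indexes per database.
SYSTEM_INDEXES_PER_DB = 8
DEFAULT_INDEXES_PER_DB = 17
DEFAULT_OP_CONNECTIONS_LIMIT = 10   # nsOperationConnectionsLimit default for a database link


@dataclass
class ServerLayout:
    """What the formula needs to know about one Directory Server instance (names chosen here)."""
    ldbm_backends: int = 1           # NumldbmBackends (NumBackends in the formula)
    extra_indexes: int = 0           # custom indexes beyond the defaults, summed over all databases
    supplier_replicas: int = 0       # NumSupplierReplicas: replicas that can act as hub or master
    chaining_backends: int = 0       # NumChainingBackends (database links)
    op_connections_limit: int = DEFAULT_OP_CONNECTIONS_LIMIT
    pta_configured: bool = False
    ssl_configured: bool = False


def num_global_indexes(layout):
    """NumGlobalIndexes: all configured indexes for all databases, system indexes included."""
    per_db = SYSTEM_INDEXES_PER_DB + DEFAULT_INDEXES_PER_DB
    return per_db * layout.ldbm_backends + layout.extra_indexes


def reserve_descriptors(layout):
    """20 + NumBackends*4 + NumGlobalIndexes + ReplicationDescriptors
    + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors."""
    replication = layout.supplier_replicas + 8
    chaining = layout.chaining_backends * layout.op_connections_limit
    pta = 3 if layout.pta_configured else 0
    ssl = 5 if layout.ssl_configured else 0          # 4 files + 1 listen socket
    return (20 + layout.ldbm_backends * 4 + num_global_indexes(layout)
            + replication + chaining + pta + ssl)


def client_descriptors(max_descriptors, reserved):
    """Descriptors left for LDAP client connections: nsslapd-maxdescriptors minus the
    reserve. Raising the reserve without raising nsslapd-maxdescriptors squeezes this."""
    if reserved >= max_descriptors:
        raise ValueError("reserve leaves no descriptors for client connections")
    return max_descriptors - reserved


def reserve_is_sufficient(layout, configured_reserve=64):
    """True if the configured nsslapd-reservedescriptors (default 64) covers the computed need."""
    return configured_reserve >= reserve_descriptors(layout)


if __name__ == "__main__":
    small = ServerLayout()                           # one database, nothing else configured
    busy = ServerLayout(ldbm_backends=3, supplier_replicas=2, chaining_backends=1,
                        pta_configured=True, ssl_configured=True)
    for name, layout in (("single database", small),
                         ("3 DBs, 2 suppliers, 1 link, PTA, SSL", busy)):
        need = reserve_descriptors(layout)
        print(f"{name}: reserve {need}, left of 1024 for clients: "
              f"{client_descriptors(1024, need)}, default 64 sufficient: "
              f"{reserve_is_sufficient(layout)}")
```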

Entry DN

cn=config

Valid Range

1 to 65535

Default Value

64

Syntax

Integer

Example

nsslapd-reservedescriptors: 64


nsslapd-return-exact-case (Return Exact Case)

Returns the exact case of attribute type names as requested by the client. Some client applications require attribute names to exactly match the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server, as the result of a search or modify operation. However, most client applications ignore the case of attributes. This attribute is therefore disabled by default. Do not modify it unless you have legacy clients that can check the case of attribute names in results returned from the server.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-return-exact-case: off


nsslapd-rootdn (Manager DN)

Specifies the distinguished name of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory or resource limits in general. The attributes nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-schemacheck do not apply to this DN either.

For information on changing the Root DN, see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

Any valid distinguished name

Default Value

N/A

Syntax

DN

Example

nsslapd-rootdn: cn=Directory Manager


nsslapd-rootpw (Root Password)

Allows you to specify the password associated with the "Manager DN". When you provide the root password, it will be encrypted according to the encryption method you selected for "nsslapd-rootpwstoragescheme (Root Password Storage Scheme)" on page 66. When viewed from the server console, this attribute shows the value *****. When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. Please note that the example below is what you view, not what you type.



Caution

If you configure a root DN at server installation time, you must also provide a root password. However, it is possible for the root password to be deleted from dse.ldif by direct editing of the file. In this situation, the root DN can only obtain the same access to your directory as you allow for anonymous access. Always make sure that a root password is defined in dse.ldif when a root DN is configured for your database.



Entry DN

cn=config

Valid Range

Any valid password encrypted by any one of the encryption methods which are described in "passwordStorageScheme (Password Storage Scheme)".

Default Value

N/A

Syntax

DirectoryString {encryption_method} encrypted_Password

Example

nsslapd-rootpw: {SSHA}9Eko69APCJfF


nsslapd-rootpwstoragescheme (Root Password Storage Scheme)

Available only from the server console. This attribute indicates the encryption method used for the root password.

Entry DN

cn=config

Valid Range

Any encryption method as described in "passwordStorageScheme (Password Storage Scheme)" on page 77.

Default Value

CLEAR

Syntax

DirectoryString

Example

nsslapd-rootpwstoragescheme: SSHA
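Several of the attributes in this chapter only have their documented effect in combination: error logging needs both settings of Table 2-3, rotation depends on nsslapd-*-maxlogsperdir being checked before nsslapd-*-logrotationtime, nsslapd-errorlog-level is an additive bitmask, and a root DN without a root password in dse.ldif is reduced to anonymous access. The following Python is an added example (not iPlanet code): it parses the cn=config entry from a constructed dse.ldif fragment and reports those conditions; treating a {CLEAR} prefix or an unprefixed value as "no hashing scheme" is an assumption about how such a value appears in the file.

```python
# Names for the additive nsslapd-errorlog-level bits listed in this chapter.
LEVEL_NAMES = {
    1: "trace function calls", 2: "packet handling", 4: "heavy trace output",
    8: "connection management", 16: "packets sent/received",
    32: "search filter processing", 64: "config file processing",
    128: "access control list processing", 2048: "entry parsing",
    4096: "housekeeping thread", 8192: "replication",
    16384: "default/critical messages", 32768: "database cache",
    65536: "server plug-in",
}


def parse_ldif_entry(ldif_text, dn):
    """Return {attribute: [values]} for the entry with the given DN. Handles LDIF line
    folding (a continuation line starts with one space); base64 (::) values are not decoded."""
    entries, current = [], []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and current:
            current[-1] += raw[1:]
        elif raw.strip() == "":
            if current:
                entries.append(current)
                current = []
        elif not raw.startswith("#"):
            current.append(raw)
    if current:
        entries.append(current)
    for lines in entries:
        attrs = {}
        for line in lines:
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if attrs.get("dn", [""])[0].lower() == dn.lower():
            return attrs
    raise KeyError(f"entry {dn} not found")


def first(attrs, name, default=""):
    return attrs.get(name.lower(), [default])[0]


def error_logging_enabled(attrs):
    """Table 2-3: only 'on' together with a non-empty nsslapd-errorlog is Enabled."""
    return (first(attrs, "nsslapd-errorlog-logging-enabled").lower() == "on"
            and first(attrs, "nsslapd-errorlog") != "")


def rotation_enabled(attrs, log):
    """log is 'auditlog' or 'errorlog'. Same order the server uses: maxlogsperdir is
    checked first (1 means no rotation), then the time and size triggers (-1 = never)."""
    if int(first(attrs, f"nsslapd-{log}-maxlogsperdir", "1")) <= 1:
        return False
    by_time = int(first(attrs, f"nsslapd-{log}-logrotationtime", "1")) != -1
    by_size = int(first(attrs, f"nsslapd-{log}-maxlogsize", "100")) != -1
    return by_time or by_size


def decode_error_level(level):
    """Split the additive level into its named components, e.g. 3 -> bits 1 and 2."""
    return [name for bit, name in sorted(LEVEL_NAMES.items()) if level & bit]


def root_password_findings(attrs):
    findings = []
    rootdn, rootpw = first(attrs, "nsslapd-rootdn"), first(attrs, "nsslapd-rootpw")
    if rootdn and not rootpw:
        findings.append(f"{rootdn} has no nsslapd-rootpw: root DN limited to anonymous access")
    elif rootpw and (rootpw.startswith("{CLEAR}") or not rootpw.startswith("{")):
        # Assumption: a {CLEAR} or unprefixed value means no hashing scheme is applied.
        findings.append("nsslapd-rootpw is stored without a hashing scheme")
    return findings


def audit(ldif_text):
    cfg = parse_ldif_entry(ldif_text, "cn=config")
    findings = []
    if not error_logging_enabled(cfg):
        findings.append("error logging is disabled (Table 2-3)")
    for log in ("auditlog", "errorlog"):
        if not rotation_enabled(cfg, log):
            findings.append(f"{log} is never rotated and will grow indefinitely")
    findings.extend(root_password_findings(cfg))
    return findings


# Constructed dse.ldif fragment for demonstration; not taken from a real server.
SAMPLE_DSE = """dn: cn=config
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog:
 /var/ds5/slapd-phonebook/logs/error
nsslapd-errorlog-level: 8320
nsslapd-errorlog-maxlogsperdir: 10
nsslapd-errorlog-logrotationtime: 1
nsslapd-errorlog-maxlogsize: 100
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {CLEAR}placeholder-password
"""

if __name__ == "__main__":
    cfg = parse_ldif_entry(SAMPLE_DSE, "cn=config")
    print("error log level:", decode_error_level(int(first(cfg, "nsslapd-errorlog-level"))))
    for finding in audit(SAMPLE_DSE):
        print("FINDING:", finding)
```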


nsslapd-schemacheck (Schema Checking)

Specifies whether the database schema will be enforced during entry insertion or modification. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. You can extend the default schema by adding object classes and attribute types. For information on how to extend your schema using the Directory Server Console, see Chapter 9, "Extending the Directory Schema" in the iPlanet Directory Server Administrator's Guide.



Note Schema checking works by default when database modifications are made using an LDAP client, such as ldapmodify, the Directory Server Console, or when importing a database from LDIF using ldif2db (directoryserver ldif2db on Solaris 9 platforms).

If you turn schema checking off, you will have to verify manually that your entries conform to the schema. If schema checking is turned on, the server sends an error message to inform you of the entries which do not match the schema. Make sure that the attributes and object classes you create in your LDIF statements are both spelled correctly and identified in dse.ldif. You will need to create a file in LDIF format in the schema directory or add the elements to 99user.ldif.



Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-schemacheck: on


nsslapd-securelistenhost

Allows multiple Directory Server instances to run on a multihomed machine, using secure SSL / TLS connections (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.

Entry DN

cn=config

Valid Range

Any hostname that resolves to one of the machine's IP interfaces.

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-securelistenhost: secure_host_name


nsslapd-securePort (Encrypted Port Number)

TCP/IP port number used for SSL/TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. For UNIX systems, specifying a port number of less than 1024 requires that Directory Server runs as root.

The default value 636 is only used if the server has been configured with a private key and a certificate; otherwise it does not listen on this port.

Entry DN

cn=config

Valid Range

1 to 65535

Default Value

636

Syntax

Integer

Example

nsslapd-securePort: 636


nsslapd-security (Security)

Specifies whether the Directory Server is to accept SSL/TLS communications on its encrypted port. If you want secure connections, set this attribute to on; it only takes effect once the server has been configured with a private key and a certificate (see "nsslapd-securePort (Encrypted Port Number)").

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-security: off


nsslapd-sizelimit (Size Limit)

Specifies the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns the entries it has located that match the search request, together with an exceeded size limit error.

When no limit is set, ns-slapd returns every matching entry to the client regardless of the number found. To set no limit, specify a value of -1 for this attribute in the dse.ldif file.

This limit applies to everyone regardless of their organization. Note that it bounds the cost of a single search, so a low value is also a simple defence against clients that try to enumerate the whole directory in one request.



Note A value of -1 on this attribute in the dse.ldif is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. Please note, however, that you cannot specify a negative integer for this field in the server console. You cannot specify a null value in dse.ldif either, as it is not a valid integer.



Entry DN

cn=config

Valid Range

-1 to the maximum 32 bit integer value (2147483647)

Default Value

2000

Syntax

Integer

Example

nsslapd-sizelimit: 2000


nsslapd-threadnumber (Thread Number)

Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify. This ensures that there are other threads available for servicing short-lived operations such as simple searches. This attribute is not available from the server console.

Entry DN

cn=config

Valid Range

1 to the number of threads supported by your system

Default Value

30

Syntax

Integer

Example

nsslapd-threadnumber: 60


nsslapd-timelimit (Time Limit)

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.

When no limit is set, ns-slapd will return every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.



Note A value of -1 on this attribute in the dse.ldif is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. Please note, however, that you cannot specify a negative integer for this field in the server console. You cannot specify a null value in dse.ldif either, as it is not a valid integer.



Entry DN

cn=config

Valid range

-1 to the maximum 32 bit integer value (2147483647) in seconds

Default value

3600

Syntax

Integer

Example

nsslapd-timelimit: 3600


nsslapd-versionstring

Specifies the server version number.

Entry DN

cn=config

Valid range

Any valid server version number.

Default value

N/A

Syntax

DirectoryString

Example

nsslapd-versionstring: iPlanet-Directory/5.1


passwordChange (Password Change)

Indicates whether users may change their passwords.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

passwordChange: on


passwordCheckSyntax (Check Password Syntax)

Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any "trivial" words, such as the user's name or user ID or any attribute value stored in the uid, cn, sn, givenName, ou or mail attributes of the user's directory entry.

For more information on password policies see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

passwordCheckSyntax: off
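The following Python function is an added example of the check this attribute turns on; it is not code from iPlanet Directory Server. It applies the two rules the text describes, the passwordMinLength floor and the "trivial word" test against the uid, cn, sn, givenName, ou and mail values of the entry. The page does not say whether the trivial-word test is an exact match or a substring match; the substring, case-insensitive comparison used here is an assumption. The sample entry is constructed for the example.

```python
from typing import Dict, List

# Attributes whose values the page says count as "trivial" words.
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenName", "ou", "mail")


def check_password_syntax(password: str, entry: Dict[str, List[str]],
                          min_length: int = 6, check_syntax: bool = True) -> List[str]:
    """Return the reasons a new password would be rejected; an empty list means it passes.

    min_length stands for passwordMinLength, check_syntax for passwordCheckSyntax.
    Assumption (not stated on the page): the trivial-word test is a case-insensitive
    substring match of each attribute value against the candidate password.
    """
    if not check_syntax:
        return []                      # passwordCheckSyntax: off -> nothing is checked
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than passwordMinLength ({min_length})")
    lowered = password.lower()
    for attr in TRIVIAL_ATTRS:
        for value in entry.get(attr, []):
            value = value.strip().lower()
            if value and value in lowered:
                problems.append(f"contains the value of {attr}: {value!r}")
    return problems


# Constructed sample entry, not taken from any real directory.
SAMPLE_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "givenName": ["John"],
    "ou": ["Engineering"],
    "mail": ["jdoe@example.com"],
}

if __name__ == "__main__":
    for candidate in ("jdoe1234", "Doe-2024!", "short", "correct horse battery"):
        print(candidate, "->", check_password_syntax(candidate, SAMPLE_ENTRY) or "accepted")
```

Note that the check only runs when a password is written; passwords already stored before passwordCheckSyntax was switched on are not re-examined.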


passwordExp (Password Expiration)

Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge attribute.

For more information on password policies see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

passwordExp: on


passwordHistory (Password History)

Enables password history. Password history refers to whether users are allowed to reuse passwords or not. By default, password history is disabled and users can reuse passwords. If you set this attribute to on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. You set the number of old passwords the Directory Server stores using the passwordInHistory attribute.

For more information on password policies see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

passwordHistory: on


passwordInHistory (Number of Passwords to Remember)

Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the Directory Server does not store any old passwords and so users can reuse passwords. You can enable password history by using the passwordHistory attribute.

To prevent users from rapidly cycling through the number of passwords that you are tracking, use the passwordMinAge attribute.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

2 to 24 passwords

Default Value

6

Syntax

Integer

Example

passwordInHistory: 7


passwordLockout (Account Lockout)

Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

passwordLockout: off


passwordLockoutDuration (Lockout Duration)

Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the passwordLockout attribute.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value

3600

Syntax

Integer

Example

passwordLockoutDuration: 3600


passwordMaxAge (Password Maximum Age)

Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value

8640000 (100 days)

Syntax

Integer

Example

passwordMaxAge: 100


passwordMaxFailure (Maximum Password Failures)

Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the passwordLockout attribute.

For more information on password policies see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647) bind failures

Default Value

3

Syntax

Integer

Example

passwordMaxFailure: 3


passwordMinAge (Password Minimum Age)

Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (Number of Passwords to Remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.


passwordMinLength (Password Minimum Length)

Specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack, so you are recommended to set a password length of at least 6 or 7 characters, which the original guidance considered long enough to be difficult to crack but short enough that users can remember the password without writing it down. That figure dates from 2001; given current password-cracking hardware, a considerably longer minimum is advisable wherever the client applications permit it.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

2 to 512 characters

Default Value

6

Syntax

Integer

Example

passwordMinLength: 6


passwordMustChange (Password Must Change)

Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the "Manager DN".

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

passwordMustChange: off


passwordResetFailureCount (Reset Password Failure Count After)

Indicates the amount of time in seconds after which the password failure counter will be reset. Each time an invalid password is sent for the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, the user is locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute within this window (600 seconds by default). If the window elapses before the counter reaches that number, the counter is reset to zero (0). How long the account then stays locked is governed separately by the passwordLockoutDuration attribute.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value

600

Syntax

Integer

Example

passwordResetFailureCount: 600


passwordStorageScheme (Password Storage Scheme)

Specifies the storage scheme used to hash Directory Server user passwords before they are written to the userPassword attribute. Entering CLEAR for this attribute indicates that the password will be stored in plain text. The scheme is applied when a password is set; passwords stored under a previous scheme keep that form until they are next changed.

The following schemes are supported by the Directory Server 5.1:

  • SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure: each password is hashed with its own random salt, so identical passwords produce different stored values and precomputed dictionary tables cannot be reused across accounts.

  • SHA (Secure Hash Algorithm) is an unsalted hash. This is the method supported by 4.x Directory Servers.

  • CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords; note that traditional crypt uses only the first 8 characters of the password.



    Note You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility.



For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.
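The following Python code is an added example illustrating the SSHA and SHA storage formats described above; it is not code from iPlanet Directory Server. The layout it implements, base64 of the SHA-1 digest followed by the salt under an {SSHA} prefix and base64 of the bare digest under {SHA}, is the format these prefixes denote. The 4-byte salt length and the treatment of a value without a scheme prefix as a CLEAR password are assumptions. CRYPT is deliberately omitted because the standard library no longer ships a portable crypt(3) binding.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 4          # assumption: the salt length the classic Netscape/iPlanet scheme used
SHA1_LEN = 20         # SHA-1 digest length in bytes


def hash_sha(password: str) -> str:
    """{SHA}: unsalted SHA-1 of the password, base64 encoded (the 4.x-compatible scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def hash_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """{SSHA}: base64(SHA-1(password || salt) || salt); the salt travels with the hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate password against a stored value in CLEAR, SHA or SSHA form."""
    if not stored.startswith("{") or "}" not in stored:
        scheme, payload = "CLEAR", stored      # assumption: a bare value is a CLEAR password
    else:
        scheme, payload = stored[1:].split("}", 1)
        scheme = scheme.upper()
    pw = candidate.encode("utf-8")
    if scheme == "CLEAR":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:                         # binascii.Error is a ValueError
        return False
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(pw).digest(), raw)
    if scheme == "SSHA":
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.sha1(pw + salt).digest(), digest)
    raise ValueError(f"unsupported storage scheme {scheme!r}")


if __name__ == "__main__":
    # Two users with the same password: SHA reveals the coincidence, SSHA does not.
    print(hash_sha("secret"), hash_sha("secret"))
    print(hash_ssha("secret"), hash_ssha("secret"))
    print(verify(hash_ssha("secret"), "secret"), verify(hash_ssha("secret"), "Secret"))
```

Constant-time comparison (hmac.compare_digest) matters little for a hash that is stored server-side, but costs nothing; the property worth noticing in the output is that the two SHA values are identical while the two SSHA values differ.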


passwordUnlock (Unlock Account)

Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. If this passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account will be locked indefinitely.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

passwordUnlock: off
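The interplay of passwordLockout, passwordMaxFailure, passwordResetFailureCount, passwordLockoutDuration and passwordUnlock is easier to see as a small state machine. The Python model below is an added example, not code from iPlanet Directory Server; it follows the rules stated on this page for those five attributes. The page names the accountUnlockTime operational attribute (0 meaning locked indefinitely when passwordUnlock is off); the retryCount and retryCountResetTime field names are assumptions, as is the bind sequence used as sample input.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The cn=config lockout attributes, with the page's documented values."""
    passwordLockout: bool = True
    passwordMaxFailure: int = 3
    passwordResetFailureCount: int = 600      # seconds before the failure counter resets
    passwordLockoutDuration: int = 3600       # seconds an account stays locked
    passwordUnlock: bool = True               # False: locked until an administrator resets it


@dataclass
class AccountState:
    """Per-entry state. accountUnlockTime is named on the page; the other two names are assumptions."""
    retryCount: int = 0
    retryCountResetTime: Optional[int] = None
    accountUnlockTime: Optional[int] = None   # 0 = locked indefinitely (passwordUnlock off)


def is_locked(state: AccountState, now: int) -> bool:
    if state.accountUnlockTime is None:
        return False
    if state.accountUnlockTime == 0:
        return True
    return now < state.accountUnlockTime


def record_bind(policy: LockoutPolicy, state: AccountState, now: int, password_ok: bool) -> str:
    """Process one bind attempt at time `now`; returns "ok", "invalid" or "locked"."""
    if policy.passwordLockout and is_locked(state, now):
        return "locked"                       # even a correct password is refused while locked
    if password_ok:
        state.retryCount, state.retryCountResetTime = 0, None
        return "ok"
    # Failures older than passwordResetFailureCount no longer count.
    if state.retryCountResetTime is not None and now >= state.retryCountResetTime:
        state.retryCount = 0
    state.retryCount += 1
    if state.retryCount == 1:
        state.retryCountResetTime = now + policy.passwordResetFailureCount
    if policy.passwordLockout and state.retryCount >= policy.passwordMaxFailure:
        state.accountUnlockTime = now + policy.passwordLockoutDuration if policy.passwordUnlock else 0
        state.retryCount, state.retryCountResetTime = 0, None
    return "invalid"


def admin_reset(state: AccountState) -> None:
    """What an administrator's password reset does to the lockout state."""
    state.retryCount, state.retryCountResetTime, state.accountUnlockTime = 0, None, None


def run(policy: LockoutPolicy, events: List[Tuple[int, bool]]) -> List[str]:
    """Replay (time, password_ok) bind attempts against a fresh account."""
    state = AccountState()
    return [record_bind(policy, state, t, ok) for t, ok in events]


# Constructed bind sequence: two failures, a third after the 600 s window has passed,
# then two more in quick succession, then two correct binds.
SAMPLE_BINDS = [(0, False), (100, False), (700, False), (800, False), (900, False),
                (1000, True), (4500, True)]

if __name__ == "__main__":
    print(run(LockoutPolicy(), SAMPLE_BINDS))
```

With the defaults the third failure at t=700 does not lock the account, because the first two failures have already aged out of the 600-second window; the failures at 700, 800 and 900 do, and the correct password at t=1000 is refused until passwordLockoutDuration has elapsed. A long passwordResetFailureCount makes the policy stricter, and passwordUnlock: off turns every lockout into a help-desk ticket, which is also a denial-of-service lever for anyone who knows a target's DN.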


passwordWarning (Send Warning)

Indicates the number of seconds before a user's password expires that the user will receive a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.

For more information on password policies, see Chapter 7, "User Account Management" in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647) in seconds

Default Value

86400 (1 day)

Syntax

Integer

Example

passwordWarning: 86400
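Taken together, the page's defaults leave syntax checking, expiration and history off and store passwords under whatever scheme passwordStorageScheme names. The LDIF below is an added example, not a fragment from the product documentation, showing how the attributes documented in this section are tightened in one ldapmodify operation against cn=config. The numeric values are illustrative choices within the valid ranges given above, not the product's recommendations.

```ldif
# Added example: tighten the cn=config password policy from the page's defaults.
# Apply with ldapmodify, bound as the root DN (nsslapd-rootdn).
dn: cn=config
changetype: modify
replace: passwordStorageScheme
passwordStorageScheme: SSHA
-
replace: passwordCheckSyntax
passwordCheckSyntax: on
-
replace: passwordMinLength
passwordMinLength: 12
-
replace: passwordHistory
passwordHistory: on
-
replace: passwordInHistory
passwordInHistory: 10
-
replace: passwordMinAge
passwordMinAge: 86400
-
replace: passwordExp
passwordExp: on
-
replace: passwordMaxAge
passwordMaxAge: 7776000
-
replace: passwordWarning
passwordWarning: 604800
-
replace: passwordLockout
passwordLockout: on
-
replace: passwordMaxFailure
passwordMaxFailure: 5
-
replace: passwordResetFailureCount
passwordResetFailureCount: 600
-
replace: passwordLockoutDuration
passwordLockoutDuration: 1800
-
replace: passwordUnlock
passwordUnlock: on
-
replace: passwordMustChange
passwordMustChange: on
```

Changing passwordStorageScheme only affects passwords written afterwards; existing userPassword values keep their old form until each user next changes their password, so a plan to re-hash the population (for example, forcing a change with passwordMustChange after an administrative reset) belongs with this change.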


cn=changelog5

Multi-master replication change log configuration entries are stored under the cn=changelog5 entry. The changelog behaves much like a database, and several of its attributes have the same meaning as for the ldbm databases.

The cn=changelog5,cn=config entry is an instance of the extensibleObject object class. For attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry.

It is worth noting that two different types of change logs are maintained by iPlanet Directory Server 5.1. The first type, which is stored here and referred to as changelog, is used by multi-master replication; the second change log, which is actually a plug-in and referred to as retro changelog, is intended for use by iPlanet Meta Directory. See "Retro Changelog Plug-in" on page 126 of Chapter 3 "Plug-in Implemented Server Functionality Reference" for further information regarding the Retro Changelog Plug-in. Multi-master replication changelog attributes are presented in this section.


nsslapd-changelogdir

This required attribute specifies the name of the directory in which the change log database will be created. Whenever a change log configuration entry is created it must contain a valid directory or the operation will be rejected. The GUI proposes by default that this database be stored under:

Solaris 9 platform

/var/ds5/slapd-serverID/changelogdb

Other platforms

/usr/iplanet/servers/slapd-serverID/changelogdb



Note For performance reasons, it is recommended that you store this database on a different physical disk.



Entry DN

cn=changelog5,cn=config

Valid Range

Any valid path to the directory storing the changelog

Default Value

None

Syntax

DirectoryString

Example

nsslapd-changelogdir: /usr/myhome/slapd-local/changelogdb


nsslapd-changelogmaxage (Max Changelog Age)

Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed. If this attribute is absent, there is no age limit on change log records. For information on the change log, see "nsslapd-changelogdir."

Entry DN

cn=changelog5,cn=config

Valid Range

0 (meaning that entries are not removed according to their age) to maximum integer (2147483647)

Default Value

0

Syntax

DirectoryString IntegerAgeID

where AgeID is "s" for seconds, "m" for minutes, "h" for hours, "d" for days, or "w" for weeks.

Example

nsslapd-changelogmaxage: 30d


nsslapd-changelogmaxentries (Max Changelog Records)

Specifies the maximum number of records the change log may contain. If this attribute is absent, there is no maximum number of records the change log can contain. For information on the change log, see "nsslapd-changelogdir".

Entry DN

cn=changelog5,cn=config

Valid Range

0 (meaning that the only maximum limit is the disk size) to maximum integer (2147483647)

Default Value

0

Syntax

Integer

Example

nsslapd-changelogmaxentries: 5000
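The two trimming limits above are easiest to reason about on a concrete change log. The Python below is an added example, not code from iPlanet Directory Server: it parses the IntegerAgeID syntax of nsslapd-changelogmaxage and applies both limits to a list of (CSN, timestamp) records. The change log records, CSN strings and the assumption that a bare integer with no AgeID suffix (such as the default 0) is a number of seconds are all constructed for the example.

```python
import re
from typing import List, Tuple

# AgeID suffixes from the nsslapd-changelogmaxage syntax, in seconds.
AGE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_age(value: str) -> int:
    """Convert an IntegerAgeID value such as "30d" to seconds.

    Assumption: a bare integer with no AgeID suffix (the default "0") is taken as seconds.
    """
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"not an IntegerAgeID value: {value!r}")
    return int(m.group(1)) * AGE_UNITS[m.group(2) or "s"]


def trim_changelog(records: List[Tuple[str, int]], now: int,
                   maxage: str = "0", maxentries: int = 0) -> List[Tuple[str, int]]:
    """Apply nsslapd-changelogmaxage and nsslapd-changelogmaxentries to a change log.

    records are (csn, timestamp) pairs ordered oldest first. 0 for either limit means
    "no limit", as the page states. Returns the records that survive trimming.
    """
    max_age = parse_age(maxage)
    kept = [r for r in records if max_age == 0 or now - r[1] <= max_age]
    if maxentries > 0 and len(kept) > maxentries:
        kept = kept[-maxentries:]          # the oldest records are the ones dropped
    return kept


# Constructed change log: ten records, one every 100 seconds; the CSNs are placeholders.
SAMPLE_LOG = [(f"csn-{i:02d}", i * 100) for i in range(10)]

if __name__ == "__main__":
    survivors = trim_changelog(SAMPLE_LOG, now=1000, maxage="500s", maxentries=3)
    print([csn for csn, _ in survivors])
```

A record trimmed from the change log can no longer be sent to a consumer, so a consumer that has been unreachable for longer than nsslapd-changelogmaxage, or that has fallen more than nsslapd-changelogmaxentries changes behind, has to be re-initialized from the supplier rather than catching up incrementally. Size both limits against the longest outage you intend to survive.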


cn=encryption

Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class. For encryption related attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Encryption configuration attributes are presented in this section.


nssslsessiontimeout

Specifies the lifetime of an SSL session, that is, how long a client may resume a previously negotiated session without performing a full handshake, for both SSLv2 and SSLv3. The minimum timeout value is 5 seconds; if you enter a value below this, it is automatically replaced by 5 seconds. Values outside the valid ranges are replaced by the default value of 100 seconds (SSLv2).

Entry DN

cn=encryption,cn=config

Valid Range

SSLv2 5 seconds to 100 seconds

SSLv3 5 seconds to 24 hours

Default Value

0, which stands for 100 seconds if you are running SSLv2 and 24 hours if you are running SSLv3

Syntax

Integer

Example

nssslsessiontimeout: 5


nssslclientauth

Specifies whether the server asks clients for an SSL certificate during the handshake: off means no client certificate is requested, allowed means one is requested but a connection without a valid certificate is still accepted, and required means the connection is refused unless the client presents a valid certificate.

Entry DN

cn=encryption,cn=config

Valid Range

off | allowed | required

Default Value

allowed

Syntax

DirectoryString

Example

nssslclientauth: allowed


nsssl2

Enables SSL version 2. SSLv2 has well-known protocol weaknesses; leave it off unless a legacy client cannot negotiate SSLv3.

Entry DN

cn=encryption,cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsssl2: on


nsssl3

Supports SSL version 3.

Entry DN

cn=encryption,cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsssl3: on


nsssl3ciphers

This multi-valued attribute specifies the set of encryption ciphers the Directory Server will use during SSL communications. For more information on the ciphers supported by the Directory Server, see Chapter 11, "Managing SSL", in the iPlanet Directory Server Administrator's Guide.

Entry DN

cn=encryption,cn=config

Valid Range

For domestic versions, any combination of the following:
For SSLv3

rsa_null_md5
rsa_rc4_128_md5
rsa_rc4_40_md5
rsa_rc2_40_md5
rsa_des_sha
rsa_fips_des_sha
rsa_3des_sha
rsa_fips_3des_sha

For TLS

tls_rsa_export1024_with_rc4_56_sha
tls_rsa_export1024_with_des_cbc_sha

Default Value

N/A

Syntax

DirectoryString

A comma-separated list in which each cipher name is preceded by a + symbol to enable it or a - symbol to disable it. Blank spaces are not allowed anywhere in the list.

To enable all ciphers you can specify +all. This does not include rsa_null_md5, which must be named explicitly; rsa_null_md5 authenticates the server but does not encrypt the connection, so there is no reason to enable it on a production directory.

Example

nsssl3ciphers: +all,-rsa_rc4_40_md5,-rsa_rc2_40_md5
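To make the list syntax concrete, the Python below is an added example, not code from iPlanet Directory Server: it resolves an nsssl3ciphers value into the set of enabled ciphers using the rules stated above (+/- prefixes, comma separation, no blanks, +all excludes rsa_null_md5) and the cipher names this page lists for the domestic version, then flags the enabled ciphers a reviewer would object to. Case-insensitive names, left-to-right application so a later token overrides an earlier one, and -all disabling everything including the null cipher are assumptions.

```python
from typing import List, Set

# Cipher names listed on this page for the domestic version.
SSL3_CIPHERS = {
    "rsa_null_md5", "rsa_rc4_128_md5", "rsa_rc4_40_md5", "rsa_rc2_40_md5",
    "rsa_des_sha", "rsa_fips_des_sha", "rsa_3des_sha", "rsa_fips_3des_sha",
}
TLS_CIPHERS = {"tls_rsa_export1024_with_rc4_56_sha", "tls_rsa_export1024_with_des_cbc_sha"}
KNOWN_CIPHERS = SSL3_CIPHERS | TLS_CIPHERS
NULL_CIPHER = "rsa_null_md5"               # authenticates the server but does not encrypt
SINGLE_DES = {"rsa_des_sha", "rsa_fips_des_sha"}


def parse_cipher_list(spec: str) -> Set[str]:
    """Resolve an nsssl3ciphers value into the set of enabled ciphers.

    Rules taken from the page: each token is + or - followed by a cipher name,
    tokens are comma separated, no blanks are allowed, and +all enables every
    cipher except rsa_null_md5. Assumptions: names are case-insensitive, tokens
    apply left to right so a later token overrides an earlier one, and -all
    disables everything including the null cipher.
    """
    if any(ch.isspace() for ch in spec):
        raise ValueError("blank spaces are not allowed in the cipher list")
    enabled: Set[str] = set()
    for token in spec.split(","):
        if len(token) < 2 or token[0] not in "+-":
            raise ValueError(f"malformed token {token!r}")
        sign, name = token[0], token[1:].lower()
        if name == "all":
            targets = KNOWN_CIPHERS - {NULL_CIPHER} if sign == "+" else KNOWN_CIPHERS
        elif name in KNOWN_CIPHERS:
            targets = {name}
        else:
            raise ValueError(f"unknown cipher {name!r}")
        if sign == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def weak_ciphers(enabled: Set[str]) -> List[str]:
    """Enabled ciphers a reviewer would flag: no encryption, 40/56-bit export grade, or single DES."""
    return sorted(c for c in enabled
                  if c == NULL_CIPHER or "_40_" in c or "export" in c or c in SINGLE_DES)


if __name__ == "__main__":
    setting = "+all,-rsa_rc4_40_md5,-rsa_rc2_40_md5"
    print(sorted(parse_cipher_list(setting)))
    print("weak:", weak_ciphers(parse_cipher_list(setting)))
```

Running the audit against +all shows that even the page's broadest setting still carries single-DES and the two TLS export suites; on a current network the only suites in this list worth enabling are rsa_3des_sha and rsa_fips_3des_sha, with rsa_rc4_128_md5 as the fallback for clients that cannot do 3DES.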

If you are using the Directory Server Console to set the cipher preferences, the values on the SSL 3.0 tab of the Cipher Preference dialog box correspond to the following:


Table 2-5    SSLv3 Ciphers

Cipher in Console        Corresponding SSLv3 Cipher
None                     rsa_null_md5
RC4                      rsa_rc4_128_md5
RC4 (Export)             rsa_rc4_40_md5
RC2 (Export)             rsa_rc2_40_md5
DES                      rsa_des_sha
DES (FIPS)               rsa_fips_des_sha
Triple-DES               rsa_3des_sha
Triple-DES (FIPS)        rsa_fips_3des_sha

If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following:


Table 2-6    TLS Ciphers

Cipher in Console        Corresponding TLS Cipher
RC4 (Export)             tls_rsa_export1024_with_rc4_56_sha
DES (Export)             tls_rsa_export1024_with_des_cbc_sha


cn=features

No attributes to document


cn=mapping tree

Configuration attributes for suffixes and replication are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry

cn="suffixName",cn=mapping tree,cn=config.

Replication configuration attributes are stored under cn=replica,cn="suffixName",cn=mapping tree,cn=config

with the replication agreement attributes under cn=replicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree, cn=config.


Suffix Configuration Attributes Under cn="suffixName"

Suffix configuration attributes are stored under the cn="suffixName" entry, for example cn="dc=siroe,dc=com". This entry is an instance of the nsMappingTree object class which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server these object classes (in addition to the top object class) must be present in the entry. Suffix configuration attributes are presented in this section.


nsslapd-state

Determines how the suffix handles operations.

Entry DN

cn="suffixName",cn=mapping tree,cn=config

Valid Range

backend = the backend (database) is used to process all operations

disabled = the database is not available for processing operations. The server returns a "No such search object" error in response to requests made by client applications.

referral = a referral is returned for requests made to this suffix.

referral on update = the database is used for all operations except update requests, which receive a referral.

Default Value

disabled

Syntax

DirectoryString

Example

nsslapd-state: backend


nsslapd-backend

Gives the name of the database or database link used to process requests. This attribute can be multi valued, with one database or database link per value. This attribute is required when the value of the nsslapd-state attribute is set to backend or referral on update.

Entry DN

cn="suffixName",cn=mapping tree,cn=config

Valid Range

Any valid partition name

Default Value

None

Syntax

DirectoryString

Example

nsslapd-backend: NetscapeRoot


Replication Attributes Under cn=replica, cn="suffixName",cn=mapping tree,cn=config

Replication configuration attributes are stored under cn=replica,cn="suffixName",cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication configuration attributes are presented in this section. For further information regarding replication, see Chapter 8, "Managing Replication" in the iPlanet Directory Server Administrator's Guide.


cn

This attribute is used for naming. Once this attribute has been set it cannot be modified.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Any valid suffix name

Default Value

cn=replica

Syntax

DirectoryString

Example

cn: "cn=replica"


nsDS5Flags

This attribute specifies replica properties as flags. At present only one flag exists, which determines whether changes to the replica are written to the change log (required on any replica that supplies updates to others).

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Changelog activation

0 = no changes are logged

1 = changes are logged

Default Value

0 (no changes are logged)

Syntax

Integer

Example

nsDS5Flags: 0


nsDS5ReplicaBindDN

This multi-valued attribute specifies the DN to use when binding. Although you can have more than one value in this cn=replica entry, you can only have one supplier bind DN per replication agreement. The value can either be the DN of the local entry on the consumer server or, in the case of an SSL connection, the certificate identity associated with the same DN.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Any valid DN

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaBindDN: cn=replication manager, cn=config


nsDS5ReplicaChangeCount

This read-only attribute informs you of the total number of entries in the change log (whether they still remain to be replicated or not). When the change log is purged, only the entries that are still to be replicated are left. See "nsDS5ReplicaPurgeDelay" and "nsDS5ReplicaTombstonePurgeInterval" for more information regarding purge operation properties.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

-1 to maximum integer (2147483647)

Default Value

N/A

Syntax

Integer

Example

nsDS5ReplicaChangeCount: 675


nsDS5ReplicaId

Specifies the unique ID for masters in a given replication environment.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

0 to 254

Default Value

N/A

Syntax

Integer

Example

nsDS5ReplicaId: 1


nsDS5ReplicaLegacyConsumer

If this attribute is absent or has a value of false, then the replica is not a legacy consumer.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

true | false

Default Value

false

Syntax

DirectoryString

Example

nsDS5ReplicaLegacyConsumer: false


nsDS5ReplicaName

This read-only attribute specifies the name of the replica with a unique identifier for internal operations. This unique identifier is allocated by the server when the replica is created. This attribute is destined for internal use only.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

N/A

Default Value

N/A

Syntax

DirectoryString (a UID identifies the replica)

Example

nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648


nsDS5ReplicaPurgeDelay

This multi-valued attribute specifies the period of time in seconds after which internal purge operations will be performed on the change log. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in your replication policy, to avoid incurring conflict resolution problems and server divergence.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

0 (keep forever) to maximum integer (2147483647)

Default Value

604800 (1 week, 60x60x24x7)

Syntax

Integer

Example

nsDS5ReplicaPurgeDelay: 604800


nsDS5ReplicaReferral

This multi valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Any valid LDAP URL

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaReferral: ldap://ldap.aceindustry.com


nsDS5ReplicaRoot

Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated. It cannot be modified.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Suffix of the database being replicated

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaRoot: "dc=siroe,dc=com"


nsDS5ReplicaTombstonePurgeInterval

Specifies the time interval in seconds between purge operation cycles. When setting this attribute, bear in mind that the purge operation is time consuming.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

0 to maximum integer (2147483647) in seconds

Default Value

3600 (1 hour)

Syntax

Integer

Example

nsDS5ReplicaTombstonePurgeInterval: 3600


nsDS5ReplicaType

Defines the type of replication relationship that exists between this replica and the others.

Entry DN

cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

0 = unknown

1 = primary (not yet used)

2 = consumer (read-only)

3 = consumer/supplier (updateable)

Default Value

N/A

Syntax

Integer

Example

nsDS5ReplicaType: 2


nsState

This attribute stores information on the state of the server clock. It is destined for internal use only: it ensures that the server never generates a change sequence number (CSN) lower than ones it has already issued, which is how backward clock movement is detected.


Replication Attributes Under cn=ReplicationAgreementName,cn=replica, cn="suffixName", cn=mapping tree,cn=config

The replication attributes that concern the replication agreement are stored under cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config. Unlike the cn=replica entry, the cn=ReplicationAgreementName entry is an instance of the nsDS5ReplicationAgreement object class. For replication agreement configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication Agreements are configured only on supplier replicas. The replication agreement configuration attributes are presented in this section.


description

Free form text description of the replication agreement. This attribute can be modified.

Entry DN

cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Any string.

Default Value

N/A

Syntax

DirectoryString

Example

description: Replication Agreement between Server A and Server B.


nsDS5ReplicaBindDN

Specifies the DN to use when binding. The value of this attribute must be the same as the one in cn=replica on the consumer replica. This may be empty if certificate based authentication is used. This can also be modified.

Entry DN

cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

Any valid DN

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaBindDN: cn=replication manager,cn=config


nsDS5ReplicaBindMethod

Specifies the method to use for binding. This attribute can be modified.

Entry DN

cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config

Valid Range

SIMPLE (this bind method requires a DN and password)

SSLCLIENTAUTH (the supplier authenticates with its SSL client certificate)

Default Value

SIMPLE

Syntax

DirectoryString

Example

nsDS5ReplicaBindMethod: SIMPLE


nsDS5ReplicaChangesSentSinceStartup

This read-only attribute provides you with the number of changes sent to this replica since the server started.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

0 to maximum integer (2147483647)

Default Value

N/A

Syntax

Integer

Example

nsDS5ReplicaChangesSentSinceStartup: 647


nsDS5ReplicaCredentials

Specifies the credentials for the bind DN (given in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value of this attribute can be modified. When certificate-based authentication is used, this attribute may have no value. The example below shows the stored, encrypted form: it is what you see when you read the entry, not what you type.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

Any valid password, which is then encrypted using the DES reversible password encryption scheme.

Default Value

N/A

Syntax

DirectoryString {DES} encrypted_password

Example

nsDS5ReplicaCredentials: {DES} 9Eko69APCJfFReplica


nsDS5ReplicaHost

Specifies the hostname for the remote server containing the consumer replica. Once this attribute has been set it cannot be modified.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

Any valid host server name

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaHost: MyServer


nsDS5ReplicaLastInitEnd

This optional, read-only attribute states when the initialization of the consumer replica ended.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

N/A

Default Value

N/A

Syntax

GeneralizedTime

Example

nsDS5ReplicaLastInitEnd: YYYYMMDDhhmmssZ (19711223113229)


nsDS5ReplicaLastInitStart

This optional, read-only attribute states when the initialization of the consumer replica started.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

N/A

Default Value

N/A

Syntax

GeneralizedTime

Example

nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000)


nsDS5ReplicaLastInitStatus

This optional, read-only attribute provides status for the initialization of the consumer.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

0 (Consumer Initialization Succeeded) followed by any other status message.

Default Value

N/A

Syntax

String

Example

nsDS5ReplicaLastInitStatus: 0 Consumer Initialization Succeeded


nsDS5ReplicaLastUpdateEnd

This read-only attribute states when the most recent replication schedule update ended.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

N/A

Default Value

N/A

Syntax

GeneralizedTime

Example

nsDS5ReplicaLastUpdateEnd: YYYYMMDDhhmmssZ (20000902160000)


nsDS5ReplicaLastUpdateStart

This read-only attribute states when the most recent replication schedule update started.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

N/A

Default Value

N/A

Syntax

GeneralizedTime

Example

nsDS5ReplicaLastUpdateStart: YYYYMMDDhhmmssZ (20000902160000)


nsDS5ReplicaLastUpdateStatus

This read-only attribute provides the status for the most recent replication schedule updates.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

0 (no replication sessions started) followed by any other error or status message

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully


nsDS5ReplicaPort

Specifies the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

Port number for the remote server containing the replica.

Default Value

N/A

Syntax

Integer

Example

nsDS5ReplicaPort: 389


nsDS5ReplicaRefresh

Allows you to initialize your replica. This attribute is absent by default. However, if you add this attribute with a value of start, the server reinitializes the replica and removes the attribute value.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

stop | start

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaRefresh: start


nsDS5ReplicaRoot

Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated. It cannot be modified.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

Suffix of the database being replicated

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaRoot: "dc=siroe,dc=com"


nsDS5ReplicaTimeout

This attribute specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing. If you see "Warning: timed out waiting" messages in the error log file, increase the value of this attribute.

You can find out how long the operation actually took by examining the access log on the remote machine, and then set the nsDS5ReplicaTimeout attribute accordingly to optimize performance.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

0 to maximum integer value (2147483647) in seconds

Default Value

600

Syntax

Integer

Example

nsDS5ReplicaTimeout: 600


nsDS5ReplicaTransportInfo

Specifies the type of transport used for transporting data to and from the replica. The attribute value can be either SSL, which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used. If this attribute is absent, regular LDAP connections are used. This attribute cannot be modified once set.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

SSL | LDAP

Default Value

absent

Syntax

DirectoryString

Example

nsDS5ReplicaTransportInfo: LDAP
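
The bind method, transport and credential attributes above interact: a SIMPLE bind over a plain LDAP transport sends the replication manager password across the network in clear, SSLCLIENTAUTH is only meaningful over SSL, and stored {DES} credentials are reversible, so they should not be kept when certificate authentication is in use. The Python below is an added example, not part of this reference or of the Directory Server, that parses an agreement entry exported as LDIF and reports such combinations. Both LDIF entries are constructed samples (the agreement name, hostname and port 636 are assumptions), the small LDIF reader is the example's own, and the status helper reads the leading number of nsDS5ReplicaLastUpdateStatus.

```python
import base64
import re

# Constructed LDIF export of a replication agreement entry (not taken from a
# real server). It carries the weak combination this audit is meant to catch:
# a SIMPLE bind with nsDS5ReplicaTransportInfo absent, i.e. plain LDAP.
WEAK_AGREEMENT_LDIF = """\
dn: cn=Agreement to B,cn=replica,cn="dc=siroe,dc=com",cn=mapping tree,cn=config
cn: Agreement to B
description: Replication Agreement between Server A and Server B.
nsDS5ReplicaHost: MyServer
nsDS5ReplicaPort: 389
nsDS5ReplicaBindDN: cn=replication manager,cn=config
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaCredentials: {DES} 9Eko69APCJfFReplica
nsDS5ReplicaRoot: dc=siroe,dc=com
nsDS5ReplicaTimeout: 600
nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully
"""

# The same agreement with certificate authentication over SSL and no stored
# password (constructed; port 636 is an assumption).
HARDENED_AGREEMENT_LDIF = """\
dn: cn=Agreement to B,cn=replica,cn="dc=siroe,dc=com",cn=mapping tree,cn=config
cn: Agreement to B
nsDS5ReplicaHost: MyServer
nsDS5ReplicaPort: 636
nsDS5ReplicaBindMethod: SSLCLIENTAUTH
nsDS5ReplicaTransportInfo: SSL
nsDS5ReplicaRoot: dc=siroe,dc=com
nsDS5ReplicaTimeout: 600
nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully
"""


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercase: [values]}.

    Handles '#' comment lines, RFC 2849 continuation lines (a leading space
    joins the line to the previous one) and base64 values ('attr:: ...').
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entry = {}
    for line in logical:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def _first(entry, attr, default=None):
    values = entry.get(attr.lower())
    return values[0] if values else default


def audit_agreement(entry):
    """Return a list of findings for one replication agreement entry.

    Defaults follow the reference: bind method SIMPLE when absent, transport
    LDAP when nsDS5ReplicaTransportInfo is absent.
    """
    findings = []
    method = _first(entry, "nsDS5ReplicaBindMethod", "SIMPLE").upper()
    transport = _first(entry, "nsDS5ReplicaTransportInfo", "LDAP").upper()
    bind_dn = _first(entry, "nsDS5ReplicaBindDN")
    creds = _first(entry, "nsDS5ReplicaCredentials")

    if method == "SIMPLE":
        if transport != "SSL":
            findings.append("SIMPLE bind over plain LDAP: the replication "
                            "manager password crosses the network in clear")
        if not bind_dn or not creds:
            findings.append("SIMPLE bind needs both nsDS5ReplicaBindDN and "
                            "nsDS5ReplicaCredentials")
    elif method == "SSLCLIENTAUTH":
        if transport != "SSL":
            findings.append("SSLCLIENTAUTH needs nsDS5ReplicaTransportInfo: SSL")
        if creds:
            findings.append("stored {DES} credentials are reversible and "
                            "unused with SSLCLIENTAUTH; remove them")
    else:
        findings.append(f"unknown bind method {method!r}")

    # Port and timeout have Integer syntax; anything else is a typo.
    for attr in ("nsDS5ReplicaPort", "nsDS5ReplicaTimeout"):
        value = _first(entry, attr)
        if value is not None and not re.fullmatch(r"\d+", value):
            findings.append(f"{attr} must be an integer, got {value!r}")
    return findings


def last_update_code(entry):
    """Leading numeric code of nsDS5ReplicaLastUpdateStatus, None if absent."""
    status = _first(entry, "nsDS5ReplicaLastUpdateStatus")
    if status is None:
        return None
    match = re.match(r"\s*(-?\d+)", status)
    return int(match.group(1)) if match else None


if __name__ == "__main__":
    for label, ldif in (("weak", WEAK_AGREEMENT_LDIF),
                        ("hardened", HARDENED_AGREEMENT_LDIF)):
        entry = parse_ldif_entry(ldif)
        print(label, "- last update code:", last_update_code(entry))
        for finding in audit_agreement(entry) or ["no findings"]:
            print("  -", finding)
```

Run against an export of the agreement entries (for example the output of ldapsearch with the replication manager's own credentials), the weak sample yields the clear-text password finding and the hardened sample yields nothing. The defaults applied when an attribute is absent are the ones this reference documents, which is exactly why an absent nsDS5ReplicaTransportInfo is treated as plain LDAP.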


nsDS5ReplicaUpdateInProgress

This read-only attribute states whether or not a replication schedule update is in progress.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

true | false

Default Value

N/A

Syntax

DirectoryString

Example

nsDS5ReplicaUpdateInProgress: true


nsDS5ReplicaUpdateSchedule

This multi valued attribute specifies the replication schedule. It can be modified.

Entry DN

cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree, cn=config

Valid Range

Time schedule presented as XXXX-YYYY 0123456, where XXXX is the starting hour, YYYY is the finishing hour, and the digits 0123456 are the days of the week, starting with 0 for Sunday.

Default Value

0000-2359 0123456 (all the time)

Syntax

Integer

Example

nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
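
The schedule format is easy to get wrong by hand, so here is an added Python example (not from this reference or the Directory Server) that parses nsDS5ReplicaUpdateSchedule values and decides whether replication may run at a given time. It treats an absent attribute as the default 0000-2359 0123456 and, as this example's own assumption, requires that a window not cross midnight, rejecting values whose end precedes the start rather than guessing at their meaning.

```python
import re
from datetime import datetime

# One value: HHMM-HHMM followed by the days of the week, 0 = Sunday.
_SCHEDULE_RE = re.compile(r"^(\d{4})-(\d{4}) ([0-6]{1,7})$")


def _minutes(hhmm, value):
    """Convert HHMM to minutes since midnight, validating the fields."""
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    if hour > 23 or minute > 59:
        raise ValueError(f"bad time {hhmm!r} in schedule {value!r}")
    return hour * 60 + minute


def parse_schedule(value):
    """Parse one nsDS5ReplicaUpdateSchedule value.

    Returns (start_minute, end_minute, frozenset_of_days). Assumption made by
    this example: a window does not cross midnight, so the end must not
    precede the start; such values are rejected rather than interpreted.
    """
    match = _SCHEDULE_RE.match(value.strip())
    if not match:
        raise ValueError(f"malformed schedule {value!r}")
    start, end, days = match.groups()
    start_min, end_min = _minutes(start, value), _minutes(end, value)
    if end_min < start_min:
        raise ValueError(f"window ends before it starts in {value!r}")
    if len(set(days)) != len(days):
        raise ValueError(f"duplicate day in {value!r}")
    return start_min, end_min, frozenset(int(d) for d in days)


def is_valid_schedule(value):
    """True if parse_schedule accepts the value."""
    try:
        parse_schedule(value)
        return True
    except ValueError:
        return False


def replication_allowed(values, when):
    """True if `when` (a datetime) falls inside any configured window.

    An absent attribute means the default 0000-2359 0123456, i.e. always.
    Python's weekday() has Monday = 0 while the schedule has Sunday = 0.
    """
    if not values:
        return True
    day = (when.weekday() + 1) % 7
    now = when.hour * 60 + when.minute
    for value in values:
        start_min, end_min, days = parse_schedule(value)
        if day in days and start_min <= now <= end_min:
            return True
    return False


def replication_allowed_at(values, iso_timestamp):
    """Convenience wrapper taking an ISO 8601 string such as '2001-10-29T23:00'."""
    return replication_allowed(values, datetime.fromisoformat(iso_timestamp))


if __name__ == "__main__":
    nightly = ["2200-2359 12345", "0000-0600 12345"]   # constructed schedule
    print(replication_allowed_at(nightly, "2001-10-29T23:00"))  # Monday night
    print(replication_allowed_at(nightly, "2001-10-28T23:00"))  # Sunday night
```

Because the attribute is multi-valued, a weeknight window that spans midnight is expressed as two values, one ending at 2359 and one starting at 0000, which is how the sample in the main block is written.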


nsDS50ruv

This attribute is responsible for managing the internal state of the replica via the replication update vector. It is always present and must not be changed.


cn=monitor

Monitoring read-only information is stored under cn=monitor,cn=config. The cn=monitor entry is an instance of the extensibleObject object class. For cn=monitor configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. The cn=monitor read-only attributes are presented in this section.


connection

List of open connections, each given in the following format:

connection=31:20010201164808Z:45:45::cn=directory manager

where 31 is the connection number, 20010201164808Z is the date the connection was opened, 45 is the number of operations received, 45 is the number of completed operations, and cn=directory manager is the bind DN.
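
As an added example (not from this reference or the Directory Server), the Python below parses connection values of this format and classifies them the way an operator reviewing cn=monitor would: connections bound as a privileged identity, anonymous connections (empty bind DN), and connections with operations received but not yet completed. The fifth, empty field is not documented on this page and is kept as a raw string; the sample values and the list of privileged DNs are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Connection:
    number: int
    opened: datetime      # time the connection was opened, as UTC
    received: int         # operations received on the connection
    completed: int        # operations completed on the connection
    flags: str            # fifth field, not documented on the page; kept raw
    bind_dn: str          # empty string for an anonymous connection

    @property
    def pending(self):
        """Operations received but not yet completed."""
        return self.received - self.completed


def parse_connection(value):
    """Parse one cn=monitor 'connection' value.

    Accepts both 'connection=31:...' as printed in the reference and the bare
    value '31:...'. The bind DN is the last field and may itself contain
    colons, so the split is limited to five separators.
    """
    text = value.strip()
    if text.startswith("connection="):
        text = text[len("connection="):]
    parts = text.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"expected 6 colon-separated fields in {value!r}")
    number, opened, received, completed, flags, bind_dn = parts
    opened_dt = datetime.strptime(opened, "%Y%m%d%H%M%SZ")
    opened_dt = opened_dt.replace(tzinfo=timezone.utc)
    return Connection(int(number), opened_dt, int(received),
                      int(completed), flags, bind_dn)


# Identities whose use for routine application traffic is worth flagging
# (constructed list; adjust to the deployment).
PRIVILEGED_BIND_DNS = {"cn=directory manager"}


def review_connections(values, privileged=PRIVILEGED_BIND_DNS):
    """Group connection numbers by what a reviewer would want to look at."""
    privileged_lower = {dn.lower() for dn in privileged}
    report = {"privileged": [], "anonymous": [], "backlog": []}
    for conn in map(parse_connection, values):
        if conn.bind_dn.lower() in privileged_lower:
            report["privileged"].append(conn.number)
        if conn.bind_dn == "":
            report["anonymous"].append(conn.number)
        if conn.pending > 0:
            report["backlog"].append(conn.number)
    return report


# Constructed sample: one privileged bind, one application account with a
# backlog of unfinished operations, one anonymous connection.
SAMPLE_CONNECTIONS = [
    "connection=31:20010201164808Z:45:45::cn=directory manager",
    "32:20010201170012Z:120:118::uid=app1,ou=services,dc=siroe,dc=com",
    "33:20010201170200Z:3:3::",
]


if __name__ == "__main__":
    for conn in map(parse_connection, SAMPLE_CONNECTIONS):
        print(conn.number, conn.opened.isoformat(), conn.pending,
              conn.bind_dn or "<anonymous>")
    print(review_connections(SAMPLE_CONNECTIONS))
```

The same parser applies to a periodic ldapsearch of cn=monitor, which makes it straightforward to trend the backlog per bind DN or to alert when the directory manager account is seen on more than the expected administrative sessions.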


currentConnections

Number of current Directory Server connections.


totalConnections

Total number of Directory Server connections.


dTableSize

Size of the Directory Server descriptor table.


readWaiters

Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.


opsInitiated

Number of Directory Server operations initiated.


opsCompleted

Number of Directory Server operations completed.


entriesSent

Number of entries sent by Directory Server.


bytesSent

Number of bytes sent by Directory Server.


currentTime

Current time usually given in Greenwich Mean Time (indicated by GeneralizedTime syntax Z notation, for example 20010202131102Z).


startTime

Directory Server start time.


nbackEnds

Number of Directory Server backends.


backendMonitorDN

DN for each Directory Server backend.

For further database monitoring information, see "Database Attributes Under cn=monitor,cn=ldbm database, cn=plugins,cn=config" on page 145, "Database Attributes Under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config" on page 150, "Database Attributes Under cn=monitor,cn=Netscaperoot,cn=ldbm database,cn=plugins,cn=config" on page 156, and "Database Link Attributes Under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config" on page 171.


cn=replication

No attributes to document. The cn=replication node is a placeholder: when legacy replication is configured, its configuration is stored under this node.


cn=SNMP

SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class. For SNMP configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. SNMP configuration attributes are presented in this section.


nssnmpenabled

Specifies whether SNMP is enabled or not.

Entry DN

cn=SNMP,cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nssnmpenabled: off


nssnmporganization

Specifies the organization to which the Directory Server belongs.

Entry DN

cn=SNMP,cn=config

Valid Range

Organization name

Default Value

N/A

Syntax

DirectoryString

Example

nssnmporganization: iplanet


nssnmplocation

Specifies the location within the company or organization where the Directory Server resides.

Entry DN

cn=SNMP,cn=config

Valid Range

Location

Default Value

N/A

Syntax

DirectoryString

Example

nssnmplocation: B14


nssnmpcontact

Specifies the E-mail address of the person responsible for maintaining the Directory Server.

Entry DN

cn=SNMP,cn=config

Valid Range

Contact E-mail address

Default Value

N/A

Syntax

DirectoryString

Example

nssnmpcontact: ITdept@siroe.com


nssnmpdescription

Provides a unique description of the Directory Server instance.

Entry DN

cn=SNMP,cn=config

Valid Range

Description

Default Value

N/A

Syntax

DirectoryString

Example

nssnmpdescription: Employee directory instance


nssnmpmasterhost

This required attribute specifies the hostname of the machine on which the master agent is installed. For UNIX only.

Entry DN

cn=SNMP,cn=config

Valid Range

machine hostname or local host

Default Value

localhost

Syntax

DirectoryString

Example

nssnmpmasterhost: localhost


nssnmpmasterport

Specifies the port number used to communicate with the master agent. For UNIX only.

Entry DN

cn=SNMP,cn=config

Valid Range

Operating System dependent port number. Refer to your Operating System documentation for further information.

Default Value

199

Syntax

Integer

Example

nssnmpmasterport: 199


cn=tasks

No attributes to document.


cn=uniqueid generator

The uniqueid generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class. For uniqueid generator configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Uniqueid generator configuration attributes are presented in this section.


nsstate

Saves the state of the uniqueid generator across server restarts. This attribute is maintained by the server. Do not edit it.

Entry DN

cn=uniqueid generator,cn=config

Valid Range

N/A

Default Value

N/A

Syntax

DirectoryString

Example

nsstate:AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA



Configuration Quick Reference Tables



This section provides quick reference tables for LDIF configuration files supplied with the Directory Server, object classes and schema used in server configuration, and attributes requiring server restart.


LDIF Configuration Files

Table 2-7 lists all the configuration files which are supplied with the Directory Server, including those for the schema of other iPlanet and Netscape servers. Each file is preceded by a number which indicates the order in which they should be loaded (in ascending numerical and then alphabetical order). See "LDIF Configuration Files - Location" on page 25 for information on where these files are stored.


Table 2-7    Directory Server Configuration LDIF Files

Configuration Filename

Purpose

dse.ldif  

Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE (""), and the contents of cn=config and cn=monitor.  

00core.ldif  

Contains LDAPv3 standard operational schema, such as "subschemaSubentry," the LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by iPlanet Directory Server 5.1 configuration. Modifying this file will cause interoperability problems. User defined attributes should be added using iPlanet Console.  

05rfc2247.ldif  

Schema from RFC 2247 and related pilot schema: "Using Domains in LDAP/X500 Distinguished Names."  

05rfc2927.ldif  

Schema from RFC 2927: "MIME Directory Profile for LDAP Schema." Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema subentry.  

10rfc2307.ldif  

Schema from RFC 2307: "An Approach for Using LDAP as a Network Information Service".  

20subscriber.ldif  

Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and inetAdmin object class previously stored in 50ns-delegated-admin.ldif file.  

25java-object.ldif  

Schema from RFC 2713: "Schema for Representing Java(tm) Objects in an LDAP Directory."  

28pilot.ldif  

Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Note that future RFCs which succeed RFC 1274 may deprecate some or all of the 28pilot.ldif attribute types and classes.  

30ns-common.ldif  

Schema that contains objects classes and attributes common to the iPlanet Console framework.  

50ns-admin.ldif  

Schema used by iPlanet Administration Services.  

50ns-calendar.ldif  

Schema used by iPlanet Calendar Server.  

50ns-certificate.ldif  

Schema for iPlanet Certificate Management System.  

50ns-compass.ldif  

Schema used by Netscape Compass Server to define personal interest profiles.  

50ns-delegated-admin.ldif  

Schema used by iPlanet Delegated Administrator 4.5.  

50ns-directory.ldif  

Contains additional configuration schema used by iPlanet Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to iPlanet Directory Server 5.1. This schema is required for replicating between iPlanet Directory Server 4.12 and iPlanet Directory Server 5.1.  

50ns-legacy.ldif  

Legacy Netscape Schema used by iPlanet Administration Server for legacy servers.  

50ns-mail.ldif  

Schema used by iPlanet Messaging Server to define mail users and mail groups.  

50ns-mcd-browser.ldif  

Schema used by Netscape Mission Control Desktop to hold browser client preferences.  

50ns-mcd-config.ldif  

Schema used by Netscape Mission Control Desktop to set MCD "config()" preferences.  

50ns-mcd-li.ldif  

Schema used by Mission Control Desktop to define location independence.  

50ns-mcd-mail.ldif  

Schema used by Mission Control Desktop to hold mail client and messenger security preferences.  

50ns-media.ldif  

Schema used for Netscape Media Server.  

50ns-mlm.ldif  

Schema used by iPlanet Messaging Server 4.0 for mailing list management.  

50ns-msg.ldif  

Schema used for iPlanet Web Mail.  

50ns-netshare.ldif  

Schema used for iPlanet Netshare.  

50ns-news.ldif  

Schema used for iPlanet Collabra Server to hold news group preferences.  

50ns-proxy.ldif  

Schema used for iPlanet Proxy Server.  

50ns-value.ldif  

Schema for iPlanet servers' "value item" schema.  

50ns-wcal.ldif  

Schema for iPlanet Web Calendering.  

50ns-web.ldif  

Schema for iPlanet Web Server.  

99user.ldif  

User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers.  


Configuration Changes Requiring Server Restart

Table 2-8 lists the configuration attributes that cannot take effect dynamically, while the server is still running. After modifying these parameters through the console or the ldapmodify command, the server must be stopped and restarted for them to take effect. The table lists the configuration attributes concerned, with their full DNs, and provides a brief description of their functions.


Table 2-8    Configuration Changes Requiring Server Restart

Configuration attribute

Action requiring restart

cn=config,cn=ldbm:nsslapd-cachesize  

Modifying the cachesize attribute.  

cn=config,cn=ldbm:nsslapd-dbcachesize  

Modifying the dbcachesize attribute.  

cn=config,cn=ldbm:nsslapd-dbncache  

Modifying the database cache  

cn=config,cn=ldbm:nsslapd-plug-in  

Enabling or disabling a database plug-in.  

cn=config:nsslapd-changelogdir  

Modifying the change log directory.  

cn=config:nsslapd-changelogmaxage  

Modifying the maximum age limit of the change log.  

cn=config:nsslapd-changelogmaxentries  

Modifying the maximum number of entries supported by the change log.  

cn=config:nsslapd-changelogsuffix  

Modifying the change log suffix.  

cn=config:nsslapd-port  

Changing the port number.  

cn=config:nsslapd-secureport  

Changing the secure port number.  

cn=changelog5,cn=config:nsslapd-db*  

Modifying any of the changelog database parameters.  

cn=encryption,cn=config:nsssl2  

Enabling or disabling SSL Version 2 for Directory Server.  

cn=encryption,cn=config:nsssl3  

Enabling or disabling SSL Version 3 for Directory Server.  

cn=encryption,cn=config:nssslclientauth  

Enabling or disabling client authentication.  

cn=encryption,cn=config:nssslsessiontimeout  

Changing the lifetime of an SSL session.  


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated October 29, 2001