Oracle® Fusion Middleware Man Page Reference for Oracle Directory Server Enterprise Edition 11g Release 1 (11.1.1.7.0) Part Number E28967-01
Directory Server configuration file
Synopsis
Location: instance-path/config/dse.ldif
Description
Directory Server stores its configuration as directory entries under cn=config. You can therefore change the server configuration by modifying configuration entries over LDAP, rather than by editing configuration files. Configuring Directory Server in this way allows you to reconfigure a remote server while it continues to serve other directory clients.
The dse.ldif file defines the configuration for a Directory Server instance. The dse.ldif file includes a set of entries under cn=config. These entries make up the modular parts of the Directory Server instance configuration.
Directory Server stores its schema under cn=schema, not as part of the rest of the server configuration. For an introduction to the schema available under cn=schema, see Intro_6Schema(5DSSD).
Note: Neither the dse.ldif file nor the cn=config suffix constitutes a public interface for configuring a Directory Server instance. Use dsconf(1M) instead.
The dse.ldif file has the following characteristics.
The dse.ldif file is read only once at startup. Thereafter, the server configuration is based on the in-memory LDAP image of the configuration entries. Modifications to the dse.ldif file while the server is running are erased.
Modification of the configuration with Directory Service Control Center or from the command line changes the LDAP image of the configuration. Some directory features read the current configuration when invoked and do not require the server to be restarted.
Directory Server writes the dse.ldif file whenever the LDAP image of the configuration is changed. Some directory features read their configuration only when the server starts. Writing the file ensures the change is present.
The existing dse.ldif file is copied to dse.ldif.bak, and the existing dse.ldif.bak is overwritten. Therefore, any manual changes to the dse.ldif file are lost if the configuration is changed through LDAP before the server is restarted.
After every successful startup of the directory, the dse.ldif file is copied to dse.ldif.startOK in the same location. If your server cannot start because of a faulty configuration, restore the dse.ldif file from the dse.ldif.startOK file.
The following restrictions apply to modifications to the server configuration.
Some modifications only take effect after the server is restarted. See ATTRIBUTES REQUIRING RESTART in the manual page for details.
The cn=monitor entry cannot be modified.
The server ignores invalid attribute values.
Extended Description
Directory Server has a modular configuration, with a number of distinct branches under the cn=config Directory Information Tree. The primary branches are below the following DNs.
cn=encryption,cn=config
Configuration attributes related to encryption
cn=features,cn=config
Access control for many server features, also configuration for internationalized matching and searching
cn=mapping tree,cn=config
Configuration for suffixes and replica
cn=Password Policy,cn=config
Default password policy configuration
cn=plugins,cn=config
Plug-in configuration entries for plug-in based server functionality, databases, indexes
cn=replication,cn=config
Default replication bind information for cn=Replication Manager, also formerly used for replication configuration
cn=suffixName,cn=config
Suffix configuration attributes
cn=tasks,cn=config
Used by the server to manage online import, backup, and so forth
cn=uniqueid generator,cn=config
Configuration attributes for providing unique IDs
About Configuration Attributes
The dse.ldif file contains all configuration information including directory specific entries created by Directory Server at startup, and directory specific entries related to the database, also created by Directory Server at startup. The file includes the Root DSE, named by "", and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order. It does so in the order that the entries appear in the directory under cn=config.
Within a configuration entry, each configuration parameter is represented by an attribute name, and the value of that attribute is the parameter's current setting.
The following example shows part of the dse.ldif file for a Directory Server instance. The example indicates, among other things, that schema checking has been turned on. This is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: on
nsslapd-localhost: myServer.example.com
nsslapd-errorlog: /local/ds/logs/errors
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: nobody
…
See CONFIGURATION ATTRIBUTES in this manual page for a list of configuration attribute manual pages.
Access Control For Configuration Entries
When Directory Server is installed, a default set of Access Control Instructions, ACIs, is implemented for all entries under cn=config. The following extract from the dse.ldif file shows an example of these default ACIs.
aci: (targetattr != "aci") (targetscope = "base") (version 3.0; aci "Enable read access to rootdse for anonymous users"; allow(read,search,compare) userdn="ldap:///anyone"; )
aci: (targetattr = "*") (version 3.0; acl "Enable full access for Administrators group"; allow (all)(groupdn = " ldap:///cn=Administrators,cn=config"); )
aci: (targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; allow (write) userdn = "ldap:///self";)
By default, both the cn=Directory Manager user and the cn=admin,cn=Administrators,cn=config user have access to modify configuration entries. ACI syntax is covered elsewhere in the Directory Server Enterprise Edition documentation.
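Reviewing the default ACIs above is easier when each aci value is reduced to its target, scope, rights and bind-rule subjects. The following Python is an added example, not part of this manual page or of the Directory Server product: it uses regular expressions that cover only the simple ACI shapes shown on this page (one allow or deny rule, userdn/groupdn/roledn subjects), not the full ACI grammar, and it includes one constructed, deliberately over-permissive ACI (RISKY_ACI) purely to show the check firing.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# The three default ACIs quoted on this page, as the values of the multi-valued "aci" attribute.
SAMPLE_ACIS = [
    '(targetattr != "aci") (targetscope = "base") (version 3.0; aci "Enable read access to rootdse '
    'for anonymous users"; allow(read,search,compare) userdn="ldap:///anyone"; )',
    '(targetattr = "*") (version 3.0; acl "Enable full access for Administrators group"; '
    'allow (all)(groupdn = " ldap:///cn=Administrators,cn=config"); )',
    '(targetattr = "userPassword") ( version 3.0; acl "allow userpassword self modification"; '
    'allow (write) userdn = "ldap:///self";)',
]
# Constructed, deliberately weak ACI (not from the page) used only to exercise flag_risky().
RISKY_ACI = ('(targetattr = "*") (version 3.0; acl "constructed: anonymous write"; '
             'allow (write) userdn = "ldap:///anyone";)')


@dataclass(frozen=True)
class AciSummary:
    name: str
    target: str                      # targetattr value; prefixed with "!" when written as targetattr !=
    scope: str                       # targetscope, or "subtree" (the server default when none is given)
    effect: str                      # "allow" or "deny"
    rights: Tuple[str, ...]          # e.g. ("read", "search", "compare")
    subjects: Tuple[Tuple[str, str], ...]  # ((kind, dn), ...) e.g. (("userdn", "ldap:///anyone"),)


TARGET_RE = re.compile(r'targetattr\s*(!=|=)\s*"([^"]*)"')
SCOPE_RE = re.compile(r'targetscope\s*=\s*"([^"]*)"')
NAME_RE = re.compile(r'\b(?:acl|aci)\s+"([^"]*)"')          # the page's first ACI uses "aci" here
RULE_RE = re.compile(r'\b(allow|deny)\s*\(([^)]*)\)', re.IGNORECASE)
SUBJECT_RE = re.compile(r'\b(userdn|groupdn|roledn)\s*=\s*"([^"]*)"', re.IGNORECASE)


def summarize_aci(aci: str) -> AciSummary:
    """Reduce one ACI value to the fields a reviewer cares about."""
    target, scope, name, rule = (TARGET_RE.search(aci), SCOPE_RE.search(aci),
                                 NAME_RE.search(aci), RULE_RE.search(aci))
    if not (target and name and rule):
        raise ValueError(f"unrecognised ACI: {aci!r}")
    attr = ("!" if target.group(1) == "!=" else "") + target.group(2)
    rights = tuple(r.strip().lower() for r in rule.group(2).split(",") if r.strip())
    # Only the text after the rights is a bind rule; strip() removes the stray space the
    # page shows inside the groupdn quotes.
    subjects = tuple((k.lower(), v.strip()) for k, v in SUBJECT_RE.findall(aci[rule.end():]))
    return AciSummary(name.group(1), attr, scope.group(1) if scope else "subtree",
                      rule.group(1).lower(), rights, subjects)


def summarize_acis(acis: List[str]) -> List[AciSummary]:
    return [summarize_aci(a) for a in acis]


# Bind-rule subjects that match everyone (anonymous) or every authenticated user.
BROAD_SUBJECTS = {"ldap:///anyone", "ldap:///all"}
READ_ONLY_RIGHTS = {"read", "search", "compare"}


def flag_risky(summaries: List[AciSummary]) -> List[str]:
    """Names of allow-ACIs that grant a broad subject anything beyond read-type rights."""
    flagged = []
    for s in summaries:
        if s.effect != "allow":
            continue
        broad = any(kind == "userdn" and dn in BROAD_SUBJECTS for kind, dn in s.subjects)
        if broad and not set(s.rights) <= READ_ONLY_RIGHTS:
            flagged.append(s.name)
    return flagged


if __name__ == "__main__":
    for s in summarize_acis(SAMPLE_ACIS + [RISKY_ACI]):
        print(f"{s.name}: {s.effect} {','.join(s.rights)} on {s.target} ({s.scope}) to {s.subjects}")
    print("flagged:", flag_risky(summarize_acis(SAMPLE_ACIS + [RISKY_ACI])))
```

Against the page's three defaults the check reports nothing: anonymous users get only read, search and compare on the root DSE, full rights go to the Administrators group, and write is limited to userPassword on the bound user's own entry. The constructed fourth ACI is the only one flagged.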
CONFIGURATION ATTRIBUTES
This section lists configuration attributes by their location in the configuration Directory Information Tree.
Attributes of cn=config
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which inherits from the extensibleObject object class. For attributes to be taken into account by the server, the entry must contain the nsslapdConfig object class, the extensibleObject object class and the top object class.
See the following manual pages.
Attributes of cn=encryption,cn=config
Encryption related attributes are stored under the cn=encryption,cn=config entry. This entry is an instance of the nsEncryptionConfig object class. For encryption related attributes to be taken into account by the server, this object class, in addition to the top object class, must be present in the entry.
See the following manual pages.
Attributes of cn=mapping tree,cn=config
Configuration attributes for suffixes and replication are stored under the branch cn=mapping tree,cn=config.
Configuration attributes related to suffixes are found under the suffix subentry, which has a DN of the following form.
cn="suffixName",cn=mapping tree,cn=config
Suffix configuration entries therefore have CNs such as cn="dc=example,dc=com". Suffix configuration entries are instances of the nsMappingTree object class, which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server, these object classes, in addition to the top object class, must be present in the entry. See the following man pages about suffix configuration entry attributes.
Replication configuration attributes are stored under an entry with a DN of the following form.
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Replication agreement attributes are stored under an entry with a DN of the following form.
cn=replicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config
See replication(5DSCONF) for details.
Attributes of cn=Password Policy
The default password policy entry for a Directory Server instance has DN cn=Password Policy,cn=config. For help configuring password policy, see the Directory Server Administration Guide.
For details concerning password policy entries, see pwpolicy(5DSSD). Entries having the object classes described in pwdPolicy(5DSOC), and in sunPwdPolicy(5DSOC) are used to configure password policy.
For instructions concerning legacy password policy functionality, see the Directory Server Migration Guide. Legacy password policy functionality is configured using entries of the object class described in passwordPolicy(5DSOC).
Plug-In Configuration Under cn=plugins
Many of the features of Directory Server are designed as discrete modules that plug into the core server. The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following example shows the configuration entry for the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: ds-signedPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: /opt/SUNWdsee7/lib/sparcv9/syntax-plugin.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
…
Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in.
Chained Suffix Plug-In Configuration
All plug-in configuration information used by the chained suffix instances is stored under the cn=chaining database,cn=plugins,cn=config entry.
The following global chained suffix configuration attributes common to all instances are stored under cn=config,cn=chaining database,cn=plugins,cn=config.
Default instance chained suffix attributes are stored under cn=default instance config,cn=chaining database,cn=plugins,cn=config.
Instance-specific chained suffix attributes are stored under cn=chainedSuffix,cn=chaining database,cn=plugins,cn=config.
The following list shows the chained suffix attributes used for monitoring activity on instances. These attributes are stored under cn=monitor,cn=dbName,cn=chaining database,cn=plugins,cn=config.
nsAddCount
Number of add operations received.
nsDeleteCount
Number of delete operations received.
nsModifyCount
Number of modify operations received.
nsRenameCount
Number of rename operations received.
nsSearchBaseCount
Number of base level searches received.
nsSearchOneLevelCount
Number of one-level searches received.
nsSearchSubtreeCount
Number of subtree searches received.
nsAbandonCount
Number of abandon operations received.
nsBindCount
Number of bind requests received.
nsUnbindCount
Number of unbinds received.
nsCompareCount
Number of compare operations received.
nsOperationConnectionCount
Number of open connections for normal operations.
nsBindConnectionCount
Number of open connections for bind operations.
Database Plug-In Configuration
Database plug-in configuration entries are stored under cn=ldbm database,cn=plugins,cn=config. That entry is a server plug-in configuration entry for databases, and therefore takes the same attributes as other plug-in entries.
Key entries beneath the plug-in configuration entry are listed as follows.
cn=attr,cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
Configuration entries for default indexes. Notice that each individual attribute type indexed has its own entry, and that the attribute type is identified by common name, CN. See the following man pages concerning attributes for such entries.
cn=attr,cn=index,cn=dbName,cn=ldbm database,cn=plugins,cn=config
Configuration entries for indexing for attributes of the suffix whose backend database has CN dbName. Such entries take the same configuration attributes as configuration entries for default indexes.
All indexes, except system-essential ones, can be removed, but care should be taken not to cause unnecessary disruptions.
cn=config,cn=ldbm database,cn=plugins,cn=config
Global configuration information for all databases. See the following man pages concerning attributes for such entries.
cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config
Entry for read-only database performance monitoring attributes. All of the values for these attributes are 32-bit integers.
nsslapd-db-abort-rate
Number of transactions that have been aborted.
nsslapd-db-active-txns
Number of transactions that are currently active (used by the database.)
nsslapd-db-cache-hit
Requested pages found in the cache.
nsslapd-db-cache-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-cache-size-bytes
Total cache size in bytes.
nsslapd-db-cache-try
Total cache lookups.
nsslapd-db-clean-pages
Clean pages currently in the cache.
nsslapd-db-commit-rate
Number of transactions that have been committed.
nsslapd-db-configured-locks
Configured number of locks.
nsslapd-db-configured-txns
Configured number of transactions.
nsslapd-db-current-locks
Number of locks currently used by the database.
nsslapd-db-deadlock-rate
Number of deadlocks detected.
nsslapd-db-dirty-pages
Dirty pages currently in the cache.
nsslapd-db-hash-buckets
Number of hash buckets in buffer hash table.
nsslapd-db-hash-elements-examine-rate
Total number of hash elements traversed during hash table lookups.
nsslapd-db-hash-search-rate
Total number of buffer hash table lookups.
nsslapd-db-lock-conflicts
Total number of locks not immediately available due to conflicts.
nsslapd-db-lockers
Number of current lockers.
nsslapd-db-lock-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-lock-request-rate
Total number of locks requested.
nsslapd-db-log-bytes-since-checkpoint
Number of bytes written to this log since the last checkpoint.
nsslapd-db-log-flush-commit
The number of log flushes that contained a transaction commit record.
nsslapd-db-log-flush-count
The number of times the log has been flushed to disk.
nsslapd-db-log-max-commit-per-flush
The maximum number of commits contained in a single log flush.
nsslapd-db-log-min-commit-per-flush
The minimum number of commits contained in a single log flush that contained a commit.
nsslapd-db-log-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-log-write-count
The number of times the log has been written to disk.
nsslapd-db-log-write-count-fill
The number of times the log has been written to disk because the in-memory log record cache filled up.
nsslapd-db-log-write-rate
Number of bytes written to the log since the last checkpoint.
nsslapd-db-longest-chain-length
Longest chain ever encountered in buffer hash table lookups.
nsslapd-db-max-locks
Maximum number of locks used by the database since the last startup.
nsslapd-db-max-txns
Maximum number of transactions used since the last startup.
nsslapd-db-page-create-rate
Pages created in the cache.
nsslapd-db-page-read-rate
Pages read into the cache.
nsslapd-db-page-ro-evict-rate
Clean pages forced from the cache.
nsslapd-db-page-rw-evict-rate
Dirty pages forced from the cache.
nsslapd-db-pages-in-use
All pages, clean or dirty, currently in use.
nsslapd-db-page-trickle-rate
Dirty pages written using the memp_trickle interface.
nsslapd-db-page-write-rate
Pages read into the cache.
nsslapd-db-txn-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
cn=dbName,cn=ldbm database,cn=plugins,cn=config
Configuration information for databases backing suffixes you define. The dbName is by default a contraction of the common name for the suffix. For example, if the suffix has CN dc=example,dc=com, the dbName might be example. See the following man pages concerning attributes for such entries.
Virtual list view, VLV, index entries are found beneath this entry.
A VLV index provides fast searches against a known result set and sort ordering. To do this, the object class vlvSearch is needed to define the VLV search, and the object class vlvIndex is needed to order the search. See the following manual pages for details on the VLV configuration entry object classes and attributes.
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
Configuration entry for default indexing for all suffixes. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of deployments.
cn=monitor,cn=dbName,cn=ldbm database,cn=plugins,cn=config
Entry for database monitoring attributes, listing database statistics for monitoring activity on the dbName database. These attributes are provided for each file that makes up your database.
dbentrycount
Total number of entries in the database, including entries created by replication.
dbfilename-number
This attribute indicates the name of the file and provides a sequential integer identifier, starting at 0, for the file. All associated statistics for the file are given the same numerical identifier.
dbfilecachehit
Number of times that a search requiring data from this file was performed and data successfully obtained from the cache.
dbfilecachemiss
Number of times that a search requiring data from this file was performed and that the data could not be obtained from the cache.
dbfilepagein
Number of pages brought to the cache from this file.
dbfilepageout
Number of pages for this file written from cache to disk.
entrycachehitratio
Ratio that indicates the number of entry cache tries to successful entry cache lookups.
entrycachehits
Total number of successful entry cache lookups.
ldapentrycount
Number of user entries in the database.
maxentrycachecount
Maximum number of directory entries that are allowed to be maintained in the entry cache.
maxentrycachesize
Maximum memory size allowed for entry cache, in bytes.
cn=monitor,cn=ldbm database,cn=plugins,cn=config
Entry for database monitoring attributes, listing database statistics for monitoring activity on databases.
dbcachehits
Requested pages found in the database.
dbcachetries
Total requested pages found in the database cache.
dbcachehitratio
Percentage of requested pages found in the database cache, hits/tries.
dbcachepagein
Pages read into the database cache.
dbcachepageout
Pages written from the database cache to the backing file.
dbcacheroevict
Clean pages forced from the cache.
dbcacherwevict
Dirty pages forced from the cache.
DSML Front End Plug-In Configuration Attributes
The front end plug-in enables you to access directory data by methods other than LDAP. Directory Server provides a DSML front end plug-in that enables access using DSMLv2 over HTTP/SOAP. Attributes for the DSML front end plug-in are stored under cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config. See the following manual pages for details.
Retro Changelog Plug-In Configuration
The following manual pages describe attributes used when configuring the retro changelog plug-in.
Server Plug-In Configuration Entries
All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes, in addition to the top object class, must be present in the entry.
See nsslapd-plugin(5DSCONF) for an overview of the plug-ins provided with Directory Server, including configurable options, configurable arguments, default setting, dependencies, general performance related information, and further reading.
Attributes of cn=uniqueid generator,cn=config
Unique ID generator configuration attributes are stored under the entry with DN cn=uniqueid generator,cn=config. The cn=uniqueid generator,cn=config entry is an instance of the extensibleObject object class. For unique ID generator configuration attributes to be taken into account by the server, this object class, in addition to the top object class, must be present in the entry.
The principal unique ID generator attribute is nsState(5DSCONF).
Attributes Requiring Restart
This section lists configuration elements whose modifications cannot take effect dynamically, while the server is still running. After modifying these parameters, you must restart the server. The following list shows the configuration attributes concerned, with their full DNs, and provides a brief description of their functions.
Changing plug-in settings.
cn=config:nsslapd-port
Changing the port number.
cn=config:nsslapd-secureport
Changing the secure port number.
cn=config:nsslapd-security
Enabling or disabling use of SSL, TLS, and attribute encryption.
cn=config:nsslapd-changelogdir
Modifying the change log database path.
cn=config:nsslapd-changelogsuffix
Modifying the change log suffix.
cn=config:nsslapd-return-exact-case
Modifying whether the server returns exact case matches for attribute names.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-allidsthreshold
Changing the all IDs threshold value.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-dbcachesize
Modifying the size of the database cache.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-dbncache
Modifying whether the database cache memory is split into equally sized pieces.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-directory
Changing the path to the database instance.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-db-locks
Changing the number of locks available in the database.
cn=encryption,cn=config:nssslsessiontimeout
Changing the lifetime of an SSL session.
cn=encryption,cn=config:nssslclientauth
Enabling or disabling client authentication.
cn=encryption,cn=config:nssslserverauth
Enabling or disabling server authentication.
cn=encryption,cn=config:nsssl2
Enabling or disabling SSL Version 2 for Directory Server.
cn=encryption,cn=config:nsssl3
Enabling or disabling SSL Version 3 for Directory Server.
cn=RSA,cn=encryption,cn=config:nsssltoken
Changing the SSL token.
cn=RSA,cn=encryption,cn=config:nssslpersonalityssl
Changing the SSL personality.
cn=RSA,cn=encryption,cn=config:nssslactivation
Enabling or disabling the SSL encryption module.
cn=suffixName,cn=ldbm database,cn=plugins,cn=config:nsslapd-cachesize
Modifying the number of entries held in the entry cache.
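Because dse.ldif.startOK holds the configuration at the last successful start while dse.ldif is rewritten whenever the LDAP image changes (see the file characteristics above), comparing the two files shows which restart-only attributes from the list above have been changed but are not yet in effect. The following Python is an added example, not part of this manual page or of the Directory Server product. It contains a minimal LDIF reader (continuation lines, base64 "::" values), a check that intersects the difference between the two files with the restart-only attributes listed on this page, and an audit of a few settings named on this page (nsslapd-schemacheck, nsslapd-security, nsssl2, nsssl3). Both LDIF inputs are constructed for the example; the RESTART_REQUIRED table is taken from the list above, with DNs lower-cased to match the parser.

```python
import base64
from typing import Dict, List, Optional, Tuple

# Entry DN -> attributes that this manual page lists as taking effect only after a restart.
RESTART_REQUIRED: Dict[str, set] = {
    "cn=config": {"nsslapd-port", "nsslapd-secureport", "nsslapd-security",
                  "nsslapd-changelogdir", "nsslapd-changelogsuffix", "nsslapd-return-exact-case"},
    "cn=config,cn=ldbm database,cn=plugins,cn=config": {
        "nsslapd-allidsthreshold", "nsslapd-dbcachesize", "nsslapd-dbncache",
        "nsslapd-directory", "nsslapd-db-locks"},
    "cn=encryption,cn=config": {"nssslsessiontimeout", "nssslclientauth", "nssslserverauth",
                                "nsssl2", "nsssl3"},
    "cn=rsa,cn=encryption,cn=config": {"nsssltoken", "nssslpersonalityssl", "nssslactivation"},
}

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Read LDIF as dse.ldif uses it: unfold continuation lines (leading space), decode
    base64 values written with '::', and map lower-cased DN -> {attribute: [values]}."""
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:        # folded continuation of the previous line
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries: Dict[str, Entry] = {}
    dn: Optional[str] = None
    attrs: Entry = {}
    for line in logical + [""]:                    # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if line == "":
            if dn is not None:
                entries[dn] = attrs
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        name = name.strip().lower()
        if value.startswith(":"):                  # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            if dn is not None:                     # tolerate a missing blank line between entries
                entries[dn] = attrs
            dn, attrs = value.lower(), {}
        elif dn is None:
            raise ValueError("attribute line before any dn: line")
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def changes_pending_restart(start_ok_ldif: str, current_ldif: str) -> List[Tuple]:
    """Restart-only attributes whose values differ between dse.ldif.startOK and dse.ldif."""
    before, after = parse_ldif(start_ok_ldif), parse_ldif(current_ldif)
    pending = []
    for entry_dn, names in RESTART_REQUIRED.items():
        b, a = before.get(entry_dn, {}), after.get(entry_dn, {})
        for name in sorted(names):
            if b.get(name) != a.get(name):
                pending.append((entry_dn, name, b.get(name), a.get(name)))
    return pending


def audit_settings(cfg: Dict[str, Entry]) -> List[str]:
    """Flag settings from this page that weaken the instance: schema checking off,
    SSL/TLS not enabled, or the SSL 2/3 protocol switches left on."""
    def first(entry_dn: str, name: str) -> str:
        return (cfg.get(entry_dn, {}).get(name) or [""])[0].lower()
    findings = []
    if first("cn=config", "nsslapd-schemacheck") != "on":
        findings.append("schema checking off (nsslapd-schemacheck)")
    if first("cn=config", "nsslapd-security") != "on":
        findings.append("SSL/TLS not enabled (nsslapd-security)")
    for name in ("nsssl2", "nsssl3"):
        if first("cn=encryption,cn=config", name) == "on":
            findings.append(f"legacy protocol enabled ({name})")
    return findings


# Constructed dse.ldif.startOK contents (a folded line and a base64 value are included on purpose).
START_OK_DSE = """\
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
cn:: Y29uZmln
nsslapd-localhost: myServer.exa
 mple.com
nsslapd-port: 389
nsslapd-security: off
nsslapd-schemacheck: on
nsslapd-accesslog-logging-enabled: off

dn: cn=encryption,cn=config
objectclass: top
objectclass: nsEncryptionConfig
cn: encryption
nsssl2: off
nsssl3: on
"""
# Constructed dse.ldif as rewritten after changes over LDAP: TLS turned on with a secure port,
# SSLv3 turned off (all restart-only) and access logging turned on (takes effect dynamically).
CURRENT_DSE = (START_OK_DSE
               .replace("nsslapd-security: off", "nsslapd-security: on\nnsslapd-secureport: 636")
               .replace("nsssl3: on", "nsssl3: off")
               .replace("nsslapd-accesslog-logging-enabled: off", "nsslapd-accesslog-logging-enabled: on"))

if __name__ == "__main__":
    for entry_dn, name, old, new in changes_pending_restart(START_OK_DSE, CURRENT_DSE):
        print(f"restart needed: {entry_dn}:{name} {old} -> {new}")
    print("findings before:", audit_settings(parse_ldif(START_OK_DSE)))
    print("findings after:", audit_settings(parse_ldif(CURRENT_DSE)))
```

On the constructed input the access-log change is ignored, while nsslapd-secureport, nsslapd-security and nsssl3 are reported as pending a restart, and the audit findings present in the startOK image (TLS off, SSLv3 on) disappear in the current image. Run it against real files only as a read-only check; as the page states, the file itself is not an interface for making changes.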
Attributes
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWdsee7
Stability Level | Obsolete: Scheduled for removal as a supported interface after this release