Chapter 17 Configuration Parameters

Directory server runtime activities are controlled using configuration parameters. This chapter details the configuration parameters used with the directory server and includes the following topics:

• "Changing Configuration Parameter Values"
• "General Server Parameters"
• "Database Parameters"

Changing Parameter Values Using the Server Console

You can change most server parameter values from the Directory Server Console. Unlike previous versions of the directory server, there is no longer a single place that you can go in the server console that allows you to view all server parameters from a single form. Instead, individual server parameters are viewed and set in areas of the UI specific to that task. That is, to change parameters related to the access log, you would go to the Configuration|Logs|Access Log tab on the Directory Server Console.

Changing Parameter Values Using slapd.conf

The slapd.conf file is a text (UTF-8) file that is read only when the directory server is started. slapd.conf contains all of the server parameters that are not related to the server's database. You should not manually edit this file while the server is running because any changes made through the server console cause the server to rewrite the file and may overwrite your manual changes. For a list of these parameters, see Table  17.1.

To modify this file:

1. Stop the server.
2. Edit the file with the text editor of your choice.
3. Stop and then restart the directory server.

slapd.conf File Format

The slapd.conf file begins with several include statements that include the standard attribute and object class definitions. The remainder of slapd.conf consists of a series of general configuration parameters that apply to the directory server as a whole, followed by a database definition that contains information specific to the database.

Note. General parameters may be repeated within the database definition. The last instance of any repeated parameter takes precedence over all other duplicated parameters. The only restriction is that all non-database parameters must appear in the file before any database-specific parameters.

Comment lines begin with a pound symbol (#). Blank lines and comment lines are ignored by the directory server. A line beginning with white space is considered a continuation of the previous line.

Note. Comments are not preserved if the server rewrites the configuration files.

Entry arguments are separated by white space. If a parameter value contains white space, then it must be enclosed in double quotation marks (for example, "like this"). If a parameter value contains a double quotation mark (") or a backslash (\), the character must be preceded (escaped) by a backslash character.

Also, file paths contained in the config file must be delimited using a forward slash (/). Backslashes (\) are not supported. For example, an include directive on an NT system should be written as follows:

include c:/usr/ns-home/slapd-phonebook/config/slapd.at.conf

The format of the slapd.conf file is:

# comment - slapd.at.conf contains common attribute

# definitions, slapd.oc.conf contains common

# object class definitions.

include /usr/ns-home/slapd-phonebook/config/slapd.at.conf

include /usr/ns-home/slapd-phonebook/config/slapd.oc.conf

# The first parameters apply to the directory server as a whole

<general parameter>

<general parameter>

...

# The dynamicconf parameter that follows includes the file that contains

# the server's database parameters.

dynamicconf /usr/ns-home/slapd-phonebook/config/slapd.ldbm.conf

Changing Parameter Values Using slapd.ldbm.conf

The slapd.ldbm.conf file is used to contain the directory server's database parameters. This file is included into slapd.conf using the dynamicconf parameter. For a list of the database parameters, see Table  17.2.

slapd.ldbm.conf is a text (UTF-8) file.

Table 17.1 Directory server general parameters  

Parameter	Description
Access Log	String specifying the file used to log information about each database access.
Access Log Enable Logging	Boolean specifying whether access logging is on.
Access Log Expiration Time	Integer specifying the maximum age of a log file.
Access Log Expiration Time Unit	Keyword specifying the unit for the Access Log Expiration Time parameter.
Access Log Maximum Disk Space	Integer specifying the maximum amount of disk space that the access logs can use.
Access Log Maximum Log Size	Integer specifying the maximum size of an access log file.
Access Log Maximum Number of Log Files	Integer specifying the total number of access log files that can be in the access log directory.
Access Log Minimum Free Disk Space	Integer specifying the minimum amount of free disk space allowed before old log files are deleted.
Access Log Rotation Time	Integer indicating the amount of time between log file rotations.
Access Log Rotation Time Unit	Keyword specifying the units for the Access Log Rotation parameter.
accessloglevel	Reserved for future use.
Account Lockout	Boolean indicating whether users will be locked out of the directory after a given number of failed bind attempts.
Attribute	String associating a syntax with an attribute name. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server console.
Audit Log	String specifying the file used to store changes made to each database as well as the machine data area.
Audit Log Enable Logging	Boolean specifying whether audit logging is on.
Audit Log Expiration Time	Integer specifying the maximum age of a log file.
Audit Log Expiration Time Unit	Keyword specifying the unit for the Audit Log Expiration Time parameter.
Audit Log Maximum Disk Space	Integer specifying the maximum amount of disk space that the audit logs can use.
Audit Log Maximum Log Size	Integer specifying the maximum size of a audit log file.
Audit Log Maximum Number of Log Files	Integer specifying the total number of audit log files that can be in the audit log directory.
Audit Log Minimum Free Disk Space	Integer specifying the minimum amount of free disk space allowed before old log files are deleted.
Audit Log Rotation Time	Integer indicating the amount of time between log file rotations.
Audit Log Rotation Time Unit	Keyword specifying the units for the Audit Log Rotation parameter.
Certificate and Key Directory	String specifying the path to the SSL directory. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server console.
Changelog DB Directory	String specifying the suffix for the change log database.
Changelog Suffix	String displaying the suffix for the change log database.
Check Password Syntax	Boolean indicating whether the password syntax will be checked before the password is saved.
Enable Access Control	Boolean indicating whether access control checking is turned off.
Enable Online Consumer Creation	Indicates whether a server will automatically use online consumer (replica) creation in the event that an inconsistency is detected between the databases on the supplier and the consumer servers.
Enable Superior Object Class Enquoting	Boolean specifying whether object classes in the cn=schema tree will conform to quoting as specified in RFC 2252.
Encrypted Port Number	Integer specifying the TCP/IP port number used for SSL communications.
Encryption Alias	String representing the encryption alias for this server's certificate.
Encryption Ciphers	String specifying the type of encryption supported by this server.
Error Log	String specifying the file used to log error messages generated by the directory server.
Error Log Enable Logging	Boolean specifying whether error logging is on.
Error Log Expiration Time	Integer specifying the maximum age of a log file.
Error Log Expiration Time Unit	Keyword specifying the unit for the Error Log Expiration Time parameter.
Error Log Maximum Disk Space	Integer specifying the maximum amount of disk space that the error logs can use.
Error Log Maximum Log Size	Integer specifying the maximum size of an error log file.
Error Log Maximum Number of Log Files	Integer specifying the total number of error log files that can be in the error log directory.
Error Log Minimum Free Disk Space	Integer specifying the minimum amount of free disk space allowed before old log files are deleted.
Error Log Rotation Time	Integer indicating the amount of time between log file rotations.
Error Log Rotation Time Unit	Keyword specifying the units for the Error Log Rotation parameter.
Idle Timeout	Seconds after which idle LDAP client connections are closed.
Instance Directory	String providing the path to the server's installation directory.
IO Block Time Out	Milliseconds after which the connection to a stalled LDAP client that has not made any I/O progress for read or write is closed.
Listen to IP Address	IP address that the directory server listens to. Used on multihomed systems only.
Local User	String indicating the user that the directory server runs as. Used by Unix installations only.
Lockout Duration	Integer representing the amount of time in minutes that users will be locked out of the directory after an account lockout.
Log Buffering	Forces all access log entries to write through the buffer and direct to disk.
Log Level	Integer representing the level at which debugging statements and operation statistics will be logged.
Max Changelog Age	Integer and ID specifying the maximum allowable age of any entry in the change log.
Max Changelog Records	Integer representing the maximum number of records the change log may contain.
Maximum File Descriptors	Specifies the number of file descriptors available to the directory server. Not applicable to NT and AIX installations of the directory server.
Maximum Message Size	Maximum size of any add or modification request that can be written to the server over LDAP.
Maximum Password Failures	Integer representing the number failed bind attempts after which a user will be locked out of the directory.
Maximum Threads Per Connection	Maximum number of threads allowed for use by each connection. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server console.
nagle	Reserved for future use.
NLS	String that displays the directory where the files to support internationalization are kept.
NT Synchronization Service Enabled	Turns on the NT Synchronization Service server plug-ins.
NT Synchronization Service Port Number	Indicates the port that the directory server will use to for non-LDAP communications with the NT Synchronization Service.
NT Synchronization Service Use SSL	Indicates whether the server will use SSL when communicating with the NT Synchronization Service.
Number of Passwords to Remember	Integer representing the number of passwords the directory server stores in history.
Object Class	List of strings defining a new object class to be added to the database schema. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server console.
Password Change	Keyword indicating whether users can change their passwords.
Password Expiration	Boolean indicating whether user passwords will expire after a given number of days.
Password History	Boolean indicating whether users can reuse passwords.
Password Maximum Age	Integer representing the number of days after which user passwords will expire.
Password Minimum Age	Integer representing the minimum number of seconds that must pass before a user can change their password.
Password Minimum Length	Integer representing the minimum number of characters that must be used in directory server passwords.
Password Must Change	Keyword indicating whether users must change their passwords when they first bind to the directory server.
Password Storage Scheme	String specifying the type of encryption used for password storage.
Port Number	Integer specifying the TCP/IP port number used for non-SSL communications.
Referral	String specifying an LDAP URL to pass back to a client when ns-slapd cannot find a local database to handle a request.
Reserved File Descriptors	Specifies the number of file descriptors reserved by the directory server for non-connection uses. Not applicable to NT and AIX installations of the directory server.
Reset Password Failure Count After	Integer representing the amount of time in minutes after which the password failure counter will be reset.
result_tweak	Reserved for future use.
Return Exact Case	Boolean indicating whether the server should return attribute names with the exact capitalization specified in slapd.at.conf to clients.
Root DN	String specifying the distinguished name of an entry that is not subject to access control or administrative limit restrictions for operations on the database.
Root Password	String displaying the current root password.
Root Password Storage Scheme	String displaying the current root password encryption method used for the root password.
Schema Checking	Boolean indicating whether the schema will be enforced during entry insertion or modification.
Security	Boolean specifying whether the server is to use SSL communications.
Send Warning	Integer representing the number days before a user's password is due to expire that the user will be sent a warning message.
Size Limit	Integer specifying the maximum number of entries to return from a search operation.
Supplier DN	String specifying the distinguished name used to update local replicated entries.
Supplier Password	String specifying the password the consumer server expects the supplier server to use when binding.
Supplier SSL Clients	String specifying the subject name(s) or the certificate(s) that correspond to the supplier DN defined for the consumer server.
Thread Number	Number of threads obtained by the directory server at startup time. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server console.
Time Limit	Integer specifying the maximum number of seconds the directory server will spend performing a search request.
Track Modification Time	Boolean indicating whether ns-slapd will maintain modification attributes for entries.
Unlock Account	Boolean indicating whether users will be locked out of the directory until the administrator resets the password after an account lockout.
User-Defined Attributes File	String providing the path to the file containing the user-defined attributes.
User-Defined Object Class File	String providing the path to the file containing the user-defined object classes.

Specifies the path and filename of the log used to record each database access. The following information is recorded by default in the log file:

• IP address of the client machine that accessed the database
• operations performed (for example, search, add, modify)
• result of the access (for example, the number of entries returned)

Default value

<NSHOME>/slapd-<serverID>/logs/access

Valid range

Any valid filename

slapd.conf Syntax

accesslog <filename>

Example

accesslog "/usr/ns-home/slapd-<serverID>/logs/access"

Access Log Enable Logging

Turns access logging on and off.

Default value

on

Valid range

on | off

slapd.conf Syntax

accesslog-logging-enabled <Boolean>

Example

accesslog-logging-enabled on

Access Log Expiration Time

Specifies the maximum age that a log file is allowed to be before it is deleted. This parameter supplies only the number of units. The units (day, week, month, and so forth) are given by the Access Log Expiration Time Unit parameter.

Default value

1

Valid range

-1 | 1 to 65535

A value of -1 means that an access log will never be deleted due to its age.

slapd.conf Syntax

accesslog-logexpirationtime <integer>

Example

accesslog-logexpirationtime 1

Access Log Expiration Time Unit

Specifies the units for Access Log Expiration Time.

Default value

week

Valid range

month | week | day | hour | minute

slapd.conf Syntax

accesslog-logexpirationtimeunit <keyword>

Example

accesslog-logexpirationtimeunit day

Access Log Maximum Disk Space

Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the directory server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.

Default value

500

Valid range

-1 | 1 to 65535

A value of -1 means that the disk space allowed to the access log is unlimited in size.

slapd.conf Syntax

accesslog-maxlogdiskspace <integer>

Example

accesslog-maxlogdiskspace 500

Access Log Maximum Log Size

Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set "Access Log Maximum Number of Log Files" to 1, the server ignores this parameter.

Default value

100

Valid range

-1 | 1 to 65535

A value of -1 means the log file is unlimited in size. When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the directory server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.

slapd.conf Syntax

accesslog-maxlogsize <integer>

Example

accesslog-maxlogsize 100

Access Log Maximum Number of Log Files

Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, then each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this parameter, then the oldest version of the log file is deleted. Do not set this value to 1. If you do, the server will not rotate the log and it will grow indefinitely.

Default value

10

Valid range

1 to 65535

slapd.conf Syntax

accesslog-maxNumOfLogsPerDir <integer>

Example

accesslog-maxNumOfLogsPerDir 10

Access Log Minimum Free Disk Space

Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this parameter, the oldest access log is deleted until enough disk space is freed to satisfy this parameter.

Default value

5

Valid range

1 to 65535

slapd.conf Syntax

accesslog-minfreediskspace <integer>

Example

accesslog-minfreediskspace 5

Access Log Rotation Time

Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This parameter supplies only the number of units. The units (day, week, month, and so forth) are given by the Access Log Rotation Time Unit parameter. If you set "Access Log Maximum Number of Log Files" to 1, the server ignores this parameter.

Default value

1

Valid range

-1 | 1 to 65535

A value of -1 means that the time between access log file rotation is unlimited.

slapd.conf Syntax

accesslog-logrotationtime <integer>

Example

accesslog-logrotationtime 100

Access Log Rotation Time Unit

Specifies the units for Access Log Rotation Time.

Default value

day

Valid range

month | week | day | hour | minute

slapd.conf Syntax

accesslog-logrotationtimeunit <keyword>

Example

accesslog-logrotationtimeunit day

accessloglevel

Reserved for future use. Do not change or remove. Doing so can have unpredictable results.

Account Lockout

Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the Maximum Password Failures parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

On

Valid Range

On|Off

slapd.conf Syntax

pw_lockout <Boolean>

Example

pw_lockout off

Attribute

Associates a syntax with an attribute name. By default, an attribute is assumed to have syntax cis. This parameter also allows you to specify one or more optional alternate names for the attribute.

This parameter is intended to allow the extension of the standard schema when schema checking is turned on.

For details on extending the schema using the Directory Server Console, refer to Chapter  3, "Extending the Directory Schema."

This parameter is not available from the server console.

Valid range

Possible syntaxes are:

• bin—binary
• ces—case exact string (case must be matched during comparison)
• cis—case ignore string (case is ignored during comparison)
• tel—telephone number (identical to cis, but blanks and dashes [-] are ignored during comparisons)
• dn—distinguished name
• int—integer

attribute <name> [<name2> <syntax>]

Example

attribute commonName cn cis

Audit Log

Specifies the pathname and filename of the log used to record changes made to each database as well as to the machine data area.

Default value

<NSHOME>/slapd-<serverID>/logs/audit

Valid range

Any valid filename

slapd.conf Syntax

auditfile <filename>

Example

auditfile /usr/ns-home/slapd-<serverID>/logs/audit

Audit Log Enable Logging

Turns audit logging on and off.

Default value

on

Valid range

on | off

slapd.conf Syntax

auditlog-logging-enabled <Boolean>

Example

auditlog-logging-enabled on

Audit Log Expiration Time

Specifies the maximum age that a log file is allowed to be before it is deleted. This parameter supplies only the number of units. The units (day, week, month, and so forth) are given by the Audit Log Expiration Time Unit parameter.

Default value

1

Valid range

-1 | 1 to 65535

A value of -1 means that an audit log will never be deleted due to its age.

slapd.conf Syntax

auditlog-logexpirationtime <integer>

Example

auditlog-logexpirationtime 1

Audit Log Expiration Time Unit

Specifies the units for Audit Log Expiration Time.

Default value

week

Valid range

month | week | day | hour | minute

slapd.conf Syntax

auditlog-logexpirationtimeunit <keyword>

Example

auditlog-logexpirationtimeunit day

Audit Log Maximum Disk Space

Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the directory server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.

Default value

500

Valid range

-1 | 1 to 65535

A value of -1 means that the disk space allowed to the audit log is unlimited in size.

slapd.conf Syntax

auditlog-maxlogdiskspace <integer>

Example

auditlog-maxlogdiskspace 500

Audit Log Maximum Log Size

Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set "Audit Log Maximum Number of Log Files" to 1, the server ignores this parameter.

Default value

100

Valid range

-1 | 1 to 65535

A value of -1 means the log file is unlimited in size. When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the directory server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.

slapd.conf Syntax

auditlog-maxlogsize <integer>

Example

auditlog-maxlogsize 100

Audit Log Maximum Number of Log Files

Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this parameter, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.

Default value

1

Valid range

1 to 65535

slapd.conf Syntax

auditlog-maxNumOfLogsPerDir <integer>

Example

auditlog-maxNumOfLogsPerDir 10

Audit Log Minimum Free Disk Space

Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this parameter, the oldest audit log is deleted until enough disk space is freed to satisfy this parameter.

Default value

5

Valid range

1 to 65535

slapd.conf Syntax

auditlog-minfreediskspace <integer>

Example

auditlog-minfreediskspace 5

Audit Log Rotation Time

Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This parameter supplies only the number of units. The units (day, week, month, and so forth) are given by the Audit Log Rotation Time Unit parameter. If you set "Audit Log Maximum Number of Log Files" to 1, the server ignores this parameter.

Default value

1

Valid range

-1 | 1 to 65535

A value of -1 means that the time between audit log file rotation is unlimited.

slapd.conf Syntax

auditlog-logrotationtime <integer>

Example

auditlog-logrotationtime 100

Audit Log Rotation Time Unit

Specifies the units for Audit Log Rotation Time.

Default value

day

Valid range

month | week | day | hour | minute

slapd.conf Syntax

auditlog-logrotationtimeunit <keyword>

Example

auditlog-logrotationtimeunit day

Certificate and Key Directory

Specifies the location of the SSL directory. This directory contains Secure Socket Layer-related files. This parameter is configurable only from slapd.conf; it is not configurable from the server console.

Default value

<NSHOME>/slapd-<serverID>/ssl

Valid range

Currently this directory must be set to the default.

slapd.conf Syntax

security-path <string>

Example

security-path /usr/ns-home/slapd-directory/ssl

Changelog DB Directory

Specifies the name of the directory in which the change log database is stored. Netscape recommends that this database be stored in:

<NSHOME>/slapd-<serverID>/changelogdb

The change log is used to record modifications made to a supplier server's database. When the supplier server's directory is modified, and entry is written to the change log that contains:

• A number that uniquely identifies the modification. This number is sequential with respect to other entries in the change log.
• The modification action; that is, exactly how the directory was modified.

This parameter must be set to a valid directory name before replication can occur. For more information on replication, refer to Chapter  13, "Managing Replication."

Default value

null string

Valid range

Any valid file name

slapd.conf Syntax

changelogdir <directory>

Example

changelogdir /usr/ns-home/slapd-local/changelogdb

Changelog Suffix

Specifies the suffix used for the change log directory. For information on the change log directory, see "Changelog DB Directory".

Default value

null string

Valid range

Any valid string

slapd.conf Syntax

changelogsuffix <suffix>

Example

changelogsuffix cn=changelog

Check Password Syntax

Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any "trivial" words, such as the user's name or user ID or any attribute value stored in the user's directory entry.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

Off

Valid Range

On|Off

slapd.conf Syntax

pw_syntax <Boolean>

Example

pw_syntax off

Enable Access Control

Turns access control on and off. If this parameter is set to off, then any valid bind attempt (including anonymous binds) results in full access to all information stored in the directory server.

Default Value

on

Valid Range

on | off

slapd.conf Syntax

accesscontrol <Boolean>

Example

accesscontrol off

Enable Online Consumer Creation

Indicates whether a server will automatically use online consumer (replica) creation in the event that an inconsistency is detected between the databases on the supplier and the consumer servers. If this parameter is missing from slapd.conf, or if this parameter is set to anything other than on, then online consumer creation is turned off.

Online consumer creation applies to both supplier-initiated replication and consumer-initiated replication. If supplier-initiated replication is used, then online consumer creation is either turned on or off for all consumer servers. Similarly, if consumer-initiated replication is used then online consumer creation is either turned on or off for all supplier servers.

Caution should be used before turning this feature on. For more information, see "Initializing Consumers".

This parameter is not available from the server console.

Default Value

off

Valid Range

on | off

slapd.conf Syntax

orcauto <Boolean>

Example

ntsynch-port on

Enable Superior Object Class Enquoting

Controls whether quoting in the objectclasses attributes contained in the cn=schema entry will conform to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the objectclasses attributes contained in cn=schema. RFC 2252 indicates that this value should not be quoted.

That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )

However, RFC 2252 indicates that this attribute should be published as follows:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )

Notice the lack of single quotes around the word top.

Turning this parameter off causes the Directory Server to conform to RFC 2252, but doing so may interfere with an LDAP client's ability to modify schema. Specifically, any client written using the Netscape Java LDAP SDK will no longer be able to correctly read and modify schema. This includes the 4.x version of the Netscape Console.

In addition, any LDAP clients that use the C LDAP SDK may no longer be able to correctly manage schema (unlike the Java LDAP SDK, the C SDK does not include standard routines for schema management, so the effects of this parameter on C SDK-based clients will vary depending on the actual implementation).

Default value

on

Valid range

on | off

slapd.conf Syntax

enquote_sup_oc <Boolean>

Example

enquote_sup_oc on

Encrypted Port Number

TCP/IP port number used for SSL communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. For UNIX systems, specifying a port number of less than 1024 requires that the administration server run as root, because it must start the directory server with root privileges.

Default value

636

Valid range

1 to 65535

slapd.conf Syntax

secure-port <integer>

Example

secure-port 636

Encryption Alias

The encryption alias you want to use for this server's certificate. You create the encryption alias when you create your server's certificate database. For more information on creating certificate databases, see the "Enabling SSL Encryption" section in Managing Servers with Netscape Console.

Default value

none

Valid range

Any valid string

slapd.conf Syntax

encryption-alias <string>

Example

encryption-alias secure-LDAP

Encryption Ciphers

Specifies the type of encryption the directory server will use when using SSL communications. For more information on the ciphers supported by the directory server, refer to Chapter  11, "Managing SSL."

Default value

N/A

Valid range

For domestic versions, any combination of the following:

• RC4-40 MD5
• RC2-40 MD5
• RC4-128 MD5
• FIPS DES-56 SHA
• Triple DES-168 SHA
• FIPS Triple DES-168 SHA
• DES-56 SHA
• clear MD5

• RC4-40 MD5
• RC2-40 MD5
• clear MD5

SSL3ciphers <cipher>[,<cipher>, <cipher>, . . .]

where <cipher> is any of the following:

• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_FIPS_DES_56_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_WITH_FIPS_3DES_168_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_WITH_NULL_MD5

• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
• SSL_RSA_WITH_NULL_MD5

Example

SSL3cipher SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_
EXPORT_WITH_RC2_CBC_40_MD5

Error Log

Specifies the pathname and filename of the log used to record error messages generated by the directory server. These messages can describe error conditions, but more often they will contain informative conditions such as:

• server startup and shutdown times
• port number the server uses

Default value

<NSHOME>/slapd-<serverID>/logs/error

Valid range

Any valid filename

slapd.conf Syntax

errorlog <filename>

Example

errorlog /usr/ns-home/slapd-<serverId>/logs/error

Error Log Enable Logging

Turns error logging on and off.

Default value

on

Valid range

on | off

slapd.conf Syntax

errorlog-logging-enabled <Boolean>

Example

errorlog-logging-enabled on

Error Log Expiration Time

Specifies the maximum age that a log file is allowed to be before it is deleted. This parameter supplies only the number of units. The units (day, week, month, and so forth) are given by the Error Log Expiration Time Unit parameter.

Default value

1

Valid range

-1 | 1 to 65535

A value of -1 means that an error log will never be deleted due to its age.

slapd.conf Syntax

errorlog-logexpirationtime <integer>

Example

errorlog-logexpirationtime 1

Error Log Expiration Time Unit

Specifies the units for Error Log Expiration Time.

Default value

week

Valid range

month | week | day | hour | minute

slapd.conf Syntax

errorlog-logexpirationtimeunit <keyword>

Example

errorlog-logexpirationtimeunit day

Error Log Maximum Disk Space

Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the directory server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.

Default value

500

Valid range

-1 | 1 to 65535

A value of -1 means that the disk space allowed to the error log is unlimited in size.

slapd.conf Syntax

errorlog-maxlogdiskspace <integer>

Example

errorlog-maxlogdiskspace 500

Error Log Maximum Log Size

Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file. If you set "Error Log Maximum Number of Log Files" to 1, the server ignores this parameter.

Default value

100

Valid range

-1 | 1 to 65535

A value of -1 means the log file is unlimited in size. When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the directory server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.

slapd.conf Syntax

errorlog-maxlogsize <integer>

Example

errorlog-maxlogsize 100

Error Log Maximum Number of Log Files

Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this parameter, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.

Default value

1

Valid range

1 to 65535

slapd.conf Syntax

errorlog-maxNumOfLogsPerDir <integer>

Example

errorlog-maxNumOfLogsPerDir 10

Error Log Minimum Free Disk Space

Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this parameter, the oldest error log is deleted until enough disk space is freed to satisfy this parameter.

Default value

5

Valid range

1 to 65535

slapd.conf Syntax

errorlog-minfreediskspace <integer>

Example

errorlog-minfreediskspace 5

Error Log Rotation Time

Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This parameter supplies only the number of units. The units (day, week, month, and so forth) are given by the Error Log Rotation Time Unit parameter. If you set "Error Log Maximum Number of Log Files" to 1, the server ignores this parameter.

Default value

1

Valid range

-1 | 1 to 65535

A value of -1 means that the time between error log file rotation is unlimited.

slapd.conf Syntax

errorlog-logrotationtime <integer>

Example

errorlog-logrotationtime 100

Error Log Rotation Time Unit

Specifies the units for Error Log Rotation Time.

Default value

day

Valid range

month | week | day | hour | minute

slapd.conf Syntax

errorlog-logrotationtimeunit <keyword>

Example

errorlog-logrotationtimeunit day

Idle Timeout

Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections.

Default Value

0

Valid Range

0 - maximum integer

slapd.conf Syntax

idletimeout <integer>

Example

idletimeout 0

Instance Directory

Specifies the full path to the directory where this server instance is installed.

Default Value

<NSHOME>/slapd-<server ID>

Valid Range

Any valid file path.

slapd.conf Syntax

instancedir "<file path>"

Example

instancedir "/user/netscape/slapd-phonebook"

IO Block Time Out

Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.

Default Value

1800000 (30 minutes)

Valid Range

0 - maximum integer

slapd.conf Syntax

ioblocktimeout <integer>

Example

ioblocktimeout 1800000

Listen to IP Address

Used only on multihomed machines. The directory server will only respond to requests sent to the interface that correspond to the IP address provided on this parameter.

Default Value

N/A

Valid Range

Any IP address configured for the local host.

slapd.conf Syntax

listenhost <IP address>

Example

listenhost 111.11.111.1

Local User

Unix installations only. Specifies the user that the directory server runs as. The group that the user runs as is derived from this parameter by examining the groups that the user is a member of.

Default Value

N/A

Valid Range

Any valid user on the local Unix machine.

slapd.conf Syntax

localuser <string>

Example

localuser nobody

Lockout Duration

Indicates the amount of time in seconds that users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the Account Lockout parameter. Instead of locking out users for a specified amount of time, you can choose to lock users out until the administrator resets the password using the Unlock Account parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

3600 seconds

Valid Range

1 to maximum integer

slapd.conf Syntax

pw_lockoutduration <integer>

Example

pw_lockoutduration 3600

Log Buffering

When this option is set to "off", the server writes all access log entries directly to disk.

Default value

None

Valid range

On | Off

slapd.conf Syntax

logbuffering <Boolean>

Example

logbuffering off

Log Level

Specifies the level of logging to be used by the directory server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed.

To turn off logging, remove the loglevel parameter from slapd.conf and restart the directory server.

Default value

Logging is turned off (the loglevel parameter is not included in slapd.conf).

Valid range

1—Trace function calls. Creates an entry when the server enters and exits a function.

2—Debug Packet handling

4—Heavy trace output debugging

8—Connection management

16—Print out packets sent/received

32—Search filter processing

64—Config file processing

128—Access control list processing

1024—Log communications with shell backends

2048—Log entry parsing debugging

4096—Housekeeping thread debugging

8192—Replication debugging

16386—Generic debugging; a catch all for the debugging that does not fit in any of the other categories.

32768—Database cache debugging.

65536— Server plug-in debugging; writes an entry to the log file when a server plug-in calls slapi_log_error. For information on server plugins, see the Netscape Directory Server Programmer's Guide.

slapd.conf Syntax

loglevel <integer>

Example

loglevel 8192

Max Changelog Age

Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this parameter will be removed. If this parameter is absent, there is no age limit on change log records. For information on the change log, see "Changelog DB Directory."

Default

none

Valid range

0 to maximum integer

slapd.conf Syntax

changelogmaxage <integer><Age ID>

where Age ID is "s" for seconds, "m" for minutes, "h" for hours, "d" for days, or "w" for weeks.

Example

changelogmaxage 30d

Max Changelog Records

Specifies the maximum number of records the change log may contain. If this parameter is absent, there is no maximum number of records the change log can contain. For information on the change log, see "Changelog DB Directory."

Default value

none

Valid range

0 to 65535

slapd.conf Syntax

changelogmaxentries <integer>

Example

changelogmaxentries 5000

Maximum File Descriptors

Not applicable to directory installations on NT and AIX.

This parameter sets the maximum number of file descriptors that the directory server will try to use. A file descriptor is used whenever a client connects to the server, and for some server activities such as index maintenance.

The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number will differ depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process. See your operating system documentation for details on file descriptor limits and configuration.

You should consider increasing the value on this parameter if the directory server is refusing connections because it is out of file descriptors. When this condition occurs, the following message is written to the directory server's error log file:

Not listening for new connections -- too many fds open

Default Value

1024

Valid Range

1 to 65535

slapd.conf Syntax

maxdescriptors <integer>

Example

maxdescriptors 1024

Maximum Message Size

Defines the maximum size in bytes allowed by an incoming message. This limits the size of write operations to the directory server. Limiting the size of write operations prevents some kinds of denial of service attacks.

The write applies to the total size of the add or modify. For example, if a new entry contains five attributes and the sum of those five attributes exceeds this limit, then the add is denied.

Do not change this parameter value unless told to do so by Netscape support personnel.

A value of 0 indicates that the default value should be used.

Default Value

2097152

Valid Range

0 - 2³²

slapd.conf Syntax

maxbersize <bytes>

Example

maxbersize 2097152

Maximum Password Failures

Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the Account Lockout parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

3 bind failures

Valid Range

1 to maximum integer

slapd.conf Syntax

pw_maxfailure <integer>

Example

pw_maxfailure 3

Maximum Threads Per Connection

Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and does many operations, you should increase this value to allow each connection enough resources to perform all the operations.

A value of 0 turns off maxthreadsperconn and causes the server to allow each connection to obtain as many threads as the connection requires, up to the value set by Thread Number.

This parameter is not available from the server console.

Default value

5

Valid range

0 to threadnumber

slapd.conf Syntax

maxthreadsperconn <number of threads>

Example

maxthreadsperconn 5

nagle

Reserved for future use. Do not change or remove. Doing so can have unpredictable results.

NLS

Used to define the directory where the internationalization files are kept.

This parameter is not available from the server console.

Default value

<NSHOME>/nls

Valid range

N/A

slapd.conf Syntax

NLS "<directory>"

Example

NLS "/usr/ns-home/nls"

NT Synchronization Service Enabled

Indicates whether the NT Synchronization Service plug-ins are used by the directory server. These plug-ins cause the directory server to validate all NT Directory Data with the appropriate NT primary domain controller. These plug-ins also transfer NT user and group changes to the synchronization service for inclusion on NT user and group accounts.

For more information on the NT synchronization service, see Chapter  15, "NT Directory Synchronization."

Default Value

No

Valid Range

Yes | No

slapd.conf Syntax

ntsynch on|off

Example

ntsynch on

NT Synchronization Service Port Number

Specifies the port number that directory server will use for non-LDAP communications with the NT Synchronization Service. This port is used to validate directory changes with the NT domain, and to transfer directory changes to NT. For UNIX systems, specifying a port number of less than 1024 requires that administration server run as root, because it must start the directory server with root privileges.

For more information on the NT synchronization service, see Chapter  15, "NT Directory Synchronization."

Default Value

5005

Valid Range

1 to 65535

slapd.conf Syntax

ntsynch-port <integer>

Example

ntsynch-port 5005

NT Synchronization Service Use SSL

Indicates whether the directory server will use SSL when communicating with the NT synchronization service. This parameter applies to both LDAP and non-LDAP communications.

If you change this parameter, make sure you make the corresponding change in the NT Synchronization Service Configuration tool. Also, if this parameter is set to Off and you turn it on, make sure that your directory server is configured for use with SSL.

Default Value

on

Valid Range

on | off

slapd.conf Syntax

ntsynchusessl <Boolean>

Example

ntsynchusessl on

Number of Passwords to Remember

Indicates the number of passwords the directory server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the directory server does not store any old passwords and so users can reuse passwords. You can enable password history by using the Password History parameter.

To prevent users from rapidly cycling through the number of passwords that you are tracking, use the Password Minimum Age parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

6 passwords

Valid Range

2 to 24 passwords

slapd.conf Syntax

pw_inhistory <integer>

Example

pw_inhistory 6

Object Class

Used to define the schema rules for the specified object class. This parameter is intended to allow the extension of the standard schema when schema checking is turned on.

This parameter is not available from the server console.

slapd.conf Syntax

objectClass <name>
   oid <oid number>
   superior <superior object class>
   requires <list of attributes>
   allows <list of attributes>

Example

objectClass person
   requires
       objectClass,
       sn,
       cn

   allows
       description,
       seeAlso,
       telephoneNumber,
       userPassword,
       subtreeACI

Password Change

Indicates whether users may change their passwords.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

on

Valid Range

on | off

slapd.conf Syntax

pw_change <Boolean>

Example

pw_change on

Password Expiration

Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the Password Maximum Age parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

Off

Valid Range

On|Off

slapd.conf Syntax

pw_exp <Boolean>

Example

pw_exp on

Password History

Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled and users can reuse passwords. If you set this parameter to be on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. You set the number of old passwords the directory server stores using the Number of Passwords to Remember parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

Off

Valid Range

On|Off

slapd.conf Syntax

pw_history <Boolean>

Example

pw_history on

Password Maximum Age

Indicates the number of seconds after which user passwords will expire. To use this parameter, you must enable password expiration using the Password Expiration parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

8640000 seconds (100 days)

Valid Range

1 to maximum integer

slapd.conf Syntax

pw_maxage <integer>

Example

pw_maxage 100

Password Minimum Age

Indicates the number of seconds that must pass before a user can change their password. Use this parameter in conjunction with the Number of Passwords to Remember parameter to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

0

Valid Range

0 to 2147472000 seconds (24,855 days)

slapd.conf Syntax

pw_minage <integer>

Example

pw_minage 86400

Password Minimum Length

Specifies the minimum number of characters that must be used in directory server passwords. In general, shorter passwords are easier to crack, so you are recommended to set a password length of at least 6 or 7 characters. This is long enough to be difficult to crack, but short enough that users can remember the password without writing it down.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

6 characters

Valid Range

2 to 512 characters

slapd.conf Syntax

pw_minlength <integer>

Example

pw_minlength 6

Password Must Change

Indicates whether users must change their passwords when they first bind to the directory server.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

off

Valid Range

on | off

slapd.conf Syntax

pw_must_change <Boolean>

Example

pw_must_change off

Password Storage Scheme

Specifies the type of encryption used to store directory server passwords. Entering clear indicates that passwords are to be stored in plain text.

The following encryption types are available:

• sha is the Secure Hash Algorithm. It is the most secure of the choices and is the one Netscape recommends.
• crypt is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.

Default value

sha

Valid range

crypt|sha|clear

slapd.conf Syntax

pw_storagescheme <string>

Example

pw_storagescheme sha

Port Number

TCP/IP port number used for non-SSL communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. On UNIX systems, specifying a port number of less than 1024 requires that the administration server run as root, because it must start the directory server with root privileges.

If you are changing the port number for a configuration directory, you must also update the corresponding SIE in the configuration directory.

Default value

389

Valid range

1 to 65535

slapd.conf Syntax

port <integer>

Example

port 389

Referral

Specifies the default LDAP URL to pass back when the receives a request for an entry that is not a member of the local tree, that is, an entry whose suffix does not match the value specified on any of the Suffix parameters. For example, suppose the local database contains only entries:

ou=People, o=Airius.com

but the request is for this entry:

ou=Groups, o=Airius.com

In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a database that contains the requested entry.

If a smart referral can be found to return as a result of the request, the server will return that referral instead of the value specified on this parameter.

Only one referral is allowed per directory server instance.

For more information on managing referrals, see Chapter  14, "Managing Referrals."

Default value

null string

Valid range

Any LDAP URL of the form:

ldap://<server location>

If you want to use SSL communications, the Referral parameter should be of the form:

ldaps://<server location>

slapd.conf Syntax

referral <url>

Example

referral ldap://ldap.aceindustry.com

Reserved File Descriptors

Not applicable to directory installations on NT and AIX.

This parameter sets the number of file descriptors that the directory server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that you reserve for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (see "Maximum File Descriptors").

Most installations of the directory server should never need to change this parameter. However, consider increasing the value on this parameter if all of the following are true:

• The server is replicating to a large number of consumer servers (more than 10) and/or the server is maintaining a large number of index files (more than 30).
• The server is servicing a large number of LDAP connections
• You are seeing error messages reporting that the server is unable to open file descriptors (the actual error message will differ depending on the operation that the server is attempting to perform), but these error messages are NOT related to managing client LDAP connections.

Default Value

64

Valid Range

1 to 65535

slapd.conf Syntax

reservedescriptors <integer>

Example

reservedescriptors 64

Reset Password Failure Count After

Indicates the amount of time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the account lockout feature is enabled, users will be locked out of the directory when the counter reaches the number of failures specified by the Maximum Password Failures parameter within 600 seconds by default. After 600 seconds, the failure counter will be reset to zero (0). You enable or disable the account lockout feature using the Account Lockout parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

600 seconds

Valid Range

1 to maximum integer

slapd.conf Syntax

pw_resetfailurecount <integer>

Example

pw_resetfailurecount 600

result_tweak

Reserved for future use. Do not change or remove. Doing so can have unpredictable results.

Return Exact Case

Some client applications require attribute names to exactly match the case of the attribute as it is listed in slapd.at.conf when the attribute is returned by the Directory Server as the result of a search or modify operation. Do not modify this parameter unless you have legacy clients that cannot handle case-insensitive attribute names in results returned from the server.

Default value

off

Valid range

on|off

slapd.conf Syntax

return_exact_case <Boolean>

Example

return_exact_case off

Root DN

Specifies the distinguished name of an entry that is not subject to access control or administrative limit restrictions for operations on the database. Size Limit, Time Limit, and Schema Checking also do not apply to this DN.

For information on changing the Root DN, see "Managing the Root DN".

Valid range

Any valid distinguished name.

slapd.conf Syntax

rootdn <"string">

Example

rootdn "cn=Directory Manager, o=airius.com"

Root Password

When viewed from the server console, this parameter shows the value: "Not Displayed." When viewed from the slapd.conf file, this parameter shows the encryption method followed by the encrypted string.

Warning

If you configure a root DN at server installation time, you must also provide a root password. However, it is possible for the root password to be deleted from slapd.conf by direct editing of the file. In this situation, the root DN can only obtain the same access to your directory as you allow for anonymous access. Always make sure that a root password is defined in slapd.conf when a root DN is configured for your database.

Valid range

Any valid password. Possible encryption methods are described in "Password Storage Scheme".

slapd.conf Syntax

rootpw <{encryption method}encrypted password>

Example

rootpw {crypt}9Eko69APCJfF

Root Password Storage Scheme

Available only from the server console. This parameter indicates the encryption method used for the root password.

Default value

Clear text

Valid range

Any encryption method as described in "Password Storage Scheme".

slapd.conf Syntax

rootpw {encryption method}encrypted password

Example

rootpw {crypt}9Eko69APCJfF

Schema Checking

Specifies whether the database schema will be enforced during entry insertion or modification. The database schema defines the type of information allowed in the database. You can extend the default schema using the objectclass and attribute parameters. For information on how to extend your schema using the Directory Server Console, see Chapter  3, "Extending the Directory Schema."

Note. Schema checking works by default when database modifications are made using an LDAP client, such as ldapmodify, the directory server gateway, or when importing a database from LDIF using ldif2db. If you turn schema checking off, you will manually have to verify that your entries conform to the schema. Make sure that the attributes and object classes you create in your LDIF statements are both spelled correctly and are identified in slapd.conf, slapd.at.conf, or slapd.oc.conf, or a custom schema file that you are including into slapd.conf.

Default value

on

Valid range

on|off

slapd.conf Syntax

schemacheck <Boolean>

Example

schemacheck on

Security

Specifies whether the directory server is to accept SSL communications on its encrypted port.

Default value

off

Valid range

on | off

slapd.conf Syntax

security <Boolean>

Example

security off

Send Warning

Indicates the number seconds before a user's password is due to expire that the user will be sent a warning message. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

86400 seconds (1 day)

Valid Range

1 to maximum integer

slapd.conf Syntax

pw_warning <integer>

Example

pw_warning 86400

Size Limit

Specifies the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.

A null string on this parameter causes no limit to be used; ns-slapd will return every matching entry to the client regardless of the number found. To set this no limit value from within slapd.conf, specify a negative value on the parameter. A value of zero (0) causes no entries to be returned for searches.

Default value

2000

Valid range

-1 to 65535

A value of -1 on this parameter in slapd.conf is the same as leaving the parameter blank in the server console; it causes no limit to be used. However, you cannot specify a negative integer for this field in the server console; nor can you specify a null value in slapd.conf.

slapd.conf Syntax

sizelimit <integer>

Example

sizelimit 2000

Supplier DN

Specifies the distinguished name that supplier servers use to update your server with replicated data. For more information on replication, refer to Chapter  13, "Managing Replication".

Default value

null string

Valid range

Any valid distinguished name representing an entry in the local directory tree.

slapd.conf Syntax

updatedn <"DN">

Example

updatedn "cn=Replication Admin, o=Airius.com"

Supplier Password

The password the consumer server expects the supplier server to use when binding. The supplier password is only required if the consumer server is not configured to accept certificate-based authentication.

Default value

null string

Valid range

Any valid password of 8 or more characters. Possible Encryption methods are described in "Password Storage Scheme".

slapd.conf Syntax

updatepw <{encryption method} encrypted password>

Example

updatepw {crypt} 9EKo74BXRKnL

Supplier SSL Clients

The subject name(s) of the certificate(s) that correspond to the supplier DN defined for the consumer server. If a client sends a certificate with a subject name that matches any of the subject names configured for this parameter, the client is automatically authenticated as the supplier DN. This parameter is only used when the consumer server is configured to accept certificate-based authentication and when a supplier DN is defined. The value of this parameter must match the certificate subject name exactly; differences in case or whitespace are significant.

Default value

null string

Valid range

Any valid certificate subject DN.

slapd.conf Syntax

updateSSLclient <certificate subject DN>

Example

updateSSLclient "cn=master.airius.com, o=airius.com"

Thread Number

Defines the number of operation threads that the directory server will create during start up.

This parameter is not available from the server console.

Default value

20

Valid range

1 to the number of threads supported by your system

slapd.conf Syntax

threadnumber <number threads>

Example

threadnumber 20

Time Limit

Specifies the maximum number of seconds allocated for a search request. If this limit is reached, the directory server returns any entries it has located that match the search request, as well as an exceeded time limit error.

A null string on this parameter causes no limit to be used; the directory server will wait indefinitely for the search to complete. To set this no limit value from within slapd.conf, specify a negative value on the parameter. A value of zero (0) causes no time to be allowed for searches.

Default value

3600

Valid range

-1 to 65535

A value of -1 on this parameter in slapd.conf is the same as leaving the parameter blank in the server console; it causes no limit to be used. However, you cannot specify a negative integer for this field in the server console; nor can you specify a null value in slapd.conf.

slapd.conf Syntax

timelimit <integer>

Example

timelimit 3600

Track Modification Time

Specifies whether the directory server maintains the modification attributes for directory server entries. These attributes include:

• modifiersname—The distinguished name of the person who last modified the entry.
• modifytimestamp—The timestamp for when the entry was last modified in GMT format.
• creatorsname—The distinguished name of the person who initially created the entry.
• createtimestamp—The timestamp for when the entry was created in GMT format.

Default value

on

Valid range

on|off

slapd.conf Syntax

lastmod <Boolean>

Example

lastmod off

Unlock Account

Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the Account Lockout parameter. Instead of locking users out forever, you can choose to lock users out for a specified amount of time using the Lockout Duration parameter.

For more information on password policies, see Chapter  6, "Managing Password and Account Lockout Policies".

Default Value

On

Valid Range

On|Off

slapd.conf Syntax

pw_unlock <Boolean>

Example

pw_unlock off

User-Defined Attributes File

Provides the full path name to the locally-defined attributes. Use this file when extending the attributes in your schema.

Default Value

<NSHOME>/slapd-<server ID>/config/slapd.user_at.conf

Valid Range

Any valid file path.

slapd.conf Syntax

userat "<file path>"

Example

userat "/user/netscape/slapd-phonebook/config/slapd.user_at.conf"

User-Defined Object Class File

Provides the full path name to the locally-defined attributes. Use this file when extending the object classes in your schema.

Default Value

<NSHOME>/slapd-<server ID>/config/slapd.user_oc.conf

Valid Range

Any valid file path.

slapd.conf Syntax

useroc "<file path>"

Example

userat "/user/netscape/slapd-phonebook/config/slapd.user_at.conf"

Table 17.2 Directory server database parameters  

Parameter	Description
All IDs Threshold	Specifies the total number of entry IDs that an index key is allowed to manage before the all IDs token is set.
Attribute to be Indexed	String specifying the indexes to maintain for a given attribute.
Database	String marking the beginning of a new database instance definition within slapd.ldbm.conf.
Database Checkpoint Interval	The amount of time in seconds after which the directory server sends a checkpoint entry to the database transaction log.
Database Configuration File	Specifies the path to the file containing database parameters.
Database Directory	String specifying the directory that contains the database and associated indexes.
Database Durable Transactions	Indicates whether database transaction log entries are immediately written to the disk.
Database Transaction Log Directory	Specifies the path and directory name of the directory containing the database transaction log.
db_home_directory	Solaris-only parameter used for a fix to a Solaris page flushing problem.
Look Through Limit	Integer specifying the maximum number of entries that the directory server will check before returning a resource limit error.
Maximum Cache Size	Integer specifying the size in bytes of the in-memory cache.
Maximum Entries in Cache	Integer specifying the number of entries to be contained in the in-memory cache.
Mode	Integer specifying the file protection used for newly created database index files.
Read-only	Boolean indicating whether the database is in read-only mode.
Suffix	String specifying the distinguished name suffix used for the local database.

Specifies the number of entry IDs that can be maintained for an index key before the server sets the all IDs token. This value should be roughly 5% of the total number of directory entries stored on your server.

For information about all IDs threshold, see "Managing All IDs Threshold".

Default value

4000

Valid range

100 to maximum integer

slapd.ldbm.conf Syntax

allidsthreshold <integer>

Example

allidsthreshold 4000

Attribute to be Indexed

Specifies the indexes to maintain for the specified attribute(s). If only a list of attributes is provided, all possible indexes are maintained. If a value of default is provided in the place of a list of attributes, all attributes are indexed.

Valid indexes include:

• pres
• eq
• approx
• sub
• none

Default value

Only default indexing is performed.

Valid range

Any valid attribute and any valid index type. For a list of the commonly used attributes, see the Netscape Directory Server Schema Reference Guide.

slapd.ldbm.conf Syntax

index [<attribute list>|default] [<list of indexes>]

Example

index cn

index sn,uid eq,sub,approx

index default none

This example causes all indexes to be maintained for the cn attribute; equality, substring, and approximate indexes for the sn and uid attributes; and no indexes for all other attributes.

Database

Marks the beginning of the database definition in the slapd.ldbm.conf file. This parameter is not available from the server console.

Default value

ldbm

Valid range

Currently only ldbm is supported.

slapd.ldbm.conf Syntax

database ldbm

Database Checkpoint Interval

The amount of time in seconds after which the directory server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations have been physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure. The db_checkpoint_interval parameter is absent from slapd.conf. To change the checkpoint interval, you add the parameter to slapd.conf.

For more information on database transaction logging, see "Managing Database Transaction Logging".

Default Value

60 seconds

Valid Range

10 to 300 seconds

Slapd.ldbm.conf Syntax

db_checkpoint_interval <integer>

Example

db_checkpoint_interval 120

Database Configuration File

Specifies the path to slapd.ldbm.conf, which is a file that contains slapd.conf server parameters that can be changed dynamically. Currently only the index parameter is supported in slapd.ldbm.conf.

For more information about slapd.ldbm.conf, see "Changing Parameter Values Using slapd.ldbm.conf".

Default Value

<NSHOME>/slapd-<serverID>/config/slapd.ldbm.conf

Valid Range

Any valid path and directory name.

Slapd.ldbm.conf Syntax

dynamicconf <filename>

Example

dynamicconf /usr/ns-home/slapd-fire/config/slapd.ldbm.conf

Database Directory

Specifies the directory containing the database and associated index files.

Default value

<NSHOME>/slapd-<serverID>/db

Valid range

N/A

slapd.ldbm.conf Syntax

directory <string>

Example

directory /usr/ns-home/slapd-myserver/db

Database Durable Transactions

Indicates whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and therefore be able to be recovered in the event of a system failure. However, the durable transactions feature may also slow the performance of the directory server. When durable transactions is disabled, all transactions are logically written to the database transaction log but may not be physically written to disk immediately. If there was a system failure before a directory change was physically written to disk, that change would not be recoverable. The db_durable_transactions parameter is absent from slapd.conf. To disable durable transactions, you add the parameter to slapd.conf.

For more information on database transaction logging, see "Managing Database Transaction Logging".

Default Value

On

Slapd.ldbm.conf Syntax

db_durable_transactions on|off

Example

db_durable_transactions off

Database Transaction Log Directory

Specifies the path and directory name of the directory containing the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. By default, the database transaction log is stored in the same directory as the directory entries themselves, <NSHOME>/slapd-<serverID>/db. For fault-tolerance and performance reasons you may want to move this log file to another physical disk. The db_logdirectory parameter is absent from slapd.conf. To change the location of the database transaction log, you add the parameter to slapd.conf.

For more information on database transaction logging, see "Managing Database Transaction Logging".

Default Value

<NSHOME>/slapd-<serverID>/db

Valid Range

Any valid path and directory name.

Slapd.ldbm.conf Syntax

db_logdirectory "<directory name>"

Example

db_logdirectory "/logs/txnlog"

db_home_directory

Solaris only. Used to fix a situation in Solaris where the operating system endlessly flushes pages. This flushing can be so excessive that performance of the entire system is severely degraded.

This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning parameters. In particular, this situation should not occur if the database cache size is less than 100mb.

If your Solaris host seems excessively slow and your database cache size is around 100mb or more, then you can use the iostat utility to diagnose the problem. Use iostat to monitor the activity of the disk where the directory server's database files are stored. If all of the following conditions are true, then you should set the db_home_directory parameter:

• The disk is heavily used (more than 1mb per second of data transfer)
• There is a long service time (more than 100ms)
• There is mostly write activity

Note:. The directory referenced by db_home_directory must be a subdirectory of a filesystem of type tempfs (such as /tmp). However, the directory server does not create the subdirectory referenced by this parameter. You must create the directory either manually or by using a script. Failure to create the directory referenced on the db_home_directory parameter will result in the directory server being unable to start.

Also, if you have multiple directory server's on the same machine, their db_home_directory parameters must be configured with different directories. Failure to do so will result in the databases for both directories becoming corrupted.

Finally, use of this parameter causes internal directory server database files to be moved to the directory referenced by the parameter. It is possible, but unlikely, that the server will no longer start after the files have been moved because enough memory cannot be committed. This is a symptom of an overly large database cache size being configured for your server. If this happens, reduce the size of your database cache size to a value where the server will start again.

Default value

N/A

Valid range

Any valid directory name in a tempfs filesystem, such as /tmp.

slapd.ldbm.conf Syntax

db_home_directory /tmp/<subdirectory>

Example

db_home_directory /tmp/slapd-phonebook

Look Through Limit

Specifies the maximum number of entries that the directory server will check when seeking candidate entries in response for a search request. If this limit is reached, the server returns any entries it has located that match the search request, as well as an exceeded size limit error. For a general discussion of the searching algorithm, refer to "The Searching Algorithm".

A null string on this parameter causes no limit to be used; the directory server will check every candidate entry it can find. To set this no limit value from within slapd.conf, specify a negative value on the parameter. A value of zero (0) causes no candidate entries to be checked for searches.

Default value

5000

Valid range

-1 to 65535

A value of -1 on this parameter in slapd.conf is the same as leaving the parameter blank in the server console; it causes no limit to be used. However, you cannot specify a negative integer for this field in the server console, nor can you specify a null value in slapd.conf.

slapd.ldbm.conf Syntax

lookthroughlimit <integer>

Example

lookthroughlimit 5000

Maximum Cache Size

Specifies the size in bytes of the in-memory cache. Increasing this number uses more memory but can substantially improve server performance, especially during modifications or when the indexes are being built. Do not increase this number beyond the available resources for your machine.

For more information on this parameter, see the Entry cache hit Ratio field description in "Summary Information Table".

Default value

10000000

Valid range

1 to maximum integer

slapd.ldbm.conf Syntax

dbcachesize <integer>

Example

dbcachesize 10000000

Maximum Entries in Cache

Specifies the number of entries the directory server will maintain in cache. Increasing this number uses more memory but can substantially improve search performance. The actual amount of memory required per additional entry depends on the nature of the data stored within the directory server. However, as a general guideline, you can estimate that each entry maintained in cache requires approximately 1 KB (1024 bytes) of memory.

For more information on this parameter, see the Entry cache hit Ratio field description in "Summary Information Table".

Default value

1000

Valid range

1 to the total number of database entries.

slapd.ldbm.conf Syntax

cachesize <integer>

Example

cachesize 1000

Mode

Specifies the permissions used for newly created index files. This parameter is not available from the server console.

Default value

0600

Valid range

Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user that ns-slapd runs as), and no access for other users.

slapd.ldbm.conf Syntax

mode <protection mode>

Example

mode 0600

Read-only

Specifies whether the database is in read-only mode. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.

Default value

off

Valid range

on|off

slapd.ldbm.conf Syntax

readonly <Boolean>

Example

readonly off

Suffix

Specifies the distinguished name suffix used for the local database. Incoming queries must have a suffix matching this value. Queries for entries using a suffix other than the value specified in this parameter will be referred to the LDAP server identified on the Referral parameter.

Multiple suffixes can be configured for your local database if multiple root points are used in your database. Two suffixes always exist for a directory server database. The first is the suffix you configure when you initially install the directory server, and this suffix represents your directory tree's root point. The second suffix is used for machine data. See  "Machine data" for more information.

A suffix must always be set for your directory tree in order for clients to successfully access the tree.

For information on setting suffixes for your directory, see "Setting Suffixes for Your Database".

Valid range

Any valid distinguished name.

slapd.ldbm.conf Syntax

suffix <string>

Example

suffix "o=airius.com"

If the suffix DN contains a comma, the comma must be escaped by a single backslash (on NT) or double backslashes (on Unix). For example, to set a suffix of Airius Bolivia, S.A., you would enter

suffix "o=Airius Bolivia\, S.A."

on NT or

suffix "o=Airius Bolivia\\, S.A."

on Unix.