Sun ONE Directory Server 5.2 Reference Manual
Chapter 4 Core Server Configuration Attributes
This chapter provides an alphabetical reference of the attributes used to configure and monitor core server functionality. It is divided into the following sections:
- Core Server Configuration Attributes Reference
- Monitoring Attributes
- Configuration Quick Reference Tables
Core Server Configuration Attributes Reference
This section guides you through all the core server functionality configuration attributes. For server functionality implemented via plug-ins, see the section "Plug-In Implemented Server Functionality". For implementing your own server functionality, contact Sun ONE Professional Services.
For information on where to find the server configuration and how to change it, see "Server Configuration Overview" and "Accessing and Modifying Server Configuration".
The configuration information that is stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config. This information tree is illustrated in Figure 3-1.
This section describes the configuration tree nodes within this information tree, and is divided into the following subsections:
- cn=config
- cn=changelog5
- cn=encryption
- cn=features
- cn=mapping tree
- cn=Password Policy
- cn=replica
- cn=ReplicationAgreementName
- cn=replication
- cn=SNMP
- cn=tasks
- cn=uniqueid generator
The cn=plugins node is covered in Chapter 5 "Plug-In Implemented Server Functionality." Attributes are arranged alphabetically and a full description is provided for each, giving the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Caution
Some of the entries and attributes described in this chapter may change in future releases of the product.
cn=config
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.
ds-start-tls-enabled (Enable startTLS)
Enables startTLS (Windows installations only). startTLS facilitates dynamic changing to a secured connection. To enable startTLS, security must also be enabled (by setting the nsslapd-security attribute to on).
Because startTLS has a performance impact on Windows installations, it is disabled by default and should only be enabled if required.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    off
Syntax           DirectoryString
Example          ds-start-tls-enabled: off
nsslapd-accesscontrol (Enable Access Control)
Turns access control on and off. If this attribute has a value off, any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-accesscontrol: off
nsslapd-accesslog (Access Log)
Specifies the path and filename of the log used to record each database access. The following information is recorded in the log file by default:
- IP address of the client machine that accessed the database
- operations performed (for example, search, add, modify)
- result of the access (for example, the number of entries returned)
For more information on turning access logging off, see Chapter 12, "Managing Log Files" in the Sun ONE Directory Server Administration Guide.
For access logging to be enabled, this attribute must have a valid path and file name and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. Table 4-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
nsslapd-accesslog-level
Controls what is logged to the access log.
nsslapd-accesslog-list
This read-only attribute cannot be set. It provides a list of access log files used in access log rotation.
Property         Value
Entry DN         cn=config
Valid Range      N/A
Default Value    None
Syntax           DirectoryString
Example          nsslapd-accesslog-list: accesslog2,accesslog3
nsslapd-accesslog-logbuffering (Log Buffering)
When set to off, the server writes all access log entries directly to disk.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-accesslog-logbuffering: off
nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    1
Syntax           Integer
Example          nsslapd-accesslog-logexpirationtime: 2
nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
Specifies the unit for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.
Property         Value
Entry DN         cn=config
Valid Range      month | week | day
Default Value    month
Syntax           DirectoryString
Example          nsslapd-accesslog-logexpirationtimeunit: week
nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables access log logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on and the nsslapd-accesslog configuration attribute must have a valid path and filename. Table 4-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-accesslog-logging-enabled: off
nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting the maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    5
Syntax           Integer
Example          nsslapd-accesslog-logminfreediskspace: 4
nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
For performance reasons, it is not recommended that you specify no log rotation as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See "nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)" on page 94 for more information.
nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
Specifies the units for the nsslapd-accesslog-logrotationtime attribute.
Property         Value
Entry DN         cn=config
Valid Range      month | week | day | hour | minute
Default Value    day
Syntax           DirectoryString
Example          nsslapd-accesslog-logrotationtimeunit: week
nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set the nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1, as the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, there is no log rotation. For more information, see "nsslapd-accesslog-logrotationtime (Access Log Rotation Time)" on page 93.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    10
Syntax           Integer
Example          nsslapd-accesslog-maxlogsperdir: 10
nsslapd-attribute-name-exceptions
Allows non-standard characters in attribute names to be used for backward compatibility with older servers.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-attribute-name-exceptions: on
nsslapd-auditlog (Audit Log)
Specifies the pathname and filename of the log used to record changes made to each database.
For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. Table 4-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-list
Provides a list of audit log files.
Property         Value
Entry DN         cn=config
Valid Range      N/A
Default Value    None
Syntax           DirectoryString
Example          nsslapd-auditlog-list: auditlog2,auditlog3
nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
Specifies the maximum age that a log file can be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    1
Syntax           Integer
Example          nsslapd-auditlog-logexpirationtime: 1
nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.
Property         Value
Entry DN         cn=config
Valid Range      month | week | day
Default Value    month
Syntax           DirectoryString
Example          nsslapd-auditlog-logexpirationtimeunit: day
nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-auditlog-logging-enabled: off
For audit logging to be enabled this attribute must be switched to on and the nsslapd-auditlog configuration attribute must have a valid path and file name. Table 4-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.
nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    5
Syntax           Integer
Example          nsslapd-auditlog-logminfreediskspace: 3
nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.
For performance reasons, it is not recommended that you specify no log rotation, as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server checks the nsslapd-auditlog-logrotationtime attribute. See "nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)" on page 101 for more information.
nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
Specifies the units for the nsslapd-auditlog-logrotationtime attribute.
Property         Value
Entry DN         cn=config
Valid Range      month | week | day | hour | minute
Default Value    week
Syntax           DirectoryString
Example          nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.
nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See "nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)" on page 99 for more information.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    1
Syntax           Integer
Example          nsslapd-auditlog-maxlogsperdir: 10
nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitation of the security subsystem certificate mapping, configured in certmap.conf. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. Note that if the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. For further information, see Chapter 11, "Implementing Security" in the Sun ONE Directory Server Administration Guide.
Property         Value
Entry DN         cn=config
Valid Range      The DN of an entry in the directory
Default Value    N/A
Syntax           DN
Example          nsslapd-certmap-basedn: ou=people,dc=example,dc=com
nsslapd-config
This read-only attribute is the config DN.
Property         Value
Entry DN         cn=config
Valid Range      Any valid config DN.
Default Value    N/A
Syntax           DirectoryString
Example          nsslapd-config: cn=config
nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-ds4-compatible-schema: off
nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
Controls whether the quoting in the objectclasses attributes contained in the cn=schema entry conforms to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the objectclasses attributes contained in cn=schema. RFC 2252 indicates that this value should not be quoted.
That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
However, RFC 2252 indicates that this attribute should be published as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
Notice the absence of single quotes around the word top.
Turning this attribute on means that the Directory Server Resource Kit LDAP Clients will no longer function, as they require the schema as defined in RFC 2252.
Turning this attribute off causes the Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients. Specifically, any client written using the Sun ONE LDAP SDK for Java 4.x will no longer be able to correctly read and modify schema. This includes the 4.x version of the Sun ONE Server Console. Please note that turning this attribute on or off does not affect the 5.x Sun ONE Server Console.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-enquote-sup-oc: off
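The two objectclasses forms above differ only in whether the SUP value is single-quoted. The following Python is an added example (not code from the manual or from Directory Server) that parses an objectclasses value of the shape shown above, reports which quoting form the server is publishing, and rewrites the quoted form into the RFC 2252 form; an administrator can run it over the cn=schema output of a server before changing nsslapd-enquote-sup-oc, and a client that must accept both forms can use the normalizer. The two sample definitions are the ones printed in this entry; the parser assumes a single SUP value (it does not handle a parenthesised list of superiors).

```python
"""Detect and normalise the SUP quoting in Directory Server objectclasses values.

Added example, not part of the Sun ONE Directory Server 5.2 manual. Assumes the
RFC 2252-style layout shown in the manual: "( OID NAME '...' DESC '...' SUP x
MUST ( a $ b ) MAY ( c $ d ) )", optionally prefixed with "objectclasses:".
"""
import re

# The quoted form (nsslapd-enquote-sup-oc: on) and the RFC 2252 form, as
# printed in the manual entry for nsslapd-enquote-sup-oc.
QUOTED_FORM = ("objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' "
               "SUP 'top' MUST ( objectclass $ sn $ cn ) "
               "MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )")
RFC2252_FORM = QUOTED_FORM.replace("SUP 'top'", "SUP top")


def parse_objectclass(definition):
    """Parse one objectclasses value into a dict.

    Keys: oid, name, desc, sup, sup_quoted (True if the server quoted the
    superior, False if bare, None if no SUP clause), must, may.
    Only a single SUP value is supported; a parenthesised SUP list is left unparsed.
    """
    body = definition.strip()
    if body.lower().startswith("objectclasses:"):
        body = body.split(":", 1)[1].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("objectclass definition must be enclosed in parentheses")
    inner = body[1:-1].strip()
    oid, _, rest = inner.partition(" ")
    result = {"oid": oid, "name": None, "desc": None, "sup": None,
              "sup_quoted": None, "must": [], "may": []}

    m = re.search(r"\bNAME\s+'([^']*)'", rest)
    if m:
        result["name"] = m.group(1)
    m = re.search(r"\bDESC\s+'([^']*)'", rest)
    if m:
        result["desc"] = m.group(1)
    # Either SUP 'top' (quoted) or SUP top (bare); group 1 is set only when quoted.
    m = re.search(r"\bSUP\s+(?:'([^']*)'|([^\s()']+))", rest)
    if m:
        result["sup"] = m.group(1) if m.group(1) is not None else m.group(2)
        result["sup_quoted"] = m.group(1) is not None
    # MUST / MAY take either a single attribute or a "$"-separated list in parentheses.
    for kw in ("MUST", "MAY"):
        m = re.search(r"\b%s\s+(?:\(\s*([^)]*)\)|([^\s()]+))" % kw, rest)
        if m:
            raw = m.group(1) if m.group(1) is not None else m.group(2)
            result[kw.lower()] = [a.strip() for a in raw.split("$") if a.strip()]
    return result


def sup_quoting(definition):
    """Return 'quoted', 'bare' or 'none' describing how SUP is published."""
    quoted = parse_objectclass(definition)["sup_quoted"]
    if quoted is None:
        return "none"
    return "quoted" if quoted else "bare"


def unquote_sup(definition):
    """Rewrite SUP 'x' as SUP x, producing the RFC 2252 form the manual shows."""
    return re.sub(r"(\bSUP\s+)'([^']*)'", r"\1\2", definition)


if __name__ == "__main__":
    for label, value in (("server form", QUOTED_FORM), ("RFC 2252 form", RFC2252_FORM)):
        oc = parse_objectclass(value)
        print(f"{label}: {oc['name']} SUP={oc['sup']} quoting={sup_quoting(value)} "
              f"MUST={oc['must']} MAY={oc['may']}")
    print("normalised:", unquote_sup(QUOTED_FORM) == RFC2252_FORM)
```

The normalizer is deliberately narrow: it touches only the SUP clause, so NAME and DESC strings, which RFC 2252 does quote, are left as they are.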
nsslapd-errorlog (Error Log)
Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions such as:
- server startup and shutdown times
- port number the server uses
This log contains varying amounts of information depending on the current setting of the Log Level attribute. See "nsslapd-errorlog-level (Error Log Level)" for more information.
For error logging to be enabled, this attribute must have a valid path and file name and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. Table 4-3 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
nsslapd-errorlog-level (Error Log Level)
Specifies the level of logging to be used by the Directory Server.
Note: This attribute has been deprecated in Directory Server 5.2. It is still supported for backward compatibility but has been replaced by the nsslapd-infolog-area (Information Log Area) and nsslapd-infolog-level (Information Log Level) attributes.
nsslapd-errorlog-list (Error Log List)
This read-only attribute provides a list of error log files.
Property         Value
Entry DN         cn=config
Valid Range      N/A
Default Value    None
Syntax           DirectoryString
Example          nsslapd-errorlog-list: errorlog2,errorlog3
nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    1
Syntax           Integer
Example          nsslapd-errorlog-logexpirationtime: 1
nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
Specifies the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.
Property         Value
Entry DN         cn=config
Valid Range      month | week | day
Default Value    month
Syntax           DirectoryString
Example          nsslapd-errorlog-logexpirationtimeunit: week
nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    5
Syntax           Integer
Example          nsslapd-errorlog-logminfreediskspace: 5
nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit attribute.
For performance reasons, it is not recommended that you specify no log rotation as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-errorlog-maxlogsperdir attribute value to 1 or the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See "nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)" on page 109 for more information.
nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, the log will never expire.
Property         Value
Entry DN         cn=config
Valid Range      month | week | day | hour | minute
Default Value    week
Syntax           DirectoryString
Example          nsslapd-errorlog-logrotationtimeunit: day
nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-errorlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. If this attribute is set to 1, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-errorlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1 then there is no log rotation. See "nsslapd-errorlog-logrotationtime (Error Log Rotation Time)" on page 108 for more information.
Property         Value
Entry DN         cn=config
Valid Range      1 to the maximum 32 bit integer value (2147483647)
Default Value    2
Syntax           Integer
Example          nsslapd-errorlog-maxlogsperdir: 10
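The access, audit and error log entries above all state the same two rules: a log is enabled only when its path attribute is set and its -logging-enabled attribute is on, and rotation is off when -maxlogsperdir is 1 or, failing that, when -logrotationtime is -1. The Python below is an added example (not code from the manual or from Directory Server) that applies those rules to a cn=config entry read from LDIF and also checks the object classes the cn=config section says the entry must carry. The sample LDIF is constructed; the defaults are the ones given in this chapter, the -logrotationtime defaults are not given here and an absent value is treated as "rotation not disabled", and "valid path" is approximated as "non-empty", since the file system cannot be checked offline. The sample deliberately leaves the audit log at its default of one file per directory, which the manual says makes it grow indefinitely.

```python
"""Audit Directory Server logging settings from a cn=config LDIF entry.

Added example, not part of the Sun ONE Directory Server 5.2 manual. Reports,
for the access, audit and error logs, whether logging is effectively enabled
and whether rotation is effectively disabled, using the rules stated in the
manual. Defaults are those printed in this chapter; logrotationtime defaults
are not printed here, so an absent value is treated as "rotation not disabled".
"""

# Defaults as stated in this chapter for each log type.
DEFAULTS = {
    "access": {"logging-enabled": "on", "maxlogsperdir": "10"},
    "audit": {"logging-enabled": "off", "maxlogsperdir": "1"},
    "error": {"logging-enabled": "on", "maxlogsperdir": "2"},
}

# The cn=config entry must carry these object classes for its attributes to be honoured.
REQUIRED_OBJECTCLASSES = {"top", "nsslapdconfig", "extensibleobject"}


def parse_ldif_entry(text):
    """Parse one LDIF entry into {attribute_name_lowercase: [values]}.

    Handles folded continuation lines (leading space) and skips comments.
    Base64 ("::") values are not decoded; none are needed for these attributes.
    """
    lines = []
    for raw in text.splitlines():
        if not raw or raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def _first(attrs, name, default=None):
    values = attrs.get(name.lower())
    return values[0] if values else default


def audit_log(attrs, log):
    """Return findings for one log type: 'access', 'audit' or 'error'."""
    prefix = "nsslapd-%slog" % log
    defaults = DEFAULTS[log]
    path = _first(attrs, prefix, "")
    flag = _first(attrs, prefix + "-logging-enabled", defaults["logging-enabled"]).lower()
    # Both conditions must hold (the four-way combination of Tables 4-1 to 4-3).
    enabled = bool(path) and flag == "on"

    maxlogs = int(_first(attrs, prefix + "-maxlogsperdir", defaults["maxlogsperdir"]))
    rotation_time = _first(attrs, prefix + "-logrotationtime")
    # The server checks maxlogsperdir first; logrotationtime matters only if it is > 1.
    if maxlogs == 1:
        rotation = "disabled (maxlogsperdir=1)"
    elif rotation_time is not None and int(rotation_time) == -1:
        rotation = "disabled (logrotationtime=-1)"
    else:
        rotation = "enabled"
    return {"log": log, "path": path, "enabled": enabled, "rotation": rotation}


def audit_config(ldif_text):
    """Audit a cn=config LDIF entry; returns object-class gaps and per-log findings."""
    attrs = parse_ldif_entry(ldif_text)
    present = {v.lower() for v in attrs.get("objectclass", [])}
    return {
        "missing_objectclasses": sorted(REQUIRED_OBJECTCLASSES - present),
        "logs": {log: audit_log(attrs, log) for log in DEFAULTS},
    }


# Constructed sample entry: audit logging switched on but left at the default
# maxlogsperdir of 1, error logging switched off, error rotation set to -1.
SAMPLE_CONFIG = """\
dn: cn=config
objectClass: top
objectClass: nsslapdConfig
objectClass: extensibleObject
cn: config
nsslapd-accesslog: /ServerRoot/slapd-myServer/logs/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logrotationtime: 1
nsslapd-auditlog: /ServerRoot/slapd-myServer/logs/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-errorlog: /ServerRoot/slapd-myServer/logs/errors
nsslapd-errorlog-logging-enabled: off
nsslapd-errorlog-maxlogsperdir: 2
nsslapd-errorlog-logrotationtime: -1
"""

if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    if report["missing_objectclasses"]:
        print("cn=config lacks object classes:", report["missing_objectclasses"])
    for log, f in report["logs"].items():
        state = "enabled " if f["enabled"] else "DISABLED"
        print("%-6s logging %s path=%s rotation %s"
              % (log, state, f["path"] or "<none>", f["rotation"]))
```

Run against a real instance by exporting the cn=config entry from dse.ldif and passing its text to audit_config; an audit log reported as "disabled (maxlogsperdir=1)" is the default-never-rotates case described under nsslapd-auditlog-maxlogsperdir.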
nsslapd-groupevalnestlevel
Specifies the number of levels of nesting that the access control system will perform for group evaluation.
Property         Value
Entry DN         cn=config
Valid Range      0 to the maximum 64-bit integer value
Default Value    0
Syntax           Integer
Example          nsslapd-groupevalnestlevel: 5
nsslapd-hash-filters
Enables experimental code that attempts to speed up filter comparisons by using a hash. This attribute would be used if search tune in the database instance is set to include the VLV_INDEX flag.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    off
Syntax           DirectoryString
Example          nsslapd-hash-filters: off
nsslapd-idletimeout (Idle Timeout)
Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections.
Property         Value
Entry DN         cn=config
Valid Range      0 to the maximum 32 bit integer value (2147483647)
Default Value    0
Syntax           Integer
Example          nsslapd-idletimeout: 0
nsslapd-infolog-area (Information Log Area)
Specifies the component for which logging information should be provided. Each component is identified as an area, whose value is a decimal translation of the hex values in slapi-plugin.h.
The log area is additive; for example, to enable logging on Search filter processing (32) and Config file processing (64), you would set this attribute to 96 (32+64).
If you are writing plug-ins for the Directory Server, refer to the Sun ONE Directory Server Plug-In API Programming Guide for more information on using this attribute.
nsslapd-infolog-level (Information Log Level)
Specifies the level of logging information that should be returned for the server component defined by the nsslapd-infolog-area attribute. A value of 0 means that only default logging information is returned for the selected area. Setting this attribute to 1 enables additional logging information to be returned for the selected area.
Property         Value
Entry DN         cn=config
Valid Range      0 | 1
Default Value    0
Syntax           Integer
Example          nsslapd-infolog-level: 0
nsslapd-instancedir (Instance Directory)
Specifies the full path to the directory where this server instance is installed. The hostname is the default serverID given at installation time.
Property         Value
Entry DN         cn=config
Valid Range      Any valid file path.
Default Value    ServerRoot/slapd-serverID
Syntax           DirectoryString
Example          nsslapd-instancedir: /ServerRoot/slapd-myServer
nsslapd-ioblocktimeout (IO Block Time Out)
Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Property         Value
Entry DN         cn=config
Valid Range      0 to the maximum 32 bit integer value (2147483647) in ticks
Default Value    1800000
Syntax           Integer
Example          nsslapd-ioblocktimeout: 1800000
nsslapd-lastmod (Track Modification Time)
Specifies whether the Directory Server maintains the modification attributes for Directory Server entries. These attributes include:
- modifiersname: The distinguished name of the person who last modified the entry.
- modifytimestamp: The timestamp, in GMT format, for when the entry was last modified.
- creatorsname: The distinguished name of the person who initially created the entry.
- createtimestamp: The timestamp, in GMT format, for when the entry was created.
Property         Value
Entry DN         cn=config
Valid Range      on | off
Default Value    on
Syntax           DirectoryString
Example          nsslapd-lastmod: off
nsslapd-listenhost (Listen to IP Address)
Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.
Property         Value
Entry DN         cn=config
Valid Range      Any hostname.
Default Value    N/A
Syntax           DirectoryString
Example          nsslapd-listenhost: host_name
nsslapd-localhost (Local Host)
This read-only attribute specifies the host machine on which the Directory Server runs.
Property         Value
Entry DN         cn=config
Valid Range      Any fully qualified hostname.
Default Value    Hostname of installed machine.
Syntax           DirectoryString
Example          nsslapd-localhost: myServer.example.com
nsslapd-localuser (Local User)
UNIX and Linux installations only. Specifies the user under which the Directory Server runs. The group under which the user runs is derived from this attribute, by examining the groups that the user is a member of. Should the user change, all the files in the installation directory must be owned by this user.
nsslapd-maxbersize (Maximum Message Size)
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry, and the entry in the request is larger than two megabytes, then the add request is denied. Care should be taken when changing this attribute and we recommend contacting Sun ONE Professional Services before doing so.
nsslapd-maxconnections (Maximum Number of Connections)
This attribute limits the number of simultaneous connections the server can manage. The value of this attribute is not set by default. If it is not set manually, its implicit value is the maximum number of file descriptors a process can open on the system.
You can use this attribute to limit the amount of memory used by Directory Server. Directory Server allocates n*512 bytes of data, where n is equal to the value of nsslapd-maxconnections, if set, or to the maximum number of file descriptors a process can open on the system.
For example, on Solaris 9 systems, the maximum number of file descriptors is 64000. If nsslapd-maxconnections is not set, Directory Server will allocate 35MB of data, which may cause problems for some deployments. Setting nsslapd-maxconnections to a suitable value can help to alleviate this problem.
nsslapd-maxdescriptors (Maximum File Descriptors)
Not applicable to directory installations on Windows and AIX.
This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server. It is also used for some server activities such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by the server for non-client connections, such as index management and managing replication, as specified in the nsslapd-reservedescriptors attribute (see "nsslapd-reservedescriptors (Reserved File Descriptors)" on page 123.)
The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number will differ depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process. See your operating system documentation for details on file descriptor limits and configuration. It is worth noting that the included idsktune program can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary.

You should consider increasing the value on this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:

Not listening for new connections -- too many fds open
Property       Value
Entry DN       cn=config
Valid Range    1 to 65535
Default Value  1024
Syntax         Integer
Example        nsslapd-maxdescriptors: 1024
nsslapd-maxpsearch (Maximum Persistent Searches)
Defines the maximum number of persistent searches that can be performed on the Directory Server. The persistent search mechanism provides an active channel through which entries that change (and information about the changes that occur) can be communicated. Because each persistent search operation uses one thread, limiting the number of simultaneous persistent searches prevents certain kinds of denial of service attacks.
Property       Value
Entry DN       cn=config
Valid Range    1 to maximum threadnumber
Default Value  30
Syntax         Integer
Example        nsslapd-maxpsearch: 30
nsslapd-maxthreadsperconn (Maximum Threads Per Connection)
Defines the maximum number of threads that a connection should use. For normal operations where a client binds and performs only one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations.
Property       Value
Entry DN       cn=config
Valid Range    1 to maximum threadnumber
Default Value  5
Syntax         Integer
Example        nsslapd-maxthreadsperconn: 5
nsslapd-nagle
When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies. That is, the sending of data is delayed, in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for Ethernet).
Property       Value
Entry DN       cn=config
Valid Range    on | off
Default Value  off
Syntax         DirectoryString
Example        nsslapd-nagle: off
nsslapd-plugin
This multi-valued, read-only attribute lists the syntaxes and matching rules loaded by the server.
nsslapd-port (Port Number)
TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port, you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. On UNIX systems, specifying a port number of less than 1024 requires the Directory Server to run as root.
If you are changing the port number for a configuration directory, you must also update the corresponding Server Instance Entry in the configuration directory. Please note that you need to restart the server for the port number change to be taken into account.
Property       Value
Entry DN       cn=config
Valid Range    1 to 65535
Default Value  389
Syntax         Integer
Example        nsslapd-port: 389
nsslapd-privatenamespaces
Contains the list of the private naming contexts cn=config, cn=schema, and cn=monitor.

Property       Value
Entry DN       cn=config
Valid Range    cn=config, cn=schema, and cn=monitor
Default Value  N/A
Syntax         DirectoryString
Example        nsslapd-privatenamespaces: cn=config
nsslapd-readonly (Read Only)
Specifies whether the whole server is in read-only mode, meaning that neither data in the database(s) nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
Property       Value
Entry DN       cn=config
Valid Range    on | off
Default Value  off
Syntax         DirectoryString
Example        nsslapd-readonly: off
nsslapd-referral (Referral)
This multi-valued attribute specifies the LDAP URL(s) to be returned by the suffix, when the server receives a request for an entry not belonging to the local tree, that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, suppose the database contains only the entries:
ou=People, dc=example,dc=com
but the request is for:
ou=Groups, dc=example,dc=com
In this case, the referral is returned so the client may contact the corresponding directory for the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.
Note: If you want to use SSL and TLS communications, the Referral attribute should be in the following form:
ldaps://serverHost
Start TLS does not support referrals.
For more information on managing referrals, see "Setting Referrals" in Chapter 2 of the Sun ONE Directory Server Administration Guide.
Property       Value
Entry DN       cn=config
Valid Range    Valid LDAP URL in the following format: ldap://serverHost
Default Value  N/A
Syntax         DirectoryString
Example        nsslapd-referral: ldap://alternate.example.com
nsslapd-referralmode (Referral Mode)
When set, this attribute will send back the referral for any request on any suffix.
nsslapd-reservedescriptors (Reserved File Descriptors)
Not applicable to directory installations on Windows and AIX.
This read-only attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (see "nsslapd-maxdescriptors (Maximum File Descriptors)" on page 118).
Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true:
- The server is replicating to a large number of consumer servers (more than 10) and/or the server is maintaining a large number of index files (more than 30).
- The server is servicing a large number of LDAP connections.
- You get error messages reporting that the server is unable to open file descriptors (the actual error message will differ depending on the operation that the server is attempting to perform), but these error messages are NOT related to managing client LDAP connections.
Increasing the value on this attribute may result in more LDAP clients being unable to access your directory. Therefore, when you increase the value on this attribute, increase the value on the nsslapd-maxdescriptors attribute also. Note that you may not be able to increase the nsslapd-maxdescriptors value if your server is already using the maximum number of file descriptors that your operating system allows a process to use (see your operating system documentation for details). If this is the case, then reduce the load on your server by causing LDAP clients to search alternative directory replicas.
To assist you in computing the number of file descriptors you set for this attribute, we suggest you use the following formula:
nsslapd-reservedescriptors =
    20 + (NumBackends * 4) + NumGlobalIndexes + ReplicationDescriptors +
    ChainingBackendDescriptors + PTADescriptors + SSLDescriptors

where the terms are given in the following table:
Property       Value
Entry DN       cn=config
Valid Range    1 to 65535
Default Value  64
Syntax         Integer
Example        nsslapd-reservedescriptors: 64
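As an added example (not from the manual or the product), the reserve formula above together with the descriptor and memory arithmetic described under nsslapd-maxdescriptors and nsslapd-maxconnections, in Python. The deployment figures it uses are constructed, and the plan-checking function and its messages are this example's own, not anything the server emits.

```python
"""Capacity planning for nsslapd-maxdescriptors, nsslapd-reservedescriptors and
nsslapd-maxconnections.

Added example, not Sun ONE Directory Server code. The reserve formula and its
term names are the ones the manual gives; the sample deployment numbers are
constructed.
"""

BASE_DESCRIPTORS = 20         # fixed overhead term of the manual's formula
PER_BACKEND = 4               # descriptors per backend (NumBackends * 4)
BYTES_PER_CONNECTION = 512    # manual: the server allocates n*512 bytes for connections
FD_RANGE = range(1, 65536)    # valid range 1 to 65535 for both descriptor attributes


def reserve_descriptors(num_backends, num_global_indexes, replication_descriptors,
                        chaining_backend_descriptors, pta_descriptors, ssl_descriptors):
    """nsslapd-reservedescriptors = 20 + (NumBackends * 4) + NumGlobalIndexes
    + ReplicationDescriptors + ChainingBackendDescriptors + PTADescriptors
    + SSLDescriptors."""
    return (BASE_DESCRIPTORS + num_backends * PER_BACKEND + num_global_indexes
            + replication_descriptors + chaining_backend_descriptors
            + pta_descriptors + ssl_descriptors)


def client_descriptors(max_descriptors, reserve):
    """Descriptors left for LDAP client connections: maxdescriptors minus the reserve."""
    return max_descriptors - reserve


def connection_table_bytes(max_connections=None, os_fd_limit=None):
    """Memory for the connection table: n*512 bytes, where n is
    nsslapd-maxconnections if set, otherwise the OS per-process fd limit."""
    n = max_connections if max_connections is not None else os_fd_limit
    if n is None:
        raise ValueError("need nsslapd-maxconnections or the OS fd limit")
    return n * BYTES_PER_CONNECTION


def check_descriptor_plan(max_descriptors, reserve, os_fd_limit):
    """Problems with a proposed pair of settings; an empty list means the plan
    is consistent (the checks and messages are this example's own)."""
    problems = []
    if max_descriptors not in FD_RANGE:
        problems.append("nsslapd-maxdescriptors outside the valid range 1 to 65535")
    if reserve not in FD_RANGE:
        problems.append("nsslapd-reservedescriptors outside the valid range 1 to 65535")
    if max_descriptors > os_fd_limit:
        problems.append("nsslapd-maxdescriptors exceeds the OS per-process fd limit")
    if reserve >= max_descriptors:
        problems.append("reserve leaves no descriptors for client connections")
    return problems


if __name__ == "__main__":
    # Constructed deployment: 3 backends, 25 global indexes, 12 replication
    # descriptors, no chaining or PTA descriptors, 2 SSL descriptors.
    reserve = reserve_descriptors(3, 25, 12, 0, 0, 2)
    print("nsslapd-reservedescriptors:", reserve)                  # 71
    print("descriptors left for clients at maxdescriptors=1024:",
          client_descriptors(1024, reserve))                        # 953
    print("plan problems:", check_descriptor_plan(1024, reserve, 1024))
    print("connection table bytes, Solaris 9 with maxconnections unset:",
          connection_table_bytes(os_fd_limit=64000))
```

The check mirrors the manual's guidance: raising the reserve without also raising nsslapd-maxdescriptors shrinks the client pool, and raising nsslapd-maxdescriptors beyond what the operating system grants the ns-slapd process achieves nothing.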
nsslapd-return-exact-case (Return Exact Case)
Returns the exact case of attribute names, as defined in the schema.
Attribute names are case-insensitive by default. However, when an attribute is returned by the Directory Server (as the result of a search operation) some client applications require attribute names to match the case of the attribute as it is listed in the schema. Other client applications require attribute names to be returned in lower case (the default behavior in Directory Server 4.x).
nsslapd-return-exact-case is enabled by default. You should disable this attribute if you have legacy clients that expect attribute names to be returned in lower case (for backward compatibility with Directory Server 4.x). You must stop and restart the server for changes to this attribute to be taken into account.
Note that if the attribute name is specified in the search, it is returned in the case in which it is specified, regardless of the value of nsslapd-return-exact-case.
For example, the following search command
ldapsearch -b "cn=config" -s base objectclass=* "PassWordMinAGe"
returns the attribute as "PassWordMinAGe=0", whether nsslapd-return-exact-case is set to on or off.
If nsslapd-return-exact-case is set to on, the following search command
ldapsearch -b "cn=config" -s base objectclass=*
returns the attribute as "passwordMinAge=0", which is how this attribute is defined in the schema.
If nsslapd-return-exact-case is set to off, the same search command
ldapsearch -b "cn=config" -s base objectclass=*
returns the attribute as "passwordminage=0" (in lower case).
Property       Value
Entry DN       cn=config
Valid Range    on | off
Default Value  on
Syntax         DirectoryString
Example        nsslapd-return-exact-case: on
nsslapd-rootdn (Manager DN)
Specifies the distinguished name of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory or resource limits in general. The attributes nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-schemacheck do not apply to this DN either.
For information on changing the Root DN, see Chapter 2, "Creating Directory Entries" in the Sun ONE Directory Server Administration Guide.
Property       Value
Entry DN       cn=config
Valid Range    Any valid distinguished name
Default Value  N/A
Syntax         DN
Example        nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw (Root Password)
Allows you to specify the password associated with the "Manager DN". When you provide the root password, it will be encrypted according to the encryption method you selected for "nsslapd-rootpwstoragescheme (Root Password Storage Scheme)" on page 127. When viewed from the server console, this attribute shows the value *****. When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. Please note that the example below is what you view, not what you type.

Property       Value
Entry DN       cn=config
Valid Range    Any valid password encrypted by any one of the encryption methods that are described in "passwordStorageScheme (Password Storage Scheme)".
Default Value  N/A
Syntax         DirectoryString {encryption_method} encrypted_Password
Example        nsslapd-rootpw: {SSHA}9Eko69APCJfF
nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
Available only from the server console. This attribute indicates the encryption method used for the root password.
Property       Value
Entry DN       cn=config
Valid Range    Any encryption method as described in "passwordStorageScheme (Password Storage Scheme)" on page 170.
Default Value  SSHA
Syntax         DirectoryString
Example        nsslapd-rootpwstoragescheme: SSHA
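An added example, not from the manual or the product, showing what the {SSHA} value stored in nsslapd-rootpw under the default nsslapd-rootpwstoragescheme actually is (salted SHA-1: the base64 of the digest followed by the salt) and how a verifier checks a candidate password against it. The password, the salt and the line-parsing helper are this example's own; the manual's abbreviated example value is used only to show that an incomplete value is rejected.

```python
"""Work with {SSHA} values such as those stored in nsslapd-rootpw.

Added example; this is not Sun ONE Directory Server code. It implements the
{SSHA} scheme (salted SHA-1): base64( SHA1(password || salt) || salt ), so the
value in dse.ldif is a one-way salted hash, not a recoverable encryption.
"""
import base64
import hashlib
import hmac
import os
from typing import Optional

SCHEME = "{SSHA}"
SHA1_LEN = 20          # bytes in a SHA-1 digest; whatever follows it is the salt


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Return a {SSHA} value as it would appear in dse.ldif (random 8-byte salt by default)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def storage_scheme(stored: str) -> Optional[str]:
    """Return the scheme tag of a stored value ('SSHA' for '{SSHA}...'), or None."""
    if stored.startswith("{") and "}" in stored:
        return stored[1:stored.index("}")]
    return None


def is_well_formed_ssha(stored: str) -> bool:
    """True if the value carries the {SSHA} tag and decodes to a 20-byte digest plus a salt."""
    if storage_scheme(stored) != "SSHA":
        return False
    try:
        raw = base64.b64decode(stored[len(SCHEME):], validate=True)
    except ValueError:           # binascii.Error is a ValueError subclass
        return False
    return len(raw) > SHA1_LEN


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not is_well_formed_ssha(stored):
        raise ValueError("not a complete {SSHA} value")
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many digest bytes matched.
    return hmac.compare_digest(candidate, digest)


def parse_rootpw_line(line: str) -> str:
    """Extract the stored value from an 'nsslapd-rootpw: {SSHA}...' line of dse.ldif
    (helper of this example, not a product API)."""
    name, sep, value = line.partition(":")
    if not sep or name.strip().lower() != "nsslapd-rootpw":
        raise ValueError("not an nsslapd-rootpw line")
    return value.strip()


if __name__ == "__main__":
    # Constructed password and salt; the salt would normally be random.
    stored = make_ssha("constructed-example-pw", salt=b"\x00\x01\x02\x03\x04\x05\x06\x07")
    print("dse.ldif line: nsslapd-rootpw:", stored)
    print("scheme:", storage_scheme(stored))
    print("correct password verifies:", verify_ssha("constructed-example-pw", stored))
    print("wrong password verifies:", verify_ssha("wrong-password", stored))
    # The manual's printed example is abbreviated and so does not decode to a full digest.
    print("manual's abbreviated value well formed:", is_well_formed_ssha("{SSHA}9Eko69APCJfF"))
```

Because the stored value is a one-way hash, someone who reads dse.ldif cannot recover the root password from it directly; the digest is nevertheless cheap to compute, so the file's access permissions still matter.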
nsslapd-schema-repl-useronly
This attribute allows you to have greater control over the schema that is replicated. The attribute is off by default, implying that the entire schema is replicated. If the attribute is set to on, only schema with an X-ORIGIN of user-defined is replicated. This setting greatly improves the performance of schema replication.
If you are replicating from a 5.2 Directory Server to a 5.1 server, you must set this attribute to on. Otherwise the 5.2 schema will be pushed to the 5.1 server and the 5.1 server will be unable to restart, due to duplicate objects.
Property       Value
Entry DN       cn=config
Valid Range    on | off
Default Value  off
Syntax         DirectoryString
Example        nsslapd-schema-repl-useronly: off
nsslapd-schemacheck (Schema Checking)
Specifies whether the database schema will be enforced during entry insertion or modification. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. You can extend the default schema using the objectclasses and attribute types. For information on how to extend your schema using Directory Server console, see Chapter 9, "Extending the Directory Schema" in the Sun ONE Directory Server Administration Guide.
Property       Value
Entry DN       cn=config
Valid Range    on | off
Default Value  on
Syntax         DirectoryString
Example        nsslapd-schemacheck: on
nsslapd-securelistenhost
Allows multiple Directory Server instances to run on a multihomed machine, using secure SSL/TLS connections (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.
Property       Value
Entry DN       cn=config
Valid Range    Any secure hostname.
Default Value  N/A
Syntax         DirectoryString
Example        nsslapd-securelistenhost: secure_host_name
nsslapd-securePort (Encrypted Port Number)
TCP/IP port number used for SSL/TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. On UNIX systems, specifying a port number of less than 1024 requires the Directory Server to run as root.
The default value 636 is only used if the server has been configured with a private key and a certificate; otherwise it does not listen on this port.
Property       Value
Entry DN       cn=config
Valid Range    1 to 65535
Default Value  636
Syntax         Integer
Example        nsslapd-securePort: 636
nsslapd-security (Security)
Enables the use of security features (SSL/TLS and attribute encryption) in Directory Server. If you require secure connections, or the use of the attribute encryption feature, this attribute should be set to on.
Property       Value
Entry DN       cn=config
Valid Range    on | off
Default Value  off
Syntax         DirectoryString
Example        nsslapd-security: off
nsslapd-sizelimit (Size Limit)
Specifies the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.
When no limit is set, ns-slapd will return every matching entry to the client regardless of the number found. To set a no limit value whereby the Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file.
This limit applies to everyone regardless of their organization.
Property       Value
Entry DN       cn=config
Valid Range    -1 to the maximum 32 bit integer value (2147483647)
Default Value  2000
Syntax         Integer
Example        nsslapd-sizelimit: 2000
nsslapd-threadnumber (Thread Number)
Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify. This ensures that there are other threads available for servicing short-lived operations such as simple searches.
Property       Value
Entry DN       cn=config
Valid Range    1 to the number of threads supported by your system
Default Value  30
Syntax         Integer
Example        nsslapd-threadnumber: 60
nsslapd-timelimit (Time Limit)
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
When no limit is set, ns-slapd will return every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.
Property       Value
Entry DN       cn=config
Valid Range    -1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value  3600
Syntax         Integer
Example        nsslapd-timelimit: 3600
nsslapd-versionstring (Version String)
Specifies the server version number.
Property       Value
Entry DN       cn=config
Valid Range    Any valid server version number.
Default Value  N/A
Syntax         DirectoryString
Example        nsslapd-versionstring: SunONE-Directory/5.2
cn=changelog5
Multi-master replication changelog configuration entries are stored under the cn=changelog5 entry. The replication changelog behaves much like a database. The cn=changelog5,cn=config entry is an instance of the extensibleObject object class. For attributes to be taken into account by the server, this object class (and the top object class) must be present in the entry.
It is worth noting that two different types of change logs are maintained by Sun ONE Directory Server 5.2. The first type, which is stored here and referred to as changelog, is used by multi-master replication; the second change log, which is actually a plug-in and referred to as retro changelog, is intended for use by Sun ONE Meta Directory. See "Retro Changelog Plug-In" on page 208 of Chapter 5 "Plug-In Implemented Server Functionality" for further information regarding the Retro Changelog Plug-in. Multi-master replication changelog attributes are presented in this section.
nsslapd-cachesize (Cache Size)
Specifies the replication changelog cache size, in terms of the number of entries it can hold. Note that it is simpler to limit the cache by memory size only (see the nsslapd-cachememsize attribute). If you attempt to set a value that is not an integer or is too big for a 64-bit unsigned integer (32-bit unsigned integer for 32-bit installations), you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property       Value
Entry DN       cn=changelog5,cn=config
Valid Range    1 to 2,147,483,647 (or -1 which means unlimited) entries
Default Value  -1
Syntax         Integer
Example        nsslapd-cachesize: -1
nsslapd-cachememsize (Cache Memory Size)
Specifies the changelog cache size, in terms of the available memory space. Limiting cachesize in terms of memory occupied is the simplest method. If automatic cache resizing is activated, this attribute is overridden. If you attempt to set a value that is not an integer or is too big for a 64-bit unsigned integer (32-bit unsigned integer for 32-bit installations), you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
nsslapd-changelogdir (Changelog Directory)
This required attribute specifies the name of the directory in which the change log database will be created. Whenever a change log configuration entry is created it must contain a valid directory or the operation will be rejected. The GUI proposes by default that this database be stored under:
ServerRoot/slapd-serverID/changelogdb
Note: For performance reasons, it is recommended that you store this database on a different physical disk.
nsslapd-changelogmaxage (Max Changelog Age)
Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed. If this attribute is absent, there is no age limit on change log records. For information on the change log, see "nsslapd-changelogdir."
nsslapd-changelogmaxentries (Max Changelog Records)
Specifies the maximum number of records the change log may contain. If this attribute is absent, there is no maximum number of records the change log can contain. For information on the change log, see "nsslapd-changelogdir (Changelog Directory)".
cn=encryption
Encryption related attributes are stored under the cn=encryption,cn=config entry. This entry is an instance of the nsEncryptionConfig object class. For encryption related attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Encryption configuration attributes are presented in this section.
nsSSLSessionTimeout
Specifies the lifetime duration of an SSL session for both SSLv2 and SSLv3. The minimum timeout value is 5 seconds and if you enter a value below this, it is automatically replaced by 5 seconds. Values outside the valid ranges are replaced by the default value of 100 seconds (SSLv2).
nsSSLClientAuth
In an SSL connection, this attribute specifies whether a client certificate is allowed, required, or should not be sent (off) to the SSL server.
Property       Value
Entry DN       cn=encryption,cn=config
Valid Range    off | allowed | required
Default Value  allowed
Syntax         DirectoryString
Example        nsSSLClientAuth: allowed
nsSSLServerAuth
Specifies the action that the SSL client should take on the server certificate sent by the SSL server in an SSL connection.
nsSSL2 (SSL 2)
Supports SSL version 2.
Property       Value
Entry DN       cn=encryption,cn=config
Valid Range    on | off
Default Value  off
Syntax         DirectoryString
Example        nsSSL2: on
nsSSL3 (SSL 3)
Supports SSL version 3.
Property       Value
Entry DN       cn=encryption,cn=config
Valid Range    on | off
Default Value  off
Syntax         DirectoryString
Example        nsSSL3: on
nsSSL3ciphers
This multi-valued attribute specifies the set of encryption ciphers the Directory Server will use during SSL communications. For more information on the ciphers supported by the Directory Server, see Chapter 11, "Managing SSL", in the Sun ONE Directory Server Administration Guide.
If you are using the Directory Server Console to set the cipher preferences, the values on the SSL 3.0 tab of the Cipher Preference dialog box correspond to the following:
If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following:
Table 4-6    TLS Ciphers

Cipher in Console    Corresponding TLS Cipher
RC4 (Export)         tls_rsa_export1024_with_rc4_56_sha
DES (Export)         tls_rsa_export1024_with_des_cbc_sha
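The following is an added example (not from the manual or the product) that reads a dse.ldif fragment and reports the cn=encryption settings this section documents as the weaker choices: nsSSL2 on, export-grade ciphers enabled in nsSSL3ciphers, and nsslapd-security off in cn=config. Both LDIF samples are constructed, one with the weak settings and one corrected; the "+name,-name" cipher-list syntax is assumed from the comma-separated, prefix-per-cipher convention of these servers, and the finding codes are this example's own.

```python
"""Audit the cn=encryption,cn=config entry of a dse.ldif for weak SSL settings.

Added example; not Sun ONE Directory Server code. It parses a small LDIF
fragment and reports: nsSSL2 on, export-grade ciphers in nsSSL3ciphers, and
nsslapd-security off.
"""
import base64
from collections import defaultdict

# Constructed sample with the weak settings. The '+name,-name' cipher-list
# syntax is an assumption about the attribute's value format.
WEAK_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-security: on
nsslapd-securePort: 636

dn: cn=encryption,cn=config
objectClass: top
objectClass: nsEncryptionConfig
nsSSL2: on
nsSSL3: on
nsSSLClientAuth: allowed
nsSSLSessionTimeout: 100
nsSSL3ciphers: +tls_rsa_export1024_with_rc4_56_sha,
 +tls_rsa_export1024_with_des_cbc_sha,+rsa_rc4_128_sha
"""

# The same entries corrected: SSLv2 off, export ciphers disabled (constructed).
HARDENED_DSE_LDIF = """\
dn: cn=config
nsslapd-security: on
nsslapd-securePort: 636

dn: cn=encryption,cn=config
nsSSL2: off
nsSSL3: on
nsSSLClientAuth: allowed
nsSSL3ciphers: -tls_rsa_export1024_with_rc4_56_sha,
 -tls_rsa_export1024_with_des_cbc_sha,+rsa_rc4_128_sha,+rsa_3des_sha
"""


def parse_ldif(text):
    """Minimal LDIF reader -> [{'dn': str, 'attrs': {lowercase_name: [values]}}].
    Handles folded lines (leading space), comments and '::' base64 values."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # continuation of the previous line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded + [""]:              # trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name].append(value)
    return entries


def enabled_ciphers(cipher_list):
    """Cipher names enabled in an nsSSL3ciphers value; '-name' entries are skipped."""
    names = []
    for token in cipher_list.split(","):
        token = token.strip()
        if not token or token.startswith("-"):
            continue
        names.append(token.lstrip("+").lower())
    return names


def audit(entries):
    """Return (code, detail) findings for the settings this section documents."""
    by_dn = {e["dn"].lower(): e["attrs"] for e in entries}
    cfg = by_dn.get("cn=config", {})
    enc = by_dn.get("cn=encryption,cn=config", {})
    findings = []
    if cfg.get("nsslapd-security", ["off"])[0].lower() != "on":
        findings.append(("security-off", "nsslapd-security is not on; SSL/TLS is disabled"))
    if enc.get("nsssl2", ["off"])[0].lower() == "on":
        findings.append(("ssl2-enabled", "nsSSL2: on enables SSL version 2"))
    for value in enc.get("nsssl3ciphers", []):
        for name in enabled_ciphers(value):
            if "export" in name:
                findings.append(("export-cipher", name))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DSE_LDIF), ("hardened", HARDENED_DSE_LDIF)):
        print(label, audit(parse_ldif(text)))
```

Run against the weak fragment the audit reports SSLv2 and the two export ciphers from Table 4-6; against the corrected fragment it reports nothing. The same parser can be pointed at a real dse.ldif, since the server stores these attributes in exactly this entry.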
cn=features
The cn=features,cn=config entry is an instance of the nsContainer object class. Configuration attributes for the filtering service (used by the partial replication feature) are stored here, under the cn=filtering service,cn=features,cn=config entry. The filtering service subtree contains two nodes: cn=sets and cn=elements.
cn=elements contains all defined filtering units. A filtering unit is the minimum filtering concept that the filtering service can understand in a particular subtree.
cn=sets contains combinations and unions of the filtering units under cn=elements to extend the filtering definition.
For more information on the filtering service, see the Sun ONE Directory Server Administration Guide.
cn=mapping tree
Configuration attributes for suffixes and replication are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry
cn="suffixName",cn=mapping tree,cn=config.
Replication configuration attributes are stored under
cn=replica,cn="suffixName",cn=mapping tree,cn=config.
Replication agreement attributes are stored under
cn=replicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config.
Suffix Configuration Attributes Under cn="suffixName"
Suffix configuration attributes are stored under the cn="suffixName" entry, for example cn="dc=example,dc=com". This entry is an instance of the nsMappingTree object class, which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server, these object classes (in addition to the top object class) must be present in the entry. Suffix configuration attributes are presented in this section.
nsslapd-backend
Gives the name of the suffix or chained suffix used to process requests. This attribute can be multi-valued if you are using a custom distribution plug-in, with one suffix name per value. In this case, you must also specify the nsslapd-distribution-plugin and nsslapd-distribution-funct attributes.
This attribute is required when the value of the nsslapd-state attribute is set to backend or referral on update.
Property       Value
Entry DN       cn="suffixName",cn=mapping tree,cn=config
Valid Range    Any valid partition name.
Default Value  None
Syntax         DirectoryString
Example        nsslapd-backend: NetscapeRoot
nsslapd-distribution-plugin
Specifies the full path and filename of the shared library for the custom distribution plugin. This attribute is required along with nsslapd-distribution-funct when you have specified more than one suffix in the nsslapd-backend attribute.
Contact Sun ONE Professional Services for information on how to create distribution logic for your directory server.
nsslapd-distribution-funct
Specifies the name of your distribution function within the library named by nsslapd-distribution-plugin. This attribute is required along with nsslapd-distribution-plugin when you have specified more than one database in the nsslapd-backend attribute.
Contact Sun ONE Professional Services for information on how to create distribution logic for your directory server.
nsslapd-referral
Lists the servers to which updates are referred. This attribute can be multi-valued, with one server per value. This attribute is required when the value of the nsslapd-state attribute is set to referral.
nsslapd-state
Determines how the suffix handles operations.
Replication Attributes Under cn=replica,cn="suffixName",cn=mapping tree,cn=config
Replication configuration attributes are stored under
cn=replica,cn="suffixName",cn=mapping tree,cn=config.
The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication configuration attributes are presented in this section. For further information regarding replication, see Chapter 8, "Managing Replication" in the Sun ONE Directory Server Administration Guide.
cn
This attribute is used to name the replica. Once it has been set, it cannot be modified.
Property       Value
Entry DN       cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range    Any valid suffix name.
Default Value  cn=replica
Syntax         DirectoryString
Example        cn: "cn=replica"
nsDS5Flags
This attribute enables you to specify replica properties you have previously defined in flags. At present only two flags exist. One enables you to specify whether changes are logged. The second enables you to overwrite automatic referrals.
nsDS5ReplicaBindDN
This multi-valued attribute specifies the DN to use when binding. The value can either be the DN of the local entry on the consumer server or, in the case of an SSL connection, the certificate identity associated with the same DN.
nsDS5ReplicaChangeCount (Replica Change Count)
This read-only attribute informs you of the total number of entries in the change log (whether they still remain to be replicated or not). When the change log is purged, only the entries that are still to be replicated are left. See "nsDS5ReplicaPurgeDelay" and "nsDS5ReplicaTombstonePurgeInterval" for more information regarding purge operation properties.
Property       Value
Entry DN       cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range    -1 to maximum integer (2147483647)
Default Value  N/A
Syntax         Integer
Example        nsDS5ReplicaChangeCount: 675
nsDS5ReplicaId (Replica ID)
Specifies the unique ID for masters in a given replication environment. Consumer servers always have the same replica ID: 65535.

Property       Value
Entry DN       cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range    1 to 65534
Default Value  N/A
Syntax         Integer
Example        nsDS5ReplicaId: 1
nsDS5ReplicaLegacyConsumer
If this attribute is absent or has a value of false, then the replica is not a legacy consumer.
Property       Value
Entry DN       cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range    true | false
Default Value  false
Syntax         DirectoryString
Example        nsDS5ReplicaLegacyConsumer: false
nsDS5ReplicaName
This read-only attribute specifies the name of the replica with a unique identifier for internal operations. This unique identifier is allocated by the server when the replica is created. This attribute is for internal use only.
nsDS5ReplicaPurgeDelay
Specifies the period of time in seconds after which internal purge operations will be performed on the change log. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in your replication policy, to avoid incurring conflict resolution problems and server divergence.
nsDS5ReplicaReferral
This multi-valued attribute specifies the user-defined referrals. This should be defined on a consumer only. User referrals are only returned when a client attempts to modify data on a read-only consumer.
nsDS5ReplicaRoot
Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated. It cannot be modified.
nsDS5ReplicaTombstonePurgeInterval
Specifies the time interval in seconds between purge operation cycles. When setting this attribute, bear in mind that the purge operation is time consuming.
nsDS5ReplicaType
Defines the type of replication relationship that exists between this replica and the others.
Replication Attributes Under cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config
The replication attributes that concern the replication agreement are stored under
cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config.
The cn=ReplicationAgreementName entry is an instance of the nsDS5ReplicationAgreement object class. For replication agreement configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication agreements are configured only on supplier replicas. The replication agreement configuration attributes are presented in this section.
cn
This attribute defines the replication agreement name. Once this attribute has been set it cannot be modified.
description
Free form text description of the replication agreement. This attribute can be modified.
ds5AgreementEnable
Specifies whether a replication agreement is enabled or disabled.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: ds5agreementEnable: on
ds5BeginReplicaAcceptUpdates
Enables you to specify that the replica should accept client updates instead of referring them.
ds5ReferralDelayAfterInit
Enables you to specify the delay after which a recently initialized replica will start accepting client updates instead of referring them.
ds5ReplicaAutomaticInit
An On/Off flag that enables a consumer that is out of sync to be reinitialized automatically.
ds5ReplicaChangesSentDuringLastUpdate
This read-only attribute specifies the number of entries that were replicated in the last update session.
ds5ReplicaPendingChanges
This read-only attribute lists the changes not yet sent to the specified consumer. The attribute must be specifically requested in an ldapsearch operation. If the ds5agreementEnable attribute is set to off, this information is returned in an ldapsearch operation on ds5ReplicaPendingChanges.
ds5ReplicaPendingChangesCount
This read-only attribute provides the number of changes not yet sent to the specified consumer. The attribute must be specifically requested in an ldapsearch operation. If the ds5agreementEnable attribute is set to off, this information is returned in an ldapsearch operation on ds5ReplicaPendingChangesCount.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range: N/A
Default Value: N/A
Syntax: Integer
Example: ds5ReplicaPendingChangesCount: 2
ds5ReplicaTransportCompressionLevel
Available on Solaris and Linux platforms only, this attribute specifies the level of compression used in transporting updates to a consumer.
ds5ReplicaTransportGroupSize
The number of updates (for an incremental update) or entries (for a total update) that the supplier will group together before sending the changes to the consumer.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range: 0 to 100
Default Value: 1
Syntax: Integer
Example: ds5ReplicaTransportGroupSize: 1
ds5ReplicaTransportWindowSize
The number of updates (for an incremental update) or entries (for a total update) that the supplier will send before waiting for a reply from the consumer.
filterSPConfChecksum
The checksum for partial replication configuration.
filterSPConfDefinition
This single-valued attribute may contain any AND or OR combination of any number of Configuration Elements entries located in the configuration directory. The value of this attribute must conform to the following syntax:
filterSPConfDefinition: SUBSET(1) || SUBSET(2) || .... || SUBSET(N)
filterSPConfEnabled
Activates or deactivates a specified Configuration Set without the need to remove the complete definition. If this attribute is set to off, clients are unable to use the Configuration Set to apply any kind of filtering.
Entry DN: cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: filterspconfenabled: on
filterSPFrcAttr
If the filterSPType attribute is set to fractional_include, this attribute contains the list of attributes to be included for replication.
If the filterSPType attribute is set to fractional_exclude, this attribute contains the list of attributes to be excluded for replication.
filterSPType
Specifies the type of partial replication.
nsDS5BeginReplicaRefresh
Allows you to initialize a replica. This attribute is absent by default. However, if you add this attribute with a value of start, the server reinitializes the replica and removes the attribute value.
nsDS5ReplicaBindDN
Specifies the DN to use when binding. The value of this attribute must be the same as the one in cn=replica on the consumer replica. A default DN of "cn=replication manager" is created when you set up a replication agreement. This can be modified. This attribute may be empty if certificate-based authentication is used.
nsDS5ReplicaBindMethod
Specifies the method to use for binding. This attribute can be modified.
nsDS5ReplicaChangesSentSinceStartup
This read-only attribute provides you with the number of changes sent to this replica since the server started.
nsDS5ReplicaCredentials
Specifies the credentials for the bind DN (specified in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value for this attribute can be modified. When certificate-based authentication is used, this attribute may not have a value. The example below is what you view, not what you type.
nsDS5ReplicaHost
Specifies the hostname for the remote server containing the consumer replica. Once this attribute has been set it cannot be modified.
nsDS5ReplicaLastInitEnd
This optional, read-only attribute states when the initialization of the consumer replica ended.
nsDS5ReplicaLastInitStart
This optional, read-only attribute states when the initialization of the consumer replica started.
nsDS5ReplicaLastInitStatus
This optional, read-only attribute provides status for the initialization of the consumer.
nsDS5ReplicaLastUpdateEnd
This read-only attribute states when the most recent replication schedule update ended.
nsDS5ReplicaLastUpdateStart
This read-only attribute states when the most recent replication schedule update started.
nsDS5ReplicaLastUpdateStatus
This read-only attribute provides the status for the most recent replication schedule updates.
nsDS5ReplicaPort
Specifies the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.
nsDS5ReplicaRoot
Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated. It cannot be modified.
nsDS5ReplicaTimeout
This attribute specifies the number of seconds that outbound LDAP operations will wait for a response from the remote replica before timing out and failing. If you see "Warning: timed out waiting" messages in the error log file, increase the value of this attribute.
You can find out how long the operation actually lasted by examining the access log on the remote machine, and then set the nsDS5ReplicaTimeout attribute accordingly to optimize performance.
nsDS5ReplicaTransportInfo
Specifies the type of transport used for transporting data to and from the replica. The attribute values can either be SSL, which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used. If this attribute is absent, regular LDAP connections are used. This attribute cannot be modified once set.
nsDS5ReplicaUpdateInProgress
This read-only attribute states whether or not a replication schedule update is in progress.
nsDS5ReplicaUpdateSchedule
This multi-valued attribute specifies the replication schedule. It can be modified.
nsDS50ruv
This attribute is responsible for managing the internal state of the replica via the replication update vector. It is always present and must not be changed.
partialReplConfiguration
Specifies the partial replication configuration entry point, as defined in the Replication Agreement. The value of this attribute is the RDN of the cn=sets, cn=filtering service,cn=features,cn=config entry, which stores the filtering information required by the partial replication module.
cn=Password Policy
Configurable password policy attributes are stored under cn=Password Policy,cn=config. For a description of the operational or state attributes related to password policy, refer to "Operational Attributes".
Configurable password attributes fall into one of the following categories:
- attributes that determine the password policy itself
- attributes that determine the account lockout policy
Note: In previous versions of Directory Server, configurable password policy attributes were stored directly under cn=config.
Password Policy Attributes
The following attributes determine the password policy.
passwordChange (Password Change)
Indicates whether users may change their passwords. If this attribute is not present, a value of on is assumed (users can change their passwords).
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: passwordChange: on
passwordCheckSyntax (Check Password Syntax)
Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets the password minimum length requirement and that the string does not contain any "trivial" words, such as the user's name or user ID or any attribute value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordCheckSyntax: off
passwordExp (Password Expiration)
Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. If password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge attribute.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordExp: on
passwordExpireWithoutWarning (Password Expire Without Warning)
Indicates whether a password can expire regardless of whether the user was warned about the expiration date.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordExpireWithoutWarning: on
passwordInHistory (Number of Passwords to Remember)
Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. The password history feature is disabled by default (the passwordInHistory attribute has a value of 0). This implies that the Directory Server does not store any old passwords and users can reuse passwords.
To prevent users from rapidly cycling through a number of passwords, use the passwordMinAge attribute.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: 0 to 24 passwords
Default Value: 0
Syntax: Integer
Example: passwordInHistory: 6
passwordMaxAge (Password Maximum Age)
Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
passwordMinAge (Password Minimum Age)
Specifies the number of seconds that must elapse between password modifications. Use this attribute in conjunction with the passwordInHistory attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: 0 to 2147472000 seconds (24,855 days)
Default Value: 0
Syntax: Integer
Example: passwordMinAge: 86400
passwordMinLength (Password Minimum Length)
Specifies the minimum number of characters that must be used in a password. Syntax checking is performed against this attribute, if the passwordCheckSyntax attribute is set to on.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: 2 to 512 characters
Default Value: 6
Syntax: Integer
Example: passwordMinLength: 6
passwordMustChange (Password Must Change)
Indicates whether users must change their passwords when they first bind to the Directory Server, or when the password has been reset by the administrator. If this attribute is set to on, users are required to change their passwords.
For users to be able to change their passwords, the passwordChange attribute must also be set to on.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordMustChange: off
passwordRootDNMayBypassModsChecks
Allows the root DN to modify passwords, even if the modification violates the password policy.
When this attribute is set to on, the Directory Manager can make modifications to passwords that violate the password policy. This allows exceptions to the password policy, and can be used, for example, in the case of applications that reset passwords to the same default value. If the Directory Manager changes a password and the server detects that the new password violates the minimum length or the password history, a warning is logged, but the modification proceeds.
This attribute is set to off by default, which means that the server rejects password modifications by the Directory Manager if they violate the password policy.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordRootdnMayBypassModsChecks: off
passwordStorageScheme (Password Storage Scheme)
Specifies the algorithm used to encrypt Directory Server passwords. The default password storage scheme is the Salted Secure Hash Algorithm (SSHA).
The following encryption types are supported by Directory Server 5.2:
- SSHA (Salted Secure Hash Algorithm) is the recommended method as it is the most secure.
- SHA (Secure Hash Algorithm). This is the method supported by 4.x Directory Servers.
- CRYPT is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.
If this attribute is set to CLEAR, passwords are not encrypted and appear in plain text.
You can modify how the Directory Server stores password attributes by writing your own password storage scheme plug-in. For more information see Chapter 11, "Writing Password Storage Scheme Plug-Ins" in the Sun ONE Directory Server Plug-In API Programming Guide.
Note: You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for backward compatibility.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
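To make the difference between the SSHA and SHA schemes concrete, the following Python is an added example; it is not code from the manual or from Directory Server. It assumes the common {SSHA} encoding base64(SHA-1(password || salt) || salt), an 8-byte salt when creating values (the verifier treats whatever follows the 20-byte digest as the salt, so other lengths verify too), and, as a further assumption, treats an unprefixed stored value as clear text.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

SHA1_LEN = hashlib.sha1().digest_size   # 20 bytes
SALT_LEN = 8                            # assumption: salt length used when creating values


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an {SSHA} value: base64( SHA-1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(SALT_LEN)     # fresh random salt for every password set
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password: str) -> str:
    """Produce an unsalted {SHA} value (the scheme kept for 4.x compatibility)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored userPassword value.
    Handles {SSHA} and {SHA}; an unprefixed value is assumed to be clear text."""
    candidate = password.encode("utf-8")
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]   # salt is whatever follows the digest
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    if stored.startswith("{SHA}"):
        raw = base64.b64decode(stored[len("{SHA}"):])
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), raw)
    return hmac.compare_digest(candidate, stored.encode("utf-8"))


def salted_values_differ(password: str) -> bool:
    """Two users with the same password get different {SSHA} values but identical
    {SHA} values; equal stored hashes would reveal who shares a password."""
    return ssha_hash(password) != ssha_hash(password) and sha_hash(password) == sha_hash(password)


if __name__ == "__main__":
    value = ssha_hash("secret")
    print(value, verify("secret", value), verify("wrong", value))
    print("SHA collides for equal passwords:", salted_values_differ("secret"))
```

hmac.compare_digest is used for every comparison so that a mismatch costs the same time whichever byte differs.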
passwordWarning (Send Warning)
Specifies the number of seconds before a user's password expires, that a warning is sent. The user will receive a password expiration warning on attempting to authenticate to the directory. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
If this attribute is not present, or if the value of the attribute is 0, no warning messages are sent. For password expiration to be enabled, the passwordExp attribute must be set to on.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
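The password policy attributes described above (passwordCheckSyntax, passwordMinLength, passwordInHistory, passwordMinAge, passwordExp, passwordMaxAge and passwordWarning) combine into one decision procedure when a user changes a password or binds. The following Python model is an added example, not code from the manual or from Directory Server. The class and function names are mine; the "trivial word" test is assumed to be a case-insensitive substring match against the listed attributes; password history is modelled as SHA-256 digests of the last N passwords including the current one; and since this page does not give a default for passwordMaxAge, the model leaves it at 0.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List

# Attributes whose values passwordCheckSyntax treats as "trivial" words.
TRIVIAL_ATTRS = ("uid", "cn", "sn", "givenName", "ou", "mail")


@dataclass
class PasswordPolicy:
    """Subset of cn=Password Policy,cn=config with the manual's defaults
    (passwordMaxAge has no default on this page; assumption: 0)."""
    passwordCheckSyntax: bool = False
    passwordMinLength: int = 6
    passwordInHistory: int = 0      # 0 disables history
    passwordMinAge: int = 0         # seconds; 0 allows an immediate change
    passwordExp: bool = False
    passwordMaxAge: int = 0         # seconds; only meaningful when passwordExp is on
    passwordWarning: int = 0        # seconds before expiry; 0 or absent means no warning


@dataclass
class UserEntry:
    attrs: Dict[str, List[str]]
    history: List[str] = field(default_factory=list)  # digests of the last N passwords (model)
    changed_at: int = 0                                # epoch seconds of the last change


def _digest(password: str) -> str:
    # Modelling choice: the history holds digests, never the clear passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def syntax_violations(policy: PasswordPolicy, entry: UserEntry, new_pw: str) -> List[str]:
    """The two checks passwordCheckSyntax enables: minimum length and trivial words.
    Trivial-word matching is assumed to be a case-insensitive substring test."""
    problems: List[str] = []
    if not policy.passwordCheckSyntax:
        return problems                   # off by default: nothing at all is checked
    if len(new_pw) < policy.passwordMinLength:
        problems.append(f"shorter than passwordMinLength={policy.passwordMinLength}")
    lowered = new_pw.lower()
    for attr in TRIVIAL_ATTRS:
        for value in entry.attrs.get(attr, []):
            if value and value.lower() in lowered:
                problems.append(f"contains value of {attr}")
    return problems


def change_password(policy: PasswordPolicy, entry: UserEntry, new_pw: str, now: int) -> List[str]:
    """Apply the policy to a user-initiated change. Returns the violations found;
    an empty list means the change was accepted and the entry updated."""
    problems = syntax_violations(policy, entry, new_pw)
    if policy.passwordMinAge and now - entry.changed_at < policy.passwordMinAge:
        problems.append("passwordMinAge not elapsed")
    if policy.passwordInHistory and _digest(new_pw) in entry.history[-policy.passwordInHistory:]:
        problems.append("password found in history")
    if problems:
        return problems
    if policy.passwordInHistory:
        entry.history.append(_digest(new_pw))
        entry.history = entry.history[-policy.passwordInHistory:]   # keep only the last N
    entry.changed_at = now
    return []


def expiration_state(policy: PasswordPolicy, entry: UserEntry, now: int) -> str:
    """'ok', 'warning' or 'expired', from passwordExp, passwordMaxAge and passwordWarning."""
    if not policy.passwordExp:
        return "ok"
    expires_at = entry.changed_at + policy.passwordMaxAge
    if now >= expires_at:
        return "expired"
    if policy.passwordWarning and expires_at - now <= policy.passwordWarning:
        return "warning"
    return "ok"


if __name__ == "__main__":
    # Constructed sample user and a policy that turns every check on.
    user = UserEntry(attrs={"uid": ["jdoe"], "cn": ["Jane Doe"], "sn": ["Doe"],
                            "givenName": ["Jane"], "ou": ["People"], "mail": ["jdoe@example.com"]})
    strict = PasswordPolicy(passwordCheckSyntax=True, passwordMinLength=8, passwordInHistory=3,
                            passwordMinAge=86400, passwordExp=True, passwordMaxAge=30 * 86400,
                            passwordWarning=7 * 86400)
    print(change_password(strict, user, "Tr0ub4dor&3", 1_000_000))   # []
    print(change_password(strict, user, "People2024!", 1_000_000 + 2 * 86400))
    print(expiration_state(strict, user, 1_000_000 + 25 * 86400))     # warning
```

Note the last default in PasswordPolicy(): with the manual's defaults, passwordCheckSyntax, passwordInHistory and passwordMinAge are all off, so the procedure accepts any password, which is what an unmodified server does.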
Account Lockout Attributes
The following attributes determine the account lockout policy.
passwordLockout (Account Lockout)
Enables the account lockout mechanism. If this attribute is set to on, users will be locked out of the directory (for the length of time specified in the passwordLockoutDuration attribute) once the maximum number of consecutive failed bind attempts has been reached. The maximum number of consecutive bind attempts is specified by the passwordMaxFailure attribute.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: passwordLockout: off
passwordLockoutDuration (Lockout Duration)
If the account lockout feature is enabled (passwordLockout is set to on), this attribute specifies the length of time (in seconds) during which users will be locked out of the directory. The account is locked when the maximum number of consecutive failed bind attempts (specified by passwordMaxFailure) has been reached.
If this attribute is not present, or if it is set to 0, the account will remain locked until it is reset by the administrator.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value: 3600
Syntax: Integer
Example: passwordLockoutDuration: 3600
passwordMaxFailure (Maximum Password Failures)
If the account lockout feature is enabled (passwordLockout is set to on), this attribute specifies the number of consecutive failed bind attempts after which a user will be locked out of the directory. Each time an invalid password is sent from the user's account, the password failure counter is incremented. The value of this counter is stored in the operational attribute, passwordRetryCount.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: 1 to 32767
Default Value: 3
Syntax: Integer
Example: passwordMaxFailure: 3
passwordResetFailureCount (Reset Password Failure Counter)
Each time an invalid password is sent from the user's account, the password failure counter is incremented. The value of this counter is stored in the operational attribute, passwordRetryCount. This attribute specifies the length of time (in seconds) after which passwordRetryCount is reset to 0 (even if no successful authentication occurs).
If passwordResetFailureCount is set to 0, the failure counter is reset only when a successful bind occurs.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value: 600
Syntax: Integer
Example: passwordResetFailureCount: 600
passwordUnlock (Unlock Account)
If the account lockout mechanism is enabled (passwordLockout is set to on), this attribute specifies whether user accounts will be unlocked after a period of time. The period of time is specified in the passwordLockoutDuration attribute.
If passwordUnlock is set to on and the value of the passwordMaxFailure attribute has been reached, the account will be unlocked after the number of seconds specified in the passwordLockoutDuration attribute. However, if passwordUnlock is set to off, and the value of the passwordMaxFailure attribute has been reached, the account will remain locked until the administrator resets it.
For more information on password policies, see Chapter 7, "User Account Management" in the Sun ONE Directory Server Administration Guide.
Entry DN: cn=Password Policy,cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: passwordUnlock: off
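The five account lockout attributes (passwordLockout, passwordMaxFailure, passwordLockoutDuration, passwordResetFailureCount and passwordUnlock) interact as a small state machine driven by bind results. The following Python is an added example of that state machine, not code from the manual or from Directory Server. passwordRetryCount is the operational attribute the manual names; the two timestamps in AccountState and all function names are this model's own assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The account lockout attributes of cn=Password Policy,cn=config, manual defaults."""
    passwordLockout: bool = False
    passwordMaxFailure: int = 3
    passwordLockoutDuration: int = 3600     # 0: locked until an administrator resets it
    passwordResetFailureCount: int = 600    # 0: counter reset only by a successful bind
    passwordUnlock: bool = True


@dataclass
class AccountState:
    """Per-user state. passwordRetryCount is the manual's operational attribute;
    the timestamps are this model's bookkeeping (assumption)."""
    passwordRetryCount: int = 0
    last_failure_at: int = 0
    locked_at: Optional[int] = None


def is_locked(policy: LockoutPolicy, acct: AccountState, now: int) -> bool:
    """Locked when passwordMaxFailure was reached and the lock has not expired."""
    if not policy.passwordLockout or acct.locked_at is None:
        return False
    if not policy.passwordUnlock or policy.passwordLockoutDuration == 0:
        return True                                   # only admin_reset() clears this
    return now < acct.locked_at + policy.passwordLockoutDuration


def bind(policy: LockoutPolicy, acct: AccountState, password_ok: bool, now: int) -> str:
    """Simulate one simple bind; returns 'success', 'invalid credentials' or 'locked'."""
    if is_locked(policy, acct, now):
        return "locked"                               # rejected even with the right password
    if acct.locked_at is not None:
        acct.locked_at = None                         # passwordLockoutDuration has elapsed
        acct.passwordRetryCount = 0
    elif (policy.passwordResetFailureCount and acct.passwordRetryCount
          and now - acct.last_failure_at >= policy.passwordResetFailureCount):
        acct.passwordRetryCount = 0                   # passwordResetFailureCount elapsed
    if password_ok:
        acct.passwordRetryCount = 0
        return "success"
    acct.passwordRetryCount += 1                      # counted whether or not lockout is on
    acct.last_failure_at = now
    if policy.passwordLockout and acct.passwordRetryCount >= policy.passwordMaxFailure:
        acct.locked_at = now
    return "invalid credentials"


def admin_reset(acct: AccountState) -> None:
    """What an administrator's reset does: clear the counter and the lock."""
    acct.passwordRetryCount = 0
    acct.locked_at = None


if __name__ == "__main__":
    policy = LockoutPolicy(passwordLockout=True)
    acct = AccountState()
    for t in (0, 10, 20):
        print(t, bind(policy, acct, False, t), acct.passwordRetryCount)
    print(30, bind(policy, acct, True, 30))          # locked
    print(3620, bind(policy, acct, True, 3620))      # success: duration elapsed
```

Two points the model makes visible: a correct password is refused while the lock holds, and with passwordLockout at its default of off the counter grows without ever protecting the account.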
cn=replication
A default replication bind DN (cn=replication manager) is created when you set up a replication agreement. This can be modified.
When configuring legacy replication, configuration attributes are stored under this cn=replication,cn=config node, which serves as a placeholder.
cn=SNMP
SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class. For SNMP configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. SNMP configuration attributes are presented in this section.
nssnmpenabled
Specifies whether SNMP is enabled or not.
Entry DN: cn=SNMP,cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: nssnmpenabled: off
nssnmporganization
Specifies the organization to which the Directory Server belongs.
Entry DN: cn=SNMP,cn=config
Valid Range: Organization name
Default Value: N/A
Syntax: DirectoryString
Example: nssnmporganization: Sun ONE
nssnmplocation
Specifies the location within the company or organization where the Directory Server resides.
Entry DN: cn=SNMP,cn=config
Valid Range: Location
Default Value: N/A
Syntax: DirectoryString
Example: nssnmplocation: B14
nssnmpcontact
Specifies the E-mail address of the person responsible for maintaining the Directory Server.
Entry DN: cn=SNMP,cn=config
Valid Range: Contact E-mail address
Default Value: N/A
Syntax: DirectoryString
Example: nssnmpcontact: ITdept@example.com
nssnmpdescription
Provides a unique description of the Directory Server instance.
Entry DN: cn=SNMP,cn=config
Valid Range: Description
Default Value: N/A
Syntax: DirectoryString
Example: nssnmpdescription: Employee directory instance
nssnmpmasterhost
This required attribute specifies the hostname of the machine on which the master agent is installed. For UNIX only.
Entry DN: cn=SNMP,cn=config
Valid Range: Machine hostname or local host.
Default Value: localhost
Syntax: DirectoryString
Example: nssnmpmasterhost: localhost
nssnmpmasterport
Specifies the port number used to communicate with the master agent. For UNIX only.
cn=tasks
No specific configuration attributes.
cn=uniqueid generator
The uniqueid generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class. For uniqueid generator configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Uniqueid generator configuration attributes are presented in this section.
nsState
This attribute stores information on the state of the clock. It is intended for internal use only: it ensures that the server cannot generate a change sequence number (CSN) lower than existing ones, which is required for detecting backward clock errors. Do not edit this attribute.
Entry DN: cn=uniqueid generator,cn=config
Valid Range: N/A
Default Value: N/A
Syntax: DirectoryString
Example: nsstate: AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA
Monitoring Attributes
Read-only monitoring information is stored under the cn=monitor entry.
cn=monitor
The cn=monitor entry is an instance of the extensibleObject object class. For cn=monitor configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. The cn=monitor read-only attributes are presented in this section.
backendMonitorDN
DN for each Directory Server backend.
For further database monitoring information, see "Database Monitoring Attributes" on page 231, "Database Performance Attributes" on page 236, "Database Monitoring Attributes Under cn=NetscapeRoot" on page 240, and "Chained Suffix Monitoring Attributes" on page 256.
bytesSent
Number of bytes sent by Directory Server.
cache-avail-bytes
The number of bytes available for caching.
connection
List of open connections given in the following format:
connection=31:20010201164808Z:45:45::cn=directory manager:LDAP
where 31 is the connection number, 20010201164808Z is the date the connection was opened, 45 is the number of operations received, 45 is the number of completed operations, and cn=directory manager is the bind DN.
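A monitoring script has to split the connection value into those fields before it can report anything useful. The following Python parser is an added example, not code from the manual or from Directory Server. It assumes the field order shown above, treats the fifth (empty) field, which the manual does not describe, as ignorable, takes the trailing LDAP field as the transport type, and uses a constructed sample whose first line is the manual's own example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass
class Connection:
    number: int
    opened: datetime
    ops_received: int
    ops_completed: int
    bind_dn: str          # empty for an anonymous connection
    transport: str        # trailing field, "LDAP" in the manual's example

    @property
    def pending(self) -> int:
        return self.ops_received - self.ops_completed


def parse_generalized_time(value: str) -> datetime:
    """GeneralizedTime as cn=monitor prints it (Z notation), e.g. 20010201164808Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_connection(value: str) -> Connection:
    """Parse one cn=monitor 'connection' value, e.g.
    connection=31:20010201164808Z:45:45::cn=directory manager:LDAP
    The fifth field is empty in the manual's example and is not described; it is ignored."""
    if value.startswith("connection="):
        value = value[len("connection="):]
    number, opened, received, completed, _undocumented, rest = value.split(":", 5)
    bind_dn, transport = rest.rsplit(":", 1)   # rsplit: a bind DN may itself contain ':'
    return Connection(int(number), parse_generalized_time(opened),
                      int(received), int(completed), bind_dn, transport)


def stuck_connections(values: List[str], now_gt: str, max_age_s: int) -> List[Connection]:
    """Connections with operations still outstanding that were opened more than
    max_age_s seconds before now_gt: candidates for a stalled client or starved threads."""
    now = parse_generalized_time(now_gt)
    out = []
    for value in values:
        c = parse_connection(value)
        if c.pending > 0 and (now - c.opened).total_seconds() > max_age_s:
            out.append(c)
    return out


def connections_by_bind_dn(values: List[str]) -> Dict[str, int]:
    """Open connections per identity; anonymous ones grouped under '(anonymous)'."""
    counts: Dict[str, int] = {}
    for value in values:
        dn = parse_connection(value).bind_dn or "(anonymous)"
        counts[dn] = counts.get(dn, 0) + 1
    return counts


# Constructed sample; the first line is the manual's own example.
SAMPLE = [
    "connection=31:20010201164808Z:45:45::cn=directory manager:LDAP",
    "connection=32:20010201164900Z:12:10::uid=app1,ou=services,dc=example,dc=com:LDAP",
    "connection=33:20010201165015Z:3:3:::LDAP",
    "connection=34:20010201165100Z:8:7::uid=app1,ou=services,dc=example,dc=com:LDAP",
]

if __name__ == "__main__":
    for c in stuck_connections(SAMPLE, "20010201170000Z", 300):
        print(f"connection {c.number}: {c.pending} pending op(s), {c.bind_dn or '(anonymous)'}")
    print(connections_by_bind_dn(SAMPLE))
```

Comparing the received and completed counters per connection is the quickest way to tell a busy server from one whose request queue (see request-que-backlog below) is no longer draining.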
connectionPeak
Maximum number of simultaneous connections since server startup.
currentConnections
Number of current Directory Server connections.
currentTime
Current time usually given in Greenwich Mean Time (indicated by GeneralizedTime syntax Z notation, for example 20010202131102Z).
dTableSize
Size of the Directory Server descriptor table.
entriesSent
Number of entries sent by Directory Server.
nbackEnds
Number of Directory Server backends.
opsCompleted
Number of Directory Server operations completed.
opsInitiated
Number of Directory Server operations initiated.
request-que-backlog
The number of requests waiting to be processed by a thread. Each request received by the server is accepted, then placed in a queue until a thread is available to process it. The queue backlog should always be small (0 or close to 0). If the queue backlog is large, use the nsslapd-threadnumber attribute to increase the number of threads available in the server.
This attribute applies to UNIX and Linux only.
readWaiters
Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
startTime
Directory Server start time.
threads
Number of operation threads Directory Server creates during startup. This attribute can be set using the nsslapd-threadnumber (Thread Number) attribute under cn=config. The nsslapd-threadnumber attribute is not present in the dse.ldif file by default, but can be added.
totalConnections
Total number of Directory Server connections.
version
Directory Server version and build number.
cn=disk,cn=monitor
The cn=disk entry enables you to monitor disk conditions over LDAP. This entry is an instance of the extensibleObject object class. A cn=disknumber,cn=disk,cn=monitor entry exists for each disk. The following disk monitoring attributes appear under each of these individual disk entries.
disk-dir
Specifies the pathname of a directory used by the server on disk. Where several database instances reside on the same disk or an instance refers to several directories on the same disk, the short pathname is displayed. The disk numbering is arbitrary.
disk-free
Indicates the amount of free disk space available to the server, in MB.
disk-state
Indicates the state of the disk, based on the available free space and on the thresholds set for disk low and disk full (with the configuration parameters nsslapd-disk-low-threshold and nsslapd-disk-full-threshold). Possible values are normal, low, and full.
cn=counters,cn=monitor
This entry holds counter information for the various subtree entry counter plug-ins, if they are enabled. For more information on these plug-ins, see "Subtree Entry Counter Plug-Ins" on page 209.
cn=snmp,cn=monitor
The cn=snmp entry enables you to monitor Directory Server access, operations, and errors. This entry is an instance of the extensibleObject object class.
addentryops
The number of add operations serviced by this directory since server startup.
anonymousbinds
The number of anonymous binds to the directory since server startup.
bindsecurityerrors
The number of bind requests that have been rejected by the directory due to authentication failures or invalid credentials since server startup.
bytesrecv
The number of bytes received by this directory since server startup.
bytessent
The number of bytes sent to clients by this directory since server startup.
cacheentries
The number of entries cached in the directory.
cachehits
The number of operations serviced from the locally held cache since application startup.
chainings
The number of chaining operations returned by this directory in response to client requests since server startup.
compareops
The number of compare operations serviced by this directory since server startup.
connections
The number of current open connections.
connectionseq
The number of connections handled by the directory since server startup.
copyentries
The number of directory entries for which this directory contains a consumer copy. The value of this object will always be 0 (as no updates are currently performed).
entriesreturned
The number of entries returned by this directory in response to client requests since server startup.
errors
The number of requests that could not be serviced due to errors (other than security or referral errors). Errors include name errors, update errors, attribute errors, and service errors. Partially serviced requests are not counted as errors.
inops
The number of operations forwarded to this directory from another directory since server startup.
listops
The number of list operations serviced by this directory since server startup. The value of this object will always be 0 because LDAP implements list operations indirectly via the search operation.
masterentries
The number of directory entries for which this directory contains the master entry. The value of this object will always be 0 (as no updates are currently performed).
modifyentryops
The number of modify operations serviced by this directory since server startup.
modifyrdnops
The number of modify RDN operations serviced by this directory since server startup.
onelevelsearchops
The number of one-level search operations serviced by this directory since server startup.
readops
The number of read operations serviced by this directory since application start. The value of this object will always be 0 because LDAP implements read operations indirectly via the search operation.
referrals
The number of referrals returned by this directory in response to client requests since server startup.
referralsreturned
The number of referrals returned by this directory in response to client requests since server startup.
removeentryops
The number of delete operations serviced by this directory since server startup.
searchops
The total number of search operations serviced by this directory since server startup.
securityerrors
The number of operations forwarded to this directory that did not meet security requirements.
simpleauthbinds
The number of binds to the directory that were established using a simple authentication method (such as password protection) since server startup.
slavehits
The number of operations that were serviced from locally held replications (shadow entries). The value of this object will always be 0.
strongauthbinds
The number of binds to the directory that were established using a strong authentication method (such as SSL or an SASL mechanism like Kerberos) since server startup.
unauthbinds
The number of unauthenticated binds to the directory since server startup.
wholesubtreesearchops
The number of whole subtree search operations serviced by this directory since server startup.
Configuration Quick Reference Tables
This section provides quick reference tables for LDIF configuration files supplied with the Directory Server, object classes and schema used in server configuration, and attributes requiring server restart.
LDIF Configuration Files
Table 4-7 lists all the configuration files that are supplied with the Directory Server, including those for the schema of other Sun ONE and legacy servers. Each file is preceded by a number that indicates the order in which they should be loaded (in ascending numerical and then alphabetical order). See "LDIF Configuration Files - Location" on page 76 for information on where these files are stored.
Configuration Changes Requiring Server Restart
Table 4-8 lists the configuration attributes that cannot take effect dynamically, while the server is still running. After modifying these parameters through the console or the ldapmodify command, the server must be stopped and restarted for them to take effect. The table lists the configuration attributes concerned, with their full DNs, and provides a brief description of their functions.