install-path/ds6/bin/dsadm subcommand options
The dsadm command is the local administration command for Directory Server instances. Use the dsadm command with any of the subcommands described in this man page.
dsadm must be used while the server is stopped (except subcommands dsadm info, dsadm stop and dsadm restart). It must be run from the local machine where the server instance is located. This command must be run by the user who is the operating system owner of the server instance, or by root.
The following subcommands are supported:
Adds a certificate to the certificate database.
Creates a self-signed certificate and adds it to the certificate database.
Enables or disables Directory Server instance startup at system boot. This command is only available if you installed with Sun Java Enterprise System or native packages, and is not available on Windows. This command must be run as root.
Creates a backup archive of the Directory Server instance.
Creates a Directory Server instance.
Deletes a Directory Server instance.
Disables a Directory Server instance from being managed as a service. This command is available on Windows distributions and on Solaris native package distributions only. The command must be run as root.
Enables a Directory Server instance to be managed as a service. This command is available on Windows distributions and on Solaris native package distributions only. The command must be run as root.
Exports suffix to LDIF format.
Exports an encrypted copy of the certificate and its public and private keys from the certificate database.
Generates legacy scripts in a Directory Server instance. This command is not available on Windows.
Displays the flag values for the Directory Server instance.
Populates an existing suffix with LDIF data.
Adds a new certificate and its keys to the certificate database.
Adds a new self-signed certificate and its keys to the certificate database.
Displays Directory Server instance status and some configuration information.
Lists all certificates in the certificate database.
Regenerates existing indexes.
Removes a certificate from the certificate database. The instance must be stopped before running this command.
Replaces a certificate, but keeps the existing private key. The instance must be stopped before running this command.
Renews a self-signed certificate in the certificate database. The instance must be stopped before running this command.
Repacks or compacts an existing suffix. The -b option enables you to specify the name of the back end instead of the suffix name. At least one suffix DN or one back end name must be specified. The instance must be stopped before running this command.
Generates a certificate request.
Restarts a Directory Server instance.
Restores Directory Server instance from a backup archive.
Sets flags for a Directory Server instance.
Displays the contents of the access log.
Displays a certificate.
Displays the contents of the error log.
Starts a Directory Server instance.
Stops a Directory Server instance.
The following options are global, and are applicable to all commands and subcommands.
Displays help information for a command or subcommand.
Displays the current version of dsadm. The version is provided in the format year.monthday.time DISTRIB/ZIP/NAT. So version number 2007.1204.0035 was built on December 4th, 2007 at 00h35. DISTRIB indicates the distribution type. NAT refers to the package version, installed through the Java Enterprise System. ZIP refers to the ZIP version. If the components used by dsadm are not aligned, the version of each individual component is displayed.
Displays instructions for accessing verbose help.
The following options are applicable to the subcommands where they are specified.
Specifies the maximum age of lines to be returned from the access log or the error log. For example, to search for all entries younger than 24 hours, use -A 24h.
Creates the Directory Server instance in an existing directory, specified by the INSTANCE_PATH. The existing directory must be empty. On UNIX machines, the user who runs this command must be root, or must be the owner of the existing directory. If the user is root, the instance will be owned by the owner of the existing directory.
Specifies that a Certificate Authority certificate is to be used, or that the command should display information about CA certificates.
Adds L=CITY to the subject DN. Default is none.
Adds C=COUNTRY to the subject DN. The default is none.
Defines the Directory Manager DN. The default is cn=Directory Manager.
Starts Directory Server with the configuration used at the last successful startup.
Specifies output format. For dsadm request-cert, the default is der, and the other possible output format is ascii. For dsadm show-cert, the default is readable, and other possible output formats are ascii and der.
Customized values for options.
Possible flags for the dsadm backup subcommand are as follows.
Check database integrity.
Possible flags for the dsadm export subcommand are as follows.
Perform minimal base64 encoding.
Generate multiple LDIF output files.
Do not export the unique ID generated on import.
Do not fold long lines.
Delete the initial line specifying the LDIF version, version: 1, for backward compatibility.
Do not include entry IDs in the LDIF output.
Only export from the main database file.
Possible flags for the dsadm import subcommand are as follows.
Merge chunk size.
Import LDIF generated during incremental import.
Purge the Change Sequence Number (CSN). The purge-csn flag is set to off by default. Setting the purge-csn to on prevents old CSN data from being imported by the dsadm import operation. This reduces the size of entries by removing traces of previous updates.
Does not create legacy scripts. If you do not use this option, command scripts that are similar to 5.x command scripts are created in the server instance.
Sets the server instance owner's group ID. The default is the user's current UNIX group. This option is not available on Windows.
Specifies the hostname. The default is the name of the current host system.
Reads the input file password in the INPUT_PW_FILE file. The default is a prompt for password.
Does not prompt for confirmation before performing the operation.
Specifies that the contents of the imported LDIF file are appended to the existing LDAP entries. If this option is not specified, the contents of the imported file replace the existing entries.
Specifies the number of lines to be returned from the access log or the error log. LAST_LINES must be an integer. For example, to return the last 50 lines, use -L 50. If no value is specified, the default number of lines returned is 20.
Specifies VLV (browsing) index.
Adds CN=NAME to the subject DN.
Reads the output password from the OUTPUT_FILE file. The default is a prompt for password.
Stores the command results in the OUTPUT_FILE file. The default is stdout, standard output.
Disables server instance startup at system boot.
Adds O=ORG to the subject DN. The default is none.
Adds O=ORG-UNIT to the subject DN. The default is none.
Specifies the secure SSL port for LDAP traffic. The default is 636 if dsadm is run by the root user, or 1636 if dsadm is run by a non-root user.
Specifies the port for LDAP traffic. The default is 389 if dsadm is run by the root user, or 1389 if dsadm is run by a non-root user.
Specifies that additional data needed for replication is not included in the export.
Specifies the subject DN. The default depends on the subcommand used, and is either CN=hostname or CN=CERT_ALIAS.
Exports data from suffix DN.
Adds ST=STATE to the subject DN. Default is none.
Service type. Can be CLUSTER when using Sun Cluster, SMF when using Solaris 10, or WIN_SERVICE when using Windows.
Specifies attribute index ATTR_INDEX.
Sets the server instance owner user ID. The default is the current UNIX user name. This option is not available on Windows.
Reads certificate database password from CERT_PW_FILE. The default is to prompt for password.
Sets the password file for the Directory Manager (-D). The default is to prompt for password.
Excludes the specified DN from the command.
Decrypts encrypted attributes.
The following operands are supported:
Specifies the path to the backup of the Directory Server instance.
Certificate alias name. A user-specified name that identifies a certificate.
Specifies the file that contains the certificate.
Specifies a flag that represents a property operand when using the command dsadm get-flags. Possible flag: cert-pwd-prompt.
Specifies a property flag operand and its value when using the command dsadm set-flags.
Possible values for the cert-pwd-prompt flag are off and on. Default: off. By default, the dsadm command generates a certificate database password when creating a server instance. This password is stored, allowing dsadm to access the certificate database when necessary, for example, when the server starts listening for SSL connections. When the cert-pwd-prompt flag is changed to on, the dsadm command prompts for the certificate database password when needed.
Path of the Directory Server instance.
Filename of LDIF file.
Cluster resource group. Required for CLUSTER service, not applicable for other types of services.
Suffix DN (Distinguished name).
The following examples show how the dsadm command is used.
$ dsadm create -p 6389 -P 6636 /local/ds
This command creates the server instance files in the directory /local/ds. The server instance is owned by the UNIX user who runs the command.
In this example, the LDAP port is specified as 6389, and the secure port is specified as 6636. If you do not specify port numbers, the default port numbers 389 and 636 (for root user) or 1389 and 1636 (for non-root user) are used. If you do not specify port numbers and the default port numbers are already being used, the dsadm create command aborts.
The server instance path is /local/ds.
$ dsadm start /local/ds
This command shows information such as the owner, ports, and current state of the server instance. The instance path is /local/ds.
$ dsadm info /local/ds
Import an LDIF file, specifying that no user confirmation is required, and giving the suffix DN.
$ dsadm import -i /local/ds /local/ds/ldif/example.ldif \
  dc=example,dc=com
Export a suffix to an LDIF file.
$ dsadm export -x ou=People,dc=example,dc=com /local/ds \
  dc=example,dc=com /local/ds/ldif/export.ldif
This command exports all data in the suffix dc=example,dc=com, excluding data in the subsuffix ou=People,dc=example,dc=com.
This command backs up the suffix data and the configuration data. The instance path is /local/ds and the archive directory is /local/dsbackup/20060722.
$ dsadm backup /local/ds /local/dsbackup/20060722
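Because the archive holds both suffix data and configuration data, and dsadm must be run by the instance owner or root, a pre-flight wrapper around the backup command above can enforce both conditions. This is an added example, not part of the original man page: the function names, the DSADM override variable and the rule that the archive's parent directory must be closed to group and others are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before "dsadm backup INSTANCE_PATH ARCHIVE_DIR".
# All function names and the DSADM variable are hypothetical.

# Succeeds when the caller may administer the instance: root, or the
# operating system owner of the instance directory.
# ([ -O ] is not in POSIX but is supported by bash, ksh and dash.)
may_administer() {
    [ -d "$1" ] || return 2
    [ "$(id -u)" -eq 0 ] && return 0
    [ -O "$1" ]
}

# Succeeds when the directory grants nothing to group or others.
# Characters 5-10 of the "ls -ld" mode string are the group/other bits.
private_dir() {
    [ -d "$1" ] || return 2
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Runs the backup only when both checks pass. A umask of 077 limits the
# default permissions of anything the command creates.
safe_backup() {
    instance=$1
    archive=$2
    if ! may_administer "$instance"; then
        echo "refusing: caller is neither root nor owner of $instance" >&2
        return 1
    fi
    parent=$(dirname "$archive")
    if ! private_dir "$parent"; then
        echo "refusing: $parent is accessible to group or others" >&2
        return 1
    fi
    ( umask 077; "${DSADM:-dsadm}" backup "$instance" "$archive" )
}

# Usage, with the paths from the example above:
#   safe_backup /local/ds /local/dsbackup/20060722
```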
To regenerate the existing cn and uid indexes:
$ dsadm reindex -t cn -t uid /local/ds dc=example,dc=com
Use the following command to renew an existing server certificate with a new server certificate from your Certificate Authority.
$ dsadm renew-cert /local/ds cert_alias /local/certfiles/new-cert
See attributes(5) for descriptions of the following attributes: