Sun Java(TM) System Directory Server 5 2004Q2 Administration Reference |
Chapter 2
Server Configuration Reference
Directory Server stores configuration information as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented using Directory Server rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server via LDAP while it is still running, and avoids having to shut it down.
This chapter provides details of how the configuration is organized, how to alter it, and lists configuration attributes for both core server and plug-in configuration. This chapter is divided into the following sections:
Server Configuration Overview
When you install Directory Server, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file in LDIF format: dse.ldif. This dse.ldif file contains all of the server configuration information. Three versions of this file are kept: dse.ldif is the current version, dse.ldif.bak is the version prior to the last modification, and dse.ldif.startOK is the latest version with which the server started successfully. Many of the features of Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in the entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under:
cn=ldbm database,cn=plugins,cn=config
cn=chaining database,cn=plugins,cn=config
Figure 2-1 shows how the configuration data fits within the cn=config Directory Information Tree.
Figure 2-1
Configuration Data Under cn=config
This overview is divided into the following sections:
LDIF Configuration Files - Location
Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory by default:
ServerRoot/slapd-serverID/config
In this chapter, all examples use myServer for the server identifier where appropriate.
Schema Configuration Files - Location
Schema configuration is also stored in LDIF format and these files are located in the following directory:
ServerRoot/slapd-serverID/config/schema
For a full list of the LDIF configuration files that are supplied with Directory Server, refer to Table 2-9.
How the Server Configuration is Organized
The dse.ldif file contains all configuration information, including the directory-specific entries, and the database-related entries, that Directory Server creates at startup. The file includes the Root DSE (named by the empty DN "") and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order, that is, in the order in which the entries appear in the directory under cn=config.
This section provides an overview of configuration attributes, plug-in functionality configuration, database configuration, and index configuration.
Configuration Attributes
Within a configuration entry, each configuration setting is represented by an attribute. The name of the attribute identifies the setting, and the value of the attribute is the setting's current configuration.
The following example shows part of the dse.ldif file for a Directory Server and indicates, amongst other things, that schema checking has been turned on. This is represented by the attribute nsslapd-schemacheck, which takes the value on.
Configuration of Plug-in Functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following example shows the configuration entry for a plug-in, in this case the Telephone Syntax plug-in.
Code Example 2-2 Configuration Entry for Telephone Syntax Plug-in
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: ds-signedPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: ServerRoot/lib/syntax-plug-in.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
...
Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in. You can check which attributes are currently being used by a plug-in by performing an ldapsearch on the cn=config subtree.
For a list of plug-ins supported by Sun Java System Directory Server 5.2, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring the server to be restarted refer to Plug-In Overview and subsequent sections.
Configuration of Databases
The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases holding the o=NetscapeRoot and o=UserRoot suffixes respectively. The cn=NetscapeRoot subtree contains the configuration data used by the Sun Java System Administration Server for authentication and for all actions that cannot be performed through LDAP (such as start and stop). The cn=UserRoot subtree contains all the configuration data for the first user-defined database created during server installation. The name UserRoot is only the installation default: it is not hard-coded, and because a server can hold multiple database instances, each database added later is given a name chosen by the user.
Configuration of Indexes
Configuration information for indexing is stored as entries in Directory Server under the three following information tree nodes:
For more information regarding indexes in general, refer to the Directory Server Administration Guide. For details regarding the index configuration attributes, refer to Default Index Attributes. The attributes are presented here because this node is the first to appear in the representation of the configuration attributes based on the cn=config information tree.
Migration of Pre-Directory Server 5.x Configuration Files to LDIF Format
Sun Java System Directory Server 5.2 recognizes configuration files that are in LDIF format only, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Directory Server must be converted to LDIF format. Directory Server 4.x configurations can be migrated to the new LDIF format using the migrateInstance5 tool. For information on the attributes that are migrated with this tool, refer to the Directory Server Installation and Migration Guide.
Accessing and Modifying Server Configuration
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions on the types of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect. This section has been divided into the following parts:
Access Control for Configuration Entries
When Directory Server is installed, a default set of Access Control Instructions (ACIs) is implemented for all entries under cn=config. Code Example 2-3 shows an example of these default ACIs.
Code Example 2-3 Default ACIs in dse.ldif
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-myServer,cn=Sun ONE Directory Server,cn=Server Group,cn=myServer.example.com,dc=example,dc=com,o=NetscapeRoot";)
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
- Members of the Configuration Administrators Group
- The user acting as the Administrator, who has the uid admin that can be configured at installation time
- Members of the local Directory Administrators Group
- The local Directory Administrator (root DN)
- The SIE (Server Instance Entry) Group, which is usually assigned using the Set Access Permissions option from the main topology view in the main console.
Access Control Instruction Format
An example ACI which allows all users search, read and compare permissions for all attributes would appear as follows:
aci: (targetattr = "*")(version 3.0; acl "my aci"; allow
(search,read,compare) userdn="ldap:///all";)
The permission and bind_rule portions of the ACI are set as a pair, and are also called an Access Control Rule. You can have multiple permission bind_rule pairs for every target. This allows you to efficiently set multiple access controls for any given target. For example:
target (permission bind_rule) (permissions bind_rule)...
For example, you can set a permission that allows anyone binding as Babs Jensen to write to Babs Jensen’s telephone number. The bind rule in this permission is the part that states “if you bind as Babs Jensen.” The target is Babs Jensen’s phone number, and the permission is write access.
Targets
You must decide what entry is targeted by every ACI you create in your directory. If you target a directory entry that is a directory branch point, that branch point, and all of its child entries, are included in the scope of the permission. The advantage of this is that you can place at a high level in the directory tree a general ACI that effectively applies to entries more likely to be located lower in the tree.
For example, at the level of an organizationalUnit entry or a locality entry, you could create an ACI that targets entries that include the inetorgperson object class. You can use this feature to minimize the number of ACIs in the directory tree by placing general rules at high level branch points. To limit the scope of more specific rules, you should place them as close as possible to leaf entries.
If you do not explicitly specify a target entry for the ACI, the ACI is targeted to the directory entry that contains the ACI statement. Also, the default set of attributes targeted by the ACI is any attribute available in the targeted entry’s object class structure.
For every ACI, you can target only one entry or only those entries that match a single LDAP search filter.
In addition to targeting entries, you can also target attributes on the entry. This enables you to set a permission that applies to only a subset of attribute values. You can target sets of attributes by explicitly naming the attributes that are targeted, or by explicitly naming the attributes that are not targeted. Use the latter case if you want to set a permission for all but a few attributes allowed by an object class structure. The aci attribute is multi-valued, which means that you can define several ACIs for the same entry or subtree.
Permissions
Permissions can be allowed or denied. In general, you should avoid denying permissions. The permissions you can allow or deny include the following:
- search: Indicates whether the directory data can be searched. This differs from the read permission in that read allows directory data to be viewed if it is returned as part of a search operation. For example, if you allow searching for common names and read for a person's room number, then the room number can be returned as part of the common name search, but the room number cannot, itself, be searched for. This would prevent people from searching your directory to see who occupies a particular room.
- compare: Indicates whether the data may be used in comparison operations. Compare implies the ability to search, but actual directory information is not returned from the search. Instead, a simple Boolean value is returned that indicates whether the compared values match. This is used to match userPassword attribute values during directory authentication.
Bind Rules
The bind rule usually indicates the bind DN subject to the permission. It can also specify bind attributes such as time of day or IP address.
Bind rules enable you to specify that an ACI applies only to a user’s own entry. You can use this to allow users to update their own entries without running the risk of a user updating another user’s entry.
Using bind rules, you can indicate that the ACI is applicable:
- Only if the bind operation is arriving from a specific IP address or DNS hostname. This is often used to force all directory updates to occur from a given machine or network domain.
- If the person binds anonymously. Setting a permission for anonymous bind means that the permission also applies to anyone who binds to the directory.
- For anyone who successfully binds to the directory. This allows general access while preventing anonymous access.
- Only if the client has bound as the immediate parent of the entry.
- Only if the entry that the person has bound as meets specific LDAP search criteria.
The following keywords are provided to help you express these kinds of access more easily:
- anyone: The bind rule is true for everyone. This keyword is what allows or denies anonymous access.
For more information, refer to Chapter 6, “Managing Access Control” in the Directory Server Administration Guide.
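The Babs Jensen case described above, written out as an ACI that could be applied with ldapmodify. This is an added example rather than one from the original page; it assumes the suffix dc=example,dc=com used by the default ACIs, and uses the self keyword so that the rule lets each user write their own telephoneNumber instead of naming a single entry:

```ldif
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "telephoneNumber")(version 3.0; acl "Users may set their own phone number";
 allow (write) userdn = "ldap:///self";)
```

Because the ACI is placed at the suffix, its scope is every entry beneath it, but the targetattr clause restricts the permission to that one attribute and the self bind rule restricts it to the bound user's own entry, so no other attribute and no other entry becomes writable. The leading space on the second aci line is LDIF line folding, not part of the value.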
Changing Configuration Attributes
You can view and change server attribute values in one of three ways: by using LDAP through Sun Java System Server Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
Note
If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. For further information, refer to Configuration Changes Requiring Server Restart.
The following sections describe how to modify entries using LDAP (both via the Sun Java System Server Console and over the command line), the restrictions to modifying entries, the restrictions to modifying attributes, and the configuration changes requiring restart.
Modifying Configuration Entries Using LDAP
The configuration entries in the directory can be searched and modified using LDAP, either via the Sun Java System Server Console or by performing ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that you can make the changes while the server is running. You must remember to specify the port number when modifying configuration entries as the server is not necessarily running on port 389. For further information refer to Chapter 2, “Creating Directory Entries” in the Directory Server Administration Guide. However, certain changes do require the server to be restarted before they are taken into account. For further information, refer to Configuration Changes Requiring Server Restart.
Note
As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree, as this risks affecting Directory Server functionality.
The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:
ldapsearch -D bindDN -w password -p port -b cn=config objectclass=*
where bindDN is the DN chosen for the Directory Manager when the server was installed and password is the password chosen for Directory Manager. Note that a password supplied with -w on the command line is visible to other users of the machine in the process listing; on a shared host, prefer a method that reads the password from a protected file where the tool supports one. For more information on using ldapsearch refer to the Directory Server Resource Kit Tools Reference.
Previously we saw an example of the configuration entry for the Telephone Syntax plug-in where the plug-in was enabled. If you want to disable this feature you can use the following ldapmodify command, supplying the modification as LDIF on standard input.
Code Example 2-4 Disabling the Telephone Syntax Plug-in
ldapmodify -D bindDN -w password -p port
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
Restrictions to Modifying Configuration Entries
Certain restrictions apply when modifying server entries:
Restrictions to Modifying Configuration Attributes
Certain restrictions apply when modifying server attributes:
Configuration Changes Requiring Server Restart
Some configuration attributes cannot be altered dynamically while the server is running. In these cases the server needs to be shut down and restarted for the changes to take effect. The modifications should be made either through the Directory Server console or by manually editing the dse.ldif file. Table 2-10 under Configuration Quick Reference Tables contains a list of these attributes.
Core Server Configuration Attributes Reference
This section guides you through all the core server functionality configuration attributes. For server functionality implemented via plug-ins, refer to Plug-In Overview and subsequent sections. For implementing your own server functionality, contact Sun Professional Services.
For information on where to find the server configuration and how to change it, refer to Server Configuration Overview and Accessing and Modifying Server Configuration.
The configuration information that is stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config. This information tree is illustrated in Figure 2-1.
This section describes the configuration tree nodes within this information tree, and is divided into the following subsections:
The cn=plugins node is covered in Plug-In Overview and subsequent sections. Attributes are arranged alphabetically and a full description is provided for each, giving the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Caution
Some of the entries and attributes described in this chapter may change in future releases of the product.
cn=config
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.
nsslapd-accesscontrol (Enable Access Control)
Turns access control on and off. If this attribute has the value off, every ACI in the directory is ignored and any valid bind attempt (including an anonymous bind) results in full access to all information stored in Directory Server. Leave it on for any server that holds data which is not intended to be public.
Entry DN: cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-accesscontrol: on
nsslapd-accesslog (Access Log)
Specifies the path and filename of the log used to record each database access. The following information is recorded in the log file by default:
For more information on turning access logging off, refer to Chapter 12, “Managing Log Files” in the Directory Server Administration Guide.
For access logging to be enabled, this attribute must have a valid path and file name and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. Table 2-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Table 2-1 Possible Value Combinations of Access Log Attributes
nsslapd-accesslog-logging-enabled | nsslapd-accesslog | Logging Status
on | empty string | Disabled
on | filename | Enabled
off | empty string | Disabled
off | filename | Disabled
Entry DN: cn=config
Valid Range: Any valid filename.
Default Value: ServerRoot/slapd-serverID/logs/access
Syntax: DirectoryString
Example: nsslapd-accesslog: /usr/ds5/slapd-myserv/logs/access
nsslapd-accesslog-level
Controls what is logged to the access log.
Entry DN: cn=config
Valid Range: the following values, which can be added together to obtain exactly the type of logging you require (for example, 516 = 4 + 512 gives internal access operation, entry access, and referral logging):
- 0: no access logging
- 4: logging for internal access operations
- 256: logging for access to an entry
- 512: logging for access to an entry and referrals
- 131072: precise timing of operation duration, giving microsecond resolution for the Elapsed Time item in the access log
Default Value: 256
Syntax: Integer
Example: nsslapd-accesslog-level: 256
nsslapd-accesslog-list
This read-only attribute cannot be set. It provides a list of access log files used in access log rotation.
Entry DN: cn=config
Valid Range: N/A
Default Value: None
Syntax: DirectoryString
Example: nsslapd-accesslog-list: accesslog2,accesslog3
nsslapd-accesslog-logbuffering (Log Buffering)
When set to on (the default), access log entries are buffered in memory and written to disk in batches, which reduces the I/O cost of logging but means the most recent entries can be lost if the server terminates abnormally. When set to off, the server writes all access log entries directly to disk.
Entry DN: cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-accesslog-logbuffering: off
nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 1
Syntax: Integer
Example: nsslapd-accesslog-logexpirationtime: 2
nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
Specifies the unit for the nsslapd-accesslog-logexpirationtime attribute. If the server does not recognize the unit, the log never expires.
Entry DN: cn=config
Valid Range: month | week | day
Default Value: month
Syntax: DirectoryString
Example: nsslapd-accesslog-logexpirationtimeunit: week
nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables access log logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on and the nsslapd-accesslog configuration attribute must have a valid path and filename. Table 2-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Entry DN: cn=config
Valid Range: on | off
Default Value: on
Syntax: DirectoryString
Example: nsslapd-accesslog-logging-enabled: off
nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting the maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited.
Default Value: 500
Syntax: Integer
Example: nsslapd-accesslog-logmaxdiskspace: 200
nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 5
Syntax: Integer
Example: nsslapd-accesslog-logminfreediskspace: 4
nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
For performance reasons, it is not recommended that you specify no log rotation as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. Refer to nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files) for more information.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotations is unlimited.
Default Value: 1
Syntax: Integer
Example: nsslapd-accesslog-logrotationtime: 100
nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
Specifies the units for the nsslapd-accesslog-logrotationtime attribute.
Entry DN: cn=config
Valid Range: month | week | day | hour | minute
Default Value: day
Syntax: DirectoryString
Example: nsslapd-accesslog-logrotationtimeunit: week
nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set the nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value: 100
Syntax: Integer
Example: nsslapd-accesslog-maxlogsize: 100
nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1, as the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, there is no log rotation. For more information, refer to nsslapd-accesslog-logrotationtime (Access Log Rotation Time).
Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 10
Syntax: Integer
Example: nsslapd-accesslog-maxlogsperdir: 10
nsslapd-attribute-name-exceptions
Allows non-standard characters in attribute names to be used for backward compatibility with older servers.
Entry DN: cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-attribute-name-exceptions: on
nsslapd-auditlog (Audit Log)
Specifies the path name and filename of the log used to record changes made to each database.
Entry DN: cn=config
Valid Range: Any valid filename
Default Value: ServerRoot/slapd-serverID/logs/audit
Syntax: DirectoryString
Example: nsslapd-auditlog: /ServerRoot/slapd-serverID/logs/audit
For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. Table 2-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Table 2-2 Possible Value Combinations of Audit Log Attributes
nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Logging Status
on | empty string | Disabled
on | filename | Enabled
off | empty string | Disabled
off | filename | Disabled
nsslapd-auditlog-list
This read-only attribute cannot be set. It provides a list of the audit log files used in audit log rotation.
Entry DN: cn=config
Valid Range: N/A
Default Value: None
Syntax: DirectoryString
Example: nsslapd-auditlog-list: auditlog2,auditlog3
nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
Specifies the maximum age that a log file can be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
Entry DN: cn=config
Valid Range: 1 to the maximum 32 bit integer value (2147483647)
Default Value: 1
Syntax: Integer
Example: nsslapd-auditlog-logexpirationtime: 1
nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the server does not recognize the unit, the log never expires.
Entry DN: cn=config
Valid Range: month | week | day
Default Value: month
Syntax: DirectoryString
Example: nsslapd-auditlog-logexpirationtimeunit: day
nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
Entry DN: cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-auditlog-logging-enabled: off
For audit logging to be enabled this attribute must be switched to on and the nsslapd-auditlog configuration attribute must have a valid path and file name. Table 2-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
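The following script applies the rules stated in this section to a dse.ldif fragment: the enabled/path combinations of Table 2-1 and Table 2-2, the no-rotation conditions described under nsslapd-accesslog-logrotationtime and nsslapd-accesslog-maxlogsperdir, the effect of nsslapd-accesscontrol: off, and an aci that grants all rights to anyone, as discussed under Access Control for Configuration Entries. It is an added example, not a tool shipped with Directory Server. The LDIF sample is constructed for the example, the defaults are the ones documented in this section, and the LDIF parser is a minimal one written for the example (it handles folded lines, comments and base64 values, but not change records):

```python
"""Check a dse.ldif fragment for weak logging and access-control settings.

Added example, not part of Directory Server. A log counts as enabled only
when its *-logging-enabled attribute is on AND its path attribute is
non-empty (Tables 2-1 and 2-2); access log rotation is off when
maxlogsperdir is 1, or otherwise when logrotationtime is -1.
"""
import base64
import re

# Constructed sample cn=config entry; every weak setting in it is deliberate.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
objectClass: nsslapdConfig
objectClass: extensibleObject
nsslapd-accesscontrol: off
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog:
nsslapd-accesslog-maxlogsperdir: 1
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog: /usr/ds5/slapd-myServer/logs/audit
aci: (targetattr = "*")(version 3.0; acl "wide open"; allow (all)
  userdn = "ldap:///anyone";)
"""

# Documented defaults (switch, path) used when an attribute is absent.
LOG_DEFAULTS = {
    "access": ("on", "ServerRoot/slapd-serverID/logs/access"),
    "audit": ("off", "ServerRoot/slapd-serverID/logs/audit"),
}


def parse_ldif(text):
    """Return {dn: {attribute (lowercased): [values]}} for each entry.

    Unfolds continuation lines (leading space), skips comments and decodes
    base64 values written as 'attr:: ...'. Entries are blank-line separated.
    """
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in block.splitlines():
            if raw.startswith("#"):
                continue
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # unfold: drop exactly one leading space
            else:
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            else:
                value = value.strip()
            name = name.strip().lower()
            if name == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries[dn] = attrs
    return entries


def first(attrs, name, default):
    """First value of a single-valued attribute, or its documented default."""
    return attrs.get(name, [default])[0]


def log_enabled(attrs, kind):
    """Tables 2-1 / 2-2 rule. kind is 'access' or 'audit'."""
    def_switch, def_path = LOG_DEFAULTS[kind]
    switch = first(attrs, f"nsslapd-{kind}log-logging-enabled", def_switch)
    path = first(attrs, f"nsslapd-{kind}log", def_path)
    return switch.lower() == "on" and path != ""


def access_log_rotates(attrs):
    """maxlogsperdir is checked first; only if it exceeds 1 does -1 matter."""
    if int(first(attrs, "nsslapd-accesslog-maxlogsperdir", "10")) == 1:
        return False
    return int(first(attrs, "nsslapd-accesslog-logrotationtime", "1")) != -1


def audit_config(entries):
    """Return a list of findings for the cn=config entry."""
    cfg = entries.get("cn=config", {})
    findings = []
    if first(cfg, "nsslapd-accesscontrol", "on").lower() == "off":
        findings.append("nsslapd-accesscontrol is off: any bind, even anonymous, gets full access")
    for kind in ("access", "audit"):
        if not log_enabled(cfg, kind):
            findings.append(f"{kind} logging is disabled")
    if not access_log_rotates(cfg):
        findings.append("access log rotation is off; the log will grow indefinitely")
    for aci in cfg.get("aci", []):
        if re.search(r"allow\s*\(\s*all\s*\)", aci) and "ldap:///anyone" in aci:
            findings.append("aci grants all rights to anyone: " + aci)
    return findings


if __name__ == "__main__":
    for finding in audit_config(parse_ldif(SAMPLE_DSE)):
        print("FINDING:", finding)
```

Run it against a real file by replacing SAMPLE_DSE with the contents of ServerRoot/slapd-serverID/config/dse.ldif; on the constructed sample it reports five findings, one for each deliberate weakness. The access log check reads the empty nsslapd-accesslog value as "disabled" even though nsslapd-accesslog-logging-enabled is on, which is exactly the case Table 2-1 warns about.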
nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.
Entry DN: cn=config
Valid Range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed for the audit log is unlimited.
Default Value: 100
Syntax: Integer
Example: nsslapd-auditlog-logmaxdiskspace: 500
nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.
Property
Value
Entry DN
cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647)
Default Value
5
Syntax
Integer
Example
nsslapd-auditlog-logminfreediskspace: 3
nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
Specifies the time between audit log file rotations. The audit log is rotated when this time interval is up, regardless of the current size of the audit log, but only if an update operation, such as an add, delete, modify or modify RDN, has caused Directory Server to write information to the audit file. If nothing has been written to the audit log, the log is not rotated.
This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.
It is not recommended to disable log rotation, because the audit log will then grow indefinitely. There are nevertheless two ways to disable it: set nsslapd-auditlog-maxlogsperdir to 1, or set nsslapd-auditlog-logrotationtime to -1. The server checks nsslapd-auditlog-maxlogsperdir first, and only if that value is greater than 1 does it check nsslapd-auditlog-logrotationtime. Refer to nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files) for more information.
Property
Value
Entry DN
cn=config
Valid Range
-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotations is unlimited.
Default Value
1
Syntax
Integer
Example
nsslapd-auditlog-logrotationtime: 100
nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
Specifies the units for the nsslapd-auditlog-logrotationtime attribute.
Property
Value
Entry DN
cn=config
Valid Range
month | week | day | hour | minute
Default Value
week
Syntax
DirectoryString
Example
nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.
Property
Value
Entry DN
cn=config
Valid Range
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.
Default Value
100
Syntax
Integer
Example
nsslapd-auditlog-maxlogsize: 50
nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. Refer to nsslapd-auditlog-logrotationtime (Audit Log Rotation Time) for more information.
Property
Value
Entry DN
cn=config
Valid range
1 to the maximum 32 bit integer value (2147483647)
Default value
1
Syntax
Integer
Example
nsslapd-auditlog-maxlogsperdir: 10
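Because audit logging is off by default and is only effective when both nsslapd-auditlog-logging-enabled and nsslapd-auditlog are set, and because the rotation attributes are evaluated in a fixed order (nsslapd-auditlog-maxlogsperdir first), it is easy to believe an audit trail exists when nothing is being written, or when a single file is growing without bound. The following shell script is an added example, not part of this reference or of the Directory Server product: it applies the rules above to the attribute values of cn=config, emits the LDIF that corrects them, and replays that LDIF locally to confirm the result. The sample attribute values, the instance path /usr/ds5/slapd-myServer, and the chosen rotation settings (daily, 30 files, 500 MB cap) are assumptions for illustration.

```sh
#!/bin/sh
# Added example (not from the Directory Server documentation): decide whether the audit
# log is actually being written and rotated, from the cn=config attribute values, using
# the precedence rules for nsslapd-auditlog-logging-enabled and
# nsslapd-auditlog-maxlogsperdir. Input is "attribute: value" lines such as
#   ldapsearch -h host -p 389 -D "cn=Directory Manager" -w password \
#       -s base -b cn=config "(objectclass=*)" nsslapd-auditlog\*
# prints. The sample below is constructed for this example, not captured from a server.
SAMPLE_CONFIG='dn: cn=config
nsslapd-auditlog: /usr/ds5/slapd-myServer/logs/audit
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logrotationtime: 1
nsslapd-auditlog-logrotationtimeunit: week
nsslapd-auditlog-maxlogsize: 100'

# attr_value CONFIG ATTR: print the first value of ATTR (attribute names are case-insensitive).
attr_value() {
    printf '%s\n' "$1" | awk -v a="$2" '{ i = index($0, ": ");
        if (i && tolower(substr($0, 1, i - 1)) == tolower(a)) { print substr($0, i + 2); exit } }'
}

# audit_logging_status CONFIG: "enabled" only when BOTH conditions from Table 2-2 hold,
# that is, nsslapd-auditlog-logging-enabled is on AND nsslapd-auditlog names a file.
audit_logging_status() {
    if [ "$(attr_value "$1" nsslapd-auditlog-logging-enabled)" = on ] &&
       [ -n "$(attr_value "$1" nsslapd-auditlog)" ]; then
        echo enabled
    else
        echo disabled
    fi
}

# audit_rotation_status CONFIG: what will make the server start a new audit log file.
# maxlogsperdir is checked first: with the default of 1 the server never rotates and
# ignores both logrotationtime and maxlogsize. Otherwise logrotationtime -1 removes
# time-based rotation and maxlogsize -1 removes size-based rotation.
audit_rotation_status() {
    maxlogs=$(attr_value "$1" nsslapd-auditlog-maxlogsperdir)
    rtime=$(attr_value "$1" nsslapd-auditlog-logrotationtime)
    msize=$(attr_value "$1" nsslapd-auditlog-maxlogsize)
    maxlogs=${maxlogs:-1}; rtime=${rtime:-1}; msize=${msize:-100}   # documented defaults
    if [ "$maxlogs" -le 1 ]; then echo none                          # log grows indefinitely
    elif [ "$rtime" -eq -1 ] && [ "$msize" -eq -1 ]; then echo none
    elif [ "$rtime" -eq -1 ]; then echo size
    elif [ "$msize" -eq -1 ]; then echo time
    else echo size-or-time
    fi
}

# audit_fix_ldif PATH: LDIF that turns the audit log on with daily rotation, at most 30
# files and a 500 MB cap (assumed values). To apply it to a running server:
#   audit_fix_ldif /usr/ds5/slapd-myServer/logs/audit |
#       ldapmodify -h host -p 389 -D "cn=Directory Manager" -w password
audit_fix_ldif() {
    cat <<EOF
dn: cn=config
changetype: modify
replace: nsslapd-auditlog
nsslapd-auditlog: $1
-
replace: nsslapd-auditlog-logging-enabled
nsslapd-auditlog-logging-enabled: on
-
replace: nsslapd-auditlog-maxlogsperdir
nsslapd-auditlog-maxlogsperdir: 30
-
replace: nsslapd-auditlog-logrotationtime
nsslapd-auditlog-logrotationtime: 1
-
replace: nsslapd-auditlog-logrotationtimeunit
nsslapd-auditlog-logrotationtimeunit: day
-
replace: nsslapd-auditlog-logmaxdiskspace
nsslapd-auditlog-logmaxdiskspace: 500
EOF
}

# apply_ldif_locally CONFIG LDIF: replay the "replace:" operations on the attribute text
# (no server needed) so the checks above can be re-run on the intended result.
apply_ldif_locally() {
    printf '%s\n===LDIF===\n%s\n' "$1" "$2" | awk '
        /^===LDIF===$/ { inldif = 1; next }
        !inldif { n++; lines[n] = $0; next }
        /^replace: / { attr = tolower(substr($0, 10)); next }
        attr != "" && index($0, ": ") { val[attr] = substr($0, index($0, ": ") + 2); attr = "" }
        END {
            for (i = 1; i <= n; i++) {
                j = index(lines[i], ": "); k = j ? tolower(substr(lines[i], 1, j - 1)) : ""
                if (k in val) { print k ": " val[k]; delete val[k] } else print lines[i]
            }
            for (k in val) print k ": " val[k]
        }'
}

fixed=$(apply_ldif_locally "$SAMPLE_CONFIG" "$(audit_fix_ldif /usr/ds5/slapd-myServer/logs/audit)")
echo "before: logging=$(audit_logging_status "$SAMPLE_CONFIG") rotation=$(audit_rotation_status "$SAMPLE_CONFIG")"
echo "after:  logging=$(audit_logging_status "$fixed") rotation=$(audit_rotation_status "$fixed")"
```

The sample configuration has a valid nsslapd-auditlog path but logging-enabled off and maxlogsperdir 1, so the script reports the audit trail as disabled and unrotated before the change and as enabled with size-or-time rotation after it. Run the two status functions against the real cn=config output whenever a change is pushed to the server, since a correct path alone proves nothing.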
nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed with SSL certificates, to work around a limitation of the security subsystem's certificate mapping configured in certmap.conf. Depending on the certmap.conf configuration, certificate mapping may be performed with a subtree search based at the root DN. Setting nsslapd-certmap-basedn forces that search to start at the specified entry instead, which also limits the set of entries a client certificate can be mapped to. For further information, refer to Chapter 11, “Implementing Security” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=config
Valid Range
The DN of an entry in the directory
Default Value
N/A
Syntax
DN
Example
nsslapd-certmap-basedn: ou=people,dc=example,dc=com
nsslapd-config
This read-only attribute is the config DN.
Property
Value
Entry DN
cn=config
Valid Range
Any valid config DN.
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-config: cn=config
nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Note
When this attribute is set to on, Directory Server can read schema from 4.x configuration files, which use syntax for attribute types and object classes that differs from the standard syntax defined by RFC 2252 and used in Directory Server 5. As a result, when this attribute is set to on, schema cannot be modified through the console, but must instead be modified manually.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-ds4-compatible-schema: off
nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
Controls whether the superior object class named in the objectclasses attribute values of the cn=schema entry is enclosed in single quotes. RFC 2252 specifies that this value is not quoted, and by default (off) Directory Server does not quote it.
That is, with this attribute on, Directory Server publishes objectclasses attributes in the cn=schema entry as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
whereas RFC 2252 specifies, and Directory Server with this attribute off publishes, the following:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
Notice the absence of single quotes around the word top.
Turning this attribute on means that the Directory Server Resource Kit LDAP Clients will no longer function, as they require the schema as defined in RFC 2252.
Turning this attribute off causes Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients. Specifically, any client written using the Sun Java System Directory SDK for Java 4.x will no longer be able to correctly read and modify schema. This includes the 4.x version of the Sun Java System Server Console. Note that turning this attribute on or off does not affect the 5.x Sun Java System Server Console.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-enquote-sup-oc: off
nsslapd-errorlog (Error Log)
Specifies the path name and filename of the log used to record error messages generated by Directory Server. These messages can describe error conditions, but more often they are informational.
The amount of information written to this log depends on the current log level. Refer to nsslapd-errorlog-level (Error Log Level) and nsslapd-infolog-area (Information Log Area) for more information.
Property
Value
Entry DN
cn=config
Valid Range
Any valid filename
Default Value
ServerRoot/slapd-serverID/logs/error
Syntax
DirectoryString
Example
nsslapd-errorlog: /ServerRoot/slapd-serverID/logs/error
For error logging to be enabled, this attribute must have a valid path and file name and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. Table 2-3 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
Table 2-3 Possible Value Combinations of Error Log Attributes

nsslapd-errorlog-logging-enabled   nsslapd-errorlog   Logging Status
on                                 empty string       Disabled
on                                 filename           Enabled
off                                empty string       Disabled
off                                filename           Disabled
nsslapd-errorlog-level (Error Log Level)
Specifies the level of logging to be used by Directory Server.
Note
This attribute has been deprecated in Directory Server 5.2. It is still supported for backward compatibility but has been replaced by the nsslapd-infolog-area (Information Log Area) and nsslapd-infolog-level (Information Log Level) attributes.
nsslapd-errorlog-list (Error Log List)
This read-only attribute provides a list of error log files.
Property
Value
Entry DN
cn=config
Valid Range
N/A
Default Value
None
Syntax
DirectoryString
Example
nsslapd-errorlog-list: errorlog2,errorlog3
nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
Property
Value
Entry DN
cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647)
Default Value
1
Syntax
Integer
Example
nsslapd-errorlog-logexpirationtime: 1
nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
Specifies the units for the nsslapd-errorlog-logexpirationtime attribute. If the server does not recognize the unit, the log never expires.
Property
Value
Entry DN
cn=config
Valid Range
month | week | day
Default Value
month
Syntax
DirectoryString
Example
nsslapd-errorlog-logexpirationtimeunit: week
nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
Property
Value
Entry DN
cn=config
Valid Range
-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size.
Default Value
100
Syntax
Integer
Example
nsslapd-errorlog-logmaxdiskspace: 500
nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
Property
Value
Entry DN
cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647)
Default Value
5
Syntax
Integer
Example
nsslapd-errorlog-logminfreediskspace: 5
nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit attribute.
It is not recommended to disable log rotation, because the error log will then grow indefinitely. There are nevertheless two ways to disable it: set nsslapd-errorlog-maxlogsperdir to 1, or set nsslapd-errorlog-logrotationtime to -1. The server checks nsslapd-errorlog-maxlogsperdir first, and only if that value is greater than 1 does it check nsslapd-errorlog-logrotationtime. Refer to nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files) for more information.
Property
Value
Entry DN
cn=config
Valid Range
-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between error log file rotations is unlimited.
Default Value
1
Syntax
Integer
Example
nsslapd-errorlog-logrotationtime: 100
nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the server does not recognize the unit, the log will never expire.
Property
Value
Entry DN
cn=config
Valid Range
month | week | day | hour | minute
Default Value
week
Syntax
DirectoryString
Example
nsslapd-errorlog-logrotationtimeunit: day
nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-errorlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
Property
Value
Entry DN
cn=config
Valid Range
-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Default Value
100
Syntax
Integer
Example
nsslapd-errorlog-maxlogsize: 100
nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. If this attribute is set to 1, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-errorlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1 then there is no log rotation. Refer to nsslapd-errorlog-logrotationtime (Error Log Rotation Time) for more information.
Property
Value
Entry DN
cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647)
Default Value
2
Syntax
Integer
Example
nsslapd-errorlog-maxlogsperdir: 10
nsslapd-groupevalnestlevel
Specifies the number of levels of nesting that the access control system will perform for group evaluation.
Property
Value
Entry DN
cn=config
Valid Range
0 to the maximum 64-bit integer value
Default Value
0
Syntax
Integer
Example
nsslapd-groupevalnestlevel: 5
nsslapd-idletimeout (Idle Timeout)
Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server never closes idle connections; each such connection then holds a file descriptor and a connection slot indefinitely (see nsslapd-maxdescriptors and nsslapd-maxconnections).
Property
Value
Entry DN
cn=config
Valid Range
0 to the maximum 32 bit integer value (2147483647)
Default Value
0
Syntax
Integer
Example
nsslapd-idletimeout: 0
nsslapd-infolog-area (Information Log Area)
Specifies the component for which logging information should be provided. Each component is identified as an area, whose value is a decimal translation of the hex values in slapi-plugin.h.
The log area is additive; for example, to enable logging on Search filter processing (32) and Config file processing (64), you would set this attribute to 96 (32+64).
If you are writing plug-ins for Directory Server, refer to the Directory Server Plug-In Developer’s Guide for more information on using this attribute.
Property
Value
Entry DN
cn=config
Valid Range
1 = Trace function calls. Logs a message when the server enters and exits a function.
2 = Debug packet handling
4 = Heavy trace output debugging
8 = Connection management
16 = Print out packets sent/received
32 = Search filter processing
64 = Config file processing
128 = Access control list processing
2048 = Log entry parsing debugging
4096 = Housekeeping thread debugging
8192 = Replication debugging
16384 = Default logging area, used for critical errors and other messages that are always written to the error log, for example server startup messages. Messages at this level are always included in the error log regardless of the nsslapd-infolog-level setting.
32768 = Database cache debugging.
65536 = Server plug-in debugging. An entry is written to the log file when a server plug-in calls slapi_log_info_ex().
Default Value
0
Syntax
Integer
Example
nsslapd-infolog-area: 0
nsslapd-infolog-level (Information Log Level)
Specifies the level of logging information that should be returned for the server component defined by the nsslapd-infolog-area attribute. A value of 0 means that only default logging information is returned for the selected area. Setting this attribute to 1 enables additional logging information to be returned for the selected area.
Property
Value
Entry DN
cn=config
Valid Range
0 | 1
Default Value
0
Syntax
Integer
Example
nsslapd-infolog-level: 0
nsslapd-instancedir (Instance Directory)
Specifies the full path to the directory where this server instance is installed. The hostname is the default serverID given at installation time. Do not change this value after installation.
Property
Value
Entry DN
cn=config
Valid Range
Any valid file path.
Default Value
ServerRoot/slapd-serverID
Syntax
DirectoryString
Example
nsslapd-instancedir: /usr/ds5/slapd-myServer
nsslapd-ioblocktimeout (IO Block Time Out)
Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Property
Value
Entry DN
cn=config
Valid Range
0 to the maximum 32 bit integer value (2147483647)
Default Value
1800000
Syntax
Integer
Example
nsslapd-ioblocktimeout: 1800000
nsslapd-lastmod (Track Modification Time)
Specifies whether Directory Server maintains the modification attributes for Directory Server entries. These attributes include:
- modifiersname—The distinguished name of the person who last modified the entry.
- modifytimestamp—The timestamp, in GMT format, for when the entry was last modified.
- creatorsname—The distinguished name of the person who initially created the entry.
- createtimestamp—The timestamp for when the entry was created in GMT format.
nsslapd-listenhost (Listen to IP Address)
Allows multiple Directory Server instances to run on a multihomed machine, and makes it possible to limit listening to one or more interfaces of a multihomed machine. Provide the hostname or hostnames corresponding to the IP interface(s) you want to use as values for this attribute. Directory Server responds only to requests sent to the interface(s) corresponding to the hostname(s) specified, and the port is then unavailable to other programs on those interfaces only. Restricting the listener to an internal interface also keeps the LDAP port closed on interfaces that do not need it.
Property
Value
Entry DN
cn=config
Valid Range
Any hostname or hostnames
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-listenhost: host_name
nsslapd-localhost (Local Host)
This read-only attribute specifies the host machine on which Directory Server runs.
Property
Value
Entry DN
cn=config
Valid Range
Any fully qualified hostname.
Default Value
Hostname of installed machine.
Syntax
DirectoryString
Example
nsslapd-localhost:myServer.example.com
nsslapd-localuser (Local User)
Specifies the user under which Directory Server runs. The group under which the server runs is derived from this attribute, by examining the groups of which the user is a member. If you change this user, all files in the installation directory must be changed to be owned by the new user.
Property
Value
Entry DN
cn=config
Valid Range
Any valid user on the local system.
Default Value
To run as the same user who started Directory Server.
Syntax
DirectoryString
Example
nsslapd-localuser: nobody
nsslapd-maxbersize (Maximum Message Size)
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry, and the entry in the request is larger than two megabytes, then the add request is denied. Care should be taken when changing this attribute and we recommend contacting Sun Professional Services before doing so.
Property
Value
Entry DN
cn=config
Valid Range
0 - 2GB (2,147,483,647 bytes) where a value of 0 indicates that the default value should be used.
Default Value
2097152
Syntax
Integer
Example
nsslapd-maxbersize: 2097152
nsslapd-maxconnections (Maximum Number of Connections)
This attribute limits the number of simultaneous connections the server can manage. The value of this attribute is not set by default. If it is not set manually, its implicit value is the maximum number of file descriptors a process can open on the system.
You can use this attribute to limit the amount of memory used by Directory Server. Directory Server allocates n*512 bytes of data, where n is equal to the value of nsslapd-maxconnections, if set, or to the maximum number of file descriptors a process can open on the system.
For example, on Solaris 9 systems, the maximum number of file descriptors is 64000. If nsslapd-maxconnections is not set, Directory Server allocates about 32 MB (64000 * 512 bytes) for this data, which may cause problems for some deployments. Setting nsslapd-maxconnections to a suitable value can help to alleviate this problem.
Property
Value
Entry DN
cn=config
Valid Range
nsslapd-reservedescriptors + 1 to nsslapd-maxdescriptors.
If the nsslapd-maxdescriptors attribute is not set, the maximum value of nsslapd-maxconnections is the maximum number of file descriptors a process can open on the system.
Default Value
N/A
Syntax
Integer
Example
nsslapd-maxconnections: 4096
nsslapd-maxdescriptors (Maximum File Descriptors)
This attribute sets the maximum, platform-dependent number of file descriptors that Directory Server will try to use. A file descriptor is used whenever a client connects to the server. It is also used for some server activities such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by the server for non-client connections, such as index management and managing replication, as specified in the nsslapd-reservedescriptors attribute. For details, refer to nsslapd-reservedescriptors (Reserved File Descriptors).
The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number will differ depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process. Refer to your operating system documentation for details on file descriptor limits and configuration. It is worth noting that the included idsktune program can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. You should consider increasing the value on this attribute if Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server errors log file:
Not listening for new connections -- too many fds open
Note
UNIX shells usually have configurable limits on the number of file descriptors. Refer to your operating system documentation for further information regarding limit and ulimit as these limits can often cause problems.
Property
Value
Entry DN
cn=config
Valid Range
1 to 65535
Default Value
Maximum number of file descriptors allowed for a process
Syntax
Integer
Example
nsslapd-maxdescriptors: 8192
nsslapd-maxpsearch (Maximum Persistent Searches)
Defines the maximum number of persistent searches that can be performed on Directory Server. The persistent search mechanism provides an active channel through which entries that change (and information about the changes that occur) can be communicated. Because each persistent search operation uses one thread, limiting the number of simultaneous persistent searches prevents certain kinds of denial of service attacks.
Property
Value
Entry DN
cn=config
Valid Range
1 to maximum thread number
Default Value
30
Syntax
Integer
Example
nsslapd-maxpsearch: 30
nsslapd-maxthreadsperconn (Maximum Threads Per Connection)
Defines the maximum number of threads that a connection should use. For normal operations where a client binds and performs only one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations.
Property
Value
Entry DN
cn=config
Valid Range
1 to maximum threadnumber
Default Value
5
Syntax
Integer
Example
nsslapd-maxthreadsperconn: 5
nsslapd-nagle
When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies. That is, the sending of data is delayed, in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for Ethernet).
Property
Value
Entry DN
cn=config
Valid range
on | off
Default value
off
Syntax
DirectoryString
Example
nsslapd-nagle: off
nsslapd-plugin
This multi-valued, read-only attribute lists the syntaxes and matching rules loaded by the server.
nsslapd-port (Port Number)
TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port, you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 requires Directory Server to run as super user.
Note
Be aware when changing this port number of other applications whose configurations you may have to modify to reflect the change.
When changing the port number through the command line, you must also update nsServerPort on cn=slapd-serverID, cn=Sun Java(TM) System Directory Server, cn=Server Group, cn=hostname, ou=domainname, o=NetscapeRoot in the configuration directory.
In addition, when you change the port number of a configuration directory server you must close the console, stop all Administration Servers using the configuration directory, and modify the LDAP URL for the configuration directory in each Administration Server’s ServerRoot/shared/config/dbswitch.conf before restarting the Administration Server.
You must restart the server for the port number change to be taken into account.
Property
Value
Entry DN
cn=config
Valid Range
1 to 65535
Default Value
389
Syntax
Integer
Example
nsslapd-port: 389
nsslapd-privatenamespaces
Contains the list of the private naming contexts cn=config, cn=schema, and cn=monitor.
Property
Value
Entry DN
cn=config
Valid Range
cn=config, cn=schema, and cn=monitor
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-privatenamespaces: cn=config
nsslapd-readonly (Read Only)
Specifies whether the whole server is in read-only mode, meaning that neither data in the database(s) nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-readonly: off
nsslapd-referral (Referral)
This multi-valued attribute specifies the LDAP URL(s) to be returned by the suffix, when the server receives a request for an entry not belonging to the local tree, that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, suppose the database contains only the entries:
ou=People, dc=example,dc=com
but the request is for:
ou=Groups, dc=example,dc=com
In this case, the referral is returned so the client may contact the corresponding directory for the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.
Note
If you want to use SSL and TLS communications, the Referral attribute should be in the following form:
ldaps://serverHost
Start TLS does not support referrals.
For more information on managing referrals, refer to “Setting Referrals” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=config
Valid Range
Valid LDAP URL in the following format: ldap://serverHost
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-referral: ldap://alternate.example.com
nsslapd-referralmode (Referral Mode)
When set, the server returns this referral for every request on every suffix.
Property
Value
Entry DN
cn=config
Valid Range
Valid LDAP URL in the following format: ldap://serverHost
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-referralmode: ldap://backup.example.com
nsslapd-reservedescriptors (Reserved File Descriptors)
This read-only attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections. For details, refer to nsslapd-maxdescriptors (Maximum File Descriptors).
Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true:
- The server is replicating to a large number of consumer servers (more than 10) and/or the server is maintaining a large number of index files (more than 30).
- The server is servicing a large number of LDAP connections.
- You get error messages reporting that the server is unable to open file descriptors (the actual error message will differ depending on the operation that the server is attempting to perform), but these error messages are NOT related to managing client LDAP connections.
Increasing the value on this attribute may result in more LDAP clients being unable to access your directory. Therefore, when you increase the value on this attribute, increase the value on the nsslapd-maxdescriptors attribute also. Note that you may not be able to increase the nsslapd-maxdescriptors value if your server is already using the maximum number of file descriptors that your operating system allows a process to use. Refer to your operating system documentation for details. If this is the case, then reduce the load on your server by causing LDAP clients to search alternative directory replicas.
To assist you in computing the number of file descriptors you set for this attribute, we suggest you use the following formula:
nsslapd-reservedescriptor = 20 + (NumBackends * 4) + NumGlobalIndexes + ReplicationDescriptors + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
where the terms are given in the following table:
Table 2-4 Terms for Computing the Value of nsslapd-reservedescriptor
Term
Definition
NumldbmBackends
Number of ldbm databases.
NumGlobalIndexes
Total number of configured indexes for all databases including system indexes. By default, there are 8 system indexes and 17 additional indexes per database.
ReplicationDescriptors
NumSupplierReplicas + 8
Where NumSupplierReplicas is number of replicas in the server that can act as a supplier (hub or master).
ChainingBackendDescriptors
NumChainingBackends * nsOperationConnectionsLimit
Where nsOperationConnectionsLimit is defined in the chained suffix configuration and 10 by default.
PTADescriptors
3 if PTA is configured, 0 if PTA is not configured.
SSLDescriptors
5 (4 files + 1 listen socket) if SSL is configured, 0 if SSL is not configured.
Property
Value
Entry DN
cn=config
Valid Range
1 to 65535
Default Value
64
Syntax
Integer
Example
nsslapd-reservedescriptors: 64
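The formula and Table 2-4 terms worked through in code, as an added example that is not part of the Sun reference. It assumes the "8 system indexes" count applies per database (like the 17 additional indexes), and the scenario values (two databases, two supplier replicas, nsslapd-maxdescriptors of 1024) are constructed.

```python
# Added example: evaluates the nsslapd-reservedescriptors formula term by term
# and shows how much of nsslapd-maxdescriptors remains for LDAP clients.

SYSTEM_INDEXES_PER_DB = 8      # "8 system indexes" (assumed per database)
DEFAULT_INDEXES_PER_DB = 17    # "17 additional indexes per database"
RESERVED_MIN, RESERVED_MAX = 1, 65535   # valid range from the property table


def default_global_indexes(num_backends: int) -> int:
    """NumGlobalIndexes when every database keeps the default index set."""
    return num_backends * (SYSTEM_INDEXES_PER_DB + DEFAULT_INDEXES_PER_DB)


def descriptor_terms(num_backends: int,
                     num_global_indexes: int,
                     num_supplier_replicas: int,
                     num_chaining_backends: int = 0,
                     ns_operation_connections_limit: int = 10,
                     pta_configured: bool = False,
                     ssl_configured: bool = False) -> dict:
    """Each term of the formula, keyed by the name Table 2-4 gives it."""
    return {
        "Base": 20,
        "NumBackends * 4": num_backends * 4,
        "NumGlobalIndexes": num_global_indexes,
        "ReplicationDescriptors": num_supplier_replicas + 8,
        "ChainingBackendDescriptors":
            num_chaining_backends * ns_operation_connections_limit,
        "PTADescriptors": 3 if pta_configured else 0,
        "SSLDescriptors": 5 if ssl_configured else 0,  # 4 files + 1 listen socket
    }


def reserved_descriptors(*args, **kwargs) -> int:
    """Sum the terms and check the result against the attribute's valid range."""
    total = sum(descriptor_terms(*args, **kwargs).values())
    if not RESERVED_MIN <= total <= RESERVED_MAX:
        raise ValueError(f"{total} is outside {RESERVED_MIN}..{RESERVED_MAX}")
    return total


def client_descriptor_budget(max_descriptors: int, reserved: int) -> int:
    """Descriptors left for client connections once the reserve is taken.
    A small or negative result is the client lock-out the text warns about."""
    return max_descriptors - reserved


if __name__ == "__main__":
    # Constructed scenario: two ldbm databases with default indexes, two
    # supplier replicas, SSL enabled, no chaining and no PTA.
    terms = descriptor_terms(num_backends=2,
                             num_global_indexes=default_global_indexes(2),
                             num_supplier_replicas=2, ssl_configured=True)
    for name, value in terms.items():
        print(f"{name:28s} {value}")
    total = sum(terms.values())
    print("nsslapd-reservedescriptors:", total)
    print("left for clients with nsslapd-maxdescriptors 1024:",
          client_descriptor_budget(1024, total))
```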
nsslapd-return-exact-case (Return Exact Case)
Returns the exact case of attribute names, as defined in the schema.
Attribute names are case-insensitive by default. However, when an attribute is returned by Directory Server (as the result of a search operation) some client applications require attribute names to match the case of the attribute as it is listed in the schema. Other client applications require attribute names to be returned in lower case (the default behavior in Directory Server 4.x).
nsslapd-return-exact-case is enabled by default. You should disable this attribute if you have legacy clients that expect attribute names to be returned in lower case (for backward compatibility with Directory Server 4.x). You must stop and restart the server for changes to this attribute to be taken into account.
Note that if the attribute name is specified in the search, it is returned in the case in which it is specified, regardless of the value of nsslapd-return-exact-case.
For example, the following search command
ldapsearch -b "cn=config" -s base objectclass=* "PassWordMinAGe"
returns the attribute as "PassWordMinAGe=0", whether nsslapd-return-exact-case is set to on or off.
If nsslapd-return-exact-case is set to on, the following search command
ldapsearch -b "cn=config" -s base objectclass=*
returns the attribute as "passwordMinAge=0", which is how this attribute is defined in the schema.
If nsslapd-return-exact-case is set to off, the same search command
ldapsearch -b "cn=config" -s base objectclass=*
returns the attribute as "passwordminage=0" (in lower case).
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nsslapd-return-exact-case: on
nsslapd-rootdn (Manager DN)
Specifies the distinguished name of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory or resource limits in general. The attributes nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-schemacheck do not apply to this DN either. nsslapd-idletimeout does however apply to connections opened by this DN.
For information on changing the Root DN, refer to “Creating Directory Entries” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=config
Valid Range
Any valid distinguished name
Default Value
N/A
Syntax
DN
Example
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw (Root Password)
Allows you to specify the password associated with the "Manager DN". When you provide the root password, it will be encrypted according to the encryption method you selected for nsslapd-rootpwstoragescheme (Root Password Storage Scheme). When viewed from the server console, this attribute shows the value *****. When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. Please note that the example below is what you view, not what you type.
Caution
If you configure a root DN at server installation time, you must also provide a root password. However, it is possible for the root password to be deleted from dse.ldif by direct editing of the file. In this situation, the root DN can only obtain the same access to your directory as you allow for anonymous access. Always make sure that a root password is defined in dse.ldif when a root DN is configured for your database.
Property
Value
Entry DN
cn=config
Valid Range
Any valid password encrypted by any one of the encryption methods that are described in passwordStorageScheme (Password Storage Scheme).
Default Value
N/A
Syntax
DirectoryString: {encryption_method} encrypted_password
Example
nsslapd-rootpw: {SSHA}9Eko69APCJfF
nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
Available only from the server console. This attribute indicates the encryption method used for the root password.
Property
Value
Entry DN
cn=config
Valid Range
Any encryption method as described in passwordStorageScheme (Password Storage Scheme).
Default Value
SSHA
Syntax
DirectoryString
Example
nsslapd-rootpwstoragescheme: SSHA
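An added example, not from the Sun reference, that audits the cn=config entry of a dse.ldif fragment for the conditions described under nsslapd-rootpw and nsslapd-rootpwstoragescheme (root DN configured with no root password, a storage scheme other than the SSHA default, a declared scheme that disagrees with the stored value) and verifies an {SSHA} value. It assumes the usual {SSHA} layout base64(SHA-1(password || salt) || salt); the LDIF fragments, password and salt are constructed.

```python
# Added example: dse.ldif root-credential audit and {SSHA} verification.
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Build an {SSHA} value in the form dse.ldif stores it
    (assumed layout: base64 of SHA-1(password + salt) followed by salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_ssha(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SSHA} value."""
    if not stored.upper().startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digest is 20 bytes
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for one entry: unfolds continuation lines,
    decodes '::' base64 values and lower-cases attribute names."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]               # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def audit_root_credentials(entry: Dict[str, List[str]]) -> List[str]:
    """Findings for the root DN / root password configuration of cn=config."""
    findings: List[str] = []
    rootdn = entry.get("nsslapd-rootdn", [])
    rootpw = entry.get("nsslapd-rootpw", [])
    if rootdn and not rootpw:
        findings.append("nsslapd-rootdn is set but nsslapd-rootpw is missing: "
                        "the root DN gets only anonymous access")
    if rootpw:
        value = rootpw[0]
        scheme = None
        if value.startswith("{") and "}" in value:
            scheme = value[1:value.find("}")]
        if scheme is None:
            findings.append("nsslapd-rootpw has no {scheme} prefix")
        elif scheme.upper() != "SSHA":
            findings.append(f"nsslapd-rootpw uses {scheme}, not the SSHA default")
        declared = entry.get("nsslapd-rootpwstoragescheme", [])
        if scheme and declared and declared[0].upper() != scheme.upper():
            findings.append("nsslapd-rootpwstoragescheme does not match "
                            "the scheme of the stored value")
    return findings


# Constructed dse.ldif fragments; password and salt are sample values.
SAMPLE_SALT = bytes(range(8))
SAMPLE_HASH = make_ssha("sample-root-password", SAMPLE_SALT)
GOOD_DSE = f"""dn: cn=config
objectClass: top
nsslapd-rootdn: cn=Directory Manager
nsslapd-rootpw: {SAMPLE_HASH}
nsslapd-rootpwstoragescheme: SSHA
"""
# The rootpw line removed by direct editing: the case the caution describes.
BAD_DSE = """dn: cn=config
objectClass: top
nsslapd-rootdn: cn=Directory Manager
"""
```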
nsslapd-schema-repl-useronly
This attribute allows you to have greater control over the schema that is replicated. The attribute is off by default, implying that the entire schema is replicated. If the attribute is set to on, only schema with an X-ORIGIN of user-defined is replicated. This setting greatly improves the performance of schema replication.
If you are replicating from a 5.2 Directory Server to a 5.1 server, you must set this attribute to on. Otherwise the 5.2 schema will be pushed to the 5.1 server and the 5.1 server will be unable to restart, due to duplicate objects.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-schema-repl-useronly: off
nsslapd-schemacheck (Schema Checking)
Specifies whether the database schema will be enforced during entry insertion or modification. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. You can extend the default schema using the objectclasses and attribute types. For information on how to extend your schema using Directory Server console, refer to Chapter 9, “Extending the Directory Schema” in the Directory Server Administration Guide.
Note
Schema checking works by default when database modifications are made using an LDAP client, such as ldapmodify, the Directory Server console, or when importing a database from LDIF using directoryserver ldif2db.
If you turn schema checking off, you will have to verify manually that your entries conform to the schema. If schema checking is turned on, the server sends an error message to inform you of the entries that do not match the schema. Make sure that the attributes and object classes you create in your LDIF statements are both spelled correctly and identified in dse.ldif. You will need to create a file in LDIF format in the schema directory or add the elements to 99user.ldif.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nsslapd-schemacheck: on
nsslapd-securelistenhost
Allows multiple Directory Server instances to run on a multihomed machine, using secure SSL/TLS connections, and makes it possible to limit listening to one or more interfaces of a multihomed machine. Provide the hostname or hostnames corresponding to the IP interface(s) you want to specify as the values for this attribute. Directory Server responds only to requests sent to the interface(s) corresponding to the hostname(s) specified. This prevents other programs from using the same port as Directory Server on the interfaces specified.
Property
Value
Entry DN
cn=config
Valid Range
Any secure hostname or hostnames
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-securelistenhost:secure_host_name
nsslapd-securePort (Encrypted Port Number)
TCP/IP port number used for SSL/TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 requires that Directory Server runs as super user.
Note
Be aware when changing this port number of other applications whose configurations you may have to modify to reflect the change.
When changing the port number through the command line, you must also update nsSecureServerPort on cn=slapd-serverID, cn=Sun Java(TM) System Directory Server, cn=Server Group, cn=hostname, ou=domainname, o=NetscapeRoot in the configuration directory.
In addition, when you change the port number of a configuration directory server you must close the console, stop all Administration Servers using the configuration directory, and modify the LDAP URL for the configuration directory in each Administration Server’s ServerRoot/shared/config/dbswitch.conf before restarting the Administration Server.
The default value 636 is only used if the server has been configured with a private key and a certificate; otherwise it does not listen on this port.
You must restart the server for the port number change to be taken into account.
Property
Value
Entry DN
cn=config
Valid Range
1 to 65535
Default Value
636
Syntax
Integer
Example
nsslapd-securePort: 636
nsslapd-security (Security)
Enables the use of security features (SSL/TLS and attribute encryption) in Directory Server. If you require secure connections, or the use of the attribute encryption feature, this attribute should be set to on.
Property
Value
Entry DN
cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-security: off
nsslapd-sizelimit (Size Limit)
Specifies the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.
When no limit is set, ns-slapd will return every matching entry to the client regardless of the number found. To set a no limit value whereby Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file.
This limit applies to everyone regardless of their organization.
Property
Value
Entry DN
cn=config
Valid Range
-1 to the maximum 32 bit integer value (2147483647)
Default Value
2000
Syntax
Integer
Example
nsslapd-sizelimit: 2000
nsslapd-threadnumber (Thread Number)
Defines the number of operation threads that Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify. This ensures that there are other threads available for servicing short-lived operations such as simple searches.
Property
Value
Entry DN
cn=config
Valid Range
1 to the number of threads supported by your system
Default Value
30
Syntax
Integer
Example
nsslapd-threadnumber: 60
nsslapd-timelimit (Time Limit)
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
When no limit is set, ns-slapd will return every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.
Property
Value
Entry DN
cn=config
Valid range
-1 to the maximum 32 bit integer value (2147483647) in seconds
Default value
3600
Syntax
Integer
Example
nsslapd-timelimit: 3600
nsslapd-versionstring (Version String)
Specifies the server version number.
Property
Value
Entry DN
cn=config
Valid range
Any valid server version number.
Default value
N/A
Syntax
DirectoryString
Example
nsslapd-versionstring:SunONE-Directory/5.2
cn=changelog5
Multi-master replication changelog configuration entries are stored under the cn=changelog5 entry. The replication changelog behaves much like a database. The cn=changelog5,cn=config entry is an instance of the extensibleObject object class. For attributes to be taken into account by the server, this object class (and the top object class) must be present in the entry.
It is worth noting that two different types of change logs are maintained by Sun Java System Directory Server 5.2. The first type, which is stored here and referred to as changelog, is used by multi-master replication; the second change log, which is actually a plug-in and referred to as retro changelog, is intended for use by Sun Java System Meta Directory. Refer to Retro Changelog Plug-In Attributes for further information regarding the Retro Changelog Plug-in. Multi-master replication changelog attributes are presented in this section.
nsslapd-cachesize (Cache Size)
Specifies the replication changelog cache size, in terms of the number of entries it can hold. Note that it is simpler to limit the cache by memory size only (using the nsslapd-cachememsize attribute). If you attempt to set a value that is not an integer or is too big for a 64-bit unsigned integer (32-bit unsigned integer for 32-bit installations), you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property
Value
Entry DN
cn=changelog5,cn=config
Valid Range
1 to 2,147,483,647 (or -1 which means unlimited) entries
Default Value
-1
Syntax
Integer
Example
nsslapd-cachesize: -1
nsslapd-cachememsize (Cache Memory Size)
Specifies the changelog cache size, in terms of the available memory space. Limiting cachesize in terms of memory occupied is the simplest method. If automatic cache resizing is activated, this attribute is overridden. If you attempt to set a value that is not an integer or is too big for a 64-bit unsigned integer (32-bit unsigned integer for 32-bit installations), you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property
Value
Entry DN
cn=changelog5,cn=config
Valid Range
200KB to 2^64-1 bytes (200KB to 2^32-1 bytes for 32-bit installations)
Default Value
10 485 760 (10 MB)
Syntax
Integer
Example
nsslapd-cachememsize:10
nsslapd-changelogdir (Changelog Directory)
This required attribute specifies the name of the directory in which the change log database will be created. Whenever a change log configuration entry is created it must contain a valid directory or the operation will be rejected. The GUI proposes by default that this database be stored under:
ServerRoot/slapd-serverID/changelogdb
Note
For performance reasons, it is recommended that you store this database on a different physical disk.
If you change this value after enabling replication, the old changelog is deleted and a new changelog is created. Therefore, you should not change the value of this attribute after replication has been enabled and consumers initialized.
Property
Value
Entry DN
cn=changelog5,cn=config
Valid Range
Any valid path to the directory storing the change log
Default Value
None
Syntax
DirectoryString
Example
nsslapd-changelogdir: /usr/myhome/slapd-local/changelogdb
nsslapd-changelogmaxage (Max Changelog Age)
Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed. If this attribute is absent, there is no age limit on change log records. For information on the change log, refer to nsslapd-changelogdir (Changelog Directory).
Property
Value
Entry DN
cn=changelog5,cn=config
Valid Range
0 (meaning that entries are not removed according to their age) to maximum integer (2147483647)
Default Value
0
Syntax
DirectoryString IntegerAgeID
where AgeID is “s” for seconds, “m” for minutes, “h” for hours, “d” for days, or “w” for weeks.
Example
nsslapd-changelogmaxage: 30d
nsslapd-changelogmaxentries (Max Changelog Records)
Specifies the maximum number of records the change log may contain. If this attribute is absent, there is no maximum number of records the change log can contain. For information on the change log, refer to nsslapd-changelogdir (Changelog Directory).
Property
Value
Entry DN
cn=changelog5,cn=config
Valid Range
0 (meaning that the only maximum limit is the disk size) to maximum integer (2147483647)
Default Value
0
Syntax
Integer
Example
nsslapd-changelogmaxentries: 5000
cn=encryption
Encryption related attributes are stored under the cn=encryption,cn=config entry. This entry is an instance of the nsEncryptionConfig object class. For encryption related attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Encryption configuration attributes are presented in this section.
nsSSLSessionTimeout
Specifies the lifetime duration of an SSL session for both SSLv2 and SSLv3. The minimum timeout value is 5 seconds and if you enter a value below this, it is automatically replaced by 5 seconds. Values outside the valid ranges are replaced by the default value of 100 seconds (SSLv2).
Property
Value
Entry DN
cn=encryption,cn=config
Valid Range
(SSLv2) 5 seconds to 100 seconds
(SSLv3) 5 seconds to 24 hours
Default Value
0 (which translates to 100 seconds if you are running SSLv2 and 24 hours if you are running SSLv3).
Syntax
Integer
Example
nsSSLSessionTimeout: 5
nsSSLClientAuth
In an SSL connection, this attribute specifies whether a client certificate is allowed, required, or should not be sent (off) to the SSL server.
Property
Value
Entry DN
cn=encryption,cn=config
Valid Range
off | allowed | required
Default Value
allowed
Syntax
DirectoryString
Example
nsSSLClientAuth: allowed
nsSSLServerAuth
Specifies the action that the SSL client should take on the server certificate sent by the SSL server in an SSL connection.
Property
Value
Entry DN
cn=encryption,cn=config
Valid Range
weak - make no attempt to verify whether the server certificate is from a trusted certificate authority
cert - verify whether the server certificate is from a trusted certificate authority
cncheck - verify whether the server certificate is from a trusted certificate authority and verify the DN contained in the server certificate (to avoid man-in-the-middle attacks on the server)
Default Value
cert
Syntax
DirectoryString
Example
nsSSLServerAuth: cert
nsSSL2 (SSL 2)
Supports SSL version 2.
Property
Value
Entry DN
cn=encryption,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsSSL2: on
nsSSL3 (SSL 3)
Supports SSL version 3.
Property
Value
Entry DN
cn=encryption,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsSSL3: on
nsSSL3ciphers
This multi-valued attribute specifies the set of encryption ciphers Directory Server will use during SSL communications. For more information on the ciphers supported by Directory Server, refer to Chapter 11, “Managing SSL”, in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=encryption,cn=config
Valid Range
For domestic versions, any combination of the following:
For SSLv3
rsa_null_md5
rsa_rc4_128_md5
rsa_rc4_40_md5
rsa_rc2_40_md5
rsa_des_sha
rsa_fips_des_sha
rsa_3des_sha
rsa_fips_3des_sha
For TLS
tls_rsa_export1024_with_rc4_56_sha
tls_rsa_export1024_with_des_cbc_sha
Default Value
N/A
Syntax
DirectoryString
+ symbol to enable or - symbol to disable followed by the cipher(s). It is important to note that blank spaces are not allowed in the list of ciphers.
To enable all ciphers (except rsa_null_md5 which must be specifically called) you can specify +all.
Example
nsSSL3ciphers: +RSA_NULL_MD5,+RC4_56_SHA,-RC4_56_SHA
If you are using the Directory Server console to set the cipher preferences, the values on the SSL 3.0 tab of the Cipher Preference dialog box correspond to the following:
Table 2-5 SSLv3 Ciphers
Cipher in Console
Corresponding SSLv3 Cipher
None
rsa_null_md5
RC4
rsa_rc4_128_md5
RC4 (Export)
rsa_rc4_40_md5
RC2(Export)
rsa_rc2_40_md5
DES
rsa_des_sha
DES (FIPS)
rsa_fips_des_sha
Triple-DES
rsa_3des_sha
Triple-DES (FIPS)
rsa_fips_3des_sha
If you are using the Directory Server console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following:
Table 2-6 TLS Ciphers
Cipher in Console
Corresponding TLS Cipher
RC4 (Export)
tls_rsa_export1024_with_rc4_56_sha
DES (Export)
tls_rsa_export1024_with_des_cbc_sha
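As an added example (not from the Sun reference), the following resolves an nsSSL3ciphers value into the set of enabled ciphers using the rules given above (+/- prefixes, comma separation, no blanks, +all excluding rsa_null_md5) and then reports the enabled ciphers a reviewer would question. It assumes cipher names are matched case-insensitively against the SSLv3 and TLS lists above and that a later token overrides an earlier one for the same cipher; the weakness notes are this example's assessment, not the page's.

```python
# Added example: resolve an nsSSL3ciphers value and flag weak ciphers.
from typing import List, Set

SSLV3_CIPHERS = {
    "rsa_null_md5", "rsa_rc4_128_md5", "rsa_rc4_40_md5", "rsa_rc2_40_md5",
    "rsa_des_sha", "rsa_fips_des_sha", "rsa_3des_sha", "rsa_fips_3des_sha",
}
TLS_CIPHERS = {
    "tls_rsa_export1024_with_rc4_56_sha",
    "tls_rsa_export1024_with_des_cbc_sha",
}
KNOWN_CIPHERS = SSLV3_CIPHERS | TLS_CIPHERS

# Why each cipher is a finding (assessment added here, not from the page).
WEAKNESS = {
    "rsa_null_md5": "no encryption at all",
    "rsa_rc4_40_md5": "40-bit export key",
    "rsa_rc2_40_md5": "40-bit export key",
    "tls_rsa_export1024_with_rc4_56_sha": "56-bit export key, RC4",
    "tls_rsa_export1024_with_des_cbc_sha": "56-bit export key, single DES",
    "rsa_des_sha": "56-bit single DES",
    "rsa_fips_des_sha": "56-bit single DES",
    "rsa_rc4_128_md5": "RC4 stream cipher",
}


def resolve_cipher_spec(spec: str) -> Set[str]:
    """Apply a comma-separated list of +cipher / -cipher tokens in order."""
    if " " in spec:
        raise ValueError("blank spaces are not allowed in the cipher list")
    enabled: Set[str] = set()
    for token in spec.split(","):
        if not token or token[0] not in "+-":
            raise ValueError(f"token {token!r} must start with + or -")
        sign, name = token[0], token[1:].lower()
        if name == "all":
            # +all enables everything except the null cipher, which must be
            # named explicitly; -all disables everything.
            targets = KNOWN_CIPHERS if sign == "-" else KNOWN_CIPHERS - {"rsa_null_md5"}
        elif name in KNOWN_CIPHERS:
            targets = {name}
        else:
            raise ValueError(f"unknown cipher {token[1:]!r}")
        if sign == "+":
            enabled |= targets
        else:
            enabled -= targets
    return enabled


def cipher_findings(enabled: Set[str]) -> List[str]:
    """One finding per enabled cipher with a known weakness, in sorted order."""
    return [f"{c}: {WEAKNESS[c]}" for c in sorted(enabled) if c in WEAKNESS]


if __name__ == "__main__":
    # Constructed value: everything on, then the export-grade ciphers off.
    spec = "+all,-rsa_rc4_40_md5,-rsa_rc2_40_md5"
    enabled = resolve_cipher_spec(spec)
    print(f"{spec} enables {len(enabled)} ciphers")
    for finding in cipher_findings(enabled):
        print("  finding:", finding)
```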
cn=features
The cn=features,cn=config entry is an instance of the nsContainer object class. It offers access controls for features such as VLV, persistent search, getEffectiveRights, and online import, configuration for internationalized matching and searching (refer to Table 5-1 for more information), and configuration attributes for the filtering service (used by the partial replication feature), under the cn=filtering service,cn=features,cn=config entry.
The filtering service subtree contains two nodes: cn=sets and cn=elements.
cn=elements contains all defined filtering units. A filtering unit is the minimum filtering concept that the filtering service can understand in a particular subtree.
cn=sets contains combinations and unions of the filtering units under cn=elements to extend the filtering definition.
For more information on the filtering service, refer to the Directory Server Administration Guide.
cn=elements,cn=filtering service,cn=features,cn=config
Objects in this subtree are of type dsFilterSPFractionElement.
dsFilterSPType
Specifies the type of partial replication.
Property
Value
Entry DN
cn="elementName",cn=elements,cn=filtering service,cn=features,cn=config
Valid Range
fractional_include | fractional_exclude
Default Value
N/A
Example
dsFilterSPType: fractional_include
dsFilterSPFractionAttr
If the dsFilterSPType attribute is set to fractional_include, this attribute contains the list of attributes to be included for replication.
If the dsFilterSPType attribute is set to fractional_exclude, this attribute contains the list of attributes to be excluded for replication.
Property
Value
Entry DN
cn="elementName",cn=elements,cn=filtering service,cn=features,cn=config
Valid Range
Any attribute name defined in the schema.
Default Value
N/A
Example
dsFilterSPFractionAttr: cn
cn=sets,cn=filtering service,cn=features,cn=config
Objects in this subtree are of type dsFilterSPConfigSet.
dsFilterSPConfigDefinition
This single-valued attribute may contain any AND or OR combination of any number of Configuration Elements entries located in the configuration directory. The value of this attribute must conform to the following syntax:
dsFilterSPConfigDefinition: SUBSET(1) || SUBSET(2) ||...|| SUBSET(N)
Here SUBSET(x) is written as (subtree_configuration && sparse_configuration && fractional_configuration). For Directory Server 5.2, subtree_configuration and sparse_configuration must be any. fractional_configuration is an RDN value part referring to the entry that specifies the attribute types to include or exclude.
Property
Value
Entry DN
cn="setName",cn=sets,cn=filtering service,cn=features,cn=config
Valid Range
Any string.
Default Value
N/A
Syntax
DirectoryString
Example
dsFilterSPConfigDefinition:
(any && any && include_cn_sn)
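The filtering service configuration above (dsFilterSPType and dsFilterSPFractionAttr under cn=elements, dsFilterSPConfigDefinition under cn=sets) worked through as an added example that is not part of the Sun reference: it parses a set definition, enforces the 5.2 rule that subtree_configuration and sparse_configuration are any, resolves each fractional_configuration against constructed cn=elements entries, and computes which attributes of an entry would be replicated. It assumes that when several SUBSETs are OR'ed an attribute replicates if any SUBSET admits it; the element names, attribute lists and sample entry are constructed.

```python
# Added example: evaluate a dsFilterSPConfigDefinition against cn=elements.
from typing import Dict, Iterable, List, Set, Tuple

# Constructed cn=elements entries keyed by elementName (the RDN value).
ELEMENTS: Dict[str, Dict[str, List[str]]] = {
    "include_cn_sn": {
        "dsFilterSPType": ["fractional_include"],
        "dsFilterSPFractionAttr": ["cn", "sn"],
    },
    "exclude_secrets": {
        "dsFilterSPType": ["fractional_exclude"],
        "dsFilterSPFractionAttr": ["userPassword", "telephoneNumber"],
    },
}


def parse_config_definition(value: str) -> List[Tuple[str, str, str]]:
    """Split 'SUBSET(1) || ... || SUBSET(N)' into (subtree, sparse, fractional)
    triples; in 5.2 the first two fields must both be 'any'."""
    subsets: List[Tuple[str, str, str]] = []
    for part in value.split("||"):
        part = part.strip()
        if not (part.startswith("(") and part.endswith(")")):
            raise ValueError(f"subset {part!r} must be parenthesised")
        fields = [f.strip() for f in part[1:-1].split("&&")]
        if len(fields) != 3:
            raise ValueError(f"subset {part!r} needs exactly three && fields")
        subtree, sparse, fractional = fields
        if subtree != "any" or sparse != "any":
            raise ValueError("subtree and sparse configuration must be 'any' in 5.2")
        subsets.append((subtree, sparse, fractional))
    return subsets


def element_filter(element: Dict[str, List[str]], attrs: Iterable[str]) -> Set[str]:
    """Apply one element's include/exclude list to an entry's attribute names
    (attribute names compare case-insensitively)."""
    listed = {a.lower() for a in element["dsFilterSPFractionAttr"]}
    sptype = element["dsFilterSPType"][0]
    names = {a.lower() for a in attrs}
    if sptype == "fractional_include":
        return names & listed
    if sptype == "fractional_exclude":
        return names - listed
    raise ValueError(f"unknown dsFilterSPType {sptype!r}")


def replicated_attributes(definition: str, attrs: Iterable[str],
                          elements: Dict[str, Dict[str, List[str]]] = ELEMENTS
                          ) -> Set[str]:
    """Lower-cased attribute names that the set definition lets through.
    OR'ed subsets are combined as a union (assumption of this example)."""
    result: Set[str] = set()
    attrs = list(attrs)
    for _, _, fractional in parse_config_definition(definition):
        if fractional not in elements:
            raise ValueError(f"no cn={fractional} under cn=elements")
        result |= element_filter(elements[fractional], attrs)
    return result


if __name__ == "__main__":
    # Constructed entry attribute list.
    entry_attrs = ["cn", "sn", "userPassword", "telephoneNumber", "mail"]
    for definition in ("(any && any && include_cn_sn)",
                       "(any && any && exclude_secrets)"):
        print(definition, "->", sorted(replicated_attributes(definition, entry_attrs)))
```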
cn=mapping tree
Configuration attributes for suffixes and replication are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry
cn="suffixName",cn=mapping tree,cn=config.
Replication configuration attributes are stored under
cn=replica,cn="suffixName",cn=mapping tree,cn=config.
Replication agreement attributes are stored under
cn=replicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config.
Suffix Configuration Attributes Under cn="suffixName"
Suffix configuration attributes are stored under the cn="suffixName" entry, for example cn="dc=example,dc=com". This entry is an instance of the nsMappingTree object class, which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server, these object classes (in addition to the top object class) must be present in the entry. Suffix configuration attributes are presented in this section.
nsslapd-backend
Gives the name of the suffix or chained suffix used to process requests. This attribute can be multi-valued if you are using a custom distribution plug-in, with one suffix name per value. In this case, you must also specify the nsslapd-distribution-plugin and nsslapd-distribution-funct attributes.
This attribute is required when the value of the nsslapd-state attribute is set to backend or referral on update.
Property
Value
Entry DN
cn="suffixName",cn=mapping tree,cn=config
Valid Range
Any valid partition name.
Default Value
None
Syntax
DirectoryString
Example
nsslapd-backend: NetscapeRoot
nsslapd-distribution-plugin
Specifies the full path and filename of the shared library for the custom distribution plugin. This attribute is required along with nsslapd-distribution-funct when you have specified more than one suffix in the nsslapd-backend attribute.
Contact Sun Professional Services for information on how to create distribution logic for Directory Server.
Property
Value
Entry DN
cn="suffixName",cn=mapping tree,cn=config
Valid Range
The full path and filename of the plug-in library.
Default Value
None
Syntax
DirectoryString
Example
nsslapd-distribution-plugin: ServerRoot/plugins/custom/myDistrib.so
Note
Once you have distributed entries, you cannot redistribute them. The following restrictions apply:
- You cannot change your distribution function once you have deployed entry distribution.
- You cannot use the LDAP modrDN or ldapmodify commands to change an entry if that would cause them to be distributed into a different database.
- You cannot replicate databases that are distributed over multiple databases.
Violating these restrictions prevents Sun Java System Directory Server from correctly locating and returning entries.
nsslapd-distribution-funct
Specifies the name of your distribution function within the library named by nsslapd-distribution-plugin. This attribute is required along with nsslapd-distribution-plugin when you have specified more than one database in the nsslapd-backend attribute.
Contact Sun Professional Services for information on how to create distribution logic for your Directory Server.
Property
Value
Entry DN
cn="suffixName",cn=mapping tree,cn=config
Valid Range
The name of the distribution function.
Default Value
None
Syntax
DirectoryString
Example
nsslapd-distribution-funct: alphabeticalDistrib
nsslapd-referral
Lists the servers to which updates are referred. This attribute can be multi-valued, with one server per value. This attribute is required when the value of the nsslapd-state attribute is set to referral.
Property
Value
Entry DN
cn="suffixName",cn=mapping tree,cn=config
Valid Range
Any valid LDAP URL.
Default Value
Defined by the Replication Agreement.
Syntax
DirectoryString
Example
nsslapd-referral: ldap://myServer.example.com:389
nsslapd-state
Determines how the suffix handles operations.
Property
Value
Entry DN
cn="suffixName",cn=mapping tree,cn=config
Valid Range
Backend = the backend (database) is used to process all operations.
Disabled = the database is not available for processing operations. The server returns a “No such search object” error in response to requests made by client applications.
Referral = a referral is returned for requests made to this suffix.
Referral on update = the database is used for all operations except update requests, which receive a referral.
Default Value
backend
Syntax
DirectoryString
Example
nsslapd-state: backend
Replication Attributes Under cn=replica, cn="suffixName",cn=mapping tree,cn=config
Replication configuration attributes are stored under
cn=replica,cn="suffixName",cn=mapping tree,cn=config.
The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication configuration attributes are presented in this section. For further information regarding replication, refer to Chapter 8, “Managing Replication” in the Directory Server Administration Guide.
cn
This attribute is used to name the replica. Once it has been set, it cannot be modified.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
Any valid suffix name.
Default Value
cn=replica
Syntax
DirectoryString
Example
cn: "cn=replica"
ds5BeginReplicaAcceptUpdates
Enables you to specify that the replica should accept client updates instead of referring them.
Property
Value
Entry DN
cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
stop | start
Default Value
N/A
Syntax
DirectoryString
Example
ds5BeginReplicaAcceptUpdates: start
ds5ReferralDelayAfterInit
Enables you to specify the delay after which a recently initialized replica will start accepting client updates instead of referring them.
Property
Value
Entry DN
cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 to any 64-bit integer (seconds)
Default Value
0 (infinite)
Syntax
DirectoryString
Example
ds5ReferralDelayAfterInit: 100
nsDS5Flags
This attribute enables you to specify replica properties you have previously defined in flags. At present only two flags exist. One enables you to specify whether changes are logged. The second enables you to overwrite automatic referrals.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
0 = no changes are logged and automatic referrals are not overwritten
1 = changes are logged and automatic referrals are not overwritten
4 = no changes are logged and automatic referrals are overwritten
5 = changes are logged and automatic referrals are overwritten
Default Value
0 (no changes are logged and automatic referrals are not overwritten)
Syntax
Integer
Example
nsDS5Flags: 0
nsDS5ReplicaBindDN
This multi-valued attribute specifies the DN to use when binding. The value can either be the DN of the local entry on the consumer server or, in the case of an SSL connection, the certificate identity associated with the same DN.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
Any valid DN.
Default Value
cn=replication manager, cn=replication,cn=config
Syntax
DirectoryString
Example
nsDS5ReplicaBindDN: cn=replication manager, cn=replication,cn=config
nsDS5ReplicaChangeCount (Replica Change Count)
This read-only attribute informs you of the total number of entries in the change log (whether they still remain to be replicated or not). The change log is purged according to settings for attributes described in nsslapd-changelogmaxage (Max Changelog Age) and nsslapd-changelogmaxentries (Max Changelog Records).
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
-1 to maximum 32-bit integer (2147483647)
Default Value
N/A
Syntax
Integer
Example
nsDS5ReplicaChangeCount: 675
nsDS5ReplicaId (Replica ID)
Specifies the unique ID for masters in a given replication environment. Consumer servers always have the same replica ID: 65535.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
1 to 65534
Default Value
N/A
Syntax
Integer
Example
nsDS5ReplicaId: 1
nsDS5ReplicaLegacyConsumer
If this attribute is absent or has a value of false, then the replica is not a legacy consumer.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
true | false
Default Value
false
Syntax
DirectoryString
Example
nsDS5ReplicaLegacyConsumer: false
nsDS5ReplicaName
This read-only attribute specifies the name of the replica with a unique identifier for internal operations. This unique identifier is allocated by the server when the replica is created. This attribute is for internal use only.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
N/A
Default Value
N/A
Syntax
DirectoryString (a UID identifies the replica)
Example
nsDS5ReplicaName: 66a2b699-1dd211b2-807fa9c3-a58714648
nsDS5ReplicaPurgeDelay
Specifies the maximum time period for keeping tombstone entries—entries that have been marked for deletion but not yet removed—and replication state information. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in your replication policy, to avoid incurring conflict resolution problems and server divergence.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
0 (keep forever) to maximum integer (2147483647)
Default Value
604800 (1 week : 60x60x24x7)
Syntax
Integer
Example
nsDS5ReplicaPurgeDelay: 604800
nsDS5ReplicaReferral
This multi-valued attribute specifies the user-defined referrals. This should be defined on a consumer only. User referrals are only returned when a client attempts to modify data on a read-only consumer.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
Any valid LDAP URL.
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5ReplicaReferral: ldap://ldap.aceindustry.com
nsDS5ReplicaRoot
Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated. It cannot be modified.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
Suffix of the database being replicated.
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5ReplicaRoot: "dc=example,dc=com"
nsDS5ReplicaTombstonePurgeInterval
Specifies the time interval in seconds between purge operation cycles. When setting this attribute, bear in mind that the purge operation is time consuming.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
0 to maximum integer (2147483647) in seconds
Default Value
3600 (1 hour)
Syntax
Integer
Example
nsDS5ReplicaTombstonePurgeInterval: 3600
nsDS5ReplicaType
Defines the type of replication relationship that exists between this replica and the others.
Property
Value
Entry DN
cn=replica,cn="suffixName",cn=mapping tree,cn=config
Valid Range
0 = unknown (do not use)
1 = primary (not yet used)
2 = consumer (read-only)
3 = consumer/supplier (updateable)
Default Value
N/A
Syntax
Integer
Example
nsDS5ReplicaType: 2
Replication Attributes Under cn=ReplicationAgreementName,cn=replica, cn="suffixName", cn=mapping tree,cn=config
The replication attributes that concern the replication agreement are stored under
cn=ReplicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config.
The cn=ReplicationAgreementName entry is an instance of the nsDS5ReplicationAgreement object class. For replication agreement configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication agreements are configured only on supplier replicas. The replication agreement configuration attributes are presented in this section.
cn
This attribute defines the replication agreement name. Once this attribute has been set it cannot be modified.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Any valid suffix name.
Default Value
cn=replica
Syntax
DirectoryString
Example
cn: "cn=ReplicationAgreement1"
description
Free form text description of the replication agreement. This attribute can be modified.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Any string.
Default Value
N/A
Syntax
DirectoryString
Example
description: Replication Agreement between Server A and Server B.
ds5AgreementEnable
Specifies whether a replication agreement is enabled or disabled.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
ds5agreementEnable: on
ds5ReplicaChangesSentDuringLastUpdate
This read-only attribute specifies the number of entries that were replicated in the last update session.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
N/A
Default Value
N/A
Syntax
Integer
Example
ds5ReplicaChangesSentDuringLastUpdate: 0
ds5ReplicaPendingChanges
This multi-valued, read-only attribute identifies the operations (ADD, DEL, MOD) not yet sent to the specified consumer, the DN of the entry affected, and the change sequence number (CSN).
The attribute must be specifically requested in an ldapsearch operation. If the ds5agreementEnable attribute is set to off, the value of this attribute has no meaning.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
N/A.
Default Value
N/A
Syntax
DirectoryString
Example
ds5ReplicaPendingChanges: DEL DNOfEntryToDelete CSN
ds5ReplicaPendingChanges: ADD DNOfEntryToAdd CSN
ds5ReplicaPendingChangesCount
This read-only attribute provides the number of changes not yet sent to the specified consumer. The attribute must be specifically requested in an ldapsearch operation. If the ds5agreementEnable attribute is set to off, the value of this attribute has no meaning.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
N/A
Default Value
N/A
Syntax
Integer
Example
ds5ReplicaPendingChangesCount: 2
ds5ReplicaTransportCompressionLevel
This attribute specifies the level of compression used in transporting updates to a consumer.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0-3
0 = No compression
1 = Default Zlib compression (Zlib numeric value = -1)
2 = Best speed (Zlib numeric value = 1)
3 = Best compression (Zlib numeric value = 9)
Default Value
0
Syntax
Integer
Example
ds5ReplicaTransportCompressionLevel: 0
ds5ReplicaTransportGroupSize
The number of updates (for an incremental update) or entries (for a total update) that the supplier will group together before sending the changes to the consumer.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 to 100
Default Value
1
Syntax
Integer
Example
ds5ReplicaTransportGroupSize: 1
ds5ReplicaTransportWindowSize
The number of updates (for an incremental update) or entries (for a total update) that the supplier will send before waiting for a reply from the consumer.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
1 to 1000
Default Value
10
Syntax
Integer
Example
ds5ReplicaTransportWindowSize: 10
dsFilterSPConfigchecksum
The checksum for partial replication configuration.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config (on supplier replica)
cn=replica,cn="suffixName",cn=mapping tree,cn=config (on consumer replica)
Valid Range
This attribute is for internal use and must not be modified.
Default Value
N/A
Syntax
DirectoryString
nsDS5BeginReplicaRefresh
Allows you to initialize a replica. This attribute is absent by default. However, if you add this attribute with a value of start, the server reinitializes the replica and removes the attribute value.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
stop | start
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5BeginReplicaRefresh: start
nsDS5ReplicaBindDN
Specifies the DN to use when binding. The value of this attribute must be the same as the one in cn=replica on the consumer replica. A default DN of "cn=replication manager" is created when you set up a replication agreement. This can be modified. This attribute may be empty if certificate-based authentication is used.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Any valid DN.
Default Value
cn=replication manager,cn=replication,cn=config
Syntax
DirectoryString
Example
nsDS5ReplicaBindDN: cn=replication manager, cn=replication,cn=config
nsDS5ReplicaBindMethod
Specifies the method to use for binding. This attribute can be modified. SIMPLE binds, for example, require a DN and password.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
SIMPLE or SSLCLIENTAUTH
Default Value
SIMPLE
Syntax
DirectoryString
Example
nsDS5ReplicaBindMethod: SIMPLE
nsDS5ReplicaChangesSentSinceStartup
This read-only attribute provides you with the number of changes sent to this replica since the server started.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 to maximum 32-bit integer (2147483647)
Default Value
N/A
Syntax
Integer
Example
nsDS5ReplicaChangesSentSinceStartup: 647
nsDS5ReplicaCredentials
Specifies the credentials for the bind DN (specified in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value for this attribute can be modified. When certificate-based authentication is used, this attribute may not have a value. The example below shows the encrypted password you can view as the result of a search, given the appropriate access to the entry.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Any valid password; it is encrypted using the DES reversible password encryption scheme.
Default Value
N/A
Syntax
DirectoryString {DES} encrypted_password
Example
nsDS5ReplicaCredentials: {DES} 9Eko69APCJfFReplica
nsDS5ReplicaHost
Specifies the hostname for the remote server containing the consumer replica. Once this attribute has been set it cannot be modified.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Any valid host server name.
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5ReplicaHost: MyServer
nsDS5ReplicaLastInitEnd
This optional, read-only attribute states when the initialization of the consumer replica ended.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
N/A
Default Value
N/A
Syntax
GeneralizedTime
Example
nsDS5ReplicaLastInitEnd: YYYYMMDDhhmmssZ (19711223113229)
nsDS5ReplicaLastInitStart
This optional, read-only attribute states when the initialization of the consumer replica started.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
N/A
Default Value
N/A
Syntax
GeneralizedTime
Example
nsDS5ReplicaLastInitStart: YYYYMMDDhhmmssZ (20000902160000)
nsDS5ReplicaLastInitStatus
This optional, read-only attribute provides status for the initialization of the consumer.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 (Consumer Initialization Succeeded) followed by any other status message.
Default Value
N/A
Syntax
String
Example
nsDS5ReplicaLastInitStatus: 0 Consumer Initialization Succeeded
nsDS5ReplicaLastUpdateEnd
This read-only attribute states when the most recent replication schedule update ended.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 (Consumer Initialization succeeded.)
Default Value
N/A
Syntax
GeneralizedTime
Example
nsDS5ReplicaLastUpdateEnd: YYYYMMDDhhmmssZ (20000902160000)
nsDS5ReplicaLastUpdateStart
This read-only attribute states when the most recent replication schedule update started.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
N/A
Default Value
N/A
Syntax
GeneralizedTime
Example
nsDS5ReplicaLastUpdateStart: YYYYMMDDhhmmssZ (20000902160000)
nsDS5ReplicaLastUpdateStatus
This read-only attribute provides the status for the most recent replication schedule updates.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 (no replication sessions started) followed by any other error or status message.
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5ReplicaLastUpdateStatus: 0 replica acquired successfully
nsDS5ReplicaPort
Specifies the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Port number for the remote server containing the replica.
Default Value
N/A
Syntax
Integer
Example
nsDS5ReplicaPort: 389
nsDS5ReplicaRoot
Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated. It cannot be modified.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Suffix of the database being replicated.
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5ReplicaRoot: "dc=example,dc=com"
nsDS5ReplicaTimeout
This attribute specifies the number of seconds that outbound LDAP operations will wait for a response from the remote replica before timing out and failing. If you see "Warning: timed out waiting" messages in the error log file, increase the value of this attribute.
You can find out how long the operation actually took by examining the access log on the remote machine, and then set the nsDS5ReplicaTimeout attribute accordingly to optimize performance.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
0 to maximum integer value (2147483647) in seconds
Default Value
600
Syntax
Integer
Example
nsDS5ReplicaTimeout: 600
nsDS5ReplicaTransportInfo
Specifies the type of transport used for transporting data to and from the replica. The attribute values can either be SSL, which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used. If this attribute is absent, regular LDAP connections are used. This attribute cannot be modified once set.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
SSL | LDAP
Default Value
LDAP
Syntax
DirectoryString
Example
nsDS5ReplicaTransportInfo: LDAP
nsDS5ReplicaUpdateInProgress
This read-only attribute states whether or not a replication schedule update is in progress.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
true | false
Default Value
N/A
Syntax
DirectoryString
Example
nsDS5ReplicaUpdateInProgress: true
nsDS5ReplicaUpdateSchedule
This multi-valued attribute specifies the replication schedule. It can be modified.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Time schedule presented as XXXX-YYYY 0123456 where XXXX is the starting hour, YYYY is the finishing hour and the numbers 0123456 are the days of the week, starting with Sunday.
If you want to configure a time that runs through midnight, you must configure replication to stop at 2359, then start at 0000 the next day.
Default Value
0000-2359 0123456 (all the time)
Syntax
Integer
Example
nsDS5ReplicaUpdateSchedule: 0000-2359 0123456
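As an added example (not code from the Sun manual), the following parses nsDS5ReplicaUpdateSchedule values in the HHMM-HHMM days form described above, checks whether a given weekday and time fall inside the schedule, and produces the two values required for a window that runs through midnight. The function and variable names are this example's own.

```python
import re

# Added example: parse and evaluate nsDS5ReplicaUpdateSchedule values of the
# form "HHMM-HHMM days", where the days are digits 0-6 starting with Sunday.
SCHEDULE_RE = re.compile(r"^(\d{4})-(\d{4}) ([0-6]{1,7})$")


def _hhmm_to_minutes(hhmm):
    """Convert 'HHMM' to minutes since midnight, rejecting values such as 2460."""
    hh, mm = int(hhmm[:2]), int(hhmm[2:])
    if not (0 <= hh <= 23 and 0 <= mm <= 59):
        raise ValueError("invalid HHMM value: %s" % hhmm)
    return hh * 60 + mm


def parse_schedule(value):
    """Return (start_minute, end_minute, days) for one schedule value.

    A window whose end is earlier than its start would run through midnight;
    the manual says such a window must be split into two values, so it is
    rejected here rather than silently interpreted.
    """
    m = SCHEDULE_RE.match(value.strip())
    if not m:
        raise ValueError("not a HHMM-HHMM days schedule: %r" % value)
    start = _hhmm_to_minutes(m.group(1))
    end = _hhmm_to_minutes(m.group(2))
    if end < start:
        raise ValueError("window runs through midnight; split it into "
                         "'HHMM-2359 days' and '0000-HHMM next-days'")
    return start, end, frozenset(int(d) for d in m.group(3))


def is_valid_schedule(value):
    """True if the value would be accepted by parse_schedule."""
    try:
        parse_schedule(value)
        return True
    except ValueError:
        return False


def replication_allowed(values, weekday, hhmm):
    """Check whether any of the (multi-valued) schedule values covers the
    given moment. weekday uses the attribute's convention: 0 = Sunday."""
    minute = _hhmm_to_minutes(hhmm)
    for value in values:
        start, end, days = parse_schedule(value)
        if weekday in days and start <= minute <= end:
            return True
    return False


def split_overnight(start_hhmm, end_hhmm, days):
    """Express a window that crosses midnight as the two values the manual
    requires: one ending at 2359 on the given days, one starting at 0000 on
    the following days."""
    next_days = "".join(str((int(d) + 1) % 7) for d in days)
    return ["%s-2359 %s" % (start_hhmm, days),
            "0000-%s %s" % (end_hhmm, next_days)]
```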
nsDS50ruv
This attribute is responsible for managing the internal state of the replica via the replication update vector. It is always present and must not be changed.
ds5PartialReplConfiguration
Specifies the partial replication configuration entry point for the Replication Agreement. The value of this attribute is the value part of the RDN of the entry, which stores the filtering information required by the partial replication module. Such entries are under the cn=sets, cn=filtering service,cn=features,cn=config entry.
Property
Value
Entry DN
cn=ReplicationAgreementName,cn=replica,cn="suffixName", cn=mapping tree,cn=config
Valid Range
Any string
Default Value
None
Syntax
DirectoryString
Example
ds5PartialReplConfiguration: include_people_cn
Note
The example provided references an entry with DN cn=include_people_cn,cn=sets, cn=filtering service,cn=features,cn=config, and having attributes such as dsFilterSPConfigDefinition, dsFilterSPFractionAttr, dsFilterSPType.
cn=Password Policy
Configurable password policy attributes are stored under cn=Password Policy,cn=config. For a description of the operational or state attributes related to password policy, refer to Chapter 11, "Operational Attributes."
Configurable password attributes fall into one of the following categories:
Password Policy Attributes
The following attributes determine the password policy.
passwordChange (Password Change)
Indicates whether users may change their passwords. If this attribute is not present, a value of on is assumed (users can change their passwords).
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
passwordChange: on
passwordCheckSyntax (Check Password Syntax)
Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets the password minimum length requirement and that the string does not contain any “trivial” words, such as the user’s name or user ID or any attribute value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user’s directory entry.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
passwordCheckSyntax: off
passwordExp (Password Expiration)
Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. If password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge attribute.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
passwordExp: on
passwordExpireWithoutWarning (Password Expire Without Warning)
Indicates whether a password can expire regardless of whether the user was warned about the expiration date.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
passwordExpireWithoutWarning: on
passwordInHistory (Number of Passwords to Remember)
Indicates the number of passwords Directory Server stores in history. Passwords that are stored in history cannot be reused by users. The password history feature is disabled by default (the passwordInHistory attribute has a value of 0). This implies that Directory Server does not store any old passwords and users can reuse passwords.
To prevent users from rapidly cycling through a number of passwords, use the passwordMinAge attribute.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
0 to 24 passwords
Default Value
0
Syntax
Integer
Example
passwordInHistory: 6
passwordMaxAge (Password Maximum Age)
Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value
8640000 (100 days)
Syntax
Integer
Example
passwordMaxAge: 100
passwordMinAge (Password Minimum Age)
Specifies the number of seconds that must elapse between password modifications. Use this attribute in conjunction with the passwordInHistory attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
0 to 2147472000 seconds (24,855 days)
Default Value
0
Syntax
Integer
Example
passwordMinAge: 86400
passwordMinLength (Password Minimum Length)
Specifies the minimum number of characters that must be used in a password. Syntax checking is performed against this attribute, if the passwordCheckSyntax attribute is set to on.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
2 to 512 characters
Default Value
6
Syntax
Integer
Example
passwordMinLength: 6
passwordMustChange (Password Must Change)
Indicates whether users must change their passwords when they first bind to Directory Server, or when the password has been reset by the administrator. If this attribute is set to on, users are required to change their passwords.
For users to be able to change their passwords, the passwordChange attribute must also be set to on.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
passwordMustChange: off
passwordRootDNMayBypassModsChecks
Allows the root DN to modify passwords, even if the modification violates the password policy.
When this attribute is set to on, the Directory Manager can make modifications to passwords that violate the password policy. This allows exceptions to the password policy, and can be used, for example, in the case of applications that reset passwords to the same default value. If the Directory Manager changes a password and the server detects that the new password violates the minimum length or the password history, a warning is logged, but the modification proceeds.
This attribute is set to off by default, which means that the server rejects password modifications by the Directory Manager if they violate the password policy.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
passwordRootdnMayBypassModsChecks: off
passwordStorageScheme (Password Storage Scheme)
Specifies the algorithm used to encrypt Directory Server passwords. The default password storage scheme is the Salted Secure Hash Algorithm (SSHA).
The following encryption types are supported by Directory Server 5.2:
If this attribute is set to CLEAR, passwords are not encrypted and appear in plain text.
You can modify how Directory Server stores password attributes by writing your own password storage scheme plug-in. For more information refer to Chapter 11, "Writing Password Storage Scheme Plug-Ins" in the Directory Server Plug-In Developer’s Guide.
Note
You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for backward compatibility.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid range
Any of the following password storage schema: SSHA|SHA|CRYPT|CLEAR
Default value
SSHA
Syntax
DirectoryString
Example
passwordStorageScheme: SSHA
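As an added example (not code from the Sun manual), the following builds and verifies userPassword values in the {SSHA} and {SHA} forms and flags entries stored with a scheme this section warns about: CLEAR (plain text) and NS-MTA-MD5 (kept only for backward compatibility). It assumes {SSHA} is base64(sha1(password + salt) + salt); the 8-byte salt length, the helper names and the sample entries are this example's own.

```python
import base64
import hashlib
import hmac
import os

# Added example: {SSHA} is assumed to be base64(sha1(password + salt) + salt);
# the 8-byte salt is this example's choice, not a requirement of the format.
DIGEST_LEN = 20  # SHA-1 digest size in bytes


def ssha_hash(password, salt=None):
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def sha_hash(password):
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def _split(stored):
    """Return (scheme, body); a value without a {scheme} prefix is clear text."""
    if stored.startswith("{") and "}" in stored:
        end = stored.index("}")
        return stored[1:end].upper(), stored[end + 1:]
    return "CLEAR", stored


def scheme_of(stored):
    return _split(stored)[0]


def verify_password(stored, password):
    scheme, body = _split(stored)
    if scheme == "SSHA":
        raw = base64.b64decode(body)
        digest, salt = raw[:DIGEST_LEN], raw[DIGEST_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        return hmac.compare_digest(candidate, digest)
    if scheme == "SHA":
        candidate = hashlib.sha1(password.encode("utf-8")).digest()
        return hmac.compare_digest(candidate, base64.b64decode(body))
    if scheme == "CLEAR":
        return hmac.compare_digest(body.encode("utf-8"), password.encode("utf-8"))
    raise ValueError("scheme not handled in this example: " + scheme)


# Schemes the manual describes as plain text or compatibility-only.
WEAK_SCHEMES = {"CLEAR", "NS-MTA-MD5"}


def audit_password_schemes(entries):
    """entries: iterable of (dn, userPassword). Returns the DNs whose stored
    password uses a scheme from WEAK_SCHEMES, for follow-up by an administrator."""
    return [dn for dn, stored in entries if scheme_of(stored) in WEAK_SCHEMES]


# Constructed sample entries (not real data); the NS-MTA-MD5 value is a placeholder.
SAMPLE_ENTRIES = [
    ("uid=alice,ou=People,dc=example,dc=com", ssha_hash("correct horse", b"saltsalt")),
    ("uid=bob,ou=People,dc=example,dc=com", "{CLEAR}hunter2"),
    ("uid=carol,ou=People,dc=example,dc=com", sha_hash("pa55word")),
    ("uid=dave,ou=People,dc=example,dc=com", "{NS-MTA-MD5}PLACEHOLDER"),
]

if __name__ == "__main__":
    print(audit_password_schemes(SAMPLE_ENTRIES))
```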
passwordWarning (Send Warning)
Specifies the number of seconds before a user's password expires at which a warning is returned in response to a client bind request. The client receives the password expiration warning when it attempts to authenticate to the directory. Depending on the LDAP client, the user may also be prompted to change the password at the time the warning is returned.
Note
Directory Server does not send the warning to the end user, but instead returns a warning to the client application performing the bind. In other words, end users do not automatically receive email or other notification as a result of passwordWarning being set to on in the directory.
As the end user probably needs to take action when a warning is received, make sure the warning received by the client application is appropriately delivered to the end user.
If this attribute is not present, or if the value of the attribute is 0, no warning messages are sent. For password expiration to be enabled, the passwordExp attribute must be set to on.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value
86400 (1 day)
Syntax
Integer
Example
passwordWarning: 86400
Account Lockout Attributes
The following attributes determine the account lockout policy.
passwordLockout (Account Lockout)
Enables the account lockout mechanism. If this attribute is set to on, users will be locked out of the directory (for the length of time specified in the passwordLockoutDuration attribute) once the maximum number of consecutive failed bind attempts has been reached. That maximum is specified by the passwordMaxFailure attribute.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
passwordLockout: off
passwordLockoutDuration (Lockout Duration)
If the account lockout feature is enabled (passwordLockout is set to on), this attribute specifies the length of time (in seconds) during which users will be locked out of the directory. The account is locked when the maximum number of consecutive failed bind attempts (specified by passwordMaxFailure) has been reached.
If this attribute is not present, or if it is set to 0, the account will remain locked until it is reset by the administrator.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value
3600
Syntax
Integer
Example
passwordLockoutDuration: 3600
passwordMaxFailure (Maximum Password Failures)
If the account lockout feature is enabled (passwordLockout is set to on), this attribute specifies the number of consecutive failed bind attempts after which a user will be locked out of the directory. Each time an invalid password is sent from the user’s account, the password failure counter is incremented. The value of this counter is stored in the operational attribute, passwordRetryCount.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
1 to 32767
Default Value
3
Syntax
Integer
Example
passwordMaxFailure: 3
passwordResetFailureCount (Reset Password Failure Counter)
Each time an invalid password is sent from the user’s account, the password failure counter is incremented. The value of this counter is stored in the operational attribute, passwordRetryCount. This attribute specifies the length of time (in seconds) after which passwordRetryCount is reset to 0 (even if no successful authentication occurs).
If passwordResetFailureCount is set to 0, the failure counter is reset only when a successful bind occurs.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
1 to the maximum 32 bit integer value (2147483647) in seconds
Default Value
600
Syntax
Integer
Example
passwordResetFailureCount: 600
passwordUnlock (Unlock Account)
If the account lockout mechanism is enabled (passwordLockout is set to on), this attribute specifies whether user accounts will be unlocked after a period of time. The period of time is specified in the passwordLockoutDuration attribute.
If passwordUnlock is set to on and the value of the passwordMaxFailure attribute has been reached, the account will be unlocked after the number of seconds specified in the passwordLockoutDuration attribute. However, if passwordUnlock is set to off, and the value of the passwordMaxFailure attribute has been reached, the account will remain locked until the administrator resets it.
For more information on password policies, refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=Password Policy,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
passwordUnlock: off
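As an added example (not code from the Sun manual), the following models how the account lockout attributes in this section interact (passwordLockout, passwordMaxFailure, passwordResetFailureCount, passwordLockoutDuration and passwordUnlock) by replaying a constructed sequence of bind attempts. The state field names and the reading that the reset window is measured from the most recent failure are this example's assumptions.

```python
# Added example: a simplified model of the account lockout attributes, run over
# constructed bind events. State names such as retry_count and unlock_at are
# this example's own, not the server's operational attributes.

def _on(value):
    return str(value).lower() == "on"


def simulate_lockout(policy, events):
    """policy: dict of cn=Password Policy attribute values with their documented
    semantics. events: list of (seconds, password_correct) bind attempts in time
    order. Returns the per-attempt outcome ('ok', 'failed' or 'locked') and the
    final state."""
    lockout_on = _on(policy.get("passwordLockout", "off"))
    max_failure = int(policy.get("passwordMaxFailure", 3))
    reset_after = int(policy.get("passwordResetFailureCount", 600))
    duration = int(policy.get("passwordLockoutDuration", 3600))
    unlock_on = _on(policy.get("passwordUnlock", "on"))

    state = {"retry_count": 0, "reset_at": None, "locked": False, "unlock_at": None}
    outcomes = []
    for now, correct in events:
        # A locked account is released only when passwordUnlock is on and the
        # passwordLockoutDuration has elapsed; otherwise it waits for an admin reset.
        if state["locked"]:
            if unlock_on and state["unlock_at"] is not None and now >= state["unlock_at"]:
                state.update(locked=False, unlock_at=None, retry_count=0, reset_at=None)
            else:
                outcomes.append("locked")
                continue
        # passwordResetFailureCount: the counter goes back to 0 after that many
        # seconds even without a successful bind (0 = reset only on success).
        if state["reset_at"] is not None and now >= state["reset_at"]:
            state.update(retry_count=0, reset_at=None)
        if correct:
            state.update(retry_count=0, reset_at=None)
            outcomes.append("ok")
            continue
        state["retry_count"] += 1
        if reset_after > 0:
            # Assumption of this example: the window restarts at each failure.
            state["reset_at"] = now + reset_after
        outcomes.append("failed")
        if lockout_on and state["retry_count"] >= max_failure:
            state["locked"] = True
            # A duration of 0 means locked until the administrator resets it.
            state["unlock_at"] = now + duration if duration > 0 else None
    return outcomes, state


# Constructed scenario: three bad passwords in 20 seconds, then the right one
# immediately and again after the lockout duration has passed.
EXAMPLE_POLICY = {"passwordLockout": "on", "passwordMaxFailure": 3,
                  "passwordResetFailureCount": 600, "passwordLockoutDuration": 3600,
                  "passwordUnlock": "on"}
EXAMPLE_EVENTS = [(0, False), (10, False), (20, False), (30, True), (3700, True)]

if __name__ == "__main__":
    print(simulate_lockout(EXAMPLE_POLICY, EXAMPLE_EVENTS))
```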
cn=replication
A default replication bind DN (cn=replication manager) is created when you set up a replication agreement. This can be modified.
When configuring legacy replication, configuration attributes are stored under this cn=replication,cn=config node, which serves as a placeholder.
cn=SNMP
SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class. For SNMP configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. SNMP configuration attributes are presented in this section.
nssnmpenabled
Specifies whether SNMP is enabled or not.
Property
Value
Entry DN
cn=SNMP,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nssnmpenabled: off
nssnmporganization
Specifies the organization to which Directory Server belongs.
Property
Value
Entry DN
cn=SNMP,cn=config
Valid Range
Organization name
Default Value
N/A
Syntax
DirectoryString
Example
nssnmporganization: Sun Java System
nssnmplocation
Specifies the location within the company or organization where Directory Server resides.
Property
Value
Entry DN
cn=SNMP,cn=config
Valid Range
Location
Default Value
N/A
Syntax
DirectoryString
Example
nssnmplocation: B14
nssnmpcontact
Specifies the E-mail address of the person responsible for maintaining Directory Server.
Property
Value
Entry DN
cn=SNMP,cn=config
Valid Range
Contact E-mail address
Default Value
N/A
Syntax
DirectoryString
Example
nssnmpcontact: ITdept@example.com
nssnmpdescription
Provides a unique description of the Directory Server instance.
Entry DN: cn=SNMP,cn=config
Valid Range: Description
Default Value: N/A
Syntax: DirectoryString
Example: nssnmpdescription: Employee directory instance
nssnmpmasterhost
This required attribute specifies the hostname of the machine on which the master agent is installed.
Entry DN: cn=SNMP,cn=config
Valid Range: Machine hostname or local host.
Default Value: localhost
Syntax: DirectoryString
Example: nssnmpmasterhost: localhost
nssnmpmasterport
Specifies the port number used to communicate with the master agent.
Entry DN: cn=SNMP,cn=config
Valid Range: Operating System dependent port number. Refer to your Operating System documentation for further information.
Default Value: 199
Syntax: Integer
Example: nssnmpmasterport: 199
cn=tasks
No specific configuration attributes.
cn=uniqueid generator
The uniqueid generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class. For uniqueid generator configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Uniqueid generator configuration attributes are presented in this section.
nsState
This attribute stores information on the state of the clock. It is intended for internal use only, to ensure that the server cannot generate a change sequence number (CSN) lower than existing ones, which is required for detecting backward clock errors. Do not edit this attribute.
Entry DN: cn=uniqueid generator,cn=config
Valid Range: N/A
Default Value: N/A
Syntax: DirectoryString
Example: nsstate:AbId0c3oMIDUntiLCyYNGgAAAAAAAAAA
Monitoring Attributes
Read-only monitoring information is stored under the cn=monitor entry.
cn=monitor
The cn=monitor entry is an instance of the extensibleObject object class. For cn=monitor configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. The cn=monitor read-only attributes are presented in this section.
backendMonitorDN
DN for each Directory Server backend.
For further database monitoring information, refer to Database Monitoring Attributes, Database Performance Attributes, Database Monitoring Attributes Under cn=NetscapeRoot, and Chained Suffix Monitoring Attributes.
bytesSent
Number of bytes sent by Directory Server.
cache-avail-bytes
The number of bytes available for caching.
connection
List of open connections given in the following format:
connection=31:20010201164808Z:45:45::cn=directory manager:LDAP
where 31 is the connection number, 20010201164808Z is the date the connection was opened, 45 is the number of operations received, 45 is the number of completed operations, and cn=directory manager is the bind DN.
connectionPeak
Maximum number of simultaneous connections since server startup.
currentConnections
Number of current Directory Server connections.
currentTime
Current time usually given in Greenwich Mean Time (indicated by GeneralizedTime syntax Z notation, for example 20010202131102Z).
dTableSize
Size of the Directory Server descriptor table.
entriesSent
Number of entries sent by Directory Server.
nbackEnds
Number of Directory Server backends.
opsCompleted
Number of Directory Server operations completed.
opsInitiated
Number of Directory Server operations initiated.
request-que-backlog
The number of requests waiting to be processed by a thread. Each request received by the server is accepted, then placed in a queue until a thread is available to process it. The queue backlog should always be small (0 or close to 0). If the queue backlog is large, use the nsslapd-threadnumber attribute to increase the number of threads available in the server.
readWaiters
Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
startTime
Directory Server start time.
threads
Number of operation threads Directory Server creates during startup. This attribute can be set using the nsslapd-threadnumber (Thread Number) attribute under cn=config. The nsslapd-threadnumber attribute is not present in the dse.ldif file by default, but can be added.
totalConnections
Total number of Directory Server connections.
version
Directory Server version and build number.
cn=disk,cn=monitor
The cn=disk entry enables you to monitor disk conditions over LDAP. This entry is an instance of the extensibleObject object class. A cn=disknumber,cn=disk,cn=monitor entry exists for each disk. The following disk monitoring attributes appear under each of these individual disk entries.
disk-dir
Specifies the pathname of a directory used by the server on disk. Where several database instances reside on the same disk or an instance refers to several directories on the same disk, the short pathname is displayed. The disk numbering is arbitrary.
disk-free
Indicates the amount of free disk space available to the server, in MB.
Note
The disk space available to the server process may be less than the total free disk space. For example, on some platforms a process that is not running as superuser may not have all the free disk space available to it.
disk-state
Indicates the state of the disk, based on the available free space and on the thresholds set for disk low and disk full (with the configuration parameters nsslapd-disk-low-threshold and nsslapd-disk-full-threshold). Possible values are normal, low, and full.
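A monitoring script that consumes the cn=monitor and cn=disk,cn=monitor attributes described above and turns the conditions the reference tells you to watch (a growing request-que-backlog, connections with unfinished operations, disk-state low or full) into warnings. It is an added example, not part of Directory Server or this reference. SAMPLE is a constructed search result in the shape (dn, {attribute: [values]}) that a decoded LDAP search returns; the thresholds, and reading an empty bind DN in a connection value as an anonymous connection, are assumptions of the example.

```python
"""Health checks over the cn=monitor and cn=disk,cn=monitor attributes.

Added example, not part of Directory Server or this reference. SAMPLE is a
constructed search result in the shape (dn, {attribute: [values]}) that a
decoded LDAP search returns; the thresholds are assumptions of this example.
"""
from datetime import datetime, timezone

SAMPLE = [
    ("cn=monitor", {
        "currentconnections": ["3"],
        "request-que-backlog": ["4"],   # the reference says this should stay near 0
        "readwaiters": ["1"],
        "connection": [
            "31:20010201164808Z:45:45::cn=directory manager:LDAP",
            "32:20010201164900Z:10:7::uid=app,ou=services,dc=example,dc=com:LDAP",
            "33:20010201165015Z:2:2:::LDAP",   # empty bind DN: treated as anonymous (assumption)
        ],
    }),
    ("cn=disk0,cn=disk,cn=monitor",
     {"disk-dir": ["/var/ds/db"], "disk-free": ["120"], "disk-state": ["low"]}),
    ("cn=disk1,cn=disk,cn=monitor",
     {"disk-dir": ["/var/ds/logs"], "disk-free": ["9000"], "disk-state": ["normal"]}),
]


def parse_connection(value):
    """Decode 'number:opened:received:completed::bindDN:protocol'.

    The protocol is split off from the right so that a bind DN containing
    ':' characters is still recovered intact.
    """
    number, opened, received, completed, _unused, rest = value.split(":", 5)
    bind_dn, _, protocol = rest.rpartition(":")
    return {
        "number": int(number),
        "opened": datetime.strptime(opened, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc),
        "received": int(received),
        "completed": int(completed),
        "bind_dn": bind_dn,
        "protocol": protocol,
    }


def health_report(entries, max_backlog=2):
    """Return warning strings derived from a cn=monitor search result."""
    warnings = []
    for dn, attrs in entries:
        if dn.lower() == "cn=monitor":
            backlog = int(attrs.get("request-que-backlog", ["0"])[0])
            if backlog > max_backlog:
                warnings.append(
                    f"request-que-backlog={backlog}: consider raising nsslapd-threadnumber")
            for conn in map(parse_connection, attrs.get("connection", [])):
                pending = conn["received"] - conn["completed"]
                if pending > 0:
                    who = conn["bind_dn"] or "anonymous"
                    warnings.append(
                        f"connection {conn['number']} ({who}) has {pending} pending operations")
        elif dn.lower().endswith(",cn=disk,cn=monitor"):
            state = attrs.get("disk-state", ["normal"])[0].lower()
            if state in ("low", "full"):
                warnings.append(
                    f"{attrs['disk-dir'][0]}: disk-state={state}, {attrs['disk-free'][0]} MB free")
    return warnings
```

Pending operations per connection are derived from the received and completed counts in each connection value, which is the same arithmetic the reference describes for the connection attribute format.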
cn=counters,cn=monitor
This entry holds counter information for the various subtree entry counter plug-ins, if they are enabled. For more information on these plug-ins, refer to Subtree Entry Counter Plug-Ins.
cn=monitor,cn=Class of Service,cn=plugins,cn=config
This entry holds counters related to the Class of Service plug-in. This entry is an instance of the extensibleObject object class.
Refer to Class of Service Plug-In for details on configuration of that plug-in itself.
classicHashAvgClashListLength
When the CoS plug-in uses the hash table for fast lookup, if more than one classic CoS template corresponds to the hash key used, the plug-in next checks for matches in what is called the clash list, a list of templates sharing an identical hash key. The value of this attribute provides the average length across all hash tables of classic CoS template clash lists, giving some indication of how much linear searching the plug-in must perform after using the hash table during fast lookup.
classicHashAvgClashPercentagePerHash
The average number of clashes per hash table. That is, the average percentage per hash of classic CoS templates sharing an identical hash key.
classicHashMemUsage
The memory overhead in bytes to hold hash tables for fast classic CoS template lookups.
classicHashValuesMemUsage
The memory in bytes used to hold hash values for fast classic CoS template lookups.
numClassicDefinitions
The number of classic CoS definition entries in use.
numClassicHashTables
The number of hash tables created for fast lookup where more than 10 classic CoS templates apply for a single CoS definition. Hash tables are not created for smaller lists of templates.
numClassicTemplates
The number of classic CoS template entries in use.
numCoSAttributeTypes
The number of distinct attributes with values calculated through CoS.
numIndirectDefinitions
The number of indirect CoS definition entries in use.
numPointerDefinitions
The number of pointer CoS definition entries in use.
numPointerTemplates
The number of pointer CoS template entries in use.
cn=snmp,cn=monitor
The cn=snmp entry enables you to monitor Directory Server access, operations, and errors. This entry is an instance of the extensibleObject object class.
addentryops
The number of add operations serviced by this directory since server startup.
anonymousbinds
The number of anonymous binds to the directory since server startup.
bindsecurityerrors
The number of bind requests that have been rejected by the directory due to authentication failures or invalid credentials since server startup.
bytesrecv
The number of bytes received by this directory since server startup.
bytessent
The number of bytes sent to clients by this directory since server startup.
cacheentries
The number of entries cached in the directory. This number remains 0 when the Directory Server instance is handling multiple backends.
cachehits
The number of operations serviced from the locally held cache since application startup. This number remains 0 when the Directory Server instance is handling multiple backends.
chainings
The number of chaining operations returned by this directory in response to client requests since server startup.
compareops
The number of compare operations serviced by this directory since server startup.
connections
The number of current open connections.
connectionseq
The number of connections handled by the directory since server startup.
copyentries
The number of directory entries for which this directory contains a consumer copy. The value of this object will always be 0 (as no updates are currently performed).
entriesreturned
The number of entries returned by this directory in response to client requests since server startup.
errors
The number of requests that could not be serviced due to errors (other than security or referral errors). Errors include name errors, update errors, attribute errors, and service errors. Partially serviced requests are not counted as errors.
inops
The number of operations forwarded to this directory from another directory since server startup.
listops
The number of list operations serviced by this directory since server startup. The value of this object will always be 0 because LDAP implements list operations indirectly via the search operation.
masterentries
The number of directory entries for which this directory contains the master entry. The value of this object will always be 0 (as no updates are currently performed).
modifyentryops
The number of modify operations serviced by this directory since server startup.
modifyrdnops
The number of modify RDN operations serviced by this directory since server startup.
onelevelsearchops
The number of one-level search operations serviced by this directory since server startup.
readops
The number of read operations serviced by this directory since application start. The value of this object will always be 0 because LDAP implements read operations indirectly via the search operation.
referrals
The number of referrals returned by this directory in response to client requests since server startup.
referralsreturned
The number of referrals returned by this directory in response to client requests since server startup.
removeentryops
The number of delete operations serviced by this directory since server startup.
searchops
The total number of search operations serviced by this directory since server startup.
securityerrors
The number of operations forwarded to this directory that did not meet security requirements.
simpleauthbinds
The number of binds to the directory that were established using a simple authentication method (such as password protection) since server startup.
slavehits
The number of operations that were serviced from locally held replications (shadow entries). The value of this object will always be 0.
strongauthbinds
The number of binds to the directory that were established using a strong authentication method (such as SSL or an SASL mechanism like Kerberos) since server startup.
unauthbinds
The number of unauthenticated binds to the directory since server startup.
wholesubtreesearchops
The number of whole subtree search operations serviced by this directory since server startup.
SNMP Monitoring Objects and Interactions
In addition to the attributes on cn=snmp,cn=monitor, Directory Server supports managed objects related to the interactions between the monitored server and its peer servers. Table 2-7 covers these.
Table 2-7 Interactions Table of Supported SNMP Managed Objects
Managed Object
Description
dsTimeOfCreation
The value of system “up” time when the entry containing interaction details of (attempted) interaction between the Directory Server and a peer Directory Server was created. If the entry was created before the management network subsystem was initialized, this object will contain a value of zero.
dsTimeOfLastAttempt
The value of system “up” time when the last attempt was made to contact this Directory Server. If the last attempt was made before the network management subsystem was initialized, this object will contain a value of zero.
dsTimeOfLastSuccess
The value of system “up” time when the last attempt made to contact this Directory Server was successful. If none of the attempts have been successful, this object will have a value of zero. If the last successful attempt was made before the network management subsystem was initialized, this object will contain a value of zero.
dsFailuresSinceLastSuccess
The number of failures since the last successful attempt to contact this Directory Server. If there have been no successful attempts, this object will contain the number of failures since this entry was created.
dsFailures
Cumulative failures to contact the peer Directory Server since the creation of this entry.
dsSuccesses
Cumulative successes since the creation of this entry.
dsURL
URL of the peer Directory Server.
Directory Server also supports entity related managed objects, containing information about the current server installation. These managed objects are listed in Table 2-8.
Table 2-8 Entity Table of SNMP Supported Managed Objects
Managed Object
Description
dsEntityDescr
A general textual description of the installed Directory Server.
dsEntityVers
Directory Server version.
dsEntityOrg
Organization responsible for this installation of Directory Server.
dsEntityLocation
Physical location of this Directory Server. For example: hostname, building, number, laboratory number, etc.
dsEntityContact
Contact person responsible for the installed Directory Server and their contact details.
dsEntityName
Name assigned to the installation of Directory Server by the installation site.
Configuration Quick Reference Tables
This section provides quick reference tables for LDIF configuration files supplied with Directory Server, object classes and schema used in server configuration, and attributes requiring server restart.
LDIF Configuration Files
Table 2-9 lists all the configuration files that are supplied with Directory Server, including those for the schema of other Sun Java System and legacy servers. Each file is preceded by a number that indicates the order in which the files should be loaded (in ascending numerical and then alphabetical order). Refer to LDIF Files for information on where these files are stored.
Table 2-9 Directory Server Configuration LDIF Files
Configuration Filename
Purpose
dse.ldif
Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE (""), and the contents of cn=config and cn=monitor.
00core.ldif
Contains LDAPv3 standard operational schema, such as “subschemaSubentry,” the LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521), inetOrgPerson and other widely-used attributes, and the operational attributes used by Sun Java System Directory Server 5.2 configuration. Modifying this file will cause interoperability problems. User defined attributes should be added using Sun Java System Server Console.
05rfc2247.ldif
Schema from RFC 2247 and related pilot schema: “Using Domains in LDAP/X500 Distinguished Names.”
05rfc2927.ldif
Schema from RFC 2927: “MIME Directory Profile for LDAP Schema.” Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema subentry.
11rfc2307.ldif
Schema from RFC 2307: “An Approach for Using LDAP as a Network Information Service.”
20subscriber.ldif
Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and inetAdmin object class previously stored in 50ns-delegated-admin.ldif file.
25java-object.ldif
Schema from RFC 2713: “Schema for Representing Java(tm) Objects in an LDAP Directory.”
28pilot.ldif
Contains pilot directory schema from RFC 1274 that is no longer recommended for new deployments. Note that future RFCs that succeed RFC 1274 may deprecate some or all of the 28pilot.ldif attribute types and classes.
30ns-common.ldif
Schema that contains objects classes and attributes common to the Sun Java System Server Console framework.
50ns-admin.ldif
Schema used by Sun Java System Administration Services.
50ns-calendar.ldif
Schema used by Sun Java System Calendar Server.
50ns-certificate.ldif
Schema for Sun Java System Certificate Management System.
50ns-compass.ldif
Schema used by Netscape Compass Server to define personal interest profiles.
50ns-delegated-admin.ldif
Schema used by Delegated Administrator 4.5.
50ns-directory.ldif
Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to Sun Java System Directory Server 5.2. This schema is required for replicating between Directory Server 4.12 and Sun Java System Directory Server 5.2.
50ns-legacy.ldif
Legacy schema used by Sun Java System Administration Server for legacy servers.
50ns-mail.ldif
Schema used by Sun Java System Messaging Server to define mail users and mail groups.
50ns-mcd-browser.ldif
Schema used by Mission Control Desktop to hold browser client preferences.
50ns-mcd-config.ldif
Schema used by Mission Control Desktop to set MCD "config()" preferences.
50ns-mcd-li.ldif
Schema used by Mission Control Desktop to define location independence.
50ns-mcd-mail.ldif
Schema used by Mission Control Desktop to hold mail client and messenger security preferences.
50ns-media.ldif
Schema used for Media Server.
50ns-mlm.ldif
Schema used by Messaging Server 4.0 for mailing list management.
50ns-msg.ldif
Schema used for Web Mail.
50ns-netshare.ldif
Schema used for Netshare.
50ns-news.ldif
Schema used for Collabra Server to hold news group preferences.
50ns-proxy.ldif
Schema used for Sun Java System Proxy Server.
50ns-value.ldif
Schema for Sun Java System servers’ value item schema.
50ns-wcal.ldif
Schema for Sun Java System Web Calendaring.
50ns-web.ldif
Schema for Sun Java System Web Server.
99user.ldif
User-defined schema maintained by Directory Server replication consumers that contains the attributes and object classes from the suppliers.
Configuration Changes Requiring Server Restart
Table 2-10 lists the configuration attributes that cannot take effect dynamically, while the server is still running. After modifying these parameters through the console or the ldapmodify command, the server must be stopped and restarted for them to take effect. The table lists the configuration attributes concerned, with their full DNs, and provides a brief description of their functions.
Table 2-10 Configuration Changes Requiring Server Restart
Configuration Attribute
Action Requiring Restart
cn=changelog5,cn=config:nsslapd-changelogsuffix
Modifying the change log suffix.
cn=changelog5,cn=config:nsslapd-db*
Modifying any of the changelog database parameters.
cn=Class of Service,cn=plugins,cn=config:nsslapd-pluginarg0
Modifying the mechanism for handling attribute values calculated using classic CoS.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-dbcachesize
Modifying the dbcachesize attribute.
cn=config,cn=ldbm database,cn=plugins,cn=config:nsslapd-dbncache
Modifying the database cache.
cn=config:nsslapd-port
Changing the port number.
cn=config:nsslapd-secureport
Changing the secure port number.
cn=encryption,cn=config:nsssl2
Enabling or disabling SSL Version 2 for Directory Server.
cn=encryption,cn=config:nsssl3
Enabling or disabling SSL Version 3 for Directory Server.
cn=encryption,cn=config:nssslclientauth
Enabling or disabling client authentication.
cn=encryption,cn=config:nssslsessiontimeout
Changing the lifetime of an SSL session.
cn=suffixName,cn=ldbm database,cn=plugins,cn=config:nsslapd-cachesize
Modifying the cachesize attribute.
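To make Table 2-10 usable in a change-review step, the following Python script, an added example that is not part of Directory Server or this reference, transcribes the table into DN and attribute patterns and flags the operations in a changetype: modify LDIF that will not take effect until the server is restarted. The sample LDIF is constructed (its values are arbitrary), and the DN matching (case-insensitive, with cn=suffixName treated as a wildcard RDN) is the example's own assumption.

```python
"""Flag LDAP modifications that need a server restart (Table 2-10).

Added example, not part of Directory Server or this reference. RESTART_RULES
transcribes Table 2-10; the DN matching (case-insensitive, cn=suffixName
treated as a wildcard RDN) is this example's assumption.
"""
import fnmatch

# (DN pattern, attribute pattern) per Table 2-10; '*' is a wildcard.
RESTART_RULES = [
    ("cn=changelog5,cn=config", "nsslapd-changelogsuffix"),
    ("cn=changelog5,cn=config", "nsslapd-db*"),
    ("cn=Class of Service,cn=plugins,cn=config", "nsslapd-pluginarg0"),
    ("cn=config,cn=ldbm database,cn=plugins,cn=config", "nsslapd-dbcachesize"),
    ("cn=config,cn=ldbm database,cn=plugins,cn=config", "nsslapd-dbncache"),
    ("cn=config", "nsslapd-port"),
    ("cn=config", "nsslapd-secureport"),
    ("cn=encryption,cn=config", "nsssl2"),
    ("cn=encryption,cn=config", "nsssl3"),
    ("cn=encryption,cn=config", "nssslclientauth"),
    ("cn=encryption,cn=config", "nssslsessiontimeout"),
    ("cn=*,cn=ldbm database,cn=plugins,cn=config", "nsslapd-cachesize"),   # cn=suffixName
]

# Constructed sample: one restart-free change among restart-requiring ones.
SAMPLE_LDIF = """\
dn: cn=config
changetype: modify
replace: nsslapd-port
nsslapd-port: 1389
-
replace: nsslapd-sizelimit
nsslapd-sizelimit: 5000

dn: cn=userRoot,cn=ldbm database,cn=plugins,cn=config
changetype: modify
replace: nsslapd-cachesize
nsslapd-cachesize: 20000

dn: cn=changelog5,cn=config
changetype: modify
replace: nsslapd-dbcachesize
nsslapd-dbcachesize: 10000000
"""


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around its RDNs (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def needs_restart(dn, attribute):
    """True when Table 2-10 lists this DN/attribute pair."""
    dn_n, attr_n = normalize_dn(dn), attribute.lower()
    for dn_pat, attr_pat in RESTART_RULES:
        if (fnmatch.fnmatchcase(dn_n, normalize_dn(dn_pat))
                and fnmatch.fnmatchcase(attr_n, attr_pat)):
            return True
    return False


def review_ldif_changes(ldif_text):
    """Return the (dn, attribute) pairs in a modify LDIF that need a restart."""
    flagged, dn = [], None
    for line in ldif_text.splitlines():
        lowered = line.lower()
        if lowered.startswith("dn:"):
            dn = line[3:].strip()
        elif lowered.startswith(("replace:", "add:", "delete:")) and dn:
            attribute = line.split(":", 1)[1].strip()
            if needs_restart(dn, attribute):
                flagged.append((dn, attribute))
    return flagged
```

Running review_ldif_changes on a change set before applying it with ldapmodify tells the operator up front whether a maintenance window is needed.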
Plug-In Overview
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. A second look at Code Example 2-2 (configuration entry for the Telephone Syntax plug-in) described in Chapter 2, "Server Configuration Reference," shows some of the plug-in configuration attributes:
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsSlapdPlugin
cn: Telephone Syntax
nsslapd-pluginPath: ServerRoot/lib/syntax-plugin.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
Object Classes for Plug-In Configuration
All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry as shown in the following example:
dn: cn=ACL Plugin,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsSlapdPlugin
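The object class requirement just stated is easy to verify across a dse.ldif export. The following Python is an added example, not part of Directory Server or this reference, that reads plug-in entries from LDIF and reports any that lack top, extensibleObject or nsSlapdPlugin. The LDIF is constructed: the first entry copies the Telephone Syntax layout shown above, and the second (cn=Example Preop) is a made-up entry that deliberately lacks nsSlapdPlugin.

```python
"""Audit plug-in entries under cn=plugins,cn=config for the required object
classes (top, extensibleObject, nsSlapdPlugin).

Added example, not part of Directory Server or this reference. The LDIF is
constructed: the first entry copies the layout shown in the text, the second
(cn=Example Preop, a made-up name) deliberately lacks nsSlapdPlugin.
"""
REQUIRED_CLASSES = {"top", "extensibleobject", "nsslapdplugin"}

SAMPLE_LDIF = """\
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsSlapdPlugin
cn: Telephone Syntax
nsslapd-pluginPath: ServerRoot/lib/syntax-plugin.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

dn: cn=Example Preop,cn=plugins,cn=config
objectclass: top
objectclass: extensibleObject
cn: Example Preop
nsslapd-pluginEnabled: on

dn: cn=config
objectclass: top
cn: config
"""


def parse_ldif_entries(text):
    """Minimal LDIF reader: list of (dn, {attribute: [values]}), names lower-cased.

    Assumes plain 'attr: value' lines (no continuation lines, no base64 '::').
    """
    entries, dn, attrs = [], None, {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return entries


def plugin_entries(text):
    """Only the entries directly under cn=plugins,cn=config."""
    return [(dn, attrs) for dn, attrs in parse_ldif_entries(text)
            if dn.lower().endswith(",cn=plugins,cn=config")]


def audit_plugins(text):
    """Map each plug-in DN to its list of problems (an empty list means clean)."""
    report = {}
    for dn, attrs in plugin_entries(text):
        problems = []
        missing = REQUIRED_CLASSES - {v.lower() for v in attrs.get("objectclass", [])}
        if missing:
            problems.append("missing objectclass: " + ", ".join(sorted(missing)))
        enabled = attrs.get("nsslapd-pluginenabled", [""])[0].lower()
        if enabled not in ("on", "off"):
            problems.append(f"nsslapd-pluginEnabled is {enabled!r}, expected on or off")
        report[dn] = problems
    return report


def enabled_plugins(text):
    """DNs of plug-ins whose nsslapd-pluginEnabled is on."""
    return [dn for dn, attrs in plugin_entries(text)
            if attrs.get("nsslapd-pluginenabled", [""])[0].lower() == "on"]
```

The same loop is a convenient place to list which plug-ins are enabled, which is the first thing to compare against the reference tables that follow when reviewing a server's configuration.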
Server Plug-In Functionality Reference
The following tables provide an overview of the plug-ins provided with Sun Java System Directory Server 5.2, along with their configurable options, configurable arguments, default setting, dependencies, general performance related information, and further reading. These tables will enable you to compare plug-in performance gains and costs and choose the optimal settings for your deployment. A reference to additional information on the plug-ins is provided where this is available.
7-Bit Check Plug-In
Plug-In Name: 7-Bit Check (NS7bitAttr)
DN of Config Entry: cn=7-bit check,cn=plugins,cn=config
Description: Checks that certain attributes are 7-bit clean.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: List of attributes (uid mail userpassword) followed by , (a comma) and then the suffix(es) on which the check is to occur.
Dependencies: None
Performance Related Information: None
Further Information: If your Directory Server uses non-ASCII characters such as Japanese and other languages for some attributes, remove those attributes from the list of attributes checked by this plug-in.
When adding or modifying an attribute value checked by this plug-in, and the new value violates the 7-bit check, the client receives an LDAP_CONSTRAINT_VIOLATION (19) return code and a message such as:
Value of attribute attr contains extended (8-bit) characters: value
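The rule the plug-in enforces, written out as a stand-alone check so the argument format and the resulting error can be seen end to end. This is an added example and not the NS7bitAttr plug-in's own code; it assumes the arguments arrive as a list in the form described above (attribute names, then a "," element, then suffixes) and that values are UTF-8 strings. The sample entries and values are constructed.

```python
"""The 7-bit check as a stand-alone rule, for illustration.

Added example; this is not the NS7bitAttr plug-in's source. It assumes the
arguments arrive as a list in the form the reference describes (attribute
names, then ",", then suffixes) and that values are UTF-8 strings. The
sample entries and values are constructed.
"""
LDAP_SUCCESS = 0
LDAP_CONSTRAINT_VIOLATION = 19

# Constructed plug-in arguments in the documented shape.
PLUGIN_ARGS = ["uid", "mail", "userpassword", ",", "dc=example,dc=com"]


def normalize_dn(dn):
    """Lower-case a DN and trim spaces around its RDNs (assumes no escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_plugin_args(args):
    """Split the argument list into (set of attribute names, list of suffixes)."""
    attrs, suffixes, past_comma = set(), [], False
    for arg in args:
        if arg == ",":
            past_comma = True
        elif past_comma:
            suffixes.append(normalize_dn(arg))
        else:
            attrs.add(arg.lower())
    return attrs, suffixes


def is_7bit(value):
    """True when every byte of the value is below 0x80."""
    data = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return all(b < 0x80 for b in data)


def under_suffix(entry_dn, suffixes):
    """True when the entry is at or below one of the configured suffixes."""
    dn = normalize_dn(entry_dn)
    return any(dn == s or dn.endswith("," + s) for s in suffixes)


def check_values(entry_dn, changes, args):
    """Apply the check to {attribute: [new values]} of an add or modify.

    Returns (result_code, message); the message follows the format shown in
    the reference: 'Value of attribute attr contains extended (8-bit)
    characters: value'.
    """
    attrs, suffixes = parse_plugin_args(args)
    if not under_suffix(entry_dn, suffixes):
        return LDAP_SUCCESS, ""
    for name, values in changes.items():
        if name.lower() not in attrs:
            continue
        for value in values:
            if not is_7bit(value):
                return (LDAP_CONSTRAINT_VIOLATION,
                        f"Value of attribute {name} contains extended (8-bit) characters: {value}")
    return LDAP_SUCCESS, ""
```

Attributes outside the configured list (cn in the test below) pass untouched, which is the behaviour the note on non-ASCII attribute values relies on.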
ACL Plug-In
Plug-In Name: ACL Plugin
DN of Config Entry: cn=ACL Plugin,cn=plugins,cn=config
Description: ACL access check plug-in
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: It is recommended that you leave this plug-in running at all times.
Further Information: Chapter 6, “Managing Access Control” in the Directory Server Administration Guide.
ACL Preoperation Plug-In
Plug-In Name: ACL preoperation
DN of Config Entry: cn=ACL preoperation,cn=plugins,cn=config
Description: ACL access check plug-in.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: Database
Performance Related Information: It is recommended that you leave this plug-in running at all times.
Further Information: Chapter 6, “Managing Access Control” in the Directory Server Administration Guide.
Binary Syntax Plug-In
Plug-In Name: Binary Syntax
DN of Config Entry: cn=Binary Syntax,cn=plugins,cn=config
Description: Syntax for handling binary data.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Boolean Syntax Plug-In
Plug-In Name: Boolean Syntax
DN of Config Entry: cn=Boolean Syntax,cn=plugins,cn=config
Description: Syntax for handling booleans.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Case Exact String Syntax Plug-In
Plug-In Name: Case Exact String Syntax
DN of Config Entry: cn=Case Exact String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-sensitive strings.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Case Ignore String Syntax Plug-In
Plug-In Name: Case Ignore String Syntax
DN of Config Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-insensitive strings.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chaining Database Plug-In
Plug-In Name: Chaining Database
DN of Config Entry: cn=Chaining database,cn=plugins,cn=config
Description: Syntax for handling DNs.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information: “Creating Chained Suffixes” in Chapter 3 of the Directory Server Administration Guide.
Class of Service Plug-In
Plug-In Name: Class of Service
DN of Config Entry: cn=Class of Service,cn=plugins,cn=config
Description: Allows for sharing of attributes between entries.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: Set the nsslapd-pluginarg0 attribute to:
- 0 (default) to enable fast lookup of classic CoS templates
- 1 to disable fast lookup for classic CoS template selection
- 2 to disable checks for ambiguous pointer and classic CoS definitions
- 3 to disable both
Ambiguous definitions result when more than one value could be returned for the same attribute of the same entry. When checking remains enabled, Directory Server logs an informational message upon encountering such an ambiguity, provided you have set the log level to allow plug-ins to log informational messages.
Restart Directory Server for modifications to take effect.
Dependencies: None
Performance Related Information: It is recommended that you leave this plug-in running at all times.
Further Information: Chapter 5, “Advanced Entry Management” in the Directory Server Administration Guide.
For monitoring information, refer to cn=monitor,cn=Class of Service,cn=plugins,cn=config.
Country String Syntax Plug-In
Plug-In Name: Country String Syntax
DN of Config Entry: cn=Country String Syntax,cn=plugins,cn=config
Description: Syntax for handling countries.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Distinguished Name Syntax Plug-In
Plug-In Name: Distinguished Name Syntax
DN of Config Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
Description: Syntax for handling DNs.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
DSML Frontend Syntax Plug-In
Plug-In Name: Frontends
DN of Config Entry: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Description: Enables you to access the directory using DSMLv2 over SOAP/HTTP.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: ds-hdsml-soapschemalocation, ds-hdsml-dsmlschemalocation
Dependencies: None
Performance Related Information: None
Generalized Time Syntax Plug-In
Plug-In Name: Generalized Time Syntax
DN of Config Entry: cn=Generalized Time Syntax,cn=plugins,cn=config
Description: Syntax for dealing with dates, times, and time zones.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information: The Generalized Time String consists of the four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication. We strongly recommend that you use the Z time zone indication (Greenwich Mean Time).
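A parser for the Generalized Time format just described, added here as an example that is not part of Directory Server or this reference. It accepts the fields in the order given above (year, month, day, hour, minute, second, optional fraction, zone), allows a zone of Z or a +hhmm/-hhmm offset, and normalizes everything to UTC, which is why comparing timestamps is simplest when they are stored in the recommended Z form. Requiring the seconds field follows the description above rather than the looser grammar of the LDAP syntax RFCs; the sample values are constructed.

```python
"""Parser for LDAP Generalized Time values in the form described above.

Added example, not part of Directory Server or this reference. Seconds are
required here, following the description in the text; fractions and
+hhmm/-hhmm zones are accepted and everything is normalized to UTC.
"""
import re
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = re.compile(
    r"^(?P<y>\d{4})(?P<mo>\d{2})(?P<d>\d{2})"      # YYYYMMDD
    r"(?P<h>\d{2})(?P<mi>\d{2})(?P<s>\d{2})"        # HHMMSS
    r"(?:[.,](?P<frac>\d+))?"                        # optional fraction of a second
    r"(?P<zone>Z|[+-]\d{2}(?:\d{2})?)$"              # Z, or +hh / +hhmm offset
)


def parse_generalized_time(value):
    """Return a timezone-aware datetime in UTC, or raise ValueError."""
    m = GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError(f"not a Generalized Time value: {value!r}")
    frac = m.group("frac") or ""
    microseconds = int((frac + "000000")[:6])        # truncate beyond microseconds
    naive = datetime(int(m["y"]), int(m["mo"]), int(m["d"]),
                     int(m["h"]), int(m["mi"]), int(m["s"]), microseconds)
    zone = m["zone"]
    if zone == "Z":
        offset = timedelta(0)
    else:
        sign = 1 if zone[0] == "+" else -1
        hours, minutes = int(zone[1:3]), int(zone[3:5] or 0)
        offset = sign * timedelta(hours=hours, minutes=minutes)
    return naive.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def is_generalized_time(value):
    """Validation helper: True when the value parses (calendar-valid as well)."""
    try:
        parse_generalized_time(value)
        return True
    except ValueError:
        return False


def to_generalized_time(dt):
    """Format a datetime in the recommended Z form, without a fraction."""
    return dt.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ")
```

Round-tripping a value with a local offset through parse_generalized_time and to_generalized_time yields the equivalent Z value, so the pair can be used to canonicalize timestamps before they are compared or stored.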
Integer Syntax Plug-In
Plug-In Name: Integer Syntax
DN of Config Entry: cn=Integer Syntax,cn=plugins,cn=config
Description: Syntax for handling integers.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Internationalization Plug-In
Plug-In Name: Internationalization Plugin
DN of Config Entry: cn=Internationalization Plugin,cn=plugins,cn=config
Description: Syntax for handling DNs.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None. In contrast to previous versions of Directory Server, the collation orders and locales used by the internationalization plug-in are now stored in the dse.ldif file.
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information: Refer to Chapter 5, "Directory Internationalization Reference."
ldbm Database Plug-In
Plug-In Name: ldbm database plug-in
DN of Config Entry: cn=ldbm database plug-in,cn=plugins,cn=config
Description: Implements local databases.
Configurable Options: N/A
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Refer to Database Plug-In Attributes for further information on database configuration. It is recommended that you leave this plug-in running at all times.
Further Information: Chapter 2, “Creating Your Directory Tree” in the Directory Server Administration Guide.
Legacy Replication Plug-In
Plug-In Name: Legacy Replication plug-in
DN of Config Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config
Description: Enables Sun Java System Directory Server 5.2 to be a consumer of a 4.x supplier.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None.
Dependencies: database
Performance Related Information: None
Further Information: This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server. Refer to Chapter 8, “Managing Replication” in the Directory Server Administration Guide for more information.
Multimaster Replication Plug-In
Plug-In Name: Multimaster Replication Plugin
DN of Config Entry: cn=Multimaster Replication plugin,cn=plugins,cn=config
Description: Enables replication between two 5.x Directory Servers.
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: database
Performance Related Information: N/A
Further Information: You can turn this plug-in off if you have only one server, which will never replicate. Refer to Chapter 8, “Managing Replication” in the Directory Server Administration Guide for more information.
Octet String Syntax Plug-In
Plug-In Name
Octet String Syntax
DN of Config Entry
cn=Octet String Syntax,cn=plugins,cn=config
Description
Syntax for handling octet strings.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
CLEAR Password Storage Plug-In
Plug-In Name
CLEAR
DN of Config Entry
cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
Description
CLEAR password storage scheme used for password encryption.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information
Chapter 7, “User Account Management” in the Directory Server Administration Guide.
CRYPT Password Storage Plug-In
Plug-In Name
CRYPT
DN of Config Entry
cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
Description
CRYPT password storage scheme used for password encryption.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information
Chapter 7, “User Account Management” in the Directory Server Administration Guide.
NS-MTA-MD5 Password Storage Scheme Plug-In
Plug-In Name
NS-MTA-MD5
DN of Config Entry
cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
Description
NS-MTA-MD5 password storage scheme for password encryption.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information
You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present, but for backward compatibility only (the data in your directory still contains passwords encrypted with the NS-MTA-MD5 password storage scheme.) Refer to Chapter 7, “User Account Management” in the Directory Server Administration Guide.
SHA Password Storage Scheme Plug-In
Plug-In Name
SHA
DN of Config Entry
cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
Description
SHA password storage scheme for password encryption.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
If there are no passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your password with the SHA password storage scheme, we recommend that you choose SSHA instead, as SSHA is a far more secure option.
Further Information
Chapter 7, “User Account Management” in the Directory Server Administration Guide.
SSHA Password Storage Scheme Plug-In
Plug-In Name
SSHA
DN of Config Entry
cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
Description
SSHA password storage scheme for password encryption.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information
Chapter 7, “User Account Management” in the Directory Server Administration Guide.
Postal Address String Syntax Plug-In
Plug-In Name
Postal Address Syntax
DN of Config Entry
cn=Postal Address Syntax,cn=plugins,cn=config
Description
Syntax used for handling postal addresses.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
PTA Plug-In
Plug-In Name
Pass Through Authentication
DN of Config Entry
cn=Pass Through Authentication,cn=plugins,cn=config
Description
Enables pass-through authentication, the mechanism that allows one directory to consult another to authenticate bind requests.
Configurable Options
on | off
Default Setting
off
Configurable Arguments
The LDAP URL to the configuration directory.
nsslapd-pluginarg0: ldap://config.example.com/o=NetscapeRoot
Dependencies
None
Further Information
Chapter 14, “Using the Pass-Through Authentication Plug-in” in the Directory Server Administration Guide.
Note that the PTA plug-in is not listed in Directory Server console or in the dse.ldif file if you use the same server instance for your user directory and your configuration directory.
Referential Integrity Postoperation Plug-In
Plug-In Name
Referential Integrity Postoperation
DN of Config Entry
cn=Referential Integrity Postoperation,cn=plugins,cn=config
Description
Enables the server to ensure referential integrity.
Configurable Options
All configuration and on | off
Default Setting
off
Configurable Arguments
When enabled, the post operation Referential Integrity plug-in performs integrity updates on the member, uniquemember (see note 1 below), owner and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.
The following arguments are configurable:
1. (nsslapd-pluginarg0) Check for referential integrity
-1 = no check for referential integrity
0 = check for referential integrity is performed immediately
positive integer = request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request, at intervals corresponding to the integer specified.
2. (nsslapd-pluginarg1) Log file for storing the change, for example ServerRoot/slapd-serverID/logs/referint
3. (nsslapd-pluginarg2) Reserved for future use.
4. (Other nsslapd-pluginarg* attributes) Attribute names to be checked for referential integrity.
Dependencies
database type
Limitations
Observe the following limitations when you use the referential integrity plug-in in a multi-master replication environment:
- Enable the referential integrity plug-in on all servers containing master replicas
- Enable the referential integrity plug-in with the same configuration on every master
Further Information
Refer to “Maintaining Referential Integrity” in Chapter 2 of the Directory Server Administration Guide.
Example Configuration Entry
The following example configures the plug-in to check for referential integrity immediately, store logs in ServerRoot/slapd-serverID/logs/referint, and cover attribute types member, uniqueMember, owner, seeAlso, and nsroledn.
dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: ds-signedPlugin
objectClass: extensibleObject
cn: referential integrity postoperation
nsslapd-pluginPath: ServerRoot/lib/referint-plugin.so
nsslapd-pluginInitfunc: referint_postop_init
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: 0
nsslapd-pluginarg1: ServerRoot/slapd-serverID/logs/referint
nsslapd-pluginarg2: 0
nsslapd-pluginarg3: member
nsslapd-pluginarg4: uniquemember
nsslapd-pluginarg5: owner
nsslapd-pluginarg6: seeAlso
nsslapd-pluginarg7: nsroledn
nsslapd-plugin-depends-on-type: database
ds-pluginDigest:: base64EncodedDigest
ds-pluginSignature:: base64EncodedSignature
nsslapd-pluginId: referint
nsslapd-pluginVersion: 5.2_Patch_2
nsslapd-pluginVendor: Sun Microsystems, Inc.
nsslapd-pluginDescription: referential integrity plugin
Note 1: If uniqueMember values contain optional hashes (#) followed by unique identifiers, this attribute cannot be used with the referential integrity plug-in.
Retro Changelog Plug-In
Plug-In Name
Retro Changelog Plugin
DN of Config Entry
cn=Retro Changelog Plugin,cn=plugins,cn=config
Description
Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
Configurable Options
on | off
Default Setting
off
Configurable Arguments
Refer to Retro Changelog Plug-In Attributes for further information on the two configuration attributes for this plug-in.
Dependencies
None
Performance Related Information
May slow down Directory Server performance.
Further Information
Chapter 8, “Managing Replication” in the Directory Server Administration Guide.
Roles Plug-In
Plug-In Name
Roles Plugin
DN of Config Entry
cn=Roles Plugin,cn=plugins,cn=config
Description
Enables the use of roles in Directory Server.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
State Change Plugin
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Further Information
Chapter 5, “Advanced Entry Management” in the Directory Server Administration Guide.
State Change Plug-In
Plug-In Name
State Change Plugin
DN of Config Entry
cn=State Change Plugin,cn=plugins,cn=config
Description
State change notification service plug-in for detecting updates, such as configuration changes, and triggering callbacks when updates happen.
This plug-in is used internally by the roles plug-in.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Subtree Entry Counter Plug-Ins
Plug-In Name
Subtree Entry Counter For ObjectClass
DN of Config Entry
cn=Subtree Entry Counter for ObjectClass,cn=plugins,cn=config
Description
Maintain a count of entries with a particular object class. The following plug-ins are provided:
- Subtree entry counter for departments in domains
- Subtree entry counter for domains within a domain
- Subtree entry counter for mail lists
- Subtree entry counter for nested departments
- Subtree entry counter for total domains
- Subtree entry counter for users
Configurable Options
on | off
Default Setting
off
Configurable Arguments
None
Dependencies
None
Performance Related Information
These plug-ins are provided for use with Messaging Server only, and are disabled by default. It is recommended that you leave these plug-ins disabled unless your Messaging Server requires them.
Telephone Syntax Plug-In
Plug-In Name
Telephone Syntax
DN of Config Entry
cn=Telephone Syntax,cn=plugins,cn=config
Description
Syntax for handling telephone numbers.
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
UID Uniqueness Plug-In
Plug-In Name
UID Uniqueness
DN of Config Entry
cn=UID Uniqueness,cn=plugins,cn=config
Description
Checks that the values of specified attributes are unique each time a modification occurs on an entry.
Configurable Options
on | off
Default Setting
off
Configurable Arguments
You may configure this plug-in in either of two different ways.
1. You specify attributes that must be unique for a series of one or more subtrees identified by DNs.
For example, to specify that employeeNumber and uid attribute values must be unique across both o=org1,dc=example,dc=com and o=org2,dc=example,dc=com, configure the arguments in the configuration entry as follows:
nsslapd-pluginarg0: employeeNumber
nsslapd-pluginarg1: uid
nsslapd-pluginarg2: o=org1,dc=example,dc=com
nsslapd-pluginarg3: o=org2,dc=example,dc=com
2. You specify attributes that must be unique inside congruent subtrees, optionally only on entries of a specified object class.
For example, to specify that employeeNumber and uid attribute values must be unique within either o=org1,dc=example,dc=com or o=org2,dc=example,dc=com, but only on entries of the inetOrgPerson object class, configure the arguments in the configuration entry as follows:
nsslapd-pluginarg0: employeeNumber
nsslapd-pluginarg1: uid
nsslapd-pluginarg2: MarkerObjectClass="organization"
RequiredObjectClass="inetOrgPerson"
Dependencies
database type
Performance Related Information
Sun Java System Directory Server 5.2 provides the UID Uniqueness plug-in by default. To ensure unique values for other attributes, you can create instances of the UID Uniqueness plug-in for those attributes.
The UID Uniqueness plug-in may slow down Directory Server performance.
Further Information
Chapter 15, “Using the UID Uniqueness Plug-in” in the Directory Server Administration Guide.
URI Plug-In
Plug-In Name
URI Syntax
DN of Config Entry
cn=URI Syntax,cn=plugins,cn=config
Description
Syntax for handling URIs (Uniform Resource Identifiers), including URLs (Uniform Resource Locators).
Configurable Options
on | off
Default Setting
on
Configurable Arguments
None
Dependencies
None
Performance Related Information
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Attributes Common to All Plug-Ins
This list provides a brief attribute description, the Entry DN, valid range, default value, syntax, and an example for each attribute.
nsslapd-pluginPath
Specifies the full path to the plug-in.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
Any valid path
Default Value
None
Syntax
DirectoryString
Example
nsslapd-pluginPath: /usr/ds5/lib/uid-plugin.so
nsslapd-pluginInitfunc
Specifies the plug-in function to be initiated.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
Any valid plug-in function.
Default Value
None
Syntax
DirectoryString
Example
nsslapd-pluginInitfunc: NS7bitAttr_Init
nsslapd-pluginType
Specifies the plug-in type. Refer to nsslapd-plugin-depends-on-type for further information.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
Any valid plug-in type.
Default Value
None
Syntax
DirectoryString
Example
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled
Specifies whether or not the plug-in is enabled. This attribute can be changed over protocol, but will only take effect when the server is next restarted.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nsslapd-pluginEnabled: on
nsslapd-pluginId
Specifies the plug-in ID.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
Any valid plug-in ID.
Default Value
None
Syntax
DirectoryString
Example
nsslapd-pluginId: chaining database
nsslapd-pluginVersion
Specifies the plug-in version.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
Any valid plug-in version.
Default Value
Product version
Syntax
DirectoryString
Example
nsslapd-pluginVersion: 5.0b1
nsslapd-pluginVendor
Specifies the vendor of the plug-in.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
Any approved plug-in vendor.
Default Value
Sun Microsystems, Inc.
Syntax
DirectoryString
Example
nsslapd-pluginVendor: Sun Microsystems, Inc.
nsslapd-pluginDescription
Provides a description of the plug-in.
Property
Value
Entry DN
cn=plug-inName,cn=plugins,cn=config
Valid Range
N/A
Default Value
None
Syntax
DirectoryString
Example
nsslapd-pluginDescription: acl access check plug-in
Attributes Allowed by Certain Plug-Ins
nsslapd-plugin-depends-on-type
Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value that corresponds to the type of a plug-in, contained in the attribute nsslapd-pluginType. For details, refer to nsslapd-pluginType. All plug-ins whose type value matches one of the values in the following valid range will be started by the server prior to this plug-in. The following example shows that the database plug-in will be started prior to the postoperation Referential Integrity plug-in.
Property
Value
Entry DN
cn=referential integrity postoperation,cn=plugins,cn=config
Valid Range
Database
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-plugin-depends-on-type: database
nsslapd-plugin-depends-on-named
Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value that corresponds to the cn value of a plug-in. The plug-in whose cn value matches one of the values below it will be started by the server prior to this plug-in. If the plug-in does not exist, the server will fail to start. The following example shows that the Class of Service plug-in will be started prior to the postoperation Referential Integrity plug-in. If the Class of Service plug-in does not exist, the server will fail to start.
Property
Value
Entry DN
cn=referential integrity postoperation,cn=plugins,cn=config
Valid Range
Class of Service
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-plugin-depends-on-named: Class of Service
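The start-up ordering rules for nsslapd-plugin-depends-on-type and nsslapd-plugin-depends-on-named described above, together with the password storage scheme plug-ins listed earlier in this chapter, as an added example in Python that is not part of this reference or of Directory Server itself: it reads plug-in entries from a constructed dse.ldif fragment, derives the start-up order those attributes imply (failing on a missing named dependency, as the server would), and lists which enabled storage schemes deserve review. The sample entries, the plug-in types assigned to them, and the set of schemes flagged are assumptions made for the example.

```python
"""Audit plug-in entries under cn=plugins,cn=config from a dse.ldif-style file."""
import base64
from collections import deque

PLUGIN_SUFFIX = "cn=plugins,cn=config"

# Constructed sample: a trimmed dse.ldif fragment, not a file from a real server.
# Plug-in types and dependencies are chosen to exercise the ordering rules.
SAMPLE_LDIF = """\
dn: cn=ldbm database plug-in,cn=plugins,cn=config
cn: ldbm database plug-in
nsslapd-pluginType: database
nsslapd-pluginEnabled: on

dn: cn=Class of Service,cn=plugins,cn=config
cn: Class of Service
nsslapd-pluginType: object
nsslapd-pluginEnabled: on
nsslapd-plugin-depends-on-type: database

dn: cn=referential integrity postoperation,cn=plugins,cn=config
cn: referential integrity postoperation
nsslapd-pluginType: postoperation
nsslapd-pluginEnabled: on
nsslapd-pluginarg0: 0
nsslapd-pluginarg1: ServerRoot/slapd-serverID/logs/referint
nsslapd-plugin-depends-on-type: database
nsslapd-plugin-depends-on-named: Class of Service
nsslapd-pluginDescription:: cmVmZXJlbnRpYWwgaW50ZWdyaXR5IHBsdWdpbg==

dn: cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
cn: CLEAR
nsslapd-pluginType: pwdstoragescheme
nsslapd-pluginEnabled: on

dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
cn: SSHA
nsslapd-pluginType: pwdstoragescheme
nsslapd-pluginEnabled: on
"""

# Schemes reported when enabled: CLEAR stores passwords unprotected, the reference
# prefers SSHA over SHA, and NS-MTA-MD5 is kept for backward compatibility only.
# Treating these as review items is this example's assumption, not server policy.
REVIEW_SCHEMES = {"clear", "sha", "ns-mta-md5"}


def parse_ldif(text):
    """Minimal LDIF reader: folded lines, '::' base64 values, blank-line separated
    entries. Returns a list of dicts mapping lower-cased attribute -> [values]."""
    entries, logical, state = [], [], {"current": None}

    def flush(line):
        name, sep, value = line.partition(":")
        if not sep:
            return
        name = name.strip().lower()
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            state["current"] = {"dn": [value]}
            entries.append(state["current"])
        elif state["current"] is not None:
            state["current"].setdefault(name, []).append(value)

    for raw in text.splitlines() + [""]:     # trailing "" flushes the last line
        if raw.startswith(" ") and logical:  # continuation of a folded line
            logical.append(raw[1:])
            continue
        if logical:
            flush("".join(logical))
            logical = []
        if raw == "":
            state["current"] = None
        elif not raw.startswith("#"):
            logical = [raw]
    return entries


def plugin_entries(entries):
    """Keep only entries that live under cn=plugins,cn=config."""
    return [e for e in entries if e["dn"][0].lower().endswith(PLUGIN_SUFFIX)]


def plugin_args(plugin):
    """Return the nsslapd-pluginarg0..N values in numeric order."""
    prefix = "nsslapd-pluginarg"
    args = [(int(k[len(prefix):]), v[0]) for k, v in plugin.items()
            if k.startswith(prefix) and k[len(prefix):].isdigit()]
    return [v for _, v in sorted(args)]


def startup_order(plugins):
    """Topological start-up order: every plug-in whose nsslapd-pluginType matches a
    depends-on-type value, and every plug-in named in depends-on-named, must start
    before the dependent plug-in. A missing named dependency is fatal."""
    by_cn = {p["cn"][0].lower(): p for p in plugins}
    by_type = {}
    for cn, p in by_cn.items():
        for t in p.get("nsslapd-plugintype", []):
            by_type.setdefault(t.lower(), []).append(cn)
    before = {cn: set() for cn in by_cn}     # cn -> plug-ins that must precede it
    for cn, p in by_cn.items():
        for t in p.get("nsslapd-plugin-depends-on-type", []):
            before[cn].update(c for c in by_type.get(t.lower(), []) if c != cn)
        for name in p.get("nsslapd-plugin-depends-on-named", []):
            if name.lower() not in by_cn:
                raise ValueError(f"{cn}: depends on missing plug-in '{name}'")
            before[cn].add(name.lower())
    order, done = [], set()
    ready = deque(sorted(cn for cn, deps in before.items() if not deps))
    while ready:
        cn = ready.popleft()
        order.append(cn)
        done.add(cn)
        for other, deps in before.items():
            if other not in done and other not in ready and deps <= done:
                ready.append(other)
    if len(order) != len(before):
        raise ValueError("cyclic plug-in dependencies")
    return order


def enabled_review_schemes(plugins):
    """Names of enabled password storage scheme plug-ins in REVIEW_SCHEMES."""
    found = []
    for p in plugins:
        if ("cn=password storage schemes," in p["dn"][0].lower()
                and p.get("nsslapd-pluginenabled", ["off"])[0].lower() == "on"
                and p["cn"][0].lower() in REVIEW_SCHEMES):
            found.append(p["cn"][0])
    return sorted(found)


if __name__ == "__main__":
    plugins = plugin_entries(parse_ldif(SAMPLE_LDIF))
    print("start-up order:", startup_order(plugins))
    print("enabled schemes to review:", enabled_review_schemes(plugins))
```

To run this against a real instance, read ServerRoot/slapd-serverID/config/dse.ldif instead of SAMPLE_LDIF; the parser ignores entries outside cn=plugins,cn=config.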
Database Plug-In Attributes
The database plug-in is also organized in an information tree as shown in the following diagram:
All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree.
Database Configuration Attributes
Global configuration attributes common to all database instances are stored in the cn=config,cn=ldbm database,cn=plugins,cn=config tree node.
nsLookthroughLimit
This performance-related attribute specifies the maximum number of entries that Directory Server will check when examining candidate entries in response to a search request. If you bind as the directory manager DN, unlimited is set by default and overrides any other settings you may specify here.
Binder-based resource limits apply to this limit, which means that if a value for the operational attribute nsLookThroughLimit is present in the entry used to bind, the default limit is overridden. If you attempt to set a value that is not a number or is too big for a 64-bit signed integer, you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
-1 to the maximum number of entries (where -1 is unlimited)
Default Value
5000
Syntax
Integer
Example
nsLookthroughLimit: 5000
nsslapd-allidsthreshold
This performance-related attribute is present by default. It specifies the number of entry IDs that can be maintained for an index key, before the server sets the All IDs token and stops maintaining a list of IDs for that specific key. If you attempt to set a value that is not a number or is too big for a 64-bit signed integer, you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
However, as tuning this attribute is a complex task and can severely degrade performance, it is advisable to keep the default value. For a more detailed explanation of the All IDs Threshold refer to Chapter 10,“Managing Indexes” in the Directory Server Administration Guide, and to information on indexing in the Directory Server Performance Tuning Guide.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
100 to the maximum 64-bit integer value (number of entry IDs)
Default Value
4000
Syntax
Integer
Example
nsslapd-allidsthreshold: 4000
nsslapd-cache-autosize
This performance-tuning attribute is turned off by default. It specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory is claimed for the cache. If you plan to run other servers on the machine, the value should be lower. Setting the value to 0 turns off cache autosizing and uses the normal nsslapd-cachememsize and nsslapd-dbcachesize attributes.
When possible, use nsslapd-cachememsize and nsslapd-dbcachesize instead.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 (turns cache autosizing off) to 100
Default Value
0
Syntax
Integer
Example
nsslapd-cache-autosize: 80
nsslapd-cache-autosize-split
This performance-related attribute specifies the percentage of cache space to allocate to the database cache. For example, setting this to “60” would give the database cache 60 percent of the cache space and divide the remaining 40 percent between the backend entry caches. That is, if there were 2 databases, each of them would receive 20 percent. This attribute applies only when the nsslapd-cache-autosize attribute has a non-zero value.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 - 100
Default Value
66 (This will not necessarily optimize your operations.)
Syntax
Integer
Example
nsslapd-cache-autosize-split: 66
nsslapd-dbcachesize
This performance-tuning attribute specifies the database cache size. Note that this is neither the index cache nor the entry cache. If you activate automatic cache resizing, this attribute is overridden: the server replaces its value with one of its own, computed at a later stage of server startup.
If you attempt to set a value that is not a number or is too big for a 32-bit or 64-bit signed integer, you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
500KB to 4GB for 32-bit platforms and 500KB to 2^64-1 for 64-bit platforms
Default Value
10 MB
Syntax
Integer
Example
nsslapd-dbcachesize: 10 MB
Note
On Solaris platforms, the actual cache used may be significantly higher than what is specified in the nsslapd-cachememsize and nsslapd-dbcachesize attributes. It is therefore recommended that you do not specify a total cache size of more than 2 GB for 32-bit servers.
nsslapd-db-checkpoint-interval
The amount of time in seconds after which Directory Server sends a checkpoint record to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint record indicates which database operations have been physically written to the directory database. The checkpoint records are used to determine where in the database transaction log to begin recovery after a system failure. The nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, you add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, refer to the section on “Transaction Logging” in the Directory Server Performance Tuning Guide.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Sun engineering staff and Sun Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause Directory Server to be unstable.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
10 to 300 seconds
Default Value
60
Syntax
Integer
Example
nsslapd-db-checkpoint-interval: 120
nsslapd-db-circular-logging
Specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed, and are kept renamed as old log transaction files. Turning circular logging off can severely degrade server performance. It should therefore only be modified with the guidance of Sun engineering staff and Sun Professional Services.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
on or off
Default Value
on
Syntax
DirectoryString
Example
nsslapd-db-circular-logging: on
nsslapd-db-durable-transactions
Indicates whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only.
With durable transactions enabled, every directory change is physically recorded in the log file and is therefore able to be recovered in the event of a system failure. However, the durable transactions feature may also slow down the performance of Directory Server. With durable transactions disabled, all transactions are logically written to the database transaction log but may not be physically written to disk immediately. If there is a system failure before a directory change is physically written to disk, that change is not recoverable.
Note
In previous versions of Directory Server, this attribute could not be modified dynamically. In Directory Server 5.2, this attribute can be modified dynamically using ldapmodify, without stopping the server.
For more information on database transaction logging, refer to Chapter 12, “Managing Log Files” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nsslapd-db-durable-transactions: on
nsslapd-db-home-directory
Used to fix a situation where the operating system endlessly flushes pages. This flushing can be so excessive that performance of the entire system is severely degraded.
This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100 MB.
For example, if your Solaris host seems excessively slow and your database cache size is around 100 MB or more, then you can use the iostat utility to diagnose the problem. Use iostat to monitor the activity of the disk where the Directory Server’s database files are stored. If all of the following conditions are true:
then you should use the nsslapd-db-home-directory attribute to specify a subdirectory of a tempfs type file system.
Note
The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a file system of type tempfs (such as /tmp).
If you have multiple Directory Servers on the same machine, their nsslapd-db-home-directory attributes must be configured with different directories. Failure to do so will result in the databases for both directories becoming corrupted.
Finally, use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be committed. This is a symptom of an overly large database cache size being configured for your server. If this happens, reduce the size of your database cache size to a value where the server will start again.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any valid directory name in a tempfs file system, such as /tmp.
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-db-home-directory: /tmp/slapd-dirserv
nsslapd-db-idl-divisor
Specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead. Before modifying the value of this attribute export all databases using the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 to 8
Default Value
0
Syntax
Integer
Example
nsslapd-db-idl-divisor: 2
nsslapd-db-locks
Specifies the number of locks that can be used by the database. Increase the value of this attribute if you observe the following error:
libdb: Lock table is out of available locks
The current number of locks being used, the number of locks configured, and the maximum number of locks reached during the life of the process can be checked using the attributes nsslapd-db-current-locks, nsslapd-db-configured-locks, and nsslapd-db-max-locks respectively, under the entry cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
1 to maximum integer
Default Value
20000
Syntax
Integer
Example
nsslapd-db-locks: 20000
nsslapd-db-logbuf-size
Specifies the log information buffer size. Log information is stored in memory until the buffer fills up or a transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of highly concurrent applications, or transactions producing large amounts of data. The nsslapd-db-logbuf-size attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.
Note
You must be prepared to export all databases to LDIF, remove existing databases, and reimport all databases from LDIF when modifying this attribute.
Refer to the Directory Server Performance Tuning Guide for instructions.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0, 32768 to 2097152 bytes (limited by the transaction log file size, which is 10 MB by default)
0 is equivalent to 32768 bytes
Default Value
524288 for new instances
Syntax
Integer
Example
nsslapd-db-logbuf-size: 524288
nsslapd-db-logdirectory
The path to the directory containing the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. By default, the database transaction log is stored in the same directory as the directory entries themselves:
ServerRoot/slapd-serverID/db
For fault-tolerance and performance reasons, you may want to move this log file to another physical disk. The nsslapd-db-logdirectory attribute is absent from dse.ldif. To change the location of the database transaction log, add the attribute to dse.ldif.
Note
You must be prepared to export all databases to LDIF, remove existing databases, and reimport all databases from LDIF when modifying this attribute.
For more information on database transaction logging, refer to Chapter 12, “Managing Log Files” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any valid path and directory name.
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-db-logdirectory: /logs/txnlog
nsslapd-db-logfile-size
Specifies the maximum size of a single file in the log, in bytes. By default, or if the value is set to 0, a maximum size of 10 MB is used. The maximum size is an unsigned 4-byte value. The value of this attribute can have a significant impact on performance, as it can be tuned to avoid excessive log switching under heavy update load.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 to unsigned 4-byte integer
Default Value
10 (MB)
Syntax
Integer
Example
nsslapd-db-logfile-size: 10
nsslapd-db-page-size
Specifies the size of the pages used to hold items in the database in bytes. The minimum size is 512 bytes and the maximum size is 64K bytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8K bytes. Changing this default value can have significant performance impact. If the page size is too small, it results in extensive page splitting and copying, whereas if the page size is too large, it can waste disk space.
Note
You must be prepared to export all databases to LDIF, remove existing databases, and reimport all databases from LDIF when modifying this attribute.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
512 bytes to 64 KB
Default Value
8 (KB)
Syntax
Integer
Example
nsslapd-db-page-size: 8
nsslapd-db-transaction-batch-val
Specifies how many transactions will be batched before being committed. You can use this attribute to improve update performance when full transaction durability is not required. This attribute can be dynamically modified using ldapmodify.
If you do not define this attribute or set it to a value of 0, transaction batching will be turned off and it will be impossible to make remote modifications to this attribute via LDAP. However, setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value. A value greater than 0 also allows you to modify this attribute remotely via LDAP. A value of 1 for this attribute allows you to modify the attribute setting remotely via LDAP, but results in no batching behavior. A value of 1 at server startup is therefore useful for maintaining normal durability, while also allowing transaction batching to be turned on and off remotely when desired. Bear in mind that the value you choose for this attribute may require you to modify the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer size for accommodating your batched transactions.
Note
The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transaction attribute is set to on.
For more information on database transaction logging, refer to Chapter 12, “Managing Log Files” in the Directory Server Administration Guide.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 to 30
Default Value
0 (or turned off)
Syntax
Integer
Example
nsslapd-db-transaction-batch-val: 5
nsslapd-db-tx-max
Specifies the maximum number of concurrent transactions that can be handled by the database. Increase the value of this attribute if you observe the following error:
Serious Error---Failed in dblayer_txn_begin, err=12 (Not enough space)
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
1 to maximum integer
Default Value
200
Syntax
Integer
Example
nsslapd-db-tx-max: 200
nsslapd-dbncache
This attribute allows you to split the ldbm cache into equally sized separate pieces of memory. It is possible to specify caches that are large enough so that they cannot be allocated contiguously on some architectures. For example, some releases of Solaris limit the amount of memory that may be allocated contiguously by a process. If nsslapd-dbncache is 0 or 1, the cache will be allocated contiguously in memory. If it is greater than 1, the cache will be broken up into ncache equally sized separate pieces of memory.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Sun engineering staff and Sun Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause Directory Server to be unstable.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
Positive integer or 0
Default Value
0
Syntax
Integer
Example
nsslapd-dbncache: 0
nsslapd-import-cachesize
This performance tuning related attribute determines the size of the database cache used in the bulk import process. By setting this attribute value so that the maximum available system physical memory is used for the database cache during bulk importing, you can optimize bulk import speed. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Note
A cache is created for each load that occurs. For example, if the user sets the nsslapd-import-cachesize attribute to 1 GB, then 1 GB is used when loading one database, 2 GB is used when loading 2 databases, and so forth.
Ensure that you have sufficient physical memory to prevent swapping from occurring, as this results in performance degradation.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
20 MB to 4 GB for 32-bit platforms and 20 MB to 2^64-1 for 64-bit platforms
Default Value
20971520 (20 MB)
Syntax
Integer
Example
nsslapd-import-cachesize: 20971520
nsslapd-mode
Specifies the permissions used for newly created index files.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user that ns-slapd runs as), and no access for other users.
Default Value
0600
Syntax
Integer
Example
nsslapd-mode: 0600
nsslapd-exclude-from-export
Specifies a list of attributes that will be excluded when the database is exported.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
N/A
Default Value
entrydn entryid dncomp parentid numSubordinates
Syntax
DirectoryString
Example
nsslapd-exclude-from-export: entrydn entryid
nsslapd-disk-low-threshold
Specifies the “low” free space on the disk (in MB). When the available free space on any one of the disks used by a database instance falls below the value specified by this attribute, protocol updates on that instance are permitted only by the directory manager.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 to unsigned 4-byte integer
Default Value
100
Syntax
Integer
Example
nsslapd-disk-low-threshold: 100
nsslapd-disk-full-threshold
Specifies the minimum free space on the disk (in MB). When the available free space on any one of the disks used by a database instance falls below the value specified by this attribute, no updates are permitted and the server returns an LDAP_UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
0 to unsigned 4-byte integer
Default Value
10
Syntax
Integer
Example
nsslapd-disk-full-threshold: 10
Database Monitoring Attributes
Table 2-11 lists the global read-only attributes containing database statistics for monitoring activity on databases. These attributes are stored under cn=monitor,cn=ldbm database,cn=plugins,cn=config. For more information on these monitoring read-only entries refer to Chapter 12, “Managing Log Files” in the Directory Server Administration Guide.
Table 2-11 Database Monitoring Attributes
Attribute
Description
dbcachehits
Requested pages found in the database.
dbcachetries
Total requested pages found in the database cache.
dbcachehitratio
Percentage of requested pages found in the database cache (hits/tries).
dbcachepagein
Pages read into the database cache.
dbcachepageout
Pages written from the database cache to the backing file.
dbcacheroevict
Clean pages forced from the cache.
dbcacherwevict
Dirty pages forced from the cache.
Database Configuration Attributes Under cn=NetscapeRoot and cn=UserRoot
The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases containing the o=NetscapeRoot and o="suffixname" suffixes, respectively. The cn=NetscapeRoot subtree contains the configuration data used by the Sun Java System Administration Server for authentication and all actions that cannot be performed through LDAP (such as start/stop). The cn=UserRoot subtree contains all the configuration data for the user-defined database. The cn=UserRoot subtree is called UserRoot by default. However, this is not hard-coded, and, given the fact that there will be multiple database instances, this name will be changed and defined by the user when new databases are added.
The following attributes are common to both the cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=UserRoot,cn=ldbm database,cn=plugins,cn=config subtrees.
nsslapd-cachesize
This performance tuning related attribute specifies the cache size in terms of the entries it can hold. However, it is worth noting that it is simpler to limit by memory size only (using the nsslapd-cachememsize attribute). If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property
Value
Entry DN
cn=suffixName,cn=ldbm database,cn=plugins,cn=config
Valid Range
1 to 2,147,483,647 (or -1 which means limitless) entries
Default Value
-1
Syntax
Integer
Example
nsslapd-cachesize: -1
nsslapd-cachememsize
This performance tuning related attribute specifies the cache size in terms of available memory space. Limiting cachesize in terms of memory occupied is the simplest method. By activating automatic cache resizing, you override this attribute, replacing these values with its own guessed values at a later stage of the server startup. If you attempt to set a value that is not a number or is too big for a 64-bit (32-bit for 32-bit installations) signed integer, you receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Property
Value
Entry DN
cn=suffixName,cn=ldbm database,cn=plugins,cn=config
Valid Range
200 KB to 2^64-1 (2^32-1 for 32-bit installations)
Default Value
10485760 (10 MB)
Syntax
Integer
Example
nsslapd-cachememsize:10
nsslapd-directory
Specifies the absolute path to the database instance. If the database instance is created manually, this attribute must be included. It is set by default in the Sun Java System Server Console and can be modified. Once the database instance has been created, do not modify this path as any changes risk preventing the server from accessing data.
Property
Value
Entry DN
cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any valid absolute path to the database instance.
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-directory: /ServerRoot/slapd-serverID/db
nsslapd-readonly
Specifies read only permission. When this attribute is set to on, directory entries can be viewed but cannot be modified. This is useful, for example, when you are performing a backup of the directory.
Property
Value
Entry DN
cn=suffixName,cn=ldbm database,cn=plugins,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-readonly: off
nsslapd-require-index
When switched to on, this attribute allows you to refuse non-indexed or allids searches. This performance related attribute avoids saturating the server with erroneous searches.
Property
Value
Entry DN
cn=suffixName,cn=ldbm database,cn=plugins,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsslapd-require-index: off
nsslapd-suffix
Specifies the chained suffix. This is a single-valued attribute as each database instance can have only one suffix. Previously, it was possible to have more than one suffix on a single database instance but this is no longer the case. Any changes made to this attribute after the entry has been created take effect only after you restart the server containing the chained suffix.
Property
Value
Entry DN
cn=suffixName,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any valid DN
Default Value
N/A
Syntax
DirectoryString
Example
nsslapd-suffix: o=Netscaperoot
Database Performance Attributes
Table 2-12 lists the read-only database performance attributes. These attributes are stored under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config. All of the values for these attributes are 32-bit integers.
Table 2-12 Database Performance Attributes
Attribute
Description
nsslapd-db-abort-rate
Number of transactions that have been aborted.
nsslapd-db-active-txns
Number of transactions that are currently active (used by the database.)
nsslapd-db-cache-hit
Requested pages found in the cache.
nsslapd-db-cache-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-cache-size-bytes
Total cache size in bytes.
nsslapd-db-cache-try
Total cache lookups.
nsslapd-db-clean-pages
Clean pages currently in the cache.
nsslapd-db-commit-rate
Number of transactions that have been committed.
nsslapd-db-configured-locks
Configured number of locks.
nsslapd-db-configured-txns
Configured number of transactions.
nsslapd-db-current-locks
Number of locks currently used by the database.
nsslapd-db-deadlock-rate
Number of deadlocks detected.
nsslapd-db-dirty-pages
Dirty pages currently in the cache.
nsslapd-db-hash-buckets
Number of hash buckets in buffer hash table.
nsslapd-db-hash-elements-examine-rate
Total number of hash elements traversed during hash table lookups.
nsslapd-db-hash-search-rate
Total number of buffer hash table lookups.
nsslapd-db-lock-conflicts
Total number of locks not immediately available due to conflicts.
nsslapd-db-lockers
Number of current lockers.
nsslapd-db-lock-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-lock-request-rate
Total number of locks requested.
nsslapd-db-log-bytes-since-checkpoint
Number of bytes written to this log since the last checkpoint.
nsslapd-db-log-flush-commit
The number of log flushes that contained a transaction commit record.
nsslapd-db-log-flush-count
The number of times the log has been flushed to disk.
nsslapd-db-log-max-commit-per-flush
The maximum number of commits contained in a single log flush.
nsslapd-db-log-min-commit-per-flush
The minimum number of commits contained in a single log flush that contained a commit.
nsslapd-db-log-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
nsslapd-db-log-write-count
The number of times the log has been written to disk.
nsslapd-db-log-write-count-fill
The number of times the log has been written to disk because the in-memory log record cache filled up.
nsslapd-db-log-write-rate
Number of bytes written to the log since the last checkpoint.
nsslapd-db-longest-chain-length
Longest chain ever encountered in buffer hash table lookups.
nsslapd-db-max-locks
Maximum number of locks used by the database since the last startup.
nsslapd-db-max-txns
Maximum number of transactions used since the last startup.
nsslapd-db-page-create-rate
Pages created in the cache.
nsslapd-db-page-read-rate
Pages read into the cache.
nsslapd-db-page-ro-evict-rate
Clean pages forced from the cache.
nsslapd-db-page-rw-evict-rate
Dirty pages forced from the cache.
nsslapd-db-pages-in-use
All pages, clean or dirty, currently in use.
nsslapd-db-page-trickle-rate
Dirty pages written using the memp_trickle interface.
nsslapd-db-page-write-rate
Pages read into the cache.
nsslapd-db-txn-region-wait-rate
Number of times that a thread of control was forced to wait before obtaining the region lock.
Default Index Attributes
The set of default indexes is stored under cn=default indexes,cn=config, cn=ldbm database,cn=plugins,cn=config. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of deployments.
All indexes, except system-essential ones, can be removed, but care should be taken not to cause unnecessary disruptions. This section presents four required indexing attributes and one optional indexing attribute. For further information on indexes refer to Chapter 10, “Managing Indexes” in the Directory Server Administration Guide.
nsSystemIndex
This mandatory attribute specifies whether the index is a system index, that is, an index that is vital for Directory Server operations. If this attribute has a value of true, it is system essential. System indexes must not be removed as this will seriously disrupt server functionality.
Property
Value
Entry DN
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
true | false
Default Value
N/A
Syntax
DirectoryString
Example
nssystemindex: true
nsIndexType
This optional, multi-valued attribute specifies the types of index used in Directory Server operations and the values of the attributes to be indexed. Each index type must be entered on a separate line.
Property
Value
Entry DN
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
Valid Range
pres = presence index
eq = equality index
approx = approximate index
sub = substring index
matching rule = international index
index browse = browsing index
Default Value
N/A
Syntax
DirectoryString
Example
nsindextype: eq
nsMatchingRule
This optional, multi-valued attribute specifies the collation order object identifier (OID) required for Directory Server to operate international indexing.
Property
Value
Entry DN
cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any valid collation order object identifier (OID)
Default Value
None
Syntax
DirectoryString
Example
nsMatchingRule: 1.3.6.1.4.1.42.2.27.9.4.23.1
(For Bulgarian)
cn
Provides the name of the attribute to be indexed.
Property
Value
Entry DN
cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config
Valid Range
Any valid index cn.
Default Value
None
Syntax
DirectoryString
Example
cn: aci
description
This optional attribute provides a free-hand text description of what the index actually performs.
Property
Value
Entry DN
cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config
Valid Range
N/A
Default Value
None
Syntax
DirectoryString
Example
description: substring index
Database Monitoring Attributes Under cn=NetscapeRoot
Table 2-13 lists the global, read-only entries for monitoring activity on the NetscapeRoot database, stored under cn=monitor,cn=Netscaperoot,cn=ldbm database, cn=plugins,cn=config. These attributes contain database statistics and are provided for each file that makes up your database. For further information refer to Chapter 12, “Managing Log Files” in the Directory Server Administration Guide.
Table 2-13 Database Monitoring Attributes Under cn=NetscapeRoot
Attribute
Description
dbfilename-number
This attribute indicates the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given the same numerical identifier.
dbfilecachehit
Number of times that a search requiring data from this file was performed and data successfully obtained from the cache.
dbfilecachemiss
Number of times that a search requiring data from this file was performed and that the data could not be obtained from the cache.
dbfilepagein
Number of pages brought to the cache from this file.
dbfilepageout
Number of pages for this file written from cache to disk.
Database Index Attributes Under cn=NetscapeRoot and cn=UserRoot
In addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for o=Netscaperoot, o=UserRoot, and manually created databases. These custom indexes are stored under the cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config entries, respectively. Each indexed attribute represents a subentry under the above cn=config information tree nodes, as shown in the following figure:
For example, the index file for the aci attribute under o=UserRoot will appear in Directory Server as follows:
dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=confi
objectclass:top
objectclass:nsIndex
cn: aci
nssystemindex:true
nsindextype:pres
Note that the aci attribute is an operational attribute and is not returned in a search unless you explicitly request it.
For details on the five possible indexing attributes, refer to the section Default Index Attributes. For further information about indexes refer to Chapter 10, “Managing Indexes” in the Directory Server Administration Guide.
VLV Index Object Classes
A VLV (virtual list view) index provides fast searches against a known result set and sort ordering. To do this, the object class vlvSearch is needed to define the VLV search, and the object class vlvIndex is needed to order the search. VLV index object classes are stored under cn=MCCsuffixName, cn=userRoot, cn=ldbm database,cn=plugins,cn=config.
vlvIndex
Used to define the sort criteria of a Virtual List View index. Each VLV index specification defines the sort order to be imposed on the result set defined in the VLV search entry. A set of VLV index entries may appear below the VLV search entry. The cn (commonName) attribute is used as the naming component for the entry.
Property
Value
Entry DN
cn=MCCsuffixName, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Superior Class
top
OID
2.16.840.1.113730.3.2.42
Required Attributes
cn, objectClass, vlvSort
Allowed Attributes
vlvEnabled, vlvUses
vlvSearch
Used to define a VLV search. Specifies the entry result set to be VLV indexed.
Property
Value
Entry DN
cn=MCCsuffixName, cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Superior Class
top
OID
2.16.840.1.113730.3.2.38
Required Attributes
cn, objectClass, vlvBase, vlvFilter, vlvScope
Allowed Attributes
multiLineDescription
VLV Index Attributes
VLV Index Attributes are stored under cn=MCCsuffixName,cn=userRoot,cn=ldbm database,cn=plugins,cn=config.
vlvBase
Defines the base DN of a VLV search.
Property
Value
Entry DN
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Range
N/A
Default Value
N/A
Syntax
DN
Example
vlvBase:o=example.com
vlvEnabled
Used by the server to signal whether the index is available or unavailable. When VLV indexes are created offline, new vlvSearch entries are enabled when the indexes are rebuilt. VLV indexes can also be created while the server is running in read-only mode. This attribute is read-only and single-valued.
Property
Value
Entry DN
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Range
0
Default Value
N/A
Syntax
Integer
Example
vlvEnabled:0
vlvFilter
Defines the filter for a VLV search.
Property
Value
Entry DN
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Range
Default Value
N/A
Syntax
IA5String
Example
vlvFilter:(uid>=r)
vlvScope
Defines the scope of a VLV search.
Property
Value
Entry DN
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Range
0 = base search
1 = one level search
2 = subtree search
Default Value
N/A
Syntax
Integer
Example
vlvScope:1
vlvSort
Defines the sort specification for a VLV search. Consists of a list of comma-delimited attribute names. A minus sign is used to denote a reverse sort. The example below will result in a sort by uid, then by reverse common name.
Property
Value
Entry DN
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Range
N/A
Default Value
N/A
Syntax
DirectoryString
Example
vlvSort:uid, -cn
vlvUses
This read-only attribute displays the number of times the VLV index was used. This number resets after a restart of the server.
Property
Value
Entry DN
cn=userRoot, cn=ldbm database, cn=plugins, cn=config
Valid Range
1-x
Default Value
N/A
Syntax
Integer
Example
vlvUses:7
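The vlvSearch and vlvIndex entry pair described above, generated as LDIF and checked against the Required/Allowed attribute lists of the two object classes. This is an added example, not code from the Sun manual; the backend name userRoot, the base DN o=example.com, the filter (uid>=r) and the sort spec uid, -cn are taken from the examples above, and the entry names are constructed.

```python
# Added example (not from the Sun manual): build a vlvSearch entry and the
# vlvIndex entry below it, validate both against the object class
# definitions documented above, and render them as LDIF for ldapmodify.

VLV_SEARCH = {
    "required": {"cn", "objectClass", "vlvBase", "vlvFilter", "vlvScope"},
    "allowed": {"multiLineDescription"},
}
VLV_INDEX = {
    "required": {"cn", "objectClass", "vlvSort"},
    "allowed": {"vlvEnabled", "vlvUses"},
}
# vlvScope values as documented: 0 = base, 1 = one level, 2 = subtree
SCOPES = {"base": 0, "one": 1, "sub": 2}


def parse_vlv_sort(spec):
    """Split a vlvSort value into (attribute, reverse) pairs.

    'uid, -cn' -> [('uid', False), ('cn', True)]: keys are comma-delimited
    and a leading minus sign denotes a reverse sort.
    """
    keys = []
    for item in spec.split(","):
        item = item.strip()
        if not item or item == "-":
            raise ValueError("empty sort key in vlvSort %r" % spec)
        keys.append((item.lstrip("-"), item.startswith("-")))
    return keys


def validate(entry, schema):
    """Return a sorted list of problems (missing required / unexpected attrs)."""
    present = set(entry)
    problems = ["missing " + a for a in sorted(schema["required"] - present)]
    problems += ["unexpected " + a
                 for a in sorted(present - schema["required"] - schema["allowed"])]
    return problems


def build_vlv_entries(backend, search_cn, base, filt, scope, index_cn, sort):
    """Return [(dn, attrs), (dn, attrs)] for a vlvSearch and its vlvIndex.

    The vlvSearch entry lives under cn=<backend>,cn=ldbm database,...;
    the vlvIndex entry sits below the vlvSearch entry whose result set it orders.
    """
    if scope not in SCOPES:
        raise ValueError("scope must be one of %s" % sorted(SCOPES))
    parse_vlv_sort(sort)  # reject a malformed sort spec before emitting it
    search_dn = "cn=%s,cn=%s,cn=ldbm database,cn=plugins,cn=config" % (search_cn, backend)
    search = {
        "objectClass": ["top", "vlvSearch"],
        "cn": [search_cn],
        "vlvBase": [base],
        "vlvFilter": [filt],
        "vlvScope": [str(SCOPES[scope])],
    }
    index_dn = "cn=%s,%s" % (index_cn, search_dn)
    index = {
        "objectClass": ["top", "vlvIndex"],
        "cn": [index_cn],
        "vlvSort": [sort],
    }
    for dn, entry, schema in ((search_dn, search, VLV_SEARCH), (index_dn, index, VLV_INDEX)):
        problems = validate(entry, schema)
        if problems:
            raise ValueError("%s: %s" % (dn, ", ".join(problems)))
    return [(search_dn, search), (index_dn, index)]


def to_ldif(entries):
    """Render entries as LDIF add records, one attribute value per line."""
    out = []
    for dn, attrs in entries:
        out.append("dn: " + dn)
        for name, values in attrs.items():
            out.extend("%s: %s" % (name, v) for v in values)
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    # constructed sample: index o=example.com entries with uid >= r by uid, then reverse cn
    entries = build_vlv_entries("userRoot", "MCC o=example.com", "o=example.com",
                                "(uid>=r)", "one", "by uid", "uid, -cn")
    print(to_ldif(entries))
```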
Chained Suffix Plug-In Attributes
The chained suffix plug-in is organized in an information tree as shown below:
All plug-in technology used by the chained suffix instances is stored in the cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in bold in the cn=chaining database,cn=plugins,cn=config information tree. For more information on the chaining backend, refer to “Creating Chained Suffixes” in Chapter 3 of the Directory Server Administration Guide.
Chained Suffix Attributes
Global chained suffix configuration attributes common to all instances are stored under cn=config,cn=chaining database,cn=plugins,cn=config.
nsActiveChainingComponents
Lists the components using chaining. A component is any functional unit in the server. The value of this attribute overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value None.
This attribute also allows you to alter the components used to chain. By default, no components are allowed to chain. For this reason, this attribute does not appear in a list of cn=config,cn=chaining database,cn=config attributes, as LDAP considers empty attributes to be non-existent.
Property
Value
Entry DN
cn=config,cn=chaining database,cn=plugins,cn=config
Valid Range
Any valid component entry.
Default Value
None
Syntax
DirectoryString
Example
nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config
nsMaxResponseDelay
This error detection, performance related attribute specifies the maximum period of time it can take a remote server to respond to an LDAP operation request made by a chained suffix before an error is suspected. Once this delay period has been met, the chained suffix tests the connection with the remote server.
Property
Value
Entry DN
cn=config,cn=chaining database,cn=plugins,cn=config
Valid Range
Any valid delay period in seconds.
Default Value
60 seconds
Syntax
Integer
Example
nsMaxResponseDelay: 60
nsMaxTestResponseDelay
This error detection, performance related attribute specifies the duration of the test issued by the chained suffix to check whether the remote server is responding. If a response from the remote server is not returned within this period, the chained suffix assumes the remote server is down and the connection is not used for subsequent operations.
Property
Value
Entry DN
cn=config,cn=chaining database,cn=plugins,cn=config
Valid Range
Any valid delay period in seconds.
Default Value
15 seconds
Syntax
Integer
Example
nsMaxTestResponseDelay: 15
nsTransmittedControls
This attribute, which can be both a global (and thus dynamic) configuration or an instance (cn=chained suffix instance,cn=chaining database, cn=plugins,cn=config) configuration attribute, allows you to alter the controls that the chained suffix forwards. The following controls are forwarded by default:
Default Instance Chained Suffix Attributes
Default instance chained suffix attributes are stored under cn=default instance config,cn=chaining database,cn=plugins,cn=config.
nsAbandonedSearchCheckInterval
The number of seconds that pass before the server checks for abandoned operations.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
0 to 2147483647 seconds
Default Value
2
Syntax
Integer
Example
nsabandonedsearchcheckinterval: 10
nsBindConnectionsLimit
Maximum number of TCP connections the chained suffix establishes with the remote server.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
1 to 50 connections
Default Value
3
Syntax
Integer
Example
nsbindconnectionslimit: 3
nsBindRetryLimit
Number of times a chained suffix attempts to bind with the remote server if the initial bind attempt is unsuccessful. A value of 0 indicates that the chained suffix attempts to bind only once.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
0 to 5
Default Value
3
Syntax
Integer
Example
nsbindretrylimit: 3
nsBindTimeout
Period of time before the bind attempt times out. There is no real Valid Range for this attribute, except reasonable patience limits.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
0 to 60 seconds
Default Value
15
Syntax
Integer
Example
nsbindtimeout:15
nsCheckLocalACI
Reserved for advanced use only. Controls whether ACIs are evaluated on the chained suffix as well as the remote data server. Changes to this attribute only take effect once the server has been restarted.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nschecklocalaci: on
nsConcurrentBindLimit
The maximum number of concurrent bind operations per TCP connection.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
1 to 25 binds
Default Value
10
Syntax
Integer
Example
nsconcurrentbindlimit:10
nsConcurrentOperationsLimit
The maximum number of concurrent operations allowed.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
1 to 50 operations
Default Value
50
Syntax
Integer
Example
nsconcurrentoperationslimit: 50
nsConnectionLife
Specifies the connection lifetime. You can keep connections between the chained suffix and the remote server open for an unspecified time, or you can close them after a specific period of time. Keeping the connections open is faster, but uses more resources. When the value is 0 and a list of failover servers is provided in the nsFarmServerURL attribute, the “main” server is never contacted after failover to the alternate server.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
0 to limitless seconds (where 0 means forever)
Default Value
0
Syntax
Integer
Example
nsconnectionlife: 0
nsOperationConnectionsLimit
Maximum number of LDAP connections the chained suffix establishes with the remote server.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
1 to 20 connections
Default Value
10
Syntax
Integer
Example
nsoperationconnectionslimit:10
nsProxiedAuthorization
Reserved for advanced use only, this attribute permits you to disable proxied authorization. A value of off means that proxied authorization is disabled, and that all binds for chained operations are executed as the user specified in nsMultiplexorBindDN.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
on | off
Default Value
on
Syntax
DirectoryString
Example
nsproxiedauthorization: on
nsReferralOnScopedSearch
Controls whether referrals are returned for searches with a scope of one level or subtree. When nsReferralOnScopedSearch is set to on, Directory Server returns referrals for such searches instead of chaining them, allowing clients that can handle referrals to access the appropriate directory directly.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
on | off
Default Value
off
Syntax
DirectoryString
Example
nsreferralonscopedsearch: off
nsslapd-sizelimit
Specifies the search size limit for the chained suffix, in entries.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
-1 (no limit) to 2147483647 entries
Default Value
2000
Syntax
Integer
Example
nsslapd-sizelimit: 2000
nsslapd-timelimit
Specifies the default search time limit for the chained suffix.
Property
Value
Entry DN
cn=default instance config,cn=chaining database,cn=plugins,cn=config
Valid Range
-1 to 2147483647 seconds
Default Value
3600
Syntax
Integer
Example
nsslapd-timelimit: 3600
Instance-Specific Chained Suffix Attributes
Instance-specific chained suffix attributes are stored under cn=chained suffix instance name,cn=chaining database,cn=plugins,cn=config.
nsFarmServerURL
The LDAP URL of the remote server. A farm server contains data in one or more databases. This attribute can contain optional servers for failover, separated by spaces. For cascading chaining, this URL can point to another chained suffix.
Refer to the Directory Server Administration Guide for details on configuring cascading chaining.
Property
Value
Entry DN
cn=chained suffix instance name,cn=chaining database,cn=plugins,cn=config
Valid Range
Any valid remote server LDAP URL.
Default Value
N/A
Syntax
DirectoryString
Example
nsFarmServerURL: ldap://epdiote.example.com:alternate_server:3333
nsMultiplexorBindDN
DN of the administrative entry used to communicate with the remote server. The multiplexor is the server that contains the chained suffix and communicates with the farm server. This bind DN cannot be the Directory Manager. If this attribute is not specified, the chained suffix binds as anonymous.
Entry DN: cn=chained suffix instance name,cn=chaining database,cn=plugins,cn=config
Valid Range: N/A
Default Value: DN of the multiplexor.
Syntax: DirectoryString
Example:
nsMultiplexorBindDN: cn=proxy manager
nsMultiplexorCredentials
Password for the administrative user, in plain text. If no password is provided, users can bind as anonymous. The password is encrypted in the configuration file. Please note that the example below is what you view, not what you type.
Entry DN: cn=chained suffix instance name,cn=chaining database,cn=plugins,cn=config
Valid Range: Any valid password (stored encrypted using the DES reversible password encryption scheme).
Default Value: N/A
Syntax: DirectoryString
Example:
nsMultiplexorCredentials: {DES} 9Eko69APCJfF
nshoplimit
Specifies the maximum number of times a suffix is allowed to chain, that is, the number of times a request can be forwarded from one chained suffix to another.
Entry DN: cn=chained suffix instance name,cn=chaining database,cn=plugins,cn=config
Valid Range: 1 to an appropriate upper limit for your deployment.
Default Value: 10
Syntax: Integer
Example:
nsHopLimit: 3
Chained Suffix Monitoring Attributes
Table 2-14 lists the chained suffix attributes used for monitoring activity on instances. These attributes are stored under cn=monitor,cn=database instance name,cn=chaining database,cn=plugins,cn=config.
Table 2-14 Chained Suffix Monitoring Attributes
nsAddCount: Number of add operations received.
nsDeleteCount: Number of delete operations received.
nsModifyCount: Number of modify operations received.
nsRenameCount: Number of rename operations received.
nsSearchBaseCount: Number of base level searches received.
nsSearchOneLevelCount: Number of one-level searches received.
nsSearchSubtreeCount: Number of subtree searches received.
nsAbandonCount: Number of abandon operations received.
nsBindCount: Number of bind requests received.
nsUnbindCount: Number of unbinds received.
nsCompareCount: Number of compare operations received.
nsOperationConnectionCount: Number of open connections for normal operations.
nsBindConnectionCount: Number of open connections for bind operations.
Frontend Plug-In Attributes
The frontend plug-in enables you to access directory data by methods other than LDAP. Sun Java System Directory Server 5.2 provides a DSML frontend plug-in that enables access using DSMLv2 over HTTP/SOAP. Attributes for the DSML frontend plug-in are stored under cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config.
ds-hdsml-clientauthmethod
Defines how the server will identify a client on a secure (SSL) connection.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range:
clientCertOnly: the server uses the credentials from the client certificate to identify the client.
httpBasicOnly: the server uses the credentials from the HTTP authorization header to identify the client.
clientCertFirst: the server attempts to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.
Default Value: clientCertFirst
Syntax: DirectoryString
Example:
ds-hdsml-clientauthmethod: clientCertFirst
ds-hdsml-dsmlschemalocation
The path to the DSMLv2 schema. This is generated automatically and should not be changed.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: Any valid path to the directory storing the DSML schema.
Default Value: ServerRoot/lib/DSMLv2.xsd
Syntax: DirectoryString
Example:
ds-hdsml-dsmlschemalocation: /var/ds5/slapd-myServer/lib/DSMLv2.xsd
ds-hdsml-iobuffersize
The size of the buffer in which the DSML request is stored. If Directory Server receives many large DSML requests, such as large modify requests, then increasing this value may allow fewer buffers to be passed from the HTTP front end to the DSML parsers.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1 to an appropriate upper limit for your deployment, with a maximum of 2147483647 (2^31-1). The value must be a multiple of 256.
Default Value: 8192
Syntax: Integer
Example:
ds-hdsml-iobuffersize: 8192
ds-hdsml-poolmaxsize
The maximum number of DSML parsers kept ready to handle DSML requests. If you expect sustained traffic of many concurrent DSML requests, you may choose to increase the value of this attribute.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1 to an appropriate upper limit for your deployment, with a maximum of 2147483647 (2^31-1).
Default Value: 10
Syntax: Integer
Example:
ds-hdsml-poolmaxsize: 10
ds-hdsml-poolsize
The minimum, default number of DSML parsers kept ready to handle DSML requests. If you expect sustained traffic of many concurrent DSML requests, you may choose to increase the value of this attribute.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1 to an appropriate upper limit for your deployment, with a maximum of 2147483647 (2^31-1).
Default Value: 5
Syntax: Integer
Example:
ds-hdsml-poolsize: 5
ds-hdsml-port
The HTTP port used for DSML communications. The selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 requires Directory Server to run as super user.
Note that you must restart the server for a port number change to be taken into account.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1-65535
Default Value: 80
Syntax: Integer
Example:
ds-hdsml-port: 8080
ds-hdsml-requestmaxsize
The maximum size of a DSML request. If the request is larger than this value, the server responds with the error message REQUEST_ENTITY_TOO_LARGE and closes the connection to prevent the client from continuing the request.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1-2147483647 (2^31-1)
Default Value: 32768
Syntax: Integer
Example:
ds-hdsml-requestmaxsize: 32768
ds-hdsml-responsemsgsize
The maximum size of a server response to a DSML request (or a fraction of the maximum response size in the case of intermediate search responses). If the response is larger than the size specified here
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1-2147483647 (2^31-1)
Default Value: 65536
Syntax: Integer
Example:
ds-hdsml-responsemsgsize: 65536
ds-hdsml-rooturl
The root URL used in the HTTP POST request to indicate the request is DSML. On the client side, this corresponds to the first line of the post, such as:
POST /dsml HTTP/1.1
Client applications must post to the value of this attribute.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: Any valid URL.
Default Value: /dsml
Syntax: DirectoryString
Example:
ds-hdsml-rooturl: /dsml
ds-hdsml-secureport
The port number used for secure DSML communications (over SSL). The selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 requires Directory Server to run as super user. Note that you must restart the server for a port number change to be taken into account.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: 1-65535
Default Value: None
Syntax: Integer
Example:
ds-hdsml-secureport: 1443
ds-hdsml-soapschemalocation
The path to the SOAP schema. This is generated automatically and should not be changed.
Entry DN: cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Valid Range: Any valid path to the directory storing the SOAP schema.
Default Value: ServerRoot/lib/soap-env.xsd
Syntax: DirectoryString
Example:
ds-hdsml-soapschemalocation: /var/ds5/slapd-myServer/lib/soap-env.xsd
Implementation of the DSMLv2 Standard
The complete DSMLv2 specification and supporting documentation can be found at the following locations:
http://www.oasis-open.org/committees/dsml/docs/DSMLv2.xsd
http://www.oasis-open.org/committees/dsml/docs/DSMLv2.doc
The Sun Java System Directory Server implementation of this specification is complete, with the following restrictions:
Content of the HTTP Header
Sun Java System Directory Server supports only the HTTP POST operation. The following example shows the minimum fields required to send a DSML request to the server over HTTP:
POST /dsml HTTP/1.1
content-length: 450
HOST: hostMachine
SOAPAction: ""
Content-Type: text/xml
Connection: close
The Connection field is optional. In HTTP 1.0, the default value of this field is close. In HTTP 1.1, however, the default value is keep-alive. It is therefore recommended that you include this field with a value of close in your last request if you are using HTTP 1.1, to accelerate the dialog.
Additional fields may be included in the HTTP header. If they are supported by Directory Server, their values will override the defaults. If the fields are not supported, the request will not be rejected by the server but the fields will be ignored.
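As an added illustration (not code from the Sun documentation or product), the following Python builds a DSMLv2 SOAP search request, wraps it in the minimal header set shown above, pre-checks it against the default ds-hdsml-requestmaxsize, and parses a constructed searchResponse. The host name, base DN and response contents are made-up values.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
DSML_NS = "urn:oasis:names:tc:DSML:2:0:core"

def build_search_body(base_dn, present_attr, scope="wholeSubtree"):
    """Return a SOAP envelope carrying one DSMLv2 searchRequest with a
    presence filter (e.g. (uid=*)); scope uses the DSMLv2 keyword names."""
    env = ET.Element(ET.QName(SOAP_NS, "Envelope"))
    body = ET.SubElement(env, ET.QName(SOAP_NS, "Body"))
    batch = ET.SubElement(body, ET.QName(DSML_NS, "batchRequest"))
    req = ET.SubElement(batch, ET.QName(DSML_NS, "searchRequest"), dn=base_dn,
                        scope=scope, derefAliases="neverDerefAliases")
    flt = ET.SubElement(req, ET.QName(DSML_NS, "filter"))
    ET.SubElement(flt, ET.QName(DSML_NS, "present"), name=present_attr)
    return ET.tostring(env, encoding="utf-8")

def build_http_post(host, body, root_url="/dsml", last_request=True):
    """Assemble the minimal header set the page lists; Connection: close is
    added on the last request so an HTTP/1.1 server does not keep the socket."""
    lines = [f"POST {root_url} HTTP/1.1", f"content-length: {len(body)}",
             f"HOST: {host}", 'SOAPAction: ""', "Content-Type: text/xml"]
    if last_request:
        lines.append("Connection: close")
    return "\r\n".join(lines).encode("ascii") + b"\r\n\r\n" + body

def within_request_limit(body, requestmaxsize=32768):
    """Client-side mirror of ds-hdsml-requestmaxsize (page default 32768):
    larger bodies get REQUEST_ENTITY_TOO_LARGE and a closed connection."""
    return len(body) <= requestmaxsize

def parse_search_response(xml_bytes):
    """Return [(dn, {attr: [values]})] from a DSMLv2 searchResponse."""
    entries = []
    for entry in ET.fromstring(xml_bytes).iter(f"{{{DSML_NS}}}searchResultEntry"):
        attrs = {a.get("name"): [v.text for v in a.findall(f"{{{DSML_NS}}}value")]
                 for a in entry.findall(f"{{{DSML_NS}}}attr")}
        entries.append((entry.get("dn"), attrs))
    return entries

# Constructed response, shaped like what the frontend returns for a search.
SAMPLE_RESPONSE = (
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b'<soap:Body><dsml:batchResponse xmlns:dsml="urn:oasis:names:tc:DSML:2:0:core">'
    b'<dsml:searchResponse><dsml:searchResultEntry dn="uid=bjensen,ou=People,dc=example,dc=com">'
    b'<dsml:attr name="cn"><dsml:value>Barbara Jensen</dsml:value></dsml:attr>'
    b'</dsml:searchResultEntry><dsml:searchResultDone><dsml:resultCode code="0"/>'
    b'</dsml:searchResultDone></dsml:searchResponse></dsml:batchResponse>'
    b'</soap:Body></soap:Envelope>')
```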
Retro Changelog Plug-In Attributes
Two different types of changelogs are maintained by Sun Java System Directory Server 5.2. The first type, referred to as changelog, is used by multi-master replication and the second changelog, which is in fact a plug-in referred to as retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory Server 4.x versions.
This Retro Changelog plug-in is used to record modifications made to a supplier server. When the supplier server’s directory is modified, an entry is written to the Retro Changelog that contains:
Through the Retro Changelog plug-in, you access the changes made to Directory Server by searching under “cn=changelog,cn=config”.
nsslapd-changelogdir
This attribute specifies the name of the directory in which the changelog database is created the first time the plug-in is run. By default the database is stored with all the other databases under:
ServerRoot/slapd-serverID/db/changelog
Note
For performance reasons you will probably want to store this database on a different physical disk.
Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Range: Any valid path to the directory.
Default Value: None
Syntax: DirectoryString
Example:
nsslapd-changelogdir: /var/slapd-serverID/changelog
nsslapd-changelogmaxage (Max Changelog Age)
Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp older than the value specified in this attribute is removed. This attribute is not present by default; when it is absent, there is no age limit on change log records.
Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Range: 0 (meaning that entries are not removed according to their age) to the maximum 32 bit integer value (2147483647).
Default Value: 0
Syntax: DirectoryString of the form IntegerAgeID, where AgeID is “s” for seconds, “m” for minutes, “h” for hours, “d” for days, or “w” for weeks.
Example:
nsslapd-changelogmaxage: 30d
nsslapd-changelogmaxentries (Max Changelog Entries)
Specifies the maximum number of entries in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers.
Entry DN: cn=Retro Changelog Plugin,cn=plugins,cn=config
Valid Range: 0 (no limit to the number of entries) to the maximum 32 bit integer value (2147483647).
Default Value: 0
Syntax: Integer
Example:
nsslapd-changelogmaxentries: 0
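An added example, not part of the Sun documentation: this Python parses the IntegerAgeID form of nsslapd-changelogmaxage and applies both retention limits (age and nsslapd-changelogmaxentries) to a constructed list of changelog records. The records, the clock value, and the assumption that age is applied before the entry cap are all made up for the illustration.

```python
import re
from datetime import datetime, timedelta, timezone

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def parse_max_age(value):
    """Convert an IntegerAgeID value such as '30d' to seconds; '0' (the page's
    default) means no age limit. A bare integer is taken as seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip())
    if not m:
        raise ValueError(f"invalid nsslapd-changelogmaxage: {value!r}")
    count, unit = int(m.group(1)), m.group(2) or "s"
    return count * _UNIT_SECONDS[unit]

def trim_changelog(records, max_age, max_entries, now):
    """Return the records that survive both limits.

    records: list of (changenumber, changetime) sorted oldest first.
    max_age: nsslapd-changelogmaxage string; max_entries: integer (0 = no cap).
    Assumed order: the age limit is applied first, then the cap drops the oldest."""
    keep = records
    age_seconds = parse_max_age(max_age)
    if age_seconds:
        cutoff = now - timedelta(seconds=age_seconds)
        keep = [r for r in keep if r[1] >= cutoff]
    if max_entries > 0 and len(keep) > max_entries:
        keep = keep[-max_entries:]
    return keep

# Constructed changelog: (changenumber, time of the change), oldest first.
NOW = datetime(2004, 6, 1, tzinfo=timezone.utc)
RECORDS = [(n, NOW - timedelta(days=d)) for n, d in
           [(1, 45), (2, 31), (3, 20), (4, 5), (5, 1)]]
```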
Subtree Entry Counter Plug-In Attributes
The subtree entry counter plug-ins maintain a count of entries with a particular object class. The counter attributes are listed in Table 2-15.
Table 2-15 Subtree Entry Counter Plug-In Attributes
nsNumDepts: Either the number of departments within a domain, or the number of departments within a department (nested departments), depending on the DN of the entry.
nsNumDomains: Either the number of total domains, or the number of domains within a domain (nested domains), depending on the DN of the entry.
nsNumMailLists: Number of mail lists.