Sun Java(TM) System Directory Server 5 2004Q2 Administration Reference
Chapter 1
Command-Line Tools Reference
This chapter contains reference information on the command-line tools provided with Directory Server. This chapter is divided into the following sections:
Paths to Command-Line Tools
This section covers the following:
Locations and Brief Descriptions
After configuration is complete, Directory Server command-line tools include the directoryserver wrapper to the other tools (/usr/sbin/directoryserver on Solaris systems, and /opt/sun/sbin/directoryserver on Red Hat systems), and many individual standalone tools under the ServerRoot directory where Directory Server instances are located (by default /var/opt/mps/serverroot, but typically customized during configuration). Table 1-1 lists the subcommands and what they do. For a list of options for the directoryserver wrapper itself, refer to directoryserver.
LDAP client commands, ldapcompare, ldapdelete, ldapmodify, ldapsearch, are provided as part of the Directory Server Resource Kit. Refer to the Directory Server Resource Kit Tools Reference for details.
Table 1-1 Command-Line Tools Quick Reference

| Command | Brief Description |
|---|---|
| prefix/sbin/directoryserver account-activate [1] | Activates an entry or group of entries |
| prefix/sbin/directoryserver account-inactivate | Inactivates an entry or group of entries |
| prefix/sbin/directoryserver account-status | Establishes account status |
| prefix/sbin/directoryserver admin_ip | Changes Administration Server IP address |
| prefix/sbin/directoryserver bak2db | Restores a database from backup |
| prefix/sbin/directoryserver bak2db-task | Restores a database from backup online |
| prefix/sbin/directoryserver configure | Configures a Directory Server instance |
| prefix/sbin/directoryserver db2bak | Creates a database backup archive |
| prefix/sbin/directoryserver db2bak-task | Creates a database backup archive online |
| prefix/sbin/directoryserver db2index-task | Creates and generates indexes online |
| prefix/sbin/directoryserver db2ldif | Exports database contents to LDIF |
| prefix/sbin/directoryserver db2ldif-task | Exports database contents to LDIF online |
| prefix/sbin/directoryserver idsktune | Checks patches and verifies system tuning |
| prefix/sbin/directoryserver ldif | Base64 encodes data for inclusion in LDIF |
| prefix/sbin/directoryserver ldif2db | Imports database contents from LDIF |
| prefix/sbin/directoryserver ldif2db-task | Imports database contents from LDIF online |
| prefix/sbin/directoryserver ldif2ldap | Imports data from LDIF over LDAP online |
| prefix/sbin/directoryserver magt | Starts the master SNMP agent |
| prefix/sbin/directoryserver mmldif | Combines multiple LDIF files |
| prefix/sbin/directoryserver monitor | Retrieves performance monitoring information |
| prefix/sbin/directoryserver nativetoascii | Converts one language encoding to another |
| prefix/sbin/directoryserver pwdhash | Prints the encrypted form of a password |
| prefix/sbin/directoryserver restart | Restarts a Directory Server instance |
| prefix/sbin/directoryserver restart-admin | Restarts Administration Server |
| prefix/sbin/directoryserver restoreconfig | Restores the Administration Server configuration |
| prefix/sbin/directoryserver sagt | Starts the proxy SNMP agent |
| prefix/sbin/directoryserver saveconfig | Saves the Administration Server configuration |
| prefix/sbin/directoryserver start | Starts a Directory Server instance |
| prefix/sbin/directoryserver start-admin | Starts Administration Server |
| prefix/sbin/directoryserver startconsole | Starts Server Console |
| prefix/sbin/directoryserver stop | Stops a Directory Server instance |
| prefix/sbin/directoryserver stop-admin | Stops Administration Server |
| prefix/sbin/directoryserver suffix2instance | Maps a suffix to a backend name |
| prefix/sbin/directoryserver sync-cds | Updates version in configuration directory server |
| prefix/sbin/directoryserver unconfigure | Removes a Directory Server instance |
| prefix/sbin/directoryserver vlvindex | Creates virtual list view indexes |
| ServerRoot/bin/slapd/admin/bin/migrateInstance5 | Migrates data from a previous version |
| ServerRoot/bin/slapd/server/ns-slapd db2index | Creates and generates indexes |
| ServerRoot/sbin/entrycmp | Compares the same entry in multiple replicas |
| ServerRoot/sbin/fildif | Creates a filtered version of an LDIF file |
| ServerRoot/sbin/insync | Indicates synchronization between multiple replicas |
| ServerRoot/sbin/repldisc | Discovers a replication topology |
| ServerRoot/slapd-serverID/schema_push.pl [2] | Updates schema modification time stamps |

[1] Here prefix is, by default, /usr on Solaris systems, /opt/sun on Red Hat systems.
[2] Here serverID reflects the name of the Directory Server instance defined during configuration.
Table of Correspondences
Many standalone tools have subcommand counterparts under the directoryserver wrapper command. Table 1-2 lists individual tool command names next to the corresponding tools wrapped by the directoryserver command.
Table 1-2 Command-Line Tools Table of Correspondences

| Standalone Tool | Wrapper and Subcommand |
|---|---|
| none | directoryserver nativetoascii |
| ServerRoot/bin/slapd/admin/bin/migrateInstance5 | none |
| ServerRoot/bin/slapd/server/idsktune | directoryserver idsktune |
| ServerRoot/bin/slapd/server/ldif | directoryserver ldif |
| ServerRoot/bin/slapd/server/mmldif | directoryserver mmldif |
| ServerRoot/bin/slapd/server/ns-slapd db2index | none |
| ServerRoot/bin/slapd/server/pwdhash | directoryserver pwdhash |
| ServerRoot/plugins/snmp/magt/magt | directoryserver magt |
| ServerRoot/plugins/snmp/sagt/sagt | directoryserver sagt |
| ServerRoot/restart-admin | directoryserver restart-admin |
| ServerRoot/sbin/entrycmp | none |
| ServerRoot/sbin/fildif | none |
| ServerRoot/sbin/insync | none |
| ServerRoot/sbin/repldisc | none |
| ServerRoot/shared/bin/admin_ip.pl | directoryserver admin_ip |
| ServerRoot/slapd-serverID/bak2db | directoryserver bak2db |
| ServerRoot/slapd-serverID/bak2db.pl | directoryserver bak2db-task |
| ServerRoot/slapd-serverID/db2bak | directoryserver db2bak |
| ServerRoot/slapd-serverID/db2bak.pl | directoryserver db2bak-task |
| ServerRoot/slapd-serverID/db2index.pl | directoryserver db2index-task |
| ServerRoot/slapd-serverID/db2ldif | directoryserver db2ldif |
| ServerRoot/slapd-serverID/db2ldif.pl | directoryserver db2ldif-task |
| ServerRoot/slapd-serverID/ldif2db | directoryserver ldif2db |
| ServerRoot/slapd-serverID/ldif2db.pl | directoryserver ldif2db-task |
| ServerRoot/slapd-serverID/ldif2ldap | directoryserver ldif2ldap |
| ServerRoot/slapd-serverID/monitor | directoryserver monitor |
| ServerRoot/slapd-serverID/ns-accountstatus.pl | directoryserver account-status |
| ServerRoot/slapd-serverID/ns-activate.pl | directoryserver account-activate |
| ServerRoot/slapd-serverID/ns-inactivate.pl | directoryserver account-inactivate |
| ServerRoot/slapd-serverID/restart-slapd | directoryserver restart |
| ServerRoot/slapd-serverID/restoreconfig | directoryserver restoreconfig |
| ServerRoot/slapd-serverID/saveconfig | directoryserver saveconfig |
| ServerRoot/slapd-serverID/schema_push.pl | none |
| ServerRoot/slapd-serverID/start-slapd | directoryserver start |
| ServerRoot/slapd-serverID/stop-slapd | directoryserver stop |
| ServerRoot/slapd-serverID/suffix2instance | directoryserver suffix2instance |
| ServerRoot/slapd-serverID/vlvindex | directoryserver vlvindex |
| ServerRoot/start-admin | directoryserver start-admin |
| ServerRoot/startconsole | directoryserver startconsole |
| ServerRoot/stop-admin | directoryserver stop-admin |
| setup (no longer extant) [1] | directoryserver configure |
| uninstall (no longer extant) [2] | directoryserver unconfigure |

[1] Installation and configuration currently are separate operations. Earlier versions performed both as part of the setup process.
[2] Unconfiguration and uninstallation currently are separate operations. Earlier versions performed both as part of uninstallation.
Local Character Sets and UTF-8
Where possible, use iconv(1) to convert to UTF-8 before importing LDIF into Directory Server, and before viewing LDIF exported or output from Directory Server.
You can also use ldapsearch, described in the Directory Server Resource Kit Tools Reference. If you set the LANG environment variable to reflect the appropriate locale, and use ldapsearch with the -i charset and -e options, Directory Server accepts your local character set and also minimizes base64 encoding of values returned by the search.
Tools Reference
This section covers the command-line tools in detail, in alphabetical order by command or subcommand name. Refer to Table 1-1 and Table 1-2 for information on where to find each tool, and for brief descriptions.
account-activate
Activates an entry or group of entries. For details on inactivating and activating accounts, refer to the Directory Server Administration Guide.
Syntax
directoryserver account-activate [-D rootDN]
{-w password | -w - | -j filename } [-h host] [-p port] -I DN
Standalone
ns-activate.pl
Options
account-inactivate
Inactivates, and thus locks, an entry or group of entries. For details on inactivating and activating accounts, refer to the Directory Server Administration Guide.
Standalone
ns-inactivate.pl
Syntax
directoryserver account-inactivate [-D rootDN]
{-w password | -w - | -j filename } [-h host] [-p port] -I DN
Options
account-status
Provides account status information to establish whether an entry or group of entries is inactivated or not. For details on inactivating and activating accounts, refer to the Directory Server Administration Guide.
Syntax
directoryserver account-status [-D rootDN]
{-w password | -w - | -j filename } [-h host] [-p port] -I DN
Standalone
ns-accountstatus.pl
Options
admin_ip
When your system’s IP address changes, you must update the local Administration Server configuration file and the configuration directory. If you do not enter the new IP address in these locations, you will not be able to start the Administration Server. admin_ip changes the IP address for an instance of Administration Server in both the local.conf file and the configuration directory.
Standalone
admin_ip.pl
Usage
Enter the following:
directoryserver admin_ip Directory_Manager_DN Directory_Manager_password old_IP new_IP [port]
The old IP address is saved in a file called local.conf.old.
bak2db
Restores the database from the most recent archived backup. Stop Directory Server before running this subcommand.
Syntax
directoryserver bak2db backup_directory
Standalone
bak2db
For more information on restoring databases, refer to Chapter 4, “Backing Up and Restoring Data” in the Directory Server Administration Guide.
bak2db-task
bak2db-task creates an entry in the directory that launches this dynamic task. An entry is generated based upon the values you provide for each option. Directory Server must be running for this tool to work.
Syntax
directoryserver bak2db-task [-v] -D rootDN {-w password | -w - | -j filename }
-a backup_directory [-t databasetype]
Standalone
bak2db.pl
Options
configure
Configures a Directory Server instance. The configure subcommand has two modes of operation. You can invoke it with a curses-based interaction to gather input. Alternatively, you can provide input in a configuration file using the -f option.
Syntax
directoryserver configure [-f configuration_file]
Standalone
None.
Options
Table 1-7 configure Options

| Option | Meaning |
|---|---|
| -f | Specifies the configuration file for silent installation. |
db2bak
Creates a backup of the current database contents. This tool can be executed while the server is running.
Syntax
directoryserver db2bak [backup_directory]
Standalone
db2bak
The default backup_directory is ServerRoot/slapd-serverID/bak. The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss).
db2bak-task
db2bak-task creates an entry in the directory that launches this dynamic task. An entry is generated based upon the values you provide for each option. Directory Server must be running for this tool to work.
Syntax
directoryserver db2bak-task [-v] -D rootDN {-w password | -w - | -j filename }
-a backup_directory [-t databasetype]
Standalone
db2bak.pl
Options
db2index-task
Creates and generates the new set of indexes to be maintained following the modification of indexing entries in the cn=config configuration file. Note that indexes are generated only for those attributes that are present in the database configuration as index attributes. Directory Server must be running for this tool to work.
Syntax
directoryserver db2index-task [-v] -D rootDN
{-w password | -w - | -j filename } -n backend_instance [-t attributeName]
Standalone
db2index.pl
Options
Note
This tool creates an entry in the directory that launches this dynamic task. An entry is generated based upon the values you provide for each option.
There is no task available for VLV indexes.
db2ldif
Exports the contents of the database to LDIF. This tool can be executed while the server is still running.
Syntax
directoryserver db2ldif {-n backend_instance}* | {-s includesuffix}*
[{-x excludesuffix}*] [-r] [-C] [-u] [-U] [-m] [-M] [-a outputfile] [-1] [-N]
[-Y keydb-pwd] [-y keydb-pwd-file]
Standalone
db2ldif
Options
db2ldif-task
Exports the contents of the database to LDIF. This tool creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. The * indicates that multiple occurrences are allowed.
Directory Server must be running and you must specify either -n backend_instance or -s includesuffix for this tool to work.
Syntax
directoryserver db2ldif-task [-v] -D rootDN
{-w password | -w - | -j filename } {-n backend_instance}* | {-s includesuffix}*
[{-x excludesuffix}*] [-a outfile] [-N] [-r] [-C] [-u] [-U] [-m] [-o] [-1] [-M]
[-Y keydb-pwd] [-y keydb-pwd-file]
Standalone
db2ldif.pl
Options
directoryserver
This command wraps many of the tools as subcommands, setting command paths and library paths as necessary so you can use the subcommands without having to remember where the standalone tools reside.
For details on each subcommand, refer to the individual entries in this chapter.
Syntax
directoryserver help [subcommand]
directoryserver -g|-getdefaultversion
directoryserver -l|-listversions
directoryserver {-s|-server} serverID subcommand
directoryserver -s|-setdefaultversion
directoryserver -u|-useversion version subcommand
Options and Arguments
entrycmp
The entrycmp tool compares the same entry on two or more different servers. Use it to troubleshoot replication of a particular entry present in two different Directory Server instances. An entry is retrieved from the master and the entry’s nsuniqueid is used to retrieve the same entry from a specified consumer. All the attributes and values of the two entries are compared. If they are identical, the entries are considered to be the same.
Background
Before describing how this tool works, it is important that you understand the following general replication information.
A Replication Update Vector (RUV) is maintained on each replica. The RUV identifies each master replica within the topology, its Replica ID, and the latest change on each master, expressed as a Change Sequence Number (CSN). A CSN identifies each change made to a master server. A CSN consists of a timestamp, a sequence number, the master Replica ID, and a subsequence number.
The node on which you are running the insync and entrycmp tools must be able to reach all the specified hosts. If the hosts are unreachable due to a firewall, VPN, or other network setup reasons, you will encounter difficulties using these tools. For the same reason, you should ensure that all the servers are up and running before attempting to use the replication monitoring tools.
This replication monitoring tool connects to the server(s) via LDAP and relies on access to cn=config to obtain the replication status. You must therefore have read access to the data under cn=config. This should be taken into account particularly when replication is configured over SSL.
Syntax
You must run this tool from the directory where it resides.
cd ServerRoot/sbin/
./entrycmp [-D binddn] [-w password] [-n] [-p port] [-e SSL port] [-j file]
[-J file] [-W keypasswd] [-K keydbpath] [-N certname] [-P certdbpath]
ServerSpec entryDN
Note that the ServerSpec option includes the -s and -c options.
Options
entrycmp takes the following options:
Note
When identifying hosts, you must use either symbolic names or IP addresses for all hosts. Using a combination of the two can cause problems.
SSL Options
You can use the following options to specify use of LDAPS when communicating with Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured. For more information on certificate-based authentication and how to create a certificate database for use with LDAP clients, refer to Chapter 11, “Managing SSL” in the Directory Server Administration Guide.
You must specify the Directory Server’s encrypted port when you use the SSL options:
Caution
When running the replication monitoring tools over SSL, the server on which you are running the tools must have a copy of all the certificates used by the other servers in the topology.
Examples
- Basic example
# ./entrycmp -s "cn=directory manager:password@portugal:1389"
-c "cn=directory manager:password@france:2389" "ou=people,dc=example,dc=com"
entrycmp: france:2389 - entries match
- SSL example
# ./entrycmp -n -K ServerRoot/alias/slapd-S1-key3.db
-P ServerRoot/alias/slapd-S1-cert7.db -W password -N "MyCertificate" -S "portugal:24211" -C "france:24213" "ou=people,dc=example,dc=com"
fildif
This utility enables you to create a filtered version of any LDIF input file. fildif does not require Directory Server to be running, but you must run this tool from the directory where it resides.
fildif takes a configuration file as an input parameter. This configuration file must conform to the configuration rules of the Filtering Service included as part of Directory Server, and must contain the specific set and element entries that define these rules. The configuration rules can be defined using the Server Console or at the command line. For more information on the Filtering Service and how it is configured, refer to Chapter 8, “Managing Replication” in the Directory Server Administration Guide.
Directory Server allows you to configure the following filtering rules:
A filtering service configuration is accessed through a pointer entry. The pointer entry is provided to fildif with the -b parameter. A pointer attribute within this entry (provided by the -a parameter) determines the RDN of the filtering service configuration entry to be used for the filtering.
Syntax
cd ServerRoot/sbin/
./fildif -i input_file [-f] [-o output_file] [-c config_file] -b pointer_entry [-a pointer_attr]
Options
Exit Status
The following exit values are returned:
On error, verbose error messages are output to standard output.
Example
# ./fildif -i data.ldif -o filt_data.ldif -f -c config_fildif.ldif
-b "cn=conf_20,cn=sets,cn=filtering service,cn=features,cn=config"
-a ds5PartialReplConfiguration
idsktune
Provides an easy and reliable way of checking the patch levels and kernel parameter settings for your system. You must install Directory Server before you can run idsktune. It gathers information about the operating system, kernel, and TCP stack to make tuning recommendations.
Syntax
directoryserver idsktune [-c] [-D] [-i installdir] [-q] [-v]
Standalone
idsktune
Options
insync
The insync tool indicates the synchronization state between a master replica and one or more consumer replicas. insync compares the RUVs of replicas and displays the time difference or delay (in seconds) between the servers.
Background
Before describing how this tool works, it is important that you understand the following general replication information.
A Replication Update Vector (RUV) is maintained on each replica. The RUV identifies each master replica within the topology, its Replica ID, and the latest change on each master, expressed as a Change Sequence Number (CSN). A CSN identifies each change made to a master server. A CSN consists of a timestamp, a sequence number, the master Replica ID, and a subsequence number.
The node on which you are running the insync and entrycmp tools must be able to reach all the specified hosts. If the hosts are unreachable due to a firewall, VPN, or other network setup reasons, you will encounter difficulties using these tools. For the same reason, you should ensure that all the servers are up and running before attempting to use the replication monitoring tools.
This replication monitoring tool connects to the server(s) via LDAP and relies on access to cn=config to obtain the replication status. You must therefore have read access to the data under cn=config. This should be taken into account particularly when replication is configured over SSL.
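How comparing RUVs yields a delay in seconds, as an added Python example (not Directory Server code and not the insync implementation). It assumes CSNs are written as 20 hexadecimal digits laid out as timestamp (8), sequence number (4), Replica ID (4) and subsequence number (4); the RUV values are constructed.

```python
import string
from typing import Dict, NamedTuple, Optional


class CSN(NamedTuple):
    """Fields in the order the Background lists them; tuple order is change order."""
    timestamp: int   # seconds since the Unix epoch
    seqnum: int      # orders changes made within the same second
    replica_id: int  # master replica that originated the change
    subseq: int      # orders the parts of a single change


def parse_csn(text: str) -> CSN:
    """Parse a CSN string. ASSUMPTION: 20 hex digits, split 8/4/4/4."""
    if len(text) != 20 or any(c not in string.hexdigits for c in text):
        raise ValueError(f"not a 20-hex-digit CSN: {text!r}")
    return CSN(int(text[0:8], 16), int(text[8:12], 16),
               int(text[12:16], 16), int(text[16:20], 16))


def parse_ruv(raw: Dict[int, str]) -> Dict[int, CSN]:
    """Turn {replica_id: csn_string} into parsed CSNs, checking the IDs agree."""
    ruv = {}
    for rid, text in raw.items():
        csn = parse_csn(text)
        if csn.replica_id != rid:
            raise ValueError(f"CSN {text} does not belong to replica {rid}")
        ruv[rid] = csn
    return ruv


def delays(supplier: Dict[int, CSN],
           consumer: Dict[int, CSN]) -> Dict[int, Optional[int]]:
    """Per-master lag of the consumer behind the supplier, in seconds.

    0    -> caught up, or behind by less than one second
    N    -> consumer's latest change is N seconds older than the supplier's
    None -> consumer has never seen a change from that master
    """
    result = {}
    for rid, latest in supplier.items():
        seen = consumer.get(rid)
        if seen is None:
            result[rid] = None
        elif seen >= latest:
            result[rid] = 0
        else:
            result[rid] = latest.timestamp - seen.timestamp
    return result


# Constructed RUVs: replica ID -> latest CSN known for that master.
SUPPLIER_RUV = parse_ruv({1: "3cdd2a54000000010000", 2: "3cdd2a56000100020000"})
CONSUMER_RUV = parse_ruv({1: "3cdd2a54000000010000", 2: "3cdd2a54000000020000"})

if __name__ == "__main__":
    for rid, lag in sorted(delays(SUPPLIER_RUV, CONSUMER_RUV).items()):
        print(f"master {rid}: delay {lag}")
```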
Syntax
You must run this tool from the directory where it resides.
cd ServerRoot/sbin/
./insync [-D binddn] [-w password] [-n] [-d] [-t] [-p port] [-e SSL port]
[-j file] [-J file] [-W keypasswd] [-K keydbpath] [-N certname] [-P certdbpath]
[-b ReplicaRoot] ServerSpec [interval]
Note that the ServerSpec option includes the -s and -c options.
Options
insync takes the following options:
Note
When identifying hosts, you must use either symbolic names or IP addresses for all hosts. Using a combination of the two can cause problems.
SSL Options
You can use the following options to specify use of LDAPS when communicating with Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured. For more information on certificate-based authentication and how to create a certificate database for use with LDAP clients, refer to Chapter 11, “Managing SSL” in the Directory Server Administration Guide.
You must specify the Directory Server’s encrypted port when you use the SSL options:
Caution
When running the replication monitoring tools over SSL, the server on which you are running the tools must have a copy of all the certificates used by the other servers in the topology.
Examples
- Specifying one supplier, one consumer, and a repetition interval of 30 seconds. Note that the delay changes to 2, indicating that the consumer is 2 seconds behind the supplier at this point.
# ./insync -s "cn=directory manager:password@portugal:1389"
-c "cn=directory manager:password@france:2389" 30
ReplicaDn Consumer Supplier Delay
l=Europe,o=example.com france:2389 portugal:1389 0
l=States,o=example.com france:2389 portugal:1389 0
l=Europe,o=example.com france:2389 portugal:1389 2
l=States,o=example.com france:2389 portugal:1389 2
l=Europe,o=example.com france:2389 portugal:1389 0
l=States,o=example.com france:2389 portugal:1389 0
- Requesting the date of the last change and restricting the output data to the DN o=example.com:
# ./insync -s "cn=directory manager:password@portugal:1389" -b o=example.com -d
ReplicaDn Consumer Supplier Delay Last Update
l=Europe,o=example.com france:2389 portugal:1389 0 05/12/2002 16:05:08
l=States,o=example.com france:2389 portugal:1389 0 05/12/2002 16:05:08
- Using certificate-based authentication
# ./insync -n -K ServerRoot/alias/slapd-S1-key3.db
-P ServerRoot/alias/slapd-S1-cert7.db -W password -N "MyCertificate" -S "portugal:24211" -C "france:24213"
ldif
The ldif subcommand formats input by adding base 64 encoding to make it suitable for inclusion in an LDIF file. This makes it easy to include binary data, such as JPEG images, along with other textual attribute values. In an LDIF file, base 64 encoded attribute values are indicated by a :: after the attribute name, for example:
jpegPhoto:: encoded data
In addition to binary data, other values that must be base 64 encoded include:
The ldif command-line utility takes any input and formats it with the correct line continuation and appropriate attribute information.
To undo base 64 encodings in LDIF files, you can use the ldifxform utility in the Directory Server Resource Kit (DSRK), with the -c nob64 option. Note, however, that the resulting file may not be reparsable as LDIF. For more information on the tools provided with the DSRK, refer to the Directory Server Resource Kit Tools Reference.
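The encoding decision and line continuation described above, as an added Python example (not the ldif tool's source). It follows the safe-string rules of RFC 2849; the 76-column fold width and the function names are assumptions of this example.

```python
import base64
from typing import List, Tuple

FOLD_WIDTH = 76  # ASSUMPTION: conventional LDIF line width; the page gives no number


def needs_base64(value: bytes) -> bool:
    """True when the value is not an RFC 2849 SAFE-STRING."""
    if not value:
        return False
    if value[0] in b" :<":       # a leading space, colon or '<' is ambiguous
        return True
    if value[-1:] == b" ":       # a trailing space would be lost by editors
        return True
    # NUL, LF, CR and any non-ASCII byte (binary data, UTF-8) are unsafe anywhere.
    return any(b in (0, 10, 13) or b > 127 for b in value)


def fold(line: str, width: int = FOLD_WIDTH) -> str:
    """Fold one logical line; each continuation line starts with one space."""
    if len(line) <= width:
        return line
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[: width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def ldif_attr(attr: str, value: bytes) -> str:
    """Render one attribute value, using '::' when base64 is required."""
    if needs_base64(value):
        line = f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    else:
        line = f"{attr}: {value.decode('ascii')}"
    return fold(line)


def unfold(text: str) -> List[str]:
    """Rejoin continuation lines into logical lines."""
    logical: List[str] = []
    for raw in text.split("\n"):
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        elif raw:
            logical.append(raw)
    return logical


def parse_attr(logical_line: str) -> Tuple[str, bytes]:
    """Inverse of ldif_attr for one unfolded line."""
    attr, _, rest = logical_line.partition(":")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip())
    return attr, rest.lstrip(" ").encode("ascii")


if __name__ == "__main__":
    print(ldif_attr("cn", b"Barbara Jensen"))
    print(ldif_attr("jpegPhoto", bytes(range(256))))  # constructed binary value
```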
Syntax
directoryserver ldif [-b] [attrtypes]
Standalone
ldif
Options
ldif2db
Imports directory contents from LDIF. To run this tool Directory Server must be stopped.
Notes
1. ldif2db supports LDIF version 1 specifications. You can load an attribute using the :< URL specifier notation. For example:
jpegphoto:< file:///tmp/myphoto.jpg
Although the official notation requires three ///, the use of one / is tolerated. For more information on the LDIF format, refer to Chapter 7, "LDAP Data Interchange Format Reference."
2. The default behavior of a read-write replica that has been initialized either online or offline from a backup or an LDIF file is NOT to accept client update requests. The replica will remain in read-only mode and refer any update operations to other suppliers in the topology until the administrator does one of the following:
- changes the duration of the read-only mode default period using the ds5referralDelayAfterInit attribute
- manually resets the server to read-write mode using the ds5BeginReplicaAcceptUpdates attribute (once the replica has completely converged with the other suppliers in the topology)
The second option is advised because it does not present non-convergence risks. For more information, refer to Chapter 8, “Managing Replication” in the Directory Server Administration Guide.
Syntax
directoryserver ldif2db -n backend_instance | {-s includesuffix}*
[{-x excludesuffix}*] {-i ldif-file}* [-O] [-Y keydb-pwd] [-y keydb-pwd-file]
Standalone
ldif2db
Options
ldif2db-task
ldif2db-task creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. Directory Server must be running for this tool to work.
Syntax
directoryserver ldif2db-task [-v] -D rootDN {-w password | -w - | -j filename }
-n backend_instance | {-s includesuffix}* [{-x excludesuffix}*] [-O] [-c] [-g string]
[-G namespace_id] {-i filename}*
Standalone
ldif2db.pl
Options
ldif2ldap
Performs an import operation over LDAP to Directory Server. Directory Server must be running for this tool to work.
Syntax
directoryserver ldif2ldap -D rootDN -w password -f filename
Standalone
ldif2ldap
Options
Table 1-21 ldif2ldap Options

| Option | Meaning |
|---|---|
| -D | User DN with root permissions, such as Directory Manager. |
| -f | File name of the file to be imported. |
| -w | Password associated with the user DN. |
magt
Starts the SNMP master agent. By default, the CONFIG and INIT files are located in basedir/plugins/snmp/magt. For details, refer to the Directory Server Administration Guide.
Syntax
directoryserver magt CONFIG INIT
Standalone
magt
Arguments
migrateInstance5
The migrateInstance5 Perl script (note that this is a Perl script despite the fact that it does not have the .pl extension) migrates database content, configuration data, and schema from a Directory Server instance created using an earlier version of the product to a Directory Server instance using the current version of the product. Both instances must be installed on the same host system.
For complete information on upgrade and migration, refer to the Directory Server Installation and Migration Guide.
Before performing the migration, check that the user-defined variables contain the following associated values:
Syntax
migrateInstance5 -D rootDN {-w password | -w - | -j filename}
-n backend_instance -p port -o oldInstancePath -n newInstancePath [-t] [-L]
Options
mmldif
Combines multiple LDIF files into a single authoritative set of entries. Typically each LDIF file is from a master server cooperating in a multi-master replication agreement (for example, masters that refuse to sync up for whatever reason). Optionally, it can generate LDIF change files that could be applied to the original to bring it up to date with the authoritative version. At least two input files must be specified.
Syntax
directoryserver mmldif [-c] [-D] [-o out.ldif] inputfile ...
Standalone
mmldif
Options
monitor
Retrieves performance monitoring information using the ldapsearch command-line utility. Directory Server must be running for this tool to work.
Syntax
directoryserver monitor
Standalone
monitor
Options
There are no options for this tool.
For more information on the ldapsearch command-line utility, refer to the Directory Server Resource Kit Tools Reference.
nativetoascii
This subcommand is deprecated. Use iconv(1) instead.
ns-slapd db2index
Creates and regenerates indexes.
Syntax
ns-slapd db2index -D instancedir [-d debug_level] -n backend_name {-t attribute_type}*
{-T VLVSearchName}*
Options

| Option | Meaning |
|---|---|
| -d | Specifies the debug level to use during index creation. For further information refer to nsslapd-errorlog-level (Error Log Level). |
| -D | Specifies the server configuration directory that contains the configuration information for the index creation process. You must specify the full path to the slapd-serverID directory. |
| -n | Specifies the name of the backend containing the entries to index. |
| -t | Specifies the attribute to be indexed as well as the types of indexes to create and matching rules to apply (if any). If you want to specify a matching rule, you must specify an index type. You cannot use this option with option -T. |
| -T | Specifies the VLV tag to use to create VLV indexes. You can use the console to specify VLV tags for each database supporting your directory tree. You can also define additional VLV tags by creating them in LDIF, and adding them to the Directory Server configuration. You cannot use this option with option -t. |
pwdhash
pwdhash prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, you can use this command to compare the user's password to the password stored in the directory.
Syntax
directoryserver pwdhash -D instance_dir [-H] [-c comparepwd | -s scheme] password...
Standalone
pwdhash
Options
pwdhash takes the following options:
Example
# directoryserver pwdhash -D ServerRoot/slapd-serverID -s SSHA myPassword
{SSHA}mtHyZSHfhOZ4FHmvQe09FQjvLZpnW1wbmw05cw==
# directoryserver pwdhash -D ServerRoot/slapd-serverID -c
"{SSHA}mtHyZSHfhOZ4FHmvQe09FQjvLZpnW1wbmw05cw==" aPassword
/usr/ds/v5.2/bin/slapd/server/pwdhash: password does not match.
repldisc
The repldisc utility enables you to “discover” a replication topology. Topology discovery starts with one server and constructs a graph of all known servers (using the RUVs and Replication Agreements). repldisc then prints an adjacency matrix describing the topology.
Background
Before describing how this tool works, it is important that you understand the following general replication information.
A Replication Update Vector (RUV) is maintained on each replica. The RUV identifies each master replica within the topology, its Replica ID, and the latest change on each master, expressed as a Change Sequence Number (CSN). A CSN identifies each change made to a master server. A CSN consists of a timestamp, a sequence number, the master Replica ID, and a subsequence number.
The node on which you are running the tool must be able to reach all the specified hosts. If the hosts are unreachable due to a firewall, VPN, or other network setup reasons, you will encounter difficulties using this tool. For the same reason, you should ensure that all the servers are up and running before attempting to use the tool.
This replication monitoring tool connects to the server(s) via LDAP and relies on access to cn=config to obtain the replication status. You must therefore have read access to the data under cn=config. This should be taken into account particularly when replication is configured over SSL.
Syntax
You must run this tool from the directory where it resides.
cd ServerRoot/sbin
./repldisc [-D binddn] [-w password] [-n] [-a] [-t] [-p port] [-e SSL port]
[-j file] [-J file] [-W keypasswd] [-K keydbpath] [-N certname] [-P certdbpath]
[-b ReplicaRoot] -s/-S HostSpec
Note
repldisc takes the host specification from the replication agreement, unless otherwise specified at the command line.
Note that the HostSpec option includes the -s option.
Options
repldisc takes the following options:
Note
When identifying hosts, you must use either symbolic names or IP addresses for all hosts. Using a combination of the two can cause problems.
SSL Options
You can use the following options to specify use of LDAPS when communicating with Directory Server. You also use these options if you want to use certificate-based authentication. These options are valid only when LDAPS has been turned on and configured. For more information on certificate-based authentication and how to create a certificate database for use with LDAP clients, refer to Chapter 11, “Managing SSL” in the Directory Server Administration Guide.
You must specify the Directory Server’s encrypted port when you use the SSL options:
Caution
When running the replication monitoring tools over SSL, the server on which you are running the tools must have a copy of all the certificates used by the other servers in the topology.
Examples
- repldisc output in a single master replication scenario.
# ./repldisc -D "cn=directory manager" -w mypword -b o=rtest -s myserver:1389
Topology for suffix: o=rtest
Legend:
^ : Host on row sends to host on column.
v : Host on row receives from host on column.
x : Host on row and host on column are in MM mode.
H1 : france.example.com:1389
H2 : spain:1389
H3 : portugal:389
   | H1 | H2 | H3 |
===+===============
H1 |    | ^  |    |
---+---------------
H2 | v  |    | ^  |
---+---------------
H3 |    | v  |    |
---+---------------
- The same example as above, but using the -a and -t options.
# ./repldisc -D "cn=directory manager" -w mypword -b o=rtest
-s myserver:1389 -a -t
Topology for suffix: o=rtest
Legend:
The direction of the replication is indicated with arrows.
Single-master: suppliers appear on left, consumers on right (->).
Multi-master : servers are shown linked by a double arrow (<->).
france.example.com:1389 -> spain:1389 CLEAR
spain:1389 -> portugal:389 CLEAR
- SSL example
# ./repldisc -n -K ServerRoot/alias/slapd-S1-key3.db
-P ServerRoot/alias/slapd-S1-cert7.db -W password -N
"MyCertificate" -S "portugal:24211" -a -t
Topology for suffix: o=rtest
Legend:
The direction of the replication is indicated with arrows.
Single-master: suppliers appear on left, consumers on right (->).
Multi-master : servers are shown linked by a double arrow (<->).
spain:24210 -> portugal:24211 SSL
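One way to audit the -a -t output shown in the examples above (added example, not part of the original reference): it parses the link lines and reports agreements that are not marked SSL or that are missing from an approved baseline. The baseline set, the function names and the rule that any marker other than SSL counts as cleartext are assumptions of this sketch.

```python
import re

# Constructed sample in the -a -t format shown above; the last link is taken
# from the SSL example so that both transport markers appear.
SAMPLE = """\
Topology for suffix: o=rtest
Legend:
The direction of the replication is indicated with arrows.
Single-master: suppliers appear on left, consumers on right (->).
Multi-master : servers are shown linked by a double arrow (<->).
france.example.com:1389 -> spain:1389 CLEAR
spain:1389 -> portugal:389 CLEAR
spain:24210 -> portugal:24211 SSL
"""

# Hypothetical approved baseline of (supplier, consumer) agreements.
BASELINE = {("france.example.com:1389", "spain:1389"),
            ("spain:1389", "portugal:389")}

# host:port, arrow, host:port, transport marker. Legend lines do not match
# because they have no host:port pair on both sides of an arrow.
LINK = re.compile(r"^(\S+:\d+)\s+(<->|->)\s+(\S+:\d+)\s+(\S+)$")

def parse_links(text):
    """Return (suffix, [(left, arrow, right, transport), ...])."""
    suffix, links = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Topology for suffix:"):
            suffix = line.split(":", 1)[1].strip()
            continue
        match = LINK.match(line)
        if match:
            links.append(match.groups())
    return suffix, links

def audit(text, expected):
    """Flag links not marked SSL and links absent from the baseline."""
    suffix, links = parse_links(text)
    findings = []
    for left, arrow, right, transport in links:
        if transport != "SSL":
            findings.append(("cleartext", left, right))
        known = (left, right) in expected
        if arrow == "<->":  # multi-master pairs may be listed either way
            known = known or (right, left) in expected
        if not known:
            findings.append(("unexpected", left, right))
    return suffix, findings
```

Calling audit(SAMPLE, BASELINE) returns the suffix and a list of (finding, left host, right host) tuples that can be fed to a monitoring job.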
restart
Restarts Directory Server.
Syntax
directoryserver restart
Standalone
restart-slapd
Options
There are no options for this tool.
Exit Status
0: Server restarted successfully.
1: Server could not be started.
2: Server restarted successfully but was already stopped.
3: Server could not be stopped.
restart-admin
Restarts Administration Server.
Syntax
directoryserver restart-admin
Standalone
restart-admin
restoreconfig
By default, restores the most recently saved Administration Server configuration information to the NetscapeRoot suffix under the following directory:
ServerRoot/slapd-serverID/config
To restore the Administration Server configuration:
Syntax
directoryserver restoreconfig
Standalone
restoreconfig
Options
There are no options for this tool.
sagt
Starts the SNMP proxy agent. For details, refer to the Directory Server Administration Guide.
Syntax
directoryserver sagt [-c CONFIG]
Standalone
sagt
Options
saveconfig
Saves the Administration Server configuration information to the following directory:
ServerRoot/slapd-serverID/confbak
Directory Server must be running for this tool to work.
Syntax
directoryserver saveconfig
Standalone
saveconfig
Options
There are no options for this tool.
schema_push.pl
When schema modifications are made manually (by editing the .ldif files directly), this script should be run to update the modification time used by replication. This ensures that the modified schema are replicated to the consumers. Once the script has been run, you must restart the server to trigger the schema replication.
Syntax
ServerRoot/slapd-serverID/schema_push.pl
start
Starts Directory Server.
Syntax
directoryserver start
Standalone
start-slapd
Options
There are no options for this tool.
Exit Status
0: Server started successfully.
1: Server could not be started.
2: Server was already started.
start-admin
Restarts Administration Server.
Syntax
directoryserver start-admin
Standalone
start-admin
startconsole
Starts Server Console, enabling GUI-based management of compliant servers, such as Administration Server and Directory Server.
Syntax
directoryserver startconsole
Standalone
startconsole
stop
Stops Directory Server.
Syntax
directoryserver stop
Standalone
stop-slapd
Options
There are no options for this tool.
Exit Status
0: Server stopped successfully.
1: Server could not be stopped.
2: Server was already stopped.
stop-admin
Stops Administration Server.
Syntax
directoryserver stop-admin
Standalone
stop-admin
suffix2instance
Maps a suffix to a backend name.
Syntax
directoryserver suffix2instance {-s suffix}
Standalone
suffix2instance
Options
sync-cds
Synchronizes the Directory Server product version information with the configuration directory server after upgrade.
Syntax
directoryserver sync-cds [-f credentials_file] | [-l log_file]
Standalone
None.
Options
unconfigure
Removes all Directory Server instances and configuration, including any changes made following configuration.
Syntax
directoryserver unconfigure
Standalone
None.
vlvindex
To run vlvindex, Directory Server must be stopped. The vlvindex tool creates virtual list view (VLV) indexes, known in the Directory Server console as Browsing Indexes. VLV indexes introduce flexibility in the way you view search results. Using VLV indexes, you can organize search results alphabetically or in reverse alphabetical order, and you can scroll through the list of results. VLV index configuration must already exist prior to running this tool.
Syntax
directoryserver vlvindex [-d debug_level] [-n backend_instance] [-s suffix] [-T VLVTag]
Standalone
vlvindex
Options
Table 1-31 vlvindex Options
Option
Meaning
-d
Specifies the debug level to use during index creation. Debug levels are defined in nsslapd-errorlog-level (Error Log Level).
-n
Name of the database containing the entries to index.
-s
Name of the suffix containing the entries to index.
-T
VLV index identifier to use to create VLV indexes. You can use the console to specify the VLV index identifier for each database supporting your directory tree, as described in the Directory Server Administration Guide. You can define additional VLV tags by creating them in LDIF and adding them to the Directory Server configuration, as described in the Directory Server Administration Guide. In any case, we recommend you use the DN of the entry for which you want to accelerate the search sorting.