Name | Description | Attributes | See Also
The nsslapd-plugin attribute on cn=config is a multi-valued, read-only attribute that lists the syntaxes and matching rules loaded by the server. This manual page covers server plug-in configuration, rather than the nsslapd-plugin attribute.
This manual page provides an overview of legacy configuration information for server plug-ins. This manual page covers the individual plug-in configuration entry attributes. Also, this manual page covers the plug-ins provided with Directory Server, including configurable options, configurable arguments, default setting, dependencies, general performance related information, and further reading.
In most circumstances, you configure plug-in functionality using the dsconf(1M) command. See plugin(5dsconf) for a list of configurable properties.
The following list covers each plug-in configuration entry attribute.
This is a multivalued attribute, used to ensure that plug-ins are called by the server in the correct order. It takes a value that corresponds to the cn value of a plug-in. The plug-in whose cn value matches one of the values below it is started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start.
cn=pluginName,cn=plugins,cn=config
Plug-in name
None
DirectoryString
nsslapd-plugin-depends-on-named: Class of Service
This is a multivalued attribute, used to ensure that plug-ins are called by the server in the correct order. It takes a value that corresponds to the type of a plug-in, contained in the attribute nsslapd-pluginType, and requires that plug-ins of that type are started before the present plug-in.
cn=pluginName,cn=plugins,cn=config
Plug-in type
None
DirectoryString
nsslapd-plugin-depends-on-type: database
Provides a description of the plug-in.
cn=pluginName,cn=plugins,cn=config
Any DirectoryString
None
DirectoryString
nsslapd-pluginDescription: acl access check plug-in
Specifies whether or not the plug-in is enabled. This attribute can be changed over protocol, but will only take effect when the server is next restarted.
cn=pluginName,cn=plugins,cn=config
on | off
on
DirectoryString
nsslapd-pluginEnabled: on
Specifies the plug-in ID.
cn=pluginName,cn=plugins,cn=config
Any valid plug-in ID.
None
DirectoryString
nsslapd-pluginId: chaining database
Specifies the plug-in function to be initiated.
cn=pluginName,cn=plugins,cn=config
Any valid plug-in function.
None
DirectoryString
nsslapd-pluginInitfunc: NS7bitAttr_Init
Specifies the full path to the plug-in.
cn=pluginName,cn=plugins,cn=config
Any valid path
None
DirectoryString
nsslapd-pluginPath: /opt/SUNWdsee7/lib/sparcv9/uid-plugin.so
Specifies the plug-in type.
cn=pluginName,cn=plugins,cn=config
Any valid plug-in type.
None
DirectoryString
nsslapd-pluginType: preoperation
Specifies the vendor of the plug-in.
cn=pluginName,cn=plugins,cn=config
Any approved plug-in vendor.
Sun Microsystems, Inc.
DirectoryString
nsslapd-pluginVendor: Sun Microsystems, Inc.
Specifies the plug-in version.
cn=pluginName,cn=plugins,cn=config
Any valid plug-in version.
Product version
DirectoryString
nsslapd-pluginVersion: 7.0
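Because a missing nsslapd-plugin-depends-on-named target prevents the server from starting, it is worth checking an export of cn=plugins,cn=config before a restart. The following Python sketch is an added example, not part of the original manual page or of Directory Server: the sample LDIF is constructed, and the case-insensitive name comparison is an assumption.

```python
# Added example: validate plug-in start-order dependencies in an LDIF export.
# SAMPLE_LDIF is constructed for illustration; the plug-in types shown are assumed.
SAMPLE_LDIF = """\
dn: cn=ldbm database plug-in,cn=plugins,cn=config
cn: ldbm database plug-in
nsslapd-pluginType: database
nsslapd-pluginEnabled: on

dn: cn=Class of Service,cn=plugins,cn=config
cn: Class of Service
nsslapd-pluginType: object
nsslapd-pluginEnabled: on

dn: cn=Roles Plugin,cn=plugins,cn=config
cn: Roles Plugin
nsslapd-pluginType: object
nsslapd-plugin-depends-on-type: database
nsslapd-plugin-depends-on-named: State Change Plugin
nsslapd-pluginEnabled: on
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lowercased attribute -> values.

    Handles folded (continuation) lines and comments; base64 values
    (attr:: value) are not decoded.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # continuation of the previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def check_dependencies(entries):
    """Return (dn, kind, value) for each dependency no plug-in entry satisfies."""
    names = {v.lower() for e in entries for v in e.get("cn", [])}
    types = {v.lower() for e in entries for v in e.get("nsslapd-plugintype", [])}
    findings = []
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        for dep in e.get("nsslapd-plugin-depends-on-named", []):
            if dep.lower() not in names:  # assumption: names compare case-insensitively
                findings.append((dn, "named", dep))
        for dep in e.get("nsslapd-plugin-depends-on-type", []):
            if dep.lower() not in types:
                findings.append((dn, "type", dep))
    return findings


if __name__ == "__main__":
    for dn, kind, dep in check_dependencies(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: unresolved depends-on-{kind} value {dep!r}")
```
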
Consider the following aspects of this plug-in.
7-Bit Check (NS7bitAttr)
cn=7-bit check,cn=plugins,cn=config
Checks that certain attributes are seven-bit clean.
on | off
on
List of attributes, uid mail userpassword, followed by a comma, and then by the suffix or suffixes on which the check is to occur.
None
None
If your Directory Server uses non-ASCII characters such as Japanese and other languages for some attributes, remove those attributes from the list of attributes checked by this plug-in.
When adding or modifying an attribute value checked by this plug-in, and the new value violates the seven-bit check, the client receives an LDAP_CONSTRAINT_VIOLATION (19) return code, and a message such as the following: Value of attribute attr contains extended (8-bit) characters: value
Consider the following aspects of this plug-in.
ACL Plugin
cn=ACL Plugin,cn=plugins,cn=config
ACL access check plug-in
on | off
on
None
None
Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
ACL preoperation
cn=ACL preoperation,cn=plugins,cn=config
ACL access check plug-in.
on | off
on
None
Database
Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Binary Syntax
cn=Binary Syntax,cn=plugins,cn=config
Syntax for handling binary data.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Boolean Syntax
cn=Boolean Syntax,cn=plugins,cn=config
Syntax for handling booleans.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Case Exact String Syntax
cn=Case Exact String Syntax,cn=plugins,cn=config
Syntax for handling case-sensitive strings.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Case Ignore String Syntax
cn=Case Ignore String Syntax,cn=plugins,cn=config
Syntax for handling case-insensitive strings.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Chaining Database
cn=Chaining database,cn=plugins,cn=config
Syntax for handling DNs.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Class of Service
cn=Class of Service,cn=plugins,cn=config
Allows for sharing of attributes between entries.
on | off
on
Set the nsslapd-pluginarg0 attribute to:
0 (default) to enable fast lookup of classic CoS templates
1 to disable fast lookup for classic CoS template selection
2 to disable checks for ambiguous pointer and classic CoS definitions
Ambiguous definitions result when more than one value could be returned for the same attribute of the same entry. When checking remains enabled, Directory Server logs an informational message upon encountering such an ambiguity, provided you have set the log level to allow plug-ins to log informational messages.
3 to disable both
Restart Directory Server for modifications to take effect.
None
Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Country String Syntax
cn=Country String Syntax,cn=plugins,cn=config
Syntax for handling countries.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Distinguished Name Syntax
cn=Distinguished Name Syntax,cn=plugins,cn=config
Syntax for handling DNs.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Frontend
cn=DSMLv2-SOAP-HTTP,cn=frontends,cn=plugins,cn=config
Enables you to access the directory using DSML v2 over SOAP/HTTP.
on | off
off
ds-hdsml-soapschemalocation
ds-hdsml-dsmlschemalocation
None
None
Consider the following aspects of this plug-in.
Generalized Time Syntax
cn=Generalized Time Syntax,cn=plugins,cn=config
Syntax for dealing with dates, times, and time zones.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
The Generalized Time String consists of the four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication. We strongly recommend that you use the Z time zone indication (Greenwich Mean Time).
Consider the following aspects of this plug-in.
Integer Syntax
cn=Integer Syntax,cn=plugins,cn=config
Syntax for handling integers.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Internationalization Plugin
cn=Internationalization Plugin,cn=plugins,cn=config
Syntax for handling DNs.
on | off
on
None. In contrast to previous versions of Directory Server, the collation orders and locales used by the internationalization plug-in are now stored in the configuration.
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
ldbm database plug-in
cn=ldbm database plug-in,cn=plugins,cn=config
Implements local databases.
None
on
None
None
Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Multimaster Replication Plugin
cn=Multimaster Replication plugin,cn=plugins,cn=config
Enables replication between two Directory Server suffixes.
on | off
on
None
database
None
You can turn this plug-in off if you have only one server, which will never replicate.
Consider the following aspects of this plug-in.
Octet String Syntax
cn=Octet String Syntax,cn=plugins,cn=config
Syntax for handling octet strings.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
CLEAR
cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config
CLEAR password storage scheme used for password encryption.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
CRYPT
cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config
CRYPT password storage scheme used for password encryption.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
NS-MTA-MD5
cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config
NS-MTA-MD5 password storage scheme for password encryption.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present, but for backward compatibility only. The data in your directory still contains passwords encrypted with the NS-MTA-MD5 password storage scheme.
This password storage scheme plug-in is used, for example, by the administration framework and is reserved for internal use.
Consider the following aspects of this plug-in.
SHA
cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
SHA password storage scheme for password encryption.
on | off
on
None
None
If there are no passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your password with the SHA password storage scheme, choose SSHA instead. SSHA is a far more secure option.
Consider the following aspects of this plug-in.
SSHA
cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
SSHA password storage scheme for password encryption.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
When Directory Server is configured to check password quality, and this plug-in is enabled, the plug-in checks the following each time a password is added or modified.
Clear text password values contain the classes of characters specified by the configuration.
Clear text password values do not contain any sequence of four characters present in the dictionary file specified by the configuration.
Hashed password values such as {SSHA}0Ri1g2yqlH3GTZcuRQ4uS22syCQLBKAU2ypLSw== are not checked.
Consider the following aspects of this plug-in.
Strong Password Checking plug-in
cn=Strong Password Check,cn=plugins,cn=config
on | off
nsslapd-pluginarg0, which takes an integer mask of the character classes that must be present in a valid password. Set nsslapd-pluginarg0 to one of, or a sum of, the following values, not counting the special values 16 and 17.
1 means the password must contain special characters.
2 means the password must contain numeric characters.
4 means the password must contain upper case characters.
8 means the password must contain lower case characters.
16 is a special value meaning at least three of the four character classes.
17 is a special value meaning at least two of the four character classes.
The default setting is 15.
nsslapd-pluginarg1, which takes the absolute file system path to an ASCII dictionary file. If the argument is missing, the dictionary check is skipped. The plug-in does not initialize and Directory Server does not start if the value of this attribute is invalid or refers to an inaccessible file.
off
Default password file, install-path/resources/plugins/words-english-big.txt
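To see what a given nsslapd-pluginarg0 value demands, the mask can be evaluated offline against candidate passwords. The following Python sketch is an added example, not the plug-in's own code; it assumes that "special characters" means ASCII punctuation and that a hashed value is recognised by a leading {SCHEME} prefix.

```python
# Added example: interpret the Strong Password Check mask (nsslapd-pluginarg0).
import re
import string

# Bit value -> (class name, per-character test), following the list above.
CLASSES = {
    1: ("special", lambda c: c in string.punctuation),  # assumption: ASCII punctuation
    2: ("numeric", str.isdigit),
    4: ("upper case", str.isupper),
    8: ("lower case", str.islower),
}

# Assumption: pre-hashed values carry a {SCHEME} prefix, as in {SSHA}...
HASHED = re.compile(r"^\{[A-Za-z0-9-]+\}")


def classes_present(password):
    """Return the set of character-class names found in the password."""
    return {
        name
        for name, test in CLASSES.values()
        if any(test(c) for c in password)
    }


def evaluate(mask, value):
    """Return 'not checked', 'accepted', or 'rejected: <reason>'."""
    if HASHED.match(value):
        # Hashed values are not checked, so quality rules do not apply to them.
        return "not checked"
    present = classes_present(value)
    if mask in (16, 17):
        needed = 3 if mask == 16 else 2
        if len(present) >= needed:
            return "accepted"
        return f"rejected: {len(present)} of 4 classes present, {needed} required"
    if not 1 <= mask <= 15:
        raise ValueError(f"unsupported mask value: {mask}")
    required = {name for bit, (name, _) in CLASSES.items() if mask & bit}
    missing = sorted(required - present)
    if missing:
        return "rejected: missing " + ", ".join(missing)
    return "accepted"


if __name__ == "__main__":
    # Constructed sample inputs.
    for mask, candidate in [(15, "Passw0rd"), (15, "Passw0rd!"), (17, "password")]:
        print(mask, candidate, "->", evaluate(mask, candidate))
```

The "not checked" result matters when auditing: a client that writes an already hashed value bypasses the character-class rules entirely.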
Consider the following aspects of this plug-in.
Postal Address Syntax
cn=Postal Address Syntax,cn=plugins,cn=config
Syntax used for handling postal addresses.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
Pass Through Authentication
cn=Pass Through Authentication,cn=plugins,cn=config
Enables pass-through authentication, the mechanism that allows one directory to consult another to authenticate bind requests.
on | off
off
The LDAP URL to the configuration directory.
nsslapd-pluginarg0: ldap://config.example.com/o=example
None
Consider the following aspects of this plug-in.
Referential Integrity Postoperation
cn=Referential Integrity Postoperation,cn=plugins,cn=config
Enables the server to ensure referential integrity.
All attributes in all databases that are used by the referential integrity plug-in must be indexed. The indexes need to be created in the configuration of all the databases. When the retro change log is enabled, the cn=changelog suffix must be indexed.
All configuration and on | off
off
When enabled, the post operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.
The following arguments are configurable:
(nsslapd-pluginarg0) Check for referential integrity
-1 = no check for referential integrity
0 = check for referential integrity is performed immediately
positive integer = request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request, at intervals corresponding to the integer specified.
(nsslapd-pluginarg1) Log file for storing the change, for example /local/dsInst/logs/referint
(nsslapd-pluginarg2) Reserved for future use.
(Other nsslapd-pluginarg* attributes) Attribute names to be checked for referential integrity.
database type
Do the following when you use the referential integrity plug-in in a multi-master replication environment:
Enable the referential integrity plug-in on all servers containing master replicas
Enable the referential integrity plug-in with the same configuration on every master
Set the first argument to a positive value, such as 10, meaning ten seconds, to ensure that work performed by this plug-in happens asynchronously, rather than synchronously.
When enabling the plug-in, also create equality indexes for all attributes configured for use with the plug-in. The plug-in uses such indexes when searching for entries to update. Without equality indexes for the attributes it uses, the plug-in must perform costly unindexed searches that have negative impact on performance.
Consider the following aspects of this plug-in.
Retro Changelog Plugin
cn=Retro Changelog Plugin,cn=plugins,cn=config
Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions.
Maintains a log of all changes occurring in Directory Server. The retro change log offers the same functionality as the changelog in the 4.x versions of Directory Server.
on | off
off
The following arguments can be configured for the retro change log plug-in:
nsslapd-pluginarg0: -ignore_attributes configures the retro change log plug-in to ignore attributes specified by the following nsslapd-pluginarg. This argument is configured by default.
nsslapd-pluginarg1: copyingFrom specifies a list of attributes to be ignored by the preceding nsslapd-pluginarg. This argument is configured by default.
nsslapd-pluginarg2: suffixes="suffix1","suffix2" configures the retro change log to record updates to specified suffixes only
nsslapd-pluginarg3: deletedEntryAttributes=attribute1,attribute2 configures the retro change log to record specified attributes of an entry when that entry is deleted
None
May slow down Directory Server performance.
dn: cn=Retro Changelog Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: ds-signedPlugin
objectClass: extensibleObject
cn: Retro Changelog Plugin
nsslapd-pluginPath: /opt/SUNWdsee7/lib/sparcv9/retrocl-plugin.so
nsslapd-pluginInitfunc: retrocl_plugin_init
nsslapd-pluginType: object
nsslapd-plugin-depends-on-type: database
nsslapd-pluginarg0: -ignore_attributes
nsslapd-pluginarg1: copyingFrom
nsslapd-pluginarg2: suffixes="ou=people","dc=example","dc=com"
nsslapd-pluginarg3: deletedEntryAttributes="objectclass","employeenumber"
nsslapd-changelogdir: /local/dsInst/db/changelog
nsslapd-pluginEnabled: on
nsslapd-pluginId: retrocl
nsslapd-pluginVersion: 7.0
nsslapd-pluginVendor: Sun Microsystems, Inc.
nsslapd-pluginDescription: Retrocl Plugin
ds-pluginSignatureState: valid signature
Consider the following aspects of this plug-in.
Roles Plugin
cn=Roles Plugin,cn=plugins,cn=config
Enables the use of roles in Directory Server.
on | off
on
None
State Change Plugin
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
State Change Plugin
cn=State Change Plugin,cn=plugins,cn=config
State change notification service plug-in for detecting updates, such as configuration changes, and triggering callbacks when updates happen.
This plug-in is used internally by the roles plug-in.
on | off
on
None
None
Consider the following aspects of this plug-in.
Subtree Entry Counter For ObjectClass
cn=Subtree Entry Counter for ObjectClass,cn=plugins,cn=config
Maintain a count of entries with a particular object class. The following plug-ins are provided.
Subtree entry counter for departments in domains
Subtree entry counter for domains within a domain
Subtree entry counter for mail lists
Subtree entry counter for nested departments
Subtree entry counter for total domains
Subtree entry counter for users
on | off
off
None
None
These plug-ins are provided for use with Messaging Server only, and are disabled by default. Leave these plug-ins disabled unless your Messaging Server requires them.
Either the number of departments within a domain, or the number of departments within a department (nested departments), depending on the DN of the entry.
Either the number of total domains, or the number of domains within a domain or nested domain, depending on the DN of the entry.
Number of mail lists.
Consider the following aspects of this plug-in.
Telephone Syntax
cn=Telephone Syntax,cn=plugins,cn=config
Syntax for handling telephone numbers.
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Consider the following aspects of this plug-in.
UID Uniqueness
cn=UID Uniqueness,cn=plugins,cn=config
Checks that the values of specified attributes are unique each time a modification occurs on an entry.
on | off
off
You may configure this plug-in in either of two different ways.
Specify attributes that must be unique for a series of one or more subtrees identified by DNs. For example, to specify that employeeNumber and uid attribute values must be unique across both o=org1,dc=example,dc=com and o=org2,dc=example,dc=com, configure the arguments in the configuration entry as follows:
nsslapd-pluginarg0: employeeNumber
nsslapd-pluginarg1: uid
nsslapd-pluginarg2: o=org1,dc=example,dc=com
nsslapd-pluginarg3: o=org2,dc=example,dc=com
Specify attributes that must be unique inside congruent subtrees, optionally only on entries of a specified object class. For example, to specify that employeeNumber and uid attribute values must be unique in either o=org1,dc=example,dc=com or o=org2,dc=example,dc=com, but only on entries of the inetOrgPerson object class, configure the arguments in the configuration entry as follows:
nsslapd-pluginarg0: employeeNumber
nsslapd-pluginarg1: uid
nsslapd-pluginarg2: MarkerObjectClass="organization" RequiredObjectClass="inetOrgPerson"
database type
Directory Server provides the UID Uniqueness plug-in by default. To ensure unique values for other attributes, you can create instances of the UID Uniqueness plug-in for those attributes.
The UID Uniqueness plug-in may slow down Directory Server performance.
Consider the following aspects of this plug-in.
URI Syntax
cn=URI Syntax,cn=plugins,cn=config
Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators).
on | off
on
None
None
Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
See attributes(5) for descriptions of the following attributes:
| ATTRIBUTE TYPE | ATTRIBUTE VALUE | 
|---|---|
| Availability | SUNWdsee7 | 
| Stability Level | Obsolete: Scheduled for removal after this release | 