install-path/dps6/bin/dpadm [subcommand] [global-options] [subcommand-options] [subcommand-operands]
The dpadm command is the administration command for the Directory Proxy Server. Use the dpadm command with one of the subcommands described in this man page.
The following subcommands are supported:
Adds a certificate to the certificate database.
Creates a self-signed certificate and adds it to the certificate database.
Enables or disables Directory Proxy Server instance startup at system boot. This command is only available if you installed with Sun Java Enterprise System or native packages, and is not available on Windows.
Creates a backup archive of the Directory Proxy Server instance.
Creates a Directory Proxy Server Instance.
Deletes an instance of Directory Proxy Server.
Disables a Directory Proxy Server instance from being managed as a service. This command is available on Windows distributions and Solaris native package distributions only.
Enables a Directory Proxy Server instance to be managed as a service. This command is available on Windows distributions and Solaris native package distributions only.
Displays the flag values for the Directory Proxy Server instance.
Imports the public and private keys of a certificate in the certificate database.
Displays information about the status and configuration of the Directory Proxy Server instance.
Lists all certificates in the certificate database.
Removes a certificate from the certificate database.
Renews a certificate in the certificate database.
Generates a certificate request.
Restarts a Directory Proxy Server instance.
Restores a Directory Proxy Server instance from a backup archive.
Sets flag values for a Directory Proxy Server instance.
Displays a certificate.
If no CERT_ALIAS is specified, the default server certificate is displayed.
Splits the LDIF file given by LDIF_FILE into multiple LDIF files according to the data distribution configured in Directory Proxy Server. One LDIF file is created for each data view defined in the LDIF_FILE file.
The LDIF files are stored in the OUTPUT_FILE_DIR directory and are automatically named after the data view, with the following format: OUTPUT_FILE_DIR.DATA_VIEW_NAME.ldif
The dpadm split-ldif command can be launched even if the Directory Proxy Server is running.
Starts a Directory Proxy Server instance.
Stops a Directory Proxy Server instance.
The following options are global, and are applicable to all commands and subcommands.
Displays instructions for accessing help.
Displays the current version of dpadm. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dpadm are not aligned, the version of each individual component is displayed.
Displays instructions for accessing verbose help.
The following options are applicable to the subcommands where they are specified.
Lists Certificate Authority certificates only. The default is to list server certificates only.
Adds L=CITY to the subject DN. The default is none.
Adds C=COUNTRY to the subject DN. The default is none.
Defines the Proxy Manager DN. The default is cn=Proxy Manager.
Starts Directory Proxy Server with the configuration used at the last successful startup.
Specifies the output format. The options are readable and ascii. The default is readable.
Specifies the group name for the owner of the server instance. The default is the name of the current group.
Does not prompt for confirmation before performing the operation.
Specifies the certificate password. The default is to prompt for a password.
Specifies the key-pair generation algorithm (DSA or RSA).
Specifies the signature algorithm used to sign the certificate. The signature algorithm depends on the underlying key-pair generation algorithm. The default signature algorithm is SHA1withDSA when the key algorithm is DSA, and MD5withRSA when the key algorithm is RSA. Both defaults rely on hash functions (SHA-1 and MD5) that are no longer considered collision resistant, so specify a SHA-2 based signature algorithm explicitly where the JVM and server version support it.
Adds CN=NAME to the subject DN. The default is the hostname.
Reads the output password from the OUTPUT_FILE file. The default is a prompt for a password.
Stores the command results in the OUTPUT_FILE file. The default is stdout.
Disables the autostart of an instance of Directory Proxy Server at system boot.
Adds O=ORG to the subject DN. The default is none.
Adds OU=ORG-UNIT to the subject DN. The default is none.
Specifies the port for LDAP traffic. The default is 389 or 1389.
Specifies the secure SSL port for LDAP traffic. The default is 636 or 1636.
Specifies the subject DN. The default is cn=CERT_ALIAS cn=hostname.
Adds ST=STATE to the subject DN. The default is the hostname.
Specifies the service type: SMF when using Solaris 10, or WIN_SERVICE when using Windows.
Specifies the user name for the owner of the server instance. The default is the name of the current user.
Reads the certificate database password from the CERT_PW_FILE file. The default is a prompt for password.
Reads the password from the PW_FILE file. The default is a prompt for password.
The following operands are supported:
Specifies the path to the backup of the Directory Proxy Server instance.
Specifies the certificate alias.
Specifies the file that contains the certificate.
Specifies a flag that represents a property operand when using the command dpadm get-flags. Possible flags: cert-pwd-prompt, jvm-args.
Specifies a flag and its value. The FLAG=VALUE operand can have the following values:
Sets the certificate database password storage mode to on. The certificate database password is stored on the file system. This is the default value.
Sets the certificate database password storage mode to off. The certificate database password is not stored on the file system. You are prompted to supply the certificate database password when needed.
These values are arguments passed to the Java Virtual Machine (JVM).
The default value is jvm-args=-Xmx250M -Xms250M.
-Xmxmemory is the maximum memory size for the JVM. The default value is -Xmx250M (250 MB).
-Xmsmemory is the startup memory size for the JVM. The default value is -Xms250M (250 MB). The startup memory size -Xmsmemory should be the same as the maximum memory size -Xmxmemory.
-XX:NewRatio=ratio is applicable to the Sun Hotspot JVM only, and is the ratio between old and young generation memory. The recommended value is -XX:NewRatio=1, which is equal old and young generation memory.
The -d flag specifies which JVM is used (32-bit or 64-bit). By default, Directory Proxy Server is launched with a 64-bit JVM if one is available, and with a 32-bit JVM otherwise. To override this behavior and choose the JVM yourself, add -d32 or -d64 to the jvm-args flag, for example jvm-args=-Xmx250M -Xms250M -d32.
You can use the jvm-args flag to pass a list of arguments to the JVM. For information about JVM arguments not described in this man page, see the java(1) man page.
Specifies the path to the Directory Proxy Server instance.
Specifies the LDIF file that is to be split by the split-ldif subcommand.
Specifies the directory where the LDIF files produced by the split-ldif subcommand are placed.
The following examples show how the dpadm command is used.
The following example shows how to create a Directory Proxy Server instance.
$ dpadm create /local/dps
The following example shows how to start a Directory Proxy Server instance.
$ dpadm start /local/dps
The following example shows how to get information about a Directory Proxy Server instance.
$ dpadm info /local/dps
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-proxy
Stability Level | Evolving
install-path/dps6/bin/dpconf subcommand [global-options] [subcommand-options] [subcommand-operands]
The dpconf command manages the configuration of Directory Proxy Server. An instance of Directory Proxy Server must be running in order for you to run the dpconf command.
The following subcommands are supported:
Add a JDBC attribute by using a SQL table.
Add a virtual transformation to a data view.
Attach one or more JDBC data sources to a JDBC data source pool.
Attach one or more LDAP data sources to an LDAP data source pool.
Create one or more new connection handlers.
Create one or more new custom search size limits for a resource limits policy.
Create a JDBC data source that corresponds to an existing JDBC database.
Create one or more JDBC data source pools.
Create a data view that enables LDAP applications to view JDBC tables.
Create a JDBC object class and attach it to a JDBC data view. At least one JDBC table, the primary table, must be specified. Additional tables can be specified if the JDBC data view is to be a join data view of more than one JDBC table.
Create a JDBC table.
Create a virtual data view that combines or aggregates two separate data views. One of these data views is the primary data view, and the other the secondary data view. Before you can create a join data view, you must define at least one join rule on the secondary data view. To define join rules, set the dn-join-rule or filter-join-rule properties of the secondary data view.
Create a new LDAP data source.
Create one or more new LDAP data source pools.
Create a new LDAP data view.
Create a new LDIF data view.
Create one or more new request filtering policies.
Create one or more new resource limits policies.
Create one or more new search data hiding rules for a request filtering policy.
Create a new user mapping.
Delete existing connection handlers.
Delete existing custom search size limits for a resource limits policy.
Delete one or more JDBC data sources.
Delete one or more JDBC data source pools.
Delete one or more JDBC data views.
Delete one or more JDBC object classes.
Delete one or more JDBC tables.
Delete a join data view.
Delete existing LDAP data sources.
Delete existing LDAP data source pools.
Delete existing LDAP data views.
Delete existing LDIF data views.
Delete existing request filtering policies.
Delete existing resource limits policies.
Delete an existing search data hiding rule.
Delete existing user mappings.
Detach JDBC data sources from a JDBC data source pool.
Detach LDAP data sources from an LDAP data source pool.
View the properties of the access log.
View the properties of an attached LDAP data source.
View the properties of a connection handler.
View the properties of custom search size limits for a resource limits policy.
View the properties of the error log.
View the properties of a JDBC attribute.
View the properties of a JDBC data source pool.
View the properties of a JDBC data source.
View the properties of a JDBC data view.
View the properties of a JDBC object class.
View the properties of a JDBC table.
View the properties of a join data view.
View the properties of an LDAP data source pool.
View the properties of an LDAP data source.
View the properties of an LDAP data view.
View the properties of the LDAP listener.
View the properties of the LDAPS listener.
View the properties of an LDIF data view.
View the properties of a request filtering policy.
View the properties of the resource limits policy.
View the properties of search data hiding rules for a request filtering policy.
View the properties of a Directory Proxy Server.
View the properties of a user mapping.
View the properties of the data view defined to provide access to virtual ACIs.
View the properties of a virtual transformation. Virtual transformation properties that can be specified include action, attr-name, model, internal-value and view-value.
View information about the properties exposed by subcommands.
Display information about server configuration.
List JDBC data sources that are attached to a data source pool.
List LDAP data sources that are attached to a data source pool.
List the existing connection handlers.
List the existing custom search size limits for a resource limits policy.
List the JDBC attributes that have been defined using SQL tables.
List the existing JDBC data source pools.
List the existing JDBC data sources.
List the JDBC object classes that are attached to a JDBC data view.
List all JDBC tables.
List the existing join data views.
List the existing LDAP data source pools.
List the existing LDAP data sources.
List the existing LDAP data views.
List the existing LDIF data views.
List the existing request filtering policies.
List the existing resource limits policies.
List the existing search data hiding rules for a request filtering policy.
List the existing user mappings.
List the virtual transformations that are defined on a data view.
Delete a JDBC attribute.
Delete a virtual transformation.
Launch the rotation of a log file.
Change the properties of the access log. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of an attached LDAP data source. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a connection handler. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of custom search size limits for a resource limits policy. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of the error log. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a JDBC attribute. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a JDBC data source pool. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a JDBC data source. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a JDBC data view. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a JDBC object class. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a JDBC table. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a join data view. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of an LDAP data source pool. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of an LDAP data source. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of an LDAP data view. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of the LDAP listener. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of the LDAPS listener. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of an LDIF data view. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a request filtering policy. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a resource limits policy. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of search data hiding rules for a request filtering policy. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a Directory Proxy Server instance. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a user mapping. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of the data view defined to provide access to virtual ACIs. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Change the properties of a virtual transformation that was defined on the data view. If you do not specify a VAL, the value of the property is reset.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
The following options are global to all commands and subcommands:
Displays help information for a command or subcommand.
Does not ask for confirmation before accepting untrusted server certificates.
Binds as USER_DN. The dpconf command searches for a USER_DN value in the following order:
A USER_DN specified in the command line
A USER_DN set by using the $LDAP_ADMIN_USER environment variable
If none of these are found, the default is to bind as the cn=Proxy Manager user.
Connects over LDAP with no secure connection. To connect over a clear connection by default, set the DIR_PROXY_UNSECURED environment variable.
Connects to the proxy server on HOST. The dpconf command searches for a HOST value in the following order:
A HOST specified in the command line
A HOST set by using the $DIR_PROXY_HOST environment variable
If none of these are found, the default is to use the local host.
Does not ask for confirmation or passwords.
Does not ask for confirmation before rejecting untrusted server certificates in this session.
Connects to the proxy on PORT. The dpconf command searches for a PORT value in the following order:
A PORT specified in the command line
A PORT set by using the $DIR_PROXY_PORT environment variable
If none of these are found, the default is to use port 389.
This option is mutually exclusive with -P,--secure-port.
Connects over SSL to the proxy on PORT. The dpconf command searches for a PORT value in the following order:
A PORT specified in the command line
A PORT set by using the $DIR_PROXY_PORT environment variable
If none of these are found, the default is to use port 1636.
This option is mutually exclusive with -p,--port.
Displays help properties and their corresponding attributes in cn=config.
Displays extra information. This option is especially useful in the list subcommands. For an example of the use of the verbose option, see Example 5.
Displays the current version of dpconf. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dpconf are not aligned, the version of each individual component is displayed.
Specifies that the LDAP password is read from FILE. The dpconf command searches for a password FILE value in the following order:
A password or password file specified in the command line
A password file set by using the $LDAP_ADMIN_PWF environment variable
If none of these are found, the default is to prompt for the password.
The following options can be used with the subcommands:
The name of the JDBC database for which you create a JDBC data source.
The URL to the JDBC database for which you create a JDBC data source.
Modifies the display output to show one property value per line.
The URL to the JDBC driver.
Display time data with UNIT unit. The value for UNIT can be M, w, d, h, m, s, or ms (month, week, day, hour, minute, second, or millisecond).
The class of the JDBC driver.
Display memory size data with UNIT unit. The value for UNIT can be T, G, M, k, or b (Terabyte, Gigabyte, Megabyte, kilobyte, or byte).
The following operands can be used with the subcommands:
Describes what a transformation does to its target entry or entries. The following transformation actions are possible:
add-attr Add a new attribute. The value of the new attribute is defined by the PARAM operand.
add-attr-value Add a calculated value to an existing attribute. The value that must be added is defined by the PARAM operand.
attr-value-mapping Map one attribute to another attribute to provide the attribute value. The value is defined by the internal-value and view-value PARAM operands.
def-value Add a default value to an existing attribute. The value that must be added is defined by the PARAM operand.
remove-attr Remove an attribute.
remove-attr-value Remove a value from an existing attribute. This action is usually used in the case of multi-value attributes when one of the values should be removed.
The name of a virtual attribute or JDBC attribute to be added or removed.
The name of a column in an SQL table.
The name of an SQL table.
The pattern that should be used to construct a DN from a JDBC table.
Contacts the LDAP server on the specified host, which may be a host name or an IP address.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, pass the -h option with its argument as -h ::ffff:192.168.0.99.
The name of a JDBC data view.
The name of a join data view.
The name of a file on the Directory Proxy Server that contains the LDIF data.
The name of a custom search size limit.
The type of log, which can be access or error.
The direction in which a transformation action will be applied. The transformation model can be one of mapping, read, or write.
A mapping transformation is applied during the request, and its inverse is applied during the response. A write transformation is applied during the request, but not during the response. A write transformation changes the physical data in storage. A read transformation is applied only during the response to a request.
The name of an object to be created or deleted, or the name of an object for which you are getting or setting properties.
The name of a JDBC object class.
The parameters to be applied to a virtual transformation. Depending on the transformation, PARAM can be one or more of the following:
value specifies the value of the virtual attribute for all transformation actions other than attrValueMapping.
internal-value:value used only with the attrValueMapping transformation action. Specifies the value of the virtual attribute that should be written to the physical data source.
view-value:value used only with the attrValueMapping transformation action. Specifies the value of the virtual attribute that should be returned to the client.
The name of the resource limits policy or request filtering policy to which limits or rules are to be applied.
The name of an existing LDAP or JDBC data source pool.
The port number of the object to be created.
The name of the primary data view that is the source for a join data view.
The name of the primary table in a JDBC database.
The name of the property. For a list of property names and values, use this command:
dpconf help-properties
The rws and rwd keywords of a property indicate whether changes to the property require the server to be restarted. If a property has an rws (read, write, static) keyword, the server must be restarted when the property is changed. If a property has an rwd (read, write, dynamic) keyword, modifications to the property are implemented dynamically (without restarting the server).
For multi-valued properties, use the syntax PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Multi-valued properties are identified by the M keyword. For a list of multi-valued properties, use this command:
dpconf help-properties | grep " M "
The name of a search data hiding rule.
The name of the secondary data view that is the source for a join data view.
The name of the secondary table in a JDBC database.
The name of an LDAP or JDBC data source.
The DN of the suffix represented by the data view.
The name of a JDBC table.
The name of a virtual transformation.
The DN of the user to be mapped.
The name of the password file, or the value - meaning to prompt for the password.
The new value of the property. For a complete list of property names and values, use the command dpconf help-properties -v.
When the VAL operand is used for passwords, it can have the following values:
The name of the password file.
The value -, meaning to prompt for the password.
The name of a data view.
Syntax values shown in lower case or partly in lower case are literal values.
Those shown in upper case are syntax types, defined as follows:
A valid attribute type name such as cn or objectClass.
true or false.
A valid distinguished name such as ou=People,dc=example,dc=com.
A duration specified in months (M), weeks (w), days (d), hours (h), minutes (m), seconds (s), and milliseconds (ms), or some combination with multiple specifiers. For example, you can specify one week as 1w, 7d, 168h, 10080m, or 604800s. You can also specify one week as 1w0d0h0m0s.
DURATION properties typically do not each support all duration specifiers (Mwdhms). Examine the output of dsconf help-properties for the property to determine which duration specifiers are supported.
A valid e-mail address.
An IP address or host name.
A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.
An interval value of the form hhmm-hhmm 0123456. The first part gives the starting hour and the finishing hour in 24-hour hhmm format (0000 to 2359); the second part lists the days on which the interval applies, numbered from Sunday (0) to Saturday (6).
An IP address or range of address in one of the following formats:
IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All addresses. A catch-all for clients that are not placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.
A valid LDAP URL as specified by RFC 2255.
A memory size specified in gigabytes (G), megabytes (M), kilobytes (k), or bytes (b). Unlike DURATION properties, MEMORY_SIZE properties cannot combine multiple specifiers. However, MEMORY_SIZE properties allow decimal values, for example, 1.5M.
A valid cn (common name).
A three-digit, octal file permissions specifier. The first digit specifies permissions for the server user ID, the second for the server group ID, the last for other users. Each digit consists of a bitmask defining read (4), write (2), execute (1), or no access (0) permissions, thus 640 specifies read-write access for the server user, read-only access for other users of the server group, and no access for other users.
The full path to the file from which the bind password should be read.
A valid, absolute file system path.
A DirectoryString value, as specified by RFC 2252.
An SSL cipher supported by the server. See the Reference for a list of supported ciphers.
An SSL protocol supported by the server. See the Reference for a list of supported protocols.
A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.
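A validator for three of the syntax types defined above (DURATION, MEMORY_SIZE and OCTAL_MODE), added here as an example and not code from dpconf. It assumes a 30-day month for the M specifier, which the page does not define, and binary multiples for memory sizes, matching the 104,857,600b reported for a 100M rotation size in the access-log example of this page.

```python
import re

# Milliseconds per DURATION specifier. The page pins w/d/h/m/s/ms exactly
# (1w == 7d == 168h == 10080m == 604800s); it does not define the length of
# a month (M), so the 30-day month below is an assumption of this example.
DURATION_MS = {
    "M": 30 * 24 * 3600 * 1000,
    "w": 7 * 24 * 3600 * 1000,
    "d": 24 * 3600 * 1000,
    "h": 3600 * 1000,
    "m": 60 * 1000,
    "s": 1000,
    "ms": 1,
}
ALL_DURATION_SPECIFIERS = tuple(DURATION_MS)
# "ms" is listed before "m" so that "500ms" is not read as "500m" plus junk.
_DURATION_TOKEN = re.compile(r"(\d+)(ms|M|w|d|h|m|s)")


def parse_duration(text, allowed=ALL_DURATION_SPECIFIERS):
    """Return the total milliseconds of a DURATION such as "1w0d0h0m0s".

    `allowed` mirrors the note that a given property may support only a
    subset of the specifiers; anything outside it is rejected, as is a
    repeated specifier, an empty string or trailing junk.
    """
    pos, total, seen = 0, 0, []
    while pos < len(text):
        m = _DURATION_TOKEN.match(text, pos)
        if m is None:
            raise ValueError("bad DURATION syntax at %r" % text[pos:])
        count, unit = int(m.group(1)), m.group(2)
        if unit not in allowed:
            raise ValueError("specifier %r not supported by this property" % unit)
        if unit in seen:
            raise ValueError("specifier %r given twice" % unit)
        seen.append(unit)
        total += count * DURATION_MS[unit]
        pos = m.end()
    if not seen:
        raise ValueError("empty DURATION")
    return total


def is_valid_duration(text, allowed=ALL_DURATION_SPECIFIERS):
    """Boolean form of parse_duration, convenient when validating config."""
    try:
        parse_duration(text, allowed)
        return True
    except ValueError:
        return False


# MEMORY_SIZE: a single specifier, decimals allowed (1.5M). Binary multiples
# are used because the page's access-log example reports a 100M rotation size
# as 104,857,600b, which is 100 * 1024 * 1024.
MEMORY_BYTES = {"T": 1024 ** 4, "G": 1024 ** 3, "M": 1024 ** 2, "k": 1024, "b": 1}
_MEMORY_VALUE = re.compile(r"^(\d+(?:\.\d+)?)([TGMkb])$")


def parse_memory_size(text):
    """Return the number of bytes for a MEMORY_SIZE value such as "1.5M".
    Thousands separators, as printed by `dpconf ... -Z b`, are tolerated."""
    m = _MEMORY_VALUE.match(text.replace(",", ""))
    if m is None:
        raise ValueError("bad MEMORY_SIZE syntax: %r" % text)
    return int(float(m.group(1)) * MEMORY_BYTES[m.group(2)])


# OCTAL_MODE: three octal digits for server user, server group and others.
_OCTAL_MODE = re.compile(r"^[0-7]{3}$")


def describe_octal_mode(mode):
    """Expand an OCTAL_MODE such as "640" into ls-style "rw-r-----"."""
    if _OCTAL_MODE.match(mode) is None:
        raise ValueError("bad OCTAL_MODE: %r" % mode)
    out = ""
    for digit in mode:
        d = int(digit)
        out += ("r" if d & 4 else "-") + ("w" if d & 2 else "-") + ("x" if d & 1 else "-")
    return out


def mode_exposes_to_others(mode):
    """True when the 'others' digit grants any access. A log-file-perm of
    600, as in the access-log example, keeps log contents private to the
    server user; 644 would let any local account read them."""
    describe_octal_mode(mode)  # validates the syntax first
    return int(mode[2]) != 0
```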
This section contains examples of how the dpconf command is used.
This example shows how to get help for using a subcommand:
$ dpconf create-connection-handler -?
Usage: dpconf create-connection-handler NAME [NAME ...]
Create new connection handlers
For global options, use dpconf --help.
NAME The name of a connection handler
For more information, see dpconf(1M).
This example shows how to get information about the properties of the resource limits policy.
To view the properties exposed by all of the dpconf subcommands, run this command:
$ dpconf help-properties
This example shows how to get the access log properties, specifying that the log-rotation-size property is quoted in bytes.
$ dpconf get-access-log-prop -h host -p port -Z b
default-log-level : info
log-file-name : logs/access
log-file-perm : 600
log-level-client-connections : -
log-level-client-disconnections : -
log-level-client-operations : -
log-level-connection-handlers : -
log-level-data-sources : -
log-level-data-sources-detailed : -
log-rotation-frequency : 1h
log-rotation-policy : size
log-rotation-size : 104,857,600b
log-rotation-start-day : 1
log-rotation-start-time : 0000
log-search-filters : false
max-log-files : 10
This example shows how to define customized limits for search operations, based on the search base and search scope.
Create a custom search limit.
$ dpconf create-custom-search-size-limit -h host -p port POLICY-NAME LIMIT-NAME
Set the criteria for the custom search limit.
$ dpconf set-custom-search-size-limit-prop -h host -p port POLICY-NAME LIMIT-NAME one-level-search-base-dn:VALUE subtree-search-base-dn:VALUE
Define the limit for the number of results returned when a search meets one of the above criteria.
$ dpconf set-custom-search-size-limit-prop -h host -p port POLICY-NAME CUSTOM-SEARCH-LIMIT-NAME search-size-limit:VALUE
View the properties of a custom search limit.
$ dpconf get-custom-search-size-limit-prop -h host -p port POLICY-NAME LIMIT-NAME
This example shows how to view the properties of one connection handler and how to compare the properties of a set of connection handlers.
View all of the properties of one connection handler.
$ dpconf get-connection-handler-prop -h host -p port CONNECTION-HANDLER-NAME
These are the default properties of a connection handler:
allowed-auth-methods : anonymous
allowed-auth-methods : sasl
allowed-auth-methods : simple
allowed-ldap-ports : ldap
allowed-ldap-ports : ldaps
bind-dn-filters : any
data-view-routing-custom-list : -
data-view-routing-policy : all-routable
description : -
domain-name-filters : any
enable-data-view-affinity : false
ip-address-filters : any
is-enabled : false
is-ssl-mandatory : false
priority : 99
request-filtering-policy : no-filtering
resource-limits-policy : no-limits
user-filter : any
View the key properties and relative priorities of all of the connection handlers.
$ dpconf list-connection-handlers -v
Name                        is-enabled  priority  description
--------------------------  ----------  --------  ---------------------------
anonymous                   false       99        unauthenticated connections
myconnectionhandler         true        99        -
default connection handler  true        100       default connection handler
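A small audit of the connection-handler property listing shown in this example, added here as an illustration and not part of dpconf: it parses the `property : value` lines (multi-valued properties repeat the name, `-` means unset) and flags the settings that widen exposure. The default handler output from this page is embedded as one sample; the hardened handler beside it is constructed, and its filter values and policy names are assumptions.

```python
# Default connection-handler properties, as this page shows them.
DEFAULT_HANDLER_OUTPUT = """\
allowed-auth-methods : anonymous
allowed-auth-methods : sasl
allowed-auth-methods : simple
allowed-ldap-ports : ldap
allowed-ldap-ports : ldaps
bind-dn-filters : any
data-view-routing-custom-list : -
data-view-routing-policy : all-routable
description : -
domain-name-filters : any
enable-data-view-affinity : false
ip-address-filters : any
is-enabled : false
is-ssl-mandatory : false
priority : 99
request-filtering-policy : no-filtering
resource-limits-policy : no-limits
user-filter : any
"""

# Constructed counterpart: TLS only, no anonymous binds, client filters and
# policies attached. Filter values and policy names are assumed, not dpconf's.
HARDENED_HANDLER_OUTPUT = """\
allowed-auth-methods : sasl
allowed-auth-methods : simple
allowed-ldap-ports : ldaps
bind-dn-filters : uid=*,ou=People,dc=example,dc=com
data-view-routing-custom-list : -
data-view-routing-policy : all-routable
description : application tier, TLS only
domain-name-filters : *.example.com
enable-data-view-affinity : false
ip-address-filters : 192.0.2.0/24
is-enabled : true
is-ssl-mandatory : true
priority : 50
request-filtering-policy : app-filtering
resource-limits-policy : app-limits
user-filter : any
"""


def parse_props(text):
    """Map each property name to the list of its values. The unset marker
    "-" becomes an empty list so callers need not special-case it."""
    props = {}
    for line in text.splitlines():
        if " : " not in line:
            continue
        name, value = (part.strip() for part in line.split(" : ", 1))
        values = props.setdefault(name, [])
        if value != "-":
            values.append(value)
    return props


def _single(props, name, default):
    values = props.get(name, [])
    return values[0] if values else default


def audit_handler(props):
    """Return a list of findings for one handler's parsed properties.

    The checks combine properties the page documents: allowed auth methods
    and ports, whether SSL is mandatory, and whether the IP, bind-DN and
    domain filters narrow which clients match. Which combinations count as
    findings is this example's judgement, not dpconf policy.
    """
    findings = []
    auth = set(props.get("allowed-auth-methods", []))
    ports = set(props.get("allowed-ldap-ports", []))
    ssl_mandatory = _single(props, "is-ssl-mandatory", "false") == "true"
    enabled = _single(props, "is-enabled", "false") == "true"
    if "simple" in auth and "ldap" in ports and not ssl_mandatory:
        findings.append("simple bind accepted on the clear-text ldap port "
                        "with is-ssl-mandatory false: passwords may cross "
                        "the network unencrypted")
    if "anonymous" in auth:
        findings.append("anonymous binds allowed")
    for name in ("ip-address-filters", "bind-dn-filters", "domain-name-filters"):
        if props.get(name) == ["any"]:
            findings.append("%s is 'any': the handler matches every client" % name)
    if props.get("request-filtering-policy") == ["no-filtering"]:
        findings.append("no request filtering policy attached")
    if props.get("resource-limits-policy") == ["no-limits"]:
        findings.append("no resource limits policy attached")
    if findings and not enabled:
        findings.append("note: handler is disabled (is-enabled false); "
                        "the findings take effect only once it is enabled")
    return findings
```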
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-proxy
Stability Level | Evolving
dpadm(1M), dsconf(1M), and dsadm(1M)
install-path/ds6/bin/dsadm subcommand options
The dsadm command is the local administration command for Directory Server instances. Use the dsadm command with any of the subcommands described in this man page.
dsadm must be used while the server is stopped (except subcommands dsadm info, dsadm stop and dsadm restart). It must be run from the local machine where the server instance is located. This command must be run by the username that is the Operating System owner of the server instance, or by root.
The following subcommands are supported:
Adds a certificate to the certificate database.
Creates a self-signed certificate and adds it to the certificate database.
Enables or disables Directory Server instance startup at system boot. This command is only available if you installed with Sun Java Enterprise System or native packages, and is not available on Windows. This command must be run as root.
Creates a backup archive of the Directory Server instance.
Creates a Directory Server instance.
Deletes a Directory Server instance.
Disables a Directory Server instance from being managed as a service. This command is available on Windows distributions and on Solaris native package distributions only. The command must be run as root.
Enables a Directory Server instance to be managed as a service. This command is available on Windows distributions and on Solaris native package distributions only. The command must be run as root.
Exports a suffix to LDIF format.
Exports an encrypted copy of the certificate and its public and private keys from the certificate database.
Generates legacy scripts in a Directory Server instance. This command is not available on Windows.
Displays the flag values for the Directory Server instance.
Populates an existing suffix with LDIF data.
Adds a new certificate and its keys to the certificate database.
Adds a new self-signed certificate and its keys to the certificate database.
Displays Directory Server instance status and some configuration information.
Lists all certificates in the certificate database.
Regenerates existing indexes.
Removes a certificate from the certificate database. The instance must be stopped before running this command.
Replaces a certificate, but keeps the existing private key. The instance must be stopped before running this command.
Renews a self-signed certificate in the certificate database. The instance must be stopped before running this command.
Repacks or compacts an existing suffix. The -b option enables you to specify the name of the back end instead of the suffix name. At least one suffix DN or one back end name must be specified. The instance must be stopped before running this command.
Generates a certificate request.
Restarts a Directory Server instance.
Restores a Directory Server instance from a backup archive.
Sets flags for a Directory Server instance.
Displays the contents of the access log.
Displays a certificate.
Displays the contents of the error log.
Starts a Directory Server instance.
Stops a Directory Server instance.
The following options are global, and are applicable to all commands and subcommands.
Displays help information for a command or subcommand.
Displays the current version of dsadm. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dsadm are not aligned, the version of each individual component is displayed.
The following options are applicable to the subcommands where they are specified.
Specifies the maximum age of lines to be returned from the access log or the error log. For example, to search for all entries younger than 24 hours, use -A 24h.
Creates the Directory Server instance in an existing directory, specified by the INSTANCE_PATH. The existing directory must be empty. On UNIX machines, the user who runs this command must be root, or must be the owner of the existing directory. If the user is root, the instance will be owned by the owner of the existing directory.
Specifies a Certificate Authority certificate is to be used, or that the command should display information about CA certificates.
Adds L=CITY to the subject DN. Default is none.
Adds C=COUNTRY to the subject DN. The default is none.
Defines the Directory Manager DN. The default is cn=Directory Manager.
Starts Directory Server with the configuration used at the last successful startup.
Specifies the output format. For dsadm request-cert, the default is der, and the other possible output format is ascii. For dsadm show-cert, the default is readable, and the other possible output formats are ascii and der.
Customized values for options.
Possible flags for the dsadm backup subcommand are as follows.
Check database integrity.
Possible flags for the dsadm export subcommand are as follows.
Perform minimal base64 encoding.
Generate multiple LDIF output files.
Do not export the unique ID generated on import.
Do not fold long lines.
Delete the initial line specifying the LDIF version, version: 1, for backward compatibility.
Do not include entry IDs in the LDIF output.
Only export from the main database file.
Possible flags for the dsadm import subcommand are as follows.
Merge chunk size.
Import LDIF generated during incremental import.
Does not create legacy scripts. If you do not use this option, command scripts that are similar to 5.x command scripts are created in the server instance.
Sets the server instance owner's group ID. The default is the user's current UNIX group. This option is not available on Windows.
Specifies the hostname. The default is the name of the current host system.
Reads the input file password in the INPUT_PW_FILE file. The default is a prompt for password.
Does not prompt for confirmation before performing the operation.
Specifies that the contents of the imported LDIF file are appended to the existing LDAP entries. If this option is not specified, the contents of the imported file replace the existing entries.
Specifies the number of lines to be returned from the access log or the error log. LAST_LINES must be an integer. For example, to return the last 50 lines, use -L 50. If no value is specified, the default number of lines returned is 20.
Specifies VLV (browsing) index.
Adds CN=NAME to the subject DN.
Reads the output password from the OUTPUT_FILE file. The default is a prompt for password.
Stores the command results in the OUTPUT_FILE file. The default is stdout, standard output.
Disables server instance startup at system boot.
Adds O=ORG to the subject DN. The default is none.
Adds OU=ORG-UNIT to the subject DN. The default is none.
Specifies the secure SSL port for LDAP traffic. The default is 636 if dsadm is run by the root user, or 1636 if dsadm is run by a non-root user.
Specifies the port for LDAP traffic. The default is 389 if dsadm is run by the root user, or 1389 if dsadm is run by a non-root user.
Specifies that additional data needed for replication is not included in the export.
Specifies the subject DN. The default depends on the subcommand used, and is either CN=hostname or CN=CERT_ALIAS.
Exports data from suffix DN.
Adds ST=STATE to the subject DN. Default is none.
Service type. Can be CLUSTER when using Sun Cluster, SMF when using Solaris 10, or WIN_SERVICE when using Windows.
Specifies the attribute index ATTR_INDEX.
Sets the server instance owner user ID. The default is the current UNIX user name. This option is not available on Windows.
Reads certificate database password from CERT_PW_FILE. The default is to prompt for password.
Sets the password file for the Directory Manager (-D). The default is to prompt for password.
Excludes the specified DN from the command.
Decrypts encrypted attributes.
The following operands are supported:
Specifies the path to the backup of the Directory Server instance.
Certificate alias name. A user-specified name that identifies a certificate.
Specifies the file that contains the certificate.
Specifies a flag that represents a property operand when using the command dsadm get-flags. Possible flag: cert-pwd-prompt.
Specifies a property flag operand and its value when using the command dsadm set-flags.
Possible values for the cert-pwd-prompt flag are on and off; the default is off. By default, the dsadm command generates a certificate database password when creating a server instance. This password is stored, allowing dsadm to access the certificate database when necessary, for example, when the server starts listening for SSL connections. When the cert-pwd-prompt flag is changed to on, the dsadm command prompts for the certificate database password when needed.
Path of the Directory Server instance.
Filename of LDIF file.
Cluster resource group. Required for CLUSTER service, not applicable for other types of services.
Suffix DN (Distinguished name).
The following examples show how the dsadm command is used.
$ dsadm create -p 6389 -P 6636 /local/ds
This command creates the server instance files in the directory /local/ds. The server instance is owned by the UNIX user who runs the command.
In this example, the LDAP port is specified as 6389, and the secure port is specified as 6636. If you do not specify port numbers, the default port numbers 389 and 636 (for the root user) or 1389 and 1636 (for a non-root user) are used. If you do not specify port numbers and the default port numbers are already in use, the dsadm create command aborts.
Start the server instance whose path is /local/ds.
$ dsadm start /local/ds
Display information such as the owner, ports, and current state of the server instance whose path is /local/ds.
$ dsadm info /local/ds
Import an LDIF file, specifying that no user confirmation is required, and giving the suffix DN.
$ dsadm import -i /local/ds /local/ds/ldif/example.ldif dc=example,dc=com
Export a suffix to an LDIF file.
$ dsadm export -x ou=People,dc=example,dc=com /local/ds dc=example,dc=com /local/ds/ldif/export.ldif
This command exports all data in the suffix dc=example,dc=com, excluding data in the subsuffix ou=People,dc=example,dc=com.
This command backs up the suffix data and the configuration data. The instance path is /local/ds and the archive directory is /local/dsbackup/20060722.
$ dsadm backup /local/ds /local/dsbackup/20060722
To regenerate the existing cn and uid indexes:
$ dsadm reindex -t cn -t uid /local/ds dc=example,dc=com
Use the following command to renew an existing server certificate with a new server certificate from your Certificate Authority.
$ dsadm renew-cert /local/ds cert_alias /local/certfiles/new-cert
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory
Stability Level | Evolving
install-path/dscc6/bin/dsccmon [subcommand] [options]
The dsccmon command is used to monitor servers registered with Directory Service Control Center. Use the dsccmon command with the subcommands described in this man page.
The following subcommands are supported:
Show monitoring information about the replication agreements between Directory Server instances.
The format of this subcommand is:
dsccmon view-repl-agmts [-d seconds] [-b] [-s suffix-dn]…
Show monitoring information about registered servers.
The format of this subcommand is:
dsccmon view-servers [-d seconds] [-t] [-E]
Show monitoring information about suffixes supported by registered servers.
The usage of this subcommand is:
dsccmon view-suffixes [-d seconds] [-b] [-G] [-s suffix-dn]…
The following options apply to all commands and subcommands:
Display usage for the command or for the specified subcommand.
Bind using the specified user-dn.
By default, the value of the environment variable LDAP_ADMIN_USER is used. If LDAP_ADMIN_USER is not defined, cn=admin,cn=Administrators,cn=dcc is used.
Display hidden suffixes or servers, such as the server and suffixes used by Directory Service Control Center to manage metainformation about the directory service.
Connect to the Directory Service Control Center registry on the specified host or IP address.
By default, the value of the environment variable DSCC_HOST is used. If DSCC_HOST is not defined, localhost is used.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, pass the -h option with its argument as -h ::ffff:192.168.0.99.
Connect to the Directory Service Control Center registry on the specified port.
By default, the value of the environment variable DSCC_PORT is used. If DSCC_PORT is not defined, 3998 is used.
Bind using cn=uid,cn=Administrators,cn=dcc.
By default, the value of the environment variable LDAP_ADMIN_USER is used. If LDAP_ADMIN_USER is not defined, cn=admin,cn=Administrators,cn=dcc is used.
Displays the current version of dsccmon. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dsccmon are not aligned, the version of each individual component is displayed.
Display extra information for debugging purposes.
Bind using the password specified in file.
By default, the value of the environment variable LDAP_ADMIN_PWF is used. If LDAP_ADMIN_PWF is not defined, dsccmon prompts for a password.
The following options apply to the subcommands where they are specified:
Display detailed server error information.
Display generation IDs.
Do not display nonessential data, such as headers and notes.
Update monitoring information each specified number of seconds.
Display information for the specified suffix only.
Display the server instance path.
The following environment variables are supported:
Bind to the registry on this host.
Bind to the registry on this port number.
Read the bind password from this file.
Bind with this user DN or uid.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-console-cli
Stability Level | Evolving
install-path/dscc6/bin/dsccreg [subcommand] [options]
The dsccreg command is used to register server instances on the local system with Directory Service Control Center, which may be remote. Use the dsccreg command with the subcommands described in this man page.
The following subcommands are supported:
Add a server instance to the Directory Service Control Center registry.
The format of this subcommand is:
dsccreg add-server [-B instance-user-dn] [-G instance-pwd-file] [-d desc] [-H local-host] instance-path
List server instances registered with Directory Service Control Center.
The format of this subcommand is:
dsccreg list-servers [-a] [-C]
Remove a server instance from the Directory Service Control Center registry.
The usage of this subcommand is:
dsccreg remove-server [-B instance-user-dn] [-G instance-pwd-file] [-H local-host] instance-path
The following options apply to all commands and subcommands:
Display usage for the command or for the specified subcommand.
Bind using the specified user-dn.
By default, the value of the environment variable LDAP_ADMIN_USER is used. If LDAP_ADMIN_USER is not defined, cn=admin,cn=Administrators,cn=dcc is used.
Connect to the Directory Service Control Center registry on the specified host or IP address.
By default, the value of the environment variable DSCC_HOST is used. If DSCC_HOST is not defined, localhost is used.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, pass the -h option with its argument as -h ::ffff:192.168.0.99.
Do not prompt for confirmation before restarting servers.
Connect to the Directory Service Control Center registry on the specified port.
By default, the value of the environment variable DSCC_PORT is used. If DSCC_PORT is not defined, 3998 is used.
Bind using cn=uid,cn=Administrators,cn=dcc.
By default, the value of the environment variable LDAP_ADMIN_USER is used. If LDAP_ADMIN_USER is not defined, cn=admin,cn=Administrators,cn=dcc is used.
Displays the current version of dsccreg. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dsccreg are not aligned, the version of each individual component is displayed.
Display extra information for debugging purposes.
Bind using the password specified in file.
By default, the value of the environment variable LDAP_ADMIN_PWF is used. If LDAP_ADMIN_PWF is not defined, dsccreg prompts for a password.
The following options apply to the subcommands where they are specified:
Use the specified bind DN to bind to the instance specified by instance-path.
By default, the dsccreg command uses cn=Directory Manager.
Verify that each registered server instance is accessible from Directory Service Control Center.
Use the password in the specified file to bind to the instance specified by instance-path.
By default, the dsccreg command prompts for the password.
Use the specified host name as the local host.
By default, the dsccreg command uses the local host name returned by the operating system.
Display hidden servers, such as the server used by Directory Service Control Center to manage metainformation about the directory service.
Use the specified text desc as the description for the server instance.
The following environment variables are supported:
Bind to the registry on this host.
Bind to the registry on this port number.
Read the bind password from this file.
Bind with this user DN or uid.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-console-cli
Stability Level | Evolving
install-path/dscc6/bin/dsccsetup [subcommand] [options]
The dsccsetup command is used to register Directory Service Control Center with Sun Java Web Console (DSCC), and to register local agents of the administration framework. Use the dsccsetup command with the subcommands described in this man page.
The following subcommands are supported:
Initialize the DSCC registry, a local Directory Server instance for private use by DSCC to store configuration information. DSCC requires that this instance reside locally on the host where you run DSCC. Therefore, if you replicate the data in the instance for high availability, set up one DSCC per replica host.
If you do not provide the Directory Manager password for the DSCC registry in the file passed to the -w option, the command prompts for the password.
The default port numbers used by the instance are 3998 for LDAP, and 3999 for LDAPS.
The default instance path is /var/opt/SUNWdsee/dscc6/dcc/ads on Solaris systems, /var/opt/sun/dscc6/dcc/ads on HP-UX and Red Hat systems, and C:\Program Files\Sun\DSEE\var\dscc6\dcc\ads on Windows systems.
The base DN for the suffix containing configuration information is cn=dscc. Use the dsccsetup status subcommand to read actual values for the DSCC registry instance.
Delete the Directory Server instance used by DSCC to store configuration information.
Use the -i option when not running the command interactively.
Register the local DSCC agent with the Common Agent Container, cacao.
Use the -t option if you want to restart the Common Agent Container manually at a later time.
Remove the local DSCC agent registration information from cacao.
Register DSCC with the web application container, Sun Java Web Console.
Use the -i option when not running the command interactively.
Use the -t option if you want to restart Sun Java Web Console manually at a later time.
Remove DSCC from Sun Java Web Console.
Use the -i option when not running the command interactively.
Use the -t option if you want to restart Sun Java Web Console manually at a later time.
Dismantle the DSCC administration framework, running the cacao-unreg, console-unreg, and ads-delete subcommands.
Use the -i option when not running the command interactively.
Use the -t option if you want to restart Sun Java Web Console and the Common Agent Container manually at a later time.
Initialize the DSCC administration framework, running the ads-create, console-reg, and cacao-reg subcommands.
Use the -i option when not running the command interactively.
Use the -t option if you want to restart Sun Java Web Console or the Common Agent Container manually at a later time.
If you do not provide the Directory Manager password for the DSCC registry in the file passed to the -w option, the command prompts for the password.
Display whether DSCC has been registered with Sun Java Web Console, and with the Common Agent Container. Also, display whether the DSCC registry has been initialized.
Register the local Directory Server monitoring agent for Java Enterprise System Monitoring Framework with the Common Agent Container, cacao.
Use the -t option if you want to restart the Common Agent Container manually at a later time.
Remove the local Directory Server monitoring agent registration information from cacao.
The following options apply to all commands and subcommands:
Display usage for the command or for the specified subcommand.
Do not prompt for confirmation before performing the operation.
Displays the current version of dsccsetup. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dsccsetup are not aligned, the version of each individual component is displayed.
Display extra information for debugging purposes.
The following options apply to the subcommands where they are specified:
Do not restart the Common Agent Container or Sun Java Web Console after performing the operation.
You can restart the Common Agent Container using the cacaoadm command. You can restart the Sun Java Web Console using the smcwebserver command.
Use the Directory Service Manager password specified in file.
By default, dsccsetup prompts for a password.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-console-agent
Stability Level | Unstable
cacaoadm(1M), smcwebserver(1M)
install-path/ds6/bin/dsconf subcommand options
The dsconf command manages Directory Server configuration. It enables you to modify the configuration entries in cn=config.
The server must be running in order for you to run dsconf.
The following subcommands are supported:
Ensures the authentication properties of the destination suffix are in accord with those of the replication agreement.
Backs up Directory Server data (configuration data excluded).
Changes the remote replica pointed to by an existing replication agreement. The suffix DN and configuration of the existing agreement remain the same.
Declares that the values for an attribute are encrypted.
Declares that an attribute is indexed. The default index types for the attribute are equality and presence.
Declares a new client plugin. The plugin state is disabled.
Creates a replication agreement for an existing suffix.
Creates a prioritized replication rule on a master.
Creates a suffix.
Declares that the values for an attribute are no longer encrypted.
Declares that an attribute is no longer indexed.
Declares that a plugin cannot be used by the server any more.
Deletes a replication agreement.
Deletes a prioritized replication rule.
Deletes suffix configuration and data.
Demotes the role of an existing replicated suffix. A master is demoted to a hub, a hub is demoted to a consumer. To demote a master to a consumer, run the command twice.
Disables a plugin.
Disables replication for a replicated suffix.
Disables replication with another Directory Server.
Enables a plugin.
Enables replication by assigning a role to an existing suffix.
Enables replication with another Directory Server.
Exports suffix data to LDIF format.
Displays the value of an index configuration property.
Displays server log property values.
Displays plugin property values.
Displays replication agreement property values.
Displays server property values.
Displays suffix property values.
Lists properties exposed by subcommands.
Populates existing suffixes with LDIF data.
Displays information about server configuration such as port number, suffix name, server mode and task states.
Launches a total update of the remote replica from a local suffix.
Lists encrypted attributes. When used with -v, this command displays additional information related to encrypted attributes.
Lists indexed attribute configuration. When used with -v, this command displays additional information related to indexes.
Lists plugins. When used with -v, this command displays additional information related to plugins.
Lists replication agreements. When used with -v, this command displays additional information related to replication agreements.
Lists prioritized replication rules. When used with -v, this command displays additional information related to prioritized replication rules.
Lists suffixes. When used with -v, this command displays additional information related to suffixes. This includes the number of entries, the suffix role and the number of replication agreements, replication priority rules, indexes and encrypted attributes.
Promotes the role of an existing replicated suffix. A consumer is promoted to a hub, a hub is promoted to a master. To promote a consumer to a master, run the command twice.
Changes Directory Server password compatibility state.
Rebuilds index(es) of an existing suffix.
Restores Directory Server data from a backup archive.
Closes and renames the current log and creates a fresh log.
Sets the index property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets server log property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets plugin property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets replication agreement property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets server property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets suffix property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
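The three assignment forms above (PROP:VAL, PROP+:VAL and PROP-:VAL) are shared by the set-*-prop subcommands, and the plain PROP:VAL form replaces every existing value, which is easy to confuse with an add when the property is multi-valued. The Python script below is an added example, not code from the dsconf man page: it applies a list of assignments to a local copy of a property map so the result can be inspected before the real subcommand is run. The property names in its sample are constructed for illustration.

```python
"""Apply dsconf-style property assignments before sending them to a server.

Added example, not code from the dsconf man page. It models the PROP:VAL,
PROP+:VAL and PROP-:VAL forms the man page describes for the set-*-prop
subcommands; the property names in the sample are constructed for illustration.
"""
from typing import Dict, Iterable, List


def apply_assignment(props: Dict[str, List[str]], assignment: str) -> None:
    """Apply one assignment to props in place.

    PROP:VAL   replaces every current value of PROP with VAL
    PROP+:VAL  adds VAL to the multi-valued property PROP
    PROP-:VAL  removes VAL from PROP; VAL must currently be present
    The split is on the first ':' so a VAL such as host:port stays intact.
    """
    name, sep, value = assignment.partition(":")
    if not sep or not name.rstrip("+-"):
        raise ValueError(f"malformed assignment: {assignment!r}")
    if name.endswith("+"):
        values = props.setdefault(name[:-1], [])
        if value not in values:
            values.append(value)
    elif name.endswith("-"):
        key = name[:-1]
        if value not in props.get(key, []):
            raise ValueError(f"{key} has no value {value!r} to remove")
        props[key].remove(value)
    else:
        props[name] = [value]


def apply_all(props: Dict[str, List[str]], assignments: Iterable[str]) -> Dict[str, List[str]]:
    """Return a new property map with every assignment applied, in order.

    The caller's map is copied first, so a rejected assignment leaves it intact
    and the caller can review the result before running the real set-*-prop.
    """
    working = {key: list(values) for key, values in props.items()}
    for assignment in assignments:
        apply_assignment(working, assignment)
    return working


def would_apply(props: Dict[str, List[str]], assignments: Iterable[str]) -> bool:
    """True when every assignment is well formed and applicable to props."""
    try:
        apply_all(props, assignments)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: one multi-valued and one single-valued property.
    current = {"example-multi-prop": ["alpha", "beta"], "example-single-prop": ["on"]}
    print(apply_all(current, ["example-multi-prop+:gamma"]))    # adds a third value
    print(apply_all(current, ["example-multi-prop:gamma"]))     # plain form drops alpha and beta
    print(would_apply(current, ["example-multi-prop-:delta"]))  # False: nothing to remove
```

The difference between the second and the first call is the point of the example: only the "+" form keeps the existing values.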
Displays a comparison of a source and destination suffix configuration and the status of the replication agreement. When used with -v, this command displays additional replication agreement information such as pending changes and delayed maximum duration.
Displays the status of current directory server tasks. When used with -v, this command displays additional information related to the task type.
Restarts replication updates after the destination server has been down by forcing updates to the remote replica from the local suffix.
The following options are global, and are applicable to all commands and subcommands.
Displays help information for a command or subcommand.
Does not ask for confirmation before accepting non-trusted server certificates.
Binds as USER_DN. dsconf searches for a USER_DN value in the following order: first a USER_DN specified on the command line, then a USER_DN set by using the environment variable $LDAP_ADMIN_USER. If neither is found, the default is to bind as the user cn=Directory Manager.
Connects over LDAP with no secure connection. To connect over a clear connection by default, set the DIRSERV_UNSECURED environment variable.
Connects to the directory on HOST. dsconf contacts the LDAP server on the specified host, which may be a host name or an IP address. dsconf searches for a HOST value in the following order: First a HOST specified on the command line, then a HOST set by using the environment variable $DIRSERV_HOST. If none of these are found, the default is to use the local host.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, specify the HOST:PORT as follows: ::ffff:192.168.0.99.
Does not prompt for confirmation before performing the operation.
Does not ask for confirmation before rejecting non-trusted server certificates (for current session only).
Connects to the directory on PORT. dsconf searches for a PORT value in the following order: first a PORT specified on the command line, then a PORT set by using the environment variable $DIRSERV_PORT. If neither is found, the default is to use port 389.
This option is mutually exclusive with -P,--secure-port.
Connects over SSL to the directory on PORT. dsconf searches for a PORT value in the following order:
A PORT specified on the command line
A PORT set by using the $DIRSERV_PORT environment variable
If neither is found, the default is to use port 636.
This option is mutually exclusive with -p,--port.
Displays extra information.
Displays the current version of dsconf. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by dsconf are not aligned, the version of each individual component is displayed.
Binds using the LDAP password read from FILE. dsconf searches for a password FILE value in the following order: a password or password file specified on the command line, then a password file set by using the environment variable $LDAP_ADMIN_PWF. If neither is found, the default is to prompt for the password.
The following options are applicable to the subcommands where they are specified.
Sets authentication protocol for replication agreements to PROTOCOL. For the create-repl-dest subcommand, the default value is clear. Other possible values are ssl-simple and ssl-client. For the change-repl-dest subcommand, the default value is the same as that of the HOST:PORT to which you are changing.
Launches the task asynchronously: the command returns immediately and the task continues on the server.
Specifies a database name.
Specifies a replication ID for a master. It is only used when ROLE = master.
Specifies a description DESC.
Modifies the display output to show one property value per line.
Sets initialization function for a plugin to INIT_FUNC.
Customizes imported or exported LDIF.
Import flags:
Sets the merge chunk size. Overrides the detection of when to start a new pass during import.
Specifies whether an output file will be generated for later use in importing to large replicated suffixes. Default is yes. Possible values are yes and no. This flag can only be used when the -K option is used. If this flag is not used, an output file will automatically be generated.
Sets the path of the generated output file for an incremental (appended) import. The output file is used for updating a replication topology. It is an LDIF file containing the difference between the replicated suffix and the LDIF file, and replication information.
Export flags:
Exports each suffix to a separate file.
Exports the main database file only.
Does not export unique id values.
Does not wrap long lines.
Does not export entry IDs.
Sets plugin argument property to ARG.
Sets plugin library path to LIB_PATH.
Binds as USER_DN on destination suffix (Default: same as the DN used for source suffix)
Specifies that the contents of the imported LDIF file are appended to the existing LDAP entries. If this option is not specified, the contents of the imported file replace the existing entries.
Specifies database directory and path.
Displays time in UNIT, where UNIT is one of: w, d, h, m, s (week, day, hour, minute, second).
Does not create a top entry for the suffix. By default, a top-level entry is created when a new suffix is created (on the condition that the suffix starts with dc=, c=, o= or ou=). This option changes the default behavior.
Does not export additional data needed for replication.
Displays help properties and their corresponding attributes in cn=config.
Exports all data under specified DN.
Displays information in a table format.
Reindexes the attribute ATTR (Default: All attributes).
Binds on a destination suffix using the password read from FILE. The default is the same FILE used for the source suffix.
Does not import or export data contained under the specified DN.
Sets plugin type to TYPE, where TYPE is one of: database, extendedop, preoperation, postoperation, matchingrule, syntax, internalpreoperation, internalpostoperation, object, pwdstoragescheme, reverpwdstoragescheme, ldbmentryfetchstore, beprecommit, archive2ldbm.
Displays memory size data in UNIT, where UNIT is one of: G, M, k, b (Gigabyte, Megabyte, kilobyte, byte).
The following operands are supported:
Directory Server instance backup archive directory.
Attribute name.
Algorithm to use for encryption. Possible values are: des, des3, rc2, rc4. These values signify respectively DES block cipher, Triple DES block cipher, RC2 block cipher, RC4 stream cipher.
Destination replicated suffix, defined by HOST and destination PORT.
Path and filename for file in LDIF format.
Type of log, where LOG_TYPE is one of: access, error, audit.
Desired mode for password compatibility policy. The default mode is DS5-compatible-mode. You can change it to DS6-migration-mode and then to DS6-mode.
Plugin name. The plugin name is defined when the plugin is created.
Name used to define or identify a prioritized replication rule.
Property name. For a list of PROP names and default values, use the command dsconf help-properties -v.
Property and corresponding value. For a list of PROP names and default values, use the command dsconf help-properties -v.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Multi-valued properties are identified by the M keyword. For a list of multi-valued properties, use the command dsconf help-properties | grep " M "
Allowed values that are too wide for the help-properties output are listed below:
LOG level (Access): acc-internal | default | acc-default_plus_referrals | acc-timing. For definitions of log levels, see the man page log(5dsconf).
LOG level (Error): default | err-function-calls | err-search-args | err-connection | err-packets | err-search-filter | err-config-file | err-acl | err-ldbm | err-entry-parsing | err-housekeeping | err-replication | err-entry-cache | err-plugins | err-dsml | err-dsml-advanced. For definitions of log levels, see the man page log(5dsconf).
PLG type and depends-on-type: database | extendedop | preoperation | postoperation | matchingrule | syntax | internalpreoperation | internalpostoperation | object | pwdstoragescheme | reverpwdstoragescheme | ldbmentryfetchstore | beprecommit | archive2ldbm
RAG transport-compression: no-compression | default-compression | best-speed | best-compression
SER dsml-client-auth-mode: client-cert-first | http-basic-only | client-cert-only
Role of the replicated suffix, where ROLE is one of: master, hub, consumer.
Suffix DN (Distinguished Name)
Syntax values shown in lower case or partly in lower case are literal values.
Those shown in upper case are syntax types, defined as follows:
A valid attribute type name such as cn or objectClass.
true or false.
A valid distinguished name such as ou=People,dc=example,dc=com.
A duration specified in months (M), weeks (w), days (d), hours (h), minutes (m), seconds (s), and milliseconds (ms), or some combination with multiple specifiers. For example, you can specify one week as 1w, 7d, 168h, 10080m, or 604800s. You can also specify one week as 1w0d0h0m0s.
DURATION properties typically do not each support all duration specifiers (Mwdhms). Examine the output of dsconf help-properties for the property to determine which duration specifiers are supported.
A valid e-mail address.
An IP address or host name.
A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.
An interval value of the form hhmm-hhmm 0123456, where the first element specifies the starting hour, the next element the finishing hour in 24-hour time format, from 0000-2359, and the second specifies days, starting with Sunday (0) to Saturday (6).
An IP address or range of address in one of the following formats:
IP address in dotted decimal form.
IP address and bits, in the form of network number/mask bits.
IP address and quad, in the form of a pair of dotted decimal quads.
All addresses. A catch-all for clients that are not placed into other, higher priority groups.
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
IP address of the local host.
A valid LDAP URL as specified by RFC 2255.
A memory size specified in gigabytes (G), megabytes (M), kilobytes (k), or bytes (b). Unlike DURATION properties, MEMORY_SIZE properties cannot combine multiple specifiers. However, MEMORY_SIZE properties allow decimal values, for example, 1.5M.
A valid cn (common name).
A three-digit, octal file permissions specifier. The first digit specifies permissions for the server user ID, the second for the server group ID, the last for other users. Each digit consists of a bitmask defining read (4), write (2), execute (1), or no access (0) permissions, thus 640 specifies read-write access for the server user, read-only access for other users of the server group, and no access for other users.
The full path to the file from which the bind password should be read.
A valid, absolute file system path.
A DirectoryString value, as specified by RFC 2252.
An SSL cipher supported by the server. See the Reference for a list of supported ciphers.
An SSL protocol supported by the server. See the Reference for a list of supported protocols.
A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.
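The DURATION, MEMORY_SIZE and INTERVAL syntaxes above are easy to get subtly wrong (a combined MEMORY_SIZE, a specifier the property does not support, an hour of 24). The following parsers are an added illustration, not code from DSEE or the dsconf tool; they assume a month is 30 days and memory units are powers of 1024, neither of which the man page states, and they accept memory specifiers in either case because the help-properties example shows 2m next to 3G.

```python
"""Parsers for three dsconf property value syntaxes: DURATION, MEMORY_SIZE
and INTERVAL. Added illustration, not part of DSEE or dsconf. Python 3,
standard library only."""
import re

# DURATION specifiers and their length in seconds. The man page does not
# define the length of a month (M); 30 days is assumed here.
DURATION_UNITS = {
    "M": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "m": 60,
    "s": 1,
    "ms": 0.001,
}
# "ms" is tried before the single-letter specifiers so "10ms" is not read
# as "10m" followed by garbage.
_DURATION_TOKEN = re.compile(r"(\d+)(ms|[Mwdhms])")
_DURATION_FULL = re.compile(r"(?:\d+(?:ms|[Mwdhms]))+")


def parse_duration(value, allowed=frozenset(DURATION_UNITS)):
    """Return the length of a DURATION value in seconds.

    `allowed` is the set of specifiers the target property supports, as
    shown by `dsconf help-properties`; any other specifier, and any
    malformed value, raises ValueError, so a value can be checked before
    it is passed to `dsconf set-*-prop`.
    """
    if not _DURATION_FULL.fullmatch(value):
        raise ValueError("malformed DURATION: %r" % value)
    total = 0
    for number, unit in _DURATION_TOKEN.findall(value):
        if unit not in allowed:
            raise ValueError("specifier %r not supported here" % unit)
        total += int(number) * DURATION_UNITS[unit]
    return total


# MEMORY_SIZE: one specifier only, decimal number allowed ("1.5M").
# Powers of 1024 are an assumption; the man page does not state the base.
MEMORY_UNITS = {"g": 1024 ** 3, "m": 1024 ** 2, "k": 1024, "b": 1}
_MEMORY_RE = re.compile(r"(\d+(?:\.\d+)?)([GgMmKkBb])")


def parse_memory_size(value):
    """Return a MEMORY_SIZE value as a whole number of bytes."""
    m = _MEMORY_RE.fullmatch(value)
    if not m:
        raise ValueError("malformed MEMORY_SIZE: %r" % value)
    number, unit = m.groups()
    return int(float(number) * MEMORY_UNITS[unit.lower()])


# INTERVAL: "hhmm-hhmm 0123456", times in 24-hour format, days 0 (Sunday)
# through 6 (Saturday).
_INTERVAL_RE = re.compile(r"(\d{2})(\d{2})-(\d{2})(\d{2}) ([0-6]+)")


def parse_interval(value):
    """Return (start, end, days) for an INTERVAL value.

    start and end are minutes since midnight; days is the sorted list of
    weekday numbers. An hour above 23, a minute above 59 or a repeated day
    digit raises ValueError.
    """
    m = _INTERVAL_RE.fullmatch(value)
    if not m:
        raise ValueError("malformed INTERVAL: %r" % value)
    sh, sm, eh, em, days = m.groups()
    minutes = []
    for hh, mm in ((sh, sm), (eh, em)):
        hh, mm = int(hh), int(mm)
        if hh > 23 or mm > 59:
            raise ValueError("time out of range in INTERVAL: %r" % value)
        minutes.append(hh * 60 + mm)
    if len(set(days)) != len(days):
        raise ValueError("repeated day in INTERVAL: %r" % value)
    return minutes[0], minutes[1], sorted(int(d) for d in days)


PARSERS = {
    "DURATION": parse_duration,
    "MEMORY_SIZE": parse_memory_size,
    "INTERVAL": parse_interval,
}


def is_valid(syntax, value):
    """True if `value` is well-formed for the named syntax type."""
    try:
        PARSERS[syntax](value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Values taken from the examples in this man page.
    print(parse_memory_size("12M"), "bytes for entry-cache-size:12M")
    print(parse_duration("2d"), "seconds for rotation-interval:2d")
    print(parse_interval("0800-1800 12345"))
```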
The following examples show how the dsconf command is used.
$ dsconf create-suffix -h host -p port dc=example,dc=com
In this example, non-default ports are specified.
Check to see if the suffix has been created.
$ dsconf list-suffixes -h host -p port -v
$ dsconf import -h host -p port /local/ds/ldif/example.ldif dc=example,dc=com
In this example, the preferredLanguage attribute is going to be indexed.
Create an index entry for the attribute. By default, the index matching types are equality and presence.
$ dsconf create-index -h host -p port dc=example,dc=com preferredLanguage
Check that the index entry has been created.
$ dsconf get-index-prop -h host -p port dc=example,dc=com preferredLanguage
Generate the index for the attribute.
$ dsconf reindex -h host -p port -t preferredLanguage dc=example,dc=com
$ dsconf backup -h host -p port /tmp/backupArchiveDir
For complete backup procedures, see the Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide.
Search for the string cache within the dsconf help properties:
$ dsconf help-properties | grep cache
Determine which property is most applicable and request more information. In the results of the preceding step, cache-mem-size seems to correspond. For additional information, use the verbose option:
$ dsconf help-properties -v | grep entry-cache-size
SUF entry-cache-size rw MEMORY_SIZE (Ex: 3G,2m,200k,10000b) nsslapd-cachememsize Cache size in term of memory space: (Default: 10M)
Use the following information to interpret the results above:
This property applies to a suffix.
The name of the property
You have read and write access to the property when using get-suffix-prop and set-suffix-prop.
Use memory size values as described in this man page.
The attribute under cn=config to which this property applies.
The default value of this property
Determine the current value of entry-cache-size:
$ dsconf get-suffix-prop -h host -p port dc=example,dc=com entry-cache-size
entry-cache-size : 10M
Change the value of entry-cache-size to 12M:
$ dsconf set-suffix-prop -h host -p port dc=example,dc=com entry-cache-size:12M
Check that the value has been changed:
$ dsconf get-suffix-prop -h host -p port dc=example,dc=com entry-cache-size
entry-cache-size : 12M
$ dsconf export -h host -p port -f not-print-entry-ids -s ou=people,dc=example,dc=com -s ou=contractors,dc=example,dc=com dc=example,dc=com /local/ds/ldif/export.ldif
This example shows a command that:
Uses the flag not-print-entry-ids to request that entry IDs are not exported.
Exports data from two suffixes ou=people,dc=example,dc=com and ou=contractors,dc=example,dc=com into one LDIF file /local/ds/ldif/export.ldif.
If you have a log which is getting very large, you can rotate the log. Rotation backs up the existing log file and creates a fresh log file. In this example, the access log is rotated.
Rotate the access log by using the command:
$ dsconf rotate-log-now -h host -p port access
You can now modify the delay between log rotations for the access log.
Find the property which sets maximum log size:
$ dsconf help-properties -v | grep LOG
The output from the previous command shows that the required property is rotation-interval.
To see the default setting for rotation-interval:
$ dsconf get-log-prop -h host -p port access rotation-interval
The default is one day, shown as 1d.
To increase the rotation delay to two days, use the command:
$ dsconf set-log-prop -h host -p port access rotation-interval:2d
This procedure configures replication on a topology with two servers, both of which are masters. Replication is configured first on one master, then on the second master. Master 1 is located on server1.example:1389. Master 2 is located on server2.example:2389.
On Server 1: Create a suffix.
$ dsconf create-suffix -h server1.example -p 1389 dc=example,dc=com
On Server 1: Populate the suffix with LDIF data.
$ dsconf import -a -h server1.example -p 1389 /opt/SUNWdsee/ds6/ldif/Example.ldif dc=example,dc=com
If the import takes a long time, you can obtain status on the import operation using:
$ dsconf info -h server1.example -p 1389
or
$ dsconf show-task-status -h server1.example -p 1389 -v
Alternatively, you can view the status of the task while it is running by omitting the -a option in the command.
On Server 1: Enable replication on Master 1. This step assigns a replication role and ID to an existing suffix. It also sets the replication manager bind DN to the default replication manager DN.
$ dsconf enable-repl -h server1.example -p 1389 -d 1 master dc=example,dc=com
On Server 2: Create a suffix.
$ dsconf create-suffix -h server2.example -p 2389 dc=example,dc=com
On Server 2: Enable replication on Master 2. This step assigns a replication role and ID to an existing suffix. It also sets the replication manager bind DN to the default replication manager DN.
$ dsconf enable-repl -h server2.example -p 2389 -d 2 master dc=example,dc=com
On Server 1: Create a replication agreement from Master 1 to Master 2.
$ dsconf create-repl-agmt -h server1.example -p 1389 dc=example,dc=com server2.example:2389
On Server 2: Create a replication agreement from Master 2 to Master 1.
$ dsconf create-repl-agmt -h server2.example -p 2389 dc=example,dc=com server1.example:1389
On Server 1: Check that the replication agreement status is OK.
$ dsconf show-repl-agmt-status -h server1.example -p 1389 dc=example,dc=com server2.example:2389
If the status is not OK, then accord the replication agreement.
$ dsconf accord-repl-agmt -h server1.example -p 1389 dc=example,dc=com server2.example:2389
On Server 1: From Master 1, initialize replication on Master 2. This step initializes Master 2 with the data contained in the suffix on Master 1 and starts replication.
$ dsconf init-repl-dest -h server1.example -p 1389 dc=example,dc=com server2.example:2389
The replication agreements in both directions are now active and replication is running.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Evolving
./dsee_deploy install -c component -i install_path [OPTIONS]
install-path/dsee6/bin/dsee_deploy uninstall -c component -i install_path [OPTIONS]
The dsee_deploy command installs Directory Server Enterprise Edition software from zip distributions rather than native packages, and registers server software with the Cacao common agent container to allow remote administration. The dsee_deploy command also removes registration information from the Cacao common agent container, and removes Directory Server Enterprise Edition software installed from the zip distribution.
Software installed from a zip distribution does not require that you have super user or administrator access to the system. The software is self-contained and need not have dependencies outside the install path you choose.
The following subcommands are supported:
Install component software.
Use the command unpacked with the product distribution.
Remove component software.
Use the command placed under install-path/dsee6/bin/ by the install subcommand.
The following options are supported:
Install or remove the specified combination of Directory Server Enterprise Edition component products. The component may be one of the following values. The default value is ALL.
Install or remove Directory Proxy Server and Directory Server software, including server administration, and LDAP client command-line tools, and Directory Server Resource Kit software.
Install or remove Directory Proxy Server software, including command-line administration tools.
Install or remove Directory Proxy Server command-line administration tools.
Install or remove Directory Proxy Server software.
Install or remove Directory Server software, including server administration and LDAP client command-line tools, and Directory Server Resource Kit software.
Install or remove Directory Server command-line administration tools.
Install or remove Directory Server Resource Kit software, including LDAP client command-line tools.
Install or remove Directory Server software.
Install or remove LDAP client command-line tools.
Display the usage message for the command.
Install in non-interactive mode, accepting the license text without confirmation. This mode is useful for silent installation.
Install or remove Directory Server Enterprise Edition software under the specified file system directory.
If the specified file system directory does not exist at installation time, the dsee_deploy command attempts to create it.
Do not use or configure the Cacao common agent container.
If specified, you may use the dsconf(1M) command to manage Directory Server and the dpconf(1M) command to manage Directory Proxy Server, but not Directory Service Control Center.
Never overwrite files during installation.
Configure the Cacao common agent container used for remote management to listen for JMX management communications on the specified port number.
If specified, the port must not be in use.
If no Cacao common agent container port is specified, the default value is 11162.
Display extra messages during software installation and removal.
The following exit values are returned:
Successful completion.
The unzip command could not be found.
The install_path file system directory could not be created.
The install_path is not a file system directory.
Permission was denied to create the install_path file system directory.
A component_product name was not recognized.
The specified cacao_port could not be used.
There was an internal memory error.
The unzip command returned an error.
The server(s) installed could not be registered with the Cacao common agent container.
A required zip file, normally located in the dsee_data/ file system directory next to the dsee_deploy command, could not be found.
The cacaoadm command issued to configure the Cacao common agent container failed.
The number of parameters was invalid.
Make sure you have specified at least all mandatory options.
The dsee_deploy command failed to configure the Cacao common agent container.
The dsee_deploy command failed to start the Cacao common agent container.
The specified subcommand was not valid.
The Cacao common agent container could not be removed.
The specified Cacao common agent container port is already in use.
An invalid option was specified.
An option was incorrectly specified more than once.
Permission to the specified file system directory was denied.
The dsee_deploy command, necessary for uninstallation, could not be copied to under the specified install_path.
A subcommand was missing. The dsee_deploy command requires that you specify a subcommand (install | uninstall).
The -N option is not for use with the uninstall subcommand.
The -O option is not for use with the uninstall subcommand.
The -p option is not for use with the uninstall subcommand.
The Cacao common agent container is already configured. Use the -N option.
The specified component is not installed in the specified location, and therefore cannot be removed.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | Zip distributions only
Stability Level | Evolving
cacaoadm(1M), unzip(1)
install-path/ds6/bin/dsmig subcommand [options] [operands]
The dsmig command is the migration command for a single Directory Server instance. Use the dsmig command with any of the subcommands described in this man page.
dsmig migrates a Directory Server 5.1 instance to a Directory Server 6.2 instance.
dsmig must be run from the local machine on which the new instance will be located. If the new instance exists, migration subcommands are carried out on that instance. If the new instance does not exist, dsmig creates the new instance with the parameters specified in the global options.
The following subcommands are supported.
Displays information on the status of each migration step.
The format of the subcommand is:
dsmig info NEW_INSTANCE_PATH
Migrates the old instance to the new instance in a single step. This subcommand essentially combines the functionality of all the other subcommands.
The format of the subcommand is:
dsmig migrate-all [-R] [-N] [-c] [-j] [-e | -Z] [-D USER_DN] [-w PWD_FILE] [-v] OLD_INSTANCE_PATH NEW_INSTANCE_PATH
Migrates the configuration from the old instance to the new instance.
The format of the subcommand is:
dsmig migrate-config [-R] [-N] [-c] [-j] [-e | -Z] [-D USER_DN] [-w PWD_FILE] [-v] OLD_INSTANCE_PATH NEW_INSTANCE_PATH
Migrates the data from the old instance to the new instance. Migrating the change logs of the old instance is optional. Migration of the NetscapeRoot database must be specified as this database is not migrated by default.
The format of the subcommand is:
dsmig migrate-data [-R] [-N] [-v] OLD_INSTANCE_PATH NEW_INSTANCE_PATH
Migrates the schema from the old instance to the new instance.
The format of the subcommand is:
dsmig migrate-schema [-v] OLD_INSTANCE_PATH NEW_INSTANCE_PATH
Migrates the security files from the old instance to the new instance.
The format of the subcommand is:
dsmig migrate-security [-v] OLD_INSTANCE_PATH NEW_INSTANCE_PATH
The following options are global, and are applicable to all commands and subcommands.
Displays help information for a command or subcommand.
Does not request confirmation before executing the command.
The port used for LDAP traffic. The default LDAP port is 389 or 1389.
The port used for secure LDAP traffic. The default secure LDAP port is 636 or 1636.
The following options are applicable to the subcommands where they are specified.
Specifies that confirmation should not be requested before accepting non-trusted server certificates.
Defines the Directory Manager DN. The default is cn=Directory Manager.
Specifies an unsecured connection over LDAP. If this option is not used, a secure LDAP connection using StartTLS is made by default.
Specifies that confirmation should not be requested before rejecting non-trusted server certificates (for this session only).
Specifies that data for the "o=netscapeRoot" suffix must be migrated. If this option is used with the migrate-config subcommand, it refers to the suffix configuration data. If this option is used with the migrate-data subcommand, it refers to the netscapeRoot database. Using the option with the migrate-all subcommand means that neither the configuration data nor the database is migrated.
Specifies that replication data should be migrated. If this option is used with the migrate-config subcommand, it refers to replication configuration data. If this option is used with the migrate-data subcommand, it refers to replication changelogs. Using the option with the migrate-all subcommand means that both replication configuration data and changelogs are migrated.
Specifies that additional messages are displayed.
The file from which the Directory Manager password should be read. If this option is not specified, the command prompts for the password.
Specifies an SSL connection over LDAP.
The following operands are applicable to the subcommands where they are specified.
Specifies the path to the 5.1 instance.
Specifies the path to the 6.0 instance.
The following examples show how the dsmig command is used.
$ dsmig migrate-schema -p 6389 -P 6636 /local/ds52pX/slapd-old_52_instance /local/new_ds61_instance/
This command migrates the schema from the old Directory Server instance to the new 6.0 instance.
In this example, the LDAP port is specified as 6389, and the secure port is specified as 6636. If you do not specify port numbers, the default port numbers 389 and 636 (for the root user) or 1389 and 1636 (for a non-root user) are used. If you do not specify port numbers and the default port numbers are already in use, the dsmig command aborts.
$ dsmig migrate-config -N /local/ds52pX/slapd-old_52_instance /local/new_ds61_instance/
This command migrates the configuration from the old Directory Server instance to the new instance.
In this example, configuration data for the "o=netscapeRoot" suffix and replication configuration data are migrated.
$ dsmig migrate-data -R -N /local/ds52pX/slapd-old_52_instance /local/new_ds61_instance/
This command migrates the data from the old Directory Server instance to the new instance.
In this example, the replication change logs are not migrated. The NetscapeRoot database is migrated.
$ dsmig migrate-all -R -N /local/ds52pX/slapd-old_52_instance /local/new_ds61_instance/
In this example, replication configuration data is not migrated. Data for the "o=netscapeRoot" suffix is migrated.
$ dsmig info /local/new_ds61_instance/
Old instance path : /local/ds52pX/slapd-old_52_instance
New instance path : /local/new_ds61_instance
Schema Migration : Completed
Security Migration : Not completed
Config Migration : Completed except NetscapeRoot and Replication configuration
Data Migration : Not completed
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Evolving
install-path/ds6/support_tools/bin/dsrepair subcommand [options] arguments
The dsrepair command makes it possible to repair entries that prevent replication from proceeding normally. You must enable the replication repair plug-in to use the dsrepair command.
Use the dsrepair command only under the supervision of qualified support personnel.
The dsrepair command functions only in non-secure mode, with simple authentication.
The dsrepair command is not available on Windows systems, though it can be run against a Directory Server instance on a Windows system.
The following subcommands are supported:
Adds the entry specified in the entry.ldif file to the specified suffix.
If an entry or tombstone entry having the same DN or nsUniqueID already exists, or if the parent entry does not exist, add-entry fails.
Puts the specified suffix in repair mode such that the only modify operations allowed are those performed using the dsrepair command.
Read operations continue normally while the suffix is in repair mode.
Deletes the entry specified in the entry.ldif file from the specified suffix, and any tombstone associated with the entry.
If no entry or tombstone entry having the same DN or nsUniqueID already exists, or the specified entry has child entries, delete-entry fails.
Returns the specified suffix from repair mode to its normal replication mode.
Replaces an entry in the directory with the content specified in the entry.ldif file.
If no entry having the DN or nsUniqueID exists, or if the entries returned for the DN and for the nsUniqueID are different, replace-entry fails.
Replaces the maximum change sequence number (CSN) in a replication update vector (RUV) element with the specified csn string.
The following options are supported:
Use the specified bind DN to authenticate to the directory server.
The default is cn=Directory Manager.
Contact the LDAP server on the specified host, which may be a host name or an IP address.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, pass the -h option with its argument as -h ::ffff:192.168.0.99.
The default is localhost.
Contact the LDAP server on the specified port.
The default is 389.
Use the bind password in the specified file.
If this option is not specified, the dsrepair command prompts for the password.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Evolving
./idsktune [-q] [-D] [-v] [-c] [-i install-path]
The idsktune command checks patch levels and kernel parameter settings for the system on which Directory Server or directory client applications run, making tuning recommendations as it performs the checks. Run the command as super user to obtain the widest range of tuning recommendations.
The idsktune command is delivered next to the dsee_deploy command with zip distribution software only.
The idsktune command suggests changes you make to the system, but does not itself make any changes. You must fix at least all ERROR conditions identified by the idsktune command.
The idsktune command reports as missing all patches recommended at the time of release and not installed on the system, even patches for packages not installed on the system.
The idsktune command supports the following options.
Display tuning recommendations only for directory client applications.
Default is to display recommendations for both directory client applications and for Directory Server.
Run in debug mode, displaying messages that show the commands the idsktune command runs internally, each preceded by DEBUG.
Check the specified installation directory to ensure enough space is available.
Run in quiet mode, reporting only information about key system prerequisites and essential settings.
Display the version information about the build and exit.
The idsktune command verifies and reports on the following settings depending on the underlying system.
Solaris and Red Hat version numbers
Solaris kernel build date
Solaris, and HP-UX patches
Physical memory size
Swap space or swap partition size
Memory resource limits
File descriptor resource limits
Maximum threads per process for HP-UX
Maximum files for HP-UX
Many of the following are system-specific TCP tuning settings.
Listen backlog queue size
tcbhashsize, tcbhashnum and tcp_msl
sominconn and somaxconn
ipport_userreserved_min
tcp_close_wait_interval and tcp_time_wait_interval
tcp_keepalive_interval
tcp_max_listen
tcp_conn_request_max
tcp_conn_req_max_q and tcp_conn_req_max_q0
tcp_rexmit_interval_initial
net.inet.ip.portrange.hifirst and tcp_smallest_anon_port
tcp_slow_start_initial
net.inet.tcp.delayed_ack and tcp_deferred_ack_interval
link_speed on /dev/hme
Tuning system settings, especially network stack settings, involves considering potentially not just directory applications and Directory Server, but also other applications running on the system and in the environment. In general, however, implementing the recommendations optimizes directory performance whether the system is dedicated to Directory Server or shared with other applications.
The idsktune command exits with status 0 if it completes successfully and no ERRORs are found. Otherwise, it exits with non-zero status.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | Zip distribution only
Stability Level | Evolving
install-path/ds6/bin/ns-accountstatus [-D rootDN] {-w password | -w - | -j filename} [-p port] [-h host] -I accountDN
The ns-accountstatus command shows whether the account corresponding to an entry is active. The command can also be used to show whether the accounts corresponding to a role are active.
The following options are supported:
Display the usage message.
Bind using the Directory Manager (directory super user) rootDN.
When this option is not specified, the default bind DN, cn=Directory Manager, is used.
Bind to the specified host on which the Directory Server instance runs.
Default: localhost.
Determine account status for the entry or role having Distinguished Name accountDN.
Read the bind password for simple authentication from filename.
Bind to the specified port on which the Directory Server instance listens.
Default: 389.
Bind with simple authentication, specifying the password interactively.
Bind with simple authentication using the specified password.
The following exit values are returned:
Successful completion.
An error occurred.
On error, verbose error messages are displayed on standard output.
The examples in this section use sample data from the Example-roles.ldif file.
The following command checks the status of Barbara Jensen's entry.
    $ ./ns-accountstatus -D "cn=Directory Manager" -j /tmp/pwd.txt \
    > -I uid=bjensen,ou=people,dc=example,dc=com
    uid=bjensen,ou=people,dc=example,dc=com activated.
The following command checks the status of the Directory Administrators role.
    $ ./ns-accountstatus -D "cn=Directory Manager" -j /tmp/pwd.txt \
    > -I "cn=Directory Administrators,dc=example,dc=com"
    cn=Directory Administrators,dc=example,dc=com activated.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Stable
ns-activate(1M), ns-inactivate(1M)
NAME | Synopsis | Description | Options | Exit Status | Examples | Attributes | See Also
install-path/ds6/bin/ns-activate [-D rootDN] {-w password | -w - | -j filename} [-p port] [-h host] -I accountDN
The ns-activate command activates an account corresponding to an entry. The command can also be used to activate accounts sharing a role.
The following options are supported:
Display the usage message.
-D rootDN: Bind using the Directory Manager (directory super user) rootDN. When this option is not specified, the default bind DN, cn=Directory Manager, is used.
-h host: Bind to the specified host on which the Directory Server instance runs. Default: localhost.
-I accountDN: Activate the account for the entry or accounts corresponding to the role having Distinguished Name accountDN.
-j filename: Read the bind password for simple authentication from filename.
-p port: Bind to the specified port on which the Directory Server instance listens. Default: 389.
-w -: Bind with simple authentication, specifying the password interactively.
-w password: Bind with simple authentication using the specified password.
The following exit values are returned:
Successful completion.
An error occurred.
On error, verbose error messages are displayed on standard output.
The examples in this section use sample data from the Example-roles.ldif file.
The following command activates Barbara Jensen's account.
    $ ./ns-activate -D "cn=Directory Manager" -j /tmp/pwd.txt \
    > -I uid=bjensen,ou=people,dc=example,dc=com
    uid=bjensen,ou=people,dc=example,dc=com activated.
The following command activates the Directory Administrators role.
    $ ./ns-activate -D "cn=Directory Manager" -j /tmp/pwd.txt \
    > -I "cn=Directory Administrators,dc=example,dc=com"
    cn=Directory Administrators,dc=example,dc=com activated.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Stable
ns-accountstatus(1M), ns-inactivate(1M)
NAME | Synopsis | Description | Options | Exit Status | Examples | Attributes | See Also
install-path/ds6/bin/ns-inactivate [-D rootDN] {-w password | -w - | -j filename} [-p port] [-h host] -I accountDN
The ns-inactivate command inactivates an account corresponding to an entry. The command can also be used to inactivate accounts sharing a role.
The following options are supported:
Display the usage message.
-D rootDN: Bind using the Directory Manager (directory super user) rootDN. When this option is not specified, the default bind DN, cn=Directory Manager, is used.
-h host: Bind to the specified host on which the Directory Server instance runs. Default: localhost.
-I accountDN: Inactivate the account for the entry or accounts corresponding to the role having Distinguished Name accountDN.
-j filename: Read the bind password for simple authentication from filename.
-p port: Bind to the specified port on which the Directory Server instance listens. Default: 389.
-w -: Bind with simple authentication, specifying the password interactively.
-w password: Bind with simple authentication using the specified password.
The following exit values are returned:
Successful completion.
An error occurred.
On error, verbose error messages are displayed on standard output.
The examples in this section use sample data from the Example-roles.ldif file.
The following command inactivates Barbara Jensen's account.
    $ ./ns-inactivate -D "cn=Directory Manager" -j /tmp/pwd.txt \
    > -I uid=bjensen,ou=people,dc=example,dc=com
    uid=bjensen,ou=people,dc=example,dc=com inactivated.
The following command inactivates the Directory Administrators role.
    $ ./ns-inactivate -D "cn=Directory Manager" -j /tmp/pwd.txt \
    > -I "cn=Directory Administrators,dc=example,dc=com"
    cn=Directory Administrators,dc=example,dc=com inactivated.
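The three account tools above (ns-accountstatus, ns-activate, ns-inactivate) share the same bind options, and in practice an administrator runs ns-accountstatus over many entries rather than one. The following is an added example, not code from the DSEE man pages or product: a small audit wrapper that queries each DN with ns-accountstatus, classifies the "activated." / "inactivated." output lines shown in the examples, and refuses to use a -j password file that other users can read (the reason for preferring -j over -w password is that -w puts the secret in the process list, which is only an improvement if the file itself is protected). The install path in DS_BIN and the sample output lines are assumptions and constructed data; the `runner` parameter exists so the classification can be exercised without a live server.

```python
"""Added example (not from the DSEE man pages): bulk account-status audit
built on ns-accountstatus. DS_BIN, the password-file path and the sample
output lines below are assumptions / constructed data, not from the page."""
import os
import stat
import subprocess
import tempfile
from typing import Callable, Dict, Iterable, List

# Assumed install location; the man page writes it as install-path/ds6/bin.
DS_BIN = os.environ.get("DS_BIN", "/opt/SUNWdsee/ds6/bin")


def classify_status(output_line: str) -> str:
    """Map one ns-accountstatus output line to ACTIVE / INACTIVE / UNKNOWN.

    The man page shows output of the form "<dn> activated." or
    "<dn> inactivated."; the longer suffix is tested first so that
    "inactivated." is never misread as "activated."."""
    line = output_line.strip()
    if line.endswith(" inactivated."):
        return "INACTIVE"
    if line.endswith(" activated."):
        return "ACTIVE"
    return "UNKNOWN"          # bind failure, usage error, unexpected text


def make_pwd_file(password: str, directory: str = None) -> str:
    """Create a bind-password file for -j that is mode 0600 from the start
    (mkstemp creates it with that mode; chmod guards against odd umasks)."""
    fd, path = tempfile.mkstemp(prefix="dsee-pwd-", dir=directory)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    os.chmod(path, 0o600)
    return path


def check_pwd_file(path: str) -> bool:
    """True only if the -j file exists, is a regular file, and grants no
    permission at all to group or others."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    if not stat.S_ISREG(mode):
        return False
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def run_accountstatus(dn: str, bind_dn: str, pwd_file: str,
                      host: str = "localhost", port: int = 389) -> str:
    """Invoke ns-accountstatus for one DN and return its last output line."""
    cmd = [os.path.join(DS_BIN, "ns-accountstatus"),
           "-D", bind_dn, "-j", pwd_file,
           "-h", host, "-p", str(port), "-I", dn]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    lines = (proc.stdout + proc.stderr).strip().splitlines()
    return lines[-1] if lines else ""


def audit_accounts(dns: Iterable[str], bind_dn: str = "cn=Directory Manager",
                   pwd_file: str = "/tmp/pwd.txt",
                   runner: Callable[[str, str, str], str] = run_accountstatus
                   ) -> Dict[str, str]:
    """Query every DN and return {dn: status}. The permission check only
    applies when the real command is used; a stubbed runner never sees
    the password file."""
    if runner is run_accountstatus and not check_pwd_file(pwd_file):
        raise PermissionError(
            f"refusing to use group/world-readable password file {pwd_file}")
    return {dn: classify_status(runner(dn, bind_dn, pwd_file)) for dn in dns}


def inactive_dns(results: Dict[str, str]) -> List[str]:
    """DNs whose status is not ACTIVE, in input order; a non-empty list is
    what a scheduled job would alert on."""
    return [dn for dn, status in results.items() if status != "ACTIVE"]


if __name__ == "__main__":
    # Constructed sample run against a stub, so this executes offline.
    stub = lambda dn, b, f: dn + (" activated." if "bjensen" in dn else " inactivated.")
    res = audit_accounts(["uid=bjensen,ou=people,dc=example,dc=com",
                          "cn=Directory Administrators,dc=example,dc=com"],
                         runner=stub)
    for dn, status in res.items():
        print(f"{status}\t{dn}")
```

Point a real run at the server with `DS_BIN` set to install-path/ds6/bin and a file produced by make_pwd_file; the exit of the audit job can then be driven by whether inactive_dns returns anything.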
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Stable
ns-accountstatus(1M), ns-activate(1M)
NAME | Synopsis | Description | SUBCOMMANDS | GLOBAL OPTIONS | SUBCOMMAND OPTIONS | Operands | Extended Description | Exit Status | Attributes
install-path/ds6/support_tools/bin/replcheck subcommand options
The replcheck command allows you to diagnose and repair a replication halt. Use the replcheck command with one of the subcommands described in this man page.
The following subcommands are supported:
Diagnoses the cause of the replication breakage and summarizes the proposed repair actions.
Fixes the replication breakage.
The following options are global, and are applicable to all commands and subcommands.
Displays help information for a command or subcommand.
Displays the current version of replcheck. The version is provided in the format year.day.time. So version number 2006.178.0035 was built on the 178th day of 2006 at 00h35. If the components used by replcheck are not aligned, the version of each individual component is displayed.
The following options are applicable to the subcommands where they are specified.
Use the specified bind DN to authenticate to the directory server.
The default is cn=Directory Manager.
Creates a replcheck.log log file in this directory.
If this option is not specified, the replcheck.log log file will be created in the home directory.
Displays additional information.
Use the bind password in the specified password-file.
If this option is not specified, the replcheck command prompts for the password.
The following operands are supported:
Specifies the path to the file that describes the replication topology.
This file contains one record for each line in the following format: hostname:port:suffix_dn[:label]. The optional label field provides a name that appears in any messages that are displayed or logged. If you do not specify a label, the hostname:port are used instead.
For example, the following topology file describes a replication topology consisting of two hosts:
    host1:389:dc=example,dc=com:Paris
    host2:489:dc=example,dc=com:New York
The replcheck command must access the servers in the topology using their non-secure ports. The topology file can not specify an SSL port.
The replcheck command diagnoses and repairs a replication halt. The replcheck diagnose subcommand compares the RUVs for each of the servers in your replication topology to determine if the masters are synchronized. If the search results show that all of the consumer replica in-memory RUVs are evolving on time or not evolving but equal to those on the supplier replicas, the tool will conclude that a replication halt is not occurring.
However, if the command determines that the consumer RUVs do not change at all over time, then the replcheck diagnose subcommand displays the repair operation it would do and exits without making the repair. Then, you can launch the replcheck fix subcommand to repair the replication halt. For example, the command determines that replication is blocked on the entry associated with CSN 24 if a supplier has a CSN of 40, while the consumer has a CSN of 23 that does not evolve at all over time.
The replcheck command can repair two types of replication halt:
The entry at which replication is halted, CSN 24 in the previous example, exists on the supplier but not on the consumer. The replcheck command takes the entry from an instance that is more up to date than the consumer and pushes it to the consumer.
The entry at which replication is halted, CSN 24, is unknown to supplier A. This can occur if a server is reinitialized or a replication agreement is deleted, so that a consumer becomes out of date and replication breaks. The replcheck command looks at the other servers in the topology to see whether any of them recognizes the CSN. If it finds the CSN on another supplier, such as supplier B, it creates a replication agreement with supplier B and lets replication send the entry, CSN 24, to the consumer.
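To make the topology-file format and the diagnose logic above concrete, here is an added example that is not replcheck's own code: a parser for the hostname:port:suffix_dn[:label] records, a model of the diagnose rule (a consumer whose CSN never changes while the supplier is ahead is blocked on the next CSN; the text's figures of 40, 23 and 24 are reused), and the choice between the two repair paths. The model simplifies "a server knows a CSN" to "its highest CSN is at least that value", and the host names and RUV samples are constructed.

```python
"""Added example (not replcheck's own code): topology-file parser and a
model of the diagnose / repair decision described in the man page.
Host names, labels and CSN samples are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass(frozen=True)
class Replica:
    host: str
    port: int
    suffix: str
    label: str


# Constructed topology: the two hosts from the man page plus one without a label.
SAMPLE_TOPOLOGY = """\
host1:389:dc=example,dc=com:Paris
host2:489:dc=example,dc=com:New York
host3:389:dc=example,dc=com
"""


def parse_topology(text: str) -> List[Replica]:
    """Parse one hostname:port:suffix_dn[:label] record per line.

    Suffix DNs contain commas but no colons, so splitting on ':' at most
    three times is safe and leaves a label such as "New York" intact. A
    missing label defaults to hostname:port, as the man page states."""
    replicas: List[Replica] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":", 3)
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected host:port:suffix_dn[:label]")
        host, port, suffix = parts[0], parts[1], parts[2]
        if not port.isdigit():
            raise ValueError(f"line {lineno}: port must be numeric, got {port!r}")
        label = parts[3] if len(parts) == 4 and parts[3] else f"{host}:{port}"
        replicas.append(Replica(host, int(port), suffix, label))
    return replicas


def diagnose(supplier_csns: Sequence[int],
             consumer_csns: Sequence[int]) -> Optional[int]:
    """Given CSN samples taken over time (latest CSN each server has applied),
    return the CSN replication is blocked on, or None when the consumer is
    evolving or is not evolving but already equal to the supplier."""
    if len(consumer_csns) < 2:
        raise ValueError("need at least two samples to tell stuck from slow")
    if len(set(consumer_csns)) > 1:
        return None                      # consumer RUV is evolving on time
    latest_consumer = consumer_csns[-1]
    if latest_consumer >= max(supplier_csns):
        return None                      # not evolving, but caught up
    return latest_consumer + 1           # e.g. supplier 40, consumer 23 -> 24


def plan_repair(blocked_csn: int, supplier: str,
                known_csns: Dict[str, int]) -> str:
    """Pick the repair path. known_csns maps a server label to the highest
    CSN it knows; that server can supply any CSN up to that value."""
    if known_csns.get(supplier, -1) >= blocked_csn:
        return f"push entry for CSN {blocked_csn} from {supplier} to the consumer"
    for other, top in known_csns.items():
        if other != supplier and top >= blocked_csn:
            return (f"create replication agreement with {other} "
                    f"so it sends CSN {blocked_csn}")
    return f"CSN {blocked_csn} unknown to every server in the topology"


if __name__ == "__main__":
    for r in parse_topology(SAMPLE_TOPOLOGY):
        print(r)
    blocked = diagnose([40, 40, 41], [23, 23, 23])
    print("blocked on CSN", blocked)
    print(plan_repair(blocked, "Paris", {"Paris": 20, "New York": 41}))
```

The sampling requirement in diagnose matters: a single snapshot cannot distinguish a halted consumer from a slow one, which is why the text describes the consumer RUV as "not evolving at all over time".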
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Evolving
NAME | Synopsis | Description | Attributes | See Also
install-path/ds6/bin/schema_push instance-path
When schema modifications are made manually by editing the .ldif files, such as 99user.ldif, directly, run the schema_push command to update the modification time used by replication. This ensures that the modified schema is replicated to the consumers.
The instance-path argument is the path to the instance where you updated schema files, such as /local/ds.
When using the command on Windows systems, you may need to include Perl in your PATH, as shown in the following example.
    C:\ds6\bin>set PATH=%PATH%;C:\dsee6\perl5\bin
    C:\ds6\bin>perl schema_push C:\servers\ds\
Once the script has been run, you must restart the server to trigger the schema replication.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory
Stability Level | Stable