retro-cl-enabled(5dsconf)
NAME | Description | Description | Attributes | See Also
NAME
- server, check-schema-enabled, check-syntax-enabled, config-magic-number, db-batched-transaction-count, db-cache-size, db-checkpoint-interval, db-env-path, db-lock-count, db-log-buf-size, db-log-path, def-repl-manager-pwd, def-repl-manager-pwd-file, dn-cache-count, dn-cache-size, dsml-answer-size, dsml-buffer-size, dsml-client-auth-mode, dsml-enabled, dsml-max-parser-count, dsml-min-parser-count, dsml-port, dsml-relative-root-url, dsml-request-max-size, dsml-secure-port, file-descriptor-count, heap-high-threshold-size, heap-low-threshold-size, host-access-dir-path, idle-timeout, import-cache-size, instance-path, ldap-port, ldap-secure-port, listen-address, look-through-limit, max-psearch-count, max-thread-count, max-thread-per-connection-count, mod-tracking-enabled, pwd-accept-hashed-pwd-enabled, pwd-check-enabled, pwd-compat-mode, pwd-expire-no-warning-enabled, pwd-expire-warning-delay, pwd-failure-count-interval, pwd-grace-login-limit, pwd-keep-last-auth-time-enabled, pwd-lockout-duration, pwd-lockout-enabled, pwd-lockout-repl-priority-enabled, pwd-max-age, pwd-max-failure-count, pwd-max-history-count, pwd-min-age, pwd-min-length, pwd-mod-gen-length, pwd-must-change-enabled, pwd-root-dn-bypass-enabled, pwd-safe-modify-enabled, pwd-storage-scheme, pwd-strong-check-dictionary-path, pwd-strong-check-enabled, pwd-strong-check-require-charset, pwd-supported-storage-scheme, pwd-user-change-enabled, read-write-mode, ref-integrity-attr, ref-integrity-check-delay, ref-integrity-enabled, repl-user-schema-enabled, require-bind-pwd-enabled, retro-cl-deleted-entry-attr, retro-cl-enabled, retro-cl-ignored-attr, retro-cl-max-age, retro-cl-max-entry-count, retro-cl-path, retro-cl-suffix-dn, root-dn, root-pwd, root-pwd-file, root-pwd-storage-scheme, search-size-limit, search-time-limit, secure-listen-address, ssl-cipher-family, ssl-client-auth-mode, ssl-enabled, ssl-rsa-cert-name, ssl-rsa-security-device, ssl-supported-ciphers, thread-count – DS server instance configuration
(SER) properties
Description
The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.
PROPERTY: check-schema-enabled
|
Syntax |
on | off |
|
Default Value |
on |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server checks that entries being updated still conform to the server schema.
PROPERTY: check-syntax-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server checks that attribute values being updated have valid syntax. The server logs an error message when encountering an invalid value and prevents the update. When this property is set to on, the server checks updates to attribute values defined as Boolean, DN, Directory String, Generalized Time, IA5 String, INTEGER, or Telephone Number syntax. This behavior holds both for offline import and for normal write operations.
By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.
Syntax is not checked on existing entries in the database. To clean up existing data, dump the database to LDIF, turn syntax checking on, and reload the database. Data that violates the syntax is visible in the errors log, and can be corrected and reloaded. You can also repair existing bad data by deleting or replacing the bad value using an LDAP client. If syntax checking is on, when a database is reloaded from LDIF, invalid syntax values are skipped and recorded in the errors log. Valid syntax values are reloaded.
PROPERTY: config-magic-number
|
Syntax |
STRING |
|
Default Value |
D-A00 |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
No |
This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.
PROPERTY: db-batched-transaction-count
|
Syntax |
INTEGER |
|
Default Value |
0 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies how many server transactions are gathered into a batch before being written to the transaction log. If writes to the transaction log are a bottleneck, you may potentially improve performance by increasing this value. Valid range is 0-30, 0 meaning that batching is turned off.
PROPERTY: db-cache-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
32M |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the amount of physical memory Directory Server requests from the operating system to cache indexes for all suffixes supported by the server instance. See Directory Server Data Caching in Directory Server Enterprise Edition Reference for suggestions on sizing cache.
PROPERTY: db-checkpoint-interval
|
Syntax |
DURATION |
|
Default Value |
60s |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the interval between checkpoints recorded in the database transaction log.
PROPERTY: db-env-path
|
Syntax |
PATH |
|
Default Value |
instance-path/db |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies a valid directory, unique to the server instance, on a tmpfs file system used to limit the time spent flushing pages for a server instance handling a high write load. There must be enough space available on the tmpfs file system to house at least the actual size of the database cache.
When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.
PROPERTY: db-lock-count
libdb: Lock table is out of available locks
PROPERTY: db-log-buf-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
512k |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.
After changing this property, you must restart the server in order to take the change into account.
PROPERTY: db-log-path
|
Syntax |
PATH |
|
Default Value |
instance-path/db |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the file system directory containing the database transaction log.
When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.
PROPERTY: def-repl-manager-pwd
|
Syntax |
STRING |
|
Default Value |
See the description that follows. |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
No |
This property lets you read the password used for replication binds performed using simple authentication. Either you specify the password before setting up replication by setting def-repl-manager-pwd-file to specify the file containing the password you want to use, or you accept the password value generated by the dsconf accord-replication subcommand.
PROPERTY: def-repl-manager-pwd-file
|
Syntax |
PATH | "" |
|
Default Value |
"" |
|
Is readable |
No |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the file from which the default replication password is read and stored for future use when setting up replication.
PROPERTY: dn-cache-count
-
unlimited — cache is limited to the cache size specified for dn-cache-size.
-
disabled — caching is disabled and dn-cache-size is ignored.
-
INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.
|
Syntax |
INTEGER | unlimited | disabled |
|
Default Value |
unlimited |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the size of the DN cache in terms of number of entries. The value of dn-cache-count is unlimited by default. The value of dn-cache-count can be an integer, unlimited, and disabled and each of these has the following effect on dn-cache-size.
Changing this property requires you to restart the server.
PROPERTY: dn-cache-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
10M |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the size of the DN cache in terms of memory space. This property is set by default. The cache size must be larger than 1M. The DN cache size specified for this property is taken into account only when dn-cache-count is set to unlimited.
Changing this property requires you to restart the server.
PROPERTY: dsml-answer-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
64k |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.
PROPERTY: dsml-buffer-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
8k |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.
PROPERTY: dsml-client-auth-mode
- clientCertOnly
-
Use credentials from the client certificate to identify the client.
- httpBasicOnly
-
Use credentials from the HTTP authorization header to identify the client.
- clientCertFirst
-
Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.
|
Syntax |
clientCertOnly | httpBasicOnly | clientCertFirst |
|
Default Value |
httpBasicOnly |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies how the server identifies a client application. The following settings are supported.
PROPERTY: dsml-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server accepts DSML requests.
PROPERTY: dsml-max-parser-count
|
Syntax |
INTEGER |
|
Default Value |
5 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of DSML parsers allocated to handle client requests. Increase the value of this property if the server must handle sustained, high numbers of DSML client requests.
PROPERTY: dsml-min-parser-count
|
Syntax |
INTEGER |
|
Default Value |
10 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the minimum number of DSML parsers allocated to handle client requests. Increase the value of this property if the server must handle sustained, high numbers of DSML client requests.
PROPERTY: dsml-port
|
Syntax |
INTEGER | disabled |
|
Default Value |
disabled |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.
PROPERTY: dsml-relative-root-url
|
Syntax |
STRING |
|
Default Value |
/dsml |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the root URL HTTP clients should specify in their POST requests.
PROPERTY: dsml-request-max-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
32k |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum size for DSML client requests.
PROPERTY: dsml-secure-port
|
Syntax |
INTEGER | disabled |
|
Default Value |
disabled |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.
PROPERTY: file-descriptor-count
|
Syntax |
INTEGER |
|
Default Value |
1024 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of file descriptors the server instance attempts to use to handle client requests. Increase this value if you observe the following message in the errors log:
Not listening for new connections -- too many fds open
PROPERTY: heap-high-threshold-size
-
When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.
-
When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.
-
If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.
-
If heap-high-threshold-size is set, its value must be at least one gigabyte.
-
If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
-
If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
-
If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.
|
Syntax |
MEMORY_SIZE | undefined |
|
Default Value |
undefined |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies a threshold value for the dynamic memory footprint. When the threshold memory is reached, Directory Server attempts to free memory from the entry caches, and to limit memory use.
heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.
The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.
PROPERTY: heap-low-threshold-size
|
Syntax |
MEMORY_SIZE | undefined |
|
Default Value |
undefined |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
See the description for heap-high-threshold-size.
PROPERTY: host-access-dir-path
|
Syntax |
PATH | "" |
|
Default Value |
"" |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the local directory path on the server host where hosts.allow and hosts.deny files are located. If this property is not set, or if the files are not found, Directory Server does not enable the additional connection-based access controls provided by these files.
PROPERTY: idle-timeout
|
Syntax |
INTEGER | none |
|
Default Value |
none |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.
PROPERTY: import-cache-size
|
Syntax |
MEMORY_SIZE |
|
Default Value |
64M |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the amount of physical memory Directory Server requests from the operating system to cache data used when initializing a suffix from LDIF. See Directory Server Data Caching in Directory Server Enterprise Edition Reference for suggestions on sizing cache.
PROPERTY: instance-path
|
Syntax |
PATH |
|
Default Value |
Path set at server creation |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
No |
This property specifies the file system directory under which the server instance was created using the dsadm create command.
PROPERTY: ldap-port
|
Syntax |
INTEGER | disabled |
|
Default Value |
389 | 1389 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the port on which the server listens for LDAP client requests. The default port is 389 when the instance is created by the system super user, 1389 otherwise. Changing this property requires that you restart the server.
If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.
PROPERTY: ldap-secure-port
|
Syntax |
INTEGER | disabled |
|
Default Value |
636 | 1636 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the port on which the server listens for LDAPS client requests using TLS or SSL. The default port is 636 when the instance is created by the system super user, 1636 otherwise. Changing this property requires that you restart the server.
If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.
PROPERTY: listen-address
|
Syntax |
STRING |
|
Default Value |
0.0.0.0 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
Yes |
This property specifies the IP address at which the server listens for LDAP client requests using the regular LDAP port. You can specify more than one listen address for the same port number. The default listen address is 0.0.0.0. Changing this property requires that you restart the server.
PROPERTY: look-through-limit
|
Syntax |
INTEGER | unlimited |
|
Default Value |
5000 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.
PROPERTY: max-psearch-count
|
Syntax |
INTEGER |
|
Default Value |
30 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.
PROPERTY: max-thread-count
|
Syntax |
INTEGER |
|
Default Value |
30 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the number of threads created at startup to process operations. When tuning server performance, try setting this to twice the number of processors or 20 plus the number of simultaneous updates expected. You can read the number of active threads in the value of threads on cn=monitor.
PROPERTY: max-thread-per-connection-count
|
Syntax |
INTEGER |
|
Default Value |
5 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of concurrent threads used to process operations on a single connection.
PROPERTY: mod-tracking-enabled
|
Syntax |
on | off |
|
Default Value |
on |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server maintains modification timestamps for updated entries.
PROPERTY: pwd-accept-hashed-pwd-enabled
|
Syntax |
on | off |
|
Default Value |
N/A |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server accepts modifications with hashed password values without checking their content. This property takes effect only when pwd-check-enabled is on.
PROPERTY: pwd-check-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server checks the quality of password values when they are modified.
PROPERTY: pwd-compat-mode
|
Syntax |
DS5-compatible-mode | DS6-migration-mode | DS6-mode |
|
Default Value |
DS5-compatible-mode |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
No |
This property specifies the password policy compatibility mode for the server. Change it using dsconf pwd-compat. See Sun Java System Directory Server Enterprise Edition 6.2 Administration Guide for details on password policy.
PROPERTY: pwd-expire-no-warning-enabled
|
Syntax |
on | off |
|
Default Value |
on |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether a password can expire without prior warning to a client application.
PROPERTY: pwd-expire-warning-delay
|
Syntax |
DURATION | disabled |
|
Default Value |
1d |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the duration preceding password expiration during which the server returns warnings about the password expiring to client applications binding using the password.
PROPERTY: pwd-failure-count-interval
|
Syntax |
DURATION | disabled |
|
Default Value |
10m |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the age beyond which password failures are purged from the failure count.
PROPERTY: pwd-grace-login-limit
|
Syntax |
INTEGER | disabled |
|
Default Value |
disabled |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the number of times an expired password can be used to authenticate.
PROPERTY: pwd-keep-last-auth-time-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether to record authentication times in the pwdLastAuthTime operational attribute on user entries.
PROPERTY: pwd-lockout-duration
|
Syntax |
DURATION | disabled |
|
Default Value |
1h |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the how long before the server unlocks an account that is locked.
PROPERTY: pwd-lockout-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server locks accounts after a specified number, pwd-max-failure-count, of consecutive failed attempts to bind.
PROPERTY: pwd-lockout-repl-priority-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether password lockout attributes are replicated with high priority.
PROPERTY: pwd-max-age
|
Syntax |
DURATION | disabled |
|
Default Value |
disabled |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the age beyond which a password expires.
PROPERTY: pwd-max-failure-count
|
Syntax |
INTEGER | disabled |
|
Default Value |
3 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the number of consecutive failed bind attempts after which the password may not be used to authenticate to the server.
PROPERTY: pwd-max-history-count
|
Syntax |
INTEGER | disabled |
|
Default Value |
disabled |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the number of password values stored in the password history of the entry. These values cannot be used again until they are no longer present in the history.
PROPERTY: pwd-min-age
|
Syntax |
DURATION | disabled |
|
Default Value |
disabled |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the minimum duration between password modifications.
PROPERTY: pwd-min-length
|
Syntax |
INTEGER | disabled |
|
Default Value |
6 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the minimum number of characters allowed in a password value when quality checking has been enabled.
PROPERTY: pwd-mod-gen-length
|
Syntax |
INTEGER | disabled |
|
Default Value |
6 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the length of the password generated by Directory Server when a password is reset using the LDAP Password Modify Extended Operation defined in RFC 3062 and no new password value is specified.
Although the syntax for this property is integer, its value must be between 6 and 512, inclusive.
PROPERTY: pwd-must-change-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the password must be changed after the initial client bind after the password has been set or reset by another user.
PROPERTY: pwd-root-dn-bypass-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the directory super user is allowed to update passwords with values that violate password policy.
PROPERTY: pwd-safe-modify-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the current password must be provided with the request to modify the password.
PROPERTY: pwd-storage-scheme
|
Syntax |
STRING |
|
Default Value |
SSHA |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the algorithm used to encode password values.
PROPERTY: pwd-strong-check-dictionary-path
|
Syntax |
PATH | none |
|
Default Value |
install-path/ds6/plugins/words-english-big.txt |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the path to the dictionary file used for strong password checks.
PROPERTY: pwd-strong-check-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server checks new password values to ensure they match with pwd-strong-check-require-charset settings, and do not match records in the dictionary file.
PROPERTY: pwd-strong-check-require-charset
- lower
-
The new password must include a lower case character.
- upper
-
The new password must include an upper case character.
- digit
-
The new password must include a digit.
- special
-
The new password must include a special character.
- any-two
-
The new password must include at least one character from each of at least two of the abovementioned character sets.
- any-three
-
The new password must include at least one character from each of at least three of the abovementioned character sets.
|
Syntax |
lower | upper | digit | special | any-two | any-three |
|
Default Value |
lower && upper && digit && special |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
Yes |
This property specifies the sets of characters that must be present in a password value modification.
PROPERTY: pwd-supported-storage-scheme
|
Syntax |
STRING |
|
Default Value |
See the following description. |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
Yes |
This property specifies the set of encryption storage schemes supported for Directory Server user passwords. Supported storage schemes include CRYPT, SHA, SSHA, NS-MTA-MD5, and CLEAR.
PROPERTY: pwd-user-change-enabled
|
Syntax |
on | off |
|
Default Value |
on |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether users may change their own passwords.
PROPERTY: read-write-mode
|
Syntax |
read-only | read-write | frozen |
|
Default Value |
read-write |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the suffixes and configuration data on the server can be modified. Use frozen when quiescing a server for online file system backup.
PROPERTY: ref-integrity-attr
|
Syntax |
ATTR_NAME | "" |
|
Default Value |
"" |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies attributes for which referential integrity must be checked on update.
PROPERTY: ref-integrity-check-delay
|
Syntax |
DURATION | undefined |
|
Default Value |
undefined |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the delay between referential integrity checks. The default is no delay.
PROPERTY: ref-integrity-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether referential integrity checks are performed by the server.
PROPERTY: repl-user-schema-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether only schema elements with X-ORIGIN of user-defined are replicated. This can be useful when replicating between server versions with schema that are not fully compatible.
PROPERTY: require-bind-pwd-enabled
|
Syntax |
on | off |
|
Default Value |
on |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server rejects simple authentication attempts to bind that do not include a password.
PROPERTY: retro-cl-deleted-entry-attr
|
Syntax |
ATTR_NAME | "" |
|
Default Value |
"" |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
Yes |
This property specifies the attributes to record in the retro change log when an entry is deleted.
PROPERTY: retro-cl-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server maintains a retro changelog of all changes occurring on the server instance.
PROPERTY: retro-cl-ignored-attr
|
Syntax |
ATTR_NAME | "" |
|
Default Value |
"" |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the list of attributes not to record in the retro changelog when updates occur.
PROPERTY: retro-cl-max-age
|
Syntax |
DURATION | undefined |
|
Default Value |
undefined |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum age of records in the retro changelog. Older records are purged.
PROPERTY: retro-cl-max-entry-count
|
Syntax |
INTEGER |
|
Default Value |
0 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of records in the retro changelog. Older records are purged. The value 0 corresponds to an unlimited number.
PROPERTY: retro-cl-path
|
Syntax |
PATH |
|
Default Value |
instance-path/db/changelog |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the file system directory in which the changelog is created.
PROPERTY: retro-cl-suffix-dn
|
Syntax |
DN | undefined |
|
Default Value |
undefined |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
Yes |
This property specifies the suffixes for which retro changelog records are maintained.
PROPERTY: root-dn
|
Syntax |
DN |
|
Default Value |
cn=Directory Manager |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the Distinguished Name of the Directory Manager user, a user not subject to access controls.
PROPERTY: root-pwd
|
Syntax |
STRING |
|
Default Value |
None |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
No |
This property specifies the password for the Directory Manager user. It is show hashed according to the password storage scheme used.
PROPERTY: root-pwd-file
|
Syntax |
PATH | "" |
|
Default Value |
"" |
|
Is readable |
No |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the file containing the password for the Directory Manager user. The file is read once, and the password is stored for future use.
PROPERTY: root-pwd-storage-scheme
|
Syntax |
STRING |
|
Default Value |
SSHA |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the algorithm used to encrypt the password for the Directory Manager user. It must be one of the schemes specified by the pwd-supported-storage-scheme property.
PROPERTY: search-size-limit
|
Syntax |
INTEGER | unlimited |
|
Default Value |
2000 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of entries the server returns for a search operation.
PROPERTY: search-time-limit
|
Syntax |
INTEGER | unlimited |
|
Default Value |
3600 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the maximum number of seconds allocated by the server to respond to a search request.
PROPERTY: secure-listen-address
|
Syntax |
STRING |
|
Default Value |
0.0.0.0 |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
Yes |
This property specifies the IP address at which the server listens for LDAP client requests using the secure LDAP port. You can specify more than one secure listen address for the same port number. The default secure listen address is 0.0.0.0. Changing this property requires that you restart the server.
PROPERTY: ssl-cipher-family
|
Syntax |
STRING | all |
|
Default Value |
all |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
Yes |
This property specifies the SSL ciphers the server can use for SSL communications. The default value, all, does not mean all the supported SSL ciphers, as supported ciphers with NULL key length are removed from the list.
PROPERTY: ssl-client-auth-mode
|
Syntax |
allowed | required | disabled |
|
Default Value |
allowed |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server allows, requires, or does not allow SSL client authentication, in which the client application authenticates sending its SSL certificate to the server.
PROPERTY: ssl-enabled
|
Syntax |
on | off |
|
Default Value |
off |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies whether the server accepts SSL connnections.
PROPERTY: ssl-rsa-cert-name
|
Syntax |
STRING |
|
Default Value |
defaultCert |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the name of the SSL certificate for the server.
PROPERTY: ssl-rsa-security-device
|
Syntax |
STRING |
|
Default Value |
internal (software) |
|
Is readable |
Yes |
|
Is modifiable |
Yes |
|
Is multi-valued |
No |
This property specifies the name of the security device used by the server.
PROPERTY: ssl-supported-ciphers
|
Syntax |
STRING |
|
Default Value |
Depends on underlying SSL library |
|
Is readable |
Yes |
|
Is modifiable |
No |
|
Is multi-valued |
No |
This property specifies the full list of SSL ciphers the server can support.
Description
- ATTR_NAME
-
A valid attribute type name such as cn or objectClass.
- BOOLEAN
-
true or false.
- DN
-
A valid distinguished name such as ou=People,dc=example,dc=com.
- DURATION
-
A duration specified in months (M), weeks (w), days (d), hours (h), minutes (m), seconds (s), and miliseconds (ms), or some combination with multiple specifiers. For example, you can specify one week as 1w, 7d, 168h, 10080m, or 604800s. You can also specify one week as 1w0d0h0m0s.
DURATION properties typically do not each support all duration specifiers (Mwdhms). Examine the output of dsconf help-properties for the property to determine which duration specifiers are supported.
- EMAIL_ADDRESS
-
A valid e-mail address.
- HOST_NAME
-
An IP address or host name.
- INTEGER
-
A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.
- INTERVAL
-
An interval value of the form hhmm-hhmm 0123456, where the first element specifies the starting hour, the next element the finishing hour in 24-hour time format, from 0000-2359, and the second specifies days, starting with Sunday (0) to Saturday (6).
- IP_RANGE
-
An IP address or range of address in one of the following formats:
-
IP address in dotted decimal form.
-
IP address and bits, in the form of network number/mask bits.
-
IP address and quad, in the form of a pair of dotted decimal quads.
-
All address. A catch-all for clients that are note placed into other, higher priority groups.
-
0.0.0.0. This address is for groups to which initial membership is not considered. For example, for groups that clients switch to after their initial bind.
-
IP address of the local host.
-
- LDAP_URL
-
A valid LDAP URL as specified by RFC 2255.
- MEMORY_SIZE
-
A memory size specified in gigabytes (G), megabytes (M),kilobytes (k), or bytes (b). Unlike DURATION properties, MEMORY_SIZE properties cannot combine multiple specifiers. However, MEMORY_SIZE properties allow decimal values, for example, 1.5M.
- NAME
-
A valid cn (common name).
- OCTAL_MODE
-
A three-digit, octal file permissions specifier. The first digit specifies permissions for the server user ID, the second for the server group ID, the last for other users. Each digit consists of a bitmask defining read (4), write (2), execute (1), or no access (0) permissions, thus 640 specifies read-write access for the server user, read-only access for other users of the server group, and no access for other users.
- PASSWORD_FILE
-
The full path to the file from which the bind password should be read.
- PATH
-
A valid, absolute file system path.
- STRING
-
A DirectoryString value, as specified by RFC 2252.
- SUPPORTED_SSL_CIPHER
-
An SSL cipher supported by the server. See the Reference for a list of supported ciphers.
- SUPPORTED_SSL_PROTOCOL
-
An SSL protocol supported by the server. See the Reference for a list of supported protocols.
- TIME
-
A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.
Syntax values shown in lower case or partly in lower case are literal values.
Those shown in upper case are syntax types, defined as follows:
Attributes
See attributes(5) for descriptions of the following attributes:
|
ATTRIBUTE TYPE |
ATTRIBUTE VALUE |
|---|---|
|
Availability |
SUNWldap-directory-client |
|
Stability Level |
Evolving |
See Also
dsconf(1M), all-ids-threshold(5dsconf), db-path(5dsconf), moddn-enabled(5dsconf), referral-url(5dsconf)
NAME | Description | Description | Attributes | See Also
- © 2010, Oracle Corporation and/or its affiliates