NAME | Synopsis | Description | SUBCOMMANDS | GLOBAL OPTIONS | SUBCOMMAND OPTIONS | Operands | Description | EXIT STATUS | Examples | Attributes | See Also
install-path/ds6/bin/dsconf subcommand options
The dsconf command manages Directory Server configuration. It enables you to modify the configuration entries in cn=config.
The server must be running in order for you to run dsconf.
The following subcommands are supported:
Ensures the authentication properties of the destination suffix are in accord with those of the replication agreement.
Backs up Directory Server data (configuration data excluded).
Changes the remote replica pointed to by an existing replication agreement. The suffix DN and configuration of the existing agreement remain the same.
Declares that the values for an attribute are encrypted.
Declares that an attribute is indexed. The default index types for the attribute are equality and presence.
Declares a new client plugin. The plugin state is disabled.
Creates a replication agreement for existing suffix.
Creates a prioritized replication rule on a master.
Creates a suffix.
Declares that the values for an attribute are no longer encrypted.
Declares that an attribute is no longer indexed.
Declares that a plugin cannot be used by the server any more.
Deletes a replication agreement.
Deletes a prioritized replication rule.
Deletes suffix configuration and data.
Demotes the role of an existing replicated suffix. A master is demoted to a hub, a hub is demoted to a consumer. To demote a master to a consumer, run the command twice.
Disables a plugin.
Disables replication for a replicated suffix.
Disables replication with another Directory Server.
Enables a plugin.
Enables replication by assigning a role to an existing suffix.
Enables replication with another Directory Server.
Exports suffix data to LDIF format.
Displays the value of an index configuration property.
Displays server log property values.
Displays plugin property values.
Displays replication agreement property values.
Displays server property values.
Displays suffix property values.
Lists properties exposed by subcommands.
Populates existing suffixes with LDIF data.
Displays information about server configuration such as port number, suffix name, server mode and task states.
Launches a total update of the remote replica from a local suffix.
Lists encrypted attributes. When used with -v, this command displays additional information related to encrypted attributes.
Lists indexed attribute configuration. When used with -v, this command displays additional information related to indexes.
Lists plugins. When used with -v, this command displays additional information related to plugins.
Lists replication agreements. When used with -v, this command displays additional information related to replication agreements.
Lists prioritized replication rules. When used with -v, this command displays additional information related to prioritized replication rules.
Lists suffixes. When used with -v, this command displays additional information related to suffixes. This includes the number of entries, the suffix role and the number of replication agreements, replication priority rules, indexes and encrypted attributes.
Promotes the role of an existing replicated suffix. A consumer is promoted to a hub, a hub is promoted to a master. To promote a consumer to a master, run the command twice.
Changes Directory Server password compatibility state.
Rebuilds index(es) of an existing suffix.
Restores Directory Server data from backup archive.
Closes and renames current log and creates fresh log.
Sets the index property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets server log property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets plugin property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets replication agreement property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets server property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Sets suffix property value.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Displays a comparison of a source and destination suffix configuration and the status of the replication agreement. When used with -v, this command displays additional replication agreement information such as pending changes and delayed maximum duration.
Displays status of current directory server tasks. When used with -v, this command displays additional information related to the task type.
Restarts replication updates after the destination server has been down by forcing updates to the remote replica from the local suffix.
The following options are global, and are applicable to all commands and subcommands.
Displays help information for a command or subcommand.
Does not ask for confirmation before accepting non-trusted server certificates.
Binds as USER_DN. dsconf searches for a USER_DN value in the following order: first, a USER_DN specified on the command line; then a USER_DN set by using the environment variable $LDAP_ADMIN_USER. If neither is found, the default is to bind as the user cn=Directory Manager.
Connects over LDAP with no secure connection. To connect over a clear connection by default, set the DIRSERV_UNSECURED environment variable.
Connects to the directory on HOST. dsconf contacts the LDAP server on the specified host, which may be a host name or an IP address. dsconf searches for a HOST value in the following order: First a HOST specified on the command line, then a HOST set by using the environment variable $DIRSERV_HOST. If none of these are found, the default is to use the local host.
For example, when mapping the IPv4 address 192.168.0.99 to IPv6, specify the HOST:PORT as follows: ::ffff:192.168.0.99.
Does not prompt for confirmation before performing the operation.
Does not ask for confirmation before rejecting non-trusted server certificates (for current session only).
Connects to the directory on PORT. dsconf searches for a PORT value in the following order: first, a PORT specified on the command line; then a PORT set by using the environment variable $DIRSERV_PORT. If neither is found, the default is to use port 389.
This option is mutually exclusive with -P,--secure-port.
Connects over SSL to the directory on PORT. The dsconf command searches for a PORT value in the following order:
A PORT specified in the command line
A PORT set by using the $DIR_SERV_PORT environment variable
If none of these are found, the default is to use port 636.
This option is mutually exclusive with -p,--port.
Displays extra information.
Displays the current version of dsconf. The version is provided in the format year.monthday.time. So version number 2007.1204.0035 was built on December 4th, 2007 at 00h35. If the components used by dsconf are not aligned, the version of each individual component is displayed.
Binds using the LDAP password read from FILE. dsconf searches for a password FILE value in the following order: first, a password or password file specified on the command line; then a password file set by using the environment variable $LDAP_ADMIN_PWF. If neither is found, the default is to prompt for the password.
Decrypts encrypted attributes. The --decrypt-attr option is a boolean and is optional.
The following options are applicable to the subcommands where they are specified.
Sets authentication protocol for replication agreements to PROTOCOL. For the create-repl-dest subcommand, the default value is clear. Other possible values are ssl-simple and ssl-client. For the change-repl-dest subcommand, the default value is the same as that of the HOST:PORT to which you are changing.
Launches the task asynchronously and returns control to the command line immediately.
Specifies a database name.
Reads certificate database password from FILE. The default is to prompt for password.
Specifies a replication ID for a master. It is only used when ROLE = master.
Specifies a description DESC.
Modifies the display output to show one property value per line.
Sets initialization function for a plugin to INIT_FUNC.
Customizes imported or exported LDIF.
Import flags:
Sets the merge chunk size. Overrides the detection of when to start a new pass during import.
Specifies whether an output file will be generated for later use in importing to large replicated suffixes. Default is yes. Possible values are yes and no. This flag can only be used when the -K option is used. If this flag is not used, an output file will automatically be generated.
Sets the path of the generated output file for an incremental (appended) import. The output file is used for updating a replication topology. It is an LDIF file containing the difference between the replicated suffix and the LDIF file, and replication information.
Export flags:
Exports each suffix to a separate file.
Exports the main database file only.
Does not export unique id values.
Does not wrap long lines.
Does not export entry IDs.
Sets plugin argument property to ARG.
Sets plugin library path to LIB_PATH.
Binds as USER_DN on destination suffix (Default: same as the DN used for source suffix)
For use with the create-repl-agmt and change-repl-dest subcommands. When --no-accord is used with either of these subcommands, the accord-repl-agmt operation is not performed.
When creating a new replication agreement or changing the destination server of a replication agreement, dsconf tries to run the accord-repl-agmt operation to ensure that the authentication properties of the destination suffix are in accord with those of the replication agreement. If the destination server is unavailable or slow to respond, the command takes longer than necessary to complete unless the --no-accord option is used.
Specifies that the contents of the imported LDIF file are appended to the existing LDAP entries. If this option is not specified, the contents of the imported file replace the existing entries.
Specifies database directory and path.
Displays time in UNIT, where UNIT is one of: w, d, h, m, s (week, day, hour, minute, second).
Does not create a top entry for the suffix. By default, a top-level entry is created when a new suffix is created (on the condition that the suffix starts with dc=, c=, o= or ou=). This option changes the default behavior.
Does not export additional data needed for replication.
Displays help properties and their corresponding attributes in cn=config.
Exports all data under specified DN.
Displays information in a table format.
Reindexes the attribute ATTR (Default: All attributes).
Binds on a destination suffix using the password read from FILE. The default is the same FILE used for the source suffix.
Does not import or export data contained under the specified DN.
Sets plugin type to TYPE, where TYPE is one of: database, extendedop, preoperation, postoperation, matchingrule, syntax, internalpreoperation, internalpostoperation, object, pwdstoragescheme, reverpwdstoragescheme, ldbmentryfetchstore, beprecommit, archive2ldbm.
Displays memory size data in UNIT, where UNIT is one of: G, M, k, b (Gigabyte, Megabyte, kilobyte, byte).
The following operands are supported:
Directory Server instance backup archive directory.
Attribute name.
Algorithm to use for encryption. Possible values are: des, des3, rc2, rc4. These values signify respectively DES block cipher, Triple DES block cipher, RC2 block cipher, RC4 stream cipher.
Destination replicated suffix, defined by HOST and destination PORT.
Path and filename for file in LDIF format.
Type of log, where LOG_TYPE is one of: access, error, audit.
Desired mode for password compatibility policy. The default mode is DS5-compatible-mode. You can change it to DS6-migration-mode and then to DS6-mode.
Plugin name. The plugin name is defined when the plugin is created.
Name used to define or identify a prioritized replication rule.
Property name. For a list of PROP names and default values, use the command dsconf help-properties -v.
Property and corresponding value. For a list of PROP names and default values, use the command dsconf help-properties -v.
For multi-valued properties, use PROP+:VAL to add a value, and PROP-:VAL to remove a value.
Multi-valued properties are identified by the M keyword. For a list of multi-valued properties, use the command dsconf help-properties | grep " M "
Allowed values that are too wide for the help-properties output are listed below:
LOG level (Access): acc-internal | default | acc-default_plus_referrals | acc-timing. For definitions of log levels, see the man page log(5dsconf).
LOG level (Error): default | err-function-calls | err-search-args | err-connection | err-packets | err-search-filter | err-config-file | err-acl | err-ldbm | err-entry-parsing | err-housekeeping | err-replication | err-entry-cache | err-plugins | err-dsml | err-dsml-advanced. For definitions of log levels, see the man page log(5dsconf).
PLG type and depends-on-type: database | extendedop | preoperation | postoperation | matchingrule | syntax | internalpreoperation | internalpostoperation | object | pwdstoragescheme | reverpwdstoragescheme | ldbmentryfetchstore | beprecommit | archive2ldbm
RAG transport-compression: no-compression | default-compression | best-speed | best-compression
SER dsml-client-auth-mode: client-cert-first | http-basic-only | client-cert-only
Role of the replicated suffix, where ROLE is one of: master, hub, consumer.
Suffix DN (Distinguished Name)
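The PROP:VAL, PROP+:VAL and PROP-:VAL forms above are the same syntax for every set-*-prop subcommand, and each maps onto a plain LDAP modification of cn=config (replace, add or delete of the attribute listed by help-properties). The following Python model of that mapping is an added example written for this page, not part of the man page or of Directory Server. It takes the entry-cache-size to nsslapd-cachememsize mapping from the help-properties output shown later on this page; the "level" row of the catalogue and its attribute name are placeholders chosen to exercise the multi-valued path.

```python
"""Model the PROP:VAL, PROP+:VAL and PROP-:VAL assignment syntax of dsconf set-*-prop."""

# Constructed property catalogue: property name -> (cn=config attribute, multi-valued?).
# The entry-cache-size row is taken from the man page's help-properties output; the
# "level" row uses a placeholder attribute name chosen for illustration, not the real one.
CATALOGUE = {
    "entry-cache-size": ("nsslapd-cachememsize", False),
    "level": ("placeholder-log-level-attribute", True),  # hypothetical mapping
}

OPERATORS = {"+": "add", "-": "delete"}


def parse_assignment(text):
    """Split 'PROP:VAL', 'PROP+:VAL' or 'PROP-:VAL' into (prop, op, value),
    where op is 'set', 'add' or 'delete'. The value may itself contain ':'."""
    prop, sep, value = text.partition(":")
    if not sep or not prop or not value:
        raise ValueError(f"not a PROP:VAL assignment: {text!r}")
    op = "set"
    if prop[-1] in OPERATORS:  # a trailing + or - is the operator, not part of the name
        op, prop = OPERATORS[prop[-1]], prop[:-1]
    if not prop:
        raise ValueError(f"missing property name in {text!r}")
    return prop, op, value


def resolve(prop, op, catalogue):
    """Map a property to its attribute and reject +:/-: on single-valued properties."""
    if prop not in catalogue:
        raise ValueError(f"unknown property {prop!r}; see dsconf help-properties -v")
    attr, multi = catalogue[prop]
    if op != "set" and not multi:
        raise ValueError(f"{prop} is single-valued; PROP+:VAL and PROP-:VAL need a multi-valued property")
    return attr


def to_ldif_modify(assignments, catalogue=CATALOGUE, dn="cn=config"):
    """Render the LDIF 'changetype: modify' record equivalent to the assignments:
    PROP:VAL -> replace, PROP+:VAL -> add, PROP-:VAL -> delete."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for text in assignments:
        prop, op, value = parse_assignment(text)
        attr = resolve(prop, op, catalogue)
        ldap_op = "replace" if op == "set" else op
        lines += [f"{ldap_op}: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


def apply_assignments(assignments, state, catalogue=CATALOGUE):
    """Apply the assignments to `state` (attribute -> list of values) and return
    the new state: a set replaces every existing value, an add of a value already
    present is a no-op, and a delete of an absent value is an error."""
    new = {attr: list(values) for attr, values in state.items()}
    for text in assignments:
        prop, op, value = parse_assignment(text)
        attr = resolve(prop, op, catalogue)
        current = new.setdefault(attr, [])
        if op == "set":
            new[attr] = [value]
        elif op == "add":
            if value not in current:
                current.append(value)
        elif value in current:
            current.remove(value)
        else:
            raise ValueError(f"{value!r} is not a value of {prop}")
    return new


def accepts(assignments, catalogue=CATALOGUE):
    """True when every assignment parses and is legal for its property."""
    try:
        to_ldif_modify(assignments, catalogue)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Mirrors the man page example: change entry-cache-size from 10M to 12M.
    print(to_ldif_modify(["entry-cache-size:12M"]))
    print(apply_assignments(["level+:acc-internal", "level-:default"],
                            {"placeholder-log-level-attribute": ["default"]}))
```

The point of rejecting PROP+:VAL on a single-valued property is the same check dsconf itself has to make: only properties marked M in help-properties have a meaningful add or delete, so a script that generates set-*-prop arguments should validate the operator against the property kind before the command runs.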
Syntax values shown in lower case or partly in lower case are literal values.
Those shown in upper case are syntax types, defined as follows:
A valid attribute type name such as cn or objectClass.
A valid distinguished name such as ou=People,dc=example,dc=com.
A duration specified in months (M), weeks (w), days (d), hours (h), minutes (m), seconds (s), and milliseconds (ms), or some combination with multiple specifiers. For example, you can specify one week as 1w, 7d, 168h, 10080m, or 604800s. You can also specify one week as 1w0d0h0m0s.
DURATION properties typically do not each support all duration specifiers (Mwdhms). Examine the output of dsconf help-properties for the property to determine which duration specifiers are supported.
A positive integer value between 0 and the maximum supported integer value in the system address space. On 32-bit systems, 2147483647. On 64-bit systems, 9223372036854775807.
An interval value of the form hhmm-hhmm 0123456, where the first element specifies the starting hour, the next element the finishing hour in 24-hour time format, from 0000-2359, and the second specifies days, starting with Sunday (0) to Saturday (6).
A valid LDAP URL as specified by RFC 2255.
A memory size specified in gigabytes (G), megabytes (M), kilobytes (k), or bytes (b). Unlike DURATION properties, MEMORY_SIZE properties cannot combine multiple specifiers. However, MEMORY_SIZE properties allow decimal values, for example, 1.5M.
A three-digit, octal file permissions specifier. The first digit specifies permissions for the server user ID, the second for the server group ID, the last for other users. Each digit consists of a bitmask defining read (4), write (2), execute (1), or no access (0) permissions, thus 640 specifies read-write access for the server user, read-only access for other users of the server group, and no access for other users.
A valid, absolute file system path.
A DirectoryString value, as specified by RFC 2252.
A time of the form hhmm in 24-hour format, where hh stands for hours and mm stands for minutes.
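The syntax types above (DURATION, MEMORY_SIZE, TIME, INTERVAL and PERMISSIONS) are what a script has to get right before handing a value to set-*-prop. The following validators are an added example written for this page in Python; they are not part of the man page or of Directory Server. Two assumptions are made that the page does not settle: a month (M) is counted as 30 days, and the MEMORY_SIZE specifier is matched case-insensitively because the help-properties output quoted on this page writes 2m while the text lists M.

```python
"""Validators for the property value syntax types documented for dsconf."""
import re

# Milliseconds per DURATION specifier; integer arithmetic keeps 'ms' exact.
# A month (M) has no fixed length in seconds: 30 days is an assumption made here.
_DURATION_MS = {"M": 30 * 86_400_000, "w": 604_800_000, "d": 86_400_000,
                "h": 3_600_000, "m": 60_000, "s": 1_000, "ms": 1}
_DURATION_TOKEN = re.compile(r"(\d+)(ms|[Mwdhms])")
_DURATION_FULL = re.compile(r"(?:\d+(?:ms|[Mwdhms]))+")


def parse_duration(value, allowed=("M", "w", "d", "h", "m", "s", "ms")):
    """Return a DURATION such as '1w0d0h0m0s' as a number of seconds.
    `allowed` is the subset of specifiers the property accepts (dsconf
    help-properties lists it per property); any other specifier is an error."""
    if not _DURATION_FULL.fullmatch(value):
        raise ValueError(f"malformed DURATION: {value!r}")
    total_ms = 0
    for number, unit in _DURATION_TOKEN.findall(value):
        if unit not in allowed:
            raise ValueError(f"specifier {unit!r} not accepted for this property")
        total_ms += int(number) * _DURATION_MS[unit]
    return total_ms / 1000


_MEMORY_BYTES = {"G": 1 << 30, "M": 1 << 20, "K": 1 << 10, "B": 1}


def parse_memory_size(value):
    """Return a MEMORY_SIZE such as '1.5M' or '200k' in bytes: exactly one
    specifier, decimals allowed. The specifier case is ignored (assumption)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([GgMmKkBb])", value)
    if not m:
        raise ValueError(f"malformed MEMORY_SIZE: {value!r}")
    return int(float(m.group(1)) * _MEMORY_BYTES[m.group(2).upper()])


def parse_time(value):
    """Return a TIME 'hhmm' (24-hour clock) as minutes since midnight."""
    m = re.fullmatch(r"([01]\d|2[0-3])([0-5]\d)", value)
    if not m:
        raise ValueError(f"malformed TIME: {value!r}")
    return int(m.group(1)) * 60 + int(m.group(2))


def parse_interval(value):
    """Return an INTERVAL 'hhmm-hhmm 0123456' as (start_min, end_min, days),
    where days is the sorted list of weekday numbers, Sunday = 0."""
    m = re.fullmatch(r"(\d{4})-(\d{4}) ([0-6]+)", value)
    if not m:
        raise ValueError(f"malformed INTERVAL: {value!r}")
    start, end = parse_time(m.group(1)), parse_time(m.group(2))
    days = sorted({int(d) for d in m.group(3)})
    return start, end, days


def parse_permissions(value):
    """Expand a three-digit octal PERMISSIONS value such as '640' into rwx
    strings for the server user, the server group and other users."""
    if not re.fullmatch(r"[0-7]{3}", value):
        raise ValueError(f"malformed PERMISSIONS: {value!r}")

    def rwx(digit):
        bits = int(digit)
        return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

    return {"user": rwx(value[0]), "group": rwx(value[1]), "other": rwx(value[2])}


def is_valid(kind, value, **kwargs):
    """True when `value` parses as the syntax type named by `kind`."""
    parsers = {"DURATION": parse_duration, "MEMORY_SIZE": parse_memory_size,
               "TIME": parse_time, "INTERVAL": parse_interval,
               "PERMISSIONS": parse_permissions}
    try:
        parsers[kind](value, **kwargs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The six spellings of one week come from the man page; the rest are constructed.
    for spelling in ("1w", "7d", "168h", "10080m", "604800s", "1w0d0h0m0s"):
        print(spelling, "=", parse_duration(spelling), "s")
    print(parse_memory_size("1.5M"), parse_interval("0800-1800 12345"), parse_permissions("640"))
```

Passing a property's own specifier set to parse_duration is the check the page asks for when it says DURATION properties do not each support every specifier: a rotation-interval of 2d parses, while 1w is rejected for a property whose help-properties line lists only dhms.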
The following examples show how the dsconf command is used.
$ dsconf create-suffix -h host -p port dc=example,dc=com
In this example, non-default ports are specified.
Check to see if the suffix has been created:
$ dsconf list-suffixes -h host -p port -v
$ dsconf import -h host -p port /local/ds/ldif/example.ldif dc=example,dc=com
In this example, the preferredLanguage attribute is going to be indexed.
Create an index entry for the attribute. By default, the index matching types are equality and presence.
$ dsconf create-index -h host -p port dc=example,dc=com preferredLanguage
Check that the index entry has been created:
$ dsconf get-index-prop -h host -p port dc=example,dc=com preferredLanguage
Generate the index for the attribute:
$ dsconf reindex -h host -p port -t preferredLanguage dc=example,dc=com
$ dsconf backup -h host -p port /tmp/backupArchiveDir
For complete backup procedures, see the Sun Java System Directory Server Enterprise Edition Administration Guide.
Search for the string cache within the dsconf help properties:
$ dsconf help-properties | grep cache
Determine which property is most applicable and request more information. In the results of the preceding step, entry-cache-size seems to correspond. For additional information, use the verbose option:
$ dsconf help-properties -v | grep entry-cache-size
SUF entry-cache-size rw MEMORY_SIZE (Ex: 3G,2m,200k,10000b) nsslapd-cachememsize Cache size in term of memory space: (Default: 10M)
Use the following information to interpret the results above:
SUF: This property applies to a suffix.
entry-cache-size: The name of the property.
rw: You have read and write access to the property when using get-suffix-prop and set-suffix-prop.
MEMORY_SIZE: Use memory size values as described in this man page.
nsslapd-cachememsize: The attribute under cn=config to which this property applies.
10M: The default value of this property.
Determine the current value of entry-cache-size:
$ dsconf get-suffix-prop -h host -p port dc=example,dc=com entry-cache-size
entry-cache-size : 10M
Change the value of entry-cache-size to 12M:
$ dsconf set-suffix-prop -h host -p port dc=example,dc=com entry-cache-size:12M
Check that the value has been changed:
$ dsconf get-suffix-prop -h host -p port dc=example,dc=com entry-cache-size
entry-cache-size : 12M
$ dsconf export -h host -p port -f not-print-entry-ids -s ou=people,dc=example,dc=com -s ou=contractors,dc=example,dc=com dc=example,dc=com /local/ds/ldif/export.ldif
This example shows a command that:
Uses the flag not-print-entry-ids to request that entry IDs are not exported.
Exports data from two suffixes, ou=people,dc=example,dc=com and ou=contractors,dc=example,dc=com, into one LDIF file, /local/ds/ldif/export.ldif.
If you have a log that is getting very large, you can rotate the log. Rotation backs up the existing log file and creates a fresh log file. In this example, the access log is rotated.
Rotate the access log by using the command:
$ dsconf rotate-log-now -h host -p port access
You can now modify the delay between log rotations for the access log.
Find the property which sets the maximum log size:
$ dsconf help-properties -v | grep LOG
The output from the previous command shows that the required property is rotation-interval.
To see the default setting for rotation-interval:
$ dsconf get-log-prop -h host -p port access rotation-interval
The default is one day (1d).
To increase the rotation delay to two days, use the command:
$ dsconf set-log-prop -h host -p port access rotation-interval:2d
This procedure configures replication on a topology with two servers, both of which are masters. Replication is configured first on one master, then on the second master. Master 1 is located on server1.example:1389. Master 2 is located on server2.example:2389.
On Server 1: Create a suffix.
$ dsconf create-suffix -h server1.example -p 1389 dc=example,dc=com
On Server 1: Populate the suffix with LDIF data.
$ dsconf import -a -h server1.example -p 1389 /opt/SUNWdsee/ds6/ldif/Example.ldif dc=example,dc=com
If the import takes a long time, you can obtain status on the import operation using:
$ dsconf info -h server1.example -p 1389
or
$ dsconf show-task-status -h server1.example -p 1389 -v
Alternatively, you can view the status of the task while it is running by omitting the -a option in the command.
On Server 1: Enable replication on Master 1. This step assigns a replication role and ID to an existing suffix. It also sets the replication manager bind DN to the default replication manager DN.
$ dsconf enable-repl -h server1.example -p 1389 -d 1 master dc=example,dc=com
On Server 2: Create a suffix.
$ dsconf create-suffix -h server2.example -p 2389 dc=example,dc=com
On Server 2: Enable replication on Master 2. This step assigns a replication role and ID to an existing suffix. It also sets the replication manager bind DN to the default replication manager DN.
$ dsconf enable-repl -h server2.example -p 2389 -d 2 master dc=example,dc=com
On Server 1: Create a replication agreement from Master 1 to Master 2.
$ dsconf create-repl-agmt -h server1.example -p 1389 dc=example,dc=com server2.example:2389
On Server 2: Create a replication agreement from Master 2 to Master 1.
$ dsconf create-repl-agmt -h server2.example -p 2389 dc=example,dc=com server1.example:1389
On Server 1: Check that the replication agreement status is OK.
$ dsconf show-repl-agmt-status -h server1.example -p 1389 dc=example,dc=com server2.example:2389
If the status is not OK, then accord the replication agreement:
$ dsconf accord-repl-agmt -h server1.example -p 1389 dc=example,dc=com server2.example:2389
On Server 1: From Master 1, initialize replication on Master 2. This step initializes Master 2 with the data contained in the suffix on Master 1 and starts replication.
$ dsconf init-repl-dest -h server1.example -p 1389 dc=example,dc=com server2.example:2389
The replication agreements in both directions are now active and replication is running.
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWldap-directory-client
Stability Level | Evolving