Chapter 15
Administering Directory Server Plug-Ins
Directory Server plug-ins extend the functionality of the server. iPlanet Directory Server ships with several plug-ins to help you manage your directory. This chapter contains general information on the types of plug-ins available, and how to enable or disable them. This chapter is divided into the following sections:
Server Plug-in Functionality Reference
The following tables give a quick overview of the plug-ins provided with iPlanet Directory Server 5.1, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information and further reading. Use them to weigh plug-in performance gains against costs and choose the optimal settings for your deployment. The Further Information heading cross-references further reading where this is available.
7-bit Check Plug-In
Plug-in Name: 7-bit check (NS7bitAtt)
DN of Configuration Entry: cn=7-bit check,cn=plugins,cn=config
Description: Checks that certain attributes are 7-bit clean
Configurable Options: on | off
Default Setting: on
Configurable Arguments: list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur
Dependencies: None
Performance Related Information: None
Further Information: If your Directory Server uses non-ASCII characters, for example, Japanese, turn this plug-in off.

ACL Plug-In
Plug-in Name: ACL Plugin
DN of Configuration Entry: cn=ACL Plugin,cn=plugins,cn=config
Description: ACL access check plug-in
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: N/A
Further Information: Chapter 6, "Managing Access Control."

ACL Preoperation Plug-In
Plug-in Name: ACL preoperation
DN of Configuration Entry: cn=ACL preoperation,cn=plugins,cn=config
Description: ACL access check plug-in
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: database
Performance Related Information: None
Further Information: Chapter 6, "Managing Access Control."

Binary Syntax Plug-In
Plug-in Name: Binary Syntax
DN of Configuration Entry: cn=Binary Syntax,cn=plugins,cn=config
Description: Syntax for handling binary data
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Boolean Syntax Plug-In
Plug-in Name: Boolean Syntax
DN of Configuration Entry: cn=Boolean Syntax,cn=plugins,cn=config
Description: Syntax for handling booleans
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Case Exact String Syntax Plug-In
Plug-in Name: Case Exact String Syntax
DN of Configuration Entry: cn=Case Exact String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-sensitive strings
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Case Ignore String Syntax Plug-In
Plug-in Name: Case Ignore String Syntax
DN of Configuration Entry: cn=Case Ignore String Syntax,cn=plugins,cn=config
Description: Syntax for handling case-insensitive strings
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Chaining Database Plug-In
Plug-in Name: Chaining Database
DN of Configuration Entry: cn=Chaining database,cn=plugins,cn=config
Description: Syntax for handling DNs
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 3, "Configuring Directory Databases."

Class of Service Plug-In
Plug-in Name: Class of Service
DN of Configuration Entry: cn=Class of Service,cn=plugins,cn=config
Description: Allows for sharing of attributes between entries
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 5, "Advanced Entry Management."

Country String Syntax Plug-In
Plug-in Name: Country String Syntax Plug-in
DN of Configuration Entry: cn=Country String Syntax,cn=plugins,cn=config
Description: Syntax for handling countries
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Distinguished Name Syntax Plug-In
Plug-in Name: Distinguished Name Syntax
DN of Configuration Entry: cn=Distinguished Name Syntax,cn=plugins,cn=config
Description: Syntax for handling DNs
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Generalized Time Syntax Plug-In
Plug-in Name: Generalized Time Syntax
DN of Configuration Entry: cn=Generalized Time Syntax,cn=plugins,cn=config
Description: Syntax for dealing with dates, times and time zones
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: The Generalized Time String consists of the following: four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second and a time zone indication. We strongly recommend that you use the Z time zone indication which stands for Greenwich Mean Time.

Integer Syntax Plug-In
Plug-in Name: Integer Syntax
DN of Configuration Entry: cn=Integer Syntax,cn=plugins,cn=config
Description: Syntax for handling integers
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Internationalization Plug-In
Plug-in Name: Internationalization Plugin
DN of Configuration Entry: cn=Internationalization Plugin,cn=plugins,cn=config
Description: Syntax for handling DNs
Configurable Options: on | off
Default Setting: on
Configurable Arguments: The Internationalization plug-in has one argument which must not be modified:
    installDir/slapd-serverID/config/slapd-collations.conf
    This directory stores the collation orders and locales used by the internationalization plug-in.
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: See Appendix D, "Internationalization."

ldbm Database Plug-In
Legacy Replication Plug-In
Plug-in Name: Legacy Replication plug-in
DN of Configuration Entry: cn=Legacy Replication plug-in,cn=plugins,cn=config
Description: Enables iPlanet Directory Server 5.1 to be a consumer of a 4.1 supplier
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.1 server.
Dependencies: database
Performance Related Information: None
Further Information: Chapter 8, "Managing Replication."

Multimaster Replication Plug-In
Plug-in Name: Multimaster Replication Plugin
DN of Configuration Entry: cn=Multimaster Replication plugin,cn=plugins, cn=config
Description: Enables replication between two 5.0 Directory Servers
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: database
Performance Related Information: N/A
Further Information: You can turn this plug-in off if you only have one server which will never replicate. See also Chapter 8, "Managing Replication."

Octet String Syntax Plug-in
Plug-in Name: Octet String Syntax
DN of Configuration Entry: cn=Octet String Syntax,cn=plugins,cn=config
Description: Syntax for handling octet strings
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

CLEAR Password Storage Plug-In
Plug-in Name: CLEAR
DN of Configuration Entry: cn=CLEAR,cn=Password Storage Schemes,cn=plugins, cn=config
Description: CLEAR password storage scheme used for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 7, "User Account Management."

CRYPT Password Storage Plug-In
Plug-in Name: CRYPT
DN of Configuration Entry: cn=CRYPT,cn=Password Storage Schemes,cn=plugins, cn=config
Description: CRYPT password storage scheme used for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 7, "User Account Management."

NS-MTA-MD5 Password Storage Plug-In
Plug-in Name: NS-MTA-MD5
DN of Configuration Entry: cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins, cn=config
Description: NS-MTA-MD5 password storage scheme for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. iPlanet recommends that you leave this plug-in running at all times.
Further Information: You cannot choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is present in iPlanet Directory Server 5.1 but only for reasons of backward compatibility with earlier versions of Directory Server. See Chapter 7, "User Account Management."

SHA Password Storage Plug-In
Plug-in Name: SHA
DN of Configuration Entry: cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config
Description: SHA password storage scheme for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: If your directory does not contain passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. You should choose SSHA in preference to SHA because SSHA is a far more secure option.
Further Information: Chapter 7, "User Account Management."

SSHA Password Storage Plug-in
Plug-in Name: SSHA
DN of Configuration Entry: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
Description: SSHA password storage scheme for password encryption
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 7, "User Account Management."

Postal Address String Syntax Plug-In
Plug-in Name: Postal Address Syntax
DN of Configuration Entry: cn=Postal Address Syntax,cn=plugins,cn=config
Description: Syntax used for handling postal addresses
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

PTA Plug-In
Plug-in Name: Pass-Through Authentication Plugin
DN of Configuration Entry: cn=Pass Through Authentication,cn=plugins,cn=config
Description: Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. This plug-in is not listed in Directory Server Console if you use the same server for your user directory and configuration directory.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: ldap://iplanet.com:389/o=iplanet
Dependencies: None
Performance Related Information: Chapter 16, "Using the Pass-Through Authentication Plug-In."
Further Information: Chapter 16, "Using the Pass-Through Authentication Plug-In."

Referential Integrity Postoperation Plug-In
Plug-in Name: Referential Integrity Postoperation
DN of Configuration Entry: cn=Referential Integrity Postoperation,cn=plugins, cn=config
Description: Enables the server to ensure referential integrity
Configurable Options: All configuration and on | off
Default Setting: off
Configurable Arguments: When enabled, the post-operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.
    Configurable arguments are as follows:
    Check for referential integrity:
        -1 = no check for referential integrity
        0 = check for referential integrity is performed immediately
        positive integer = request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request, at intervals corresponding to the integer specified.
    Log file for storing the change, such as installDir/slapd-serverID/logs/referint
    All the additional attribute names you want to be checked for referential integrity.
Dependencies: database
Performance Related Information: You should enable the Referential Integrity plug-in on only one master in a multimaster replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers you must be sure to analyze your performance resource and time needs as well as your integrity needs.
Further Information: See "Maintaining Referential Integrity," on page 70.

Retro Change Log Plug-In
Plug-in Name: Retro Changelog Plugin
DN of Configuration Entry: cn=Retro Changelog Plugin,cn=plugins,cn=config
Description: Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: See iPlanet Directory Server Configuration, Command, and File Reference for further information on the two configuration attributes for the retro change log plug-in.
Dependencies: None
Performance Related Information: May slow down Directory Server performance.
Further Information: Chapter 8, "Managing Replication."

Roles Plug-In
Plug-in Name: Roles Plugin
DN of Configuration Entry: cn=Roles Plugin,cn=plugins,cn=config
Description: Enables the use of roles in the Directory Server
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information: Chapter 5, "Advanced Entry Management."

Telephone Syntax Plug-In
Plug-in Name: Telephone Syntax
DN of Configuration Entry: cn=Telephone Syntax,cn=plugins,cn=config
Description: Syntax for handling telephone numbers
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

UID Uniqueness Plug-in
Plug-in Name: UID Uniqueness plug-in
DN of Configuration Entry: cn=UID Uniqueness,cn=plugins,cn=config
Description: Checks that the values of specified attributes are unique each time a modification occurs on an entry.
Configurable Options: on | off
Default Setting: off
Configurable Arguments: To check for uid attribute uniqueness in all listed subtrees, enter the following arguments:
        uid
        "DN"
        "DN"...
    To check for uid attribute uniqueness when adding or updating entries with the requiredObjectClass, starting from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute, enter the following arguments instead:
        attribute="uid"
        MarkerObjectclass = "ObjectClassName"
    and optionally
        requiredObjectClass = "ObjectClassName"
Dependencies: N/A
Performance Related Information: This plug-in may slow down Directory Server performance.
    In a multimaster replication environment, the UID Uniqueness plug-in will not work at all and should therefore not be enabled.
    If you try to add a new entry to a server where the UID Uniqueness plug-in is enabled and a referral has been created in a subtree, the UID Uniqueness plug-in will not work. If the plug-in sees any error other than noSuchObject (meaning that the entry does not already exist), which it will if a referral is created, it returns an operations error that prevents you from adding your new entry. To avoid being blocked by such an operations error, disable the plug-in on the server where you created the referral. If, however, you still want to run a UID Uniqueness check, make sure that you only activate the plug-in on the last of the referred-to servers to prevent it from blocking the referral mechanism.
Further Information: Chapter 17, "Using the Attribute Uniqueness Plug-In."

URI Plug-in
Plug-in Name: URI Syntax
DN of Configuration Entry: cn=URI Syntax,cn=plugins,cn=config
Description: Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators)
Configurable Options: on | off
Default Setting: on
Configurable Arguments: None
Dependencies: None
Performance Related Information: Do not modify the configuration of this plug-in. You should leave this plug-in running at all times.
Further Information:

Enabling and Disabling Plug-Ins From the Server Console
To enable and disable plug-ins over LDAP using the Directory Server Console:
1. On the Directory Server Console, select the Configuration tab.
2. Double-click the Plug-ins folder in the navigation tree.
3. Select the plug-in from the Plug-ins list.
4. To disable the plug-in, clear the "Enabled" checkbox. To enable the plug-in, check this checkbox.
5. Click Save.
6. Restart the directory server.
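
A way to check the result of such changes against the reference tables in this chapter, as an added example that is not part of the iPlanet documentation: a Python audit that reads an LDIF export of the plug-in entries and reports states that depart from the chapter's guidance. It assumes the on/off state is stored in the nsslapd-pluginEnabled attribute of each plug-in entry (the attribute is not named on this page); the sample LDIF and the finding labels are constructed for illustration.

```python
import re

# Plug-ins this chapter says to leave running at all times (keyed by lowercase cn).
ALWAYS_ON = {n.lower() for n in (
    "Binary Syntax", "Boolean Syntax", "Case Exact String Syntax",
    "Case Ignore String Syntax", "Chaining database", "Class of Service",
    "Country String Syntax", "Distinguished Name Syntax",
    "Generalized Time Syntax", "Integer Syntax", "Internationalization Plugin",
    "Octet String Syntax", "CLEAR", "CRYPT", "NS-MTA-MD5", "SSHA",
    "Postal Address Syntax", "Roles Plugin", "Telephone Syntax", "URI Syntax")}
# Plug-ins whose default setting in the tables is off.
DEFAULT_OFF = {n.lower() for n in (
    "Pass Through Authentication", "Referential Integrity Postoperation",
    "Retro Changelog Plugin", "UID Uniqueness")}

# Constructed sample export, not taken from a real server.
SAMPLE_DSE = """\
dn: cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config
nsslapd-pluginEnabled: off

dn: cn=CRYPT,cn=Password Storage Schemes,cn=plugins,
 cn=config
nsslapd-pluginEnabled: on

dn: cn=Multimaster Replication plugin,cn=plugins, cn=config
nsslapd-pluginEnabled: on

dn: cn=UID Uniqueness,cn=plugins,cn=config
nsslapd-pluginEnabled: on
"""

def plugin_states(ldif_text):
    """Map each plug-in cn under cn=plugins,cn=config to 'on' or 'off'."""
    text = re.sub(r"\n ", "", ldif_text)  # unfold LDIF continuation lines
    states = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                attrs.setdefault(key.strip().lower(), value.strip())
        # Normalise case and spaces after commas; base64 ("dn::") DNs are skipped.
        dn = re.sub(r"\s*,\s*", ",", attrs.get("dn", "")).lower()
        if dn.endswith(",cn=plugins,cn=config") and "nsslapd-pluginenabled" in attrs:
            name = dn.split(",", 1)[0].partition("=")[2]
            states[name] = attrs["nsslapd-pluginenabled"].lower()
    return states

def audit(states):
    """Return (finding, plug-in) pairs where the state departs from the chapter."""
    findings = [("must-stay-on", n) for n in sorted(ALWAYS_ON.intersection(states))
                if states[n] != "on"]
    findings += [("enabled-non-default", n) for n in sorted(DEFAULT_OFF.intersection(states))
                 if states[n] == "on"]
    # The UID Uniqueness table says it does not work with multimaster replication.
    if states.get("uid uniqueness") == "on" and states.get("multimaster replication plugin") == "on":
        findings.append(("uid-uniqueness-with-multimaster", "uid uniqueness"))
    return findings

if __name__ == "__main__":
    for finding in audit(plugin_states(SAMPLE_DSE)):
        print(finding)
```

The multimaster finding only shows that both plug-ins are switched on; whether the server actually takes part in multimaster replication still has to be confirmed from its replication configuration.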