iPlanet Directory Server IDDS Transition Guide



Chapter 4   Configuration File Options


This chapter separates the IDDS configuration file options into global and backend-specific categories, describing each option and its equivalent (if any) in iPlanet Directory Server. It is composed of the following sections: Global Options, General Backend Options, LDBM Backend-Specific Options, and Chaining Options.



Global Options

Options described in this section apply to all backends of IDDS.

access to <what> [ by <who> <accesslevel> ]+

This option grants access (specified by <accesslevel>) to a set of entries and/or attributes (specified by <what>) by one or more requesters (specified by <who>). See "Migrating Access Control" in the next chapter for more details on how this is represented in iPlanet Directory Server.

adminaddr <address>

The value of this option is provided to clients in the administratorsAddress attribute of the root DSE. There is no direct equivalent in iPlanet Directory Server.

approximation {soundex|metaphone}

This option specifies the algorithm by which IDDS performs approximate matching. This option is not available in iPlanet Directory Server, which only supports metaphone.

attribute <name> [<oid>] <syntax>

This option associates a syntax with an attribute name. In iPlanet Directory Server, this information is provided in the schema files.

attribute <name> [<oid>] sup <attrname>

This option defines an attribute as a subtype of another attribute type. In iPlanet Directory Server, this information is provided in the schema files.

disable_locking { yes | no }

This option specifies whether the underlying disk databases should disable the file locking service. This option has no equivalent in iPlanet Directory Server.

http_port <portno>

This option specifies the TCP port for processing HTTP requests. There is no equivalent in iPlanet Directory Server as server administration is performed through the iPlanet Console.

https_port <portno>

This option specifies the TCP port for processing HTTPS (HTTP protected by SSL) requests. There is no equivalent in iPlanet Directory Server as server administration is performed through the iPlanet Console.

include <filename>

This option specifies that IDDS should read additional schema configuration information from the given file before continuing with the next line of the current file. There is no equivalent in iPlanet Directory Server; schema files are read from the schema directory.

install_path <pathname>

This option specifies an alternate installation directory. There is no equivalent in iPlanet Directory Server.

ldaps_port <portno>

This option specifies the port number for the obsolete alternate LDAP/SSL mapping. In iPlanet Directory Server, it is controlled by the nsslapd-secureport attribute.

listen_backlog <integer>

This option specifies the maximum number of pending connections that should be queued. This option is not available in iPlanet Directory Server.

loglevel <integer>

This option specifies the level at which debugging statements and operation statistics should be logged on UNIX. This option is not available in iPlanet Directory Server.

logpriority <loglevel>

This option specifies the priority level to which log messages should be syslogged on UNIX. This option is not available in iPlanet Directory Server.

maxconns <integer>

This option specifies the maximum number of simultaneous connections that IDDS will permit. On UNIX platforms this is also limited by the number of file descriptors permitted to each process. In iPlanet Directory Server, this is controlled by the nsslapd-maxdescriptors attribute.

mgrdn <dn>

This option specifies the Distinguished Name of the global manager who is exempt from access control restrictions. In iPlanet Directory Server, this is represented by the nsslapd-rootdn attribute of cn=config.

mgrpw <string>

This option specifies a password for the DN given above that will always work, regardless of whether an entry exists with the given DN. In iPlanet Directory Server, this is represented by the nsslapd-rootpw attribute of cn=config.

nodelay { on | off }

This option specifies whether TCP packet delays should be disabled for returning responses. In iPlanet Directory Server, this is controlled by the nsslapd-nagle attribute.

notimeout <dn>

This option specifies the identity of a user whose connections should not be timed out. In iPlanet Directory Server, this is represented by operational attributes of that user's entry.

objectclass <name> ...

In iPlanet Directory Server, this information is provided in the schema files.

ops_unthreaded { yes | no }

This option specifies whether operations should be run by the same thread as the connection. This feature is not available in iPlanet Directory Server.

port <portnumber>

This option specifies the TCP port number on which IDDS should listen for incoming connections. In iPlanet Directory Server, this is represented by the nsslapd-port attribute of cn=config.

referral <url> [ <url> ...]

This option specifies the referral to pass back when IDDS cannot find a local database to handle a request. In iPlanet Directory Server, this is represented by the nsslapd-referral attribute of cn=config.

replogfile <filename>

This option tells IDDS to write a log file of updates made by clients. This feature is not available in iPlanet Directory Server.

reverse_lookup { yes | no }

This feature is not available in iPlanet Directory Server.

rewrite_rfc1274 { yes | no }

When this option is set to yes, RFC 1274 (The COSINE and Internet X.500 Schema) attribute type names provided by clients in add and modify requests are converted to LDAPv3 compatible names as described in RFC 2256 (A Summary of the X.500(96) User Schema for use with LDAPv3). The option is provided for compatibility with LDAPv2 applications, such as the Entrust CA. If this option is set, then multiple attributes with the same values will be returned to clients. In iPlanet Directory Server, this is controlled by the nsslapd-rewrite-rfc1274 attribute of cn=config.

schemacheck { on | off }

This option turns schema checking on or off. In iPlanet Directory Server, this is controlled by the nsslapd-schemacheck attribute of cn=config.

serverdn <dn>

This option has no equivalent in iPlanet Directory Server.

serveruid <integer>

This option specifies a UNIX userid to which IDDS should setuid() after it has started running. In iPlanet Directory Server, this is controlled by the nsslapd-localuser attribute of cn=config.

sizelimit <integer>

This option specifies the maximum number of entries to return from a search operation. In iPlanet Directory Server, this is represented by the nsslapd-sizelimit attribute of cn=config.

snmp_port <integer>

This option specifies the UDP port snmpd should use. There is no direct equivalent in iPlanet Directory Server.

ssl_capath <pathname>

This option specifies the name of a directory containing trusted CA certificates in PEM format. iPlanet Directory Server uses a different SSL certificate and key database technology, so this option has no direct equivalent. It will be necessary to import any CA certificates into the new database using the iPlanet Console.

ssl_cafile <filename>

This option specifies the name of a file containing trusted CA certificates in PEM format. iPlanet Directory Server uses a different SSL certificate and key database technology, so this option has no direct equivalent. It will be necessary to import any CA certificates into the new database using the iPlanet Console.

ssl_cert <filename>

This option specifies the location on disk of the file containing IDDS's own certificate. iPlanet Directory Server uses a different SSL certificate and key database technology, so this option has no direct equivalent. It will be necessary to generate a new key pair and recertify any servers when transitioning to iPlanet Directory Server.

ssl_cert_required { yes | no }

This option specifies whether a client must provide a certificate when negotiating SSLv3. Consult the iPlanet Directory Server Administration Guide for additional information on SSL configuration.

ssl_key <filename>

This option specifies the location on disk of the file containing IDDS's own certificate. iPlanet Directory Server uses a different SSL certificate and key database technology, so this option has no direct equivalent. It will be necessary to generate a new key pair and recertify any servers when transitioning to iPlanet Directory Server.

ssl_version <integer>

This option specifies what versions of SSL are supported. Consult the iPlanet Directory Server Administration Guide for additional information on SSL configuration.

stacksize_conn <integer>

This option specifies the size in bytes of the stack for each thread maintaining the state of a connection. There is no equivalent for iPlanet Directory Server.

stacksize_op <integer>

This option specifies the size in bytes of the stack for each thread maintaining the state of an operation. There is no equivalent for iPlanet Directory Server.

statslog full | op | conn | mods | none | off

This option specifies the kinds of operations that the directory server will log. This feature is not available in iPlanet Directory Server.

timelimit <integer>

This option specifies the maximum number of seconds (in real time) IDDS will spend answering a search request. In iPlanet Directory Server, this is represented by the nsslapd-timelimit attribute of cn=config.

timeout <integer>

This option specifies the maximum number of seconds that a client connection can remain idle before IDDS closes it. In iPlanet Directory Server, this is represented by the nsslapd-idletimeout attribute of cn=config.

version_override <string>

This option overrides the implementation name in the cn=monitor entry. This feature is not available in iPlanet Directory Server.

virtual_attrs tcl <scriptname> <objectclass>

This option specifies the location of a virtual attribute script file. This feature is not available in iPlanet Directory Server. Contact iPlanet Professional Services at http://www.iplanet.com/services/pro_serv/index.html for assistance in converting virtual attribute script functionality for use with iPlanet Directory Server.



General Backend Options

Options in this section apply to the IDDS backend in which they are defined.

confidential { yes | no }

This option specifies whether data stored in a backend is confidential. This feature is not available in iPlanet Directory Server.

database <databasetype>

This option marks the beginning of a new database definition. iPlanet Directory Server stores its configuration as entries below cn=config,cn=ldbm database.

end_database

This option marks the end of a database definition. iPlanet Directory Server stores its configuration as entries.

lastmod { on | off }

This option controls whether IDDS will automatically maintain the modifiersName, modifyTimestamp, creatorsName, and createTimestamp attributes for entries. In iPlanet Directory Server, this is represented by the nsslapd-lastmod attribute of cn=config.

mgrdn <dn>

This option specifies the DN of an entry that is not subject to access control or administrative limit restrictions for operations on this database. This per-database manager is not available in iPlanet Directory Server.

mgrpw <string>

This option specifies a password for the DN given above that will always work, regardless of whether an entry with the given DN exists or has a password. This option has no equivalent in iPlanet Directory Server.

readonly { on | off }

This option puts the database into "read-only" mode. In iPlanet Directory Server, this is represented by the nsslapd-readonly attribute of cn=config.

referral <URL>

If IDDS receives a DIT modification operation for this database from a user other than the manager or one listed as an updatedn (see below), IDDS will return a referral to another server indicated by this URL. This option has no equivalent in iPlanet Directory Server.

sizelimit <integer>

This option specifies the maximum number of entries to return from this database. There is no direct equivalent in iPlanet Directory Server.

suffix <dn suffix>

This option specifies the DN suffix of queries that will be passed to this backend database. iPlanet Directory Server stores its configuration in entries differently; when the database is created, the suffix is specified in the mapping tree entry below cn=config.

updatedn <dn>

This option specifies the DN of another LDAP server allowed to make changes to the replica. Because the replication mechanism in iPlanet Directory Server is different, there is no direct equivalent.



LDBM Backend-Specific Options

Options in this category apply to an LDBM backend database.

cachesize <integer>

This option specifies the size in entries of the in-memory cache maintained by the LDBM backend database instance. In iPlanet Directory Server, this is controlled by the nsslapd-cachesize attribute of the database configuration entry.

cachewrites { yes | no }

This option specifies whether modifications to the database should be cached in memory for up to one minute. This option has no equivalent in iPlanet Directory Server.

dbcachesize <integer>

This option specifies the size in bytes of the in-memory cache used by the Sleepycat b-tree database for each file. In iPlanet Directory Server, this is controlled by the nsslapd-dbcachesize attribute of the database configuration entry.

dbcachesize_load <integer>

This option specifies an alternate value of dbcachesize that ldif2ldbm should use. This option has no equivalent in iPlanet Directory Server.

directory <directory>

This option specifies the directory where the LDBM files containing the database and associated indices live. In iPlanet Directory Server, this is controlled by the nsslapd-directory attribute of the database configuration entry.

ignore_onelevel_refs { yes | no }

When set to yes, this option causes referrals to be ignored when performing one-level searches; referral entries would be treated as regular local entries. This feature is not available in iPlanet Directory Server.

ignore_refs { yes | no }

If set to yes, then referral entries cannot be used in the LDBM database. This option has no equivalent in iPlanet Directory Server.

index <attrlist> [pres,eq,approx,sub,none] [preload] [unique] [referential]

This option specifies the indices to maintain for the given attribute. In iPlanet Directory Server, there is a separate configuration entry for each attribute being indexed.

There is no equivalent in iPlanet Directory Server for the preload modifier.

In iPlanet Directory Server, the uid uniqueness and referential integrity plug-ins can be used to provide the IDDS functionality described by the unique and referential modifiers.

indexcachesize <integer>

This option specifies the maximum size in datums of the internal cache array for each attribute index. There is no equivalent in iPlanet Directory Server.

indexonly { yes | no }

This option specifies whether filter components in subtree and one level searches that would not make use of attribute index files should be ignored. There is no equivalent in iPlanet Directory Server.

mode <integer>

This option specifies the file protection mode that newly created database index files should have. There is no equivalent in iPlanet Directory Server as files should always be of mode 0600.

pagesize <integer>

This option specifies the size of each page in the underlying database files. There is no equivalent in iPlanet Directory Server.

preload_entries { yes | no }

This option specifies whether IDDS should load all the entries into its cache when it starts. This feature is not available in iPlanet Directory Server.

pwdhash {none|crypt|ssha}

In iPlanet Directory Server, this feature is provided by the password hashing plug-ins.

replogfile <filename>

This option tells IDDS to write a log file of updates made by clients. As iPlanet Directory Server implements its own replication without needing a log file, there is no equivalent for this option.

require_index {yes | no}

This option specifies whether search filters must make use of at least one attribute index. In iPlanet Directory Server, this is controlled by the nsslapd-require-index attribute of the database configuration entry.



Chaining Options

This section describes options that can be set in a backend of the chaining type.

chainto <URL> ...

This option specifies the servers to which chained operations should be forwarded. Multiple URLs can be specified, and IDDS will try each in turn until a server can be contacted. This option is represented in iPlanet Directory Server as the nsFarmServerURL attribute.

encryptchain { yes | no }

This option specifies whether IDDS should use SSL/TLS to encrypt the chained operations. There is no direct equivalent in iPlanet Directory Server.

ldapversion <integer>

This specifies the version to present when binding. This option is not available in iPlanet Directory Server.

mapto <dn>

The mapto option is not available in iPlanet Directory Server.

maxhops <integer>

This specifies the number of times an operation can be chained. In iPlanet Directory Server, this is represented by the nsHopLimit configuration attribute.

maxwait <integer>

This specifies the maximum number of seconds IDDS will wait for a reply from a chained operation before abandoning it. There is no direct equivalent in iPlanet Directory Server.
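
The scoping and mappings described in this chapter, applied in an added example (not IDDS or iPlanet code): a Python audit that walks an IDDS configuration, tracks database/end_database scope, and reports for each option its iPlanet attribute, a manual migration step, or no equivalent. It assumes one whitespace-separated option per line; the sample values and the ldbm and chaining type tokens are constructed.

```python
# Tables transcribed from this chapter: IDDS option -> iPlanet attribute.
GLOBAL = {
    "ldaps_port": "nsslapd-secureport", "maxconns": "nsslapd-maxdescriptors",
    "mgrdn": "nsslapd-rootdn", "mgrpw": "nsslapd-rootpw",
    "nodelay": "nsslapd-nagle", "port": "nsslapd-port",
    "referral": "nsslapd-referral", "schemacheck": "nsslapd-schemacheck",
    "rewrite_rfc1274": "nsslapd-rewrite-rfc1274",
    "serveruid": "nsslapd-localuser", "sizelimit": "nsslapd-sizelimit",
    "timelimit": "nsslapd-timelimit", "timeout": "nsslapd-idletimeout",
}
BACKEND = {
    "lastmod": "nsslapd-lastmod", "readonly": "nsslapd-readonly",
    "cachesize": "nsslapd-cachesize", "dbcachesize": "nsslapd-dbcachesize",
    "directory": "nsslapd-directory", "require_index": "nsslapd-require-index",
    "chainto": "nsFarmServerURL", "maxhops": "nsHopLimit",
}
# Migrated by another mechanism (schema files, certificate import, plug-ins).
MANUAL = {"access", "attribute", "objectclass", "notimeout", "ssl_capath",
          "ssl_cafile", "ssl_cert", "ssl_key", "ssl_cert_required",
          "ssl_version", "virtual_attrs", "suffix", "index", "pwdhash"}

def audit(text):
    """Return (line_no, scope, option, value, verdict) per option line."""
    findings, backend = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(None, 1)
        if not parts:
            continue
        opt, val = parts[0], parts[1].strip() if len(parts) > 1 else ""
        if opt in ("database", "end_database"):  # scope markers
            backend = val if opt == "database" else None
            continue
        table = BACKEND if backend else GLOBAL  # same name, different scope
        if opt in table:
            verdict = "maps to " + table[opt]
        else:
            verdict = "manual migration step" if opt in MANUAL else "no equivalent"
        if opt == "mgrpw":  # keep passwords out of the report
            val = "<redacted>"
        findings.append((n, backend or "global", opt, val, verdict))
    return findings

# Constructed sample; option values and backend type tokens are assumptions.
SAMPLE = """port 389
mgrpw constructed-global-secret
ssl_cert /constructed/server.pem
database ldbm
mgrpw constructed-backend-secret
end_database
database chaining
chainto ldap://farm.example:389/
encryptchain yes
end_database"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A per-database mgrpw reported as having no equivalent is a credential that stops working after the transition, and an encryptchain line with no equivalent means transport protection for chained operations has to be configured separately on the iPlanet side.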


Copyright © 2001 Sun Microsystems, Inc. Some preexisting portions Copyright © 2001 Netscape Communications Corp. All rights reserved.

Last Updated June 19, 2001