server

, check-schema-enabled

, check-syntax-enabled

, compat-flag

, config-magic-number

, db-batched-transaction-count

, db-cache-size

, db-checkpoint-interval

, db-env-path

, db-lock-count

, db-log-buf-size

, db-log-path

, def-repl-manager-pwd

, def-repl-manager-pwd-file

, dn-cache-count

, dn-cache-size

, dsml-answer-size

, dsml-buffer-size

, dsml-client-auth-mode

, dsml-enabled

, dsml-max-parser-count

, dsml-min-parser-count

, dsml-port

, dsml-relative-root-url

, dsml-request-max-size

, dsml-secure-port

, file-descriptor-count

, heap-high-threshold-size

, heap-low-threshold-size

, host-access-dir-path

, idle-timeout

, import-cache-size

, instance-path

, ldap-port

, ldap-secure-port

, listen-address

, look-through-limit

, max-psearch-count

, max-thread-count

, max-thread-per-connection-count

, mod-tracking-enabled

, polling-thread-count

, pwd-accept-hashed-pwd-enabled

, pwd-check-enabled

, pwd-compat-mode

, pwd-expire-no-warning-enabled

, pwd-expire-warning-delay

, pwd-failure-count-interval

, pwd-grace-login-limit

, pwd-keep-last-auth-time-enabled

, pwd-lockout-duration

, pwd-lockout-enabled

, pwd-lockout-repl-priority-enabled

, pwd-max-age

, pwd-max-failure-count

, pwd-max-history-count

, pwd-min-age

, pwd-min-length

, pwd-mod-gen-length

, pwd-must-change-enabled

, pwd-root-dn-bypass-enabled

, pwd-safe-modify-enabled

, pwd-storage-scheme

, pwd-strong-check-dictionary-path

, pwd-strong-check-enabled

, pwd-strong-check-require-charset

, pwd-supported-storage-scheme

, pwd-user-change-enabled

, read-write-mode

, ref-integrity-attr

, ref-integrity-check-delay

, ref-integrity-enabled

, repl-user-schema-enabled

, require-bind-pwd-enabled

, retro-cl-deleted-entry-attr

, retro-cl-enabled

, retro-cl-ignored-attr

, retro-cl-max-age

, retro-cl-max-entry-count

, retro-cl-path

, retro-cl-suffix-dn

, root-dn

, root-pwd

, root-pwd-file

, root-pwd-storage-scheme

, search-size-limit

, search-time-limit

, secure-listen-address

, ssl-cipher-family

, ssl-client-auth-mode

, ssl-enabled

, ssl-rsa-cert-name

, ssl-rsa-security-device

, ssl-supported-ciphers

, thread-count

- DS server instance configuration (SER) properties

Description

The behavior of a Directory Server instance is configured according to server properties documented here and in the documentation specified under the SEE ALSO section.

PROPERTY: check-schema-enabled

This property specifies whether the server checks that entries being updated still conform to the server schema.

PROPERTY: check-syntax-enabled

This property specifies whether the server checks that attribute values being updated have valid syntax. The server logs an error message when encountering an invalid value and prevents the update. When this property is set to on, the server checks updates to attribute values defined as Boolean, DN, Directory String, Generalized Time, IA5 String, INTEGER, or Telephone Number syntax. This behavior holds both for offline import and for normal write operations.

By default, syntax checking is off. When syntax checking is on, all import and update operations are checked. Directory Manager (directory super user) cannot bypass syntax checking.

Syntax is not checked on existing entries in the database. To clean up existing data, dump the database to LDIF, turn syntax checking on, and reload the database. Data that violates the syntax is visible in the errors log, and can be corrected and reloaded. You can also repair existing bad data by deleting or replacing the bad value using an LDAP client. If syntax checking is on, when a database is reloaded from LDIF, invalid syntax values are skipped and recorded in the errors log. Valid syntax values are reloaded.

PROPERTY: compat-flag

Flag which forces server to behave as in previous releases, for compatibility reasons.

The following values are accepted:

• none

  The server behavior is not altered.

• no-rfc4511

  RFC 4511 specifies that a search filter (such as (&(attr>=v1)(attr<=v2)) should return entries that have one value that is greater than or equal to v1 and one value that is less than or equal to v2. In previous versions of Directory Server, this filter was interpreted as entries with values in the range v1...v2 (which is more restrictive when the attribute is multi-valued. The Directory Server now implements the RFC 4511 behavior by default, unless compat-flag is set to no-rfc4511.

• no-rfc4522

  RFC 4522 clarifies the usage of the binary qualifier in attribute names. It states that an LDAP search response should always append the binary qualifier to the attribute name whenever its syntax allows the binary option and also when the attribute is requested without the binary qualifier. By default, version 7 implements RFC 4522 behavior. If compat-flag is set to no-rfc4522, the software implements version 6 behavior.

PROPERTY: config-magic-number

This property specifies a value used by the Directory Server administration framework and tools to determine the capabilities of a server instance.

PROPERTY: db-batched-transaction-count

This property specifies how many server transactions are gathered into a batch before being written to the transaction log. If writes to the transaction log are a bottleneck, you may potentially improve performance by increasing this value. Valid range is 0-30, 0 meaning that batching is turned off.

PROPERTY: db-cache-size

This property specifies the amount of physical memory Directory Server requests from the operating system to cache indexes for all suffixes supported by the server instance. See Directory Server Data Caching in Directory Server Enterprise Edition Reference for suggestions on sizing cache.

PROPERTY: db-checkpoint-interval

This property specifies the interval between checkpoints recorded in the database transaction log.

PROPERTY: db-env-path

This property specifies a valid directory, unique to the server instance. There must be enough space available on the file system to house at least the actual size of the database cache.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: db-lock-count

This property specifies the number of locks available to the server instance database. Increase this value if you observe the following message in the errors log:

libdb: Lock table is out of available locks

PROPERTY: db-log-buf-size

This property specifies the transaction log buffer size. Valid range is 0 to the size of the transaction log, which is 10M by default.

After changing this property, you must restart the server in order to take the change into account.

PROPERTY: db-log-path

This property specifies the file system directory containing the database transaction log.

When changing this property, you must stop the server, delete the existing database, and reimport all suffixes from LDIF, before restarting the server.

PROPERTY: def-repl-manager-pwd

This property lets you read the password used for replication binds performed using simple authentication. Either you specify the password before setting up replication by setting def-repl-manager-pwd-file to specify the file containing the password you want to use, or you accept the password value generated by the dsconf accord-replication subcommand.

PROPERTY: def-repl-manager-pwd-file

This property specifies the file from which the default replication password is read and stored for future use when setting up replication.

PROPERTY: dn-cache-count

This property specifies the size of the DN cache in terms of number of entries. The value of dn-cache-count is unlimited by default. The value of dn-cache-count can be an integer, unlimited, and disabled and each of these has the following effect on dn-cache-size.

• unlimited — cache is limited to the cache size specified for dn-cache-size.

• disabled — caching is disabled and dn-cache-size is ignored.

• INTEGER — cache is limited to the number of DNs specified by the value that you provide and dn-cache-size is ignored. The value must be 1 or greater than 1.

Changing this property requires you to restart the server.

PROPERTY: dn-cache-size

This property specifies the size of the DN cache in terms of memory space. This property is set by default. The cache size must be larger than 1M. The DN cache size specified for this property is taken into account only when dn-cache-count is set to unlimited.

Changing this property requires you to restart the server.

PROPERTY: dsml-answer-size

This property specifies the maximum size of a server response to a DSML request. Larger responses are chunked.

PROPERTY: dsml-buffer-size

This property specifies the size of the buffer used to store DSML requests. If the server receives many DSML requests larger than this limit, increase the buffer size.

PROPERTY: dsml-client-auth-mode

This property specifies how the server identifies a client application. The following settings are supported.

clientCertOnly

Use credentials from the client certificate to identify the client.

httpBasicOnly

Use credentials from the HTTP authorization header to identify the client.

clientCertFirst

Attempt to use the client certificate credentials to identify the client. If there are no client certificate credentials, credentials from the HTTP authorization header are used.

PROPERTY: dsml-enabled

This property specifies whether the server accepts DSML requests.

PROPERTY: dsml-max-parser-count

This property specifies the maximum number of DSML parsers allocated to handle client requests. Increase the value of this property if the server must handle sustained, high numbers of DSML client requests.

PROPERTY: dsml-min-parser-count

This property specifies the minimum number of DSML parsers allocated to handle client requests. Increase the value of this property if the server must handle sustained, high numbers of DSML client requests.

PROPERTY: dsml-port

This property specifies the port number on which the server listens for DSML requests. Changing the value requires that you restart the server.

PROPERTY: dsml-relative-root-url

This property specifies the root URL HTTP clients should specify in their POST requests.

PROPERTY: dsml-request-max-size

This property specifies the maximum size for DSML client requests.

PROPERTY: dsml-secure-port

This property specifies the port number on which the server listens for DSML requests over HTTPS. Changing the value requires that you restart the server.

PROPERTY: file-descriptor-count

This property specifies the maximum number of file descriptors the server instance attempts to use to handle client requests. Increase this value if you observe the following message in the errors log:

Not listening for new connections -- too many fds open

PROPERTY: heap-high-threshold-size

This property specifies a threshold value for the dynamic memory footprint. When the threshold memory is reached, Directory Server attempts to free memory from the entry caches, and to limit memory use.

• When heap-low-threshold-size is reached, Directory Server attempts to free memory concurrently with other operations.

• When heap-high-threshold-size is reached, Directory Server prevents operations on the cache while memory is freed.

heap-high-threshold-size and heap-low-threshold-size must be configured in conjunction with each other, as follows.

• If heap-high-threshold-size is set to undefined or is not set, heap-low-threshold-size is ignored.

• If heap-high-threshold-size is set, its value must be at least one gigabyte.

• If heap-high-threshold-size is set, the value of heap-low-threshold-size must be less than that of heap-high-threshold-size. If not, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

• If heap-high-threshold-size is set to a value other than undefined, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

• If heap-high-threshold-size and heap-low-threshold-size are both set to a value other than undefined, heap-low-threshold-size must be greater than or equal to (heap-high-threshold-size + minheap)/2, where minheap is the amount of heap memory used by the server at startup. If this condition is not met, heap-low-threshold-size is automatically set by default to 7/8 of the value of heap-high-threshold-size.

The number of times the memory thresholds have been exceeded can be monitored by using the heapmaxhighhits and heapmaxlowhits attributes on cn=monitor.

PROPERTY: heap-low-threshold-size

See the description for heap-high-threshold-size.

PROPERTY: host-access-dir-path

This property specifies the local directory path on the server host where hosts.allow and hosts.deny files are located. If this property is not set, or if the files are not found, Directory Server does not enable the additional connection-based access controls provided by these files.

PROPERTY: idle-timeout

This property specifies how many seconds the server waits for traffic on an idle LDAP client connection before closing the connection.

PROPERTY: import-cache-size

This property specifies the amount of physical memory Directory Server requests from the operating system to cache data used when initializing a suffix from LDIF. See Directory Server Data Caching in Directory Server Enterprise Edition Reference for suggestions on sizing cache.

PROPERTY: instance-path

This property specifies the file system directory under which the server instance was created using the dsadm create command.

PROPERTY: ldap-port

This property specifies the port on which the server listens for LDAP client requests. The default port is 389 when the instance is created by the system super user, 1389 otherwise. Changing this property requires that you restart the server.

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: ldap-secure-port

This property specifies the port on which the server listens for LDAPS client requests using TLS or SSL. The default port is 636 when the instance is created by the system super user, 1636 otherwise. Changing this property requires that you restart the server.

If you set both ldap-port and ldap-secure-port to disabled, you can no longer use dsconf to configure the server.

PROPERTY: listen-address

This property specifies the IP address at which the server listens for LDAP client requests using the regular LDAP port. You can specify more than one listen address for the same port number. The default listen address is 0.0.0.0. Changing this property requires that you restart the server.

PROPERTY: look-through-limit

This property specifies the maximum number of entries the server examines when checking candidates to respond to a search request.

PROPERTY: max-psearch-count

This property specifies the maximum number persistent searches allowed. You can read the number of active persistent searches in the value of currentpsearches on cn=monitor.

PROPERTY: max-thread-count

This property specifies the number of threads created at startup to process operations. When tuning server performance, try setting this to twice the number of processors or 20 plus the number of simultaneous updates expected. You can read the number of active threads in the value of threads on cn=monitor.

PROPERTY: max-thread-per-connection-count

This property specifies the maximum number of concurrent threads used to process operations on a single connection.

PROPERTY: mod-tracking-enabled