The Global Configuration contains properties that affect the overall operation of the Oracle Unified Directory .
The following components have a direct AGGREGATION relation FROM Global Configurations :
A description of each property follows.
bind-with-dn-requires-password
Description | Indicates whether the Directory Server should reject any simple bind request that contains a DN but no password. Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password. |
---|---|
Default Value | true |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the name of the certificate mapper that should be used to match client certificates to user entries. |
---|---|
Default Value | None |
Allowed Values | The DN of any Certificate Mapper. The referenced certificate mapper must be enabled when the Global Configuration is enabled. |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the name of the password policy that is in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute). |
---|---|
Default Value | None |
Allowed Values | The DN of any Password Policy. |
Multi-valued | No |
Required | Yes |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the name of a privilege that should not be evaluated by the server. If a privilege is disabled, then it is assumed that all clients (including unauthenticated clients) have that privilege. |
---|---|
Default Value | If no values are defined, then the server enforces all privileges. |
Allowed Values | backend-backup - Allows the user to request that the server process backup tasks. backend-restore - Allows the user to request that the server process restore tasks. bypass-acl - Allows the associated user to bypass access control checks performed by the server. bypass-lockdown - Allows the associated user to bypass server lockdown mode. cancel-request - Allows the user to cancel operations in progress on other client connections. config-read - Allows the associated user to read the server configuration. config-write - Allows the associated user to update the server configuration. The CONFIG_READ privilege is also required. disconnect-client - Allows the user to terminate other client connections. jmx-notify - Allows the associated user to subscribe to receive JMX notifications. jmx-read - Allows the associated user to perform JMX read operations. jmx-write - Allows the associated user to perform JMX write operations. ldif-export - Allows the user to request that the server process LDIF export tasks. ldif-import - Allows the user to request that the server process LDIF import tasks. modify-acl - Allows the associated user to modify the server's access control configuration. password-reset - Allows the user to reset user passwords. privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users. proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity. server-restart - Allows the user to request that the server perform an in-core restart. server-shutdown - Allows the user to request that the server shut down. subentry-write - Allows the associated user to perform LDAP subentry write operations. unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes. update-schema - Allows the user to make changes to the server schema. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Indicates whether or not to preload the entry cache on startup. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | Restart the server |
Advanced Property | No |
Read-only | No |
Description | Specifies the resolution to use for operation elapsed processing time (etime) measurements. |
---|---|
Default Value | milliseconds |
Allowed Values | milliseconds - Use millisecond resolution. nanoseconds - Use nanosecond resolution. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies a set of generic identity mappers that will be used by Global Configuration for mapping an identity while performing all the operations except GSSAPI/SASL binds. |
---|---|
Default Value | None |
Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Global Configuration is enabled. |
Multi-valued | Yes |
Required | Yes |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the name of the identity mapper to map authentication and authorization ID values provided in a GSSAPI/SASL bind to the corresponding user entry. |
---|---|
Default Value | None |
Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled. |
Multi-valued | Yes |
Required | Yes |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the maximum length of time that a client connection may remain established since its last completed operation. A value of "0 seconds" indicates that no idle time limit is enforced. |
---|---|
Default Value | 0 seconds |
Allowed Values | A duration Syntax. Lower limit is 0 milliseconds. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
import-big-entries-memory-percent
Description | Specifies the maximum memory usage for the big entries as a percentage of the available memory at the time an import is performed. |
---|---|
Default Value | 10 |
Allowed Values | An integer value. Lower value is 0. Upper value is 100 . |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Indicates whether the Directory Server should reject all connections and requests unless they are from loopback clients with the CONFIG_WRITE or BYPASS_LOCKDOWN privilege. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the maximum number of entries that the Directory Server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria. A value of 0 indicates that no lookthrough limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-lookthrough-limit operational attribute. |
---|---|
Default Value | 5000 |
Allowed Values | An integer value. Lower value is 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
max-allowed-client-connections
Description | Specifies the maximum number of client connections that may be established at any given time A value of 0 indicates that unlimited client connection is allowed. |
---|---|
Default Value | 0 |
Allowed Values | An integer value. Lower value is 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Defines the maximum number of concurrent persistent searches that can be performed on Directory Server The persistent search mechanism provides an active channel through which entries that change, and information about the changes that occur, can be communicated. Because each persistent search operation consumes resources, limiting the number of simultaneous persistent searches keeps the performance impact minimal. A value of -1 indicates that there is no limit on the persistent searches. |
---|---|
Default Value | -1 |
Allowed Values | An integer value. Lower value is 0. A value of "-1" or "unlimited" for no limit. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Indicates whether the directory server will accept a simple bind request that may contain a value with non-dn syntax. With this option enabled, the server accepts a simple bind request that may contain a uid,mail or any such attribute. As an example, an active directory client that uses userPrinicpalName in the simple bind may still work against directory server as the userPrincipalName defaults to the mail attribute. This example assumes that an identity mapper has been defined with mail attribute. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
reject-unauthenticated-requests
Description | Indicates whether the Directory Server should reject any request (other than bind or StartTLS requests) received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure. Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages appears only in the server's access log. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
save-config-on-successful-startup
Description | Indicates whether the Directory Server should save a copy of its configuration whenever the startup process completes successfully. This ensures that the server provides a "last known good" configuration, which can be used as a reference (or copied into the active config) if the server fails to start with the current "active" configuration. |
---|---|
Default Value | true |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the maximum number of entries that can be returned to the client during a single search operation. A value of 0 indicates that no size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute. |
---|---|
Default Value | 1000 |
Allowed Values | An integer value. Lower value is 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the address (and optional port number) for a mail server that can be used to send email messages via SMTP. It may be an IP address or resolvable hostname, optionally followed by a colon and a port number. |
---|---|
Default Value | If no values are defined, then the server cannot send email via SMTP. |
Allowed Values | A hostname, optionally followed by a ":" followed by a port number. |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the maximum length of time that should be spent processing a single search operation. A value of 0 seconds indicates that no time limit is enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute. |
---|---|
Default Value | 60 seconds |
Allowed Values | A duration Syntax. Lower limit is 0 seconds. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Specifies the kinds of write operations the Directory Server can process. |
---|---|
Default Value | enabled |
Allowed Values | disabled - The Directory Server rejects all write operations that are requested of it, regardless of their origin. enabled - The Directory Server attempts to process all write operations that are requested of it, regardless of their origin. internal-only - The Directory Server attempts to process write operations requested as internal operations or through synchronization, but rejects any such operations requested from external clients. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | No |
Read-only | No |
Description | Indicates whether the Directory Server should automatically add any attribute values contained in the entry's RDN into that entry when processing an add request. |
---|---|
Default Value | true |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
allow-attribute-name-exceptions
Description | Indicates whether the Directory Server should allow underscores in attribute names and allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards). |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Specifies the fully-qualified name of a Java class that may be invoked in the server. Any attempt to invoke a task not included in the list of allowed tasks is rejected. |
---|---|
Default Value | If no values are defined, then the server does not allow any tasks to be invoked. |
Allowed Values | A String |
Multi-valued | Yes |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Indicates whether schema enforcement is active. When schema enforcement is activated, the Directory Server ensures that all operations result in entries are valid according to the defined server schema. It is strongly recommended that this option be left enabled to prevent the inadvertent addition of invalid data into the server. |
---|---|
Default Value | true |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
invalid-attribute-syntax-behavior
Description | Specifies how the Directory Server should handle operations whenever an attribute value violates the associated attribute syntax. |
---|---|
Default Value | reject |
Allowed Values | accept - The Directory Server silently accepts attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected. reject - The Directory Server rejects attribute values that are invalid according to their associated syntax. warn - The Directory Server accepts attribute values that are invalid according to their associated syntax, but also logs a warning message to the error log. Matching operations targeting those values may not behave as expected. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Indicates whether or not the server should maintain authenticated users. Authenticated users can be maintained by the server to prevent stale sessions which can occur due to delete or modify operations performed on authenticated users entries. Doing so enforces a stricter security by keeping authentication information of existing sessions up to date and disconnecting deleted users or updating authentication data of modified users but has additional cost to bind operations performance. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Specifies the maximum number of members that the Directory Server should "look through" in the course of processing an operation on a static group. A value of 0 indicates that no limit is enforced. |
---|---|
Default Value | 100000 |
Allowed Values | An integer value. Lower value is 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Indicates whether the Directory Server should send a response to any operation that is interrupted via an abandon request. The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Indicates whether the server should, for LDAP V2 clients, ignore that an attribute is specified as operational and process it as a user attribute. Operational attributes are specified by LDAP V3. For LDAP V3 clients, OUD supports operational attributes, means return them only on demand. For LDAP V2, when set to false, OUD supports operational attribute the same way as for LDAP V3. When set to true, OUD processes operational like non operational attributes. This helps compatibility with old or other servers. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Indicates whether the server should, for LDAP V2 clients, returns options while it normally merges all options. Attributes options are specified by LDAP V3. For LDAP V3 clients, OUD supports attributes option and returns them to the client. For LDAP V2, when set to false, OUD merges all options into the attribute with no option. When set to true, OUD returns options as for LDAPv3. This helps compatibility with old or other servers. |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
return-lowercase-attribute-type
Description | Specifies whether attribute types are returned as lowercase or as defined by the schema. By default search operation returns entries with attribute type and objectclass values as defined in the schema. When setting this flags both attributes types and schema as returned as lowercase. According to LDAP standard, applications must ignore case in attribute type and objectclass values so this flag should be turned on only if legacy buggy applications are used. ( Typically on some rare migration scenario ). |
---|---|
Default Value | false |
Allowed Values | true false |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
returned-attribute-value-limit
Description | Specifies the maximum number of values for an attribute that the Directory Server can return per entry while processing a search request. A value of 0 indicates that no limit is enforced. |
---|---|
Default Value | 100000 |
Allowed Values | An integer value. Lower value is 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
Description | Specifies the numeric value of the result code when request processing fails due to an internal server error. |
---|---|
Default Value | 80 |
Allowed Values | An integer value. Lower value is 0. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |
single-structural-objectclass-behavior
Description | Specifies how the Directory Server should handle operations whenever an entry does not contain a structural object class or contains multiple structural classes. |
---|---|
Default Value | reject |
Allowed Values | accept - The Directory Server silently accepts entries that do not contain exactly one structural object class. Certain schema features that depend on the entry's structural class may not behave as expected. reject - The Directory Server rejects entries that do not contain exactly one structural object class. warn - The Directory Server accepts entries that do not contain exactly one structural object class, but also logs a warning message to the error log. Certain schema features that depend on the entry's structural class may not behave as expected. |
Multi-valued | No |
Required | No |
Admin Action Required | None |
Advanced Property | Yes |
Read-only | No |