Configuration, Command, and File Reference (Netscape Directory Server)
The configuration information for Netscape Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server via LDAP while it is still running, thus avoiding the need to shut the server down.
This chapter gives details on how the configuration is organized and how to alter it. The chapter also provides an alphabetical reference for all attributes. The chapter is divided into the following sections:
When you install the Directory Server, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. Note that the latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.
Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under cn=ldbm database,cn=plugins,cn=config and cn=chaining database,cn=plugins,cn=config.
Figure 2-1 shows how the configuration data fits within the cn=config Directory Information Tree.
The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory:
serverRoot/slapd-serverID/config
Thus, if you specified a server identifier of phonebook, then, in a default installation, your configuration LDIF files are all stored under:
Schema configuration is also stored in LDIF format, and these files are located in the following directory:
serverRoot/slapd-serverID/config/schema
For a full list of the LDIF configuration files that are supplied with Directory Server, see Table 2-3 under Configuration Quick Reference Tables at the end of this chapter.
The dse.ldif file contains all configuration information including directory specific entries created by the directory at server startup, as well as directory specific entries related to the database, also created by the directory at server startup. The file includes the Root DSE (named by "") and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order. It does so in the order that the entries appear in the directory under cn=config.
Within a configuration entry, each setting is represented by an attribute name, and the value of that attribute is the current setting.
Code Example 2-1 gives an example of part of the dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been turned on; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-schemacheck: on
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. Code Example 2-2 shows the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart, see chapter 3, "Plug-in Implemented Server Functionality Reference."
The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases containing the o=NetscapeRoot and o=UserRoot suffixes.
Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:
For more information regarding indexes in general, see the Netscape Directory Server Administrator's Guide. For information regarding the index configuration attributes, see Database Attributes under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config. The attributes are presented there because this node is the first to appear in our representation of the configuration attributes, which is based on the cn=config information tree.
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
When the Directory Server is installed, a default set of Access Control Instructions (ACIs) is implemented for all entries under cn=config. Code Example 2-3 shows an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow (all) groupdn = "ldap:///cn=slapd-phonebook, cn=Netscape Directory Server, cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
For more information on Access Control, see the Netscape Directory Server Administrator's Guide.
You can view and change server attribute values in one of three ways. You make the changes by using LDAP through Netscape Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
If you edit the dse.ldif file, you must stop the server beforehand; otherwise, your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Configuration Changes Requiring Server Restart for further information.
The following sections describe how to modify entries using LDAP (both via Netscape Console and over the command-line), the restrictions to modifying entries, the restrictions to modifying attributes, and the configuration changes requiring restart.
The configuration entries in the directory can be searched and modified using LDAP either via the Netscape Console or by performing ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that you can make the changes while the server is running. You must remember to specify the port number when modifying configuration entries since the server is not necessarily running on port 389. For further information, see chapter 2, "Creating Directory Entries," in the Netscape Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. See Configuration Changes Requiring Server Restart for further information.
As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree, as this risks affecting Directory Server functionality.
The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:
ldapsearch -b cn=config -D bindDN -w password
where bindDN is the DN chosen for the Directory Manager when the server was installed and password is the password chosen for Directory Manager. For more information on using ldapsearch, see ldapsearch.
Previously, we saw an example of the configuration entry for the Telephone Syntax plug-in where the plug-in is enabled. If you wanted to disable this feature, you might use the following series of commands to implement this change.
Certain restrictions apply when modifying server entries and attributes:
Some configuration attributes cannot be altered dynamically while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Table 2-4 under Configuration Quick Reference Tables at the end of this chapter contains a list of these attributes.
This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see Accessing and Modifying Server Configuration. For a list of server features that are implemented as plug-ins, see section Server Plug-in Functionality Reference. For implementing your own server functionality, contact Netscape Professional Services.
The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in Figure 2-2.

The list of configuration tree nodes covered in this section are as follows:
The cn=plugins node is covered in chapter 3, "Plug-in Implemented Server Functionality Reference." The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Some of the entries and attributes described in this chapter may change in future releases of the product.
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.
Turns access control on and off. If this attribute has a value off, then any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.
Specifies the path and filename of the log used to record each database access. The following information is recorded by default in the log file:
For more information on turning access logging off, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.
For access logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
| nsslapd-accesslog-logging-enabled | nsslapd-accesslog | Access logging |
| on | empty string | Disabled |
| on | valid path and filename | Enabled |
| off | empty string | Disabled |
| off | valid path and filename | Disabled |
Example: nsslapd-accesslog: /usr/netscape/servers/slapd-phonebook/logs/access
Controls what is logged to the access log.
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
When set to off, the server writes all access log entries directly to disk.
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Specifies the units for nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and filename. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
| nsslapd-accesslog-logging-enabled | nsslapd-accesslog | Access logging |
| on | empty string | Disabled |
| on | valid path and filename | Enabled |
| off | empty string | Disabled |
| off | valid path and filename | Disabled |
Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
Valid range: -1, or 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size.
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
Specifies whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, such as midnight to midnight everyday. This makes analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files everyday at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
Specifies the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
Specifies the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Although it is not recommended for performance reasons to specify no log rotation since the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files) for more information.
Valid range: -1, or 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the time between access log file rotations is unlimited.
Specifies the units for the nsslapd-accesslog-logrotationtime attribute.
Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If you set nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
Valid range: -1, or 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, then each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1 because the server will not rotate the log, and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log rotation. See nsslapd-accesslog-logrotationtime (Access Log Rotation Time) for more information.
Specifies the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:
0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, keep in mind that 000 will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode will only affect new logs that are created; the mode will be set when the log rotates to a new file.
Allows non-standard characters in attribute names to be used for backwards compatibility with older servers.
Specifies the pathname and filename of the log used to record changes made to each database.
Example: nsslapd-auditlog: /usr/netscape/servers/slapd-phonebook/logs/audit
For audit logging to be enabled, this attribute must have a valid path and file name, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
| nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Audit logging |
| on | empty string | Disabled |
| on | valid path and filename | Enabled |
| off | empty string | Disabled |
| off | valid path and filename | Disabled |
Specifies the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
Turns audit logging on and off.
For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
| nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Audit logging |
| on | empty string | Disabled |
| on | valid path and filename | Enabled |
| off | empty string | Disabled |
| off | valid path and filename | Disabled |
Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.
Valid range: -1, or 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size.
Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.
Specifies whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, such as midnight to midnight everyday. This makes analysis of the log files much easier because they then map directly to the calendar.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit log files everyday at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
Specifies the hour of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
Default value: None (because nsslapd-auditlog-logrotationsync-enabled is off)
Specifies the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
Default value: None (because nsslapd-auditlog-logrotationsync-enabled is off)
Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.
Although it is not recommended for performance reasons to specify no log rotation, as the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files) for more information.
Valid range: -1, or 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means that the time between audit log file rotations is unlimited.
Specifies the units for the nsslapd-auditlog-logrotationtime attribute.
Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.
Valid range: -1, or 1 to the maximum 32-bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log, and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See nsslapd-auditlog-logrotationtime (Audit Log Rotation Time) for more information.
Specifies the access mode or file permissions with which audit log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:
0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, keep in mind that 000 will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode will only affect new logs that are created; the mode will be set when the log rotates to a new file.
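The rules stated above for the access-control switch and for the access and audit log attributes (the path-plus-flag combinations, the interplay of maxlogsperdir and logrotationtime, and the three-digit log mode) can be checked mechanically against the output of the ldapsearch on cn=config shown earlier in this chapter. The following Python script is an added example, not code from this reference or from the product. Its sample LDIF is constructed, and the attribute names nsslapd-accesscontrol, nsslapd-accesslog-mode and nsslapd-auditlog-mode are assumed, because this copy of the reference lost the headings that name those attributes.

```python
"""Audit the logging and access-control settings in a cn=config entry, using the
LDIF that `ldapsearch -b cn=config -D bindDN -w password` returns as input.
Added example, not code from the reference or the product; the sample LDIF is
constructed, and the attribute names nsslapd-accesscontrol, nsslapd-accesslog-mode
and nsslapd-auditlog-mode are assumed (the reference describes the attributes but
this copy of the page lost their names)."""
from __future__ import annotations

import re

# Constructed sample of the relevant cn=config attributes, as ldapsearch prints them.
SAMPLE_CONFIG_LDIF = """\
dn: cn=config
objectclass: nsslapdConfig
nsslapd-accesscontrol: on
nsslapd-accesslog: /usr/netscape/servers/slapd-phonebook/logs/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-mode: 600
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logrotationtime: 1
nsslapd-auditlog: /usr/netscape/servers/slapd-phonebook/logs/audit
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-mode: 666
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logrotationtime: 1
"""

def parse_ldif_entry(text: str) -> dict[str, list[str]]:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.
    Folded lines (a continuation line starts with one space) are joined first;
    base64 ("::") values are not handled."""
    entry: dict[str, list[str]] = {}
    for line in re.sub(r"\n ", "", text).splitlines():
        name, sep, value = line.partition(":")
        if sep and not line.startswith("#"):
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def first(entry: dict[str, list[str]], attr: str, default: str = "") -> str:
    """First value of an attribute, or the default when it is absent."""
    values = entry.get(attr.lower())
    return values[0] if values else default

def log_is_enabled(path: str, enabled_flag: str) -> bool:
    """The four-row table as one rule: logging happens only when the log
    attribute holds a path AND the -logging-enabled flag is on."""
    return bool(path.strip()) and enabled_flag.strip().lower() == "on"

def rotation_is_configured(maxlogsperdir: str, rotationtime: str) -> bool:
    """Same order as the server: a maxlogsperdir of 1 means no rotation;
    otherwise a rotationtime of -1 means no rotation."""
    try:
        return int(maxlogsperdir) > 1 and int(rotationtime) != -1
    except ValueError:
        return False

NAMES = {0: "none", 1: "execute", 2: "write", 3: "write+execute", 4: "read",
         5: "read+execute", 6: "read+write", 7: "read+write+execute"}

def describe_mode(mode: str) -> dict[str, str]:
    """Decode a three-digit octal log mode into owner/group/everyone rights."""
    if not re.fullmatch(r"[0-7]{3}", mode):
        raise ValueError(f"log mode must be three octal digits, got {mode!r}")
    owner, group, everyone = (NAMES[int(d)] for d in mode)
    return {"owner": owner, "group": group, "everyone": everyone}

def mode_findings(mode: str) -> list[str]:
    """The two pitfalls the reference warns about for the log mode."""
    describe_mode(mode)  # validates the format
    if mode == "000":
        return ["mode 000 allows no access to the log at all"]
    if int(mode[2]) & 2:  # write bit set in the 'everyone' digit
        return ["world-writable log: anyone can overwrite or delete it"]
    return []

def audit_config(ldif_text: str) -> list[str]:
    """Return findings for a cn=config entry; an empty list means all clear."""
    cfg = parse_ldif_entry(ldif_text)
    findings: list[str] = []
    if first(cfg, "nsslapd-accesscontrol", "on").lower() != "on":
        findings.append("nsslapd-accesscontrol is off: any successful bind, "
                        "including an anonymous one, gets full access")
    for log in ("accesslog", "auditlog"):
        path = first(cfg, f"nsslapd-{log}")
        flag = first(cfg, f"nsslapd-{log}-logging-enabled", "off")
        if not log_is_enabled(path, flag):
            findings.append(f"{log} disabled (path={path!r}, logging-enabled={flag!r})")
        if not rotation_is_configured(first(cfg, f"nsslapd-{log}-maxlogsperdir", "1"),
                                      first(cfg, f"nsslapd-{log}-logrotationtime", "-1")):
            findings.append(f"{log}: no rotation configured, the file will grow indefinitely")
        findings += [f"{log}: {f}" for f in mode_findings(first(cfg, f"nsslapd-{log}-mode", "600"))]
    return findings

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG_LDIF):
        print("FINDING:", finding)
```

To run it against a real server, replace SAMPLE_CONFIG_LDIF with the saved output of the ldapsearch command (bound as Directory Manager, with the correct port). With the constructed sample it reports three findings, all on the audit log: it is disabled, it is never rotated because maxlogsperdir is 1, and its mode 666 lets anyone overwrite or delete it.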
This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitation of the security subsystem certificate mapping, configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. For further information, see chapter 11, "Managing SSL and SASL," in the Netscape Directory Server Administrator's Guide.
Specifies the connection table size, which determines the total number of connections supported by the server.
On Windows 2000, the default value is 4093, a prime number, to hash into the table. On UNIX, the default value is the system's maximum number of descriptors, which can be configured using the nsslapd-maxdescriptors (Maximum File Descriptors) attribute.
Consider increasing the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the following message is written to the Directory Server's error log file: Not listening for new connections -- too many fds open.
Specifies whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Controls whether quoting in the objectclasses attributes contained in the cn=schema entry will conform to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the objectclasses attributes contained in cn=schema. RFC 2252 indicates that this value should not be quoted.
That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
However, RFC 2252 indicates that this attribute should be published as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
Notice the absence of single quotes around the word top.
Turning this attribute on will cause the Directory Server Resource Kit LDAP clients no longer to function, as they require the schema as defined in RFC 2252.
Turning this attribute off causes the Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients. Specifically, any client written using the Netscape Java LDAP SDK 4.x will no longer be able to correctly read and modify schema. This includes the 4.x version of the Netscape Console. Please note that turning this attribute on or off does not affect current versions of Netscape Console.
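The two published forms above differ only in the quoting of the SUP value. The following Python parser is an added example, not code from this reference or from the product: it reads an objectclasses value in either form, reports whether the superior class is quoted, and converts between the two forms so a client can normalize the schema it reads regardless of the server's setting. The two sample definitions are the ones printed above.

```python
"""Parse an objectclasses value as the Directory Server publishes it in cn=schema
and report whether the superior class (SUP) is quoted (the pre-RFC 2252 form) or
bare (the RFC 2252 form). Added example, not code from the reference or the
product; the two sample definitions are the ones the reference shows."""
from __future__ import annotations

import re

PUBLISHED_QUOTED = ("( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' "
                    "MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso "
                    "$ telephonenumber $ userpassword ) )")
RFC2252_FORM = PUBLISHED_QUOTED.replace("SUP 'top'", "SUP top")

def _oid_list(body: str, keyword: str) -> list[str]:
    """Values of a MUST/MAY clause: either ( a $ b $ c ) or a single bare name."""
    m = re.search(rf"\b{keyword}\s+\(\s*([^)]*?)\s*\)", body)
    if m:
        return [t.strip() for t in m.group(1).split("$") if t.strip()]
    m = re.search(rf"\b{keyword}\s+([^\s()']+)", body)
    return [m.group(1)] if m else []

def parse_objectclass(definition: str) -> dict:
    """Split an objectclass description into its fields; 'sup_quoted' records
    whether the SUP value carried single quotes."""
    body = definition.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError("objectclass definition must be enclosed in parentheses")
    body = body[1:-1].strip()
    name = re.search(r"\bNAME\s+'([^']*)'", body)
    desc = re.search(r"\bDESC\s+'([^']*)'", body)
    # group 1 is the optional opening quote; \1 requires the matching closing one
    sup = re.search(r"\bSUP\s+('?)([^\s'()]+)\1", body)
    return {
        "oid": body.split()[0],
        "name": name.group(1) if name else None,
        "desc": desc.group(1) if desc else None,
        "sup": sup.group(2) if sup else None,
        "sup_quoted": bool(sup and sup.group(1)),
        "must": _oid_list(body, "MUST"),
        "may": _oid_list(body, "MAY"),
    }

def to_rfc2252(definition: str) -> str:
    """Remove the quotes around the SUP value, which is all that switching the
    quoting attribute off changes in the published schema."""
    return re.sub(r"\bSUP\s+'([^']+)'", r"SUP \1", definition)

def to_quoted(definition: str) -> str:
    """Inverse: add quotes around a bare SUP value (the 4.x-compatible form).
    Leaves an already quoted value untouched."""
    return re.sub(r"\bSUP\s+([^\s'()]+)", r"SUP '\1'", definition)
```

A client that must work against servers in either state can call to_rfc2252 on every objectclasses value it reads and then parse the normalized text; the parser itself accepts both forms, so the conversion is only needed when the text is handed on to a stricter consumer.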
Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they will contain informative conditions such as these:
This log will contain differing amounts of information depending on the current setting of the Log Level attribute. See nsslapd-errorlog-level (Error Log Level), for more information.
Example: nsslapd-errorlog: /usr/netscape/servers/slapd-phonebook/logs/error
For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
| nsslapd-errorlog-logging-enabled | nsslapd-errorlog | Error logging |
| on | empty string | Disabled |
| on | valid path and filename | Enabled |
| off | empty string | Disabled |
| off | valid path and filename | Disabled |
Specifies the level of logging to be used by the Directory Server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed.
To turn logging off, remove the nsslapd-errorlog-level attribute from dse.ldif and restart the Directory Server.
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
Specifies the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
Turns error logging on and off.
Syntax: DirectoryString
Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
Valid range: -1 or 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size.
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
Specifies whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, such as midnight to midnight everyday. This makes analysis of the log files much easier because they then map directly to the calendar.
For error log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate error log files everyday at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attributes to 0.
Specifies the hour of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes.
Specifies the minute of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.
Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.
Although it is not recommended for performance reasons to specify no log rotation, as the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-errorlog-maxlogsperdir attribute value to 1 or the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files) for more information.
Valid range: -1 or 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between error log file rotations is unlimited.
Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log will never expire.
Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated, and the server starts writing log information to a new log file. If you set nsslapd-errorlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
Valid range: -1 or 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log, and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-errorlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1, then there is no log rotation. See nsslapd-errorlog-logrotationtime (Error Log Rotation Time) for more information.
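The rotation and retention rules described for the error log (maxlogsperdir checked first, then logrotationtime, maxlogsize, logexpirationtime, logmaxdiskspace and logminfreediskspace), as an added model that is not part of the Netscape documentation and can be run against a candidate configuration. Sizes are in MB, ages and elapsed times in the configured time units, and the sample log sets are constructed; it assumes the newest file is the live log and is never pruned, and that size-based rotation applies whenever maxlogsperdir is greater than 1.

```python
# Added example, not part of the Netscape documentation: a model of the
# error-log rotation and retention rules described in the attribute text.
# Assumptions: the newest file is the live log and is never pruned, and
# size-based rotation applies whenever nsslapd-errorlog-maxlogsperdir > 1.
from dataclasses import dataclass
from typing import List, Tuple

UNLIMITED = -1


@dataclass
class ErrorLogConfig:
    maxlogsperdir: int = 1                 # nsslapd-errorlog-maxlogsperdir
    logrotationtime: int = UNLIMITED       # nsslapd-errorlog-logrotationtime (units)
    maxlogsize: int = UNLIMITED            # nsslapd-errorlog-maxlogsize (MB)
    logexpirationtime: int = UNLIMITED     # nsslapd-errorlog-logexpirationtime (units)
    logmaxdiskspace: int = UNLIMITED       # nsslapd-errorlog-logmaxdiskspace (MB)
    logminfreediskspace: int = UNLIMITED   # nsslapd-errorlog-logminfreediskspace (MB)


def rotation_enabled(cfg: ErrorLogConfig) -> bool:
    """maxlogsperdir is checked first; only when it is > 1 do the other limits matter."""
    if cfg.maxlogsperdir <= 1:
        return False
    return cfg.logrotationtime != UNLIMITED or cfg.maxlogsize != UNLIMITED


def should_rotate(cfg: ErrorLogConfig, current_size_mb: float, elapsed_units: float) -> bool:
    """Rotate when the time interval is up regardless of size, or when the size cap is hit."""
    if cfg.maxlogsperdir <= 1:
        return False                       # maxlogsize and logrotationtime are ignored
    by_time = cfg.logrotationtime != UNLIMITED and elapsed_units >= cfg.logrotationtime
    by_size = cfg.maxlogsize != UNLIMITED and current_size_mb >= cfg.maxlogsize
    return by_time or by_size


# A log file is (age_in_units, size_mb); prune() sorts the set itself.
LogSet = List[Tuple[float, float]]


def prune(cfg: ErrorLogConfig, logs: LogSet, free_disk_mb: float) -> LogSet:
    """Delete the oldest files until the count, age, disk-space and free-space limits hold."""
    logs = sorted(logs, key=lambda f: f[0], reverse=True)   # oldest (largest age) first
    live = logs[-1:]                                         # newest file is never removed
    old = logs[:-1]
    # 1. More files than maxlogsperdir: drop the oldest.
    while old and len(old) + len(live) > cfg.maxlogsperdir:
        free_disk_mb += old.pop(0)[1]
    # 2. Files older than the expiration age are deleted.
    if cfg.logexpirationtime != UNLIMITED:
        kept = []
        for age, size in old:
            if age > cfg.logexpirationtime:
                free_disk_mb += size
            else:
                kept.append((age, size))
        old = kept
    # 3. Total size above logmaxdiskspace: drop the oldest until it fits.
    if cfg.logmaxdiskspace != UNLIMITED:
        while old and sum(s for _, s in old + live) > cfg.logmaxdiskspace:
            free_disk_mb += old.pop(0)[1]
    # 4. Free disk below logminfreediskspace: drop the oldest until satisfied.
    if cfg.logminfreediskspace != UNLIMITED:
        while old and free_disk_mb < cfg.logminfreediskspace:
            free_disk_mb += old.pop(0)[1]
    return old + live


if __name__ == "__main__":
    # Constructed set: three rotated files plus the live log, 3-file cap.
    cfg = ErrorLogConfig(maxlogsperdir=3, logrotationtime=1)
    print(prune(cfg, [(10, 20), (5, 20), (2, 20), (0, 5)], free_disk_mb=1000))
```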
Specifies the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000 to 777, since they mirror numbered or absolute UNIX file permissions. That is, the value must be a 3-digit number, each digit varying from 0 through 7:
0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, keep in mind that 000 will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode will only affect new logs that are created; the mode will be set when the log rotates to a new file.
Specifies the number of levels of nesting that the access-control system will perform for group evaluation.
The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to specify the number of levels of nesting that access control will perform for group evaluation. Instead, the number of levels of nesting is hardcoded as 5.
Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections. You can use the nsIdleTimeout operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see "Setting Resource Limits Based on the Bind DN" in the Netscape Directory Server Administrator's Guide.
Specifies the full path to the directory where this server instance is installed. The serverID from installation time is the default ID.
Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Specifies whether the Directory Server maintains the modification attributes for Directory Server entries. These attributes include:
Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.
This read-only attribute specifies the host machine on which the Directory Server runs.
Applicable to Directory Server installations on Unix machines.
Specifies the user that the Directory Server runs as. The group that the user runs as is derived from this attribute by examining the groups of which the user is a member. Should the user change, then all the files in the installation directory will need to be owned by this user.
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than two megabytes, then the add request is denied. Care should be taken when changing this attribute, and we recommend contacting Netscape Professional Services before doing so.
Valid range: 0 - 2GB (2,147,483,647 bytes), where a value of 0 indicates that the default value should be used.
Not applicable to Directory Server installations on Windows and AIX machines.
This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server and for some server activities, such as index maintenance. The number of available file descriptors for TCP/IP connections is the total for the nsslapd-maxdescriptors attribute minus the number of file descriptors used by the server as specified in the nsslapd-reservedescriptors attribute for non-client connections, such as index management and managing replication. [See nsslapd-reservedescriptors (Reserved File Descriptors)].
The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number will differ depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process. See your operating-system documentation for details on file descriptor limits and configuration. The dsktune program (explained in the Netscape Directory Server Installation Guide) can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. You should consider increasing the value on this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:
Not listening for new connections -- too many fds open
Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations. This attribute is not available from the server console.
When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies; namely, the sending of data is delayed in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for Ethernet).
This attribute limits the I/O wait time for all outbound LDAP connections. The default is 300000 milliseconds (5 minutes). A value of 0 indicates that the server will impose no limit on I/O wait time.
This read-only attribute lists the syntaxes and matching rules loaded by the server.
TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port, you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. On UNIX systems, specifying a port number of less than 1024 requires the Directory Server to run as root.
If you are changing the port number for a configuration directory, you must also update the corresponding Server Instance Entry in the configuration directory. Note that you need to restart the server for the port number change to be taken into account.
Contains the list of the private naming contexts cn=config, cn=schema, and cn=monitor.
Turns fine-grained (subtree- and user-level) password policy on and off.
If this attribute has a value off, all entries (except for cn=Directory Manager) in the directory will be subjected to the global password policy; the server will ignore any defined subtree/user level password policy.
If this attribute has a value on, the server will check for password policies at the subtree- and user-level and enforce those policies.
Specifies whether the whole server is in read-only mode, meaning that neither data in the database(s) nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
This multi-valued attribute specifies the LDAP URL(s) to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, assume the database contains only entries:
but the request is for this entry:
In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a database that contains the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.
If you want to use SSL and TLS communications, the referral attribute should be in the following form: ldaps://server-location. Start TLS does not support referrals.
For more information on managing referrals, see chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.
Valid values: any valid LDAP URL in the following format: ldaps://server-location
When set, this attribute will send back the referral for any request on any suffix.
Valid values: any valid LDAP URL in the following format: ldap://server-location
Not applicable to Directory Server installations on Windows and AIX machines.
This read-only attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections [see nsslapd-maxdescriptors (Maximum File Descriptors)].
Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true:
Increasing the value on this attribute may result in more LDAP clients being unable to access your directory. Therefore, when you increase the value on this attribute, you should also increase the value on the nsslapd-maxdescriptors attribute. Note that you may not be able to increase the nsslapd-maxdescriptors value if your server is already using the maximum number of file descriptors that your operating system allows a process to use (see your operating system documentation for details). If this is the case, then reduce the load on your server by causing LDAP clients to search alternative directory replicas.
To assist you in computing the number of file descriptors you set for this attribute, we suggest you use the following formula:
nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex + ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
| NldbmBackends | Number of ldbm databases. |
| NglobalIndex | Total number of configured indexes for all databases, including system indexes (by default 8 system indexes and 17 additional indexes per database). |
| ReplicationDescriptor | NSupplierReplica + 8, where NSupplierReplica is the number of replicas in the server that can act as a supplier (hub or supplier). |
| ChainingBackendDescriptors | NchainingBackend * nsOperationConnectionsLimit, where nsOperationConnectionsLimit is configurable in the database link (chaining) configuration and is 10 by default. |
| PTADescriptors | 3 if PTA is configured, 0 if PTA is not configured. |
| SSLDescriptors | 5 (4 files + 1 listen socket) if SSL is configured, 0 if SSL is not configured. |
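The formula above applied in code, as an added example that is not part of the Netscape documentation: it computes the suggested nsslapd-reservedescriptors value term by term, derives the descriptors left for client connections under nsslapd-maxdescriptors, and flags the two conditions the text warns about (exceeding the OS per-process limit, and running out of client descriptors). Reading the index term as 8 system plus 17 additional indexes per database is an assumption; substitute your real index count.

```python
# Added example, not part of the Netscape documentation: applies the
# nsslapd-reservedescriptors formula and checks the descriptor budget
# against nsslapd-maxdescriptors and the OS per-process limit.
# Assumption: NglobalIndex = databases * (8 system + 17 additional indexes).
from dataclasses import dataclass
from typing import List

BASE_RESERVED = 20                 # fixed term in the formula
PER_LDBM_BACKEND = 4               # NldbmBackends * 4
SYSTEM_INDEXES_PER_DB = 8          # default system indexes
EXTRA_INDEXES_PER_DB = 17          # default additional indexes per database
REPLICATION_BASE = 8               # ReplicationDescriptor = NSupplierReplica + 8
PTA_DESCRIPTORS = 3                # when pass-through authentication is configured
SSL_DESCRIPTORS = 5                # 4 files + 1 listen socket when SSL is configured
FD_EXHAUSTED_MESSAGE = "Not listening for new connections -- too many fds open"


@dataclass
class ServerShape:
    """Inputs to the formula for one Directory Server instance."""
    ldbm_backends: int
    supplier_replicas: int = 0             # NSupplierReplica (hub or supplier replicas)
    chaining_backends: int = 0             # NchainingBackend
    operation_connections_limit: int = 10  # nsOperationConnectionsLimit, 10 by default
    pta_configured: bool = False
    ssl_configured: bool = False
    indexes_per_db: int = SYSTEM_INDEXES_PER_DB + EXTRA_INDEXES_PER_DB


def reserved_descriptors(shape: ServerShape) -> int:
    """Suggested nsslapd-reservedescriptors value, term by term from the formula."""
    n_global_index = shape.ldbm_backends * shape.indexes_per_db
    replication = shape.supplier_replicas + REPLICATION_BASE
    chaining = shape.chaining_backends * shape.operation_connections_limit
    pta = PTA_DESCRIPTORS if shape.pta_configured else 0
    ssl = SSL_DESCRIPTORS if shape.ssl_configured else 0
    return (BASE_RESERVED + shape.ldbm_backends * PER_LDBM_BACKEND
            + n_global_index + replication + chaining + pta + ssl)


def client_descriptors(maxdescriptors: int, reserved: int) -> int:
    """Descriptors left for LDAP client connections: maxdescriptors minus reserved."""
    return max(maxdescriptors - reserved, 0)


def check_descriptor_budget(maxdescriptors: int, os_process_limit: int,
                            shape: ServerShape, expected_peak_clients: int) -> dict:
    """Return the computed values plus the findings an administrator should act on."""
    reserved = reserved_descriptors(shape)
    available = client_descriptors(maxdescriptors, reserved)
    findings: List[str] = []
    if maxdescriptors > os_process_limit:
        findings.append("nsslapd-maxdescriptors exceeds the OS per-process file descriptor "
                        "limit; raise the OS limit (see dsktune) or lower the attribute")
    if available < expected_peak_clients:
        findings.append("only %d descriptors left for clients against an expected peak of %d; "
                        "expect '%s' in the error log"
                        % (available, expected_peak_clients, FD_EXHAUSTED_MESSAGE))
    return {"reserved": reserved, "available": available, "findings": findings}


if __name__ == "__main__":
    # Constructed shape: one ldbm backend, one supplier replica, SSL enabled.
    shape = ServerShape(ldbm_backends=1, supplier_replicas=1, ssl_configured=True)
    print(check_descriptor_budget(maxdescriptors=1024, os_process_limit=1024,
                                  shape=shape, expected_peak_clients=500))
```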
Returns the exact case of attribute type names as requested by the client. Some client applications require attribute names to match exactly the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server as the result of a search or modify operation. However, most client applications ignore the case of attributes; therefore, by default, this attribute is disabled. Do not modify it unless you have legacy clients that can check the case of attribute names in results returned from the server.
Specifies the distinguished name (DN) of an entry that is not subject to access-control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general. The attributes nsslapd-sizelimit, nsslapd-timelimit, and nsslapd-schemacheck do not apply to this DN, either.
For information on changing the root DN, see chapter 2, "Creating Directory Entries," in the Netscape Directory Server Administrator's Guide.
Allows you to specify the password associated with the Manager DN. When you provide the root password, it will be encrypted according to the encryption method you selected for nsslapd-rootpwstoragescheme (Root Password Storage Scheme). When viewed from the server console, this attribute shows the value:
*****
When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. Note that the example below is what you view, not what you type.
Valid values: any valid password encrypted by any one of the encryption methods described in passwordStorageScheme (Password Storage Scheme).
Available only from the server console. This attribute indicates the encryption method used for the root password.
Valid values: any encryption method described in passwordStorageScheme (Password Storage Scheme).
Ignores trailing spaces in object class names. By default, the attribute is turned off. If your directory contains entries with object class values that end in one or more spaces, you should turn this attribute on. (It is preferable to remove the trailing spaces, because the LDAP standards do not allow them.)
For performance reasons, a server restart is required for changes to take effect.
Previous releases of Directory Server (6.0, 6.01, 6.02, 6.1, and 6.11) allowed object classes that included trailing spaces to be added to entries. In current releases of the server, an error is returned by default when such an object class is used. Additionally, during operations such as add, modify, and import (when object classes are expanded and missing superiors are added) trailing spaces are ignored, if appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces is on, a value such as top will not be added if top is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
Specifies whether the database schema will be enforced during entry insertion or modification. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. You can extend the default schema using the object classes and attribute types. For information on how to extend your schema using the Directory Server Console, see chapter 9, "Extending the Directory Schema," in the Netscape Directory Server Administrator's Guide.
Determines whether modify operations that replace attribute values are allowed on the cn=schema entry.
Allows multiple Directory Server instances to run, using secure SSL/TLS connections, on a multihomed machine or makes it possible to limit listening to one interface of a multihomed machine. Provide the hostname that corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.
TCP/IP port number used for SSL/TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. For UNIX systems, specifying a port number of less than 1024 requires that Directory Server runs as root.
The default value 636 is only used if the server has been configured with a private key and a certificate; otherwise, it does not listen on this port.
Specifies whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to on, if you want secure connections.
Specifies the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.
When no limit is set, ns-slapd will return every matching entry to the client regardless of the number found. To set a no limit value whereby the Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file.
This limit applies to everyone, regardless of their organization.
Specifies whether an SSL-enabled Directory Server (with certificate based client authentication turned on) should verify authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name in the certificate being presented. By default, the attribute is set to off. If it is on and if the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged. For example, in a replicated environment, messages similar to these are logged in the supplier server's log files if it finds that the peer server's hostname doesn't match the name specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=to ultra60 client auth" (ultra60:1924): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
It is recommended that you turn this attribute on to protect Directory Server's outbound SSL connections against a Man In The Middle (MITM) attack.
Defines the number of operation threads that the Directory Server will create during startup. The nsslapd-threadnumber value should be increased if you have many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches. This attribute is not available from the server console.
Specifies the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
When no limit is set, ns-slapd will return every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server will wait indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.
Valid range: -1 to the maximum 32 bit integer value (2147483647) in seconds
Indicates whether users may change their passwords.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user's name or user ID or any attribute value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates whether user passwords will expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of seconds after which the password will expire using the passwordMaxAge attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled, and users can reuse passwords. If you set this attribute to on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. You set the number of old passwords the Directory Server stores using the passwordInHistory attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled, meaning that the Directory Server does not store any old passwords, and, so, users can reuse passwords. You can enable password history by using the passwordHistory attribute.
To prevent users from rapidly cycling through the number of passwords that you are tracking, use the passwordMinAge attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the passwordMaxFailure attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates the amount of time in seconds during which users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the passwordLockout attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Valid range: 1 to the maximum 32 bit integer value (2147483647) in seconds
Indicates the number of seconds after which user passwords will expire. To use this attribute, you must enable password expiration using the passwordExp attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Valid range: 1 to the maximum 32 bit integer value (2147483647) in seconds
Indicates the number of failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the passwordLockout attribute.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (Number of Passwords to Remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) indicates that the user can change the password immediately.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack, so you are recommended to set a password length of at least 6 or 7 characters. This is long enough to be difficult to crack but short enough that users can remember the password without writing it down.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates whether users must change their passwords when they first bind to the Directory Server or when the password has been reset by the Manager DN.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates the amount of time in seconds after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users will be locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration attribute, the failure counter is reset to zero (0).
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Valid range: 1 to the maximum 32 bit integer value (2147483647) in seconds
Specifies the type of encryption used to store Directory Server passwords. A value of CLEAR for this attribute indicates that the password will be stored in plain text.
The following encryption types are supported by the Directory Server:
You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Indicates whether users will be locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. If this passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account will be locked indefinitely.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
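The account-lockout behaviour described under passwordLockout, passwordMaxFailure, passwordResetFailureCount, passwordLockoutDuration and passwordUnlock, as an added model that is not Netscape's code, useful for checking what a candidate policy does against a run of failed binds before deploying it. All timestamps are constructed; two details are assumptions: the failure counter restarts when passwordResetFailureCount seconds have passed since the first failure of the current run, and the bind that triggers the lockout still receives an invalid-credentials result.

```python
# Added example, not part of the Netscape documentation: a model of the
# account-lockout attributes (passwordLockout, passwordMaxFailure,
# passwordResetFailureCount, passwordLockoutDuration, passwordUnlock).
# Assumptions: the counter restarts passwordResetFailureCount seconds after
# the first failure of the run, and the triggering bind gets
# "invalid_credentials" rather than "locked".
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PasswordPolicy:
    lockout: bool = False            # passwordLockout
    max_failure: int = 3             # passwordMaxFailure
    reset_failure_count: int = 600   # passwordResetFailureCount (seconds)
    lockout_duration: int = 3600     # passwordLockoutDuration (seconds)
    unlock: bool = True              # passwordUnlock


@dataclass
class AccountState:
    retry_count: int = 0
    first_failure_at: Optional[float] = None
    # None: not locked; 0: locked indefinitely (passwordUnlock off);
    # otherwise the time at which the lockout ends (accountUnlockTime).
    account_unlock_time: Optional[float] = None


def _clear_failures(state: AccountState) -> None:
    state.retry_count = 0
    state.first_failure_at = None


def bind(policy: PasswordPolicy, state: AccountState, now: float, password_ok: bool) -> str:
    """Apply one bind attempt; returns 'success', 'invalid_credentials' or 'locked'."""
    if state.account_unlock_time is not None:
        if state.account_unlock_time == 0 or now < state.account_unlock_time:
            return "locked"
        # The lockout duration has elapsed: the account is usable again.
        state.account_unlock_time = None
        _clear_failures(state)
    if password_ok:
        _clear_failures(state)
        return "success"
    # Failed bind: start a new counting run if the reset time has passed.
    if (state.first_failure_at is None
            or now - state.first_failure_at >= policy.reset_failure_count):
        _clear_failures(state)
        state.first_failure_at = now
    state.retry_count += 1
    if policy.lockout and state.retry_count >= policy.max_failure:
        state.account_unlock_time = (now + policy.lockout_duration) if policy.unlock else 0
    return "invalid_credentials"


def simulate(policy: PasswordPolicy,
             attempts: List[Tuple[float, bool]]) -> Tuple[List[str], AccountState]:
    """Run a sequence of (time, password_ok) attempts from a fresh account state."""
    state = AccountState()
    return [bind(policy, state, t, ok) for t, ok in attempts], state


if __name__ == "__main__":
    policy = PasswordPolicy(lockout=True, max_failure=3)
    # Constructed burst: three bad passwords, a fourth attempt while locked,
    # then the correct password after the lockout duration has elapsed.
    outcomes, _ = simulate(policy, [(0, False), (10, False), (20, False),
                                    (30, False), (3700, True)])
    print(outcomes)
```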
Indicates the number of seconds before a user's password is due to expire that the user will receive a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
For more information on password policies, see chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
Valid values: 1 to the maximum 32-bit integer value (2147483647) in seconds
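As an added example (not code from the Netscape documentation), the following Python model applies the failure-counter, lockout and expiry-warning rules described above to a sequence of failed binds. Attribute names beyond those in the text (passwordMaxFailure, passwordResetFailureCount) are the standard policy attributes and are assumed here; timestamps are epoch seconds.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class PasswordPolicy:
    """cn=config password-policy settings (names assumed from the standard attributes)."""
    lockout: bool = True              # passwordLockout
    max_failure: int = 3              # passwordMaxFailure
    reset_failure_count: int = 600    # passwordResetFailureCount, seconds
    lockout_duration: int = 3600      # passwordLockoutDuration, seconds
    unlock: bool = True               # passwordUnlock
    warning: int = 86400              # passwordWarning, seconds


@dataclass
class AccountState:
    """Per-entry operational state, modelled with epoch seconds."""
    failure_count: int = 0
    last_failure_at: Optional[int] = None
    locked_at: Optional[int] = None
    account_unlock_time: int = 0      # accountUnlockTime; 0 means indefinite


def is_locked(state: AccountState, now: int) -> bool:
    if state.locked_at is None:
        return False
    if state.account_unlock_time == 0:
        return True            # passwordUnlock off: only an administrator reset clears it
    return now < state.account_unlock_time


def record_failed_bind(policy: PasswordPolicy, state: AccountState, now: int) -> AccountState:
    """Apply one invalid-password bind received at time `now`."""
    if state.locked_at is not None and not is_locked(state, now):
        state.locked_at = None       # timed lockout has expired; start afresh
        state.failure_count = 0
    if (state.last_failure_at is not None
            and now - state.last_failure_at > policy.reset_failure_count):
        state.failure_count = 0      # reset window elapsed, counter goes back to zero
    state.failure_count += 1
    state.last_failure_at = now
    if (policy.lockout and state.locked_at is None
            and state.failure_count >= policy.max_failure):
        state.locked_at = now
        state.account_unlock_time = now + policy.lockout_duration if policy.unlock else 0
    return state


def admin_reset_password(state: AccountState) -> AccountState:
    """An administrator password reset clears the lock and the counter."""
    state.failure_count = 0
    state.last_failure_at = None
    state.locked_at = None
    state.account_unlock_time = 0
    return state


def expiry_warning_seconds(policy: PasswordPolicy, expires_at: int, now: int) -> Optional[int]:
    """Seconds remaining if an expiration warning is due on the next operation, else None."""
    remaining = expires_at - now
    return remaining if 0 < remaining <= policy.warning else None
```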
Multi-master replication change log configuration entries are stored under the cn=changelog5 entry. The change log behaves much like a database, and it has many of the attributes also used by the ldbm databases. The change log entry supports the following attributes with the same meaning as for databases:
The default values for the cache-related memory parameters (tuned for a single backend replicated to a single consumer) are as follows:
nsslapd-cachesize: 3000 (3000 entries)
nsslapd-cachememsize: 10000000 (10 MB)
When more backends are replicated or when you need to replicate one backend to more than one consumer, consider tuning the parameters as follows:
nsslapd-cachesize = 2000 * #repl_agreements_initiated_from_this_server
nsslapd-cachememsize = 5000000 * #repl_agreements_initiated_from_this_server
Also, the relationship between the values assigned to the nsslapd-dbcachesize and nsslapd-cachememsize parameters should be the same as the relationship that is described in the database-tuning section.
The cn=changelog5,cn=config entry is an instance of the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry.
It is worth noting that two different types of change logs are maintained by Directory Server. The first type, which is stored here and referred to as changelog, is used by multi-master replication; the second change log, which is actually a plug-in and referred to as the retro changelog, is intended for use by Netscape Meta Directory. See section Retro Changelog Plug-in in chapter 3 for further information regarding the Retro Changelog Plug-in. Multi-master replication change log attributes are presented in this section.
This required attribute specifies the name of the directory in which the change log database will be created. Whenever a change log configuration entry is created, it must contain a valid directory; otherwise, the operation will be rejected. The GUI proposes by default that this database be stored under:
serverRoot/slapd-serverID/changelogdb
For performance reasons, you will probably want to store this database on a different physical disk.
Example: nsslapd-changelogdir: /usr/netscape/servers/slapd-phonebook/changelogdb
Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed. If this attribute is absent, there is no age limit on change log records. For information on the change log, see nsslapd-changelogdir.
Valid values: 0 (meaning that entries are not removed according to their age) to maximum 32-bit integer (2147483647)
Syntax: an integer followed by AgeID, where AgeID is s for seconds, m for minutes, h for hours, d for days, and w for weeks
Specifies the maximum number of records the change log may contain. If this attribute is absent, there is no maximum number of records the change log can contain. For information on the change log, see nsslapd-changelogdir.
Valid values: 0 (meaning that the only maximum limit is the disk size) to maximum 32-bit integer (2147483647)
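As an added example (not from the Netscape documentation), this Python code parses nsslapd-changelogmaxage values in the IntegerAgeID syntax and nsslapd-changelogmaxentries values, then applies both limits to a constructed set of change log records. It assumes a bare integer counts as seconds and that the oldest records are the ones trimmed when the entry limit is exceeded.

```python
import re

# AgeID suffixes from the nsslapd-changelogmaxage syntax, expressed in seconds
AGE_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MAX_INT32 = 2147483647


def parse_changelog_maxage(value):
    """Return the nsslapd-changelogmaxage limit in seconds; 0 means no age limit.
    An absent attribute (None) is treated as no limit, as the reference text states."""
    if value is None:
        return 0
    m = re.fullmatch(r"\s*(\d+)([smhdw])?\s*", value)
    if not m:
        raise ValueError(f"bad nsslapd-changelogmaxage value: {value!r}")
    n = int(m.group(1))
    if n > MAX_INT32:
        raise ValueError(f"value {n} exceeds the 32-bit integer range")
    unit = m.group(2) or "s"      # assumption: a bare integer counts as seconds
    return n * AGE_UNITS[unit]


def parse_changelog_maxentries(value):
    """Return nsslapd-changelogmaxentries; 0 or absent means only disk size limits the log."""
    n = 0 if value is None else int(value)
    if not 0 <= n <= MAX_INT32:
        raise ValueError(f"nsslapd-changelogmaxentries {n} out of range")
    return n


def trim_changelog(records, max_age, max_entries, now):
    """records: list of (sequence, timestamp_epoch) in sequence order (constructed data).
    Returns the records that survive trimming. Assumption: when the entry limit
    is exceeded, the oldest records are removed first."""
    kept = [r for r in records if max_age == 0 or now - r[1] <= max_age]
    if max_entries and len(kept) > max_entries:
        kept = kept[-max_entries:]
    return kept


# Constructed sample: five change log records, with "now" at 100000 epoch seconds
SAMPLE_NOW = 100_000
SAMPLE_RECORDS = [(1, 90_000), (2, 96_000), (3, 98_500), (4, 99_700), (5, 99_950)]

if __name__ == "__main__":
    age = parse_changelog_maxage("1h")
    print(trim_changelog(SAMPLE_RECORDS, age, parse_changelog_maxentries("2"), SAMPLE_NOW))
```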
Encryption related attributes are stored under the cn=encryption,cn=config entry. The cn=encryption,cn=config entry is an instance of the nsslapdEncryptionConfig object class. For encryption related attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Encryption configuration attributes are presented in this section.
Specifies the lifetime duration of an SSL session for both SSLv2 and SSLv3. The minimum timeout value is 5 seconds, and, if you enter a value below this, then it is automatically replaced by 5 seconds. Values outside the valid ranges are replaced by the default value of 100 seconds (SSLv2).
Default value: 0, which stands for 100 seconds if you are running SSLv2 and 24 hours if you are running SSLv3.
This multi-valued attribute specifies the set of encryption ciphers the Directory Server will use during SSL communications. For more information on the ciphers supported by the Directory Server, refer to chapter 11, "Managing SSL and SASL," in the Netscape Directory Server Administrator's Guide.
If you are using the Directory Server Console to set the cipher preferences, the values on the SSL 3.0 tab of the Cipher Preference dialog box correspond to the following:
Table 2-1 SSLv3 Ciphers
If you are using the Directory Server Console to set the cipher preferences, the values on the TLS tab of the Cipher Preference dialog box correspond to the following:
Table 2-2 TLS Ciphers
Configuration attributes for suffixes and replication are stored under cn=mapping tree,cn=config. Configuration attributes related to suffixes are found under the suffix subentry
cn="suffixName",cn=mapping tree,cn=config (for example, a suffixName may look like dc=example,dc=com)
Replication configuration attributes are stored under cn=replica,cn="suffixName",cn=mapping tree,cn=config with the replication agreement attributes under cn=replicationAgreementName,cn=replica,cn="suffixName",cn=mapping tree,cn=config.
Suffix configuration attributes are stored under the cn="suffixName" entry. The cn="suffixName" entry is an instance of the nsMappingTree object class, which inherits from the extensibleObject object class. For suffix configuration attributes to be taken into account by the server, these object classes (in addition to the top object class) must be present in the entry. Suffix configuration attributes are presented in this section.
Determines how the suffix handles operations.
Replication configuration attributes are stored under cn=replica,cn="suffixName",cn=mapping tree,cn=config. The cn=replica entry is an instance of the nsDS5Replica object class. For replication configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication configuration attributes are presented in this section. For further information regarding replication, see chapter 8, "Managing Replication," in the Netscape Directory Server Administrator's Guide.
This attribute allows you to specify replica properties you will have previously defined in flags. At present only one flag exists, which allows you to specify whether you log changes or not.
This multi-valued attribute specifies the DN to use when binding. Although you can have more than one value in this cn=replica entry, you can only have one supplier bind DN per replication agreement. The value can either be the DN of the local entry on the consumer server or, in the case of an SSL connection, the certificate identity associated with the same DN.
This read-only attribute informs you of the total number of entries in the change log, whether they still remain to be replicated or not. When the change log is purged, only the entries that are still to be replicated will be left. See nsDS5ReplicaPurgeDelay and nsDS5ReplicaTombstonePurgeInterval for more information regarding purge operation properties.
If this attribute is absent or has a value of false, then it means that the replica is not a legacy consumer.
This read-only attribute specifies the name of the replica with a unique identifier for internal operations. This unique identifier is allocated by the server when the replica is created. This attribute is destined for internal use only.
This multi-valued attribute specifies the period of time in seconds after which internal purge operations will be performed on the change log. When setting this attribute, ensure that the purge delay is longer than the longest replication cycle in your replication policy to avoid incurring conflict resolution problems and server divergence.
This multi-valued attribute specifies the user-defined referrals. This should only be defined on a consumer. User referrals are only returned when a client attempts to modify data on a read-only consumer.
Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified.
Specifies the time interval in seconds between purge operation cycles. When setting this attribute, remember that the purge operation is time-consuming.
The replication attributes that concern the replication agreement are stored under cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config. Like the cn=replica entry, the cn=ReplicationAgreementName entry is an instance of the nsDS5Replica object class. For replication agreement configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. Replication agreements are configured only on supplier replicas. The replication agreement configuration attributes are presented in this section.
Free form text description of the replication agreement. This attribute can be modified.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Example: description: Replication Agreement between Server A and Server B.
Specifies the DN to use when binding. The value of this attribute must be the same as the one in cn=replica on the consumer replica. This may be empty if certificate-based authentication is used. This can also be modified.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Specifies the method to use for binding. This attribute can be modified.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Specifies the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access. The default value is 3 seconds. If you set the attribute to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.
The nsDS5ReplicaBusyWaitTime attribute works in conjunction with the nsDS5ReplicaSessionPauseTime attribute. The two attributes are designed so that the nsDS5ReplicaSessionPauseTime interval will always be at least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can reaccess the consumer.
You can set the nsDS5ReplicaBusyWaitTime attribute at any time by using changetype:modify with the replace operation. The change takes effect for the next update session if one is already in progress.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This read-only attribute provides you with the number of changes sent to this replica since the server started.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Specifies the credentials for the bind DN (specified in the nsDS5ReplicaBindDN attribute) on the remote server containing the consumer replica. The value for this attribute can be modified. Please note that when certificate-based authentication is used, this attribute may not have a value. Please note that the example below is what you view, not what you type.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Valid values: Any valid password, which will then be encrypted using the DES reversible password encryption scheme.
Specifies the hostname for the remote server containing the consumer replica. Once this attribute has been set, it cannot be modified.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This optional, read-only attribute states when the initialization of the consumer replica ended.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This optional, read-only attribute states when the initialization of the consumer replica started.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This optional, read-only attribute provides status for the initialization of the consumer.
This read-only attribute states when the most recent replication schedule update ended.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This read-only attribute states when the most recent replication schedule update started.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Example: nsDS5ReplicaLastUpdateStart: YYYYMMDDhhmmssZ (20000902160000)
This read-only attribute provides the status for the most recent replication schedule updates.
Specifies the port number for the remote server containing the replica. Once this attribute has been set, it cannot be modified.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This read-only attribute specifies whether the background task that removes old tombstones (deleted entries) from the database is active. A value of zero (0) indicates that the task is inactive, and a value of 1 indicates that the task is active. If you try to set the value, the server will ignore the modify request.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Allows you to initialize your replica. This attribute is absent by default. However, if you add this attribute with a value of start, then the server will initialize the replica and remove the attribute value.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Specifies the DN at the root of a replicated area. This attribute must have the same value as the suffix of the database being replicated and cannot be modified.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Specifies the amount of time in seconds a supplier should wait between update sessions. The default value is 0. If you set the attribute to a negative value, Directory Server sends the client a message and an LDAP_UNWILLING_TO_PERFORM error code.
The nsDS5ReplicaSessionPauseTime attribute works in conjunction with the nsDS5ReplicaBusyWaitTime attribute. The two attributes are designed so that the nsDS5ReplicaSessionPauseTime interval will always be at least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. The longer interval gives waiting suppliers a better chance to gain consumer access before the previous supplier can reaccess the consumer.
When setting the values, ensure that the nsDS5ReplicaSessionPauseTime interval is at least 1 second longer than the interval specified for nsDS5ReplicaBusyWaitTime. You may increase the interval as needed until you reach an acceptable distribution of consumer access among the suppliers.
You can set the nsDS5ReplicaSessionPauseTime attribute at any time by using changetype:modify with the replace operation. The change takes effect for the next update session if one is already in progress.
If Directory Server has to reset the value of nsDS5ReplicaSessionPauseTime automatically, the value is changed internally only. The change is not visible to clients, and it is not saved to the configuration file. From an external viewpoint, the attribute value appears as originally set.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This attribute specifies the number of seconds outbound LDAP operations will wait for a response from the remote replica before timing out and failing. If you see "Warning: timed out waiting" messages in the error log file, then you should increase the value of this attribute.
You can find out the amount of time the operation actually lasted by examining the access log on the remote machine, and then set the nsDS5ReplicaTimeout attribute accordingly to optimize performance.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
Specifies the type of transport used for transporting data to and from the replica. The attribute values can either be SSL, which means that the connection is established over SSL, or LDAP, which means that regular LDAP connections are used. If this attribute is absent, then regular LDAP connections are used. This attribute cannot be modified once it is set.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This read-only attribute states whether or not a replication schedule update is in progress.
Entry DN: cn=ReplicationAgreementName,cn="suffixName",cn=mapping tree,cn=config
This multi-valued attribute specifies the replication schedule and can be modified.
Monitoring read-only information is stored under cn=monitor,cn=config. The cn=monitor entry is an instance of the extensibleObject object class. For cn=monitor configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. The cn=monitor read-only attributes are presented in this section.
Lists open connections given in the following format:
connection=31:20010201164808Z:45:45::cn=directory manager
where 31 is the connection number, 20010201164808Z is the date the connection was opened, 45 is the number of operations received, 45 is the number of completed operations, and cn=directory manager is the bind DN.
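As an added example (not from the Netscape documentation), this Python code parses cn=monitor connection values in the format just described and flags connections that are either long-lived or carry a backlog of uncompleted operations, which is a simple health check an operator might run over the output of a search against cn=monitor. The sample values are constructed; the fifth (empty) field is kept verbatim because the reference text does not describe it.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List


def parse_generalized_time(value: str) -> datetime:
    """Parse a GeneralizedTime value such as 20010201164808Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


@dataclass
class MonitorConnection:
    number: int
    opened: datetime
    ops_received: int
    ops_completed: int
    extra: str                # fifth field; not described in the reference text
    bind_dn: str              # empty for an anonymous bind


def parse_connection(value: str) -> MonitorConnection:
    """Parse one cn=monitor 'connection' value, e.g.
    connection=31:20010201164808Z:45:45::cn=directory manager"""
    if value.startswith("connection="):
        value = value[len("connection="):]
    parts = value.split(":", 5)     # the bind DN is last and may itself contain ':'
    if len(parts) != 6:
        raise ValueError(f"unexpected connection format: {value!r}")
    number, opened, received, completed, extra, bind_dn = parts
    return MonitorConnection(
        number=int(number),
        opened=parse_generalized_time(opened),
        ops_received=int(received),
        ops_completed=int(completed),
        extra=extra,
        bind_dn=bind_dn,
    )


def backlog(conn: MonitorConnection) -> int:
    """Operations received on the connection that have not yet completed."""
    return conn.ops_received - conn.ops_completed


def flag_connections(values: List[str], now: datetime,
                     max_age_s: int, max_backlog: int) -> List[int]:
    """Return the connection numbers open longer than max_age_s seconds
    or with more than max_backlog pending operations."""
    flagged = []
    for conn in map(parse_connection, values):
        age = (now - conn.opened).total_seconds()
        if age > max_age_s or backlog(conn) > max_backlog:
            flagged.append(conn.number)
    return flagged


# Constructed sample values in the format documented above
SAMPLE = [
    "connection=31:20010201164808Z:45:45::cn=directory manager",
    "connection=32:20010201120000Z:12:9::uid=app,ou=services,dc=example,dc=com",
    "connection=33:20010201164500Z:3:3::",          # anonymous bind, empty DN
]
```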
Number of connections where some requests are pending and not currently being serviced by a thread in Directory Server.
Current time usually given in Greenwich Mean Time (indicated by GeneralizedTime syntax Z notation; for example, 20010202131102Z).
DN for each Directory Server backend. For further information on monitoring the database, see these sections:
No attributes to document. When configuring legacy replication, it will be stored under this cn=replication node, which serves as a placeholder.
SNMP configuration attributes are stored under cn=SNMP,cn=config. The cn=SNMP entry is an instance of the nsSNMP object class. For SNMP configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. SNMP configuration attributes are presented in this section.
Specifies the location within the company or organization where the Directory Server resides.
Specifies the email address of the person responsible for maintaining the Directory Server.
This mandatory attribute specifies the hostname of the machine on which the master agent is installed. For UNIX only.
The uniqueid generator configuration attributes are stored under cn=uniqueid generator,cn=config. The cn=uniqueid generator entry is an instance of the extensibleObject object class. For uniqueid generator configuration attributes to be taken into account by the server, this object class (in addition to the top object class) must be present in the entry. The uniqueid generator configuration attribute is presented in this section.
This section provides quick reference tables for LDIF configuration files supplied with the Directory Server, object classes and schema used in server configuration, and attributes requiring server restart.
Table 2-3 lists all the configuration files which are supplied with the Directory Server, including those for the schema of other Netscape servers. Each file is preceded by a number which indicates the order in which they should be loaded (in ascending numerical and then alphabetical order). See LDIF Configuration Files - Location for information on where these files are stored.
Table 2-3 Directory Server Configuration LDIF Files
Table 2-4 lists the configuration attributes that cannot be altered dynamically, while the server is still running. They require that the server be stopped and restarted to take effect. The table lists the configuration attributes concerned with their full DNs and provides a brief description of their functions.
Table 2-4 Configuration Changes Requiring Server Restart
Modifying the maximum number of entries supported by the change log.