Configuration, Command, and File Reference
Netscape Directory Server                                                                                                                                  


Chapter 3   Plug-in Implemented Server Functionality Reference



This chapter contains reference information on Netscape Directory Server (Directory Server) server plug-ins. The chapter is divided into the following sections:


Overview

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. Code Example 2-2, which you saw in chapter 2, "Core Server Configuration Reference," shows some of the plug-in configuration attributes.  


dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: /usr/netscape/servers/lib/syntax-plugin.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on


Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.


Object Classes for Plug-in Configuration

All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry, as shown in the following example:  


dn:cn=ACL Plugin,cn=plugins,cn=config
objectclass:top
objectclass:nsSlapdPlugin
objectclass:extensibleObject
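
The object class requirement above can be checked offline against an LDIF export of cn=plugins,cn=config. The following Python check is an added example, not part of the Netscape documentation: it reports entries missing any of the three object classes, nsslapd-pluginEnabled values other than on or off, and nsslapd-pluginPath values that are not full paths. The sample LDIF is constructed and the function names are hypothetical.

```python
"""Audit plug-in entries exported from cn=plugins,cn=config (added example)."""
import base64
import ntpath
import posixpath

# Lower-cased name -> display name of the object classes every plug-in needs.
REQUIRED_OBJECT_CLASSES = {
    "top": "top",
    "nsslapdplugin": "nsSlapdPlugin",
    "extensibleobject": "extensibleObject",
}

# Constructed sample: the second entry lacks extensibleObject; the third has a
# relative (and folded) plug-in path and an invalid nsslapd-pluginEnabled value.
SAMPLE_LDIF = """\
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: /usr/netscape/servers/lib/syntax-plugin.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

dn:cn=ACL Plugin,cn=plugins,cn=config
objectclass:top
objectclass:nsSlapdPlugin
cn: ACL Plugin
nsslapd-pluginEnabled: on

dn: cn=Example Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Example Plugin
nsslapd-pluginPath: lib/example-
 plugin.so
nsslapd-pluginEnabled: yes
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lower-cased attribute: [values]} dicts."""
    # A line that starts with one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    entries = []
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries


def audit_plugin_entry(entry):
    """Return a list of findings for one plug-in configuration entry."""
    findings = []
    present = {oc.lower() for oc in entry.get("objectclass", [])}
    missing = sorted(set(REQUIRED_OBJECT_CLASSES) - present)
    if missing:
        names = ", ".join(REQUIRED_OBJECT_CLASSES[key] for key in missing)
        findings.append("missing object class: " + names)
    for value in entry.get("nsslapd-pluginenabled", []):
        if value.lower() not in ("on", "off"):
            findings.append("nsslapd-pluginEnabled is %r, expected on or off" % value)
    for path in entry.get("nsslapd-pluginpath", []):
        if not (posixpath.isabs(path) or ntpath.isabs(path)):
            findings.append("nsslapd-pluginPath is not a full path: %r" % path)
    return findings


def audit_ldif(text):
    """Map each DN that has findings to its list of findings."""
    report = {}
    for entry in parse_ldif(text):
        findings = audit_plugin_entry(entry)
        if findings:
            report[entry["dn"][0]] = findings
    return report


if __name__ == "__main__":
    for dn, findings in audit_ldif(SAMPLE_LDIF).items():
        print(dn)
        for finding in findings:
            print("  -", finding)
```
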



Server Plug-in Functionality Reference

The tables that follow provide you with a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance related information, and further reading. Information in these tables will help you to weigh plug-in performance gains and costs and choose the optimal settings for your deployment. The "Further Information" row cross references further reading where this is available.


7-bit Check Plug-in

Plug-in Name

7-bit check (NS7bitAtt)

DN of Configuration Entry

cn=7-bit check,cn=plugins,cn=config

Description

Checks certain attributes are 7-bit clean

Configurable Options

on | off

Default Setting

on

Configurable Arguments

list of attributes (uid mail userpassword) followed by "," and then suffix(es) on which the check is to occur

Dependencies

None

Performance Related Information

None

Further Information

If your Directory Server uses non-ASCII characters, for example, Japanese, turn this plug-in off.


ACL Plug-in

Plug-in Name

ACL Plugin

DN of Configuration Entry

cn=ACL Plugin,cn=plugins,cn=config

Description

ACL access check plug-in

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

N/A

Further Information

Chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide.


ACL Preoperation Plug-in

Plug-in Name

ACL preoperation

DN of Configuration Entry

cn=ACL preoperation,cn=plugins,cn=config

Description

ACL access check plug-in

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

database

Performance Related Information

None

Further Information

Chapter 6, "Managing Access Control," in the Netscape Directory Server Administrator's Guide.


Binary Syntax Plug-in

Plug-in Name

Binary Syntax

DN of Configuration Entry

cn=Binary Syntax,cn=plugins,cn=config

Description

Syntax for handling binary data

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Boolean Syntax Plug-in

Plug-in Name

Boolean Syntax

DN of Configuration Entry

cn=Boolean Syntax,cn=plugins,cn=config

Description

Syntax for handling booleans.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Case Exact String Syntax Plug-in

Plug-in Name

Case Exact String Syntax

DN of Configuration Entry

cn=Case Exact String Syntax,cn=plugins,cn=config

Description

Syntax for handling case-sensitive strings

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Case Ignore String Syntax Plug-in

Plug-in Name

Case Ignore String Syntax

DN of Configuration Entry

cn=Case Ignore String Syntax,cn=plugins,cn=config

Description

Syntax for handling case-insensitive strings

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Chaining Database Plug-in

Plug-in Name

Chaining Database

DN of Configuration Entry

cn=Chaining database,cn=plugins,cn=config

Description

Syntax for handling DNs

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

Chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.


Class of Service Plug-in

Plug-in Name

Class of Service

DN of Configuration Entry

cn=Class of Service,cn=plugins,cn=config

Description

Allows for sharing of attributes between entries

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

Chapter 5, "Advanced Entry Management," in the Netscape Directory Server Administrator's Guide.


Country String Syntax Plug-in

Plug-in Name

Country String Syntax Plug-in

DN of Configuration Entry

cn=Country String Syntax,cn=plugins,cn=config

Description

Syntax for handling countries

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Distinguished Name Syntax Plug-in

Plug-in Name

Distinguished Name Syntax

DN of Configuration Entry

cn=Distinguished Name Syntax,cn=plugins,cn=config

Description

Syntax for handling DNs

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Generalized Time Syntax Plug-in

Plug-in Name

Generalized Time Syntax

DN of Configuration Entry

cn=Generalized Time Syntax,cn=plugins,cn=config

Description

Syntax for dealing with dates, times and time zones

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. We strongly recommend that you use the Z time zone indication, which stands for Greenwich Mean Time.
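
A validator for the format described above, as an added example that is not Netscape's code. Besides the recommended Z it also accepts a numeric offset such as +0100 as the time zone indication, which is an assumption taken from the usual Generalized Time definition rather than from this page, and it normalizes every accepted value to the Z form.

```python
"""Validate and normalize Generalized Time strings (added example)."""
import re
from datetime import datetime, timedelta, timezone

GENERALIZED_TIME = re.compile(
    r"(\d{4})(\d{2})(\d{2})"   # four digit year, two digit month, two digit day
    r"(\d{2})(\d{2})(\d{2})"   # two digit hour, minute, second
    r"(?:\.(\d+))?"            # optional decimal part of a second
    r"(Z|[+-]\d{4})",          # time zone indication (offset form is an assumption)
    re.ASCII,
)


def parse_generalized_time(value):
    """Return an aware datetime, or raise ValueError for a malformed value."""
    match = GENERALIZED_TIME.fullmatch(value)
    if match is None:
        raise ValueError("not a Generalized Time string: %r" % value)
    year, month, day, hour, minute, second = map(int, match.groups()[:6])
    fraction, zone = match.group(7), match.group(8)
    # datetime keeps microseconds, so extra fractional digits are truncated.
    microsecond = int(fraction[:6].ljust(6, "0")) if fraction else 0
    if zone == "Z":
        tz = timezone.utc
    else:
        hours, minutes = int(zone[1:3]), int(zone[3:5])
        if hours > 23 or minutes > 59:
            raise ValueError("time zone offset out of range: %r" % zone)
        offset = timedelta(hours=hours, minutes=minutes)
        tz = timezone(-offset if zone[0] == "-" else offset)
    # datetime() itself rejects month 13, 30 February, hour 24 and so on.
    return datetime(year, month, day, hour, minute, second, microsecond, tzinfo=tz)


def to_utc_generalized_time(value):
    """Rewrite any accepted value using the Z time zone indication."""
    moment = parse_generalized_time(value).astimezone(timezone.utc)
    text = "%04d%02d%02d%02d%02d%02d" % (
        moment.year, moment.month, moment.day,
        moment.hour, moment.minute, moment.second,
    )
    if moment.microsecond:
        text += "." + ("%06d" % moment.microsecond).rstrip("0")
    return text + "Z"


def is_generalized_time(value):
    """True when the value parses, False otherwise."""
    try:
        parse_generalized_time(value)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("20030115093000Z", "20030115103000+0100", "200301150930Z"):
        if is_generalized_time(sample):
            print(sample, "->", to_utc_generalized_time(sample))
        else:
            print(sample, "-> rejected")
```
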


HTTP Client Plug-in

Plug-in Name

HTTP Client

DN of Configuration Entry

cn=HTTP Client,cn=plugins,cn=config

Description

HTTP client plug-in

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

database

Performance Related Information

N/A

Further Information

N/A


Integer Syntax Plug-in

Plug-in Name

Integer Syntax

DN of Configuration Entry

cn=Integer Syntax,cn=plugins,cn=config

Description

Syntax for handling integers

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Internationalization Plug-in

Plug-in Name

Internationalization Plugin

DN of Configuration Entry

cn=Internationalization Plugin,cn=plugins,cn=config

Description

Syntax for handling DNs

Configurable Options

on | off

Default Setting

on

Configurable Arguments

The Internationalization plug-in has one argument, which must not be modified: serverRoot/slapd-serverID/config/slapd-collations.conf

This directory stores the collation orders and locales used by the internationalization plug-in.

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

See Appendix D, "Internationalization," in the Netscape Directory Server Administrator's Guide.


ldbm database Plug-in

Plug-in Name

ldbm database Plug-in

DN of Configuration Entry

cn=ldbm database plug-in,cn=plugins,cn=config

Description

Implements local databases

Configurable Options

N/A

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

See Database Plug-in Attributes for further information on database configuration.

Further Information

Chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.


Legacy Replication Plug-in

Plug-in Name

Legacy Replication plug-in

DN of Configuration Entry

cn=Legacy Replication plug-in,cn=plugins,cn=config

Description

Enables a current version Directory Server to be a consumer of a 4.x supplier

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.

Dependencies

database

Performance Related Information

None

Further Information

Chapter 8, "Managing Replication," in the Netscape Directory Server Administrator's Guide.


Multimaster Replication Plug-in

Plug-in Name

Multimaster Replication Plugin

DN of Configuration Entry

cn=Multimaster Replication plugin,cn=plugins,cn=config

Description

Enables replication between two current Directory Servers

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

database

Performance Related Information

N/A

Further Information

You can turn this plug-in off if you only have one server which will never replicate. See also chapter 8, "Managing Replication," in the Netscape Directory Server Administrator's Guide.


Octet String Syntax Plug-in

Plug-in Name

Octet String Syntax

DN of Configuration Entry

cn=Octet String Syntax,cn=plugins,cn=config

Description

Syntax for handling octet strings

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


CLEAR Password Storage Plug-in

Plug-in Name

CLEAR

DN of Configuration Entry

cn=CLEAR,cn=Password Storage Schemes,cn=plugins,cn=config

Description

CLEAR password storage scheme used for password encryption

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

Chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.


CRYPT Password Storage Plug-in

Plug-in Name

CRYPT

DN of Configuration Entry

cn=CRYPT,cn=Password Storage Schemes,cn=plugins,cn=config

Description

CRYPT password storage scheme used for password encryption

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

Chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.


NS-MTA-MD5 Password Storage Scheme Plug-in

Plug-in Name

NS-MTA-MD5

DN of Configuration Entry

cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=config

Description

NS-MTA-MD5 password storage scheme for password encryption

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility; i.e. if the data in your directory still contains passwords encrypted with the NS-MTA-MD5 password storage scheme. See chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.


SHA Password Storage Scheme Plug-in

Plug-in Name

SHA

DN of Configuration Entry

cn=SHA,cn=Password Storage Schemes,cn=plugins,cn=config

Description

SHA password storage scheme for password encryption

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

If there are no passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your password with the SHA password storage scheme, we recommend that you choose SSHA instead, as SSHA is a far more secure option.

Further Information

Chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.
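
Why the salted scheme is the better choice, as an added example that is not Netscape's code. It assumes the conventional LDAP userPassword encodings, {SHA} followed by base64(SHA-1(password)) and {SSHA} followed by base64(SHA-1(password + salt) + salt), with an 8-byte salt chosen for illustration; the DNs and passwords are constructed. Equal passwords produce equal {SHA} values, so the audit function can list accounts that share a stored value, while {SSHA} values differ per entry.

```python
"""Compare {SHA} and {SSHA} userPassword values (added example)."""
import base64
import hashlib
import hmac
import os
from collections import defaultdict

SHA1_LEN = 20  # bytes in a SHA-1 digest
SALT_LEN = 8   # assumption for this example; verify() accepts any salt length


def sha_encode(password):
    """Unsalted: the same password always yields the same stored value."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def ssha_encode(password, salt=None):
    """Salted: a fresh random salt makes every stored value different."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def split_scheme(stored):
    """Split '{SCHEME}data'; a value without a prefix is treated as CLEAR."""
    if stored.startswith("{") and "}" in stored:
        scheme, _, data = stored[1:].partition("}")
        return scheme.upper(), data
    return "CLEAR", stored


def verify(password, stored):
    """Check a candidate password against a {SHA} or {SSHA} value."""
    scheme, data = split_scheme(stored)
    if scheme not in ("SHA", "SSHA"):
        raise ValueError("scheme not handled in this example: " + scheme)
    raw = base64.b64decode(data)
    expected, salt = raw[:SHA1_LEN], raw[SHA1_LEN:]
    if scheme == "SHA" and salt:
        return False  # a {SHA} value carries no salt bytes
    actual = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, expected)


def audit_stored_passwords(stored_by_dn):
    """List entries not using SSHA and groups of entries sharing one value."""
    not_ssha, by_value = [], defaultdict(list)
    for dn, stored in sorted(stored_by_dn.items()):
        scheme, _ = split_scheme(stored)
        if scheme != "SSHA":
            not_ssha.append((dn, scheme))
        by_value[stored].append(dn)
    shared = [dns for dns in by_value.values() if len(dns) > 1]
    return {"not_ssha": not_ssha, "shared_values": shared}


# Constructed sample: four accounts that all chose the same password.
SAMPLE_DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": sha_encode("Spring2003"),
    "uid=bob,ou=People,dc=example,dc=com": sha_encode("Spring2003"),
    "uid=carol,ou=People,dc=example,dc=com": ssha_encode("Spring2003"),
    "uid=dave,ou=People,dc=example,dc=com": ssha_encode("Spring2003"),
}

if __name__ == "__main__":
    result = audit_stored_passwords(SAMPLE_DIRECTORY)
    for dn, scheme in result["not_ssha"]:
        print("not SSHA:", dn, "uses", scheme)
    for group in result["shared_values"]:
        print("identical stored value:", ", ".join(group))
```
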


SSHA Password Storage Scheme Plug-in

Plug-in Name

SSHA

DN of Configuration Entry

cn=SSHA,cn=Password Storage Schemes,cn=plugins,cn=config

Description

SSHA password storage scheme for password encryption

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

Chapter 7, "User Account Management," in the Netscape Directory Server Administrator's Guide.


Postal Address String Syntax Plug-in

Plug-in Name

Postal Address Syntax

DN of Configuration Entry

cn=Postal Address Syntax,cn=plugins,cn=config

Description

Syntax used for handling postal addresses

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


Presence Plug-in

Plug-in Name

Presence

DN of Configuration Entry

cn=Presence,cn=plugins,cn=config

Description

Syntax used for handling postal addresses

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

database

Performance Related Information

Check the reference provided in Further Information.

Further Information

Chapter 18, "Configuring IM Presence Information," in the Netscape Directory Server Administrator's Guide.


PTA Plug-in

Plug-in Name

Pass-Through Authentication Plugin

DN of Configuration Entry

cn=Pass Through Authentication,cn=plugins,cn=config

Description

Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

ldap://example.com:389/o=example

Dependencies

None

Performance Related Information

Check the reference provided in Further Information.

Further Information

Chapter 16, "Using the Pass-through Authentication Plug-in," in the Netscape Directory Server Administrator's Guide.


Referential Integrity Postoperation Plug-in

Plug-in Name

Referential Integrity Postoperation

DN of Configuration Entry

cn=Referential Integrity Postoperation,cn=plugins,cn=config

Description

Enables the server to ensure referential integrity

Configurable Options

All configuration and on | off

Default Setting

off

Configurable Arguments

When enabled, the post operation Referential Integrity plug-in performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.

Configurable arguments are as follows:

  1. Check for referential integrity.
    -1 = no check for referential integrity
    0 = check for referential integrity is performed immediately
    positive integer = request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request, at intervals corresponding to the integer specified.

  2. Log file for storing the change; for example, /usr/netscape/servers/logs/referint

  3. All the additional attribute names you want to be checked for referential integrity.

Dependencies

database

Performance Related Information

You should enable the Referential Integrity plug-in on only one supplier in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, you must be sure to analyze your performance resource and time needs as well as your integrity needs. Note that integrity checks can be time-consuming and draining on memory/CPU.

Further Information

See chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide.


Retro Changelog Plug-in

Plug-in Name

Retro Changelog Plugin

DN of Configuration Entry

cn=Retro Changelog Plugin,cn=plugins,cn=config

Description

Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

See Retro Changelog Plug-in Attributes for further information on the two configuration attributes for this plug-in.

Dependencies

None

Performance Related Information

May slow down Directory Server performance.

Further Information

Chapter 8, "Managing Replication," in the Netscape Directory Server Administrator's Guide.


Roles Plug-in

Plug-in Name

Roles Plugin

DN of Configuration Entry

cn=Roles Plugin,cn=plugins,cn=config

Description

Enables the use of roles in the Directory Server

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

database

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

Chapter 5, "Advanced Entry Management," in the Netscape Directory Server Administrator's Guide.


Space Insensitive String Syntax Plug-in

Plug-in Name

Space Insensitive String Syntax

DN of Configuration Entry

cn=Space Insensitive String Syntax,cn=plugins,cn=config

Description

Syntax for handling space-insensitive values

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

This plug-in enables the Directory Server to support space and case insensitive values. Applications can now search the directory using entries with ASCII space characters.

For example, applications that use AOL Screen Names can search the Directory Server using filters that contain Screen Names--a search or compare operation that uses jOHN Doe will match entries that contain any of the following Screen Name values: johndoe, john doe, and John Doe.

For more information about finding directory entries, see Appendix B, "Finding Directory Entries," in the Netscape Directory Server Administrator's Guide.

The nsAIMID attribute type, which is a part of the Presence schema, uses this syntax. For details, see "Schema for the Presence Plug-in" in the Netscape Directory Server Administrator's Guide.


State Change Plug-in

Plug-in Name

State Change Plugin

DN of Configuration Entry

cn=State Change Plugin,cn=plugins,cn=config

Description

Enables state-change-notification service.

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

N/A

Further Information

N/A


Telephone Syntax Plug-in

Plug-in Name

Telephone Syntax

DN of Configuration Entry

cn=Telephone Syntax,cn=plugins,cn=config

Description

Syntax for handling telephone numbers

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.

Further Information

N/A


UID Uniqueness Plug-in

Plug-in Name

UID Uniqueness plug-in

DN of Configuration Entry

cn=UID Uniqueness,cn=plugins,cn=config

Description

Checks that the values of specified attributes are unique each time a modification occurs on an entry.

Configurable Options

on | off

Default Setting

off

Configurable Arguments

To check for UID attribute uniqueness in all listed subtrees, enter the following arguments:

uid
"DN"
"DN"...

To check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, starting from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute, enter the following arguments instead:

attribute="uid"
MarkerObjectclass= "ObjectClassName"

and, optionally,

requiredObjectClass= "ObjectClassName"

Dependencies

database

Performance Related Information

Directory Server provides the UID Uniqueness plug-in by default. If you want to ensure unique values for other attributes, you can create instances of the UID Uniqueness plug-in for those attributes. See chapter 17, "Using the Attribute Uniqueness Plug-in," in the Netscape Directory Server Administrator's Guide for more information about the Attribute Uniqueness plug-in.

The UID Uniqueness plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.

Further Information

Chapter 17, "Using the Attribute Uniqueness Plug-in," in the Netscape Directory Server Administrator's Guide.


URI Syntax Plug-in

Plug-in Name

URI Syntax

DN of Configuration Entry

cn=URI Syntax,cn=plugins,cn=config

Description

Syntax for handling URIs (Unique Resource Identifiers) including URLs (Unique Resource Locators)

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

None

Performance Related Information

Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.

Further Information

N/A


List of Attributes Common to All Plug-ins

This list provides a brief attribute description, the Entry DN, valid range, default value, syntax, and an example for each attribute.


nsslapd-pluginPath

Specifies the full path to the plug-in.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

Any valid path

Default Value:

None

Syntax:

DirectoryString

Example:

nsslapd-pluginPath: /usr/netscape/servers/lib/uid-plugin.so


nsslapd-pluginInitfunc

Specifies the plug-in function to be initiated.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

Any valid plug-in function

Default Value:

None

Syntax:

DirectoryString

Example:

nsslapd-pluginInitfunc:NS7bitAttr_Init


nsslapd-pluginType

Specifies the plug-in type. See nsslapd-plugin-depends-on-type for further information.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

Any valid plug-in type

Default Value:

None

Syntax:

DirectoryString

Example:

nsslapd-pluginType: preoperation


nsslapd-pluginEnabled

Specifies whether or not the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

on

Syntax:

DirectoryString

Example:

nsslapd-pluginEnabled: on


nsslapd-pluginId

Specifies the plug-in ID.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

Any valid plug-in ID

Default Value:

None

Syntax:

DirectoryString

Example:

nsslapd-pluginId: chaining database


nsslapd-pluginVersion

Specifies the plug-in version.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

Any valid plug-in version

Default Value:

Product version number

Syntax:

DirectoryString

Example:

nsslapd-pluginVersion: 6.2


nsslapd-pluginVendor

Specifies the vendor of the plug-in.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

Any approved plug-in vendor.

Default Value:

Netscape Communications Corporation

Syntax:

DirectoryString

Example:

nsslapd-pluginVendor: Netscape Communications Corp.


nsslapd-pluginDescription

Provides a description of the plug-in.  

Entry DN:

cn=plug-in name,cn=plugins,cn=config

Valid Values:

N/A

Default Value:

None

Syntax:

DirectoryString

Example:

nsslapd-pluginDescription: acl access check plug-in


Attributes Allowed by Certain Plug-ins


nsslapd-plugin-depends-on-type

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the type number of a plug-in, contained in the attribute nsslapd-pluginType. See nsslapd-pluginType for further information. All plug-ins whose type value matches one of the values in the following valid range will be started by the server prior to this plug-in. The following post operation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the post operation Referential Integrity Plug-in.  

Entry DN:

cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values:

database

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsslapd-plugin-depends-on-type:database


nsslapd-plugin-depends-on-named

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn value of a plug-in. The plug-in whose cn value matches one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server will fail to start. The following post operation Referential Integrity Plug-in example shows that the Class of Service plug-in will be started prior to the post operation Referential Integrity Plug-in. If the Class of Service plug-in does not exist, then the server will fail to start.  

Entry DN:

cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values:

Class of Service

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsslapd-plugin-depends-on-named: Class of Service
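
The ordering rules for nsslapd-plugin-depends-on-type and nsslapd-plugin-depends-on-named can be modelled as a dependency graph. The following Python sketch is an added example, not the server's implementation: it computes a start order that satisfies both attributes and raises an error when a named plug-in does not exist, which is the case in which the server fails to start. The plug-in list is constructed (the type given for Class of Service is a placeholder), and rejecting dependency cycles is an assumption of this example.

```python
"""Model plug-in start ordering from the depends-on attributes (added example)."""


class PluginConfigError(Exception):
    """Raised when no valid start order exists for the configuration."""


# Constructed sample; cn values come from this chapter, "object" is a placeholder type.
SAMPLE_PLUGINS = [
    {"cn": "Referential Integrity Postoperation", "type": "postoperation",
     "depends_on_type": ["database"], "depends_on_named": ["Class of Service"]},
    {"cn": "ACL preoperation", "type": "preoperation",
     "depends_on_type": ["database"]},
    {"cn": "Class of Service", "type": "object"},
    {"cn": "ldbm database", "type": "database"},
    {"cn": "Chaining database", "type": "database"},
]


def start_order(plugins):
    """Return cn values in an order that honours both depends-on attributes."""
    by_cn = {p["cn"].lower(): p for p in plugins}  # cn matching ignores case
    must_start_first = {}
    for plugin in plugins:
        name = plugin["cn"].lower()
        before = set()
        # depends-on-named: the named plug-in must exist and start earlier.
        for wanted in plugin.get("depends_on_named", []):
            if wanted.lower() not in by_cn:
                raise PluginConfigError(
                    "%s depends on missing plug-in %r" % (plugin["cn"], wanted))
            before.add(wanted.lower())
        # depends-on-type: every plug-in of that type starts earlier.
        for wanted_type in plugin.get("depends_on_type", []):
            before.update(
                cn for cn, other in by_cn.items()
                if other["type"].lower() == wanted_type.lower() and cn != name)
        must_start_first[name] = before

    order, started = [], set()
    remaining = [p["cn"].lower() for p in plugins]
    while remaining:
        # Everything whose prerequisites have already started can go next;
        # configuration order is kept among plug-ins that are ready together.
        ready = [n for n in remaining if must_start_first[n] <= started]
        if not ready:
            raise PluginConfigError(
                "dependency cycle among: " + ", ".join(sorted(remaining)))
        for name in ready:
            order.append(by_cn[name]["cn"])
            started.add(name)
        remaining = [n for n in remaining if n not in started]
    return order


if __name__ == "__main__":
    for position, cn in enumerate(start_order(SAMPLE_PLUGINS), 1):
        print(position, cn)
```
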


Database Plug-in Attributes

The database plug-in is also organized in an information tree as shown in Figure 3-1.

Figure 3-1    Database Plug-in

All plug-in technology used by the database instances is stored in the cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config information tree.


Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config

Global configuration attributes common to all instances are stored in the cn=config,cn=ldbm database,cn=plugins,cn=config tree node.


nsLookthroughLimit

This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request. If you bind as the directory manager DN, however, unlimited is set by default and overrides any other settings you may specify here. It is worth noting that binder-based resource limits work for this limit, which means that if a value for the operational attribute nsLookthroughLimit is present in the entry you bind as, the default limit will be overridden. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

-1 to maximum 32-bit integer in entries (where -1 is unlimited)

Default Value:

5000

Syntax:

Integer

Example:

nsLookthroughLimit: 5000


nsslapd-idlistscanlimit

This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem.

It is advisable to keep the default value to improve search performance. For a more detailed explanation of the effect of ID lists on search performance, see chapter 10, "Managing Indexes," in the Netscape Directory Server Administrator's Guide.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

100 to the maximum 32-bit integer value (2147483647) entry IDs

Default Value:

4000

Syntax:

Integer

Example:

nsslapd-idlistscanlimit: 4000


nsslapd-cache-autosize

This performance tuning-related attribute, which is turned off by default, specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory would be claimed for the cache. If you plan to run other servers on the machine, then the value will be lower. Setting the value to 0 turns off the cache autosizing and uses the normal nsslapd-cachememsize and nsslapd-dbcachesize attributes.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

0 (turns cache autosizing off) to 100

Default Value:

0

Syntax:

Integer

Example:

nsslapd-cache-autosize: 80


nsslapd-cache-autosize-split

This performance tuning-related attribute specifies the percentage of cache space to allocate to the database cache. For example, setting this to 60 would give the database cache 60 percent of the cache space and split the remaining 40 percent between the backend entry caches. That is, if there were 2 databases, each of them would receive 20 percent. This attribute only applies when the nsslapd-cache-autosize attribute has a value of 0.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

 

Default Value:

66 (This will not necessarily optimize your operations.)

Syntax:

Integer

Example:

nsslapd-cache-autosize-split: 66


nsslapd-dbcachesize

This performance tuning-related attribute specifies database cache size. This is neither the index cache nor the entry cache. If you activate automatic cache resizing, this attribute is overridden: the server replaces its value with its own guessed value at a later stage of the server startup.

If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

500KB to 4GB for 32-bit platforms and 500KB to 2^64-1 for 64-bit platforms

Default Value:

10,000,000 bytes

Syntax:

Integer

Example:

nsslapd-dbcachesize: 10,000,000



Note 

On Solaris, the nsslapd-dbcachesize attribute has no effect on performance because the disk/filesystem cache overrides it.



nsslapd-db-checkpoint-interval

The amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations have been physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure. The nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, you add the attribute to dse.ldif. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see chapter 14, "Tuning Directory Server Performance," in the Netscape Directory Server Administrator's Guide.

This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape Technical Support or Netscape Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.

For more information on database transaction logging, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

10 to 300 seconds

Default Value:

60

Syntax:

Integer

Example:

nsslapd-db-checkpoint-interval: 120 seconds


nsslapd-db-circular-logging

Specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed and are kept renamed as old log transaction files. Turning circular logging off can severely degrade server performance and, as such, should only be modified with the guidance of Netscape Technical Support or Netscape Professional Services.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

on

Syntax:

DirectoryString

Example:

nsslapd-db-circular-logging: on


nsslapd-db-debug

Specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to on. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

off

Syntax:

DirectoryString

Example:

nsslapd-db-debug: off


nsslapd-db-durable-transactions

Indicates whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and, therefore, able to be recovered in the event of a system failure. However, the durable transactions feature may also slow the performance of the Directory Server. When durable transactions is disabled, all transactions are logically written to the database transaction log but may not be physically written to disk immediately. If there were a system failure before a directory change was physically written to disk, that change would not be recoverable. The nsslapd-db-durable-transactions attribute is absent from dse.ldif. To disable durable transactions, you add the attribute to dse.ldif.

This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape Technical Support or Netscape Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.

For more information on database transaction logging, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

on

Syntax:

DirectoryString

Example:

nsslapd-db-durable-transactions: on


nsslapd-db-home-directory

Applicable to Solaris only. Used to fix a situation in Solaris where the operating system endlessly flushes pages. This flushing can be so excessive that performance of the entire system is severely degraded.

This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100MB.

If your Solaris host seems excessively slow and your database cache size is around 100MB or more, then you can use the iostat utility to diagnose the problem. Use iostat to monitor the activity of the disk where the Directory Server's database files are stored. If all of the following conditions are true,

  • The disk is heavily used (more than 1MB per second of data transfer).

  • There is a long service time (more than 100ms).

  • There is mostly write activity.

then you should use the nsslapd-db-home-directory attribute to specify a subdirectory of a tmpfs type file system.


Note 

The directory referenced by the nsslapd-db-home-directory attribute must be a subdirectory of a file system of type tmpfs (such as /tmp). However, Directory Server does not create the subdirectory referenced by this attribute. You must create the directory either manually or by using a script. Failure to create the directory referenced by the nsslapd-db-home-directory attribute will result in Directory Server being unable to start.

Also, if you have multiple Directory Servers on the same machine, their nsslapd-db-home-directory attributes must be configured with different directories. Failure to do so will result in the databases for both directories becoming corrupted.

Finally, use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be allocated. This is a symptom of an overly large database cache size being configured for your server. If this happens, reduce your database cache size to a value where the server will start again.


 

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any valid directory name in a tmpfs file system, such as /tmp.

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsslapd-db-home-directory: /tmp/slapd-phonebook
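
The three conditions in the Note above (the directory is on tmpfs, it already exists, and no two server instances share it) can be verified before the servers are started. The following Python code is an added example, not part of the Netscape documentation or product. The function names, server IDs and sample mount table are constructed for illustration; the mount table text is assumed to follow the Solaris /etc/mnttab field order, where the type string appears as tmpfs.

```python
import os

# Constructed sample in the Solaris /etc/mnttab layout:
# resource, mount point, file system type, options, mount time.
SAMPLE_MNTTAB = """\
/dev/dsk/c0t0d0s0\t/\tufs\trw,intr,largefiles\t1000000000
swap\t/tmp\ttmpfs\txattr\t1000000000
/dev/dsk/c0t0d0s7\t/export/home\tufs\trw\t1000000000
"""


def fstype_for(path, mnttab_text):
    """Return the type of the file system whose mount point most closely contains path."""
    best_mount, best_type = "", None
    for line in mnttab_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        mount, fstype = fields[1], fields[2]
        # "/tmp" contains "/tmp/x" but not "/tmpfoo"; "/" contains everything.
        inside = path == mount or path.startswith(mount.rstrip("/") + "/")
        if inside and len(mount) > len(best_mount):
            best_mount, best_type = mount, fstype
    return best_type


def check_db_home_dirs(instances, mnttab_text, is_dir=os.path.isdir):
    """Check nsslapd-db-home-directory values for all server instances on one host.

    instances maps a server ID to its configured directory. is_dir can be
    replaced when auditing configuration collected from another machine.
    Returns a list of (server ID, problem) tuples, empty when all checks pass.
    """
    problems, owner = [], {}
    for server_id, configured in sorted(instances.items()):
        path = os.path.normpath(configured)
        fstype = fstype_for(path, mnttab_text)
        if fstype != "tmpfs":
            problems.append((server_id, "%s is on %s, not tmpfs" % (path, fstype)))
        if not is_dir(path):
            problems.append((server_id, "%s does not exist; the server cannot start" % path))
        if path in owner:
            problems.append((server_id, "%s is also used by %s; both databases "
                                        "will be corrupted" % (path, owner[path])))
        owner.setdefault(path, server_id)
    return problems
```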


nsslapd-db-idl-divisor

Specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1 makes the block size exactly equal to the page size. The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead.

Before modifying the value of this attribute, export all databases using the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

0 to 8

Default Value:

0

Syntax:

Integer

Example:

nsslapd-db-idl-divisor: 2


nsslapd-db-logbuf-size

Specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data.

The nsslapd-db-logbuf-size attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

32K to maximum 32-bit integer (limited to the amount of memory available on the machine)

Default Value:

32K

Syntax:

Integer

Example:

nsslapd-db-logbuf-size: 32K


nsslapd-db-logdirectory

Specifies the path and directory name of the directory containing the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. By default, the database transaction log is stored in the same directory as the directory entries themselves, serverRoot/slapd-serverID/db. For fault-tolerance and performance reasons, you may want to move this log file to another physical disk. The nsslapd-db-logdirectory attribute is absent from dse.ldif. To change the location of the database transaction log, you add the attribute to dse.ldif.

For more information on database transaction logging, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any valid path and directory name

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsslapd-db-logdirectory: /logs/txnlog




nsslapd-db-logfile-size

Specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to 0, a maximum size of 10 MB is used. The maximum size is an unsigned 4-byte value. The value of this attribute can have significant impact on performance, as it can be tuned to avoid extensive log switching in the event of heavy entries.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

0 to unsigned 4-byte integer

Default Value:

10MB

Syntax:

Integer

Example:

nsslapd-db-logfile-size: 10 MB


nsslapd-db-page-size

Specifies the size of the pages used to hold items in the database in bytes. The minimum size is 512 bytes, and the maximum size is 64K bytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8Kbytes. Changing this default value can have significant performance impact. If the page size is too small, it results in extensive page splitting and copying, whereas if the page size is too large it can waste disk space.

Before modifying the value of this attribute, export all databases using the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

512 bytes to 64 Kbytes

Default Value:

8Kbytes

Syntax:

Integer

Example:

nsslapd-db-page-size: 8Kbytes


nsslapd-db-spin-count

Specifies the number of times that test-and-set mutexes should spin without blocking.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

0 to 2^31-1

Default Value:

0

Syntax:

Integer

Example:

nsslapd-db-spin-count: 0


nsslapd-db-transaction-batch-val

Specifies how many transactions will be batched before being committed. You can use this attribute to improve update performance when full transaction durability is not required. This attribute can be dynamically modified using ldapmodify. For further information on modifying this attribute, see chapter 14, "Tuning Directory Server Performance," in the Netscape Directory Server Administrator's Guide.

If you do not define this attribute or set it to a value of 0, transaction batching will be turned off, and it will be impossible to make remote modifications to this attribute via LDAP. However, setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value. A value greater than 0 also allows you to modify this attribute remotely via LDAP. A value of 1 for this attribute allows you to modify the attribute setting remotely via LDAP but results in no batching behavior. A value of 1 at server startup is therefore useful for maintaining normal durability while also allowing transaction batching to be turned on and off remotely when desired. Remember that the value you choose for this attribute may require you to modify the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer size for accommodating your batched transactions.

Also, the nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.

For more information on database transaction logging, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

0 to 30

Default Value:

0 (or turned off)

Syntax:

Integer

Example:

nsslapd-db-transaction-batch-val: 5


nsslapd-db-transaction-logging

Specifies whether transaction logging is on or off. Turning transaction logging off can considerably improve Directory Server performance but at the risk of data loss and/or database corruption in the event of a system crash. If turned off, it would be necessary to set up other database recovery procedures.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

on

Syntax:

DirectoryString

Example:

nsslapd-db-transaction-logging: on


nsslapd-db-trickle-percentage

Ensures that at least the specified percentage of pages in the shared-memory pool are clean by writing dirty pages to their backing files. This is to ensure that a page is always available for reading in new information without having to wait for a write.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

0 to 100

Default Value:

40

Syntax:

Integer

Example:

nsslapd-db-trickle-percentage: 40


nsslapd-db-verbose

Specifies whether to record additional informational and debugging messages when searching the log for checkpoints, doing deadlock detection, and performing recovery. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server.

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

off

Syntax:

DirectoryString

Example:

nsslapd-db-verbose: off


nsslapd-dbncache

This attribute allows you to split the ldbm cache into equally sized separate pieces of memory. It is possible to specify caches that are large enough so that they cannot be allocated contiguously on some architectures; for example, some releases of Solaris limit the amount of memory that may be allocated contiguously by a process. If nsslapd-dbncache is 0 or 1, the cache will be allocated contiguously in memory. If it is greater than 1, the cache will be broken up into ncache, equally sized separate pieces of memory.

To configure a dbcache size larger than 4Gbytes, you need to add the nsslapd-dbncache attribute to cn=config,cn=ldbm database,cn=plugins,cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines.

Set this value to an integer that is one-quarter (1/4) the amount of memory you want in Gbyte. For example, if you have a 12Gbyte system, set the nsslapd-dbncache value to 3; for an 8Gbyte system, set it to 2.

This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape Technical Support or Netscape Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

1 to 4

Default Value:

1

Syntax:

Integer

Example:

nsslapd-dbncache: 1



nsslapd-import-cachesize

This performance tuning-related attribute determines the size of the database cache used in the bulk import process. Setting this attribute value so that the maximum available system physical memory is used for the database cache during bulk importing optimizes bulk import speed. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem.


Note 

A cache is created for each load that occurs. For example, if the user sets the nsslapd-import-cachesize attribute to 1GB, then 1GB is used when loading one database, 2GB is used when loading 2 databases, and so on. Ensure that you have sufficient physical memory to prevent swapping from occurring, as this would result in performance degradation.


 

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

500KB to 4GB for 32-bit platforms and 500KB to 2^64-1 for 64-bit platforms

Default Value:

20 000 000

Syntax:

Integer

Example:

nsslapd-import-cachesize: 20 000 000


nsslapd-import-cache-autosize

This performance tuning-related attribute automatically sets the size of the import cache (importCache) to be used during the command-line-based import process of LDIF files to the database (the ldif2db operation).

In Directory Server, the import operation can be run as a server task or exclusively on the command-line. In the task mode, the import operation runs as a general Directory Server operation. The nsslapd-import-cache-autosize attribute enables you to set importCache automatically to a predetermined size when the import operation is run on the command-line. The attribute can also be used by Directory Server during the task mode import for allocating a specified percentage of free memory for importCache.

By default, the nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes importCache for the ldif2db operation only, automatically allocating fifty percent (50%) of the free physical memory for importCache. The percentage value (50%) is hardcoded and cannot be changed.

You can set the attribute value to 50 (nsslapd-import-cache-autosize: 50) to have the same effect on performance during an ldif2db operation. However, such a setting will have the same effect on performance when the import operation is run as a Directory Server task. The -1 value autosizes importCache just for the ldif2db operation and not for any general Directory Server task, including import.

The purpose of the -1 setting is to enable the ldif2db operation to benefit from free physical memory but, at the same time, not compete for valuable memory with entryCache, which is used for general operations of the Directory Server.

Setting the nsslapd-import-cache-autosize attribute value to 0 turns off the importCache autosizing feature -- that is, no autosizing occurs during either mode of the import operation. Instead, Directory Server uses the nsslapd-import-cachesize attribute for import cache size, the default for which is 20,000,000.

Keep in mind that there are three caches in the context of Directory Server, dbCache, entryCache, and importCache. importCache is only used during the import operation. The attribute nsslapd-cache-autosize, which is used for autosizing entryCache and dbCache, is used during the Directory Server operations only and not during the ldif2db command-line operation; the attribute value is the percentage of free physical memory to be allocated for entryCache and dbCache.

While running Directory Server with both the autosizing attributes, nsslapd-cache-autosize and nsslapd-import-cache-autosize, enabled, ensure that their sum is less than 100.


Note 

If Directory Server is installed on a machine running Windows 2000 Server, be sure to set the LargeSystemCache registry key to 0 to limit the growth of system cache. The LargeSystemCache has a default value of 1, which is not suitable for applications, such as Directory Server, that do caching internally.


 

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Range:

-1, 0 (turns import cache autosizing off) to 100

Default Value:

-1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to importCache)

Syntax:

Integer

Example:

nsslapd-import-cache-autosize: -1


nsslapd-mode

Specifies the permissions used for newly created index files.  

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any four-digit octal number. However, mode 0600 is recommended. This allows read and write access for the owner of the index files (which is the user that ns-slapd runs as) and no access for other users.

Default Value:

0600

Syntax:

Integer

Example:

nsslapd-mode: 0600
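
The valid ranges and warnings documented for the cn=config,cn=ldbm database,cn=plugins,cn=config entry can be checked mechanically before a server is restarted. The following Python code is an added example, not part of the Netscape documentation or product: it parses dse.ldif-style text and reports values outside the documented ranges, switches that relax durability, and index file modes that grant access beyond the owner. The function names and the sample entry are constructed for illustration, and it assumes that only explicit autosize percentages (not the -1 import default) count toward the sum limit.

```python
import base64
import re

LDBM_CONFIG_DN = "cn=config,cn=ldbm database,cn=plugins,cn=config"

# Valid ranges as documented in the entries above: attribute -> (min, max).
RANGES = {
    "nsslapd-idlistscanlimit": (100, 2147483647),
    "nsslapd-cache-autosize": (0, 100),
    "nsslapd-import-cache-autosize": (-1, 100),
    "nsslapd-db-checkpoint-interval": (10, 300),
    "nsslapd-db-idl-divisor": (0, 8),
    "nsslapd-db-transaction-batch-val": (0, 30),
    "nsslapd-db-trickle-percentage": (0, 100),
    "nsslapd-dbncache": (1, 4),
}

# on/off attributes: the value worth flagging and its documented consequence.
SWITCHES = {
    "nsslapd-db-transaction-logging": ("off", "data loss or corruption possible after a crash"),
    "nsslapd-db-durable-transactions": ("off", "changes not yet on disk are lost on system failure"),
    "nsslapd-db-circular-logging": ("off", "old transaction logs are kept; performance can degrade"),
}

# Constructed sample entry (not from a real server); the last value is folded.
SAMPLE_LDIF = """\
dn: cn=config, cn=ldbm database, cn=plugins, cn=config
cn: config
nsslapd-mode: 0644
nsslapd-cache-autosize: 80
nsslapd-import-cache-autosize: 30
nsslapd-db-checkpoint-interval: 600
nsslapd-db-durable-transactions: off
nsslapd-db-transaction-batch-val: 5
nsslapd-db-logdirectory: /logs/
 txnlog
"""


def normalize_dn(dn):
    """Lower-case a DN and drop spaces around commas so equal DNs compare equal."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Parse LDIF text into {normalized dn: {lower-case attribute: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # a leading space continues the previous line
        else:
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():
            current = None                # a blank line ends the entry
            continue
        if line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name.lower() == "dn":
            current = entries.setdefault(normalize_dn(value), {})
        elif current is not None:
            current.setdefault(name.lower(), []).append(value.strip())
    return entries


def audit_ldbm_config(ldif_text):
    """Return sorted (attribute, message) findings for the global ldbm entry."""
    entry = parse_ldif(ldif_text).get(normalize_dn(LDBM_CONFIG_DN))
    if entry is None:
        return [("dn", "entry not found: " + LDBM_CONFIG_DN)]
    findings, ints = [], {}
    for attr, (low, high) in RANGES.items():
        for value in entry.get(attr, []):
            if not re.fullmatch(r"-?\d+", value):
                findings.append((attr, "not an integer: %r" % value))
                continue
            ints[attr] = int(value)
            if not low <= ints[attr] <= high:
                findings.append((attr, "%s is outside %d to %d" % (value, low, high)))
    for attr, (flagged, why) in SWITCHES.items():
        if flagged in (v.lower() for v in entry.get(attr, [])):
            findings.append((attr, "set to %s: %s" % (flagged, why)))
    # New index files should be accessible to the ns-slapd user only (0600).
    mode = entry.get("nsslapd-mode", ["0600"])[0]
    if not re.fullmatch(r"[0-7]{4}", mode) or int(mode, 8) & 0o077:
        findings.append(("nsslapd-mode", mode + ": want four octal digits, no group/other bits"))
    # A value above 1 queues transactions before commit, relaxing durability.
    if ints.get("nsslapd-db-transaction-batch-val", 0) > 1:
        findings.append(("nsslapd-db-transaction-batch-val", "commits are batched"))
    # Assumption: -1 (ldif2db only) does not compete with the server caches.
    cache = ints.get("nsslapd-cache-autosize", 0)
    imp = ints.get("nsslapd-import-cache-autosize", -1)
    if cache > 0 and imp > 0 and cache + imp >= 100:
        findings.append(("nsslapd-cache-autosize", "sum with import autosize is %d, not below 100" % (cache + imp)))
    return sorted(findings)
```

Calling audit_ldbm_config(SAMPLE_LDIF) returns five findings for the constructed entry; an entry that keeps the documented defaults returns an empty list.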


Database Attributes under cn=monitor,cn=ldbm database, cn=plugins,cn=config

Global read-only attributes containing database statistics for monitoring activity on your databases are stored in the cn=monitor,cn=ldbm database, cn=plugins,cn=config tree node. For more information on these monitoring read-only entries, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.


dbcachehits

Requested pages found in the database.


dbcachetries

Total requested pages found in the database cache.


dbcachehitratio

Percentage of requested pages found in the database cache (hits/tries).


dbcachepagein

Pages read into the database cache.


dbcachepageout

Pages written from the database cache to the backing file.


dbcacheroevict

Clean pages forced from the cache.


dbcacherwevict

Dirty pages forced from the cache.


Database Attributes under cn=NetscapeRoot,cn=ldbm database, cn=plugins,cn=config and cn=UserRoot,cn=ldbm database, cn=plugins,cn=config

The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for, or the definition of, the databases containing the o=NetscapeRoot and o=France.Sun suffixes, respectively. The cn=NetscapeRoot subtree contains the configuration data used by the Netscape Administration Server for authentication and all actions that cannot be performed through LDAP (such as start/stop), and the cn=UserRoot subtree contains all the configuration data for the user-defined database. The cn=UserRoot subtree is called UserRoot by default. However, this is not hard-coded and, given the fact that there will be multiple database instances, this name will be changed and defined by the user as and when new databases are added. The following attributes are common to both the cn=NetscapeRoot, cn=ldbm database,cn=plugins,cn=config and cn=UserRoot, cn=ldbm database,cn=plugins,cn=config subtrees.


nsslapd-cachesize

This performance tuning-related attribute specifies the cache size in terms of the entries it can hold. However, it is worth noting that it is simpler to limit by memory size only (see nsslapd-cachememsize attribute). If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.  

Entry DN:

cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

Valid Range:

1 to 2,147,483,647 (or -1, which means limitless) entries

Default Value:

-1

Syntax:

Integer

Example:

nsslapd-cachesize: -1


nsslapd-cachememsize

This performance tuning-related attribute specifies the cache size in terms of available memory space. Limiting cachesize in terms of memory occupied is the simplest method. If you activate automatic cache resizing, this attribute is overridden: the server replaces its value with its own guessed value at a later stage of the server startup. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer, you will receive an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.

Entry DN:

cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

Valid Range:

500KB to 4GB for 32-bit platforms and 500KB to 2^64-1 for 64-bit platforms

Default Value:

10 485 760 (10Mb)

Syntax:

Integer

Example:

nsslapd-cachememsize:10Mb


nsslapd-directory

Specifies the absolute path to the database instance. If your database instance is manually created, then this attribute must be included; it is set by default (and modifiable) in the Netscape Console. Once your database instance is created, do not modify this path, as any changes risk preventing the server from accessing data. This attribute is related to server5.

Entry DN:

cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any valid absolute path to the database instance

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsslapd-directory: /usr/netscape/servers/slapd-phonebook/db


nsslapd-readonly

Specifies Read Only permission rights. If this attribute has a value of off, then the user has all read, write, and execute permissions.  

Entry DN:

cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

off

Syntax:

DirectoryString

Example:

nsslapd-readonly: off


nsslapd-require-index

When switched to on, this attribute allows you to refuse unindexed searches. This performance related attribute avoids saturating the server with erroneous searches.  

Entry DN:

cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values:

on | off

Default Value:

off

Syntax:

DirectoryString

Example:

nsslapd-require-index: off


nsslapd-suffix

Specifies the suffix of the database link. This is a mono-valued attribute as each database instance can have only one suffix. Previously it was possible to have more than one suffix on a single database instance but this is no longer the case. As a result this attribute is mono-valued to enforce the fact that each database instance can only have one suffix entry. Any changes made to this attribute after the entry has been created take effect only after you restart the server containing the database link.  

Entry DN:

cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config or cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any valid DN

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsslapd-suffix: o=NetscapeRoot


Database Attributes under cn=database,cn=monitor,cn=ldbm database, cn=plugins,cn=config

The attributes in this tree node entry are all read-only, database performance counters. All of the values for these attributes are 32-bit integers.


nsslapd-db-abort-rate

Number of transactions that have been aborted.


nsslapd-db-active-txns

Number of transactions that are currently active.


nsslapd-db-cache-hit

Requested pages found in the cache.


nsslapd-db-cache-try

Total cache lookups.


nsslapd-db-cache-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.


nsslapd-db-cache-size-bytes

Total cache size in bytes.


nsslapd-db-clean-pages

Clean pages currently in the cache.


nsslapd-db-commit-rate

Number of transactions that have been committed.


nsslapd-db-deadlock-rate

Number of deadlocks detected.


nsslapd-db-dirty-pages

Dirty pages currently in the cache.


nsslapd-db-hash-buckets

Number of hash buckets in buffer hash table.


nsslapd-db-hash-elements-examine-rate

Total number of hash elements traversed during hash table lookups.


nsslapd-db-hash-search-rate

Total number of buffer hash table lookups.


nsslapd-db-lock-conflicts

Total number of locks not immediately available due to conflicts.


nsslapd-db-lock-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.


nsslapd-db-lock-request-rate

Total number of locks requested.



nsslapd-db-lockers

Number of current lockers.


nsslapd-db-log-bytes-since-checkpoint

Number of bytes written to this log since the last checkpoint.


nsslapd-db-log-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.


nsslapd-db-log-write-rate

Number of megabytes and bytes written to this log.


nsslapd-db-longest-chain-length

Longest chain ever encountered in buffer hash table lookups.


nsslapd-db-page-create-rate

Pages created in the cache.


nsslapd-db-page-read-rate

Pages read into the cache.


nsslapd-db-page-ro-evict-rate

Clean pages forced from the cache.


nsslapd-db-page-rw-evict-rate

Dirty pages forced from the cache.


nsslapd-db-page-trickle-rate

Dirty pages written using the memp_trickle interface.


nsslapd-db-page-write-rate

Pages read into the cache.


nsslapd-db-pages-in-use

All pages, clean or dirty, currently in use.


nsslapd-db-txn-region-wait-rate

Number of times that a thread of control was forced to wait before obtaining the region lock.


Database Attributes under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config

The set of default indexes is stored here. Default indexes are configured per backend in order to optimize Directory Server functionality for the majority of setup scenarios. All indexes, except system-essential ones, can be removed, but care should be taken so as not to cause unnecessary disruptions. This section presents four required indexing attributes and one optional indexing attribute. For further information on indexes, see chapter 10, "Managing Indexes," in the Netscape Directory Server Administrator's Guide.


nsSystemIndex

This mandatory attribute specifies whether or not the index is a system index, an index which is vital for Directory Server operations. If this attribute has a value of true, then it is system-essential. System indexes should not be removed, as this will seriously disrupt server functionality.  

Entry DN:

cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

true | false

Default Value:

N/A

Syntax:

DirectoryString

Example:

nssystemindex: true


nsIndexType

This optional multivalued attribute specifies the type of index for Directory Server operations and takes the values of the attributes to be indexed. Each desired index type has to be entered on a separate line.  

Entry DN:

cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

Valid Values:

pres = presence index

eq = equality index

approx = approximate index

sub = substring index

matching rule = international index

index browse = browsing index

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsindextype: eq


nsMatchingRule

This optional, multivalued attribute specifies the collation order object identifier (OID) required for the Directory Server to operate international indexing.  

Entry DN:

cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any valid collation order object identifier (OID)

Default Value:

None

Syntax:

DirectoryString

Example:

cn=2.16.840.1.113730.3.3.2.3.1 (For Bulgarian)


cn

Provides the name of the attribute you want to index.  

Entry DN:

cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config

Valid Values:

Any valid index cn

Default Value:

None

Syntax:

DirectoryString

Example:

cn: aci


description

This non-mandatory attribute provides a free-hand text description of what the index actually performs.  

Entry DN:

cn=default indexes,cn=monitor,cn=ldbm database,cn=plugins,cn=config

Valid Values:

N/A

Default Value:

None

Syntax:

DirectoryString

Example:

description:substring index


Database Attributes under cn=monitor,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

Global, read-only entries for monitoring activity on the NetscapeRoot database. These attributes containing database statistics are given for each file that makes up your database. For further information, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.


dbfilenamenumber

This attribute indicates the name of the file and provides a sequential integer identifier (starting at 0) for the file. All associated statistics for the file are given this same numerical identifier.


dbfilecachehit

Number of times that a search requiring data from this file was performed and that the data was successfully obtained from the cache.


dbfilecachemiss

Number of times that a search requiring data from this file was performed and that the data could not be obtained from the cache.


dbfilepagein

Number of pages brought to the cache from this file.


dbfilepageout

Number of pages for this file written from cache to disk.


Database Attributes under cn=index,cn=NetscapeRoot,cn=ldbm database, cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database, cn=plugins,cn=config

In addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config, custom indexes can be created for o=NetscapeRoot and o=UserRoot and are stored under cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config and cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config, respectively. Each indexed attribute represents a subentry under the above cn=config information tree nodes, as shown in Figure 3-2.

Figure 3-2    Indexed Attribute Representing a Subentry

For example, the index file for the aci attribute under o=UserRoot will appear in the Directory Server as follows:  


dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsIndex
cn: aci
nssystemindex:true
nsindextype:pres


For details regarding the five possible indexing attributes, see the section Database Attributes under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config. For further information about indexes, see chapter 10, "Managing Indexes," in the Netscape Directory Server Administrator's Guide.


Database Attributes under cn=attributeName, cn=encrypted attributes, cn=database_name, cn=ldbm database, cn=plugins, cn=config

The nsAttributeEncryption object class allows encryption of attributes, within a database, that the Directory Manager selects manually. Extremely sensitive information such as credit card numbers and government identification numbers may not be protected enough by routine access control measures and can be encrypted within the database by using database encryption. This object class has one attribute, nsEncryptionAlgorithm, which sets the type of encryption used for the attribute. Each encrypted attribute represents a subentry under the above cn=config information tree nodes, as shown in Figure 3-3.

Figure 3-3    Encrypted Attributes under the cn=config Node


For example, the database encryption file for the userPassword attribute under o=UserRoot would appear in the Directory Server as follows:  


dn: cn=userPassword,cn=encrypted attributes,o=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsAttributeEncryption
cn: userPassword
nsEncryptionAlgorithm: AES


To configure database encryption, see "Database Encryption," in chapter 3, "Configuring Directory Databases," in the Netscape Directory Server Administrator's Guide. For more information about indexes, see chapter 10, "Managing Indexes," in the Netscape Directory Server Administrator's Guide.


nsEncryptionAlgorithm

nsEncryptionAlgorithm selects the cipher used by nsAttributeEncryption. The algorithm can be set per encrypted attribute.  

Entry DN:

cn=attributeName,cn=encrypted attributes, cn=databaseName,cn=ldbm database,cn=plugins,cn=config

Valid Values:

The following are supported ciphers:

Advanced Encryption Standard Block Cipher -- AES
Triple Data Encryption Standard Block Cipher -- 3DES

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsEncryptionAlgorithm: AES


Database Link Plug-in Attributes (chaining attributes)

The Database Link Plug-in is also organized in an information tree, as shown in Figure 3-4.

Figure 3-4    Database Link Plug-in

All plug-in technology used by the database link instances is stored in the cn=chaining database plug-in node. This section presents the additional attribute information for the three nodes marked in bold in the cn=chaining database,cn=plugins,cn=config information tree.


Database Link Attributes under cn=config,cn=chaining database, cn=plugins,cn=config

Global configuration attributes common to all instances are stored in the cn=config,cn=chaining database,cn=plugins,cn=config tree node.


nsActiveChainingComponents

Lists the components using chaining. A component is any functional unit in the server. The value of this attribute overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value None. This attribute also allows you to alter the components used to chain. By default, no components are allowed to chain, which explains why this attribute will probably not appear in a list of cn=config,cn=chaining database,cn=config attributes, as LDAP considers empty attributes to be non-existent.  

Entry DN:

cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values:

Any valid component entry

Default Value:

None

Syntax:

DirectoryString

Example:

nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config


nsMaxResponseDelay

This error detection, performance-related attribute specifies the maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected. Once this delay period has been met, the database link tests the connection with the remote server.  

Entry DN:

cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values:

Any valid delay period in seconds

Default Value:

60 seconds

Syntax:

Integer

Example:

nsMaxResponseDelay: 60


nsMaxTestResponseDelay

This error detection, performance-related attribute specifies the duration of the test issued by the database link to check whether the remote server is responding. If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down, and the connection is not used for subsequent operations.  

Entry DN:

cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values:

Any valid delay period in seconds

Default Value:

15 seconds

Syntax:

Integer

Example:

nsMaxTestResponseDelay: 15


nsTransmittedControls

This attribute, which can be both a global (and thus dynamic) configuration or an instance (i.e., cn=database link instance,cn=chaining database,cn=plugins,cn=config) configuration attribute, allows you to alter the controls the database link forwards. The following controls are forwarded by default by the database link:

  • Managed DSA, object identifier: 2.16.840.1.113730.3.4.2

  • Virtual list view (VLV), object identifier: 2.16.840.1.113730.3.4.9

  • Server side sorting, object identifier: 1.2.840.113556.1.4.473  

Entry DN:

cn=config,cn=chaining database,cn=plugins,cn=config

Valid Values:

Any valid OID or the above listed controls forwarded by the database link.

Default Value:

None

Syntax:

Integer

Example:

nsTransmittedControls: 1.2.840.113556.1.4.473


Database Link Attributes under cn=default instance config,cn=chaining database,cn=plugins,cn=config

Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node.


nsAbandonedSearchCheckInterval

Number of seconds that pass before the server checks for abandoned operations.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

0 to maximum 32-bit integer (2147483647) seconds

Default Value:

2

Syntax:

Integer

Example:

nsabandonedsearchcheckinterval: 10


nsBindConnectionsLimit

Maximum number of TCP connections the database link establishes with the remote server.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

1 to 50 connections

Default Value:

3

Syntax:

Integer

Example:

nsbindconnectionslimit: 3


nsBindRetryLimit

Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server but the number of times it tries to bind with the remote server. A value of 0 here indicates that the database link will only attempt to bind once.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

1 to 5

Default Value:

3

Syntax:

Integer

Example:

nsbindretrylimit: 3


nsBindTimeout

Amount of time before the bind attempt times out. There is no real Valid Range for this attribute, except reasonable patience limits.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

0 to 60 seconds

Default Value:

15

Syntax:

Integer

Example:

nsbindtimeout:15


nsCheckLocalACI

Reserved for advanced use only. Controls whether ACIs are evaluated on the database link as well as the remote data server. Changes to this attribute only take effect once the server has been restarted.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Values:

on | off

Default Value:

off

Syntax:

DirectoryString

Example:

nschecklocalaci: on


nsConcurrentBindLimit

Maximum number of concurrent bind operations per TCP connection.

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

1 to 25 binds

Default Value:

10

Syntax:

Integer

Example:

nsconcurrentbindlimit:10


nsConcurrentOperationsLimit

Specifies the maximum number of concurrent operations allowed.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

1 to 50 operations

Default Value:

50

Syntax:

Integer

Example:

nsconcurrentoperationslimit: 50


nsConnectionLife

Specifies connection lifetime. You can keep connections between the database link and the remote server open for an unspecified time, or you can close them after a specific period of time. It is faster to keep the connections open, but it uses more resources. When the value is 0 and you provide a list of failover servers in the nsFarmServerURL attribute, the "main" server is never contacted after failover to the alternate server.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

0 to limitless seconds (where 0 means forever)

Default Value:

0

Syntax:

Integer

Example:

nsconnectionlife: 0


nsOperationConnectionsLimit

Maximum number of LDAP connections the database link establishes with the remote server.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

1 to 20 connections

Default Value:

10

Syntax:

Integer

Example:

nsoperationconnectionslimit:10


nsProxiedAuthorization

Reserved for advanced use only. Allows you to disable proxied authorization, where a value of off means proxied authorization is disabled.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Values:

on | off

Default Value:

on

Syntax:

DirectoryString

Example:

nsproxiedauthorization: on


nsReferralOnScopedSearch

Controls whether or not referrals are returned by scoped searches. This attribute allows you to optimize your directory because returning referrals in response to scoped searches is more efficient.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Values:

on | off

Default Value:

off

Syntax:

DirectoryString

Example:

nsreferralonscopedsearch: off


nsSizeLimit

Specifies the default size limit for the database link in bytes.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

-1 (no limit) to maximum 32-bit integer (2147483647) entries

Default Value:

2000

Syntax:

Integer

Example:

nsSizeLimit: 2000


nsTimeLimit

Specifies the default search time limit for the database link.  

Entry DN:

cn=default instance config,cn=chaining database, cn=plugins,cn=config

Valid Range:

-1 to maximum 32-bit integer (2147483647) seconds

Default Value:

3600

Syntax:

Integer

Example:

nsTimeLimit: 3600


Database Link Attributes under cn=database link instance name,cn=chaining database, cn=plugins,cn=config

This information node stores the attributes concerning the server containing the data. A farm server is a server which contains data on databases. This attribute can contain optional servers for failover, separated by spaces. For cascading chaining, this URL can point to another database link.


nsFarmServerURL

Gives the LDAP URL of the remote server. A farm server is a server containing data in one or more databases. This attribute can contain optional servers for failover, separated by spaces. If using cascading chaining, this URL can point to another database link.  

Entry DN:

cn=database link instance name,cn=chaining database,cn=plugins,cn=config

Valid Values:

Any valid remote server LDAP URL

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsFarmServerURL: ldap://epdiote.example.com:alternate_server:3333


nsMultiplexorBindDN

Gives the DN of the administrative entry used to communicate with the remote server. The multiplexor is the server that contains the database link and communicates with the farm server. This bind DN cannot be the Directory Manager, and, if this attribute is not specified, the database link binds as anonymous.  

Entry DN:

cn=database link instance name,cn=chaining database,cn=plugins,cn=config

Valid Values:

N/A

Default Value:

DN of the multiplexor

Syntax:

DirectoryString

Example:

nsMultiplexorBindDN: cn=proxy manager


nsMultiplexorCredentials

Password for the administrative user, given in plain text. If no password is provided, it means that users can bind as anonymous. The password is encrypted in the configuration file. Please note that the example below is what you view, not what you type.  

Entry DN:

cn=database link instance name,cn=chaining database,cn=plugins,cn=config

Valid Values:

Any valid password, which will then be encrypted using the DES reversible password encryption schema.

Default Value:

N/A

Syntax:

DirectoryString

Example:

nsMultiplexorCredentials: {DES} 9Eko69APCJfF


nsHopLimit

Specifies the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.  

Entry DN:

cn=database link instance name,cn=chaining database,cn=plugins,cn=config

Valid Range:

1 to an appropriate upper limit for your deployment

Default Value:

10

Syntax:

Integer

Example:

nsHopLimit: 3
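
The following is an added example, not part of the original reference or of Directory Server itself. It audits an LDIF export of cn=config against two passages of this chapter: the nsAttributeEncryption entries (cipher choice) and the database link entries (documented valid ranges, the two "reserved for advanced use" switches, and the anonymous bind that results when nsMultiplexorBindDN is absent). Assumptions: the sample entries and link names are constructed, the ranges listed for the default instance config are also applied to instance entries, and treating any cipher other than AES as a finding is a policy choice of this example.

```python
import re

CHAIN = "cn=chaining database,cn=plugins,cn=config"
RANGES = {  # valid ranges as listed in this reference
    "nsbindconnectionslimit": (1, 50), "nsbindretrylimit": (1, 5),
    "nsbindtimeout": (0, 60), "nsconcurrentbindlimit": (1, 25),
    "nsconcurrentoperationslimit": (1, 50), "nsoperationconnectionslimit": (1, 20),
}
# Documented defaults of the two "reserved for advanced use" switches.
ADVANCED_DEFAULTS = {"nschecklocalaci": "off", "nsproxiedauthorization": "on"}

# Constructed sample entries (hypothetical link names, not from a real server).
SAMPLE_LDIF = """\
dn: cn=userPassword,cn=encrypted attributes,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
nsEncryptionAlgorithm: 3DES

dn: cn=default instance config,cn=chaining database, cn=plugins,cn=config
nsBindTimeout: 15

dn: cn=link1,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm1.example.com:389/
nsBindConnectionsLimit: 80

dn: cn=link2,cn=chaining database,cn=plugins,cn=config
nsMultiplexorBindDN: cn=proxy manager
nsProxiedAuthorization: off
"""

def parse_ldif(text):
    """Minimal LDIF reader; names lowercased, no base64 or folded lines."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                entry.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(text):
    """Return (dn, finding) tuples for attribute encryption and chaining entries."""
    findings = []
    for e in parse_ldif(text):
        dn = e["dn"][0]
        norm = re.sub(r"\s*,\s*", ",", dn.lower())  # tolerate ", " in DNs
        algs = e.get("nsencryptionalgorithm", [])
        if ",cn=encrypted attributes," in norm and [a.upper() for a in algs] != ["AES"]:
            findings.append((dn, "cipher is not AES"))  # policy assumed here
        if not norm.endswith("," + CHAIN):
            continue
        for attr, (lo, hi) in RANGES.items():
            for v in e.get(attr, []):
                if not (re.fullmatch(r"-?\d+", v) and lo <= int(v) <= hi):
                    findings.append((dn, f"{attr}={v} outside {lo}..{hi}"))
        for attr, default in ADVANCED_DEFAULTS.items():
            if any(v.lower() != default for v in e.get(attr, [])):
                findings.append((dn, f"{attr} changed from default '{default}'"))
        rdn = norm[: -len(CHAIN) - 1]  # what precedes the chaining suffix
        is_link = "," not in rdn and rdn not in ("cn=config", "cn=default instance config")
        if is_link and not e.get("nsmultiplexorbinddn"):
            findings.append((dn, "no nsMultiplexorBindDN: link binds as anonymous"))
    return findings
```

Run `audit()` on the text of an exported configuration; the global, default instance and cn=monitor nodes are range-checked where applicable but skipped for the bind DN check.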


Database Link Attributes under cn=monitor,cn=database instance name,cn=chaining database, cn=plugins,cn=config

Attributes used for monitoring activity on your instances are stored in the cn=monitor,cn=database link instance name,cn=chaining database,cn=plugins,cn=config information tree.


nsAddCount

Number of add operations received.


nsDeleteCount

Number of delete operations received.


nsModifyCount

Number of modify operations received.


nsRenameCount

Number of rename operations received.


nsSearchBaseCount

Number of base level searches received.


nsSearchOneLevelCount

Number of one-level searches received.


nsSearchSubtreeCount

Number of subtree searches received.


nsAbandonCount

Number of abandon operations received.


nsBindCount

Number of bind requests received.


nsUnbindCount

Number of unbinds received.


nsCompareCount

Number of compare operations received.


nsOperationConnectionCount

Number of open connections for normal operations.


nsBindConnectionCount

Number of open connections for bind operations.


Retro Changelog Plug-in Attributes

Two different types of changelogs are maintained by Directory Server. The first type, referred to as changelog, is used by multi-master replication, and the second changelog, which is in fact a plug-in referred to as retro changelog, is intended for use by LDAP clients for maintaining application compatibility with Directory Server 4.x versions.

This Retro Changelog plug-in is used to record modifications made to a supplier server. When the supplier server's directory is modified, an entry is written to the Retro Changelog that contains both

It is through the Retro Changelog plug-in that you access the changes performed to the Directory Server using searches to cn=changelog,cn=config file.


nsslapd-changelogdir

This attribute specifies the name of the directory in which the changelog database is created the first time the plug-in is run. By default, the database is stored with all the other databases under

serverRoot/slapd-serverID/db/changelog


Note 

For performance reasons, you will probably want to store this database on a different physical disk.


 

Entry DN:

cn=Retro Changelog Plugin,cn=plugins,cn=config

Valid Values:

Any valid path to the directory

Default Value:

None

Syntax:

DirectoryString

Example:

nsslapd-changelogdir: /var/slapd-serverID/changelog



nsslapd-changelogmaxage (Max Changelog Age)

Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute will be removed. If this attribute is absent, there is no age limit on change log records, which is the default behavior as this attribute is not present by default.  

Entry DN:

cn=Retro Changelog Plugin,cn=plugins,cn=config

Valid Range:

0 (meaning that entries are not removed according to their age) to the maximum 32 bit integer value (2147483647)

Default Value:

0

Syntax:

DirectoryString IntegerAgeID
where AgeID is s for seconds, m for minutes, h for hours, d for days, or w for weeks.

Example:

nsslapd-changelogmaxage: 30d







© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.

last updated November 26, 2004