Chapter 8 Command-Line Scripts

This chapter provides information on the scripts you can use to manage your directory, such as backing-up and restoring your database. Scripts are a shortcut way of executing the ns-slapd interface commands that are documented in Appendix A, "Using the ns-slapd and slapd.exe Command-Line Utilities."

This chapter contains the following sections:

Finding and Executing Command-Line Scripts

By default all scripts are stored in the following directory:

serverRoot/slapd-serverID

Be sure to refer to Command-Line Scripts Quick Reference for the exact location of each script.

When scripts request either a directory name or a file name, always provide the absolute path. The scripts assume that you want to use the dse.ldif file located in this directory:

serverRoot/slapd-serverID/config

Note

In order to execute the Perl scripts, you must change to the directory where the scripts are stored. Although it is possible to set command-path and library-path variables to execute the scripts, it is not recommended because you run the risk, particularly when you have more than one server version installed, of disrupting the correct execution of other utilities. There's also the risk of compromising the security of the system.

(The same procedure also applies to the command-line utilities discussed in chapter 7, "Command-Line Utilities.")

Also, when you are running the Perl scripts on Windows machines, you must make sure that the path environment variable contains the Perl executable (perl.exe) file. For this reason, make sure to run the scripts from the following directory on these machines: serverRoot\bin\slapd\admin\bin

Command-Line Scripts Quick Reference

Table 8-1 Commonly Used Command-Linne Shell and Batch Scripts


Command-Line Script	Description	Location
bak2db	Restores the database from the most recent archived backup.	serverRoot/slapd-serverID
db2bak	Creates a backup of the current database contents.	serverRoot/slapd-serverID
db2ldif	Exports the contents of the database to LDIF.	serverRoot/slapd-serverID
db2dsml	Exports the contents of the database to DSML.	serverRoot/slapd-serverID
db2index	Reindexes the database index files.	serverRoot/slapd-serverID
dsml2db	Imports DSML file to the database.	serverRoot/slapd-serverID
getpwenc	Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, you can use this script to compare the user's password to the password stored in the directory.	serverRoot/slapd-serverID
ldif2db	Imports LDIF files to the database. Runs the slapd (Windows) or ns-slapd (Unix) command-line utility with the ldif2db keyword. By default, the script first saves and then merges any existing configuration tree (o=NetscapeRoot) with any files to be imported.	serverRoot/slapd-serverID
ldif2ldap	Performs an import operation over LDAP to the Directory Server.	serverRoot/slapd-serverID
monitor	Retrieves performance monitoring information using the ldapsearch command-line utility.	serverRoot/slapd-serverID
restart-slapd	Restarts Directory Server.	serverRoot/slapd-serverID
restoreconfig	Restores by default the most recently saved Administration Server configuration to NetscapeRoot partition.	serverRoot/slapd-serverID
saveconfig	Saves Administration Server configuration stored in the NetscapeRoot partition to the serverRoot/slapd-serverID/confbak directory.	serverRoot/slapd-serverID
start-slapd	Starts Directory Server.	serverRoot/slapd-serverID
stop-slapd	Stops Directory Server.	serverRoot/slapd-serverID
suffix2instance	Maps a suffix to a backend name.	serverRoot/slapd-serverID
vlvindex	Creates and generates virtual list view (VLV) indexes.	serverRoot/slapd-serverID

Table 8-2 Commonly Used Command-Line Perl Scripts


Command-Line Perl Script	Description	Location
bak2db.pl	Restores the database from the most recent archived backup.	serverRoot/slapd-serverID
db2bak.pl	Creates a backup of the current database contents.	serverRoot/slapd-serverID
db2index.pl	Creates and regenerates indexes.	serverRoot/slapd-serverID
db2ldif.pl	Exports the contents of the database to LDIF.	serverRoot/slapd-serverID
ldif2db.pl	Imports LDIF files to database. Runs the slapd (Windows) or ns-slapd (Unix) command-line utility with the ldif2db keyword. By default, the script first saves and then merges any existing configuration tree (o=NetscapeRoot), with any files to be imported.	serverRoot/slapd-serverID
logconv.pl	Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events.	serverRoot/bin/slapd/server
migrateInstance7	Migrates a 6.x version of Directory Server to the 7.x version.	serverRoot/bin/slapd/admin/bin
ns-accountstatus.pl	Provides account status information to establish whether an entry or group of entries is locked or not.	serverRoot/slapd-serverID
ns-activate.pl	Activates an entry or a group of entries by unlocking it (them).	serverRoot/slapd-serverID
ns-inactivate.pl	Inactivates an entry or a group of entries.	serverRoot/slapd-serverID
ns-newpwpolicy.pl	Adds relevant entries required for the fine-grained (user- and subtree-level) password policy.	serverRoot/slapd-serverID
template-cl-dump.pl	Dumps and decodes the change log.	serverRoot/bin/slapd/admin/scripts
template-repl-monitor.pl	Provides in-progress status of replication.	serverRoot/bin/slapd/admin/scripts

Shell and Batch Scripts

This section covers the following scripts:

Some of the shell and batch scripts can be executed while the server is running. For others, the server must be stopped. The description of each script below indicates whether the server must be stopped or if it can continue to run while you execute the script.

When a shell or batch script has a Perl equivalent, there is a cross-reference to the section describing the equivalent Perl script.

Note

When using the batch scripts on Windows, the -s option may not function correctly because of a bug in the Windows command-line interpreter. The command-line interpreter removes the double quotes and treats values as separate in some cases.

bak2db (Restore database from backup)

Restores the database from the most recent archived backup. To run this script, the server must be stopped.

Syntax

Shell script (UNIX):	bak2db [backupDirectory]
Batch file (Windows):	bak2db [backupDirectory]

For information on the equivalent Perl script, see bak2db.pl (Restore database from backup). For more information on restoring databases, see chapter 4, "Populating Directory Databases," in the Netscape Directory Server Administrator's Guide.

db2bak (Create backup of database)

Creates a backup of the current database contents. This script can be executed while the server is still running.

Syntax

Shell script (UNIX):	db2bak [backupDirectory]
Batch file (Windows):	db2bak [backupDirectory]

For information on the equivalent Perl script, refer to db2bak.pl (Create backup of database).

db2ldif (Export database contents to LDIF)

Exports the contents of the database to LDIF. This script can be executed while the server is still running.

For information on the equivalent Perl script, see db2ldif.pl (Export database contents to LDIF).

For the shell and batch scripts, the script runs the slapd (Windows) or ns-slapd (UNIX) command-line utility with the ldif2db keyword.

Syntax

Shell script (UNIX):	db2ldif {-n backendInstance}* \| {-s includeSuffix}* [{-x excludeSuffix}] [-r] [-C] [-u] [-U] [-m] [M] [-a outputFile*] [-1] [-N] [-E]
Batch file (Windows):	db2ldif {-n backendInstance}* \| {-s includeSuffix}* [{-x excludeSuffix}] [-r] [-C] [-u] [-U] [-m] [M] [-a outputFile*] [-1] [-N] [-E]

Options

You must specify either the -n or the -s option. By default, the output LDIF will be stored in one file. Should you want to specify the use of several files, then use the option -M.

Option	Parameter	Description
-a	outputFile	Name of the output LDIF file.
-n	backendInstance	Instance to be exported.
-s	includeSuffix	Suffixes to be included or the subtrees to be included if -n has been used.
-x	excludeSuffix	Suffixes to be excluded.
-r		Export replica.
-C		Only the main db file is used.
-u		Request that the unique id is not exported.
-U		Request that the output LDIF is not folded.
-m		Minimal base-64 encoding.
-M		Use of several files for storing the output LDIF, with each instance stored in instance filename (where filename is the filename specified for -a option).
-1		Delete, for reasons of backward compatibility, the first line of the LDIF file which gives the version of the LDIF standard.
-N		Specifies that the entry IDs are not to be included in the LDIF output. The entry IDs are necessary only if the db2ldif output is to be used as input to db2index.
-E		Decrypts encrypted data during export. This option is used only if database encryption is enabled.

db2dsml (Export database contents to DSML)

Exports the contents of the database to DSML version 1.0. This script can be executed while the server is still running.

Syntax

Shell script (UNIX):	db2dsml {-n backendInstance}* \| {-s includeSuffix}* [{-x excludeSuffix}] [-u] [-a outputFile*]
Batch file (Windows):	db2dsml {-n backendInstance}* \| {-s includeSuffix}* [{-x excludeSuffix}] [-u] [-a outputFile*]

Options

You must specify either the -n or -s option.

Option	Parameter	Description
-n	backendInstance	Instance to be exported.
-s	includeSuffix	Suffixes to be included or to specify the subtrees to be included if -n has been used.
-x	excludeSuffix	Suffixes to be excluded.
-u		Request that the the unique ID be not exported.
-a	outputFile	Name of the output DSML file.

db2index (Reindex database index files)

Reindexes the database index files.

For information on the equivalent Perl script, see db2index.pl (Create and generate indexes).

Syntax

Shell script (UNIX):	db2index [-n backendInstance \| {-s includeSuffix}* -t attributeName -T vlvAttribute]
Batch file (Windows):	db2index [-n backend_instance \| {-s includeSuffix}* -t attributeName -T vlvAttribute]

Usage

Here are a few sample commands:

To reindex all the database index files:

$ db2index
To reindex cn and givenname in the database instance userRoot:

$ db2index -n userRoot -t cn -t givenname
To reindex cn in the database where the root suffix is dc=example,dc=com:

$ db2index -s "dc=example,dc=com" -t cn

Options

Option	Parameter	Description
-n	backendInstance	Instance to be reindexed.
-s	includeSuffix	Suffixes to be included or the subtrees to be included if -n has been used.
-t	attributeName	Name(s) of the attributes to be reindexed.
-T	vlvAttribute	Name(s) of the VLV attributes to be reindexed.

dsml2db (Import DSML document contents into database)

Imports the contents of the DSML version 1.0 document into the database. To run this script, the server must be stopped.

Syntax

Shell script (UNIX):	dsml2db -n backendInstance \| {-s includeSuffix}* [{-x excludeSuffix}] {-i dsmlFile*}
Batch file (Windows):	dsml2db -n backendInstance \| {-s includeSuffix}* [{-x excludeSuffix}] {-i dsmlFile*}

Options

Option	Parameter	Description
-n	backendInstance	Instance to be exported.
-s	includeSuffix	Suffix(es) to be included or to specify the subtree(s) to be included if -n has been used.
-x	excludeSuffix	Suffix(es) to be excluded.
-i	dsmlFile	Name of the input DSML file.

getpwenc (Print encrypted password)

Prints the encrypted form of a password using one of the server's encryption algorithms. If a user cannot log in, you can use this script to compare the user's password to the password stored in the directory.

Syntax

Shell script (UNIX):	getpwenc storagescheme clearpassword
Batch file (Windows):	getpwenc storageScheme clearpassword

Options

There are no options for this script.

For more information on the different storage schemes, such as SSHA, SHA, CRYPT, and CLEAR, see the Netscape Directory Server Administrator's Guide.

ldif2db (Import)

Runs the slapd (Windows) or ns-slapd (Unix) command-line utility with the ldif2db keyword. To run this script, the server must be stopped.

For information on the equivalent Perl script, refer to ldif2db.pl (Import).

Note

ldif2db supports LDIF version 1 specifications. You can load an attribute using the :< URL specifier notation; for example:

jpegphoto:< file:///tmp/myphoto.jpg

Although the official notation requires three ///, the use of one / is tolerated. For further information on the LDIF format, see chapter 4, "Managing Directory Entries," in the Netscape Directory Server Administrator's Guide.

Syntax

Shell script (UNIX):	ldif2db -n backendInstance \| {-s includeSuffix}* [{-x excludeSuffix}] {-i ldifFile} [-O] [-g string] [-G namespaceId] [-E]
Batch file (Windows):	ldif2db -n backendInstance \| {-s includeSuffix}* [{-x excludeSuffix}] {-i ldifFile} [-O] [-g string] [-G namespaceId] [-E]

Options

Option	Parameter	Description
-n	backendInstance	Instance to be imported. Ensure that you specify an instance that corresponds to the suffix contained by the LDIF file because, otherwise, the data contained by the database is deleted, and the import fails.
-s	includeSuffix	Suffixes to be included or to specify the subtrees to be included if -n has been used.
-x	excludeSuffix	Suffixes to be excluded.
-i	ldifFile	Names of the input LDIF files. When you import multiple files, they are imported in the order in which you specify them on the command-line.
-O		Request that only the core db is created without attribute indexes.
-g	string	Generation of a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time based unique ID is generated. If you use the deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use as follows: -g deterministic namespace_id where namespace_id is a string of characters in the following format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx Use this option if you want to import the same LDIF file into two different Directory Servers and you want the contents of both directories to have the same set of unique IDs. If unique IDs already exist in the LDIF file you are importing, then the existing IDs are imported to the server, regardless of the options you have specified.
-G	namespaceId	Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option.
-c		Merge chunk size.
-E		Encrypts data during import. This option is used only if database encryption is enabled.

ldif2ldap (Perform import operation over LDAP)

Performs an import operation over LDAP to the Directory Server. To run this script, the server must be running.

Syntax

Shell script (UNIX):	ldif2ldap -D rootdn -w password -f filename
Batch file (Windows):	ldif2ldap -D rootdn -w password -f filename

Options

Option	Parameter	Description
-D	rootdn	User DN with root permissions, such as Directory Manager.
-w	password	Password associated with the user DN.
-f	filename	Name of the file to be imported. When you import multiple files, they are imported in the order in which you specify them on the command-line.

monitor (Retrieve monitoring information)

Retrieves performance monitoring information using the ldapsearch command-line utility.

Syntax

Shell script (UNIX):	monitor
Batch file (Windows):	monitor

Options

There are no options for this script.

For more information on the ldapsearch command-line utility, see section ldif in chapter 7.

restart-slapd (Restart the Directory Server)

Restarts the Directory Server.

Syntax

Shell script (UNIX):	restart-slapd
Batch file (Windows):	restart-slapd

Options

There are no options for this script.

Exit Status

0	Server restarted successfully.
1	Server could not be started.
2	Server restarted successfully but was already stopped.
3	Server could not be stopped.

restoreconfig (Restore Administration Server Configuration)

Restores, by default, the most recently saved Administration Server configuration information to the NetscapeRoot partition under the following directory:

serverRoot/slapd-serverID/config

To restore the Administration Server configuration:

Stop the Directory Server.
Run the restoreconfig script.
Restart the Directory Server.
Restart the Administration Server for the changes to be taken into account.

Syntax

Shell script (UNIX):	restoreconfig
Batch file (Windows):	restoreconfig

Options

There are no options for this script.

saveconfig (Save Administration Server Configuration)

Saves Administration Server configuration information to the following directory:

serverRoot/slapd-serverID/confbak

This script will only run if the server is running.

Syntax

Shell script (UNIX):	saveconfig
Batch file (Windows):	saveconfig

Options

There are no options for this script.

start-slapd (Start the Directory Server)

Starts the Directory Server. It might be a good idea to check whether the server has been effectively started using the ps command because it could sometimes be that the script returned while the startup process was still on-going, resulting in a confusing message.

Syntax

Shell script (UNIX):	start-slapd
Batch file (Windows):	start-slapd

Options

There are no options for this script.

Exit Status

0	Server started successfully.
1	Server could not be started.
2	Server was already started.

stop-slapd (Stop the Directory Server)

Stops the Directory Server. It might be a good idea to check whether the server has been effectively stopped using the ps command because it could sometimes be that the script returned while the shutdown process was still on-going, resulting in a confusing message.

Syntax

Shell script (UNIX):	stop-slapd
Batch file (Windows):	stop-slapd

Options

There are no options for this script.

Exit Status

0	Server stopped successfully.
1	Server could not be stopped.
2	Server was already stopped.

suffix2instance (Map suffix to backend name)

Maps a suffix to a backend name.

Syntax

Shell script (UNIX):	suffix2instance {-s suffix}
Batch file (Windows):	suffix2instance {-s suffix}

Options

-s	Suffix to be mapped to the backend.

vlvindex (Create virtual list view indexes)

To run the vlvindex script, the server must be stopped. The vlvindex script creates virtual list view (VLV) indexes, known in the Directory Server Console as browsing indexes. VLV indexes introduce flexibility in the way you view search results. Using VLV indexes, you can organize search results alphabetically or in reverse alphabetical order, and you can scroll through the list of results. VLV index configuration must already exist prior to running this script.

Syntax

Shell script (UNIX):	vlvindex [-d debugLevel] [-n backendInstance] [-s suffix [-T vlvTag]
Batch file (Windows):	vlvindex [-d debugLevel] -n backendInstance [-s suffix [-T vlvTag]

Options

You must specify either the -n or the -s option.

Option	Parameter	Description
-d	debugLevel	Specifies the debug level to use during index creation. Debug levels are defined in nsslapd-errorlog-level (Error Log Level).
-D		Specifies the server configuration directory that contains the configuration information for the index creation process. You must specify the full path to the slapd-serverID directory.
-n	backendInstance	Name of the database containing the entries to index.
-s	suffix	Name of the suffix containing the entries to index.
-T	vlvTag	VLV index identifier to use to create VLV indexes. You can use the console to specify VLV index identifier for each database supporting your directory tree, as described in the NNetscape Directory Server Administrator's Guide. You can define additional VLV tags by creating them in LDIF and adding them to Directory Server's configuration, as described in the Netscape Directory Server Administrator's Guide. In any case, we recommend you use the DN of the entry for which you want to accelerate the search sorting.

Perl Scripts

This section covers the following scripts:

Note

The Perl scripts that are bundled with Directory Server require the use of nsPerl, which is included in the serverRoot/bin/slapd/admin/bin directory. Be sure to change to this directory before you run any of the Perl scripts:

cd serverRoot/bin/slapd/admin/bin
./perl PerlScriptName Arguments

bak2db.pl (Restore database from backup)

Restores a database from a backup.

Syntax

Perl script (UNIX and Windows):

bak2db.pl [-v] -D rootdn -w password [-a backupDirectory] [-t databaseType]

Options

The script bak2db.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option.

Option	Parameter	Description
-D	rootdn	The user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.
-w	password	The password associated with the user DN.
-a	backupDirectory	The directory of the backup files.
-v		Verbose mode.
-t	databaseType	The database type. Currently, the only possible database type is ldbm.

db2bak.pl (Create backup of database)

Creates a backup of the database.

Syntax

Perl script (UNIX and Windows):

db2bak.pl [-v] -D rootdn -w password [-a dirName]

Options

The script db2bak.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. Currently, the only possible database type is ldbm.

Option	Parameter	Description
-D	rootdn	The user DN with root permissions, such as Directory Manager. The default is the DN of the Directory Manager, which is read from the nsslapd-root attribute under cn=config.
-w	password	The password associated with the user DN.
-a	dirName	The directory where the backup files will be stored. By default it is under serverRoot/slapd-serverID/bak The backup file is named according to the year-month-day-hour format (YYYY_MM_DD_hhmmss).
-v		Verbose mode.
-t		The database type. Currently, the only possible database type is ldbm.

db2index.pl (Create and generate indexes)

Creates and generates the new set of indexes to be maintained following the modification of indexing entries in the cn=config configuration file.

Syntax

Perl script (UNIX and Windows):

db2index.pl [-v] -D rootdn { -w password | -j filename} [-n backendInstance] [-t attributeName]

Options

The script db2index.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option.

Option	Parameter	Description
-v		Verbose mode.
-D	rootdn	The user DN with root permissions, such as Directory Manager.
-w	password	The password associated with the user DN.
-n	backendInstance	The instance to be indexed. If the instance is not specified, the script reindexes all instances.
-t	attributeName	The name of the attribute to be indexed. If omitted, all the indexes defined for the specified instance are generated.
-j	filename	The name of the file containing the password.

db2ldif.pl (Export database contents to LDIF)

Exports the contents of the database to LDIF. This script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option. The * indicates that multiple occurrences are allowed.

Syntax

Perl script (UNIX and Windows):

db2ldif.pl [-v] -D rootdn -w password {-n backendInstance}* | {-s includeSuffix}* [{-x excludeSuffix}*] [-a outputFile] [-N] [-r] [-C] [-u] [-U] [-m] [-o] [-1] [M]

Options

To run this script, the server must be running, and either -n backend_instance or -s includesuffix is required.

This Perl script db2ldif.pl creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option.

Option	Parameter	Description
-v		Verbose mode.
-D	rootdn	The user DN with root permissions, such as Directory Manager.
-w	password	The password associated with the user DN.
-n	backendInstance	The instance to be exported.
-s	includeSuffix	Suffixes to be included or the subtrees to be included if -n has been used.
-x	excludeSuffix	Suffixes to be excluded.
-a	outputFile	The filename of the output LDIF file.
-N		Suppress printing sequential number.
-r		Export replica.
-C		Only the main db file is used.
-u		Request that the unique id is not exported.
-U		Request that the output LDIF is not folded.
-m		Minimal base-64 encoding.
-o		The output LDIF to be stored in one file by default with each instance stored in instance_filename.
-1		Delete, for reasons of backward compatibility the first line of the LDIF file that gives the version of the LDIF standard.
-M		Output LDIF is stored in multiple files.

ldif2db.pl (Import)

To run this script, the server must be running. The script creates an entry in the directory that launches this dynamic task. The entry is generated based upon the values you provide for each option.

Syntax

Perl script (UNIX and Windows):

ldif2db.pl [-v] -D rootdn -w password -n backendInstance | {-s includeSuffix}* [{-x excludeSuffix}*] [-O] [-c] [-g string] [-G namespaceId] {-i filename}*

Options

Option	Parameter	Description
-D	rootdn	Specifies the user DN with root permissions, such as Directory Manager.
-w	password	Specifies the password associated with the user DN.
-n	backendInstance	Specifies the instance to be imported.
-s	includeSuffix	Specifies the suffixes to be included or specifies the subtrees to be included if -n has been used.
-x	excludeSuffix	Specifies the suffixes to be excluded.
-O		Requests that only the core db is created without attribute indexes.
-c		Merges chunk size.
-g	string	Generates a unique ID. Type none for no unique ID to be generated and deterministic for the generated unique ID to be name-based. By default, a time-based unique ID is generated. If you use the deterministic generation to have a name-based unique ID, you can also specify the namespace you want the server to use as follows: -g deterministic namespaceId where namespaceId is a string of characters in the following format: 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx Use this option if you want to import the same LDIF file into two different Directory Servers and you want the contents of both directories to have the same set of unique IDs. If unique IDs already exist in the LDIF file you are importing, then the existing IDs are imported to the server, regardless of the options you have specified.
-G	namespaceId	Generates a namespace ID as a name-based unique ID. This is the same as specifying the -g deterministic option.
-i	filename	Specifies the filename of the input LDIF files. When you import multiple files, they are imported in the order in which you specify them on the command-line.
-v		Specifies verbose mode.

logconv.pl (Log converter)

Analyzes the access logs of a Directory Server to extract usage statistics and count the occurrences of significant events. It is compatible with log formats from previous releases of Directory Server. For information on access logs, see chapter 5, "Access Log and Connection Code Reference."

The tool will extract the following information from access logs:

Number of restarts

Total number of connections
Total operations requested
Total results returned
Results to requests ratio

Number of searches
Number of modifications
Number of adds
Number of deletes
Number of modified RDNs

Persistent searches
Internal operations (with verbose logs)
Entry operations (with verbose logs)
Extended operations
Abandoned requests
Smart referrals received (verbose logs)

VLV (virtual list view) operations
VLV unindexed searches
Server-side sorting operations
SSL connections

Performance lowering operations:
Entire database searches
Unindexed searches (details optional)

FDs (file descriptors) taken
FDs returned
Highest FD taken

Disruptions:
Broken pipes
Connections reset by peer
Unavailable resources (and detail)

Total binds and types of binds

Most frequent occurrence lists (optional):
Error and return codes
Failed logins
Connection codes
Client IP addresses and connection codes
Bind DNs
Base DNs for searching
Search filters
Etimes (elapsed operation time)
Longest etimes
Nentries (number of entries in result)
Largest Nentries
Extended operations
Most requested attributes
Abandoned operation details (Directory Server 4.15)

Recommendations (optional)

The logconv.pl tool displays two types of statistics useful for monitoring and optimizing directory usage:

Simple counts of events such as the total number of binds and the total number of searches provide overall usage information. This is the basic information that the tool will always print.
Lists of the most frequently occurring parameters in LDAP requests provide insight into how the directory information is being accessed. For example, lists of the top ten bind DNs, base DNs, filter strings, and attributes returned can help administrators optimize the directory for its users. These lists are optional because they are computation intensive: specify only the command-line options for those you need (see Options).

Some information that is extracted by the logconv.pl script is available only in logs from current releases of Directory Server; the corresponding values will be zero when analyzing logs from older versions. In addition, some information will only be present in the logs if verbose logging is enabled in your Directory Server. For more information, see nsslapd-accesslog-level.

The following issues will affect the output and performance of this tool:

Some data extracted from logs depend on connection and operation numbers that are reset and no longer unique after a server restarts. Therefore, to obtain the most accurate counts, the logs to be analyzed should not span the restart of the Directory Server.
Due to changes in access logs formats in current releases of Directory Server that affected operation numbers, the tool will be more accurate logs from current versions when processing large amounts of access logs.
For performance reasons, it is not recommended to run more than one gigabyte of access logs through the script at any one time.

If you customize the logconv.pl script for added functionality, we encourage you to share your work with other LDAP users. Please post a message to the netscape.dev.directory public newsgroup with your ideas or your code.

Syntax

Perl script (UNIX and Windows):

logconv.pl [options] [-efcibaltnxgju] accessLog...

Where:

options and [-efcibaltnxgju] are the command-line options described in the next section.
accessLog is the name of a file that contains the access log of your Directory Server. You may use wildcards in the filename or specify multiple filenames. However, the statistics are computed over the set of all logs, so all logs should pertain to the same Directory Server. The tool will ignore any file with the name access.rotationinfo.

The logconv.pl -h command will display the usage help text that briefly describes all options.

Options

The logconv.pl command-line options are described in the following table.

The parameters without a preceding dash ( - ) at the end of the table will enable the optional lists of occurrences. Specify only those you need to limit the output and improve execution speed. You may specify any number of these parameters in any order, but they must all be given together as a single option on the command-line; for example: -abcefg.

Regardless of the order of options on the command-line, the lists will appear in the output in the order they are listed in this table. Use the -V option to display all optional output. Also, use the -s number option to control the length of these lists.

Option	Parameter	Description
-S	startTimestamp	Specifies the start timestamp; the timestamp must follow the exact format as specified in the access log.
-E	endTimestamp	Specifies the end timestamp; the timestamp must follow the exact format as specified in the access log.
-d	mgrDN	Specifies the distinguished name (DN) of the directory manger in the logs being analyzed. This allows the tool to collect statistics for this special user. The mgrDN parameter should be given in double quotes ("") for the shell. When this parameter is omitted, logconv.pl will use the default manager DN of Directory Server Server: "cn=Directory Manager".
-X	ipAddress	Specifies the IP address of a client to exclude from the statistics. This client will not appear in lists of IP addresses (the i flag), and the connection codes it generates will not be tallied in the total connections (default statistic) nor in the connection code details (the c flag). For example, you may wish to ignore the effect of a load balancer that connects to the Directory Server at regular intervals. This option may be repeated to exclude multiple IP addresses.
-v		Displays the version number of the logconv.pl script.
-h		Displays the usage help text that briefly describes all options.
-s	number	Specifies the number of items in each of the list options below. The default is 20 when this parameter is omitted. For example, -s 10 -i will list the ten client machines that access the Directory Server most often. This parameter will apply to all lists that are enabled, and it will have no effect if none are displayed.
-V		Enables the most verbose output. With this option, logconv.pl will compute and display all of the optional lists described below.
-y		Lists connection latency details (gives you an idea about the overall connection latency).
-p		Lists open connection ID statistics (gives you an idea about the FDs that are not yet closed).
e		Lists the most frequent error and return codes.
f		Lists the bind DNs with the most failed logins (invalid password).
c		Lists the number of occurrences for each type of connection code.
i		Lists the IP addresses and connection codes of the clients with the most connections, which detects clients that may be trying to compromise security.
b		Lists the most frequently used bind DNs.
a		Lists the most frequent base DNs when performing operations.
l		Lists the most frequently used filter strings for searches.
t		Lists the longest and most frequent etimes (elapsed operation time).
n		Lists the largest and most frequent nentries (entries per result).
x		Lists the number and OID of all extended operations.
r		Lists the names of the most requested attributes.
g		Lists the details of all abandoned operations.
j		Gives recommendations based on data collected from the log file.
u		Gives operation details about unindexed searches.

migrateInstance7 (Migrate to Directory Server 7.x)

The migrateInstance7 script (this is a Perl script despite the fact that it does not have the .pl extension) migrates an instance of previous releases of Directory Server to Directory Server 7.x.

When you run this script, it migrates the configuration files or configuration entries, database instances, and schema with minimum manual intervention. The migrateInstance7 script calls on the migrate6To7 script, which then executes the migration.

For complete information on the configuration parameters and attributes that are migrated, refer to chapter 6, "Migration from Earlier Versions." For migration procedure, refer to the Netscape Directory Server Installation Guide.

Before performing the migration, check that the user-defined variables contain the following associated values, where server7Root is the path to where Netscape Directory Server 7.x is installed:

$PERL5LIB	server7Root/bin/slapd/admin/bin
PATH	server7Root/bin/slapd/admin/bin

Syntax

Perl script (UNIX and Windows):

migrateInstance7 -D rootdn -w password -p port -o oldInstancePath -n newInstancePath [-t] [-L]

Options

Option	Parameter	Description
-D	rootdn	Specifies the Directory Server 7.x user DN with root permissions, such as Directory Manager.
-w	password	Specifies the password associated with the Directory Server 7.x user DN.
-p	port	Specifies the port number of Directory Server 7.x.
-o	oldInstancePath	Specifies the path to the legacy Directory Server instance. For example: /usr/netscape/server6/slapd-phonebook.
-n	newInstancePath	Specifies the path to the new (7.x) Directory Server instance. For example: /usr/netscape/servers/slapd-phonebook.
-t		Specifies the trace level. The trace level is set to 0 by default, with a valid range of 0 to 3.
-L		Specifies the file in which to log the migration report. By default, the migration report is stored under serverRoot/slapd-serverID/logs/Migration _ ddmmyyy_hhmmss.log. A sample log might read /usr/netscape/servers/slapd-phonebook/logs/Migration_20122004_153604.log for a log created on 20 December, 2004, at 15.36:04.

ns-accountstatus.pl (Establish account status)

Provides account status information to establish whether an entry or group of entries is inactivated.

Syntax

Perl script (UNIX and Windows):

ns-accountstatus.pl [-D rootdn] -w password [-p port] [-h host] -I DN

Options

Option	Parameter	Description
-D	rootdn	Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-w	password	Specifies the password associated with the user DN.
-p	port	Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-h	host	Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.
-I	DN	Specifies the entry DN or role DN whose status is required.

ns-activate.pl (Activate an entry or group of entries)

Activates an entry or group of entries.

Syntax

Perl script (UNIX and Windows):

ns-activate.pl [-D rootdn] -w password [-p port] [-h host] -I DN

Options

Option	Parameter	Description
-D	rootdn	Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-w	password	Specifies the password associated with the user DN.
-p	port	Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-h	host	Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.
-I	DN	Specifies the entry DN or role DN to activate.

ns-inactivate.pl (Inactivate an entry or group of entries)

Inactivates and thus locks an entry or group of entries.

Syntax

Perl script (UNIX and Windows):

ns-inactivate.pl [-D rootdn] -w password [-p port] [-h host] -I DN

Options

Option	Parameter	Description
-D	rootdn	Specifies the Directory Server user DN with root permissions, such as Directory Manager.
-w	password	Specifies the password associated with the user DN.
-p	port	Specifies the Directory Server's port. The default value is the LDAP port of Directory Server specified at installation time.
-h	host	Specifies the host name of the Directory Server. The default value is the full host name of the machine where Directory Server is installed.
-I	DN	Specifies the entry DN or role DN to inactivate.

ns-newpwpolicy.pl (Add attributes for fine-grained password policy)

Adds entries required for implementing the user- and subtree-level password policy. For an overview of user- and subtree-level password policy, check the Netscape Directory Server Deployment Guide. For instructions to enable this feature, check the Netscape Directory Server Administrator's Guide.

Syntax

Perl script (UNIX and Windows):

ns-newpwpolicy.pl [-D rootdn] {-w password | -w - | -j filename} [-p port] [-h host] -U userDN -S suffixDN

Options

Option	Parameter	Description
-D	rootdn	Specifies the Directory Server user DN with root permissions, such as Directory Manager . The default value is cn=directory manager .
-w	password	Specifies the password associated with the user DN.
-w	-	Prompts for the password associated with the user DN.
-j	filename	Specifies the path, including the file name, to the file that contains the password associated with the user DN.
-p	port	Specifies the Directory Server's port. The default value is 389, or the LDAP port of Directory Server specified at installation time.
-h	host	Specifies the host name of the Directory Server. The default value is localhost , or the full host name of the machine where Directory Server is installed.
-U	userDN	Specifies the DN of the user entry that needs to be updated with user-level password policy attributes.
-S	suffixDN	Specifies the DN of the suffix entry that needs to be updated with subtree-level password policy attributes.

template-cl-dump.pl (Dump and decode changelog)

Troubleshoots replication-related problems.

Syntax

Perl script (UNIX and Windows):	template-cl-dump.pl [-h host] [-p port] [-D bindDn] -w bindPassword \| -P bindCert [-r replicaRoots] [-o outputFile] [-c] [-v]
	template-cl-dump.pl -i changelogFile [-o outputFile] [-c]

Options

In the absence of the -i option, the script must be run when the Directory Server is running and from a location from which the server's change-log directory is accessible.

Option	Parameter	Description
-h	host	Specifies the Directory Server's host. Defaults to the server where the script is running.
-p	port	Specifies the Directory Server's port. The default value is 389.
-D	bindDn	Specifies the Directory Server's bind DN. Defaults to cn=Directory Manager if the option is omitted.
-w	bindPassword	Specifies the password for the bind DN.
-P	bindCert	Specifies the path, including the filename, to the certificate database that contains the certificate used for binding.
-r	replicaRoots	Specifies the replica-roots whose changelog you want to dump. When specifying multiple roots, use commas to separate roots. If the option is omitted, all the replica roots will be dumped.
-o	outputFile	Specifies the path, including the filename, for the final result. Defaults to STDOUT if omitted.
-i	changelogFile	Specifies the path to the changelog file. If you have a change-log file and if certain changes in that file are base-64 encoded, use this option to decode that changelog.
-c		Dumps and interprets CSN only. This option can be used with or without the -i option.
-v		Prints the version of the script.

template-repl-monitor.pl (Monitor replication status)

Shows in-progress status of replication.

Syntax

Perl script (UNIX and Windows):

template-repl-monitor.pl -h host -p port -f configFile [-u refreshUrl] [-t refreshInterval] [-r] [-v]

Options

Option	Parameter	Description
-h	host	Specifies the initial replication supplier's host. The default value is the current hostname.
-p	port	Specifies the initial replication supplier's port. The default value is 389.
-f	configFile	Specifies the absolute path to the configuration file, which defines the connection parameters used to connect to LDAP servers to get replication information. For more information about the configuration file, see Configuration File Format that follows this table.
-u	refreshUrl	Specifies the refresh URL. The output HTML file may invoke a CGI program periodically. If this CGI program in turn calls this script, the effect is that the output HTML file would automatically refresh itself. This is useful for continuous monitoring. See also the -t option. The script has been integrated into Netscape Administration Express, enabling you to monitor replication status via that interface.
-t	refreshInterval	Specifies the refresh interval in seconds. The default value is 300 seconds. This option must be jointly used with the -u option.
-r		If specified, the -r option causes the routine to be entered without printing the HTML header information. This is suitable when making multiple calls to this routine (for example, when specifying multiple, different, "unrelated" supplier servers) and expecting a single HTML output.
-v		Prints the version of this script.

Configuration File Format

The configuration file defines the following:

The connection parameters for connecting to the LDAP servers to get replication information; specifying this information is mandatory.
The server alias for more readable server names; specifying this information is optional.
The color thresholds for time lags; specifying this information is optional.

The format for the configuration file is shown below.

[connection]
host:port:binddn:bindpwd:bindcert
host:port:binddn:bindpwd:bindcert
...
[alias]
alias = host:port
alias = host:port
...
[color]lowmark = color
lowmark = color

In the connection section, you specify how this tool may connect to each LDAP server in your replication topology to get the replication-agreement information. The default binddn is cn=Directory Manager . Simple bind will be used unless bindcert is specified with the path of a certificate database.

A server may have a dedicated or shared entry in the connection section. The script will find out the most matched entry for a given server. For example, if all the LDAP servers except host1 share the same binddn and bindpassword, the connection section will need to contain just two entries:

[connection]

*:*:binddn:bindpassword:
host1:*:binddn1:bindpassword1:

In the optional alias section, you may use aliases such as Supplier1, Supplier2, Hub1, and so on, to identify the servers in the replication topology. If used, the output will show these aliases, instead of http(s)://hostname:port.

You may also choose to display CSN time lags between suppliers and consumers in different colors based on their range. The default color set is green for 0-5 minutes lag, yellow for 5-60 minutes lag, and pink for a lag of 60 minutes or more.

The connection parameters for all the servers in a replication topology must be specified within one configuration file. One configuration file, however, may contain information for multiple replication topology.

Because of the connection parameters, the replication monitoring tool does not need to do DES decryption of the credentials stored in the Directory Server. Each line in this file could either be a comment started with the # character or a connection entry of the format:

host:port:binddn:bindpwd:bindcert

where

host, port, and binddn can be replaced with relevant values or * , or omitted altogether. If host is null or * , the entry may apply to any host that does not have a dedicated entry in the file. If port is null or * , the port will default to the port stored in the current replication agreement. If binddn is null or * , it defaults to cn=Directory Manager.
bindcert can be replaced with the full path to the certificate database, null, or *. If bindcert is omitted or replaced with * , the connection will be simple bind.

For example, your configuration file may look like the example shown below.

#Configuration File for Monitoring Replication Via Admin Express
[connection]
*:*:*:mypassword

[alias]
M1 = host1.example.com:10011
C1 = host4.example.com:10021
C2 = host2.example.com:10022

[color]
0 = #ccffcc
5 = #FFFFCC
60 = #FFCCCC

Contents

Index

DocHome

© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.
Read the Full Copyright and Third-Party Acknowledgments.

last updated November 26, 2004