Chapter 6. Plug-in implemented server functionality reference
The entries stored under cn=plugins,cn=config in Red Hat Directory Server define the configuration attributes used to manage the modular features that extend core directory operations. Understanding these plug-in settings helps you customize server capabilities.
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes a given plug-in uses by performing an ldapsearch on the cn=config subtree.
All plug-ins are instances of the nsSlapdPlugin object class, which is inherited from the extensibleObject object class. The server takes plug-in configuration attributes into account when both object classes (in addition to the top object class) are present in the entry, as shown in the following example:
dn:cn=ACL Plugin,cn=plugins,cn=config
objectclass:top
objectclass:nsSlapdPlugin
objectclass:extensibleObject
6.1. List of attributes common to all plugins
Each Red Hat Directory Server plugin belongs to the nsSlapdPlugin object class that is defined in Red Hat Directory Server. The list of common attributes provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.
Superior Class: top
OID: 2.16.840.1.113730.3.2.41
| Attribute | Definition |
|---|---|
| objectClass | Provides the object classes assigned to the entry. |
| cn | Provides the common name of the entry. |
| nsslapd-pluginPath | Identifies the plugin library name (without the library suffix). |
| nsslapd-pluginInitfunc | Identifies an initialization function of the plugin. |
| nsslapd-pluginType | Identifies the type of plugin. |
| nsslapd-pluginId | Identifies the plugin ID. |
| nsslapd-pluginVersion | Identifies the version of plugin. |
| nsslapd-pluginVendor | Identifies the vendor of plugin. |
| nsslapd-pluginDescription | Identifies the description of the plugin. |
| nsslapd-pluginEnabled | Identifies whether or not the plugin is enabled. |
| nsslapd-pluginPrecedence | Sets the priority for the plugin in the execution order. |
6.1.1. nsslapd-logAccess
The nsslapd-logAccess attribute controls whether a plugin logs search operations to access logs (nsslapd-accesslog).
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-logAccess: Off |
6.1.2. nsslapd-logAudit
The nsslapd-logAudit attribute controls whether a plugin logs and audits database modifications.
Successful modification events are logged in the audit log, if the nsslapd-auditlog-logging-enabled parameter is enabled in cn=config. To log failed modification database operations by a plug-in, enable the nsslapd-auditfaillog-logging-enabled attribute in cn=config.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-logAudit: Off |
6.1.3. nsslapd-pluginDescription
The nsslapd-pluginDescription attribute provides a description of the plugin.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginDescription: acl access check plug-in |
6.1.4. nsslapd-pluginEnabled
The nsslapd-pluginEnabled attribute controls whether the plugin is enabled.
Changing this attribute requires a server restart.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-pluginEnabled: on |
6.1.5. nsslapd-pluginId
The nsslapd-pluginId attribute specifies the plugin ID.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid plug-in ID |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginId: chaining database |
6.1.6. nsslapd-pluginInitfunc
The nsslapd-pluginInitfunc attribute specifies the plugin initialization function.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid plug-in function |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginInitfunc: NS7bitAttr_Init |
6.1.7. nsslapd-pluginPath
The nsslapd-pluginPath attribute specifies the full path to the plugin.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid path |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginPath: uid-plugin |
6.1.8. nsslapd-pluginPrecedence
The nsslapd-pluginPrecedence attribute sets the execution order priority for the plugin.
Precedence defines the execution order of plugins, which allows more complex environments or interactions since it can enable a plugin to wait for a completed operation before being executed. This is more important for pre-operation and post-operation plugins.
Plugins with a value of 1 have the highest priority and are run first. Plugins with a value of 99 have the lowest priority. The default is 50.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | 1 to 99 |
| Default Value | 50 |
| Syntax | Integer |
| Example | nsslapd-pluginPrecedence: 3 |
6.1.9. nsslapd-pluginType
The nsslapd-pluginType attribute specifies the plugin type.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid plugin type |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-pluginType: preoperation |
6.1.10. nsslapd-pluginVendor
The nsslapd-pluginVendor attribute specifies the vendor of the plugin.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any approved plug-in vendor |
| Default Value | Red Hat, Inc. |
| Syntax | DirectoryString |
| Example | nsslapd-pluginVendor: Red Hat, Inc. |
6.1.11. nsslapd-pluginVersion
The nsslapd-pluginVersion attribute specifies the plugin version.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid plug-in version |
| Default Value | Product version number |
| Syntax | DirectoryString |
| Example | nsslapd-pluginVersion: 2.4.5 |
6.2. Optional attributes of certain plug-ins
The optional plug-in attributes in Red Hat Directory Server store supplementary configuration settings used to customize the behavior of specific server plug-ins. For example, you can tune plug-in loading and dependencies.
6.2.1. nsslapd-dynamic-plugins
You can enable some Red Hat Directory Server plug-ins dynamically, without restarting the instance, for testing purposes. Dynamic plug-ins are disabled by default; enable the nsslapd-dynamic-plugins attribute to allow them.
Red Hat Directory Server does not support dynamic plug-ins. Use it only for testing and debugging purposes.
You cannot configure some plug-ins as dynamic. To enable such plug-ins, restart the instance.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-dynamic-plugins: on |
6.2.2. nsslapd-pluginConfigArea
The nsslapd-pluginConfigArea attribute in Red Hat Directory Server defines the specific directory entry or subtree that contains the configuration parameters for a server plugin in a replicated part of your directory.
Some plugin entries are container entries, and multiple instances of the plugin are created beneath this container in cn=plugins,cn=config. However, cn=plugins,cn=config is not replicated, which means that the plugin configurations beneath those container entries must be configured manually, in some way, on every Red Hat Directory Server instance.
The nsslapd-pluginConfigArea attribute points to another container entry, in the main database area, which contains the plugin instance entries. This container entry can be in a replicated database, which allows the plugin configuration to be replicated.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DN |
| Example | nsslapd-pluginConfigArea: cn=managed entries container,ou=containers,dc=example,dc=com |
6.2.3. nsslapd-plugin-depends-on-named
The nsslapd-plugin-depends-on-named multi-valued attribute defines a specific execution order for Red Hat Directory Server plugins.
The attribute takes a value which corresponds to the cn value of a plug-in. The plug-in with a cn value matching one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start.
For example, to configure Directory Server to start the Roles plugin after the Views plugin, add the nsslapd-plugin-depends-on-named attribute with the value Views to the cn=Roles Plugin,cn=plugins,cn=config Roles plugin configuration entry.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid plugin ID |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-plugin-depends-on-named: Views |
6.2.4. nsslapd-plugin-depends-on-type
The nsslapd-plugin-depends-on-type multi-valued attribute defines a specific execution order for Red Hat Directory Server plugins.
The attribute takes a value which corresponds to the type of a plugin, contained in the nsslapd-pluginType attribute. See nsslapd-pluginType for more details. Red Hat Directory Server starts all plugins with the type value that matches one of the values in the following valid range prior to the plugin.
For example, to configure Directory Server to start the Referential Integrity plugin after the Database plugin, add the nsslapd-plugin-depends-on-type attribute with the value database to the cn=referential integrity postoperation,cn=plugins,cn=config entry.
| Plugin Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | Any valid plugin type |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-plugin-depends-on-type: database |
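The start-order rules of nsslapd-plugin-depends-on-named and nsslapd-plugin-depends-on-type can be checked offline against an export of cn=plugins,cn=config before a restart. The following Python is an added example, not code from Directory Server: the sample entries, the "Hypothetical Custom" plug-in and the function names are constructed for illustration, and the LDIF is assumed to be unfolded and not base64-encoded.

```python
"""Added example: model plug-in start ordering from dependency attributes."""
from graphlib import CycleError, TopologicalSorter

# Constructed sample entries (not a dump from a real server).
SAMPLE_LDIF = """\
dn: cn=ldbm database,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: ldbm database
nsslapd-pluginType: database

dn: cn=Views,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Views
nsslapd-pluginType: object

dn: cn=Roles Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Roles Plugin
nsslapd-pluginType: object
nsslapd-plugin-depends-on-named: Views
nsslapd-plugin-depends-on-type: database

dn: cn=referential integrity postoperation,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: referential integrity postoperation
nsslapd-pluginType: postoperation
nsslapd-plugin-depends-on-type: database

dn: cn=Hypothetical Custom,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
cn: Hypothetical Custom
nsslapd-pluginType: preoperation
nsslapd-plugin-depends-on-named: Not Installed
"""

REQUIRED_OC = {"top", "nsslapdplugin", "extensibleobject"}


def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into lower-cased attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def start_order(entries):
    """Return (order, problems): a dependency-respecting order and config findings."""
    by_cn = {e["cn"][0].lower(): e for e in entries}
    by_type = {}
    for cn, e in by_cn.items():
        for t in e.get("nsslapd-plugintype", []):
            by_type.setdefault(t.lower(), set()).add(cn)

    graph, problems = {}, []
    for cn, e in by_cn.items():
        deps = set()
        missing_oc = REQUIRED_OC - {oc.lower() for oc in e.get("objectclass", [])}
        if missing_oc:
            problems.append(f"{cn}: missing object class {sorted(missing_oc)}")
        for name in e.get("nsslapd-plugin-depends-on-named", []):
            if name.lower() in by_cn:
                deps.add(name.lower())
            else:  # the page states the server fails to start in this case
                problems.append(f"{cn}: depends on unknown plug-in '{name}'")
        for t in e.get("nsslapd-plugin-depends-on-type", []):
            deps |= by_type.get(t.lower(), set()) - {cn}
        graph[cn] = deps
    try:
        order = list(TopologicalSorter(graph).static_order())
    except CycleError as exc:
        problems.append(f"dependency cycle: {exc.args[1]}")
        order = []
    return order, problems


if __name__ == "__main__":
    order, problems = start_order(parse_ldif(SAMPLE_LDIF))
    print("start order:", order)
    for p in problems:
        print("finding:", p)
```

The order returned is one valid order, not necessarily the one the server picks; the findings list is the part to act on before restarting.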
6.2.5. nsslapd-pluginLoadGlobal
The nsslapd-pluginLoadGlobal attribute controls the visibility of the symbols in dependent libraries. Set the value to true to make these symbols available to the entire executable and all shared objects, or use false to restrict visibility to the plugin’s local scope.
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | true \| false |
| Default Value | false |
| Syntax | DirectoryString |
| Example | nsslapd-pluginLoadGlobal: false |
6.2.6. nsslapd-pluginLoadNow
The nsslapd-pluginLoadNow attribute specifies whether to load all of the symbols used by a plugin immediately (true), as well as all symbols referenced by those symbols, or to load each symbol the first time it is used (false).
| Plug-in Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_name>,cn=plugins,cn=config |
| Valid Values | true \| false |
| Default Value | false |
| Syntax | DirectoryString |
| Example | nsslapd-pluginLoadNow: false |
6.3. Server plug-in functionality reference
The server plugin functionality reference in Red Hat Directory Server describes the modular features that extend the core capabilities of your directory.
Review the plugins provided with Red Hat Directory Server, along with their configurable options, configurable arguments, default settings, dependencies, and general performance-related information.
6.3.1. 7-bit Check plugin
The 7-bit Check plugin validates that specified attributes contain only 7-bit ASCII characters to ensure compatibility with systems that do not support extended character sets.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | NS7bitAtt |
| DN of Configuration Entry | cn=7-bit check,cn=plugins,cn=config |
| Description | Checks certain attributes are 7-bit clean |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | List of attributes ( |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | If Red Hat Directory Server uses non-ASCII characters, such as Japanese, turn this plugin off. |
6.3.2. Account Policy plugin
The Account Policy plugin defines configuration attributes for enforcing user access rules and automating account lifecycle management. These settings help you implement security measures like tracking login times and locking inactive accounts.
Account policies can be set to automatically lock an account after a certain amount of time. This is useful, for example, when you create temporary accounts that are valid only for a preset amount of time, or to lock users who have been inactive for a certain amount of time.
The Account Policy plugin itself accepts only one argument, which points to a plugin configuration entry.
dn: cn=Account Policy Plugin,cn=plugins,cn=config
...
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
The account policy configuration entry defines, for the entire server, what attributes to use for account policies. Most of the configuration defines attributes to use to evaluate account policies and expiration times, but the configuration also defines what object class to use to identify subtree-level account policy definitions.
dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config
... attributes for evaluating accounts ...
alwaysRecordLogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp
... attributes for account policy entries ...
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit
Once the plugin is configured globally, account policy entries can be created within the user subtrees, and then these policies can be applied to users and to roles through classes of service.
Example 6.1. Account Policy Definition
dn: cn=AccountPolicy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
# 86400 seconds per day * 30 days = 2592000 seconds
accountInactivityLimit: 2592000
cn: AccountPolicy
Any entry, both individual users and roles or CoS templates, can be an account policy subentry. Every account policy subentry has its creation and login times tracked against any expiration policy.
Example 6.2. User Account with Account Policy
dn: uid=scarter,ou=people,dc=example,dc=com
...
lastLoginTime: 20060527001051Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com
| Plugin Parameter | Description |
|---|---|
| Plugin ID | none |
| DN of Configuration Entry | cn=Account Policy Plugin,cn=plugins,cn=config |
| Description | Defines a policy to lock user accounts after a certain expiration period or inactivity period. |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | A pointer to a configuration entry which contains the global account policy settings. |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | This plugin configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the |
6.3.2.1. altstateattrname
The altstateattrname attribute provides an additional attribute for the server to check the expiration time if the last login time for a user does not exist.
Account expiration policies rely on timed criteria for the account. For example, for an inactivity policy, the primary criteria might be the last login time, lastLoginTime. However, there might be instances where that attribute does not exist on an entry, such as a user who never authenticated.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | altstateattrname: createTimeStamp |
6.3.2.2. alwaysRecordLogin
Use the alwaysRecordLogin attribute to make every entry record its last login time. With this, Red Hat Directory Server can apply classes of service (CoS) and roles to account policies.
By default, Red Hat Directory Server only tracks login times for entries which have an account policy directly applied to them, such as entries with the acctPolicySubentry attribute. If account policies are applied through CoS or roles, then the acctPolicySubentry attribute is on the template or container entry, not the user entries themselves.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | yes \| no |
| Default Value | no |
| Syntax | DirectoryString |
| Example | alwaysRecordLogin: no |
6.3.2.3. alwaysRecordLoginAttr
The Account Policy plug-in stores the time of the last successful login in the user’s directory entry, in the attribute named by the alwaysRecordLoginAttr parameter.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any valid attribute name |
| Default Value | stateAttrName |
| Syntax | DirectoryString |
| Example | alwaysRecordLoginAttr: lastLoginTime |
6.3.2.4. lastLoginHistSize
To maintain a history of successful logins, use the lastLoginHistSize attribute, which determines the number of logins to store. By default, the last five successful logins are stored.
For the lastLoginHistSize attribute to store the last logins, you must enable the alwaysRecordLogin attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | 0 (Disable) to the maximum 32 bit integer value (2147483647) |
| Default Value | 5 |
| Syntax | Integer |
| Example | lastloginhistorysize: 10 |
6.3.2.5. limitattrname
The limitattrname attribute in the Account Policy plugin defines which attribute within the policy to use for the account inactivation limit. Red Hat Directory Server applies limitattrname globally to all account policies.
The account policy entry in the user directory defines the time limit for the account lockout policy. You can set this time limit in any time-based attribute, and a policy entry could have multiple time-based attributes.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | limitattrname: accountInactivityLimit |
6.3.2.6. specattrname
The specattrname attribute in Red Hat Directory Server specifies the operational attribute that links a user entry to a specific account policy or class of service (CoS) definition.
Red Hat Directory Server maintains account policy configuration at two levels: global settings within the plugin configuration entry and user or subtree level settings in an entry within the user directory. You can set an account policy directly on a user entry or as part of a CoS or role configuration. The plugin recognizes which entries are account policy configuration entries by identifying a specific attribute on the entry that flags it as an account policy. This attribute in the plugin configuration is specattrname, and it is usually set to acctPolicySubentry.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | specattrname: acctPolicySubentry |
6.3.2.7. stateattrname
Account expiration policies are based on timed criteria for the account. For example, for an inactivity policy, the primary criteria may be the last login time, lastLoginTime. The primary time attribute used to evaluate an account policy is set in the stateattrname attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=Account Policy Plugin,cn=plugins,cn=config |
| Valid Range | Any time-based entry attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | stateattrname: lastLoginTime |
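How stateattrname, altstateattrname, specattrname and limitattrname combine when an account is evaluated for inactivity can be reproduced offline, for example to audit an export for accounts that are about to be locked. The following Python is an added example, not the plug-in's code: the status labels and function names are hypothetical, the directory content is constructed around the entries shown on this page, an account is assumed inactive when its idle time is strictly greater than the limit, and policies applied through CoS or roles are not modelled.

```python
"""Added example: evaluate account inactivity from the plug-in's configuration."""
from datetime import datetime, timezone

# Plug-in configuration values taken from the sample entry on this page.
CONFIG = {
    "stateattrname": "lastLoginTime",
    "altstateattrname": "createTimestamp",
    "specattrname": "acctPolicySubentry",
    "limitattrname": "accountInactivityLimit",
}

# Constructed directory content. Attribute names are stored lower-cased
# because LDAP attribute names are case-insensitive.
DIRECTORY = {
    "cn=accountpolicy,dc=example,dc=com": {"accountinactivitylimit": "2592000"},
    "uid=scarter,ou=people,dc=example,dc=com": {
        "lastlogintime": "20060527001051Z",
        "acctpolicysubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    "uid=newhire,ou=people,dc=example,dc=com": {  # never authenticated
        "createtimestamp": "20060501120000Z",
        "acctpolicysubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    "uid=svc,ou=people,dc=example,dc=com": {"lastlogintime": "20050101000000Z"},
}


def parse_generalized_time(value):
    """Parse the UTC 'YYYYmmddHHMMSSZ' form used in the page's examples."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def evaluate(dn, now, directory=DIRECTORY, config=CONFIG):
    """Return (status, attribute_used, idle_seconds) for one user entry."""
    user = directory[dn.lower()]
    policy_dn = user.get(config["specattrname"].lower())
    if policy_dn is None:
        return ("no-policy", None, None)  # CoS/role-applied policies not modelled
    policy = directory.get(policy_dn.lower(), {})
    limit = policy.get(config["limitattrname"].lower())
    if limit is None:
        return ("policy-without-limit", None, None)
    # Primary time attribute first, then the alternate one.
    for key in ("stateattrname", "altstateattrname"):
        attr = config[key]
        stamp = user.get(attr.lower())
        if stamp is not None:
            idle = int((now - parse_generalized_time(stamp)).total_seconds())
            status = "inactive" if idle > int(limit) else "active"
            return (status, attr, idle)
    return ("no-timestamp", None, None)


if __name__ == "__main__":
    when = datetime(2006, 7, 1, tzinfo=timezone.utc)
    for dn in DIRECTORY:
        if dn.startswith("uid="):
            print(dn, evaluate(dn, when))
```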
6.3.3. Account Usability plugin
The Account Usability plugin checks the authentication status of user accounts without performing actual authentication to help administrators verify account availability.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | acctusability |
| DN of Configuration Entry | cn=Account Usability Plugin,cn=plugins,cn=config |
| Description | Checks the authentication status, or usability, of an account without actually authenticating as the given user |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Dependencies | Database |
| Performance-Related Information | None |
6.3.4. ACL plugin
The ACL plugin enforces access control lists in Red Hat Directory Server to protect directory data from unauthorized access.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | acl |
| DN of Configuration Entry | cn=ACL Plugin,cn=plugins,cn=config |
| Description | ACL access check plugin |
| Type | accesscontrol |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Access control incurs a minimal performance hit. Leave this plugin enabled since it is the primary means of access control for the server. |
6.3.5. ACL Preoperation plugin
The ACL Preoperation plugin performs access control checks before operations execute to prevent unauthorized directory modifications.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | acl |
| DN of Configuration Entry | cn=ACL preoperation,cn=plugins,cn=config |
| Description | ACL access check plugin |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Access control incurs a minimal performance hit. Leave this plugin enabled since it is the primary means of access control for the server. |
6.3.6. AD DN plug-in
The Active Directory (AD) DN plug-in in Red Hat Directory Server defines the configuration attributes used to process and format Active Directory distinguished names. The AD DN plug-in supports multiple domain configurations. Create one configuration entry for each domain.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | addn |
| DN of Configuration Entry | cn=addn,cn=plugins,cn=config |
| Description | Enables the usage of Active Directory-formatted user names, such as |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | None |
| Performance-Related Information | None |
6.3.6.1. addn_base
The addn_base attribute sets the base DN under which Red Hat Directory Server searches for the user’s DN.
| Parameter | Description |
|---|---|
| Entry DN | cn=<domain_name>,cn=addn,cn=plugins,cn=config |
| Valid Entry | Any valid DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | addn_base: ou=People,dc=example,dc=com |
6.3.6.2. addn_filter
The addn_filter attribute sets the search filter. Red Hat Directory Server replaces the %s variable automatically with the non-domain part of the authenticating user.
For example, if the user name in the bind is user_name@example.com, the filter that searches for the corresponding DN is (&(objectClass=account)(uid=user_name)).
| Parameter | Description |
|---|---|
| Entry DN | cn=<domain_name>,cn=addn,cn=plugins,cn=config |
| Valid Entry | Any valid DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | addn_filter: (&(objectClass=account)(uid=%s)) |
6.3.6.3. cn
The cn attribute sets the domain name for a specific configuration entry. The plugin uses the domain name from the authenticating user name to select the corresponding configuration entry.
| Parameter | Description |
|---|---|
| Entry DN | cn=<domain_name>,cn=addn,cn=plugins,cn=config |
| Valid Entry | Any string |
| Default Value | None |
| Syntax | DirectoryString |
| Example | cn: example.com |
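The mapping described in this section (domain part selects the configuration entry, non-domain part replaces %s in addn_filter, search runs under addn_base) can be modelled to predict which search a given bind name leads to. The following Python is an added example, not the plug-in's code: the function names are hypothetical, domain matching is assumed to be case-insensitive, and the RFC 4515 escaping of the user part is a precaution of this model so that filter metacharacters in a name match literally.

```python
"""Added example: derive the search an AD-style bind name maps to."""

# Constructed configuration: one entry per domain, keyed by its cn value.
ADDN_CONFIG = {
    "example.com": {
        "addn_base": "ou=People,dc=example,dc=com",
        "addn_filter": "(&(objectClass=account)(uid=%s))",
    },
}

# RFC 4515 escapes for characters that are special inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00",
}


def escape_filter_value(value):
    """Escape a string so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def resolve_bind_name(bind_name, config=ADDN_CONFIG):
    """Return (base_dn, filter) for 'user@domain', or None if no entry applies."""
    user, sep, domain = bind_name.rpartition("@")
    if not sep or not user or not domain:
        return None  # not in user@domain form, so this mapping does not apply
    entry = config.get(domain.lower())
    if entry is None:
        return None  # no configuration entry whose cn matches the domain
    search_filter = entry["addn_filter"].replace("%s", escape_filter_value(user))
    return (entry["addn_base"], search_filter)


if __name__ == "__main__":
    for name in ("user_name@example.com", "j*smith@example.com",
                 "user_name@other.test"):
        print(name, "->", resolve_bind_name(name))
```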
6.3.7. Alias Entries plugin
The Alias Entries plugin enables directory entries to reference other entries as aliases to simplify directory navigation and provide alternative access paths.
The Alias Entries plugin checks the base entry for the object class alias and the aliasedObjectName attribute that contains a DN to another entry (an alias to another entry). During a search, the plugin modifies the search base DN to this aliased DN.
The Alias Entries plugin supports only base level searches. Use the ldapsearch -a find command to retrieve entries with aliases.
For the plugin to return the aliased entry, the base entry must contain the following information:
- The alias object class.
- The aliasedObjectName attribute (known as the aliasedEntryName attribute in X.500) with a DN value pointing to another entry.
Red Hat Directory Server can return to the client the following errors:
- Error 32 (no such object) if the alias DN is missing.
- Error 53 (unwilling to perform) if the search is a non-base level search.
Dereferencing is the conversion of an alias name to an object name. The process may require the examination of more than one alias entry. An alias entry may point to an entry that is not a leaf entry. An entry in the DIT may have multiple alias names, and several alias entries may point to the same entry.
Example 6.3. An Entry with an alias
dn: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: Barbara Jensen
aliasedObjectName: cn=Barbara Smith,ou=Engineering,dc=example,dc=com
| Plugin Parameter | Description |
|---|---|
| Plugin ID | Alias Entries |
| DN of Configuration Entry | cn=Alias Entries, cn=plugins, cn=config |
| Description | Checks the base entry for |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments |
Alias entries belong to the
The |
| Dependencies | Database |
| Performance-Related Information | Every alias entry must belong to the |
| Further Information |
The
The |
6.3.8. Attribute Uniqueness plug-in
The Attribute Uniqueness plug-in in Red Hat Directory Server ensures that the value of an attribute is unique across the directory or subtree.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | NSUniqueAttr |
| DN of Configuration Entry | cn=Attribute Uniqueness,cn=plugins,cn=config |
| Description | Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | To check for UID attribute uniqueness in all listed subtrees, enter |
| Dependencies | Database |
| Performance-Related Information | Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-supplier replication environment. Turning the plug-in on may slow down Directory Server performance. |
6.3.8.1. cn
The cn attribute sets the name of the Attribute Uniqueness plugin configuration entry. You can use any string; however, consider naming the configuration entry attribute_name Attribute Uniqueness, for example, Mail Attribute Uniqueness.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | Any valid string |
| Default Value | None |
| Syntax | DirectoryString |
| Example | cn: mail Attribute Uniqueness |
6.3.8.2. uniqueness-across-all-subtrees
If the uniqueness-across-all-subtrees attribute is enabled (on) in the Attribute Uniqueness plugin configuration, the plugin checks that the attribute is unique across all subtrees that are set. If you set the attribute to off, uniqueness is enforced only within the subtree of the updated entry.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | uniqueness-across-all-subtrees: off |
6.3.8.3. uniqueness-attribute-name
The uniqueness-attribute-name attribute of the Attribute Uniqueness plugin sets the name of the attribute whose values must be unique. This attribute is multi-valued.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | Any valid attribute name |
| Default Value | None |
| Syntax | DirectoryString |
| Example | uniqueness-attribute-name: mail |
6.3.8.4. uniqueness-exclude-subtrees
The uniqueness-exclude-subtrees attribute of the Attribute Uniqueness plugin sets the distinguished name (DN) under which the plugin skips uniqueness verification of the attribute’s value. This attribute is multi-valued.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | Any valid subtree DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | uniqueness-exclude-subtrees: dc=private,dc=people,dc=example,dc=com |
6.3.8.5. uniqueness-subtree-entries-oc
Optionally, when using the uniqueness-top-entry-oc parameter, you can configure the Attribute Uniqueness plugin to verify that an attribute is unique if the entry contains the object class set in this parameter.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | Any valid object class |
| Default Value | None |
| Syntax | DirectoryString |
| Example | uniqueness-subtree-entries-oc: inetOrgPerson |
6.3.8.6. uniqueness-subtrees
The uniqueness-subtrees attribute of the Attribute Uniqueness plugin sets the distinguished name (DN) under which the plugin checks for uniqueness of the attribute’s value. This attribute is multi-valued.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | Any valid subtree DN |
| Default Value | None |
| Syntax | DirectoryString |
| Example | uniqueness-subtrees: ou=Sales,dc=example,dc=com |
6.3.8.7. uniqueness-top-entry-oc
The uniqueness-top-entry-oc attribute of the Attribute Uniqueness plugin sets the object class that Red Hat Directory Server uses to identify the part of the directory in which to maintain attribute uniqueness.
Red Hat Directory Server searches for the object class set in the uniqueness-top-entry-oc attribute in the parent entry of the updated object. If it is not found, the search continues at the next higher level entry up to the root of the directory tree. If the object class is found, Directory Server verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_uniqueness_configuration_entry_name>,cn=plugins,cn=config |
| Valid Values | Any valid object class |
| Default Value | None |
| Syntax | DirectoryString |
| Example | uniqueness-top-entry-oc: nsContainer |
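The following added example (not Directory Server code) models how uniqueness-subtrees, uniqueness-exclude-subtrees and uniqueness-across-all-subtrees combine to decide which existing entries an update is compared against. The directory contents, the ou=Marketing and ou=private subtrees, and the case-insensitive comparison are assumptions of the model; it covers only the subtree-based form, not uniqueness-top-entry-oc.

```python
"""Simplified model of Attribute Uniqueness scoping (added example)."""
from dataclasses import dataclass, field


def norm_dn(dn):
    # Constructed DNs only: no escaped commas, so a plain split is enough here.
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base):
    """True if dn is the base entry itself or lies below it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class UniquenessConfig:
    attribute: str                                          # uniqueness-attribute-name
    subtrees: list                                          # uniqueness-subtrees
    exclude_subtrees: list = field(default_factory=list)    # uniqueness-exclude-subtrees
    across_all_subtrees: bool = False                       # uniqueness-across-all-subtrees


def find_conflicts(cfg, directory, new_dn, new_value):
    """Return the DNs of existing entries that would make the update fail."""
    # Updates below an excluded subtree are not verified at all.
    if any(is_under(new_dn, ex) for ex in cfg.exclude_subtrees):
        return []
    # The updated entry must live in one of the configured subtrees.
    home = [s for s in cfg.subtrees if is_under(new_dn, s)]
    if not home:
        return []
    # off: compare only within the entry's own subtree; on: within all of them.
    scope = cfg.subtrees if cfg.across_all_subtrees else home
    conflicts = []
    for dn, attrs in directory.items():
        if norm_dn(dn) == norm_dn(new_dn):
            continue
        if not any(is_under(dn, s) for s in scope):
            continue
        # Assumption of this model: excluded entries are also ignored as conflicts.
        if any(is_under(dn, ex) for ex in cfg.exclude_subtrees):
            continue
        values = [v.lower() for v in attrs.get(cfg.attribute, [])]
        if new_value.lower() in values:
            conflicts.append(dn)
    return sorted(conflicts)


# Constructed sample data.
SUBTREES = ["ou=Sales,dc=example,dc=com", "ou=Marketing,dc=example,dc=com"]
EXCLUDED = ["ou=private,ou=Sales,dc=example,dc=com"]
DIRECTORY = {
    "uid=alice,ou=Sales,dc=example,dc=com": {"mail": ["alice@example.com"]},
    "uid=bob,ou=Marketing,dc=example,dc=com": {"mail": ["bob@example.com"]},
    "uid=svc,ou=private,ou=Sales,dc=example,dc=com": {"mail": ["shared@example.com"]},
}

if __name__ == "__main__":
    new_dn = "uid=alice2,ou=Marketing,dc=example,dc=com"
    for flag in (False, True):
        cfg = UniquenessConfig("mail", SUBTREES, EXCLUDED, across_all_subtrees=flag)
        hits = find_conflicts(cfg, DIRECTORY, new_dn, "alice@example.com")
        print("across-all-subtrees", "on " if flag else "off", "->", hits or "accepted")
```

With the default setting (off), the same mail value can exist once in each configured subtree, so turn the setting on when the attribute is used to identify an account across the whole deployment.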
6.3.9. Auto Membership plugin
The Auto Membership plugin in Red Hat Directory Server automatically assigns directory entries to specific groups based on their attribute values. Review the plugin reference to dynamically manage group memberships, reducing manual administration, and ensuring consistent access control across your environment.
With the Auto Membership plugin, a static group can act like a dynamic group. Different Auto Membership definitions create searches that are automatically run on all new directory entries.
The Auto Membership rules search for and identify matching entries and then explicitly add those entries as members to the specified static group.
The Auto Membership plugin itself is a container entry. Each automember definition is a child of the Auto Membership plugin. The automember definition defines the LDAP search base and filter to identify entries and a default group to add them to.
dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn
Each automember definition can have its own child entry that defines additional conditions for assigning the entry to a group. Regular expressions can be used to include or exclude entries and assign them to specific groups based on those conditions.
dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com
If the entry matches the main definition and not any of the regular expression conditions, then it uses the group in the main definition. If it matches a regular expression condition, then it is added to the regular expression condition group.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | Auto Membership |
| DN of Configuration Entry | cn=Auto Membership,cn=plugins,cn=config |
| Description | Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None for the main plugin entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group. |
| Dependencies | Database |
| Performance-Related Information | None. |
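The following added example (not Directory Server code) models the evaluation order described above: scope and filter first, then exclusive expressions, then inclusive expressions, with the default group as fallback. The host names, the simplification of the filter to a single object class, the unanchored regex search, and the behaviour that an excluded entry falls back to the default group are assumptions of the model. It also shows that the expression used on this page has no end anchor, so it matches any longer name that merely starts with the expected pattern.

```python
"""Simplified model of Auto Membership rule evaluation (added example)."""
import re
from dataclasses import dataclass, field

DEFAULT_GROUP = "cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com"
WEB_GROUP = "cn=webservers,cn=hostgroups,dc=example,dc=com"
PAGE_REGEX = r"fqdn=^www\.web[0-9]+\.example\.com"        # as shown on this page
ANCHORED_REGEX = r"fqdn=^www\.web[0-9]+\.example\.com$"   # end anchor added


@dataclass
class RegexRule:                                    # autoMemberRegexRule child entry
    target_group: str                               # autoMemberTargetGroup
    inclusive: list = field(default_factory=list)   # autoMemberInclusiveRegex
    exclusive: list = field(default_factory=list)   # autoMemberExclusiveRegex


@dataclass
class Definition:                                   # autoMemberDefinition entry
    scope: str                                      # autoMemberScope
    object_class: str                               # autoMemberFilter: objectclass=<value>
    default_group: str                              # autoMemberDefaultGroup
    rules: list = field(default_factory=list)


def _in_scope(dn, base):
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def _any_match(entry, conditions):
    """True if any 'attr=regex' condition matches any value of that attribute."""
    for condition in conditions:
        attr, pattern = condition.split("=", 1)
        if any(re.search(pattern, v) for v in entry.get(attr.lower(), [])):
            return True
    return False


def target_groups(defn, dn, entry):
    """Return the groups the entry would be added to ([] if not selected at all)."""
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    if not _in_scope(dn, defn.scope) or defn.object_class.lower() not in classes:
        return []
    groups = []
    for rule in defn.rules:
        if _any_match(entry, rule.exclusive):   # exclude conditions are checked first
            continue
        if _any_match(entry, rule.inclusive):
            groups.append(rule.target_group)
    return groups or [defn.default_group]       # no rule matched: fallback group


def host(fqdn):
    """Constructed sample host entry."""
    return {"objectclass": ["ipHost"], "fqdn": [fqdn]}


def definition(include, exclude=()):
    rule = RegexRule(WEB_GROUP, inclusive=[include], exclusive=list(exclude))
    return Definition("dc=example,dc=com", "ipHost", DEFAULT_GROUP, [rule])


if __name__ == "__main__":
    dn = "cn=h1,ou=hosts,dc=example,dc=com"
    names = ("www.web1.example.com", "db1.example.com",
             "www.web1.example.com.partner.test")
    for name in names:
        for label, regex in (("page regex", PAGE_REGEX), ("anchored", ANCHORED_REGEX)):
            groups = target_groups(definition(regex), dn, host(name))
            print(f"{name:36} {label:10} -> {groups}")
```

Because group membership usually drives access control, review inclusive expressions for a missing `$` anchor before enabling the plugin.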
6.3.9.1. autoMemberDefaultGroup
The autoMemberDefaultGroup attribute sets a default or fallback group to add the entry to as a member.
If only the definition entry is used in the Auto Membership plugin configuration, all matching entries are added to this group, and with regex conditions it is the fallback when an entry matches the LDAP filter but not any regular expression.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any existing Directory Server group |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberDefaultGroup: cn=hostgroups,ou=groups,dc=example,dc=com |
6.3.9.2. autoMemberDefinition (object class)
The autoMemberDefinition object class identifies the entry as an Auto Membership definition, which is the plugin configuration entry. The Auto Membership definition entry must be a child of the Auto Membership plugin and stored under cn=Auto Membership Plugin,cn=plugins,cn=config.
Allowed attributes are the following:
- autoMemberScope
- autoMemberFilter
- autoMemberDefaultGroup
- autoMemberGroupingAttr
6.3.9.3. autoMemberExclusiveRegex
The autoMemberExclusiveRegex attribute sets a regular expression to identify entries to exclude from automatic membership. If an entry matches the exclusion condition, then Red Hat Directory Server does not include it in the group.
You can use multiple regular expressions, and if an entry matches any one of those expressions, Red Hat Directory Server excludes it from the group.
The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.
Exclude conditions are evaluated first and take precedence over include conditions.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any regular expression |
| Default Value | None |
| Single- or Multi-Valued | Multi-valued |
| Syntax | DirectoryString |
| Example | autoMemberExclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |
6.3.9.4. autoMemberFilter
The autoMemberFilter attribute sets the LDAP search filter Red Hat Directory Server uses to find matching entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP search filter |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberFilter:objectclass=ntUser |
6.3.9.5. autoMemberGroupingAttr
The autoMemberGroupingAttr attribute sets the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format <group_member_attribute>:<entry_attribute>.
For example, for a groupOfUniqueNames user group, each member is added as the uniqueMember attribute. The value of uniqueMember is the distinguished name (DN) of the user entry. Each group member is identified by the attribute-value pair of uniqueMember: <user_entry_DN>. Then the member entry format is uniqueMember:dn.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberGroupingAttr: member:dn |
6.3.9.6. autoMemberInclusiveRegex
The autoMemberInclusiveRegex attribute sets a regular expression to identify entries to include in a group. You can use multiple regular expressions, and if an entry matches any one of those expressions, Red Hat Directory Server includes the matched entry in the group.
Note that Red Hat Directory Server checks exclude expressions first.
The format is a Perl-compatible regular expression (PCRE). For more information, see the pcresyntax(3) man page.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any regular expression |
| Default Value | None |
| Single- or Multi-Valued | Multi-valued |
| Syntax | DirectoryString |
| Example | autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |
6.3.9.7. autoMemberProcessModifyOps
The autoMemberProcessModifyOps attribute controls whether Red Hat Directory Server invokes the Auto Membership plugin on both add and modify operations. By default, autoMemberProcessModifyOps is set to on and the plugin changes groups when you add a group entry to a user or modify a group entry of a user.
If you set the autoMemberProcessModifyOps to off, Red Hat Directory Server only invokes the Auto Membership plugin when you add a group entry to a user. In this case, if you change a user entry, and that entry impacts what Automembership groups the user belongs to, the plugin does not remove the user from the old group and only adds the new group. To update the old group, you must then manually run a fix-up task.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | on |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberProcessModifyOps: on |
6.3.9.8. autoMemberRegexRule (object class)
The autoMemberRegexRule object class identifies the entry as a regular expression rule. The entry must be a child of an Auto Membership definition entry (objectclass: autoMemberDefinition).
Allowed attributes are the following:
- autoMemberInclusiveRegex
- autoMemberExclusiveRegex
- autoMemberTargetGroup
6.3.9.9. autoMemberScope
The autoMemberScope attribute sets the subtree distinguished name (DN), the search base, to search for entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server subtree |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberScope: dc=example,dc=com |
6.3.9.10. autoMemberTargetGroup
The autoMemberTargetGroup attribute sets which group to add the entry to as a member when it meets the regular expression conditions.
| Parameter | Description |
|---|---|
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server group |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberTargetGroup: cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com |
6.3.10. Binary Syntax plugin
The Binary Syntax plugin provides syntax validation for binary data attributes in Red Hat Directory Server.
Binary syntax is deprecated. Use Octet String syntax instead.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | bin-syntax |
| DN of Configuration Entry | cn=Binary Syntax,cn=plugins,cn=config |
| Description | Syntax for handling binary data. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.11. Bit String Syntax plugin
The Bit String Syntax plugin validates bit string attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | bitstring-syntax |
| DN of Configuration Entry | cn=Bit String Syntax,cn=plugins,cn=config |
| Description | Supports bit string syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.12. Bitwise plug-in
The Bitwise plugin provides matching rules for bitwise operations in LDAP searches to enable efficient filtering based on bit-level attribute values.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | bitwise |
| DN of Configuration Entry | cn=Bitwise Plugin,cn=plugins,cn=config |
| Description | Matching rule for performing bitwise operations against the LDAP server |
| Type | matchingrule |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.13. Boolean Syntax plug-in
The Boolean Syntax plugin validates boolean attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | boolean-syntax |
| DN of Configuration Entry | cn=Boolean Syntax,cn=plugins,cn=config |
| Description | Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.14. Case Exact String Syntax plugin
The Case Exact String Syntax plugin provides case-sensitive matching rules for string attributes in Red Hat Directory Server to enable accurate string comparisons.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | ces-syntax |
| DN of Configuration Entry | cn=Case Exact String Syntax,cn=plugins,cn=config |
| Description | Supports case-sensitive matching for Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plugin provides case-sensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.15. Case Ignore String Syntax plugin
The Case Ignore String Syntax plugin provides case-insensitive matching rules for string attributes in Red Hat Directory Server to enable flexible string comparisons.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | directorystring-syntax |
| DN of Configuration Entry | cn=Case Ignore String Syntax,cn=plugins,cn=config |
| Description | Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plugin provides case-insensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.16. Chaining Database plugin
The Chaining Database plugin receives a request for data that does not exist on the local server and transparently forwards (or "chains") that request to a remote LDAP server where the data actually resides.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | chaining database |
| DN of Configuration Entry | cn=Chaining database,cn=plugins,cn=config |
| Description | Enables back end databases to be linked |
| Type | database |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | There are many performance related tuning parameters involved with the chaining database. |
| Further Information | A chaining database is also known as a database link. |
6.3.17. Class of Service plugin
The Class of Service plugin enables attributes to be shared across multiple directory entries to reduce data redundancy and simplify attribute management.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | cos |
| DN of Configuration Entry | cn=Class of Service,cn=plugins,cn=config |
| Description | Allows for sharing of attributes between entries |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | Do not modify the configuration of this plugin. Leave this plugin running at all times. |
6.3.18. Content Synchronization plugin
The Content Synchronization plugin helps a client to stay synchronized with a portion of the directory data without having to perform a full search every time.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | content-sync-plugin |
| DN of Configuration Entry | cn=Content Synchronization,cn=plugins,cn=config |
| Description | Enables support for the |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | Retro Changelog plug-in |
| Performance-Related Information | If you know which back end or subtree clients access to synchronize data, limit the scope of the |
6.3.19. Country String Syntax plugin
The Country String Syntax plugin validates ISO 3166 country code attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | countrystring-syntax |
| DN of Configuration Entry | cn=Country String Syntax,cn=plugins,cn=config |
| Description | Supports country naming syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.20. Delivery Method Syntax plugin
The Delivery Method Syntax plugin validates preferredDeliveryMethod values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | delivery-syntax |
| DN of Configuration Entry | cn=Delivery Method Syntax,cn=plugins,cn=config |
| Description | Supports values that are lists of preferred delivery methods and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.21. Deref plugin
The Deref plugin supports dereference controls in directory searches to retrieve referenced entry attributes in a single search operation.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | Dereference |
| DN of Configuration Entry | cn=deref,cn=plugins,cn=config |
| Description | For dereference controls in directory searches |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.22. Distinguished Name Syntax plugin
The Distinguished Name Syntax plugin validates LDAP distinguished name attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | dn-syntax |
| DN of Configuration Entry | cn=Distinguished Name Syntax,cn=plugins,cn=config |
| Description | Supports DN value syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.23. Distributed Numeric Assignment plug-in
The Distributed Numeric Assignment (DNA) plugin manages ranges of numbers and assigns unique numbers within that range to entries. By breaking number assignments into ranges, the DNA plugin helps multiple servers to assign numbers without conflict.
The plugin also manages the ranges assigned to servers, so that if one instance runs through its range quickly, it can request additional ranges from the other servers.
You can configure distributed numeric assignment to work with single attribute types or multiple attribute types.
Distributed numeric assignment is handled per-attribute and is only applied to specific suffixes and specific entries within the subtree.
| Plugin Information | Description |
|---|---|
| Plugin ID | Distributed Numeric Assignment |
| Configuration Entry DN | cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Description | Distributed Numeric Assignment plugin |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | Database |
| Performance-Related Information | None |
6.3.23.1. dnaFilter
The dnaFilter attribute sets an LDAP filter to identify the entries to which to apply the distributed numeric assignment range.
The dnaFilter attribute is required to set up distributed numeric assignment for an attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaFilter: (objectclass=person) |
6.3.23.2. dnaHostname
The dnaHostname attribute identifies a hostname of a server in a shared range, as part of the DNA range configuration for that specific host in multi-supplier replication.
Available ranges are tracked by host and the range information is replicated among all suppliers so that if any supplier runs low on available numbers, it can use the host information to contact another supplier and request a new range.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString |
| Valid Range | Any valid host name |
| Default Value | None |
| Example | dnahostname: ldap1.example.com |
6.3.23.3. dnaInterval
The dnaInterval attribute sets an interval to use to increment through numbers in a range.
This skips numbers at a predefined rate. If the interval is 3 and the first number in the range is 1, the next number used in the range is 4, then 7, then 10, incrementing by three for every new number assignment.
In a replication environment, the dnaInterval enables multiple servers to share the same range. However, when you configure different servers that share the same range, set the dnaInterval and dnaNextVal parameters accordingly so that the different servers do not generate the same values. You must also consider this if you add new servers to the replication topology.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any integer |
| Default Value | 1 |
| Syntax | Integer |
| Example | dnaInterval: 1 |
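The following added example (not Directory Server code) checks whether servers that share one range can ever assign the same number, given each server's starting value, interval and maximum. It treats each server's assignments as the arithmetic progression described above and finds the first common value; the host names ldap2 and ldap3 and all numeric settings are constructed sample data.

```python
"""Collision check for servers sharing a DNA range (added example)."""
from dataclasses import dataclass
from itertools import combinations
from math import gcd, inf


@dataclass(frozen=True)
class DnaRange:
    host: str          # dnaHostname
    next_value: int    # first number this server will assign (dnaNextValue)
    interval: int      # dnaInterval
    max_value: int     # dnaMaxValue, -1 means unlimited

    @property
    def upper(self):
        return inf if self.max_value == -1 else self.max_value


def first_collision(a, b):
    """Return the smallest number both servers would assign, or None."""
    if a.interval < 1 or b.interval < 1:
        raise ValueError("dnaInterval must be a positive integer")
    g = gcd(a.interval, b.interval)
    diff = b.next_value - a.next_value
    if diff % g:
        return None                      # the two progressions never meet
    m1, m2 = a.interval // g, b.interval // g
    # Solve a.next + a.interval * t == b.next (mod b.interval) for the smallest t >= 0.
    t = 0 if m2 == 1 else (diff // g) * pow(m1, -1, m2) % m2
    x = a.next_value + a.interval * t
    lcm = a.interval * m2
    if x < b.next_value:                 # move up to the first value b can reach
        steps = -(-(b.next_value - x) // lcm)
        x += lcm * steps
    return x if x <= min(a.upper, b.upper) else None


def audit(ranges):
    """Return (host, host, first duplicate value) for every colliding pair."""
    findings = []
    for a, b in combinations(ranges, 2):
        value = first_collision(a, b)
        if value is not None:
            findings.append((a.host, b.host, value))
    return findings


# Constructed sample topology: two servers interleave correctly with interval 2,
# then a third server is added without adjusting the interval on the others.
TWO_SERVERS = [
    DnaRange("ldap1.example.com", 1, 2, 1000),
    DnaRange("ldap2.example.com", 2, 2, 1000),
]
THIRD_ADDED = TWO_SERVERS + [DnaRange("ldap3.example.com", 5, 2, 1000)]
THIRD_FIXED = [
    DnaRange("ldap1.example.com", 1, 3, 1000),
    DnaRange("ldap2.example.com", 2, 3, 1000),
    DnaRange("ldap3.example.com", 3, 3, 1000),
]

if __name__ == "__main__":
    for label, topology in (("two servers", TWO_SERVERS),
                            ("third added", THIRD_ADDED),
                            ("third fixed", THIRD_FIXED)):
        print(label, "->", audit(topology) or "no duplicates possible")
```

Run a check like this against the planned settings before adding a server to the topology, because duplicate uidNumber or gidNumber values give two accounts the same identity on client systems.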
6.3.23.4. dnaMagicRegen
The dnaMagicRegen attribute sets a user-defined value (magic value) that instructs the plugin to assign a new value for the entry.
The magic value can be used to assign new unique numbers to existing entries or as a standard setting when adding new entries.
The magic entry should be outside of the defined range for the server so that it cannot be triggered by accident. Note that this attribute does not have to be a number when used on a DirectoryString or other character type. However, in most cases the DNA plug-in is used on attributes which only accept integer values, and in such cases the dnamagicregen value must also be an integer.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any string |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaMagicRegen: -1 |
6.3.23.5. dnaMaxValue
The dnaMaxValue attribute sets the maximum value that can be assigned for the range.
The default is -1, which is the same as setting the highest 64-bit integer.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems; -1 is unlimited |
| Default Value | -1 |
| Syntax | Integer |
| Example | dnaMaxValue: 1000 |
6.3.23.6. dnaNextRange
The dnaNextRange attribute defines the next range to use when the current range is exhausted.
This value is automatically set when a range is transferred between servers, but it can also be manually set to add a range to a server if range requests are not used.
The dnaNextRange attribute should be set explicitly only if a separate, specific range has to be assigned to other servers. Any range set in the dnaNextRange attribute must be unique from the available range for the other servers to avoid duplication. If there is no request from the other servers and the server where dnaNextRange is set explicitly has reached its set dnaMaxValue, the next set of values (part of the dnaNextRange) is allocated from this deck.
The dnaNextRange allocation is also limited by the dnaThreshold attribute that is set in the DNA configuration. Any range allocated to another server for dnaNextRange cannot violate the threshold for the server, even if the range is available on the deck of dnaNextRange.
The dnaNextRange attribute is handled internally if it is not set explicitly. When it is handled automatically, the dnaMaxValue attribute serves as the upper limit for the next range.
The attribute sets the range in the format lower_range-upper_range.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems for the lower and upper ranges |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaNextRange: 100-500 |
6.3.23.7. dnaNextValue
The dnaNextValue attribute specifies the next available number which can be assigned.
After being initially set in the configuration entry, this attribute is managed by the Distributed Numeric Assignment Plugin.
The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | -1 |
| Syntax | Integer |
| Example | dnaNextValue: 1 |
6.3.23.8. dnaPluginConfig (object class)
The dnaPluginConfig object class is used for entries which configure the DNA plugin and numeric ranges to assign to entries. This object class is defined in Red Hat Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.324
Allowed attributes:
- dnaType
- dnaPrefix
- dnaNextValue
- dnaMaxValue
- dnaInterval
- dnaMagicRegen
- dnaFilter
- dnaScope
- dnaSharedCfgDN
- dnaThreshold
- dnaNextRange
- dnaRangeRequestTimeout
- cn
6.3.23.9. dnaPortNum
The dnaPortNum attribute specifies the standard port number to use to connect to the host configured in dnaHostname.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | Integer |
| Valid Range | 0 to 65535 |
| Default Value | 389 |
| Example | dnaPortNum: 389 |
6.3.23.10. dnaPrefix
The dnaPrefix attribute defines a prefix that can be prepended to the generated number values for the attribute.
For example, to generate a user ID such as user1000, the dnaPrefix setting would be user.
dnaPrefix can hold any kind of string. However, some possible values for dnaType (such as uidNumber and gidNumber) require only integer values. To use a prefix string, consider using a custom attribute for dnaType which allows strings.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any string |
| Default Value | None |
| Example | dnaPrefix: id |
6.3.23.11. dnaRangeRequestTimeout
The dnaRangeRequestTimeout attribute sets a timeout period, in seconds, for range requests.
One potential situation with the Distributed Numeric Assignment plugin is that one server begins to run out of numbers to assign. The dnaThreshold attribute sets a threshold of available numbers in the range, so that the server can request an additional range from the other servers before it is unable to perform number assignments.
The dnaRangeRequestTimeout attribute sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server.
For range requests to be performed, the dnaSharedCfgDN attribute must be set.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | 10 |
| Syntax | Integer |
| Example | dnaRangeRequestTimeout: 15 |
6.3.23.12. dnaRemainingValues
The dnaRemainingValues attribute contains the number of values that are remaining and available to a server to assign to entries.
| Parameter | Description |
|---|---|
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | Integer |
| Valid Range | Any integer |
| Default Value | None |
| Example | dnaRemainingValues: 1000 |
6.3.23.13. dnaRemoteBindCred
The dnaRemoteBindCred attribute specifies the Replication Manager’s password.
If you set a bind method in the dnaRemoteBindMethod attribute that requires authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred attributes for every server in the replication deployment in the plugin configuration entry under the cn=config entry.
Set the attribute in plain text. The value is automatically AES-encrypted before it is stored.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString {AES} encrypted_password |
| Valid Values | Any valid AES-encrypted password. |
| Default Value | |
| Example | dnaRemoteBindCred: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmxObUk0WXpjM1l5MHdaVE5rTXpZNA0KTnkxaE9XSmhORGRoT0MwMk1ESmpNV014TUFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQk5KbUFDUWFOMHlITWdsUVp3QjBJOQ==}bBR3On6cBmw0DdhcRx826g== |
6.3.23.14. dnaRemoteBindDN
The dnaRemoteBindDN attribute specifies the Replication Manager distinguished name (DN).
If you set a bind method in the dnaRemoteBindMethod attribute that requires authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred attributes for every server in the replication deployment in the plugin configuration under the cn=config entry.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString |
| Valid Values | Any valid Replication Manager DN. |
| Default Value | |
| Example | dnaRemoteBindDN: cn=replication manager,cn=config |
6.3.23.15. dnaRemoteBindMethod
The dnaRemoteBindMethod attribute specifies the remote bind method.
If you set a bind method in this attribute that requires authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred attributes for every server in the replication deployment in the plugin configuration entry under the cn=config entry.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | DirectoryString |
| Valid Values | |
| Default Value | |
| Example | dnaRemoteBindMethod: SIMPLE |
6.3.23.16. dnaRemoteConnProtocol
The dnaRemoteConnProtocol attribute specifies the remote connection protocol.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | DirectoryString |
| Valid Values | |
| Default Value | |
| Example | dnaRemoteConnProtocol: LDAP |
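
A check over the four remote-bind attributes described above, as an added example that is not part of the Red Hat documentation: it reads an LDIF export containing the DNA plugin configuration entries and the shared range entries, then reports missing or weak settings. The LDIF is constructed sample data; treating SIMPLE as the only bind method that requires authentication (it is the only value shown on this page) and LDAP as a connection without TLS are assumptions of this example.

```python
"""Audit DNA remote-bind settings in an LDIF export (added example, not Red Hat code)."""
import base64

# Constructed sample data: two plugin configuration entries and two shared range entries.
SAMPLE_LDIF = """\
dn: cn=Account UIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Account UIDs
dnaType: uidNumber
dnaRemoteBindDN: cn=replication manager,cn=config
dnaRemoteBindCred: {AES-Q09OU1RSVUNURUQ=}Y29uc3RydWN0ZWQ=

dn: cn=Group GIDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
cn: Group GIDs
dnaType: gidNumber
dnaRemoteBindCred: constructed-plaintext-value

dn: dnaHostname=ds1.example.com+dnaPortNum=389,ou=ranges,dc=example,dc=com
dnaHostname: ds1.example.com
dnaPortNum: 389
dnaSecurePortNum: 636
dnaRemoteBindMethod: SIMPLE
dnaRemoteConnProtocol: LDAP

dn: dnaHostname=ds2.example.com+dnaPortNum=389,ou=ranges,dc=example,dc=com
dnaHostname: ds2.example.com
dnaPortNum: 389
dnaSecurePortNum: 636
"""

# Assumptions of this example: SIMPLE is the only bind method named on the page, and
# LDAP is taken to mean a connection without TLS. Extend both sets for your deployment.
AUTH_BIND_METHODS = {"SIMPLE"}
CLEARTEXT_PROTOCOLS = {"LDAP"}
DNA_PLUGIN_SUFFIX = ",cn=distributed numeric assignment plugin,cn=plugins,cn=config"


def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute name to its values."""
    lines = []
    for raw in text.splitlines():
        # A line that starts with one space continues the previous line (LDIF folding).
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):      # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def first(entry, attr):
    """First value of an attribute, or None when the attribute is absent."""
    values = entry.get(attr.lower(), [])
    return values[0] if values else None


def norm_dn(dn):
    """Lower-case a DN and drop spaces around commas (no support for escaped commas)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit_dna(entries):
    """Return (finding, dn) tuples for weak or incomplete remote-bind settings."""
    findings = []
    configs = [e for e in entries if norm_dn(first(e, "dn") or "").endswith(DNA_PLUGIN_SUFFIX)]
    shared = [e for e in entries if "dnahostname" in e]

    needs_auth = False
    for entry in shared:
        method = (first(entry, "dnaRemoteBindMethod") or "").upper()
        protocol = (first(entry, "dnaRemoteConnProtocol") or "").upper()
        if method in AUTH_BIND_METHODS:
            needs_auth = True
            if protocol in CLEARTEXT_PROTOCOLS:
                # The Replication Manager password would cross the network unprotected.
                findings.append(("cleartext-bind", first(entry, "dn")))

    for entry in configs:
        dn = first(entry, "dn")
        cred = first(entry, "dnaRemoteBindCred")
        if needs_auth and not first(entry, "dnaRemoteBindDN"):
            findings.append(("missing-bind-dn", dn))
        if needs_auth and cred is None:
            findings.append(("missing-bind-cred", dn))
        # The server stores the credential in {AES-...} form; anything else in an
        # export is a readable password.
        if cred is not None and not cred.startswith("{AES"):
            findings.append(("cred-not-aes", dn))
    return findings


if __name__ == "__main__":
    for finding, dn in audit_dna(parse_ldif(SAMPLE_LDIF)):
        print(f"{finding}: {dn}")
```
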
6.3.23.17. dnaScope
The dnaScope attribute sets the base DN to search for entries to which to apply the distributed numeric assignment. This is analogous to the base DN in an ldapsearch.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any Red Hat Directory Server entry |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaScope: ou=people,dc=example,dc=com |
6.3.23.18. dnaSecurePortNum
The dnaSecurePortNum attribute specifies the secure (TLS) port number to use to connect to the host configured in dnaHostname.
| Parameter | Description |
|---|---|
| Entry DN | dnaHostname=<host_name>+dnaPortNum=<port_number>,ou=ranges,dc=example,dc=com |
| Syntax | Integer |
| Valid Range | 0 to 65535 |
| Default Value | 636 |
| Example | dnaSecurePortNum: 636 |
6.3.23.21. dnaThreshold
The dnaThreshold attribute sets a threshold of remaining available numbers in the range.
One potential situation with the Distributed Numeric Assignment plugin is that one server begins to run out of numbers to assign, which can cause problems. The Distributed Numeric Assignments plugin allows the server to request a new range from the available ranges on other servers.
The server can recognize when it is reaching the end of its assigned range because the dnaThreshold attribute sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range.
For range requests to be performed, the dnaSharedCfgDN attribute must be set.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | 100 |
| Syntax | Integer |
| Example | dnaThreshold: 100 |
6.3.23.22. dnaType
The dnaType attribute sets which attributes require generation of unique numbers for them.
Whenever the attribute is added to the entry with the magic number, an assigned value is automatically supplied.
This attribute is required to set a distributed numeric assignment for an attribute.
If the dnaPrefix attribute is set, then the prefix value is prepended to whatever value is generated by dnaType. The dnaPrefix value can be any kind of string, but some reasonable values for dnaType (such as uidNumber and gidNumber) require only integer values. To use a prefix string, consider using a custom attribute for dnaType which allows strings.
| Parameter | Description |
|---|---|
| Entry DN | cn=<DNA_config_entry>,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Example | dnaType: uidNumber |
6.3.24. Enhanced Guide Syntax plugin
The Enhanced Guide Syntax plugin validates enhancedGuide attribute values and enables complex search criteria based on attributes and filters in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | enhancedguide-syntax |
| DN of Configuration Entry | cn=Enhanced Guide Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.25. Facsimile Telephone Number Syntax plugin
The Facsimile Telephone Number Syntax plugin validates fax number attribute values (facsimileTelephoneNumber).
| Plugin Parameter | Description |
|---|---|
| Plugin ID | facsimile-syntax |
| DN of Configuration Entry | cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for fax numbers; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.26. Fax Syntax plugin
The Fax Syntax plugin validates fax image attribute values (facsimileTelephoneNumber) in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | fax-syntax |
| DN of Configuration Entry | cn=Fax Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.27. Generalized Time Syntax plugin
The Generalized Time Syntax plugin validates attribute values that represent date and time in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | time-syntax |
| DN of Configuration Entry | cn=Generalized Time Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time. See also RFC 4517. |
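
A validator for the Generalized Time String as the table above describes it, as an added example that is not part of the Red Hat documentation: every field from year to second is required, the fraction is optional, and values that do not use the recommended Z indication are reported separately. The function names and sample values are assumptions of this example; RFC 4517 itself also permits omitting minutes and seconds, which this stricter check rejects.

```python
"""Validate Generalized Time values against the field layout described above."""
import re
from datetime import datetime, timedelta, timezone

# year month day hour minute second [fraction] time-zone
_GENERALIZED_TIME = re.compile(
    r"(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})"
    r"(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2})"
    r"(?:[.,](?P<fraction>\d+))?"
    r"(?P<tz>Z|[+-]\d{2}(?:\d{2})?)"
)


def parse_generalized_time(value):
    """Return (datetime in UTC, uses_z) or raise ValueError for a malformed value."""
    match = _GENERALIZED_TIME.fullmatch(value)
    if match is None:
        raise ValueError(f"not a Generalized Time string: {value!r}")

    # Keep at most microsecond precision from the optional fraction of a second.
    fraction = match.group("fraction") or ""
    microsecond = int((fraction + "000000")[:6])

    tz = match.group("tz")
    if tz == "Z":
        offset = timedelta(0)
    else:
        hours = int(tz[1:3])
        minutes = int(tz[3:5] or 0)
        if hours > 23 or minutes > 59:
            raise ValueError(f"time zone offset out of range: {tz}")
        offset = timedelta(hours=hours, minutes=minutes)
        if tz[0] == "-":
            offset = -offset

    # datetime() rejects impossible dates and times (month 13, 30 February, hour 24).
    local = datetime(
        int(match.group("year")), int(match.group("month")), int(match.group("day")),
        int(match.group("hour")), int(match.group("minute")), int(match.group("second")),
        microsecond, tzinfo=timezone(offset),
    )
    return local.astimezone(timezone.utc), tz == "Z"


def classify(value):
    """Return 'ok', 'non-utc' (valid but not using Z) or 'invalid'."""
    try:
        _, uses_z = parse_generalized_time(value)
    except ValueError:
        return "invalid"
    return "ok" if uses_z else "non-utc"


if __name__ == "__main__":
    # Constructed sample values.
    for sample in ("20260131235959Z", "20260131235959.5+0100", "202601312359Z", "20260230120000Z"):
        print(sample, classify(sample))
```
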
6.3.28. Guide Syntax plugin
The Guide Syntax plugin validates guide attribute values in Red Hat Directory Server.
This syntax is deprecated. Use Enhanced Guide syntax instead.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | guide-syntax |
| DN of Configuration Entry | cn=Guide Syntax,cn=plugins,cn=config |
| Description | Syntax for creating complex criteria, based on attributes and filters, to build searches |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | This syntax is obsolete. The Enhanced Guide Syntax should be used instead. |
6.3.29. HTTP Client plugin
The HTTP Client plugin enables the LDAP server to communicate with external web services by using the HTTP or HTTPS protocols.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | http-client |
| DN of Configuration Entry | cn=HTTP Client,cn=plugins,cn=config |
| Description | HTTP client plug-in |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | |
6.3.30. Integer Syntax plug-in
The Integer Syntax plugin validates integer attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | int-syntax |
| DN of Configuration Entry | cn=Integer Syntax,cn=plugins,cn=config |
| Description | Supports integer syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.31. Internationalization plugin
The Internationalization plugin manages how Red Hat Directory Server handles different languages, character sets, and localized sorting rules (collations).
| Plugin Parameter | Description |
|---|---|
| Plugin ID | orderingrule |
| DN of Configuration Entry | cn=Internationalization Plugin,cn=plugins,cn=config |
| Description | Enables internationalized strings to be ordered in the directory |
| Type | matchingrule |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | The Internationalization plugin has one argument, which must not be modified, which specifies the location of the |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.32. JPEG Syntax plugin
The JPEG Syntax plugin validates JPEG image attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | jpeg-syntax |
| DN of Configuration Entry | cn=JPEG Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for JPEG image data; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.33. ldbm database plugin
The ldbm database plugin is the most important plugin in the entire system. It implements local database storage and manages how the data is written to the disk, indexed, and retrieved.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | ldbm-backend |
| DN of Configuration Entry | cn=ldbm database,cn=plugins,cn=config |
| Description | Implements local databases |
| Type | database |
| Configurable Options | |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | See Database plugin attributes for further information on database configuration. |
6.3.34. Linked Attributes plugin
The Linked Attributes plugin in Red Hat Directory Server automatically establishes and manages bidirectional relationships between directory entries.
Many times, entries have inherent relationships to each other (such as managers and employees, document entries and their authors, or special groups and group members). While attributes exist that reflect these relationships, these attributes have to be added and updated on each entry manually. That can lead to a whimsically inconsistent set of directory data, where these entry relationships are unclear, outdated, or missing.
The Linked Attributes plugin allows one attribute, set in one entry, to update another attribute in another entry automatically. The first attribute has a DN value, which points to the entry to update; the second entry attribute also has a DN value which is a back-pointer to the first entry. The link attribute which is set by users and the dynamically-updated managed attribute in the affected entries are both defined by administrators in the Linked Attributes plugin instance.
Conceptually, this is similar to the way that the MemberOf plugin uses the member attribute in group entries to set the memberOf attribute in user entries. With the Linked Attributes plugin, however, all of the link/managed attributes are user-defined, and there can be multiple instances of the plugin, each reflecting different link-managed relationships.
There are a couple of caveats for linking attributes:
- Both the link attribute and the managed attribute must have DNs as values. The DN in the link attribute points to the entry to add the managed attribute to. The managed attribute contains the linked entry DN as its value.
- The managed attribute must be multi-valued. Otherwise, if multiple link attributes point to the same managed entry, the managed attribute value would not be updated accurately.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | Linked Attributes |
| DN of Configuration Entry | cn=Linked Attributes,cn=plugins,cn=config |
| Description | Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), then any entry associated with that entry (such as a custom |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None for the main plugin entry. Each plugin instance has three possible attributes: |
| Dependencies | Database |
| Performance-Related Information | Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued. |
6.3.34.1. linkScope
The linkScope attribute restricts the scope of the plugin to a specific subtree or suffix.
| Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_instance>,cn=Linked Attributes,cn=plugins,cn=config |
| Valid Range | Any DN |
| Default Value | None |
| Syntax | DN |
| Example | linkScope: ou=People,dc=example,dc=com |
6.3.34.2. linkType
The linkType attribute sets the user-managed attribute.
When you modify and maintain this attribute value, the linked attribute is automatically updated in the targeted entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_instance>,cn=Linked Attributes,cn=plugins,cn=config |
| Valid Range | Any Red Hat Directory Server attribute |
| Default Value | None |
| Syntax | DirectoryString |
| Example | linkType: directReport |
6.3.34.3. managedType
The managedType attribute sets the managed, or plugin maintained, attribute. The Linked Attributes plugin instance manages managedType dynamically. Whenever a change is made to the managed attribute, then the plugin updates all of the linked attributes on the targeted entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=<plugin_instance>,cn=Linked Attributes,cn=plugins,cn=config |
| Valid Range | Any Red Hat Directory Server attribute |
| Default Value | None |
| Syntax | DN |
| Example | managedType: manager |
6.3.35. Managed Entries plug-in
The Managed Entries plug-in in Red Hat Directory Server automatically synchronizes associated directory entries. Understanding the plug-in settings helps you to dynamically manage related entries, such as users and their dependent groups.
In some unique circumstances, it is useful to have an entry created automatically when another entry is created. For example, this can be part of POSIX integration by creating a specific group entry when a new user is created. Each instance of the Managed Entries plug-in identifies two areas:
- The scope of the plug-in, meaning the subtree and the search filter to use to identify entries which require a corresponding managed entry
- A template entry that defines what the managed entry should look like
| Plug-in Information | Description |
|---|---|
| Plug-in ID | Managed Entries |
| Configuration Entry DN | cn=Managed Entries,cn=plugins,cn=config |
| Description | Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, then the plug-in automatically creates a new, related entry based on the template. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None for the main plug-in entry. Each plug-in instance has four possible attributes: |
| Dependencies | Database |
| Performance-Related Information | None |
6.3.35.1. managedBase
The managedBase attribute sets the subtree under which to create the managed entries. This can be any entry in the directory tree.
| Parameter | Description |
|---|---|
| Entry DN | cn=<instance_name>,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any Directory Server subtree |
| Default Value | None |
| Syntax | DirectoryString |
| Example | managedBase: ou=groups,dc=example,dc=com |
6.3.35.2. managedTemplate
The managedTemplate attribute identifies the template entry to use to create the managed entry. This entry can be located anywhere in the directory tree; however, add the entry to a replicated suffix so that all suppliers and consumers in replication use the same template.
| Parameter | Description |
|---|---|
| Entry DN | cn=<instance_name>,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any Red Hat Directory Server entry of the |
| Default Value | None |
| Syntax | DirectoryString |
| Example | managedTemplate: cn=My Template,ou=Templates,dc=example,dc=com |
6.3.35.3. originFilter
The originFilter attribute sets the search filter to use to identify the entries within the subtree which require a managed entry. The filter allows the managed entries behavior to be limited to a specific type of entry or subset of entries. The syntax is the same as a regular search filter.
| Parameter | Description |
|---|---|
| Entry DN | cn=<instance_name>,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any valid LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | originFilter: objectclass=posixAccount |
6.3.35.4. originScope
The originScope attribute sets the scope of the search to use to see which entries the plug-in monitors. If a new entry is created within the scope subtree, then the Managed Entries plugin creates a new managed entry that corresponds to it.
| Parameter | Description |
|---|---|
| Entry DN | cn=instance_name,cn=Managed Entries Plugin,cn=plugins,cn=config |
| Valid Values | Any Directory Server subtree |
| Default Value | None |
| Syntax | DirectoryString |
| Example | originScope: ou=people,dc=example,dc=com |
6.3.36. MemberOf plug-in
The MemberOf plug-in automatically scans group entries with a specified member attribute, traces back all of the user DNs, and creates a corresponding memberOf attribute in the user entry with the name of the group.
Group membership is defined within group entries using attributes such as member. Searching for the member attribute makes it easy to list all of the members for the group. However, group membership is not reflected in the member’s user entry, so it is impossible to tell to what groups a person belongs by looking at the user’s entry.
| Plug-in Information | Description |
|---|---|
| Plug-in ID | memberOf |
| Configuration Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Description | Manages the |
| Type | postoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | Database |
| Performance-Related Information | None |
6.3.36.1. cn
The cn attribute sets the name of the plugin instance.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Values | Any valid string |
| Default Value | |
| Syntax | DirectoryString |
| Example | cn: Example MemberOf Plugin Instance |
6.3.36.2. memberOfAllBackends
The memberOfAllBackends attribute specifies whether to search the local suffix for user entries or all available suffixes. Use it in directory trees where users are distributed across multiple databases so that group membership is evaluated comprehensively and consistently.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | memberOfAllBackends: on |
6.3.36.3. memberOfAttr
The memberOfAttr attribute specifies the attribute in the user entry for Red Hat Directory Server to manage to reflect group membership. The MemberOf plugin generates the value of the attribute specified here in the directory entry for the member.
A separate attribute is created for every group to which the user belongs.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute that supports DN syntax |
| Default Value | memberOf |
| Syntax | DirectoryString |
| Example | memberOfAttr: memberOf |
6.3.36.4. memberOfAutoAddOC
The memberOfAutoAddOC attribute specifies an object class that the MemberOf plugin adds to a user entry to allow the memberOf attribute.
To enable the MemberOf plugin to add the memberOf attribute to a user, the user entry must contain an object class that allows this attribute. If an entry does not have an object class that allows the memberOf attribute, then the MemberOf plugin will automatically add the object class listed in the memberOfAutoAddOC attribute.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Values | Any Red Hat Directory Server object class |
| Default Value | nsMemberOf |
| Syntax | DirectoryString |
| Example | memberOfAutoAddOC: nsMemberOf |
6.3.36.5. memberOfDeferredUpdate
The memberOfDeferredUpdate attribute controls whether to defer the update of the members.
On instances with Berkeley Database (BDB), if a change to a static group impacts many members, such as adding more than 10,000 members to the group, this change triggers a large number of internal updates of all group members. Red Hat Directory Server (RHDS) processes all updates in one transaction that can hold sensitive database pages and block other searches waiting for the update completion.
Set the memberOfDeferredUpdate attribute to on to defer the update of the members. In this case, RHDS performs the members update in a separate transaction improving server responsiveness.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid range | on \| off |
| Default value | off |
| Syntax | DirectoryString |
| Example | memberOfDeferredUpdate: off |
6.3.36.6. memberOfEntryScope
The memberOfEntryScope multi-valued attribute defines what suffixes the MemberOf plugin works on if you configured several backends or multiple-nested suffixes. If the attribute is not set, the plugin works on all suffixes.
The value set in the memberOfEntryScopeExcludeSubtree parameter has a higher priority than values set in memberOfEntryScope.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server entry DN. |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfEntryScope: ou=people,dc=example,dc=com |
6.3.36.7. memberOfEntryScopeExcludeSubtree
The multi-valued memberOfEntryScopeExcludeSubtree attribute defines what suffixes the MemberOf plugin excludes from the plugin scope.
The value set in the memberOfEntryScopeExcludeSubtree attribute has a higher priority than values set in memberOfEntryScope. If the scopes set in both attributes overlap, the MemberOf plugin only works on the non-overlapping directory entries.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server entry DN. |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfEntryScopeExcludeSubtree: ou=sample,dc=example,dc=com |
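
The precedence between memberOfEntryScope and memberOfEntryScopeExcludeSubtree described above, as an added example that is not part of the Red Hat documentation: a scope test that treats an unset memberOfEntryScope as all suffixes and lets the exclude subtree win where the two overlap. The function names and sample DNs are assumptions of this example, and the DN comparison is simplified (case-insensitive values, backslash-escaped commas honoured, no other escaping).

```python
"""Decide which member DNs fall inside the MemberOf plugin scope (added example)."""


def split_dn(dn):
    """Split a DN into normalized RDNs, keeping backslash-escaped commas intact."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    normalized = []
    for rdn in rdns:
        attr, _, value = rdn.partition("=")
        normalized.append(attr.strip().lower() + "=" + value.strip().lower())
    return normalized


def is_under(dn, base):
    """True when dn is base itself or lies in the subtree below base."""
    dn_rdns, base_rdns = split_dn(dn), split_dn(base)
    # Compare whole RDNs from the right; a plain string suffix test would also
    # match "myou=sample,..." against "ou=sample,...".
    return len(dn_rdns) >= len(base_rdns) and dn_rdns[len(dn_rdns) - len(base_rdns):] == base_rdns


def in_memberof_scope(dn, entry_scopes=(), exclude_subtrees=()):
    """Apply the documented rules: exclusion has priority, unset scope means all suffixes."""
    if any(is_under(dn, excluded) for excluded in exclude_subtrees):
        return False
    if not entry_scopes:
        return True
    return any(is_under(dn, scope) for scope in entry_scopes)


def unmanaged_members(member_dns, entry_scopes=(), exclude_subtrees=()):
    """Return, in input order, the member DNs the plugin does not work on."""
    return [dn for dn in member_dns
            if not in_memberof_scope(dn, entry_scopes, exclude_subtrees)]


# Constructed sample: values of a group's member attribute.
MEMBERS = [
    "uid=jsmith,ou=People,dc=example,dc=com",
    "uid=tester,ou=sample,dc=example,dc=com",
    "uid=Smith\\, Jane,OU=People, DC=example, DC=com",
    "uid=svc,ou=services,dc=example,dc=org",
]

if __name__ == "__main__":
    scopes = ["dc=example,dc=com"]
    excludes = ["ou=sample,dc=example,dc=com"]
    for dn in unmanaged_members(MEMBERS, scopes, excludes):
        print("outside MemberOf scope:", dn)
```

Running a group's member values through unmanaged_members before relying on memberOf in access rules shows which accounts will never carry the attribute under the current scope settings.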
6.3.36.8. memberOfExcludeSpecificGroupFilter
The multi-valued memberOfExcludeSpecificGroupFilter attribute defines specific groups that the MemberOf plugin excludes from monitoring.
Use this attribute when you need to exclude certain groups from MemberOf plugin processing while monitoring all other groups in the configured scope. This approach is useful when most groups require the memberOf attribute, but you want to exclude specific groups for performance or operational reasons.
Do not use both memberOfExcludeSpecificGroupFilter and memberOfSpecificGroupFilter simultaneously, because specifying groups to include already excludes all non-matching groups.
The filters only apply to entries that have one of the object classes defined in the memberOfSpecificGroupOC attribute.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Valid LDAP search filter |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfExcludeSpecificGroupFilter: |
6.3.36.9. memberOfGroupAttr
The memberOfGroupAttr attribute specifies the attribute in the group entry to use to identify the distinguished names (DNs) of group members.
By default, this is the member attribute, but it can be any membership-related attribute that contains a DN value, such as uniquemember or member.
Any attribute can be used for the memberOfGroupAttr value, but the MemberOf Plug-in only works if the value of the target attribute contains the DN of the member entry. For example, the member attribute contains the DN of the member’s user entry:
member: uid=jsmith,ou=People,dc=example,dc=com
Some member-related attributes do not contain a DN, like the memberURL attribute. That attribute will not work as a value for memberOfGroupAttr. The memberURL value is a URL, and a non-DN value cannot work with the MemberOf Plug-in.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | member |
| Syntax | DirectoryString |
| Example | memberOfGroupAttr: member |
6.3.36.10. memberOfSkipNested
The memberOfSkipNested attribute controls whether to skip the nested group check.
If you do not use nested groups in the directory, set the memberOfSkipNested attribute to on to skip the nested group check. It significantly improves response time of update operations when Red Hat Directory Server needs to compute membership in more than 10,000 entries.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid range | on \| off |
| Default value | off |
| Syntax | DirectoryString |
| Example | memberOfSkipNested: off |
6.3.36.11. memberOfSpecificGroupFilter
The multi-valued memberOfSpecificGroupFilter attribute defines specific groups that the MemberOf plugin monitors, enabling fine-grained configuration instead of monitoring all groups within a suffix.
Use this attribute when you need the MemberOf plugin to work only on specific groups rather than all groups in a suffix or backend. This approach improves performance by reducing the number of groups the plugin processes.
When you specify one or more specific groups to include, all other groups in the directory are automatically excluded from MemberOf plugin processing. The plugin only updates memberOf attributes for members of groups that match the specified filters.
The filters only apply to entries that have one of the object classes defined in the memberOfSpecificGroupOC attribute.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Valid LDAP search filter |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfSpecificGroupFilter: |
6.3.36.12. memberOfSpecificGroupOC
The multi-valued memberOfSpecificGroupOC attribute specifies the object classes that identify group entries when using group-specific filtering with the MemberOf plugin.
Use this attribute to define which object classes qualify an entry as a group for filtering purposes. The group-specific filters only apply to entries that have one of the object classes specified in memberOfSpecificGroupOC.
By default, the MemberOf plugin recognizes groupOfNames, groupOfUniqueNames, and nsAdminGroup as group object classes. You can add custom object classes if your directory uses non-standard group entries.
You do not need to restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP object class name |
| Default Value | |
| Syntax | DirectoryString |
| Example | memberOfSpecificGroupOC: |
6.3.37. Multi-supplier Replication plugin
The Multi-supplier Replication plugin manages data synchronization between multiple Red Hat Directory Server instances to provide high availability and distributed directory services.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | replication-multisupplier |
| DN of Configuration Entry | cn=Multisupplier Replication Plugin,cn=plugins,cn=config |
| Description | Enables replication between two current Directory Servers |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | |
| Performance-Related Information | |
| Further Information | Turn this plug-in off if one server will never replicate. |
6.3.38. Name and Optional UID Syntax plugin
The Name and Optional UID Syntax plugin validates distinguished name attributes with optional unique identifiers in Red Hat Directory Server. It is primarily used for attributes like uniqueMember.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | nameoptuid-syntax |
| DN of Configuration Entry | cn=Name And Optional UID Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | The optional UID is used to distinguish between entries which may have identical DNs or naming attributes. See also RFC 4517. |
6.3.39. Numeric String Syntax plugin
The Numeric String Syntax plugin validates numeric string attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | numstr-syntax |
| DN of Configuration Entry | cn=Numeric String Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.40. Octet String Syntax plugin
The Octet String Syntax plugin validates binary octet string attribute values in Red Hat Directory Server.
Use the Octet String syntax instead of Binary, which is deprecated.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | octetstring-syntax |
| DN of Configuration Entry | cn=Octet String Syntax,cn=plugins,cn=config |
| Description | Supports octet string syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.41. OID Syntax plugin
The OID Syntax plugin validates object identifier attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | oid-syntax |
| DN of Configuration Entry | cn=OID Syntax,cn=plugins,cn=config |
| Description | Supports object identifier (OID) syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | |
6.3.42. PAM Pass Through Auth plug-in
The PAM Pass Through Auth plug-in in Red Hat Directory Server delegates directory authentication to the underlying operating system’s Pluggable Authentication Modules (PAM). Understanding the plug-in settings helps you to centralize credential management.
Local PAM configurations on Unix systems can use an external authentication store for LDAP users. With this form of pass-through authentication, you can use the externally-stored user credentials for directory access.
PAM pass-through authentication is configured in child entries beneath the PAM Pass Through Auth Plug-in container entry. All of the possible configuration attributes for PAM authentication (defined in the 60pam-plugin.ldif schema file) are available to a child entry; the child entry must be an instance of the PAM configuration object class.
Example 6.4. Example PAM Pass Through Auth Configuration Entries
dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginLoadGlobal: true
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 9.0.0
nsslapd-pluginVendor: Red Hat
nsslapd-pluginDescription: PAM pass through authentication plugin

dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: Example PAM Config
pamMissingSuffix: ALLOW
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamIDAttr: customPamUid
pamFilter: (manager=uid=bjensen,ou=people,dc=example,dc=com)
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver
The PAM configuration, at a minimum, must define a mapping method (a way to identify what the PAM user ID is from the Directory Server entry), the PAM server to use, and whether to use a secure connection to the service.
pamIDMapMethod: RDN
pamSecure: FALSE
pamService: ldapserver
The configuration can be expanded for special settings, such as to exclude or specifically include subtrees or to map a specific attribute value to the PAM user ID.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | pam_passthruauth |
| DN of Configuration Entry | cn=PAM Pass Through Auth,cn=plugins,cn=config |
| Description | Enables pass-through authentication for PAM, meaning that a PAM service can use Directory Server as its user authentication store. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | |
6.3.42.1. pamConfig (object class)
The pamConfig object class defines the PAM configuration to interact with the directory service. This object class is defined in Red Hat Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.318
Allowed attributes are the following:
- pamExcludeSuffix
- pamIncludeSuffix
- pamMissingSuffix
- pamFilter
- pamIDAttr
- pamIDMapMethod
- pamFallback
- pamSecure
- pamService
- nsslapd-pluginConfigArea
6.3.42.2. pamExcludeSuffix
The pamExcludeSuffix attribute specifies a suffix to exclude from PAM authentication.
| OID | 2.16.840.1.113730.3.1.2068 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Red Hat Directory Server |
6.3.42.3. pamFallback
The pamFallback attribute sets whether to fall back to regular LDAP authentication if PAM authentication fails.
| OID | 2.16.840.1.113730.3.1.2072 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
6.3.42.4. pamFilter
The pamFilter attribute sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication. If not set, all entries within the suffix are targeted by the configuration entry.
| OID | 2.16.840.1.113730.3.1.2131 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
6.3.42.5. pamIDAttr
The pamIDAttr attribute contains the attribute name which is used to hold the PAM user ID.
| OID | 2.16.840.1.113730.3.1.2071 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Red Hat Directory Server |
6.3.42.6. pamIDMapMethod
The pamIDMapMethod attribute sets the method to use to map the LDAP bind DN to a PAM identity.
Red Hat Directory Server (RHDS) user account inactivation is only validated using the ENTRY mapping method. With RDN or DN, a RHDS user whose account is inactivated can still bind to the server successfully.
| OID | 2.16.840.1.113730.3.1.2070 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
6.3.42.7. pamIncludeSuffix
The pamIncludeSuffix attribute sets a suffix to include for PAM authentication.
| OID | 2.16.840.1.113730.3.1.2067 |
| Syntax | DN |
| Multi- or Single-Valued | Multi-valued |
| Defined in | Red Hat Directory Server |
6.3.42.8. pamMissingSuffix
The pamMissingSuffix attribute identifies how to handle missing include or exclude suffixes.
The options are the following:
- ERROR, which causes the bind operation to fail.
- ALLOW, which logs an error but allows the operation to proceed.
- IGNORE, which allows the operation and does not log any errors.
| OID | 2.16.840.1.113730.3.1.2069 |
| Syntax | DirectoryString |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
6.3.42.9. pamModuleIsThreadSafe
The pamModuleIsThreadSafe attribute controls whether Red Hat Directory Server starts to perform PAM authentications in parallel.
By default, Red Hat Directory Server (RHDS) serializes the Pluggable Authentication Module (PAM) authentications. If you set the pamModuleIsThreadSafe attribute to on, RHDS starts to perform PAM authentications in parallel. However, ensure that the PAM module you are using is a thread-safe module.
Currently, you can use the ldapmodify utility to configure the pamModuleIsThreadSafe attribute:
# ldapmodify -D "cn=Directory Manager" -W -H ldap://server.example.com -x
The ldapmodify utility prompts you for the LDIF statement with the new value:
dn: cn=Example PAM config entry,cn=PAM Pass Through Auth,cn=plugins,cn=config
changetype: modify
add: pamModuleIsThreadSafe
pamModuleIsThreadSafe: on
To apply changes, restart the server.
| OID | 2.16.840.1.113730.3.1.2399 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
6.3.42.10. pamSecure
The pamSecure attribute requires a secure TLS connection for PAM authentication.
| OID | 2.16.840.1.113730.3.1.2073 |
| Syntax | Boolean |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
6.3.42.11. pamService
The pamService attribute contains the service name to pass to PAM. This assumes that the service specified has a configuration file in the /etc/pam.d/ directory.
The pam_fprintd.so module cannot be in the configuration file referenced by the pamService attribute of the PAM Pass-Through Authentication plugin configuration. Using the PAM pam_fprintd.so module causes Red Hat Directory Server (RHDS) to hit the maximum file descriptor limit and can cause the RHDS process to abort.
| OID | 2.16.840.1.113730.3.1.2074 |
| Syntax | IA5String |
| Multi- or Single-Valued | Single-valued |
| Defined in | Red Hat Directory Server |
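The notes in this section (the minimum attributes, pamSecure, the ENTRY-only validation of account inactivation, pamMissingSuffix: IGNORE, and the pam_fprintd.so restriction) can be checked mechanically against an LDIF export of the plug-in's child entries. The following is an added example, not Red Hat code: the function names, finding codes, the second sample entry and the sample /etc/pam.d content are constructed, and only the value TRUE, as used in this section's examples, is treated as enabling pamSecure.

```python
import base64
import re

# Constructed sample: the example child entry from this section (shortened)
# and a second entry holding the minimal configuration shown after it.
SAMPLE_LDIF = """\
dn: cn=Example PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: pamConfig
cn: Example PAM Config
pamMissingSuffix: ALLOW
pamIDMapMethod: RDN ou=people,dc=example,dc=com
pamIDMapMethod: ENTRY ou=engineering,dc=example,dc=com
pamFallback: FALSE
pamSecure: TRUE
pamService: ldapserver

dn: cn=Minimal PAM Config,cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: pamConfig
cn: Minimal PAM Config
pamIDMapMethod: RDN
pamSecure: FALSE
pamService: ldapserver
"""

# Constructed sample of the file /etc/pam.d/ldapserver.
SAMPLE_PAM_SERVICE = """\
#%PAM-1.0
auth     sufficient   pam_fprintd.so
auth     required     pam_unix.so
account  required     pam_unix.so
"""

PLUGIN_DN = "cn=pam pass through auth,cn=plugins,cn=config"
REQUIRED = ("pamIDMapMethod", "pamService", "pamSecure")


def parse_ldif(text):
    """Parse LDIF into a list of {lower-cased attribute: [values]} dicts."""
    lines = re.sub(r"\r?\n ", "", text).splitlines()   # unfold continuation lines
    entries, current = [], {}
    for line in lines + [""]:                # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            name, _, value = line.partition(":")
            if value.startswith(":"):        # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def lint_pam_entry(entry):
    """Return a list of (code, detail) findings for one pamConfig child entry."""
    findings = [("missing-attribute", name) for name in REQUIRED
                if name.lower() not in entry]
    for value in entry.get("pamsecure", []):
        if value.upper() != "TRUE":
            findings.append(("tls-not-required", value))
    for value in entry.get("pamidmapmethod", []):
        method = (value.split() or [""])[0].upper()
        if method in ("RDN", "DN"):          # only ENTRY validates inactivation
            findings.append(("inactivation-not-checked", value))
    for value in entry.get("pammissingsuffix", []):
        if value.upper() == "IGNORE":        # bind allowed and nothing logged
            findings.append(("missing-suffix-not-logged", value))
    return findings


def lint_export(ldif_text):
    """Map the DN of each child entry of the plug-in entry to its findings."""
    report = {}
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", [""])[0]
        normalized = ",".join(part.strip() for part in dn.lower().split(","))
        if normalized.endswith("," + PLUGIN_DN):
            report[dn] = lint_pam_entry(entry)
    return report


def pam_service_uses_fprintd(service_text):
    """True if a non-comment line of the PAM service file loads pam_fprintd.so."""
    for line in service_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if any(f.rsplit("/", 1)[-1] == "pam_fprintd.so" for f in fields):
            return True
    return False


if __name__ == "__main__":
    for dn, findings in lint_export(SAMPLE_LDIF).items():
        print(dn, findings or "ok")
    print("pam_fprintd.so in service file:", pam_service_uses_fprintd(SAMPLE_PAM_SERVICE))
```

Pass pam_service_uses_fprintd the content of the file under /etc/pam.d/ that the entry's pamService value names.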
6.3.43. Pass Through Authentication plugin
The Pass Through Authentication plugin delegates authentication requests to remote LDAP servers or different subtrees to enable centralized credential management across distributed directories.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | passthruauth |
| DN of Configuration Entry | cn=Pass Through Authentication,cn=plugins,cn=config |
| Description | Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | ldap://example.com:389/o=example |
| Dependencies | Database |
| Performance-Related Information | Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. |
6.3.44. Password Storage Schemes plugins
Password storage scheme plugins provide cryptographic hashing algorithms to protect user credentials in Red Hat Directory Server (RHDS).
RHDS implements the password storage schemes as plugins. However, the cn=Password Storage Schemes,cn=plugins,cn=config entry itself is just a container, not a plugin entry. All password storage scheme plugins are stored as a subentry of this container.
To display all password storage schemes plugins, enter:
# dsconf <instance_name> pwpolicy list-schemes
To prevent unpredictable authentication behavior, do not disable the password scheme plugins or change their configuration.
Strong Password Storage Schemes
Use only the following strong password storage schemes (strongest first):
- PBKDF2-SHA512 (default). The PBKDF2-SHA512 is more secure than PBKDF2_SHA256.
  The password-based key derivation function 2 (PBKDF2) is designed to expend resources to counter brute force attacks. PBKDF2 supports a variable number of iterations to apply the hashing algorithm. Higher iterations improve security but require more hardware resources. To apply the PBKDF2-SHA512 algorithm, RHDS uses 10,000 iterations.
  The network security service (NSS) database in Red Hat Enterprise Linux 6 does not support PBKDF2. Therefore you cannot use this password scheme in a replication topology with RHDS 9.
- SSHA512
  The salted secure hashing algorithm (SSHA) implements an enhanced version of the secure hashing algorithm (SHA), that uses a randomly generated salt to increase the security of the hashed password. SSHA512 implements the hashing algorithm using 512 bits.
Weak Password Storage Schemes
Besides the recommended strong password storage schemes, RHDS supports the following weak schemes for backward compatibility:
- AES
- CLEAR
- CRYPT
- CRYPT-MD5
- CRYPT-SHA256, CRYPT-SHA512
- GOST_YESCRYPT
- MD5
- NS-MTA-MD5. RHDS only supports authentication using this scheme. You can no longer use it to encrypt passwords.
- SHA (160 bit), SHA256, SHA384, SHA512
- SMD5
- SSHA, SSHA256, SSHA384
Only continue using a weak scheme over a short time frame, as it increases security risks.
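To find the accounts that still rely on a weak scheme, the stored userPassword values can be rated against the two lists above. The following is an added example, not Red Hat code: it assumes the stored form {SCHEME}payload and, for SSHA512, the layout base64(SHA-512(password + salt) + salt); all DNs and values are constructed.

```python
import base64
import hashlib
import re
from collections import Counter

# Scheme names copied from the strong and weak lists in this section.
STRONG = {"PBKDF2-SHA512", "SSHA512"}
WEAK = {"AES", "CLEAR", "CRYPT", "CRYPT-MD5", "CRYPT-SHA256", "CRYPT-SHA512",
        "GOST_YESCRYPT", "MD5", "NS-MTA-MD5", "SHA", "SHA256", "SHA384",
        "SHA512", "SMD5", "SSHA", "SSHA256", "SSHA384"}
PREFIX = re.compile(r"^\{([A-Za-z0-9_-]+)\}(.*)$", re.DOTALL)
DIGEST_LEN = hashlib.sha512().digest_size    # 64 bytes


def ssha512_value(password: bytes, salt: bytes) -> str:
    """Build a sample value in the assumed layout base64(SHA-512(pw + salt) + salt)."""
    digest = hashlib.sha512(password + salt).digest()
    return "{SSHA512}" + base64.b64encode(digest + salt).decode("ascii")


def classify(stored: str):
    """Return (scheme, rating, note) for one stored userPassword value."""
    match = PREFIX.match(stored)
    if not match:
        return (None, "unknown", "no {SCHEME} prefix")
    scheme, payload = match.group(1).upper(), match.group(2)
    if scheme == "SSHA512":
        try:
            raw = base64.b64decode(payload, validate=True)
        except ValueError:                   # binascii.Error is a ValueError
            return (scheme, "unknown", "payload is not valid base64")
        if len(raw) <= DIGEST_LEN:
            return (scheme, "unknown", "no salt bytes after the digest")
        return (scheme, "strong", f"{len(raw) - DIGEST_LEN}-byte salt")
    if scheme in STRONG:
        return (scheme, "strong", "")
    if scheme in WEAK:
        return (scheme, "weak", "")
    return (scheme, "unknown", "scheme not in this section's lists")


def audit(pairs):
    """Return (rating counts, sorted DNs whose value uses a weak scheme)."""
    ratings, weak_dns = Counter(), []
    for dn, stored in pairs:
        rating = classify(stored)[1]
        ratings[rating] += 1
        if rating == "weak":
            weak_dns.append(dn)
    return ratings, sorted(weak_dns)


# Constructed sample: DNs and stored values are made up for illustration.
SAMPLE = [
    ("uid=jsmith,ou=People,dc=example,dc=com",
     ssha512_value(b"constructed-password", bytes(range(8)))),
    ("uid=svc1,ou=People,dc=example,dc=com", "{PBKDF2-SHA512}constructed-payload"),
    ("uid=legacy1,ou=People,dc=example,dc=com", "{SSHA}constructed-payload"),
    ("uid=legacy2,ou=People,dc=example,dc=com", "{crypt}constructed-payload"),
    ("uid=odd,ou=People,dc=example,dc=com", "constructed-value-without-prefix"),
]

if __name__ == "__main__":
    counts, to_migrate = audit(SAMPLE)
    print(dict(counts))
    print("weak scheme in use:", to_migrate)
```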
6.3.45. Posix Winsync API plugin
The Posix WinSync API plugin in Red Hat Directory Server (RHDS) synchronizes Posix identity data, such as UIDs and GIDs, with Microsoft Active Directory (AD). Understanding these settings helps you to maintain consistent user account attributes across both your Windows and Linux environments.
By default, Posix-related attributes are not synchronized between AD and RHDS. On Linux systems, system users and groups are identified as Posix entries, and LDAP Posix attributes contain that required information. However, when Windows users are synced over, they have ntUser and ntGroup attributes automatically added which identify them as Windows accounts, but no Posix attributes are synced over (even if they exist on the Active Directory entry) and no Posix attributes are added on the RHDS side.
The Posix Winsync API plugin synchronizes POSIX attributes between AD and RHDS entries.
All Posix attributes, such as uidNumber, gidNumber, and homeDirectory, are synchronized between AD and RHDS entries. However, if a new Posix entry or Posix attributes are added to an existing entry in RHDS, only the Posix attributes are synchronized over to the AD corresponding entry. The Posix object class (posixAccount for users and posixGroup for groups) is not added to the AD entry.
This plugin is disabled by default and must be enabled before any Posix attributes will be synchronized from the AD entry to the RHDS entry.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | posix-winsync-plugin |
| DN of Configuration Entry | cn=Posix Winsync API,cn=plugins,cn=config |
| Description | Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries. |
| Type | preoperation |
| Configurable Arguments | |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | database |
6.3.45.1. posixWinsyncCreateMemberOfTask
The posixWinsyncCreateMemberOfTask attribute sets whether to run the memberOf fixup task immediately after a sync run in order to update group memberships for synced users.
This is disabled by default because the memberOf fixup task can be resource-intensive and cause performance issues if it is run too frequently.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true \| false |
| Default Value | false |
| Example | posixWinsyncCreateMemberOfTask: false |
6.3.45.2. posixWinsyncLowerCaseUID
The posixWinsyncLowerCaseUID attribute sets whether to store (and, if necessary, convert) the UID value in the memberUID attribute in lower case.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true \| false |
| Default Value | false |
| Example | posixWinsyncLowerCaseUID: false |
6.3.45.3. posixWinsyncMapMemberUID
The posixWinsyncMapMemberUID attribute sets whether to map the memberUID attribute in an Active Directory group to the uniqueMember attribute in a Red Hat Directory Server group.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true \| false |
| Default Value | true |
| Example | posixWinsyncMapMemberUID: false |
6.3.45.4. posixWinsyncMapNestedGrouping
The posixWinsyncMapNestedGrouping attribute controls whether nested groups are updated when memberUID attributes in an Active Directory POSIX group change. Updating nested groups is supported up to a depth of five levels.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true \| false |
| Default Value | false |
| Example | posixWinsyncMapNestedGrouping: false |
6.3.45.5. posixWinsyncMsSFUSchema
The posixWinsyncMsSFUSchema attribute sets whether to use the older Microsoft System Services for Unix 3.0 (msSFU30) schema when syncing Posix attributes from Active Directory.
By default, the Posix Winsync API plugin uses Posix schema for modern Active Directory servers: 2005, 2008, and later versions. The modern Active Directory Posix schema differs from the Posix schema used by Windows Server 2003 and older Windows servers. If an Active Directory domain is using the older-style schema, then the older-style schema can be used instead.
| Parameter | Description |
|---|---|
| Entry DN | cn=Posix Winsync API Plugin,cn=plugins,cn=config |
| Valid Range | true \| false |
| Default Value | false |
| Example | posixWinsyncMsSFUSchema: true |
6.3.46. Postal Address String Syntax plugin
The Postal Address String Syntax plugin validates postal address attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | postaladdress-syntax |
| DN of Configuration Entry | cn=Postal Address Syntax,cn=plugins,cn=config |
| Description | Supports postal address syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.47. Printable String Syntax plugin
The Printable String Syntax plugin validates printable string attribute values in Red Hat Directory Server. The Printable String syntax is much stricter than the Directory String syntax to ensure compatibility with legacy systems and international telecommunications standards.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | printablestring-syntax |
| DN of Configuration Entry | cn=Printable String Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517). |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | |
6.3.48. Referential Integrity plugin
Referential Integrity ensures that when you perform update or remove operations for an entry in the directory, the server also updates information for entries that reference the removed or updated entry.
For example, if a user’s entry is removed from the directory and Referential Integrity is enabled, the server also removes the user from any groups where the user is a member.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | referint |
| DN of Configuration Entry | cn=Referential Integrity Postoperation,cn=plugins,cn=config |
| Description | Enables the server to ensure referential integrity |
| Type | postoperation |
| Configurable Options | All configuration and on \| off |
| Default Setting | off |
| Configurable Arguments | When enabled, the post-operation Referential Integrity plugin performs integrity updates on the |
| Dependencies | Database |
| Performance-Related Information | The Referential Integrity plugin should be enabled on all suppliers in a multi-supplier replication environment. When enabling the plugin on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality. |
6.3.48.1. nsslapd-pluginAllowReplUpdates
With nsslapd-pluginAllowReplUpdates set to on, the Referential Integrity plugin processes common and replicated updates.
Referential Integrity can be a very resource demanding procedure. So if you configured multi-supplier replication, the Referential Integrity plugin will ignore replicated updates by default. However, sometimes it is not possible to enable the Referential Integrity plugin, or the plugin is not available.
For example, one of your suppliers in the replication topology is an Active Directory server that does not support Referential Integrity. In such cases you can allow the Referential Integrity plugin on another supplier to process replicated updates by using the nsslapd-pluginAllowReplUpdates attribute. For more details about Active Directory integration, see Windows Synchronization.
Only one supplier must have the nsslapd-pluginAllowReplUpdates attribute value set to on in a multi-supplier replication topology. Otherwise, it can lead to replication errors, and requires a full initialization to fix the problem. On the other hand, the Referential Integrity plugin must be enabled on all suppliers where possible, to maintain data integrity.
| Parameter | Description |
|---|---|
| Entry DN | cn=referential integrity postoperation,cn=plugins,cn=config |
| Valid Range | on/off |
| Default Value | off |
| Syntax | Boolean |
| Example | nsslapd-pluginAllowReplUpdates: off |
6.3.49. Retro Changelog plug-in
The Retro Changelog plug-in is intended for use by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. The Retro Changelog plug-in records modifications made to a supplier server.
When the supplier server’s directory is modified, an entry is written to the Retro Changelog that contains both of the following:
- A number that uniquely identifies the modification. This number is sequential with respect to other entries in the changelog.
- The modification action; that is, exactly how the directory was modified.
The Retro Changelog plug-in makes the changes performed on Directory Server accessible through searches against the cn=changelog suffix.
NOTE: Multi-supplier replication uses another type of changelog to replicate changes to suppliers.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | retrocl |
| DN of Configuration Entry | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Description | Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | See Retro Changelog plug-in for further information on the configuration attributes for this plug-in. |
| Dependencies | |
| Performance-Related Information | May slow down Directory Server update performance. |
6.3.49.1. isReplicated
This optional attribute flags each change in the changelog to indicate whether the change was newly made on that server or was replicated over from another server.
| Parameter | Description |
|---|---|
| OID | 2.16.840.1.113730.3.1.2085 |
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | true \| false |
| Default Value | None |
| Syntax | Boolean |
| Example | isReplicated: true |
6.3.49.2. nsslapd-attribute
The nsslapd-attribute attribute explicitly specifies another Red Hat Directory Server attribute which must be included in the retro changelog entries.
Many operational attributes and other types of attributes are commonly excluded from the retro changelog, but these attributes may need to be present for a third-party application to use the changelog data. This is done by listing the attribute in the retro changelog plug-in configuration using the nsslapd-attribute parameter.
It is also possible to specify an optional alias for the specified attribute within the nsslapd-attribute value.
nsslapd-attribute: attribute:_alias_
Using an alias for the attribute can help avoid conflicts with other attributes in an external server or application which may use the retro changelog records.
Setting the value of the nsslapd-attribute attribute to isReplicated is a way of indicating, in the retro changelog entry itself, whether the modification was done on the local server (that is, whether the change is an original change) or whether the change was replicated over to the server.
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | Any valid directory attribute (standard or custom) |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-attribute: nsUniqueId: uniqueID |
6.3.49.3. nsslapd-changelogdir
The nsslapd-changelogdir attribute specifies the name of the directory in which the changelog database is created the first time the plugin is run. By default, the database is stored with all the other databases under /var/lib/dirsrv/slapd-<instance_name>/changelogdb.
For performance reasons, store this database on a different physical disk.
The server has to be restarted for changes to this attribute to go into effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | Any valid path to the directory |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-changelogdir: /var/lib/dirsrv/slapd-<instance_name>/changelogdb |
6.3.49.4. nsslapd-changelogmaxage
The nsslapd-changelogmaxage attribute sets the maximum age of any entry in the changelog. The changelog contains records of each directory modification and is used when synchronizing consumer servers.
Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this attribute is removed. By default, Red Hat Directory Server (RHDS) removes records that are older than seven days. If you set this attribute to 0, there is no age limit on changelog records, and RHDS keeps all records.
The size of the retro changelog is automatically reduced when you set a lower value.
Expired changelog records will not be removed if there is an agreement that has fallen behind further than the maximum age.
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Range | 0 (meaning that entries are not removed according to their age) to the maximum 32 bit integer value (2147483647) |
| Default Value | 7d |
| Syntax | DirectoryString IntegerAgeID, where AgeID is:
If you set only the integer value without the AgeID then Directory Server takes it as seconds. |
| Example | nsslapd-changelogmaxage: 30d |
6.3.49.5. nsslapd-exclude-attrs
The nsslapd-exclude-attrs attribute stores an attribute name to exclude from the retro changelog database. To exclude multiple attributes, add one nsslapd-exclude-attrs parameter for each attribute to exclude.
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | Any valid attribute name |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-exclude-attrs: example |
6.3.49.6. nsslapd-exclude-suffix
The nsslapd-exclude-suffix attribute stores a suffix to exclude from the retro changelog database. You can add the parameter multiple times to exclude multiple suffixes.
| Parameter | Description |
|---|---|
| Entry DN | cn=Retro Changelog Plugin,cn=plugins,cn=config |
| Valid Values | Any valid attribute name |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-exclude-suffix: ou=demo,dc=example,dc=com |
6.3.50. Roles plugin
The Roles plugin enables role-based access management in Red Hat Directory Server (RHDS) to simplify permission assignment and group membership administration.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | roles |
| DN of Configuration Entry | cn=Roles Plugin,cn=plugins,cn=config |
| Description | Enables the use of roles in RHDS |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies |
|
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.3.51. RootDN Access Control plug-in
The root DN, cn=Directory Manager, is a special user entry that you define outside the normal user database. Normal access control rules are not applied to the root DN, but because of the powerful nature of the root user, it can be beneficial to apply access control rules to the root user.
The RootDN Access Control plug-in sets normal access controls, such as host and IP address restrictions, time-of-day restrictions, and day of week restrictions, on the root user.
The plug-in is disabled by default.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | rootdn-access-control |
| DN of Configuration Entry | cn=RootDN Access Control,cn=plugins,cn=config |
| Description | Enables and configures access controls to use for the root DN entry. |
| Type | internalpreoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Attributes |
|
| Dependencies | None |
6.3.51.1. rootdn-allow-host
The rootdn-allow-host multi-valued attribute sets fully-qualified domain names of hosts that the root user is allowed to use to access Red Hat Directory Server. Any hosts not listed are implicitly denied.
You can use wild cards.
The rootdn-allow-host attribute can be used multiple times to specify multiple hosts, domains, or subdomains.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid host name or domain, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-allow-host: *.example.com |
6.3.51.2. rootdn-allow-ip
The rootdn-allow-ip multi-valued attribute sets the IP addresses, either IPv4 or IPv6, of the machines that the root user is allowed to use to access Red Hat Directory Server. Any IP addresses not listed are implicitly denied.
You can use wild cards.
The rootdn-allow-ip attribute can be used multiple times to specify multiple addresses, domains, or subnets.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-allow-ip: 192.168.*.* |
6.3.51.3. rootdn-close-time
The rootdn-close-time attribute sets part of a time period or range when the root user is allowed to access Red Hat Directory Server (RHDS). This sets when the time-based access ends, when the root user is no longer allowed to access RHDS.
This is used in conjunction with the rootdn-open-time attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid time, in a 24-hour format |
| Default Value | None |
| Syntax | Integer |
| Example | rootdn-close-time: 1700 |
6.3.51.4. rootdn-days-allowed
The rootdn-days-allowed attribute sets a comma-separated list of the days on which the root user is allowed to access Red Hat Directory Server. Any days not listed are implicitly denied.
Use the attribute with rootdn-close-time and rootdn-open-time to combine time-based access with days of the week, or use it by itself (with all hours allowed on allowed days).
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Values |
|
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri |
6.3.51.5. rootdn-deny-ip
The rootdn-deny-ip multi-valued attribute sets the IP addresses, either IPv4 or IPv6, of the machines that the root user is not allowed to use to access Red Hat Directory Server. Any IP addresses not listed are implicitly allowed.
Deny rules supersede allow rules, so if an IP address is listed in both the rootdn-allow-ip and rootdn-deny-ip attributes, access is denied.
Wild cards are allowed.
The rootdn-deny-ip attribute can be used multiple times to specify multiple addresses, domains, or subnets.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid IPv4 or IPv6 address, including asterisks (*) for wildcards |
| Default Value | None |
| Syntax | DirectoryString |
| Example | rootdn-deny-ip: 192.168.0.0 |
6.3.51.6. rootdn-open-time
The rootdn-open-time attribute sets part of a time period or range when the root user is allowed to access Red Hat Directory Server. This sets when the time-based access begins.
Use the attribute in conjunction with the rootdn-close-time attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=RootDN Access Control Plugin,cn=plugins,cn=config |
| Valid Range | Any valid time, in a 24-hour format |
| Default Value | None |
| Syntax | Integer |
| Example | rootdn-open-time: 0800 |
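The following added example (not code from Red Hat Directory Server or from this reference) models how the restrictions described in this section combine for a single root DN bind, so that a planned configuration can be checked before it locks the administrator out. It assumes that `*` matches any run of characters, that every configured restriction must pass, that the close time itself lies outside the window, and that a lone open or close time is a configuration error; the sample entry is constructed.

```python
import re
from datetime import datetime

DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")  # datetime.weekday() order

# Constructed sample entry, built from the example values in the tables above.
SAMPLE_LDIF = """\
dn: cn=RootDN Access Control,cn=plugins,cn=config
nsslapd-pluginEnabled: on
rootdn-allow-host: *.example.com
rootdn-allow-ip: 192.168.*.*
rootdn-deny-ip: 192.168.0.0
rootdn-days-allowed: Mon, Tue, Wed, Thu, Fri
rootdn-open-time: 0800
rootdn-close-time: 1700
"""


def parse_ldif_entry(text):
    """Collect the values of one LDIF entry, keyed by lower-cased attribute name.

    Handles plain "name: value" lines only (no base64 values, no folded lines).
    """
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def matches_any(patterns, candidate):
    """True if candidate matches a pattern; '*' stands for any run of characters."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
        if re.fullmatch(regex, candidate.lower()):
            return True
    return False


def hhmm_to_minutes(value):
    """Convert a 24-hour HHMM value such as '0800' to minutes since midnight."""
    if len(value) != 4 or not value.isdigit():
        raise ValueError(f"not a 24-hour HHMM time: {value!r}")
    hours, minutes = int(value[:2]), int(value[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"not a 24-hour HHMM time: {value!r}")
    return hours * 60 + minutes


def check_root_bind(entry, client_ip, client_host, when):
    """Return (allowed, reason) for a root DN bind from client_ip/client_host at 'when'."""
    # The plug-in is disabled by default; a disabled plug-in restricts nothing.
    if entry.get("nsslapd-pluginenabled", ["off"])[0].lower() != "on":
        return True, "plug-in disabled: root DN is not restricted"

    open_time = entry.get("rootdn-open-time")
    close_time = entry.get("rootdn-close-time")
    # Assumption of this example: the two attributes only make sense as a pair.
    if bool(open_time) != bool(close_time):
        raise ValueError("rootdn-open-time and rootdn-close-time must be set together")

    # Deny rules supersede allow rules, so they are evaluated first.
    if matches_any(entry.get("rootdn-deny-ip", []), client_ip):
        return False, "client IP matches rootdn-deny-ip"
    allow_ip = entry.get("rootdn-allow-ip", [])
    if allow_ip and not matches_any(allow_ip, client_ip):
        return False, "client IP not listed in rootdn-allow-ip"
    allow_host = entry.get("rootdn-allow-host", [])
    if allow_host and not matches_any(allow_host, client_host):
        return False, "client host not listed in rootdn-allow-host"

    days = entry.get("rootdn-days-allowed")
    if days:
        allowed_days = {day.strip().capitalize() for day in days[0].split(",")}
        if DAYS[when.weekday()] not in allowed_days:
            return False, "day not listed in rootdn-days-allowed"

    if open_time:
        now = when.hour * 60 + when.minute
        # Assumption: open time is inclusive, close time is exclusive.
        if not hhmm_to_minutes(open_time[0]) <= now < hhmm_to_minutes(close_time[0]):
            return False, "outside rootdn-open-time to rootdn-close-time"
    return True, "all configured restrictions passed"


if __name__ == "__main__":
    config = parse_ldif_entry(SAMPLE_LDIF)
    wednesday_morning = datetime(2024, 3, 6, 9, 30)
    for ip, host in [("192.168.10.5", "admin1.example.com"),
                     ("192.168.0.0", "admin1.example.com"),
                     ("10.0.0.5", "admin1.example.com")]:
        print(ip, host, check_root_bind(config, ip, host, wednesday_morning))
```

Running the check against the addresses and hours that administrators actually use shows whether the planned entry would still let them bind as the root DN.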
6.3.52. Schema Reload plugin
The Schema Reload plugin enables dynamic schema updates in Red Hat Directory Server without requiring a server restart to apply schema changes.
| Plugin Information | Description |
|---|---|
| Plugin ID | schemareload |
| Configuration Entry DN | cn=Schema Reload,cn=plugins,cn=config |
| Description | Task plugin to reload schema files |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information |
6.3.53. Space Insensitive String Syntax plugin
The Space Insensitive String Syntax plugin enables space and case-insensitive matching for string attributes in Red Hat Directory Server (RHDS) to provide flexible search capabilities.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | none |
| DN of Configuration Entry | cn=Space Insensitive String Syntax,cn=plugins,cn=config |
| Description | Syntax for handling space-insensitive values |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information | This plugin enables the RHDS to support space and case insensitive values. This allows applications to search the directory using entries with ASCII space characters.
For example, a search or compare operation that uses |
6.3.54. State Change plugin
The State Change plugin provides state change notification services in Red Hat Directory Server to enable real-time monitoring of directory modifications, such as account locking or password expiration.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | statechange |
| DN of Configuration Entry | cn=State Change Plugin,cn=plugins,cn=config |
| Description | Enables state-change-notification service |
| Type | postoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information |
6.3.55. Syntax Validation Task plugin
The Syntax Validation Task plugin validates attribute values against their defined syntaxes in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | none |
| DN of Configuration Entry | cn=Syntax Validation Task,cn=plugins,cn=config |
| Description | Enables syntax validation for attribute values |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information | This plugin implements syntax validation tasks. The actual process that carries out syntax validation is performed by each specific syntax plugin. |
6.3.56. Telephone Syntax plugin
The Telephone Syntax plugin validates telephone number attribute values in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | tele-syntax |
| DN of Configuration Entry | cn=Telephone Syntax,cn=plugins,cn=config |
| Description | Supports telephone number syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.57. Teletex Terminal Identifier Syntax plugin
The Teletex Terminal Identifier Syntax plugin validates international teletex terminal identifier attribute values (teletexTerminalIdentifier) in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | teletextermid-syntax |
| DN of Configuration Entry | cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config |
| Description | Supports international telephone number syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.58. Telex Number Syntax plugin
The Telex Number Syntax plugin validates telex terminal information attribute values (telexNumber) in Red Hat Directory Server.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | telex-syntax |
| DN of Configuration Entry | cn=Telex Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
| Further Information |
6.3.59. URI Syntax plugin
The URI Syntax plugin validates Uniform Resource Identifier attribute values in Red Hat Directory Server. This plugin is essential for attributes like labeledURI, which are commonly used to store links to websites, internal documentation, or image resources.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | none |
| DN of Configuration Entry | cn=URI Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for uniform resource identifiers (URIs), including uniform resource locators (URLs); from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plugin. If enabled, let the plugin run all the time. |
| Further Information |
6.3.60. USN plug-in
The USN plugin assigns update sequence numbers (USNs) to directory entries in Red Hat Directory Server to track modifications and enable efficient change detection.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | USN |
| DN of Configuration Entry | cn=USN,cn=plugins,cn=config |
| Description | Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information |
For replication, it is recommended that the |
6.3.61. Views plugin
The Views plugin enables customized directory views for different users or applications to provide tailored access to directory data based on specific requirements.
| Plugin Parameter | Description |
|---|---|
| Plugin ID | views |
| DN of Configuration Entry | cn=Views,cn=plugins,cn=config |
| Description | Enables the use of views in Red Hat Directory Server databases. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies |
|
| Performance-Related Information | Do not modify the configuration of this plugin. Let the plugin run all the time. |
6.4. Database plugin attributes
The Database plugin attributes under cn=ldbm database,cn=plugins,cn=config in Red Hat Directory Server store the global configuration settings that manage the primary directory database backend. Understanding these core parameters helps you to tune cache sizes and optimize transaction logging.
The Database plugin is organized in an information tree. All plugin technology used by the database instances is stored under the cn=ldbm database plugin node as follows:
cn=config,cn=ldbm database,cn=plugins,cn=config
cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
cn=monitor,cn=ldbm database,cn=plugins,cn=config
cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config
cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
cn=monitor,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
cn=<attribute_name>,cn=encrypted attributes,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
Each database configuration entry has its own set of attributes.
6.4.1. Database attributes under cn=config,cn=ldbm database,cn=plugins,cn=config
Global configuration attributes common to all Red Hat Directory Server database instances are stored in the cn=config,cn=ldbm database,cn=plugins,cn=config entry. Use these settings to tune databases and memory usage.
6.4.1.1. nsslapd-backend-implement
The nsslapd-backend-implement parameter defines the database backend that Directory Server uses.
Red Hat Directory Server 13 supports the Lightning Memory-Mapped Database Manager (LMDB) database type.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | bdb or mdb |
| Default Value | bdb |
| Syntax | Directory String |
| Example | nsslapd-backend-implement: mdb |
6.4.1.2. nsslapd-backend-opt-level
The nsslapd-backend-opt-level attribute can trigger experimental code to improve write performance.
Possible values:
- 0: Disables the parameter.
- 1: The replication update vector is not written to the database during the transaction.
- 2: Changes the order of taking the back end lock and starts the transaction.
- 4: Moves code out of the transaction.
All values can be combined. For example, 7 enables all optimisation features.
This parameter is experimental. Never change its value unless you are specifically told to do so by Red Hat Support.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0 | 1 | 2 | 4 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-backend-opt-level: 0 |
6.4.1.3. nsslapd-db-deadlock-policy
The nsslapd-db-deadlock-policy attribute sets the libdb library-internal deadlock policy.
Only change this parameter if instructed by Red Hat Support.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0-9 |
| Default Value | 0 |
| Syntax | DirectoryString |
| Example | nsslapd-db-deadlock-policy: 9 |
6.4.1.4. nsslapd-db-private-import-mem
The nsslapd-db-private-import-mem attribute manages whether or not Red Hat Directory Server uses private memory for allocation of regions and mutexes for a database import.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-db-private-import-mem: on |
6.4.1.5. nsslapd-db-transaction-wait
If you enable the nsslapd-db-transaction-wait attribute, Red Hat Directory Server does not start the transaction and waits until lock resources are available.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-db-transaction-wait: off |
6.4.1.6. nsslapd-directory
The nsslapd-directory attribute specifies the absolute path to the database instance. If you created the database instance manually, set this attribute value. Once the database instance is created, do not modify the path, because any change risks preventing the server from accessing data.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid absolute path to the database instance |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-directory: /var/lib/dirsrv/slapd-<instance_name>/db |
6.4.1.7. nsslapd-exclude-from-export
The nsslapd-exclude-from-export attribute contains a space-separated list of attribute names to exclude from entries during database export. For example, use it to exclude instance-specific configuration or operational attributes.
Do not remove any of the default values for this attribute, since that may affect server performance.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid attribute |
| Default Value | entrydn entryid dncomp parentid numSubordinates entryusn |
| Syntax | DirectoryString |
| Example | nsslapd-exclude-from-export: entrydn entryid dncomp parentid numSubordinates entryusn |
6.4.1.8. nsslapd-idlistscanlimit
The nsslapd-idlistscanlimit attribute is deprecated because the impact of the attribute on search performance is more harmful than helpful. Further description is provided for historical purposes only.
This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message, with additional error information explaining the problem. It is advisable to keep the default value to improve search performance.
This parameter can be changed while the server is running, and the new value will affect subsequent searches.
The corresponding user-level attribute is nsIDListScanLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 100 to the maximum 32-bit integer value (2147483647) entry IDs |
| Default Value | 2147483646 |
| Syntax | Integer |
| Example | nsslapd-idlistscanlimit: 50000 |
6.4.1.9. nsslapd-idl-switch
The nsslapd-idl-switch attribute sets the index data list (IDL) format that Red Hat Directory Server uses. Note that Red Hat no longer supports the old IDL format.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | new | old |
| Default Value | new |
| Syntax | Directory String |
| Example | nsslapd-idl-switch: new |
6.4.1.10. nsslapd-lookthroughlimit
The nsslapd-lookthroughlimit performance-related attribute specifies the maximum number of entries that Red Hat Directory Server checks when examining candidate entries in response to a search request.
However, by default, the Directory Manager DN is unlimited and overrides any other settings specified here. Binder-based resource limits also work for this limit: if a value for the operational attribute nsLookThroughLimit is present in the entry with which a user binds, it overrides the default limit.
Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 5000 |
| Syntax | Integer |
| Example | nsslapd-lookthroughlimit: 5000 |
6.4.1.11. nsslapd-mode
The nsslapd-mode attribute specifies the permissions Red Hat Directory Server uses for newly created index files.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values |
Any four-digit octal number. However, mode |
| Default Value | 600 |
| Syntax | Integer |
| Example | nsslapd-mode: 0600 |
6.4.1.12. nsslapd-pagedidlistscanlimit
The nsslapd-pagedidlistscanlimit performance-related attribute specifies how many entry IDs are searched for operations by using the simple paged results control.
This attribute works the same as the nsslapd-idlistscanlimit attribute, except that it only applies to searches with the simple paged results control.
If this attribute is not present or is set to zero (0), then the nsslapd-idlistscanlimit value is applied to paged searches as well as non-paged searches.
The corresponding user-level attribute is nsPagedIDListScanLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-pagedidlistscanlimit: 5000 |
6.4.1.13. nsslapd-pagedlookthroughlimit
The nsslapd-pagedlookthroughlimit attribute specifies the maximum number of entries that Red Hat Directory Server checks when examining candidate entries for a search which uses the simple paged results control.
This attribute works the same as the nsslapd-lookthroughlimit attribute, except that it only applies to searches with the simple paged results control.
If this attribute is not present or is set to zero, then the nsslapd-lookthroughlimit value is applied to paged searches as well as non-paged searches.
The corresponding user-level attribute is nsPagedLookThroughLimit.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-pagedlookthroughlimit: 25000 |
6.4.1.14. nsslapd-rangelookthroughlimit
The nsslapd-rangelookthroughlimit performance-related attribute specifies the maximum number of entries that Red Hat Directory Server checks when examining candidate entries in response to a range search request.
Range searches use operators to set a bracket to search for and return an entire subset of entries within the directory. For example, this searches for every entry modified at or after midnight on January 1:
(modifyTimestamp>=20200101010101Z)
The nature of a range search is that it must evaluate every single entry within the directory to see if it is within the range given. Essentially, a range search is always an all IDs search.
For most users, the look-through limit kicks in and prevents range searches from turning into an all IDs search. This improves overall performance and speeds up range search results. However, some clients or administrative users like Directory Manager may not have a look-through limit set. In that case, a range search can take several minutes to complete or even continue indefinitely.
The nsslapd-rangelookthroughlimit attribute sets a separate range look-through limit that applies to all users, including Directory Manager.
This allows clients and administrative users to have high look-through limits while still allowing a reasonable limit to be set on potentially performance-impaired range searches.
Unlike other resource limits, this applies to searches by any user, including Directory Manager, regular users, and other LDAP clients.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
| Default Value | 5000 |
| Syntax | Integer |
| Example | nsslapd-rangelookthroughlimit: 5000 |
6.4.1.15. nsslapd-search-bypass-filter-test
If you enable the nsslapd-search-bypass-filter-test attribute, Red Hat Directory Server bypasses filter checks when it builds candidate lists during a search. If you set the parameter to verify, Red Hat Directory Server evaluates the filter against the search candidate entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off | verify |
| Default Value | on |
| Syntax | Directory String |
| Example | nsslapd-search-bypass-filter-test: on |
6.4.1.16. nsslapd-search-use-vlv-index
The nsslapd-search-use-vlv-index attribute enables and disables virtual list view (VLV) searches.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | Directory String |
| Example | nsslapd-search-use-vlv-index: on |
6.4.2. Database attributes under cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
Review global configuration attributes that are common to all instances and stored in the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry.
6.4.2.1. nsslapd-cache-autosize
The nsslapd-cache-autosize performance tuning-related attribute sets the percentage of free memory that is used in total for the database and entry cache.
For example, if the value is set to 10, 10% of the system’s free RAM is used for both caches. If this value is set to a value greater than 0, auto-sizing is enabled for the database and entry cache.
For optimized performance, do not disable auto-sizing. However, in certain situations disabling auto-sizing is necessary. In that case, set nsslapd-cache-autosize to 0 and manually configure:
- the database cache in the nsslapd-dbcachesize attribute.
- the entry cache in the nsslapd-cachememsize attribute.
If the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes are both set to high values, such as 100, Directory Server fails to start. To fix the problem, set both parameters to more reasonable values. For example:
nsslapd-cache-autosize: 10
nsslapd-cache-autosize-split: 40
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 100. If 0 is set, the default value is used instead. |
| Default Value | 10 |
| Syntax | Integer |
| Example | nsslapd-cache-autosize: 10 |
6.4.2.2. nsslapd-cache-autosize-split
The nsslapd-cache-autosize-split performance tuning-related attribute sets the percentage of RAM that is used for the database cache. The remaining percentage is used for the entry cache.
For example, if the value is set to 40, the database cache uses 40%, and the entry cache the remaining 60% of the free RAM reserved in the nsslapd-cache-autosize attribute.
If the nsslapd-cache-autosize and nsslapd-cache-autosize-split attributes are both set to high values, such as 100, Red Hat Directory Server fails to start. To fix the problem, set both parameters to more reasonable values. For example:
nsslapd-cache-autosize: 10
nsslapd-cache-autosize-split: 40
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 99. If 0 is set, the default value is used instead. |
| Default Value | 40 |
| Syntax | Integer |
| Example | nsslapd-cache-autosize-split: 40 |
6.4.2.3. nsslapd-dbcachesize
The nsslapd-dbcachesize performance tuning-related attribute sets the database index cache size in bytes. This attribute strongly affects how much RAM Directory Server uses. This is not the entry cache.
This is the amount of memory the Berkeley database back end will use to cache the indexes (the .db files) and other files. This value is passed to the Berkeley DB API function set_cachesize. If automatic cache resizing is activated, this attribute is overridden when the server replaces these values with its own guessed values at a later stage of the server startup.
Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
Do not set the database cache size manually. Red Hat recommends using the database cache auto-sizing feature for optimized performance.
The server has to be restarted for changes to this attribute to go into effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 4 gigabytes for 32-bit platforms and 500 kilobytes to 2^64-1 for 64-bit platforms |
| Default Value | |
| Syntax | Integer |
| Example | nsslapd-dbcachesize: 10000000 |
6.4.2.4. nsslapd-db-checkpoint-interval
The nsslapd-db-checkpoint-interval attribute sets the amount of time in seconds after which Red Hat Directory Server sends a checkpoint entry to the database transaction log.
The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations were physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure.
The nsslapd-db-checkpoint-interval attribute is absent from dse.ldif. To change the checkpoint interval, add the attribute to dse.ldif. This attribute can be dynamically modified using the ldapmodify utility.
Use nsslapd-db-checkpoint-interval only for system modification/diagnostics. Do not change the attribute value unless the Red Hat Technical Support or Red Hat Consulting team instructs you to do so. Inconsistent settings of this attribute and other configuration attributes can cause Red Hat Directory Server failures.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 10 to 300 seconds |
| Default Value | 60 |
| Syntax | Integer |
| Example | nsslapd-db-checkpoint-interval: 120 |
6.4.2.5. nsslapd-db-circular-logging
The nsslapd-db-circular-logging attribute enables or disables circular logging for transaction log files. When off, Red Hat Directory Server does not remove old log files and keeps them, renamed as old transaction log files.
Turning circular logging off can severely degrade server performance and, as such, should only be modified with the guidance of Red Hat Technical Support or Red Hat Consulting.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-db-circular-logging: on |
6.4.2.6. nsslapd-db-debug
The nsslapd-db-debug attribute enables or disables additional error reporting to Red Hat Directory Server. Set nsslapd-db-debug to on to report error information. However, enabling the attribute can slow Red Hat Directory Server down.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-db-debug: off |
6.4.2.7. nsslapd-db-durable-transactions
The nsslapd-db-durable-transactions attribute manages whether database transaction log entries are written to disk immediately.
The database transaction log contains a sequential listing of all recent database operations and Red Hat Directory Server uses this log for database recovery only. With durable transactions enabled, Red Hat Directory Server records every directory change to the log file and, therefore, can recover the change after a system failure. However, the durable transactions feature can slow Red Hat Directory Server performance.
When durable transactions are disabled, Red Hat Directory Server logically writes all transactions to the database transaction log but does not write them to disk immediately. If a system failure occurs before a directory change was physically written to disk, that change is not recoverable.
The nsslapd-db-durable-transactions attribute is absent from dse.ldif. To disable durable transactions, add the attribute to dse.ldif.
Use nsslapd-db-durable-transactions only for system modification or diagnostics. Do not change the attribute value unless the Red Hat Technical Support or Red Hat Consulting team instructs you to do so. Inconsistent settings of this attribute and other configuration attributes can cause Red Hat Directory Server failures.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-db-durable-transactions: on |
6.4.2.8. nsslapd-db-compactdb-interval
The nsslapd-db-compactdb-interval attribute defines the interval in seconds when Directory Server compacts the databases and replication changelogs. The compact operation returns the unused pages to the file system and the database file size shrinks.
Note that compacting the database is resource-intensive and should not be done too often.
Changing the attribute does not require a server restart. However, Directory Server starts to count the new interval value from the time you changed the value. For example, the compaction is planned for today at 10:40. Then at 10:35, 5 minutes before the planned compaction, you set the new interval (nsslapd-db-compactdb-interval) to 259200 seconds (3 days) and the new compaction time (nsslapd-db-compactdb-time) to 20:30. Now Directory Server discards the compaction planned for today at 10:40 and performs the next compaction in 3 days at 20:30.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0 (no compaction) to 2147483647 seconds |
| Default Value | 2592000 (30 days) |
| Syntax | Integer |
| Example | nsslapd-db-compactdb-interval: 2592000 |
6.4.2.9. nsslapd-db-compactdb-time
The nsslapd-db-compactdb-time attribute sets the time of the day when Red Hat Directory Server compacts all databases and their replication changelogs. The compaction task runs after the compaction interval (nsslapd-db-compactdb-interval) has been exceeded.
Changing the attribute does not require a server restart. However, Directory Server applies the new time value when the compaction interval set in nsslapd-db-compactdb-interval expires. For example, the compaction is planned for today at 10:40. Then at 10:35, 5 minutes before the planned compaction, you set the new interval (nsslapd-db-compactdb-interval) to 259200 seconds (3 days) and the new compaction time (nsslapd-db-compactdb-time) to 20:30. Now Directory Server skips the 10:40 run and performs the next compaction in 3 days at 20:30.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | HH:MM. Time is set in 24-hour format |
| Default Value | 23:59 |
| Syntax | DirectoryString |
| Example | nsslapd-db-compactdb-time: 23:59 |
6.4.2.10. nsslapd-db-home-directory
The nsslapd-db-home-directory attribute specifies the location of memory-mapped files for Red Hat Directory Server databases. For performance reasons, the default value of nsslapd-db-home-directory refers to the /dev/shm/ directory, which uses a tmpfs file system.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid directory |
| Default Value | /dev/shm/ |
| Syntax | DirectoryString |
| Example | nsslapd-db-home-directory: /dev/shm/ |
6.4.2.11. nsslapd-db-idl-divisor
The nsslapd-db-idl-divisor attribute specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute.
The default value of 0 sets the block size to the page size minus an estimated allowance for internal database overhead. For the majority of installations, do not change the default value unless the server has specific tuning needs. A value of 1 makes the block size exactly equal to the page size.
Before modifying the value of this attribute, export all databases using the db2ldif script. Once the modification has been made, reload the databases using the ldif2db script.
This parameter should only be used by very advanced users.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 8 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-db-idl-divisor: 2 |
6.4.2.12. nsslapd-db-locks
The nsslapd-db-locks attribute sets the maximum number of database locks that manage how many copies of Red Hat Directory Server processes can run at the same time.
Increase the nsslapd-db-locks value only if Red Hat Directory Server runs out of locks and logs libdb: Lock table is out of available locks error messages. If you set a higher value without a need, this increases the size of the /var/lib/dirsrv/slapd-instance_name/db__db.* files without any benefit.
Restart the server for changes to take effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 - 2147483647 |
| Default Value | 10000 |
| Syntax | Integer |
| Example | nsslapd-db-locks: 10000 |
6.4.2.13. nsslapd-db-locks-monitoring-enabled
The nsslapd-db-locks-monitoring-enabled attribute enables or disables database lock monitoring. When enabled (default), Red Hat Directory Server terminates all searches if the number of active database locks is higher than the percentage threshold configured in nsslapd-db-locks-monitoring-threshold.
If an issue occurs, you can increase the number of database locks in the nsslapd-db-locks parameter.
Restart the service for changes to take effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-db-locks-monitoring-enabled: on |
6.4.2.14. nsslapd-db-locks-monitoring-pause
If database lock monitoring is enabled in nsslapd-db-locks-monitoring-enabled, the nsslapd-db-locks-monitoring-pause attribute defines the interval in milliseconds that the monitoring thread sleeps between checks.
If you set nsslapd-db-locks-monitoring-pause to a value that is too high, the server can run out of database locks before the monitoring check happens. However, setting a value that is too low can slow down the server.
You do not have to restart the server for this setting to take effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0 - 2147483647 (value in milliseconds) |
| Default Value | 500 |
| Syntax | DirectoryString |
| Example | nsslapd-db-locks-monitoring-pause: 500 |
6.4.2.15. nsslapd-db-locks-monitoring-threshold
If monitoring of database locks is enabled in the nsslapd-db-locks-monitoring-enabled attribute, nsslapd-db-locks-monitoring-threshold sets the maximum percentage of used database locks before Red Hat Directory Server terminates searches to avoid further lock exhaustion.
Restart the service for changes to take effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 70 - 95 |
| Default Value | 90 |
| Syntax | DirectoryString |
| Example | nsslapd-db-locks-monitoring-threshold: 90 |
6.4.2.16. nsslapd-db-logbuf-size
The nsslapd-db-logbuf-size attribute sets the log information buffer size.
Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data. The log information buffer size is the transaction log size divided by four.
The nsslapd-db-logbuf-size attribute is valid only if the nsslapd-db-durable-transactions attribute is set to on.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 32K to maximum 32-bit integer (limited to the amount of memory available on the machine) |
| Default Value | 32K |
| Syntax | Integer |
| Example | nsslapd-db-logbuf-size: 32K |
6.4.2.17. nsslapd-db-logdirectory
The nsslapd-db-logdirectory attribute sets the path to the directory that contains the database transaction log. The database transaction log contains all recent database operations. Red Hat Directory Server uses this information to recover the database after an instance failure.
By default, the log is in the same directory as the database. To change nsslapd-db-logdirectory, update /etc/dirsrv/slapd-instance_name/dse.ldif manually.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid path |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-db-logdirectory: /var/lib/dirsrv/slapd-instance_name/db/ |
6.4.2.18. nsslapd-db-logfile-size
The nsslapd-db-logfile-size attribute sets the maximum size of a single file in the log in bytes. By default, or if the value is set to 0, the maximum size is 10 megabytes. The maximum size is an unsigned 4-byte value.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to unsigned 4-byte integer |
| Default Value | 10MB |
| Syntax | Integer |
| Example | nsslapd-db-logfile-size: 10 MB |
6.4.2.19. nsslapd-dbncache
The nsslapd-dbncache attribute splits the LDBM cache into equally sized separate pieces of memory. Set this value to an integer that is one-quarter (1/4) the amount of memory in gigabytes.
For example, for a 12 gigabyte system, set the nsslapd-dbncache value to 3; for an 8 gigabyte system, set it to 2.
You can specify caches that are large enough so that they cannot be allocated contiguously on some architectures. For example, some systems limit the amount of memory that may be allocated contiguously by a process. If nsslapd-dbncache is 0 or 1, the cache will be allocated contiguously in memory. If it is greater than 1, the cache will be broken up into ncache, equally sized separate pieces of memory.
To configure a dbcache size larger than 4 gigabytes, add the nsslapd-dbncache attribute to cn=config,cn=ldbm database,cn=plugins,cn=config between the nsslapd-dbcachesize and nsslapd-db-logdirectory attribute lines.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Red Hat technical support or Red Hat professional services. Inconsistent settings of this attribute and other configuration attributes may cause Directory Server to be unstable.
The server has to be restarted for changes to this attribute to go into effect.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 1 to 4 |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsslapd-dbncache: 1 |
6.4.2.20. nsslapd-db-page-size
The nsslapd-db-page-size attribute sets the size of the pages used to hold items in the database in bytes. The minimum size is 512 bytes, and the maximum size is 64 kilobytes. If you do not set the page size explicitly, Red Hat Directory Server defaults to a page size of 8 kilobytes.
Changing the default value can have a significant performance impact. If the page size is too small, it results in extensive page splitting and copying. If the page size is too large, it can waste disk space.
Before modifying nsslapd-db-page-size, export all databases with db2ldif, then reload with ldif2db after the change.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 512 bytes to 64 kilobytes |
| Default Value | 8KB |
| Syntax | Integer |
| Example | nsslapd-db-page-size: 8KB |
6.4.2.21. nsslapd-db-spin-count
The nsslapd-db-spin-count attribute specifies how many times test-and-set mutexes spin without blocking.
Never touch this value unless you are very familiar with the inner workings of Berkeley DB or are specifically told to do so by Red Hat support.
The default value of 0 causes BDB to calculate the actual value by multiplying the number of available CPU cores (as reported by the nproc utility or the sysconf(_SC_NPROCESSORS_ONLN) call) by 50. For example, with a processor with 8 logical cores, leaving this attribute set to 0 is equivalent to setting it to 400. It is not possible to turn spinning off entirely. To minimize the number of times test-and-set mutexes spin without blocking, set this attribute to 1.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 2147483647 (2^31-1) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-db-spin-count: 0 |
6.4.2.22. nsslapd-db-transaction-batch-max-wait
The nsslapd-db-transaction-batch-max-wait attribute sets the latest time (in milliseconds) at which batched transactions are flushed independently of the batch count when nsslapd-db-transaction-batch-val is set, so that few updates do not delay flushing indefinitely.
This parameter is experimental. Never change its value unless you are specifically told to do so by Red Hat support.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 - 2147483647 (value in milliseconds) |
| Default Value | 50 |
| Syntax | Integer |
| Example | nsslapd-db-transaction-batch-max-wait: 50 |
6.4.2.23. nsslapd-db-transaction-batch-min-wait
The nsslapd-db-transaction-batch-min-wait parameter sets the earliest time (in milliseconds) at which batched transactions are flushed when nsslapd-db-transaction-batch-val is set.
This parameter is experimental. Never change its value unless you are specifically told to do so by Red Hat support.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 - 2147483647 (value in milliseconds) |
| Default Value | 50 |
| Syntax | Integer |
| Example | nsslapd-db-transaction-batch-min-wait: 50 |
6.4.2.24. nsslapd-db-transaction-batch-val
The nsslapd-db-transaction-batch-val attribute specifies how many transactions are batched before Red Hat Directory Server commits them. The attribute can improve update performance when full durability is not required and can be changed dynamically with the ldapmodify utility.
When you set nsslapd-db-transaction-batch-val, a separate thread flushes transactions when the set batch value is reached. However, if only a few updates were performed, this process might take too long. To control when transactions should be flushed, use the nsslapd-db-transaction-batch-max-wait and nsslapd-db-transaction-batch-min-wait attributes.
Setting this value will reduce data consistency and may lead to loss of data. This is because if there is a power outage before the server can flush the batched transactions, those transactions in the batch will be lost.
Do not set this value unless specifically requested to do so by Red Hat support.
If this attribute is not defined or is set to a value of 0, transaction batching will be turned off, and it will be impossible to make remote modifications to this attribute using LDAP. However, setting this attribute to a value greater than 0 causes the server to delay committing transactions until the number of queued transactions is equal to the attribute value. A value greater than 0 also allows modifications to this attribute remotely using LDAP. A value of 1 for this attribute allows modifications to the attribute setting remotely using LDAP, but results in no batching behavior. A value of 1 at server startup is therefore useful for maintaining normal durability while also allowing transaction batching to be turned on and off remotely when required. Remember that the value for this attribute may require modifying the nsslapd-db-logbuf-size attribute to ensure sufficient log buffer size for accommodating the batched transactions.
The nsslapd-db-transaction-batch-val attribute is only valid if the nsslapd-db-durable-transactions attribute is set to on.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 30 |
| Default Value | 0 (or turned off) |
| Syntax | Integer |
| Example | nsslapd-db-transaction-batch-val: 5 |
6.4.2.25. nsslapd-db-trickle-percentage
The nsslapd-db-trickle-percentage attribute ensures that at least the specified percentage of pages in the shared-memory pool are clean by writing dirty pages to their backing files, so that a page is always available for reading new information without having to wait for a write.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to 100 |
| Default Value | 40 |
| Syntax | Integer |
| Example | nsslapd-db-trickle-percentage: 40 |
6.4.2.26. nsslapd-db-verbose
The nsslapd-db-verbose attribute enables extra informational and debugging messages when searching the log for checkpoints, doing deadlock detection, and performing recovery. Use the attribute for troubleshooting. Enabling nsslapd-db-verbose might slow down Red Hat Directory Server.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-db-verbose: off |
6.4.2.27. nsslapd-import-cache-autosize
The nsslapd-import-cache-autosize performance tuning-related attribute automatically sets the size of the import cache (importCache) that Red Hat Directory Server uses when it imports LDIF files into the database with the ldif2db operation.
In Directory Server, the import operation can be run as a server task or exclusively on the command-line. In the task mode, the import operation runs as a general Directory Server operation. The nsslapd-import-cache-autosize attribute enables the import cache to be set automatically to a predetermined size when the import operation is run on the command-line. The attribute can also be used by Directory Server during the task mode import for allocating a specified percentage of free memory for import cache.
By default, the nsslapd-import-cache-autosize attribute is enabled and is set to a value of -1. This value autosizes the import cache for the ldif2db operation only, automatically allocating fifty percent (50%) of the free physical memory for the import cache. The percentage value (50%) is hard-coded and cannot be changed.
Setting the attribute value to 50 (nsslapd-import-cache-autosize: 50) has the same effect on performance during an ldif2db operation. However, such a setting also has the same effect on performance when the import operation is run as a Directory Server task. The -1 value autosizes the import cache only for the ldif2db operation and not for any general Directory Server tasks, including import.
The purpose of a -1 setting is to enable the ldif2db operation to benefit from free physical memory but, at the same time, not compete for valuable memory with the entry cache, which is used for general operations of Directory Server.
Setting the nsslapd-import-cache-autosize attribute value to 0 turns off the import cache autosizing feature - that is, no autosizing occurs during either mode of the import operation. Instead, Directory Server uses the nsslapd-import-cachesize attribute for import cache size, with a default value of 20000000.
There are three caches in the context of Directory Server: database cache, entry cache, and import cache. The import cache is only used during the import operation. The nsslapd-cache-autosize attribute, which is used for autosizing the entry cache and database cache, is used during the Directory Server operations only and not during the ldif2db command-line operation; the attribute value is the percentage of free physical memory to be allocated for the entry cache and database cache.
If both the autosizing attributes, nsslapd-cache-autosize and nsslapd-import-cache-autosize, are enabled, ensure that their sum is less than 100.
| Parameter | Description |
|---|---|
| Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | -1, 0 (turns import cache autosizing off) to 100 |
| Default Value | -1 (turns import cache autosizing on for ldif2db only and allocates 50% of the free physical memory to import cache) |
| Syntax | Integer |
| Example | nsslapd-import-cache-autosize: -1 |
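The following Python script is an added example, not Red Hat code: it checks a cn=bdb entry taken from dse.ldif against the valid ranges and cross-attribute rules given in sections 6.4.2.2 through 6.4.2.27 and flags the settings the text says weaken durability. The function names, the severity labels and the sample entry are constructed for illustration.

```python
import base64
import re

# Integer ranges copied from the "Valid Range" rows on this page.
INT_RANGES = {
    "nsslapd-cache-autosize-split": (0, 99),
    "nsslapd-db-checkpoint-interval": (10, 300),
    "nsslapd-db-locks": (0, 2147483647),
    "nsslapd-db-locks-monitoring-threshold": (70, 95),
    "nsslapd-db-transaction-batch-val": (0, 30),
    "nsslapd-import-cache-autosize": (-1, 100),
}
ON_OFF = ("nsslapd-db-durable-transactions", "nsslapd-db-locks-monitoring-enabled")
# Attributes the page says to change only on instruction from Red Hat support.
SUPPORT_ONLY = (
    "nsslapd-db-checkpoint-interval", "nsslapd-db-durable-transactions",
    "nsslapd-db-transaction-batch-val", "nsslapd-db-transaction-batch-min-wait",
    "nsslapd-db-transaction-batch-max-wait",
)


def parse_entry(ldif_text):
    """Return {lower-cased attribute: value} for one LDIF entry (last value wins)."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]  # a leading space continues the previous line
        elif raw.strip():
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if rest.startswith(":"):  # "attr:: <base64 value>"
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        attrs[name.strip().lower()] = rest.strip()
    return attrs


def lint(attrs):
    """Return a list of (severity, attribute, message) findings."""
    out, ints = [], {}
    for attr, (low, high) in INT_RANGES.items():
        if attr not in attrs:
            continue
        try:
            ints[attr] = int(attrs[attr])
        except ValueError:
            out.append(("error", attr, f"not an integer: {attrs[attr]!r}"))
            continue
        if not low <= ints[attr] <= high:
            out.append(("error", attr, f"{ints[attr]} is outside {low}..{high}"))
    for attr in ON_OFF:
        if attr in attrs and attrs[attr].lower() not in ("on", "off"):
            out.append(("error", attr, f"expected on or off, got {attrs[attr]!r}"))
    hhmm = attrs.get("nsslapd-db-compactdb-time")
    if hhmm is not None and not re.fullmatch(r"([01]\d|2[0-3]):[0-5]\d", hhmm):
        out.append(("error", "nsslapd-db-compactdb-time", "expected 24-hour HH:MM"))
    # Durability: the page gives "on" as the default and batching as off (0).
    if attrs.get("nsslapd-db-durable-transactions", "on").lower() == "off":
        out.append(("risk", "nsslapd-db-durable-transactions",
                    "changes not yet written to disk are lost on system failure"))
        for dep in ("nsslapd-db-transaction-batch-val", "nsslapd-db-logbuf-size"):
            if dep in attrs:
                out.append(("warn", dep, "only valid with durable transactions on"))
    if ints.get("nsslapd-db-transaction-batch-val", 0) > 1:
        out.append(("risk", "nsslapd-db-transaction-batch-val",
                    "batched transactions are lost if power fails before the flush"))
    # When both autosizing attributes are enabled, their sum must stay below 100.
    cache = attrs.get("nsslapd-cache-autosize", "")
    imp = ints.get("nsslapd-import-cache-autosize", -1)
    if cache.isdigit() and int(cache) > 0 and imp > 0 and int(cache) + imp >= 100:
        out.append(("error", "nsslapd-import-cache-autosize",
                    f"{imp} + nsslapd-cache-autosize {cache} must be below 100"))
    for attr in SUPPORT_ONLY:
        if attr in attrs:
            out.append(("review", attr, "change only when Red Hat support instructs it"))
    return out


# Constructed sample entry, not taken from a real server.
SAMPLE = """\
dn: cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
nsslapd-cache-autosize: 60
nsslapd-cache-autosize-split: 100
nsslapd-import-cache-autosize: 50
nsslapd-db-durable-transactions: off
nsslapd-db-transaction-batch-val: 5
nsslapd-db-locks-monitoring-threshold: 50
nsslapd-db-compactdb-time:: MjQ6MzA=
nsslapd-db-locks: 10
 000
"""

if __name__ == "__main__":
    for severity, attr, message in lint(parse_entry(SAMPLE)):
        print(f"{severity:6} {attr}: {message}")
```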
6.4.2.28. nsslapd-search-bypass-filter-test
If you enable the nsslapd-search-bypass-filter-test parameter, Red Hat Directory Server bypasses filter checks when it builds candidate lists during a search. If you set the parameter to verify, Red Hat Directory Server evaluates the filter against the search candidate entries.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on \| off \| verify |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsslapd-search-bypass-filter-test: on |
6.4.3. Database attributes under cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config
The cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config entry in Red Hat Directory Server defines the global configuration attributes for the Lightning Memory-Mapped Database Manager (LMDB) backend. These configuration attributes are common to all instances.
6.4.3.1. nsslapd-mdb-max-dbs
The nsslapd-mdb-max-dbs attribute sets the maximum number of named database instances that can be included within the memory-mapped database file.
If the attribute value is set to zero (0), Red Hat Directory Server computes this attribute value.
Each suffix and default indexes consume 35 named databases. Each additional index consumes one named database. With the default value of 512, you can create up to 14 suffixes.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0-2147483647 |
| Default Value | 512 |
| Syntax | Integer |
| Example | nsslapd-mdb-max-dbs: 512 |
6.4.3.2. nsslapd-mdb-max-readers
The nsslapd-mdb-max-readers attribute sets the maximum number of read operations that can be opened simultaneously. If the attribute value is set to zero (0), Red Hat Directory Server computes this attribute value.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0-2147483647 |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-mdb-max-readers: 0 |
6.4.3.3. nsslapd-mdb-max-size
The nsslapd-mdb-max-size attribute sets the maximum database size in bytes. The maximum size of the Lightning Memory-Mapped Database Manager (LMDB) database is limited by the system addressable memory.
Make sure that the value of nsslapd-mdb-max-size is high enough to store all intended data. However, the value must not be so high that it impacts performance, because the database file is memory-mapped.
You can use the database size in the Red Hat Directory Server Hardware requirements as a reference.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=mdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 512 to maximum 32-bit integer (limited to the amount of memory available on the machine) |
| Default Value | 21474836480 |
| Syntax | Integer |
| Example | nsslapd-mdb-max-size: 21474836480 |
6.4.4. Database attributes under cn=monitor,cn=ldbm database,cn=plugins,cn=config
The cn=monitor,cn=ldbm database,cn=plugins,cn=config entry in Red Hat Directory Server defines global read-only attributes that contain database statistics for monitoring activity on the databases.
- currentNormalizedDNcachecount: The currentNormalizedDNcachecount attribute displays the number of normalized cached DNs.
- currentNormalizedDNcachesize: The currentNormalizedDNcachesize attribute displays the current size of the normalized DN cache in bytes.
- dbcachehitratio: The dbcachehitratio attribute displays the percentage of requested pages found in the database cache (hits/tries).
- dbcachehits: The dbcachehits attribute displays the requested pages found in the database.
- dbcachepagein: The dbcachepagein attribute displays the pages read into the database cache.
- dbcachepageout: The dbcachepageout attribute displays the pages written from the database cache to the backing file.
- dbcacheroevict: The dbcacheroevict attribute displays the clean pages forced from the cache.
- dbcacherwevict: The dbcacherwevict attribute displays the dirty pages forced from the cache.
- dbcachetries: The dbcachetries attribute displays the total cache lookups.
- maxNormalizedDNcachesize: The maxNormalizedDNcachesize attribute displays the current value of the nsslapd-ndn-cache-max-size parameter.
- normalizedDNcachehitratio: The normalizedDNcachehitratio attribute displays the percentage of the normalized DNs found in the cache.
- normalizedDNcachehits: The normalizedDNcachehits attribute displays the normalized DNs found within the cache.
- normalizedDNcachemisses: The normalizedDNcachemisses attribute displays the normalized DNs not found within the cache.
- normalizedDNcachetries: The normalizedDNcachetries attribute displays the total number of cache lookups since the instance was started.
6.4.5. Database attributes under cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
The cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry contains all the configuration data for a user-defined database. By default, the database name is set to cn=userRoot. However, you can choose another database name when adding the database.
The cn=userRoot database can be any user database.
6.4.5.1. nsslapd-cache-pinned-entries
The nsslapd-cache-pinned-entries attribute sets how many of the largest group entries the backend keeps permanently in the entry cache so the eviction algorithm does not remove them.
When a group entry is pinned, it is locked into the entry cache and cannot be evicted (deleted from memory to make room for others), even if the cache reaches its maximum size limit.
The backend removes pinned entries from the cache only in the following situations:
- A client application modifies the group.
- You stop the backend.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | Any integer value that is equal to or greater than zero ( |
| Default Value | |
| Syntax | Integer |
| Example | nsslapd-cache-pinned-entries: 5 |
6.4.5.2. nsslapd-cachememsize
The nsslapd-cachememsize attribute sets the size, in bytes, for the available memory space (an absolute allocation of RAM) for the entry cache.
The simplest method is limiting cache size in terms of memory occupied. Activating automatic cache resizing overrides this attribute, replacing these values with its own guessed values at a later stage of the server startup.
Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on 32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer because of how the system addresses memory.
Do not set the database cache size manually. Red Hat recommends using the entry cache auto-sizing feature for optimized performance.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 2^64-1 on 64-bit systems |
| Default Value | 209715200 (200 MiB) |
| Syntax | Integer |
| Example | nsslapd-cachememsize: 209715200 |
6.4.5.3. nsslapd-cachesize
The nsslapd-cachesize attribute sets the cache size in terms of the number of entries it can hold. However, this attribute is deprecated in favor of the nsslapd-cachememsize attribute, which sets an absolute allocation of RAM for the entry cache size.
Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on 32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
The server has to be restarted for changes to this attribute to go into effect.
The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer because of how the system addresses memory.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 1 to 2^32-1 on 32-bit systems or 2^63-1 on 64-bit systems or -1, which means limitless |
| Default Value | -1 |
| Syntax | Integer |
| Example | nsslapd-cachesize: -1 |
6.4.5.4. nsslapd-directory
The nsslapd-directory attribute specifies the path to the database instance.
If it is a relative path, it starts from the path specified by nsslapd-directory in the cn=config,cn=ldbm database,cn=plugins,cn=config global database entry. The database instance directory is named after the instance name and located in the global database directory by default. After the database instance is created, do not modify this path because any changes risk preventing the server from accessing data.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid path to the database instance |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-directory: /var/lib/dirsrv/slapd-instance/db/userRoot |
6.4.5.5. nsslapd-dncachememsize
The nsslapd-dncachememsize attribute sets the size of the available memory space for the DN cache in bytes.
The DN cache is similar to the entry cache for a database, except that its table stores only the entry ID and the entry DN. This allows faster lookups for rename and moddn operations.
The simplest method is limiting cache size in terms of memory occupied.
Attempting to set a value that is not a number or is too big for a 32-bit signed integer (on 32-bit systems) returns an LDAP_UNWILLING_TO_PERFORM error message with additional error information explaining the problem.
The performance counter for this setting goes to the highest 64-bit integer, even on 32-bit systems, but the setting itself is limited on 32-bit systems to the highest 32-bit integer because of how the system addresses memory.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 500 kilobytes to 2^32-1 on 32-bit systems and to 2^64-1 on 64-bit systems |
| Default Value | 10,485,760 (10 megabytes) |
| Syntax | Integer |
| Example | nsslapd-dncachememsize: 10485760 |
6.4.5.6. nsslapd-readonly
The nsslapd-readonly attribute enables read-only mode for a single backend instance.
If this attribute has a value of off, then users have all read, write, and execute permissions allowed by their access permissions.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-readonly: off |
6.4.5.7. nsslapd-require-index
The nsslapd-require-index attribute enables rejection of unindexed searches to improve performance.
With nsslapd-require-index set to on, Red Hat Directory Server can avoid overload with erroneous searches.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-require-index: off |
6.4.5.8. nsslapd-require-internalop-index
The nsslapd-require-internalop-index attribute enables rejection of internal unindexed searches by plugins.
When a plugin modifies data, it has a write lock on the database. On large databases, if the plugin then executes an unindexed search, the plugin can use all database locks and corrupt the database, or the server becomes unresponsive. To avoid this problem, you can reject internal unindexed searches by enabling the nsslapd-require-internalop-index parameter.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsslapd-require-internalop-index: off |
6.4.5.9. nsslapd-suffix
The nsslapd-suffix attribute specifies the suffix of a database link.
This is a single-valued attribute because each database instance can have only one suffix. Previously, you could have more than one suffix on a single database instance. As a result, this attribute is single-valued to enforce the fact that each database instance can have only one suffix entry. Any changes made to this attribute after the entry is created take effect only after the server containing the database link is restarted.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsslapd-suffix: o=Example |
6.4.5.10. vlvBase
The vlvBase attribute sets the base DN for which the browsing or virtual list view (VLV) index is created.
| Parameter | Description |
|---|---|
| Entry DN | cn=<index_name>,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid DN |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvBase: ou=People,dc=example,dc=com |
6.4.5.11. vlvEnabled
The vlvEnabled attribute shows status information about a specific VLV index, and Red Hat Directory Server sets this attribute at run time.
Although vlvEnabled is displayed in the configuration, you cannot modify this attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=<index_name>,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | 0 (disabled) | 1 (enabled) |
| Default Value | 1 |
| Syntax | DirectoryString |
| Example | vlvEnabled: 0 |
6.4.5.12. vlvFilter
The vlvFilter attribute sets the LDAP filter for selecting entries in a VLV index.
The browsing or virtual list view (VLV) index is created by running a search according to a filter and including entries that match that filter in the index.
| Parameter | Description |
|---|---|
| Entry DN | cn=<index_name>,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid LDAP filter |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvFilter: (|(objectclass=*)(objectclass=ldapsubentry)) |
6.4.5.13. vlvIndex
The vlvIndex object class defines the virtual list view (VLV) index entry.
A browsing index or virtual list view (VLV) index dynamically generates an abbreviated index of entry headers that makes it much faster to visually browse large indexes. A VLV index definition has two parts: one which defines the index and one which defines the search used to identify entries to add to the index. The vlvIndex object class defines the index entry.
This object class is defined in Red Hat Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.42
| Attribute | Definition |
|---|---|
| Defines the object classes for the entry. | |
| Gives the common name of the entry. | |
| Identifies the attribute list that the browsing index (virtual list view index) is sorted on. |
| Attribute | Definition |
|---|---|
| Stores the availability of the browsing index. | |
| Contains the count the browsing index is used. |
6.4.5.14. vlvScope
The vlvScope attribute sets the scope of the search to run for entries in the browsing or virtual list view (VLV) index.
| Parameter | Description |
|---|---|
| Entry DN | cn=<index_name>,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | Integer |
| Example | vlvScope: 2 |
6.4.5.15. vlvSearch
The vlvSearch object class defines the search filter for a VLV index.
A browsing index or virtual list view (VLV) index dynamically generates an abbreviated index of entry headers that makes it much faster to visually browse large indexes.
A VLV index definition has two parts: one which defines the index and one which defines the search used to identify entries to add to the index. The vlvSearch object class defines the search filter entry.
This object class is defined in Red Hat Directory Server.
Superior Class top
OID 2.16.840.1.113730.3.2.38
| Attribute | Definition |
|---|---|
| Defines the object classes for the entry. | |
| Identifies base DN the browsing index is created. | |
| Identifies the scope to define the browsing index. | |
| Identifies the filter string to define the browsing index. |
| Attribute | Definition |
|---|---|
| Gives a text description of the entry. |
6.4.5.16. vlvSort
The vlvSort attribute sets the sort order for returned entries in the browsing or virtual list view (VLV) index.
The entry for this attribute is a vlvIndex entry beneath the vlvSearch entry.
| Parameter | Description |
|---|---|
| Entry DN | cn=<index_name>,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any Directory Server attributes, in a space-separated list |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvSort: cn givenName o ou sn |
6.4.5.17. vlvUses
The read-only vlvUses attribute contains the number of times the browsing index has been used, and Red Hat Directory Server sets this attribute at run time.
Although vlvUses is shown in the configuration, you cannot modify this attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=<index_name>,cn=userRoot,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | N/A |
| Default Value | |
| Syntax | DirectoryString |
| Example | vlvUses: 800 |
6.4.6. Database attributes under cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config
The attributes under cn=database,cn=monitor,cn=ldbm database,cn=plugins,cn=config are all read-only database performance counters.
Red Hat Directory Server displays the following database performance counters:
- dbenvmapmaxsize
- Displays the memory-mapped file maximum size.
- dbenvmapsize
- Displays the space used in the memory-mapped file.
- dbenvlastpageno
- Displays the ID of the last used page.
- dbenvlasttxnid
- Displays the ID of the last committed transaction.
- dbenvmaxreaders
- Displays the maximum number of threads allowed to read the database.
- dbenvnumreaders
- Displays the number of threads reading the database.
- dbenvnumdbis
- Displays the number of database instances.
- waitingrwtxn
- Displays the number of write transactions waiting for the lock.
- activerwtxn
- Displays the number of active write transactions (0 or 1).
- abortrwtxn
- Displays the number of terminated write transactions.
- commitrwtxn
- Displays the number of committed write transactions.
- granttimerwtxn
- Displays the cumulated time to get write transactions (in nanoseconds).
- lifetimerwtxn
- Displays the cumulated lifetime of write transactions (in nanoseconds).
- waitingrotxn
- Displays the number of waiting read-only transactions.
- activerotxn
- Displays the number of active read-only transactions.
- abortrotxn
- Displays the number of terminated read-only transactions.
- commitrotxn
- Displays the number of committed read-only transactions.
- granttimerotxn
- Displays the cumulated time to get read-only transactions (in nanoseconds).
- lifetimerotxn
- Displays the cumulated lifetime of read-only transactions (in nanoseconds).
6.4.7. Database attributes under cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
In multi-supplier replication, the cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry in Red Hat Directory Server defines the configuration of the replication changelog settings for a specific directory database and has the top and extensibleObject object classes.
The term changelog may refer to:
- Changelog
- The actual changelog in the multi-supplier replication that uses attributes described in this chapter.
- Retro Changelog
- The plugin that Red Hat Directory Server uses for compatibility with certain legacy applications. For more information, see Retro changelog plugin.
6.4.7.1. cn
The cn attribute sets the relative distinguished name (RDN) of a changelog entry. This attribute is mandatory.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any string |
| Default Value | changelog |
| Syntax | DirectoryString |
| Example | cn=changelog,cn=userRoot,cn=ldbm database,cn=plugins |
6.4.7.2. nsslapd-changelogmaxage
The nsslapd-changelogmaxage attribute sets the maximum age of a record stored in the replication changelog. Red Hat Directory Server automatically removes older records that were successfully transferred to all consumers.
By default, Red Hat Directory Server removes records that are older than seven days. However, if you disable the nsslapd-changelogmaxage and nsslapd-changelogmaxentries attributes, the server keeps all records in the changelog, which can lead to the excessive growth of the changelog file.
Retro changelog has its own nsslapd-changelogmaxage attribute. For more information, see Retro changelog nsslapd-changelogmaxage.
Changing this attribute does not require a server restart; however, the change takes effect after the trim operation that is scheduled according to the nsslapd-changelogtrim-interval attribute setting.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 (entries are not removed according to their age) to maximum 32-bit integer (2147483647) |
| Default Value | 7d |
| Syntax | DirectoryString IntegerAgeID, where AgeID is:
If you set only the integer value without the AgeID then Directory Server takes it as seconds. |
| Example | nsslapd-changelogmaxage: 30d |
6.4.7.3. nsslapd-changelogmaxentries
The nsslapd-changelogmaxentries attribute sets the maximum number of records stored in the replication changelog.
If the number of the oldest records that were successfully transferred to all consumers exceeds the nsslapd-changelogmaxentries value, Red Hat Directory Server automatically removes these records from the changelog. If you set the nsslapd-changelogmaxentries and nsslapd-changelogmaxage attributes to 0, Red Hat Directory Server keeps all records in the changelog, which can lead to the excessive growth of the changelog file.
Red Hat Directory Server does not automatically reduce the file size of the replication changelog if you set a lower value in the nsslapd-changelogmaxentries attribute.
Changing this attribute does not require a server restart; however, the change takes effect after the trim operation that is scheduled according to the nsslapd-changelogtrim-interval attribute setting.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 (the only maximum limit is the disk size) to maximum 32-bit integer (2147483647) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsslapd-changelogmaxentries: 5000 |
6.4.7.4. nsslapd-changelogtrim-interval
The nsslapd-changelogtrim-interval attribute sets the interval in seconds between replication changelog trim runs.
Changing this attribute does not require a server restart; however, the change takes effect after the trim operation.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | 0 to the maximum 32-bit integer value (2147483647) |
| Default Value | 300 (5 minutes) |
| Syntax | DirectoryString |
| Example | nsslapd-changelogtrim-interval: 300 |
6.4.7.5. nsslapd-encryptionalgorithm
The nsslapd-encryptionalgorithm attribute specifies the encryption algorithm that Red Hat Directory Server uses for the changelog encryption. To enable the changelog encryption, you must install the server certificate on Directory Server.
You must restart the server to apply the attribute value changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | AES or 3DES |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsslapd-encryptionalgorithm: AES |
6.4.7.6. nsSymmetricKey
The nsSymmetricKey attribute stores the internally-generated symmetric key.
You must restart the server to apply the attribute value changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=changelog,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Range | Base 64-encoded key |
| Default Value | None |
| Syntax | DirectoryString |
| Example | None |
6.4.8. Database attributes under cn=monitor,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
The cn=monitor,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry in Red Hat Directory Server (RHDS) contains the read-only attributes (database performance counters) used to monitor the real-time status of a specific directory database.
If the nsslapd-counters attribute in cn=config is set to on, then some of the counters kept by the RHDS instance increment using 64-bit integers, even on 32-bit machines or with a 32-bit version of RHDS. For database monitoring, the entrycachehits and entrycachetries counters use 64-bit integers.
The nsslapd-counters attribute enables 64-bit support for these specific database and server counters. The counters which use 64-bit integers are not configurable. The 64-bit integers are either enabled for all the allowed counters or disabled for all allowed counters.
Review the attribute descriptions:
- currentDNcachecount
- The currentDNcachecount attribute displays the number of cached DNs.
- currentDNcachesize
- The currentDNcachesize attribute displays the current size of the DN cache in bytes.
- dbfilecachehit-number
- The dbfilecachehit-number attribute displays the number of times that a search requiring data from this file was performed and the data was successfully obtained from the cache.
- dbfilecachemiss-number
- The dbfilecachemiss-number attribute displays the number of times that a search requiring data from this file was performed but the data was not obtained from the cache.
- dbfilename-number
- The dbfilename-number attribute sets the file name and provides a sequential integer identifier (starting at 0) for the file.
- dbfilepagein-number
- The dbfilepagein-number attribute displays the number of pages brought to the cache from the file. The number in this attribute's name corresponds to the one in dbfilename.
- dbfilepageout-number
- The dbfilepageout-number attribute displays the number of pages for this file written from cache to disk. The number in this attribute's name corresponds to the one in dbfilename.
- DNcachehitratio
- The DNcachehitratio attribute displays the percentage of DNs found in the cache.
- DNcachehits
- The DNcachehits attribute displays the number of DNs found in the cache.
- DNcachemisses
- The DNcachemisses attribute displays the number of DNs not found in the cache.
- DNcachetries
- The DNcachetries attribute displays the total number of DN cache lookups after the instance start.
- maxDNcachesize
- The maxDNcachesize attribute displays the current value of the nsslapd-ndn-cache-max-size attribute. For details about how to update this setting, see nsslapd-ndn-cache-max-size.
6.4.9. Database attributes under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
The cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config entry contains a set of default indexes that Red Hat Directory Server (RHDS) applies to all newly created databases.
Default indexes are configured per backend in order to optimize RHDS functionality for the majority of setup scenarios. You can remove all indexes except system-essential ones; however, be careful not to cause unnecessary disruptions.
6.4.9.1. cn
The cn attribute specifies the name of the attribute to index.
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid index cn |
| Default Value | None |
| Syntax | DirectoryString |
| Example | cn: aci |
6.4.9.2. nsIndex
The nsIndex object class defines an index in the backend database.
The object class is defined in Red Hat Directory Server.
Superior Class top
OID 2.16.840.1.113730.3.2.44
| Attribute | Definition |
|---|---|
| Defines the object classes for the entry. | |
| Gives the common name of the entry. | |
| Identify whether or not the index is a system defined index. |
| Attribute | Definition |
|---|---|
| Gives a text description of the entry. | |
| Identifies the index type. | |
| Identifies the matching rule. |
6.4.9.3. nsIndexType
The nsIndexType multi-valued attribute specifies the type of index for Red Hat Directory Server operations and takes the values of the attributes to be indexed.
Each required index type has to be entered on a separate line.
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsIndexType: eq |
6.4.9.4. nsMatchingRule
The nsMatchingRule attribute (optional, multi-valued) specifies the ordering matching rule name or OID used to match values and to generate index keys for the attribute. Use nsMatchingRule to ensure that equality and range searches work correctly for languages other than English (7-bit ASCII).
In addition, nsMatchingRule helps range searches to work correctly for integer syntax attributes that do not specify an ordering matching rule in their schema definition. uidNumber and gidNumber are two commonly used attributes that fall into this category.
For example, for a uidNumber that uses integer syntax, the rule attribute could be nsMatchingRule: integerOrderingMatch.
Any change to this attribute does not take effect until the change is saved and the index is rebuilt using the db2index command.
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any valid collation order object identifier (OID) |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsMatchingRule: 2.16.840.1.113730.3.3.2.3.1 (For Bulgarian) |
6.4.9.5. nsSystemIndex
The nsSystemIndex attribute (mandatory) specifies whether the index is a system index, an index which is vital for Red Hat Directory Server operations. If this attribute has a value of true, then it is system-essential.
Do not remove system indexes, otherwise the server functionality can be seriously disrupted.
| Parameter | Description |
|---|---|
| Entry DN | cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | true | false |
| Default Value | |
| Syntax | DirectoryString |
| Example | nssystemindex: true |
6.4.10. Database attributes under cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
The cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry in Red Hat Directory Server contains custom indexes for a specific directory database in addition to the set of default indexes that are stored under cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config.
For example, the index for the aci attribute under cn=UserRoot is the following:
dn:cn=aci,cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsIndex
cn:aci
nsSystemIndex:true
nsIndexType:pres
These entries share all of the indexing attributes listed for the default indexes in Database attributes under cn=default indexes.
6.4.10.1. nsIndexIDListScanLimit
The nsIndexIDListScanLimit attribute defines search limits for specific indexes.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_name>,cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsIndexIDListScanLimit: limit=0 type=eq values=inetorgperson |
6.4.10.2. nsSubStrBegin
The nsSubStrBegin attribute sets the minimum number of characters required for an indexed search at the beginning of a search string before a wildcard.
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters. For example, the string abc would be an indexed search while ab* would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches.
This substring length can be edited based on the position of any wildcard characters. The nsSubStrBegin attribute sets the required number of characters for an indexed search for the beginning of a search string, before the wildcard. For example:
abc*
If the value of this attribute is changed, then the index must be regenerated using db2index.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_name>,cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsSubStrBegin: 2 |
6.4.10.3. nsSubStrEnd
The nsSubStrEnd attribute sets the minimum number of characters required for an indexed search at the end of a search string after a wildcard.
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters. For example, the string abc would be an indexed search while ab* would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches.
This substring length can be edited based on the position of any wildcard characters. The nsSubStrEnd attribute sets the required number of characters for an indexed search for the end of a search string, after the wildcard. For example:
*xyz
If the value of this attribute is changed, then the index must be regenerated using db2index.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_name>,cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsSubStrEnd: 2 |
6.4.10.4. nsSubStrMiddle
The nsSubStrMiddle attribute sets the minimum number of characters required for an indexed search when a wildcard is used in the middle of a search string.
By default, for a search to be indexed, the search string must be at least three characters long, without counting any wildcard characters. For example, the string abc would be an indexed search while ab* would not be. Indexed searches are significantly faster than unindexed searches, so changing the minimum length of the search key is helpful to increase the number of indexed searches.
This substring length can be edited based on the position of any wildcard characters. The nsSubStrMiddle attribute sets the required number of characters for an indexed search where a wildcard is used in the middle of a search string. For example:
ab*z
If the value of this attribute is changed, then the index must be regenerated using db2index.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_name>,cn=index,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Any integer |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsSubStrMiddle: 3 |
6.4.11. Database attributes under cn=<attributeName>,cn=encrypted attributes,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config
The cn=<attributeName>,cn=encrypted attributes,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config entry defines the configuration that manages the encryption of specific attributes within a database.
Proper configuration ensures that Red Hat Directory Server encrypts specified attributes using the following security settings:
- nsAttributeEncryption
- The nsAttributeEncryption object class allows selective encryption of attributes within a database. You might want to increase security of extremely sensitive information such as credit card numbers and government identification numbers because these attribute values are stored unencrypted within the database. Encrypting them while they are stored adds another layer of protection.
- nsEncryptionAlgorithm
- The nsEncryptionAlgorithm attribute sets the encryption cipher used per attribute.
For example, configuration for the userPassword attribute under o=UserRoot is the following:
dn:cn=userPassword,cn=encrypted attributes,o=UserRoot,cn=ldbm database,cn=plugins,cn=config
objectclass:top
objectclass:nsAttributeEncryption
cn:userPassword
nsEncryptionAlgorithm:AES
For details about attribute encryption, see Managing attribute encryption in the Red Hat Directory Server 13 Management, configuration, and operations documentation.
6.4.11.1. nsAttributeEncryption
The nsAttributeEncryption object class specifies core configuration entries which identify and encrypt selected attributes within a Red Hat Directory Server database.
This object class is defined in Red Hat Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.316
| Parameter | Description |
|---|---|
| objectClass | Defines the object classes for the entry. |
| cn | Specifies the common name of the encrypted attribute. |
| nsEncryptionAlgorithm | Specifies the encryption cipher for the attribute. |
6.4.11.2. nsEncryptionAlgorithm
The nsEncryptionAlgorithm attribute selects the cipher that the nsAttributeEncryption object class uses. Set the algorithm for each encrypted attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=<attribute_name>,cn=encrypted attributes,cn=<database_name>,cn=ldbm database,cn=plugins,cn=config |
| Valid Values | Red Hat Directory Server supports the following ciphers:
|
| Default Value | |
| Syntax | DirectoryString |
| Example | nsEncryptionAlgorithm: AES |
6.5. Database Link plug-in attributes
The Database Link plugin attributes under cn=chaining database,cn=plugins,cn=config in Red Hat Directory Server store the configuration settings used to establish and manage connections to remote directory servers. Using these parameters helps you to securely chain client requests across multiple servers.
The Database Link plugin attributes are organized in an information tree. All plugin technology used by the database link instances is stored in the cn=chaining database plugin entry.
6.5.1. Database link attributes under cn=config,cn=chaining database,cn=plugins,cn=config
The cn=config,cn=chaining database,cn=plugins,cn=config entry contains global configuration attributes common to all chaining database instances.
6.5.1.1. nsActiveChainingComponents
The nsActiveChainingComponents attribute lists the components allowed to use chaining for LDAP operations.
A component is any functional unit in the server. The value of this attribute overrides the value in the global configuration attribute. To disable chaining on a particular database instance, use the value None. This attribute also allows the components used to chain to be altered. By default, no components are allowed to chain, which explains why this attribute will probably not appear in a list of cn=config,cn=chaining database,cn=config attributes, as LDAP considers empty attributes to be non-existent.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid component entry |
| Default Value | None |
| Syntax | DirectoryString |
| Example | nsActiveChainingComponents: cn=uid uniqueness,cn=plugins,cn=config |
6.5.1.2. nsMaxResponseDelay
The nsMaxResponseDelay attribute sets the maximum response time in seconds before a database link automatically tests an unresponsive connection to the remote server.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid delay period in seconds |
| Default Value | 60 seconds |
| Syntax | Integer |
| Example | nsMaxResponseDelay: 60 |
6.5.1.3. nsMaxTestResponseDelay
The nsMaxTestResponseDelay attribute specifies the duration of the test issued by the database link to check whether the remote server is responding.
If a response from the remote server is not returned before this period has passed, the database link assumes the remote server is down, and the connection is not used for subsequent operations.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid delay period in seconds |
| Default Value | 15 seconds |
| Syntax | Integer |
| Example | nsMaxTestResponseDelay: 15 |
6.5.1.4. nsTransmittedControls
The nsTransmittedControls attribute specifies which LDAP controls the database link forwards to remote servers.
This attribute, which can be both a global (and thus dynamic) configuration or an instance (that is, cn=database link instance,cn=chaining database,cn=plugins,cn=config) configuration attribute, allows the controls the database link forwards to be altered. The following controls are forwarded by default by the database link:
- Managed DSA (OID: 2.16.840.1.113730.3.4.2)
- Virtual list view (VLV) (OID: 2.16.840.1.113730.3.4.9)
- Server side sorting (OID: 1.2.840.113556.1.4.473)
- Loop detection (OID: 1.3.6.1.4.1.1466.29539.12)
Other controls, such as dereferencing and simple paged results for searches, can be added to the list of controls to forward.
| Parameter | Description |
|---|---|
| Entry DN | cn=config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid OID or the above listed controls forwarded by the database link |
| Default Value | None |
| Syntax | Integer |
| Example | nsTransmittedControls: 1.2.840.113556.1.4.473 |
6.5.2. Database link attributes under cn=default instance config,cn=chaining database,cn=plugins,cn=config
The cn=default instance config,cn=chaining database,cn=plugins,cn=config entry in Red Hat Directory Server stores the default configuration attributes used for all newly created database links. These attributes help you to standardize proxy behaviors, network timeouts, and client request routing.
Default instance configuration attributes for instances are housed in the cn=default instance config,cn=chaining database,cn=plugins,cn=config tree node.
6.5.2.1. nsAbandonedSearchCheckInterval
The nsAbandonedSearchCheckInterval attribute sets the interval in seconds for checking abandoned operations.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to maximum 32-bit integer (2147483647) seconds |
| Default Value | 1 |
| Syntax | Integer |
| Example | nsAbandonedSearchCheckInterval: 10 |
6.5.2.2. nsBindConnectionsLimit
The nsBindConnectionsLimit attribute sets the maximum number of TCP connections the database link establishes with the remote server.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to 50 connections |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsBindConnectionsLimit: 3 |
6.5.2.3. nsBindRetryLimit
The nsBindRetryLimit attribute sets the number of bind attempts to the remote server.
Contrary to what the name suggests, this attribute does not specify the number of times a database link retries to bind with the remote server but the number of times it tries to bind with the remote server. A value of 1 here indicates that the database link only attempts to bind once.
Retries only occur for connection failures and not for other types of errors, such as invalid bind DNs or bad passwords.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to 5 |
| Default Value | 3 |
| Syntax | Integer |
| Example | nsBindRetryLimit: 3 |
6.5.2.4. nsBindTimeout
The nsBindTimeout attribute sets the amount of time before the bind attempt times out. No real valid range exists for this attribute, except reasonable patience limits.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to 60 seconds |
| Default Value | 15 |
| Syntax | Integer |
| Example | nsBindTimeout: 15 |
6.5.2.5. nsCheckLocalACI
The nsCheckLocalACI attribute controls whether ACIs are evaluated on the database link as well as the remote data server.
Reserved for advanced use only.
Restart the server to apply changes.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsCheckLocalACI: on |
6.5.2.6. nsConcurrentBindLimit
The nsConcurrentBindLimit attribute sets the maximum number of concurrent bind operations per TCP connection.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to 25 binds |
| Default Value | 10 |
| Syntax | Integer |
| Example | nsConcurrentBindLimit: 10 |
6.5.2.7. nsConcurrentOperationsLimit
The nsConcurrentOperationsLimit attribute sets the maximum number of allowed concurrent operations.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to 50 operations |
| Default Value | 2 |
| Syntax | Integer |
| Example | nsConcurrentOperationsLimit: 5 |
6.5.2.8. nsConnectionLife
The nsConnectionLife attribute sets the lifetime in seconds for connections between the database link and the remote server.
Connections between the database link and the remote server can be kept open for an unspecified time or closed after a specific period of time. It is faster to keep the connections open, but it uses more resources. When the value is 0 and a list of failover servers is provided in the nsFarmServerURL attribute, the main server is never contacted after failover to the alternate server.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 0 to limitless seconds (where 0 means forever) |
| Default Value | 0 |
| Syntax | Integer |
| Example | nsConnectionLife: 0 |
6.5.2.9. nsOperationConnectionsLimit
The nsOperationConnectionsLimit attribute sets the maximum number of LDAP connections the database link establishes with the remote server.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to n connections |
| Default Value | 20 |
| Syntax | Integer |
| Example | nsOperationConnectionsLimit: 10 |
6.5.2.10. nsProxiedAuthorization
The nsProxiedAuthorization attribute controls whether chained operations use proxied authorization.
Reserved for advanced use only. If you disable proxied authorization, binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | on |
| Syntax | DirectoryString |
| Example | nsProxiedAuthorization: on |
6.5.2.11. nsReferralOnScopedSearch
The nsReferralOnScopedSearch attribute controls whether referrals are returned by scoped searches.
Use the attribute to optimize the directory because returning referrals in response to scoped searches is more efficient. A referral is returned to all the configured farm servers.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Values | on | off |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsReferralOnScopedSearch: off |
6.5.2.12. nsSizeLimit
The nsSizeLimit attribute sets the default size limit for the database link.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | -1 (no limit) to maximum 32-bit integer (2147483647) entries |
| Default Value | 2000 |
| Syntax | Integer |
| Example | nsSizeLimit: 2000 |
6.5.2.13. nsTimeLimit
The nsTimeLimit attribute sets the default search time limit in seconds for the database link.
| Parameter | Description |
|---|---|
| Entry DN | cn=default instance config,cn=chaining database,cn=plugins,cn=config |
| Valid Range | -1 to maximum 32-bit integer (2147483647) seconds |
| Default Value | 3600 |
| Syntax | Integer |
| Example | nsTimeLimit: 3600 |
6.5.3. Database link attributes under cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config
The cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config entry stores the attributes that manage specific database links to remote servers.
These attributes can contain optional servers for failover, separated by spaces. For cascading chaining, this URL can point to another database link.
6.5.3.1. nsBindMechanism
The nsBindMechanism attribute sets a bind mechanism for the farm server to connect to the remote server. A farm server is a server that contains data in one or more databases.
Possible attribute values are the following:
- empty: Performs simple authentication and requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.
- EXTERNAL: Uses a TLS certificate to authenticate the farm server to the remote server. You must either set the farm server URL to the secure URL (ldaps) or set the nsUseStartTLS attribute to on. Additionally, you must configure the remote server to map the farm server's certificate to its bind identity.
- DIGEST-MD5: Uses SASL with DIGEST-MD5 encryption. As with simple authentication, this requires the nsMultiplexorBindDn and nsMultiplexorCredentials attributes to give the bind information.
- GSSAPI: Uses Kerberos-based authentication over SASL. The farm server must be connected over the standard port, meaning the URL has ldap, because Red Hat Directory Server does not support SASL/GSS-API over TLS. The farm server must be configured with a Kerberos keytab, and the remote server must have a defined SASL mapping for the farm server's bind identity.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config |
| Valid Values | empty, EXTERNAL, DIGEST-MD5, GSSAPI |
| Default Value | empty |
| Syntax | DirectoryString |
| Example | nsBindMechanism: GSSAPI |
6.5.3.2. nsFarmServerURL
The nsFarmServerURL attribute specifies the LDAP URL of the remote server for database chaining.
A farm server is a server containing data in one or more databases. This attribute can contain optional servers for failover, separated by spaces. If using cascading chaining, this URL can point to another database link.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid remote server LDAP URL |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsFarmServerURL: ldap://farm1.example.com farm2.example.com:389 farm3.example.com:1389/ |
6.5.3.3. nshoplimit
The nshoplimit attribute sets the maximum number of times a request can be forwarded from one database link to another.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config |
| Valid Range | 1 to an appropriate upper limit for the deployment |
| Default Value | 10 |
| Syntax | Integer |
| Example | nsHopLimit: 3 |
6.5.3.4. nsMultiplexorBindDN
The nsMultiplexorBindDN attribute specifies the distinguished name (DN) of the administrative entry used to communicate to the remote server.
The multiplexor is the server that contains the database link and communicates with the farm server. This bind DN cannot be the Directory Manager, and, if this attribute is not specified, the database link binds as anonymous.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config |
| Valid Values | |
| Default Value | DN of the multiplexor |
| Syntax | DirectoryString |
| Example | nsMultiplexorBindDN: cn=proxy manager |
6.5.3.5. nsMultiplexorCredentials
The nsMultiplexorCredentials attribute stores the password for the administrative user. You enter the password in plain text.
If no password is provided, users can bind as anonymous. The password is encrypted in the configuration file. The example below is what is displayed, not typed.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config |
| Valid Values | Any valid password, which will then be encrypted using the DES reversible password encryption schema |
| Default Value | |
| Syntax | DirectoryString |
| Example | nsMultiplexorCredentials: {DES} 9Eko69APCJfF |
6.5.3.6. nsUseStartTLS
The nsUseStartTLS attribute allows StartTLS to establish encrypted connections over standard LDAP ports.
This attribute can be used if the nsBindMechanism attribute is set to EXTERNAL but the farm server URL is set to the standard URL (ldap) or if the nsBindMechanism attribute is left empty.
| Parameter | Description |
|---|---|
| Entry DN | cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config |
| Valid Values | off | on |
| Default Value | off |
| Syntax | DirectoryString |
| Example | nsUseStartTLS: on |
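A check for the constraints this section places on a database link entry (TLS for EXTERNAL, plain ldap for GSSAPI, bind DN and credentials for simple and DIGEST-MD5 binds), as an added example that is not Red Hat's code. The sample entries, link names and hosts are constructed, and the code assumes that an unset nsBindMechanism means simple authentication and that the Directory Manager uses the default DN cn=Directory Manager.

```python
# Added example: audit database link entries against the rules in this section.
# SAMPLE_LDIF is constructed; link names, hosts and bind DNs are assumptions.
SAMPLE_LDIF = """\
dn: cn=link_ok,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm1.example.com:389/
nsBindMechanism: EXTERNAL
nsUseStartTLS: on

dn: cn=link_ext,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm1.example.com:389/
nsBindMechanism: EXTERNAL

dn: cn=link_gss,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldaps://farm1.example.com:636/
nsBindMechanism: GSSAPI

dn: cn=link_simple,cn=chaining database,cn=plugins,cn=config
nsFarmServerURL: ldap://farm1.example.com:389/
nsMultiplexorBindDN: cn=Directory Manager
"""

def parse_ldif(text):
    """One dict per entry, keyed by lower-cased name ('::' base64 not decoded)."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:      # LDIF folded line
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        pairs = (ln.partition(":") for ln in lines)
        entries.append({n.strip().lower(): v.strip() for n, _, v in pairs})
    return entries

def audit_link(entry):
    """Return the findings for one database link entry."""
    findings = []
    mech = entry.get("nsbindmechanism", "").upper()
    tls = (entry.get("nsfarmserverurl", "").lower().startswith("ldaps://")
           or entry.get("nsusestarttls", "off").lower() == "on")
    bind_dn = entry.get("nsmultiplexorbinddn", "")
    if mech == "EXTERNAL" and not tls:
        findings.append("EXTERNAL needs an ldaps URL or nsUseStartTLS: on")
    if mech == "GSSAPI" and tls:
        findings.append("GSSAPI must use a plain ldap URL without TLS")
    if mech in ("", "EMPTY", "DIGEST-MD5"):
        if not bind_dn or not entry.get("nsmultiplexorcredentials"):
            findings.append("no bind DN or credentials: link binds as anonymous")
        if mech != "DIGEST-MD5" and not tls:
            findings.append("simple bind sends the password without TLS")
    # Assumption: the Directory Manager uses the default DN cn=Directory Manager.
    if bind_dn.replace(" ", "").lower() == "cn=directorymanager":
        findings.append("bind DN must not be the Directory Manager")
    return findings

def audit(text):
    """Map each entry DN to its list of findings."""
    return {e["dn"]: audit_link(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    for dn, findings in audit(SAMPLE_LDIF).items():
        print(dn, "->", findings or "ok")
```

Feed it the output of an ldapsearch over cn=chaining database,cn=plugins,cn=config to review every configured link in one pass.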
6.5.4. Database link attributes under cn=monitoring,cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config
The cn=monitoring,cn=<database_link_name>,cn=chaining database,cn=plugins,cn=config entry in Red Hat Directory Server stores the read-only attributes used to monitor the real-time status of a specific remote database link. These attributes help you to track proxy connection health and evaluate request latency.
| Attribute | Definition |
|---|---|
| nsAbandonCount | Contains the number of abandon operations received. |
| nsAddCount | Contains the number of add operations received. |
| nsBindCount | Contains the number of bind requests received. |
| nsCompareCount | Contains the number of compare operations received. |
| nsDeleteCount | Contains the number of delete operations received. |
| nsModifyCount | Contains the number of modify operations received. |
| nsOpenBindConnectionCount | Contains the number of open connections for bind operations. |
| nsOperationConnectionCount | Contains the number of open connections for normal operations. |
| nsRenameCount | Contains the number of rename operations received. |
| nsSearchBaseCount | Contains the number of base level searches received. |
| nsSearchOneLevelCount | Contains the number of one-level searches received. |
| nsSearchSubtreeCount | Contains the number of subtree searches received. |
| nsUnbindCount | Contains the number of unbinds received. |