Configuration, Command, and File Reference
Reference guide for configuring Directory Server
Abstract
Preface
Reference guide for configuring Directory Server
Legal Notice
Copyright 2021 Red Hat, Inc.
This document is licensed by Red Hat under the Creative Commons Attribution-ShareAlike 3.0 Unported License. If you distribute this document, or a modified version of it, you must provide attribution to Red Hat, Inc. and provide a link to the original. If the document is modified, all Red Hat trademarks must be removed.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux is the registered trademark of Linus Torvalds in the United States and other countries.
Java is a registered trademark of Oracle and/or its affiliates.
XFS is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.
Making Open Source More Inclusive
Red Hat is committed to replacing problematic language in our code, documentation, and web properties. We are beginning with these four terms: master, slave, blacklist, and whitelist. Because of the enormity of this endeavor, these changes will be implemented gradually over several upcoming releases. For more details, see our CTO Chris Wright’s message.
About This Reference
Red Hat Directory Server (Directory Server) is a powerful and scalable distributed directory server based on the industry-standard Lightweight Directory Access Protocol (LDAP). Directory Server is the cornerstone for building a centralized and distributed data repository that can be used in an intranet, over an extranet with trading partners, or over the public Internet to reach customers.
This reference covers the server configuration and the command-line utilities. It is designed primarily for directory administrators and experienced directory users who want to use the command-line to access the directory. After configuring the server, use this reference to help maintain it.
The Directory Server can also be managed through the Directory Server Console, a graphical user interface. The Red Hat Directory Server Administration Guide describes how to do this and explains individual administration tasks more fully.
1. Directory Server Overview
The major components of Directory Server include:
- An LDAP server – The LDAP v3-compliant network daemon.
- Directory Server Console – A graphical management console that dramatically reduces the effort of setting up and maintaining your directory service.
- SNMP agent – Can monitor the Directory Server using the Simple Network Management Protocol (SNMP).
Chapter 1. Introduction
Directory Server is based on an open-systems server protocol called the Lightweight Directory Access Protocol (LDAP). The Directory Server is a robust, scalable server designed to manage large scale directories to support an enterprise-wide directory of users and resources, extranets, and e-commerce applications over the Internet. The Directory Server runs as the ns-slapd
process or service on the machine. The server manages the directory databases and responds to client requests.
Most Directory Server administrative tasks can be performed through the Directory Server Console, the graphical user interface provided with the Directory Server. For information on the use of the Directory Server Console, see the Red Hat Directory Server Administration Guide.
This reference deals with the other methods of managing the Directory Server by altering the server configuration attributes using the command line and using command-line utilities and scripts.
1.1. Directory Server Configuration
The format and method for storing configuration information for Directory Server and a listing for all server attributes are found in two chapters, Chapter 3, Core Server Configuration Reference and Chapter 4, Plug-in Implemented Server Functionality Reference.
1.2. Directory Server Instance File Reference
Section 2.1, “Directory Server Instance-independent Files and Directories” has an overview of the files and configuration information stored in each instance of Directory Server. This is useful reference to helps administrators understand the changes or absence of changes in the course of directory activity. From a security standpoint, this also helps users detect errors and intrusion by highlighting normal changes and abnormal behavior.
1.3. Using Directory Server Command-Line Utilities
Directory Server comes with a set of configurable command-line utilities that can search and modify entries in the directory and administer the server. Chapter 9, Command-Line Utilities describes these command-line utilities and contains information on where the utilities are stored and how to access them.
Chapter 2. File Locations Overview
Red Hat Directory Server is compatible with the Filesystem Hierarchy Standards (FHS). For further information on the FHS, see http://refspecs.linuxfoundation.org/fhs.shtml.
2.1. Directory Server Instance-independent Files and Directories
The following are the Directory Server’s instance-independent default file and directory locations:
Type | Location |
---|---|
Command-line utilities |
|
Systemd unit files |
|
2.2. Directory Server Instance-specific Files and Directories
To separate multiple instances running on the same host, certain files and directories contain the name of the instance. You set the instance name during the Directory Server setup. By default, this is the host name without domain name. For example, if your fully-qualified domain name is server.example.com
, the default instance name is server
.
The following are the Directory Server’s instance-specific default file and directory locations:
Type | Location |
---|---|
Backup files |
|
Configuration files |
|
Certificate and key databases |
|
Database files |
|
LDIF files |
|
Lock files |
|
Log files |
|
PID file |
|
Systemd unit files |
|
2.2.1. Configuration Files
Each Directory Server instance stores its configuration files in the /etc/dirsrv/slapd-instance
directory.
The configuration information for Red Hat Directory Server is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server using LDAP while it is still running, thus avoiding the need to shut the server down for most configuration changes.
2.2.1.1. Overview of the Directory Server Configuration
When the Directory Server is set up, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config
. When the server is started, the contents of the cn=config
subtree are read from a file (dse.ldif
) in LDIF format. This dse.ldif
file contains all of the server configuration information. The latest version of this file is called dse.ldif
, the version prior to the last modification is called dse.ldif.bak
, and the latest file with which the server successfully started is called dse.ldif.startOK
.
Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config
. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under
cn=ldbm database,cn=plugins,cn=config
for local databases and cn=chaining database,cn=plugins,cn=config
for database links.
The following diagram illustrates how the configuration data fits within the cn=config
directory information tree.
Figure 2.1. Directory Information Tree Showing Configuration Data
2.2.1.1.1. LDIF and Schema Configuration Files
The Directory Server configuration data are stored in LDIF files in the /etc/dirsrv/slapd-instance
directory. Thus, if a server identifier is phonebook
, then for a Directory Server, the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook
.
This directory also contains other server instance-specific configuration files.
Schema configuration is also stored in LDIF format, and these files are located in the /etc/dirsrv/schema
directory.
The following table lists all of the configuration files that are supplied with the Directory Server, including those for the schema of other compatible servers. Each file is preceded by a number which indicates the order in which they should be loaded (in ascending numerical and then alphabetical order).
Configuration Filename | Purpose |
---|---|
dse.ldif |
Contains front-end Directory Specific Entries created by the directory at server startup. These include the Root DSE ( |
00core.ldif |
Contains only those schema definitions necessary for starting the server with the bare minimum feature set (no user schema, no schema for any non-core features). The rest of the schema used by users, features, and applications is found in |
01common.ldif |
Contains LDAPv3 standard operational schema, such as |
05rfc2247.ldif | Schema from RFC 2247 and related pilot schema, from "Using Domains in LDAP/X500 Distinguished Names." |
05rfc2927.ldif |
Schema from RFC 2927, "MIME Directory Profile for LDAP Schema." Contains the |
10presence.ldif | Legacy. Schema for instant messaging presence (online) information; the file lists the default object classes with the allowed attributes that must be added to a user’s entry in order for instant-messaging presence information to be available for that user. |
10rfc2307.ldif |
Schema from RFC 2307, "An Approach for Using LDAP as a Network Information Service." This may be superseded by |
20subscriber.ldif |
Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the |
25java-object.ldif | Schema from RFC 2713, "Schema for Representing Java® Objects in an LDAP Directory." |
28pilot.ldif |
Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Future RFCs which succeed RFC 1274 may deprecate some or all of |
30ns-common.ldif | Schema that contains objects classes and attributes common to the Directory Server Console framework. |
50ns-admin.ldif | Schema used by Red Hat Administration Server. |
50ns-certificate.ldif | Schema for Red Hat Certificate Management System. |
50ns-directory.ldif | Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to current releases of Directory Server. This schema is required for replicating between Directory Server 4.12 and current releases. |
50ns-mail.ldif | Schema used by Netscape Messaging Server to define mail users and mail groups. |
50ns-value.ldif | Schema for servers' value item attributes. |
50ns-web.ldif | Schema for Netscape Web Server. |
60pam-plugin.ldif | Reserved for future use. |
99user.ldif | User-defined schema maintained by Directory Server replication consumers which contains the attributes and object classes from the suppliers. |
2.2.1.1.2. How the Server Configuration Is Organized
The dse.ldif
file contains all configuration information including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by ""
) and the contents of cn=config
and cn=monitor
.
When the server generates the dse.ldif
file, it lists the entries in hierarchical order in the order that the entries appear in the directory under cn=config
, which is usually the same order in which an LDAP search of subtree scope for base cn=config
returns the entries.
dse.ldif
also contains the cn=monitor
entry, which is mostly read-only, but can have ACIs set on it.
The dse.ldif
file does not contain every attribute in cn=config
. If the attribute has not been set by the administrator and has a default value, the server will not write it to dse.ldif
. To see every attribute in cn=config
, use ldapsearch
.
Configuration Attributes
Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute’s configuration.
The following code sample is an example of part of the dse.ldif
file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck
, which takes the value on
.
dn: cn=config objectclass: top objectclass: extensibleObject objectclass: nsslapdConfig nsslapd-accesslog-logging-enabled: on nsslapd-enquote-sup-oc: off nsslapd-localhost: phonebook.example.com nsslapd-schemacheck: on nsslapd-port: 389 nsslapd-localuser: dirsrv ...
Configuration of Plug-in Functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config
. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin objectclass: extensibleObject cn: Telephone Syntax nsslapd-pluginType: syntax nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch
on the cn=config
subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart for configuration changes, see Chapter 4, Plug-in Implemented Server Functionality Reference.
Configuration of Databases
The cn=UserRoot
subtree under the database plug-in entry contain configuration data for the databases containing the default suffix created during setup.
These entries and their children have many attributes used to configure different database settings, like the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring and statistics; and database indexes.
Configuration of Indexes
Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:
-
cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
-
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
For more information about indexes in general, see the Red Hat Directory Server Administration Guide. For information about the index configuration attributes, see Section 4.4.1, “Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config”.
2.2.1.2. Accessing and Modifying Server Configuration
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
2.2.1.2.1. Access Control for Configuration Entries
When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented for all entries under cn=config
. The following code sample is an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
- Members of the Configuration Administrators group.
-
The user acting as the administrator, the
admin
account that was configured at setup. By default, this is the same user account which is logged into the Console. - Members of local Directory Administrators group.
-
The SIE (Server Instance Entry) group, usually assigned using the
Set Access Permissions
process the main console.
For more information on access control, see the Red Hat Directory Server Administration Guide.
2.2.1.2.2. Changing Configuration Attributes
Server attributes can be viewed and changed in one of three ways: through the Directory Server Console, by performing ldapsearch
and ldapmodify
commands, or by manually editing the dse.ldif
file.
Before editing the dse.ldif
file, the server must be stopped; otherwise, the changes are lost. Editing the dse.ldif
file is recommended only for changes to attributes which cannot be altered dynamically. See Configuration Changes Requiring Server Restart for further information.
The following sections describe how to modify entries using LDAP (both by using Directory Server Console and by using the command line), the restrictions that apply to modifying entries, the restrictions that apply to modifying attributes, and the configuration changes requiring restart.
Modifying Configuration Entries Using LDAP
The configuration entries in the directory can be searched and modified using LDAP either using the Directory Server Console or by performing ldapsearch
and ldapmodify
operations in the same way as other directory entries. The advantage of using LDAP to modify entries is changes can be made while the server is running.
For further information, see the "Creating Directory Entries" chapter in the Red Hat Directory Server Administration Guide. However, certain changes do require the server to be restarted before they are taken into account. See Configuration Changes Requiring Server Restart for further information.
As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config
subtree as this risks affecting Directory Server functionality.
The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch
operation on the cn=config
subtree:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)"
-
bindDN is the DN chosen for the Directory Manager when the server was installed (
cn=Directory Manager
by default). - password is the password chosen for the Directory Manager.
To disable a plug-in, use ldapmodify
to edit the nsslapd-pluginEnabled
attribute:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=Telephone Syntax,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: off
Restrictions to Modifying Configuration Entries and Attributes
Certain restrictions apply when modifying server entries and attributes:
-
The
cn=monitor
entry and its child entries are read-only and cannot be modified, except to manage ACIs. -
If an attribute is added to
cn=config
, the server ignores it. - If an invalid value is entered for an attribute, the server ignores it.
-
Because
ldapdelete
is used for deleting an entire entry, useldapmodify
to remove an attribute from an entry.
Configuration Changes Requiring Server Restart
Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif
file. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch
and search for the nsslapd-requiresrestart
attribute. For example:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[a]
Although this attribute requires a restart, it is not returned in the search.
|
Deleting Configuration Attributes
All core configuration attributes are present, even if they are not written in the /etc/dirsrv/slapd-instance-name/dse.ldif
file, because they all have default values used by the server.
For details about deleting core configuration attributes and a list of attributes that cannot be deleted, see the corresponding section in the Red Hat Directory Server Administration Guide.
2.2.2. Database Files
Each Directory Server instance contains the /var/lib/dirsrv/slapd-instance/db
directory for storing all of the database files. The following is a sample listing of the /var/lib/dirsrv/slapd-instance/db
directory contents.
Example 2.1. Database Directory Contents
db.001 db.002 __db.003 DBVERSION log.0000000001 userroot/
-
db.00x
files — Used internally by the database and should not be moved, deleted, or modified in any way. -
log.xxxxxxxxxx
files — Used to store the transaction logs per database. -
DBVERSION
— Used for storing the version of the database. -
userRoot
— Stores the user-defined suffix (user-defined databases) created at setup; for example,dc=example,dc=com
.
If a new database is created (for example, testRoot
) to store the directory tree under a new suffix, the directory named testRoot
also appears in the /var/lib/dirsrv/slapd-instance/db
directory.
The following is a sample listing of the userRoot
directory contents.
Example 2.2. userroot Database Directory Contents
ancestorid.db DBVERSION entryrdn.db id2entry.db nsuniqueid.db numsubordinates.db objectclass.db parentid.db
The userroot
subdirectory contains the following files:
-
ancestorid.db
— Contains a list of IDs to find the ID of the entry’s ancestor. -
entrydn.db
— Contains a list of full DNs to find any ID. -
id2entry.db
— Contains the actual directory database entries. All other database files can be recreated from this one, if necessary. -
nsuniqueid.db
— Contains a list of unique IDs to find any ID. -
numsubordinates.db
— Contains IDs that have child entries. -
objectclass.db
— Contains a list of IDs which have a particular object class. -
parentid.db
— Contains a list of IDs to find the ID of the parent.
2.2.3. LDIF Files
Sample LDIF files are stored in the /var/lib/dirsrv/slapd-instance/ldif
directory for storing LDIF-related files. Example 2.3, “LDIF Directory Contents” lists the /ldif
directory contents.
Example 2.3. LDIF Directory Contents
European.ldif Example.ldif Example-roles.ldif Example-views.ldif
-
European.ldif
— Contains European character samples. -
Example.ldif
— Is a sample LDIF file. -
Example-roles.ldif
— Is a sample LDIF file similar toExample.ldif
, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.
The LDIF files exported by db2ldif
or db2ldif.pl
scripts in the instance directory are stored in /var/lib/dirsrv/slapd-instance/ldif
.
2.2.4. Lock Files
Each Directory Server instance contains a /var/lock/dirsrv/slapd-instance
directory for storing lock-related files. The following is a sample listing of the locks
directory contents.
Example 2.4. Lock Directory Contents
exports/ imports/ server/
The lock mechanisms control how many copies of the Directory Server process can be running at one. For example, if there is an import job, then a lock is placed in the imports/
directory to prevent any other ns-slapd
(normal), ldif2db
(another import), or db2ldif
(export) operations from running. If the server is running as normal, there is a lock in the server/
directory, which prevents import operations (but not export operations), while if there is an export operation, the lock in the exports/
directory allows normal server operations but prevents import operations.
The number of available locks can affect overall Directory Server performance. The number of locks is set in the nsslapd-db-locks
attribute. Tuning that attribute value is described in the Performance Tuning Guide.
2.2.5. Log Files
Each Directory Server instance contains a /var/log/dirsrv/slapd-instance
directory for storing log files. The following is a sample listing of the /logs
directory contents.
Example 2.5. Log Directory Contents
access access.20200228-171925 errors access.20200221-162824 access.rotationinfo errors.20200221-162824 access.20200223-171949 audit errors.rotationinfo access.20200227-171818 audit.rotationinfo slapd.stats
-
The content of the
access
,audit
, anderror
log files is dependent on the log configuration. -
The
slapd.stats
file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
Chapter 7, Log File Reference contains a solid overview of the access, error, and audit log file formats and the information in them.
2.2.6. PID Files
slapd-serverID.pid
and slapd-serverID.startpid
files are created in the /var/run/dirsrv
directory when the server is up and running. Both files store the server’s process ID.
2.2.7. Backup Files
Each Directory Server instance contains the following directory and file for storing backup-related files:
-
/var/lib/dirsrv/slapd-instance/bak
— This contains a directory dated with the instance, time and date of the database backup, such asinstance-2020_05_02_16_56_05/
, which in turn holds the database backup copy. -
/etc/dirsrv/slapd-instance/dse_original.ldif
— This is a backup copy of thedse.ldif
configuration file from the time of installation.
Chapter 3. Core Server Configuration Reference
The chapter provides an alphabetical reference for all core (server-related) attributes. Section 2.2.1.1, “Overview of the Directory Server Configuration” contains a good overview of the Red Hat Directory Server configuration files.
3.1. Core Server Configuration Attributes Reference
This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see Section 2.2.1.2, “Accessing and Modifying Server Configuration”. For a list of server features that are implemented as plug-ins, see Section 4.1, “Server Plug-in Functionality Reference”. For help with implementing custom server functionality, contact Directory Server support.
The configuration information stored in the dse.ldif
file is organized as an information tree under the general configuration entry cn=config
, as shown in the following diagram.
Figure 3.1. Directory Information Tree Showing Configuration Data
Most of these configuration tree nodes are covered in the following sections.
The cn=plugins
node is covered in Chapter 4, Plug-in Implemented Server Functionality Reference. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Some of the entries and attributes described in this chapter may change in future releases of the product.
3.1.1. cn=config
General configuration entries are stored in the cn=config
entry. The cn=config
entry is an instance of the nsslapdConfig
object class, which in turn inherits from extensibleObject
object class.
3.1.1.1. nsslapd-accesslog (Access Log)
This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file:
- IP address (IPv4 or IPv6) of the client machine that accessed the database.
- Operations performed (for example, search, add, and modify).
- Result of the access (for example, the number of entries returned or an error code).
For more information on turning access logging off, see the "Monitoring Server and Database Activity" chapter in the Red Hat Directory Server Administration Guide.
For access logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-accesslog-logging-enabled
configuration attribute must be switched to on
. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Attribute | Value | Logging enabled or disabled |
---|---|---|
nsslapd-accesslog-logging-enabled nsslapd-accesslog | on empty string | Disabled |
nsslapd-accesslog-logging-enabled nsslapd-accesslog | on filename | Enabled |
nsslapd-accesslog-logging-enabled nsslapd-accesslog | off empty string | Disabled |
nsslapd-accesslog-logging-enabled nsslapd-accesslog | off filename | Disabled |
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid filename. |
Default Value | /var/log/dirsrv/slapd-instance/access |
Syntax | DirectoryString |
Example | nsslapd-accesslog: /var/log/dirsrv/slapd-instance/access |
3.1.1.2. nsslapd-accesslog-level (Access Log Level)
This attribute controls what is logged to the access log.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | * 0 - No access logging * 4 - Logging for internal access operations * 256 - Logging for connections, operations, and results * 512 - Logging for access to an entry and referrals
* These values can be added together to provide the exact type of logging required; for example, |
Default Value | 256 |
Syntax | Integer |
Example | nsslapd-accesslog-level: 256 |
3.1.1.3. nsslapd-accesslog-list (List of Access Log Files)
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-accesslog-list: accesslog2,accesslog3 |
3.1.1.4. nsslapd-accesslog-logbuffering (Log Buffering)
When set to off
, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-accesslog-logbuffering: off |
3.1.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 to the maximum 32 bit integer value (2147483647) A value of -1 or 0 means that the log never expires. |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-accesslog-logexpirationtime: 2 |
3.1.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
This attribute specifies the units for nsslapd-accesslog-logexpirationtime
attribute. If the unit is unknown by the server, then the log never expires.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day |
Default Value | month |
Syntax | DirectoryString |
Example | nsslapd-accesslog-logexpirationtimeunit: week |
3.1.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog
attribute that specifies the path and parameter of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on
, and the nsslapd-accesslog
configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Attribute | Value | Logging Enabled or Disabled |
---|---|---|
nsslapd-accesslog-logging-enabled nsslapd-accesslog | on empty string | Disabled |
nsslapd-accesslog-logging-enabled nsslapd-accesslog | on filename | Enabled |
nsslapd-accesslog-logging-enabled nsslapd-accesslog | off empty string | Disabled |
nsslapd-accesslog-logging-enabled nsslapd-accesslog | off filename | Disabled |
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-accesslog-logging-enabled: off |
3.1.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size. |
Default Value | 500 |
Syntax | Integer |
Example | nsslapd-accesslog-logmaxdiskspace: 500 |
3.1.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-accesslog-logminfreediskspace: -1 |
3.1.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour
and nsslapd-accesslog-logrotationsyncmin
attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on
, and then set the values of the nsslapd-accesslog-logrotationsynchour
and nsslapd-accesslog-logrotationsyncmin
attributes to 0
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-accesslog-logrotationsync-enabled: on |
3.1.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled
and nsslapd-accesslog-logrotationsyncmin
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 23 |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-accesslog-logrotationsynchour: 23 |
3.1.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled
and nsslapd-accesslog-logrotationsynchour
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 59 |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-accesslog-logrotationsyncmin: 30 |
3.1.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
This attribute sets the time between access log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit
attribute.
Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.
Although it is not recommended for performance reasons to specify no log rotation since the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-accesslog-maxlogsperdir
attribute value to 1
or set the nsslapd-accesslog-logrotationtime
attribute to -1
. The server checks the nsslapd-accesslog-maxlogsperdir
attribute first, and, if this attribute value is larger than 1
, the server then checks the nsslapd-accesslog-logrotationtime
attribute. See Section 3.1.1.16, “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited. |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-accesslog-logrotationtime: 100 |
3.1.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
This attribute sets the units for the nsslapd-accesslog-logrotationtime
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day | hour | minute |
Default Value | day |
Syntax | DirectoryString |
Example | nsslapd-accesslog-logrotationtimeunit: week |
3.1.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir
attribute is set to 1
, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size. |
Default Value | 100 |
Syntax | Integer |
Example | nsslapd-accesslog-maxlogsize: 100 |
3.1.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted. For performance reasons, Red Hat recommends not setting this value to 1
because the server does not rotate the log, and it grows indefinitely.
If the value for this attribute is higher than 1
, then check the nsslapd-accesslog-logrotationtime
attribute to establish whether log rotation is specified. If the nsslapd-accesslog-logrotationtime
attribute has a value of -1
, then there is no log rotation. See Section 3.1.1.13, “nsslapd-accesslog-logrotationtime (Access Log Rotation Time)” for more information.
Note that, depending on the values set in nsslapd-accesslog-logminfreediskspace
and nsslapd-accesslog-maxlogsize
, the actual number of logs could be less than what you configure in nsslapd-accesslog-maxlogsperdir
. For example, if nsslapd-accesslog-maxlogsperdir
uses the default (10 files) and you set nsslapd-accesslog-logminfreediskspace
to 500
MB and nsslapd-accesslog-maxlogsize
to 100
MB, Directory Server keeps only 5 access files.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | 10 |
Syntax | Integer |
Example | nsslapd-accesslog-maxlogsperdir: 10 |
3.1.1.17. nsslapd-accesslog-mode (Access Log File Permission)
This attribute sets the access mode or file permission with which access log files are to be created. The valid values are any combination of 000
to 777
(these mirror the numbered or absolute UNIX file permissions). The value must be a 3-digit number, the digits varying from 0
through 7
:
-
0
- None -
1
- Execute only -
2
- Write only -
3
- Write and execute -
4
- Read only -
5
- Read and execute -
6
- Read and write -
7
- Read, write, and execute
In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000
does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 000 through 777 |
Default Value | 600 |
Syntax | Integer |
Example | nsslapd-accesslog-mode: 600 |
3.1.1.18. nsslapd-allow-anonymous-access
If a user attempts to connect to the Directory Server without supplying any bind DN or password, this is an anonymous bind. Anonymous binds simplify common search and read operations, like checking the directory for a phone number or email address, by not requiring users to authenticate to the directory first.
However, there are risks with anonymous binds. Adequate ACIs must be in place to restrict access to sensitive information and to disallow actions like modifies and deletes. Additionally, anonymous binds can be used for denial of service attacks or for malicious people to gain access to the server.
Anonymous binds can be disabled to increase security (off). By default, anonymous binds are allowed (on) for search and read operations. This allows access to regular directory entries, which includes user and group entries as well as configuration entries like the root DSE. A third option, rootdse
, allows anonymous search and read access to search the root DSE itself, but restricts access to all other directory entries.
Optionally, resource limits can be placed on anonymous binds using the nsslapd-anonlimitsdn
attribute as described in Section 3.1.1.22, “nsslapd-anonlimitsdn”.
Changes to this value will not take effect until the server is restarted.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off | rootdse |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-allow-anonymous-access: on |
3.1.1.19. nsslapd-allow-hashed-passwords
This parameter disables the pre-hashed password checks. By default, the Directory Server does not allow pre-hashed passwords to be set by anyone other than the Directory Manager. You can delegate this privilege to other users when you add them to the Password Administrators group. However in some scenarios, like when the replication partner already controls the pre-hashed passwords checking, this feature has to be disabled on the Directory Server.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-allow-hashed-passwords: off |
3.1.1.20. nsslapd-allow-unauthenticated-binds
Unauthenticated binds are connections to Directory Server where a user supplies an empty password. Using the default settings, Directory Server denies access in this scenario for security reasons.
Red Hat recommends not enabling unauthenticated binds. This authentication method enables users to bind without supplying a password as any account, including the Directory Manager. After the bind, the user can access all data with the permissions of the account used to bind.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-allow-unauthenticated-binds: off |
3.1.1.21. nsslapd-allowed-sasl-mechanisms
Per default, the root DSE lists all mechanisms the SASL library supports. However in some environments only certain ones are preferred. The nsslapd-allowed-sasl-mechanisms
attribute allows you to enable only some defined SASL mechanisms.
The mechanism names must consist of uppercase letters, numbers, and underscores. Each mechanism can be separated by commas or spaces.
The EXTERNAL
mechanism is actually not used by any SASL plug-in. It is internal to the server, and is mainly used for TLS client authentication. Hence, the EXTERNAL
mechanism cannot be restricted or controlled. It will always appear in the supported mechanisms list, regardless what is set in the nsslapd-allowed-sasl-mechanisms
attribute.
This setting does not require a server restart to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid SASL mechanism |
Default Value | None (all SASL mechanisms allowed) |
Syntax | DirectoryString |
Example | nsslapd-allowed-sasl-mechanisms: GSSAPI, DIGEST-MD5, OTP |
3.1.1.22. nsslapd-anonlimitsdn
Resource limits can be set on authenticated binds. The resource limits can set a cap on how many entries can be searched in a single operation (nsslapd-sizeLimit
), a time limit (nsslapd-timelimit
) and time out period (nsslapd-idletimeout
) for searches, and the total number of entries that can be searched (nsslapd-lookthroughlimit
). These resource limits prevent denial of service attacks from tying up directory resources and improve overall performance.
Resource limits are set on a user entry. An anonymous bind, obviously, does not have a user entry associated with it. This means that resource limits usually do not apply to anonymous operations.
To set resource limits for anonymous binds, a template entry can be created, with the appropriate resource limits. The nsslapd-anonlimitsdn
configuration attribute can then be added that points to this entry and applies the resource limits to anonymous binds.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any DN |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com |
3.1.1.23. nsslapd-attribute-name-exceptions
This attribute allows non-standard characters in attribute names to be used for backwards compatibility with older servers, such as "_" in schema-defined attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-attribute-name-exceptions: on |
3.1.1.24. nsslapd-auditlog (Audit Log)
This attribute sets the path and filename of the log used to record changes made to each database.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid filename |
Default Value | /var/log/dirsrv/slapd-instance/audit |
Syntax | DirectoryString |
Example | nsslapd-auditlog: /var/log/dirsrv/slapd-instance/audit |
For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled
configuration attribute must be switched to on
. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Attributes in dse.ldif | Value | Logging enabled or disabled |
---|---|---|
nsslapd-auditlog-logging-enabled nsslapd-auditlog | on empty string | Disabled |
nsslapd-auditlog-logging-enabled nsslapd-auditlog | on filename | Enabled |
nsslapd-auditlog-logging-enabled nsslapd-auditlog | off empty string | Disabled |
nsslapd-auditlog-logging-enabled nsslapd-auditlog | off filename | Disabled |
3.1.1.25. nsslapd-auditlog-display-attrs
With the nsslapd-auditlog-display-attrs
attribute you can set attributes that Directory Server displays in the audit log to provide useful identifying information about the entry being modified. By adding attributes to the audit log, you can check the current state of certain attributes in the entry and details of the entry update.
You can display attributes in the log by choosing one of the following options:
- To display a certain attribute of the entry that Directory Server modifies, provide the attribute name as a value.
- To display more than one attribute, provide the space separated list of attribute names as a value.
- To display all attributes of the entry, use an asterisk (*) as a value.
Provide the space separated list of attributes that Directory Server must display in the audit log, or use an asterisk (*) as a value to display all attributes of an entry being modified.
For example, you want to add cn
attribute to the audit log output. When you set nsslapd-auditlog-display-attrs
attribute to cn
, the audit log displays the following output:
time: 20221027102743
dn: uid=73747737483,ou=people,dc=example,dc=com
#cn: Frank Lee
result: 0
changetype: modify
replace: description
description: Adds cn attribute to the audit log
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221027142743Z
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid attribute name. Use an asterisk (*) if you want to display all attributes of an entry in the audit log. |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-auditlog-display-attrs: cn ou |
3.1.1.26. nsslapd-auditlog-list
Provides a list of audit log files.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-auditlog-list: auditlog2,auditlog3 |
3.1.1.27. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 to the maximum 32 bit integer value (2147483647) A value of -1 or 0 means that the log never expires. |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-auditlog-logexpirationtime: 1 |
3.1.1.28. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
This attribute sets the units for the nsslapd-auditlog-logexpirationtime
attribute. If the unit is unknown by the server, then the log never expires.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day |
Default Value | week |
Syntax | DirectoryString |
Example | nsslapd-auditlog-logexpirationtimeunit: day |
3.1.1.29. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-auditlog-logging-enabled: off |
For audit logging to be enabled, this attribute must have a valid path and parameter and the nsslapd-auditlog-logging-enabled
configuration attribute must be switched to on
. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Attribute | Value | Logging enabled or disabled |
---|---|---|
nsslapd-auditlog-logging-enabled nsslapd-auditlog | on empty string | Disabled |
nsslapd-auditlog-logging-enabled nsslapd-auditlog | on filename | Enabled |
nsslapd-auditlog-logging-enabled nsslapd-auditlog | off empty string | Disabled |
nsslapd-auditlog-logging-enabled nsslapd-auditlog | off filename | Disabled |
3.1.1.30. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations with the total amount of disk space for the audit log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size. |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-auditlog-logmaxdiskspace: 10000 |
3.1.1.31. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest audit logs are deleted until enough disk space is freed to satisfy this attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-auditlog-logminfreediskspace: -1 |
3.1.1.32. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
This attribute sets whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour
and nsslapd-auditlog-logrotationsyncmin
attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on
, and then set the values of the nsslapd-auditlog-logrotationsynchour
and nsslapd-auditlog-logrotationsyncmin
attributes to 0
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-auditlog-logrotationsync-enabled: on |
3.1.1.33. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled
and nsslapd-auditlog-logrotationsyncmin
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 23 |
Default Value |
None (because |
Syntax | Integer |
Example | nsslapd-auditlog-logrotationsynchour: 23 |
3.1.1.34. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled
and nsslapd-auditlog-logrotationsynchour
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 59 |
Default Value |
None (because |
Syntax | Integer |
Example | nsslapd-auditlog-logrotationsyncmin: 30 |
3.1.1.35. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
This attribute sets the time between audit log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit
attribute. If the nsslapd-auditlog-maxlogsperdir
attribute is set to 1
, the server ignores this attribute.
Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.
Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-auditlog-maxlogsperdir
attribute value to 1
or set the nsslapd-auditlog-logrotationtime
attribute to -1
. The server checks the nsslapd-auditlog-maxlogsperdir
attribute first, and, if this attribute value is larger than 1
, the server then checks the nsslapd-auditlog-logrotationtime
attribute. See Section 3.1.1.38, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited. |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-auditlog-logrotationtime: 100 |
3.1.1.36. nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
This attribute sets the units for the nsslapd-auditlog-logrotationtime
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day | hour | minute |
Default Value | week |
Syntax | DirectoryString |
Example | nsslapd-auditlog-logrotationtimeunit: day |
3.1.1.37. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir
to 1
, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the audit log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size. |
Default Value | 100 |
Syntax | Integer |
Example | nsslapd-auditlog-maxlogsize: 50 |
3.1.1.38. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1
log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.
If the value for this attribute is higher than 1
, then check the nsslapd-auditlog-logrotationtime
attribute to establish whether log rotation is specified. If the nsslapd-auditlog-logrotationtime
attribute has a value of -1
, then there is no log rotation. See Section 3.1.1.35, “nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-auditlog-maxlogsperdir: 10 |
3.1.1.39. nsslapd-auditlog-mode (Audit Log File Permission)
This attribute sets the access mode or file permissions with which audit log files are to be created. The valid values are any combination of 000
to 777
since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0
through 7
:
- 0 - None
- 1 - Execute only
- 2 - Write only
- 3 - Write and execute
- 4 - Read only
- 5 - Read and execute
- 6 - Read and write
- 7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000
does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 000 through 777 |
Default Value | 600 |
Syntax | Integer |
Example | nsslapd-auditlog-mode: 600 |
3.1.1.40. nsslapd-auditfaillog (Audit Fail Log)
This attribute sets the path and filename of the log used to record failed LDAP modifications.
If nsslapd-auditfaillog-logging-enabled
is enabled, and nsslapd-auditfaillog
is not set, the audit fail events are logged to the file specified in nsslapd-auditlog
.
If you set the nsslapd-auditfaillog
parameter to the same path as nsslapd-auditlog
, both are logged in the same file.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid filename |
Default Value | /var/log/dirsrv/slapd-instance/audit |
Syntax | DirectoryString |
Example | nsslapd-auditfaillog: /var/log/dirsrv/slapd-instance/audit |
To enable the audit fail log, this attribute must have a valid path and the nsslapd-auditfaillog-logging-enabled
attribute must be set to on
3.1.1.41. nsslapd-auditfaillog-list
Provides a list of audit fail log files.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-auditfaillog-list: auditfaillog2,auditfaillog3 |
3.1.1.42. nsslapd-auditfaillog-logexpirationtime (Audit Fail Log Expiration Time)
This attribute sets the maximum age of a log file before it is removed. It supplies to the number of units. Specify the units, such as day, week, month, and so forth in the nsslapd-auditfaillog-logexpirationtimeunit
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 to the maximum 32 bit integer value (2147483647) A value of -1 or 0 means that the log never expires. |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-auditfaillog-logexpirationtime: 1 |
3.1.1.43. nsslapd-auditfaillog-logexpirationtimeunit (Audit Fail Log Expiration Time Unit)
This attribute sets the units for the nsslapd-auditfaillog-logexpirationtime
attribute. If the unit is unknown by the server, the log never expires.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day |
Default Value | week |
Syntax | DirectoryString |
Example | nsslapd-auditfaillog-logexpirationtimeunit: day |
3.1.1.44. nsslapd-auditfaillog-logging-enabled (Audit Fail Log Enable Logging)
Turns on and off logging of failed LDAP modifications.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-auditfaillog-logging-enabled: off |
3.1.1.45. nsslapd-auditfaillog-logmaxdiskspace (Audit Fail Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes the audit fail logs are can consume. If the size exceed the limit, the oldest audit fail log is deleted.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit fail log is unlimited in size. |
Default Value | 100 |
Syntax | Integer |
Example | nsslapd-auditfaillog-logmaxdiskspace: 10000 |
3.1.1.46. nsslapd-auditfaillog-logminfreediskspace (Audit Fail Log Minimum Free Disk Space)
This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space is lower than the specified value, the oldest audit fail logs are deleted until enough disk space is freed.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-auditfaillog-logminfreediskspace: -1 |
3.1.1.47. nsslapd-auditfaillog-logrotationsync-enabled (Audit Fail Log Rotation Sync Enabled)
This attribute sets whether audit fail log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For audit fail log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditfaillog-logrotationsynchour
and nsslapd-auditfaillog-logrotationsyncmin
attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit fail log files every day at midnight, enable this attribute by setting its value to on
, and then set the values of the nsslapd-auditfaillog-logrotationsynchour
and nsslapd-auditfaillog-logrotationsyncmin
attributes to 0
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-auditfaillog-logrotationsync-enabled: on |
3.1.1.48. nsslapd-auditfaillog-logrotationsynchour (Audit Fail Log Rotation Sync Hour)
This attribute sets the hour of the day the audit fail log is rotated. This attribute must be used in conjunction with nsslapd-auditfaillog-logrotationsync-enabled
and nsslapd-auditfaillog-logrotationsyncmin
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 23 |
Default Value |
None (because |
Syntax | Integer |
Example | nsslapd-auditfaillog-logrotationsynchour: 23 |
3.1.1.49. nsslapd-auditfaillog-logrotationsyncmin (Audit Fail Log Rotation Sync Minute)
This attribute sets the minute the audit fail log is rotated. This attribute must be used in conjunction with nsslapd-auditfaillog-logrotationsync-enabled
and nsslapd-auditfaillog-logrotationsynchour
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 59 |
Default Value |
None (because |
Syntax | Integer |
Example | nsslapd-auditfaillog-logrotationsyncmin: 30 |
3.1.1.50. nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)
This attribute sets the time between audit fail log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditfaillog-logrotationtimeunit
attribute. If the nsslapd-auditfaillog-maxlogsperdir
attribute is set to 1
, the server ignores this attribute.
Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.
Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-auditfaillog-maxlogsperdir
attribute value to 1
or set the nsslapd-auditfaillog-logrotationtime
attribute to -1
. The server checks the nsslapd-auditfaillog-maxlogsperdir
attribute first, and, if this attribute value is larger than 1
, the server then checks the nsslapd-auditfaillog-logrotationtime
attribute. See Section 3.1.1.53, “nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the time between audit fail log file rotation is unlimited. |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-auditfaillog-logrotationtime: 100 |
3.1.1.51. nsslapd-auditfaillog-logrotationtimeunit (Audit Fail Log Rotation Time Unit)
This attribute sets the units for the nsslapd-auditfaillog-logrotationtime
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day | hour | minute |
Default Value | week |
Syntax | DirectoryString |
Example | nsslapd-auditfaillog-logrotationtimeunit: day |
3.1.1.52. nsslapd-auditfaillog-maxlogsize (Audit Fail Log Maximum Log Size)
This attribute sets the maximum audit fail log size in megabytes. When this value is reached, the audit fail log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-auditfaillog-maxlogsperdir
parameter is set to 1
, the server ignores this attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size. |
Default Value | 100 |
Syntax | Integer |
Example | nsslapd-auditfaillog-maxlogsize: 50 |
3.1.1.53. nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)
This attribute sets the total number of audit fail logs that can be contained in the directory where the audit log is stored. Each time the audit fail log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1
log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.
If the value for this attribute is higher than 1
, then check the nsslapd-auditfaillog-logrotationtime
attribute to establish whether log rotation is specified. If the nsslapd-auditfaillog-logrotationtime
attribute has a value of -1
, then there is no log rotation. See Section 3.1.1.50, “nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-auditfaillog-maxlogsperdir: 10 |
3.1.1.54. nsslapd-auditfaillog-mode (Audit Fail Log File Permission)
This attribute sets the access mode or file permissions with which audit fail log files are to be created. The valid values are any combination of 000
to 777
since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0
through 7
:
- 0 - None
- 1 - Execute only
- 2 - Write only
- 3 - Write and execute
- 4 - Read only
- 5 - Read and execute
- 6 - Read and write
- 7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000
does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 000 through 777 |
Default Value | 600 |
Syntax | Integer |
Example | nsslapd-auditfaillog-mode: 600 |
3.1.1.55. nsslapd-bakdir (Default Backup Directory)
This parameter sets the path to the default backup directory. The Directory Server user must have write permissions in the configured directory.
This setting does not require a server restart to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any local directory path. |
Default Value | /var/lib/dirsrv/slapd-instance/bak |
Syntax | DirectoryString |
Example | nsslapd-bakdir: /var/lib/dirsrv/slapd-instance/bak |
3.1.1.56. nsslapd-certdir (Certificate and Key Database Directory)
This parameter defines the full path to the directory that Directory Server uses to store the Network Security Services (NSS) database of the instance. This database contains the private keys and certificates of the instance.
As a fallback, Directory Server extracts the private key and certificates to this directory, if the server cannot extract them to the /tmp/
directory in a private name space. For details about private name spaces, see the PrivateTmp
parameter description in the systemd.exec(5) man page.
The directory specified in nsslapd-certdir
must be owned by the user ID of the server, and only this user ID must have read-write permissions in this directory. For security reasons, no other users should have permissions to read or write to this directory.
The service must be restarted for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | An absolute path |
Default Value | /etc/dirsrv/slapd-instance_name/ |
Syntax | DirectoryString |
Example | nsslapd-certdir: /etc/dirsrv/slapd-instance_name/ |
3.1.1.57. nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed using TLS certificates in order to avoid limitations of the security subsystem certificate mapping, configured in the /etc/dirsrv/slapd-instance_name/certmap.conf
file. Depending on the configuration in this file, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn
attribute may force the search to be based at some entry other than the root. The valid value for this attribute is the DN of the suffix or subtree to use for certificate mapping.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid DN |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-certmap-basedn: ou=People,dc=example,dc=com |
3.1.1.58. nsslapd-config
This read-only attribute is the config DN.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid configuration DN |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-config: cn=config |
3.1.1.59. nsslapd-cn-uses-dn-syntax-in-dns
This parameter allows you to enable a DN inside a CN value.
The Directory Server DN normalizer follows RFC4514 and keeps a white space if the RDN attribute type is not based on the DN syntax. However the Directory Server’s configuration entry sometimes uses a cn
attribute to store a DN value. For example in dn: cn="dc=A,dc=com", cn=mapping tree,cn=config
, the cn
should be normalized following the DN syntax.
If this configuration is required, enable the nsslapd-cn-uses-dn-syntax-in-dns
parameter.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-cn-uses-dn-syntax-in-dns: off |
3.1.1.60. nsslapd-connection-buffer
This attribute sets the connection buffering behavior. Possible values:
-
0
: Disable buffering. Only single Protocol Data Units (PDU) are read at a time. -
1
: Regular fixed sizeLDAP_SOCKET_IO_BUFFER_SIZE
of512
bytes. -
2
: Adaptable buffer size.
The value 2
provides a better performance if the client sends a large amount of data at once. This is, for example, the case for large add and modify operations, or when many asynchronous requests are received over a single connections like during a replication.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | 0 | 1 | 2 |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-connection-buffer: 1 |
3.1.1.61. nsslapd-connection-nocanon
This option allows you to enable or disable the SASL NOCANON
flag. Disabling avoids the Directory Server looking up DNS reverse entries for outgoing connections.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-connection-nocanon: on |
3.1.1.62. nsslapd-conntablesize
This attribute sets the connection table size, which determines the total number of connections supported by the server.
Increase the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the Directory Server’s error log file records the message Not listening for new connections — too many fds open
.
It may be necessary to increase the operating system limits for the number of open files and number of open files per process, and it may be necessary to increase the ulimit
for the number of open files (ulimit -n
) in the shell that starts Directory Server.
The size of the connection table is cap with nsslapd-maxdescriptor
. See Section 3.1.1.119, “nsslapd-maxdescriptors (Maximum File Descriptors)” for more information.
The server has to be restarted for changes to this attribute to go into effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Operating-system dependent |
Default Value |
The maximum number of files that the Directory Server process can open. See the |
Syntax | Integer |
Example | nsslapd-conntablesize: 4093 |
3.1.1.63. nsslapd-counters
The nsslapd-counters
attribute enables and disables Directory Server database and server performance counters.
There can be a performance impact by keeping track of the larger counters. Turning off 64-bit integers for counters can have a minimal improvement on performance, although it negatively affects long term statistics tracking.
This parameter is enabled by default. To disable counters, stop the Directory Server, edit the dse.ldif
file directly, and restart the server.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-counters: on |
3.1.1.64. nsslapd-csnlogging
This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-csnlogging: on |
3.1.1.65. nsslapd-defaultnamingcontext
This attribute gives the naming context, of all configured naming contexts, which clients should use by default as a search base. This value is copied over to the root DSE as the defaultNamingContext
attribute, which allows clients to query the root DSE to obtain the context and then to initiate a search with the appropriate base.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any root suffix DN |
Default Value | The default user suffix |
Syntax | DN |
Example | nsslapd-defaultnamingcontext: dc=example,dc=com |
3.1.1.66. nsslapd-disk-monitoring
This attribute enables a thread which runs every ten (10) seconds to check the available disk space on the disk or mount where the Directory Server database is running. If the available disk space drops below a configured threshold, then the server begins reducing logging levels, disabling access or audit logs, and deleting rotated logs. If that does not free enough available space, then the server shuts down gracefully (after a wanring and grace period).
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-disk-monitoring: on |
3.1.1.67. nsslapd-disk-monitoring-grace-period
Sets a grace period to wait before shutting down the server after it hits half of the disk space limit set in Section 3.1.1.70, “nsslapd-disk-monitoring-threshold”. This gives the administrator time to clean out the disk and prevent a shutdown.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any integer (sets value in minutes) |
Default Value | 60 |
Syntax | Integer |
Example | nsslapd-disk-monitoring-grace-period: 45 |
3.1.1.68. nsslapd-disk-monitoring-logging-critical
Sets whether to shut down the server if the log directories pass the halfway point set in the disk space limit, Section 3.1.1.70, “nsslapd-disk-monitoring-threshold”.
If this is enabled, then logging is not disabled and rotated logs are not deleted as means of reducing disk usage by the server. The server simply goes toward a shutdown process.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-disk-monitoring-logging-critical: on |
3.1.1.69. nsslapd-disk-monitoring-readonly-on-threshold
If the free disk space reaches half of the value you set in the nsslapd-disk-monitoring-threshold
parameter, Directory Server shuts down the instance after the grace period set in nsslapd-disk-monitoring-grace-period
is reached. However, if the disk runs out of space before the instance is down, data can be corrupted. To prevent this problem, enable the nsslapd-disk-monitoring-readonly-on-threshold
parameter, the Directory Server sets the instance to read-only mode when the threshold is reached.
With this setting, Directory Server does not start if the free disk space is below half of the threshold configured in the nsslapd-disk-monitoring-threshold
.
The service must be restarted for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-disk-monitoring-readonly-on-threshold: off |
3.1.1.70. nsslapd-disk-monitoring-threshold
Sets the threshold, in bytes, to use to evaluate whether the server has enough available disk space. Once the space reaches half of this threshold, then the server begins a shut down process.
For example, if the threshold is 2MB (the default), then once the available disk space reaches 1MB, the server will begin to shut down.
By default, the threshold is evaluated backs on the disk space used by the configuration, transaction, and database directories for the Directory Server instance. If the Section 3.1.1.68, “nsslapd-disk-monitoring-logging-critical” attribute is enabled, then the log directory is included in the evaluation.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | * 0 to the maximum 32-bit integer value (2147483647) on 32-bit systems * 0 to the maximum 64-bit integer value (9223372036854775807) on 64-bit systems |
Default Value | 2000000 (2MB) |
Syntax | DirectoryString |
Example | nsslapd-disk-monitoring-threshold: 2000000 |
3.1.1.71. nsslapd-dn-validate-strict
The Section 3.1.1.168, “nsslapd-syntaxcheck” attribute enables the server to verify that any new or modified attribute value matches the required syntax for that attribute.
However, the syntax rules for DNs have grown increasingly strict. Attempting to enforce DN syntax rules in RFC 4514 could break many servers using older syntax definitions. By default, then nsslapd-syntaxcheck
validates DNs using RFC 1779 or RFC 2253.
The nsslapd-dn-validate-strict
attribute explicitly enables strict syntax validation for DNs, according to section 3 in RFC 4514. If this attribute is set to off
(the default), the server normalizes the value before checking it for syntax violations.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-dn-validate-strict: off |
3.1.1.72. nsslapd-ds4-compatible-schema
Makes the schema in cn=schema
compatible with 4.x versions of Directory Server.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-ds4-compatible-schema: off |
3.1.1.73. nsslapd-enable-turbo-mode
The Directory Server turbo mode is a feature that enables a worker thread to be dedicated to a connection and continuously read incoming operations from that connection. This can improve the performance on very active connections, and the feature is enabled by default.
Worker threads are processing the LDAP operation received by the server. The number of worker threads is defined in the nsslapd-threadnumber
parameter. Every five seconds, each worker thread evaluates if the activity level of its current connection is one of the highest among all established connections. Directory Server measures the activity as the number of operations initiated since the last check, and switches a worker thread in turbo mode if the activity of the current connection is one of the highest.
If you encounter long execution times (etime
value in log files) for bind operations, such as one second or longer, deactivating the turbo mode can improve the performance. However, in some cases, long bind times are a symptom of networking or hardware issues. In these situations, disabling the turbo mode does not result in improved performance.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-enable-turbo-mode: on |
3.1.1.74. nsslapd-enable-upgrade-hash
During a simple bind, Directory Server has access to the plain text password due to the nature of bind operations. If the nsslapd-enable-upgrade-hash
parameter is enabled and a user authenticates, Directory Server checks if the userPassword
attribute of the user uses the hashing algorithm set in the passwordStorageScheme
attribute. If the algorithm is different, the server hashes the plain text password with the algorithm from passwordStorageScheme
and updates the value of the user’s userPassword
attribute.
For example, if you import a user entry with a password that is hashed using a weak algorithm, the server automatically re-hashes the passwords on the first login of the user using the algorithm set in passwordStorageScheme
, which is, by default, PBKDF2_SHA256
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-enable-upgrade-hash: on |
3.1.1.75. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
This attribute is deprecated and will be removed in a future version of Directory Server.
This attribute controls whether quoting in the objectclass
attributes contained in the cn=schema
entry conforms to the quoting specified by Internet draft RFC 2252. By default, the Directory Server conforms to RFC 2252, which indicates that this value should not be quoted. Only very old clients need this value set to on
, so leave it off
.
Turning this attribute on or off does not affect Directory Server Console.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-enquote-sup-oc: off |
3.1.1.76. nsslapd-entryusn-global
The nsslapd-entryusn-global
parameter defines if the USN plug-in assigns unique update sequence numbers (USN) across all back end databases or to each database individually. For unique USNs across all back end databases, set this parameter to on
.
For further details, see Section 6.8, “entryusn”.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-entryusn-global: off |
3.1.1.77. nsslapd-entryusn-import-initval
Entry update sequence numbers (USNs) are not preserved when entries are exported from one server and imported into another, including when initializing a database for replication. By default, the entry USNs for imported entries are set to zero.
It is possible to configure a different initial value for entry USNs using nsslapd-entryusn-import-initval
. This sets a starting USN which is used for all imported entries.
There are two possible values for nsslapd-entryusn-import-initval
:
- An integer, which is the explicit start number used for every imported entry.
- next, which means that every imported entry uses whatever the highest entry USN value was on the server before the import operation, incremented by one.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any integer | next |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-entryusn-import-initval: next |
3.1.1.78. nsslapd-errorlog (Error Log)
This attribute sets the path and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as:
- Server startup and shutdown times.
- The port number that the server uses.
This log contains differing amounts of information depending on the current setting of the Log Level attribute. See Section 3.1.1.79, “nsslapd-errorlog-level (Error Log Level)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid filename |
Default Value | /var/log/dirsrv/slapd-instance/errors |
Syntax | DirectoryString |
Example | nsslapd-errorlog: /var/log/dirsrv/slapd-instance/errors |
For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled
configuration attribute must be switched to on
. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
Attributes in dse.ldif | Value | Logging enabled or disabled |
---|---|---|
nsslapd-errorlog-logging-enabled nsslapd-errorlog | on empty string | Disabled |
nsslapd-errorlog-logging-enabled nsslapd-errorlog | on filename | Enabled |
nsslapd-errorlog-logging-enabled nsslapd-errorlog | off empty string | Disabled |
nsslapd-errorlog-logging-enabled nsslapd-errorlog | off filename | Disabled |
3.1.1.79. nsslapd-errorlog-level (Error Log Level)
This attribute sets the level of logging for the Directory Server. The log level is additive; that is, specifying a value of 3
includes both levels 1
and 2
.
The default value for nsslapd-errorlog-level
is 16384
.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | * 1 — Trace function calls. Logs a message when the server enters and exits a function. * 2 — Debug packet handling. * 4 — Heavy trace output debugging. * 8 — Connection management. * 16 — Print out packets sent/received. * 32 — Search filter processing. * 64 — Config file processing. * 128 — Access control list processing. * 1024 — Log communications with shell databases. * 2048 — Log entry parsing debugging. * 4096 — Housekeeping thread debugging. * 8192 — Replication debugging. * 16384 — Default level of logging used for critical errors and other messages that are always written to the error log; for example, server startup messages. Messages at this level are always included in the error log, regardless of the log level setting. * 32768 — Database cache debugging.
* 65536 — Server plug-in debugging. It writes an entry to the log file when a server plug-in calls
* 262144 — Access control summary information, much less verbose than level * 524288 — LMDB database debugging. |
Default Value | 16384 |
Syntax | Integer |
Example | nsslapd-errorlog-level: 8192 |
3.1.1.80. nsslapd-errorlog-list
This read-only attribute provides a list of error log files.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-errorlog-list: errorlog2,errorlog3 |
3.1.1.81. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 to the maximum 32 bit integer value (2147483647) A value of -1 or 0 means that the log never expires. |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-errorlog-logexpirationtime: 1 |
3.1.1.82. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
This attribute sets the units for the nsslapd-errorlog-logexpirationtime
attribute. If the unit is unknown by the server, then the log never expires.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day |
Default Value | month |
Syntax | DirectoryString |
Example | nsslapd-errorlog-logexpirationtimeunit: week |
3.1.1.83. nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-errorlog-logging-enabled: on |
3.1.1.84. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size. |
Default Value | 100 |
Syntax | Integer |
Example | nsslapd-errorlog-logmaxdiskspace: 10000 |
3.1.1.85. nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | -1 |
Syntax | Integer |
Example | nsslapd-errorlog-logminfreediskspace: -1 |
3.1.1.86. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
This attribute sets whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For error log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-errorlog-logrotationsynchour
and nsslapd-errorlog-logrotationsyncmin
attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate error log files every day at midnight, enable this attribute by setting its value to on
, and then set the values of the nsslapd-errorlog-logrotationsynchour
and nsslapd-errorlog-logrotationsyncmin
attributes to 0
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-errorlog-logrotationsync-enabled: on |
3.1.1.87. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled
and nsslapd-errorlog-logrotationsyncmin
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 23 |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-errorlog-logrotationsynchour: 23 |
3.1.1.88. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled
and nsslapd-errorlog-logrotationsynchour
attributes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 through 59 |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-errorlog-logrotationsyncmin: 30 |
3.1.1.89. nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
This attribute sets the time between error log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit
(Error Log Rotation Time Unit) attribute.
Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.
Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-errorlog-maxlogsperdir
attribute value to 1
or set the nsslapd-errorlog-logrotationtime
attribute to -1
. The server checks the nsslapd-errorlog-maxlogsperdir
attribute first, and, if this attribute value is larger than 1
, the server then checks the nsslapd-errorlog-logrotationtime
attribute. See Section 3.1.1.92, “nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between error log file rotation is unlimited). |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-errorlog-logrotationtime: 100 |
3.1.1.90. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
This attribute sets the units for nsslapd-errorlog-logrotationtime
(Error Log Rotation Time). If the unit is unknown by the server, then the log never expires.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | month | week | day | hour | minute |
Default Value | week |
Syntax | DirectoryString |
Example | nsslapd-errorlog-logrotationtimeunit: day |
3.1.1.91. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
This attribute sets the maximum error log size in megabytes. When this value is reached, the error log is rotated, and the server starts writing log information to a new log file. If nsslapd-errorlog-maxlogsperdir
is set to 1
, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size. |
Default Value | 100 |
Syntax | Integer |
Example | nsslapd-errorlog-maxlogsize: 100 |
3.1.1.92. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
This attribute sets the total number of error logs that can be contained in the directory where the error log is stored. Each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1
log. If this default is accepted, the server does not rotate the log, and it grows indefinitely.
If the value for this attribute is higher than 1
, then check the nsslapd-errorlog-logrotationtime
attribute to establish whether log rotation is specified. If the nsslapd-errorlog-logrotationtime
attribute has a value of -1
, then there is no log rotation. See Section 3.1.1.89, “nsslapd-errorlog-logrotationtime (Error Log Rotation Time)” for more information.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to the maximum 32 bit integer value (2147483647) |
Default Value | 1 |
Syntax | Integer |
Example | nsslapd-errorlog-maxlogsperdir: 10 |
3.1.1.93. nsslapd-errorlog-mode (Error Log File Permission)
This attribute sets the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000
to 777
since they mirror numbered or absolute UNIX file permissions. That is, the value must be a combination of a 3-digit number, the digits varying from 0
through 7
:
- 0 - None
- 1 - Execute only
- 2 - Write only
- 3 - Write and execute
- 4 - Read only
- 5 - Read and execute
- 6 - Read and write
- 7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000
does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 000 through 777 |
Default Value | 600 |
Syntax | Integer |
Example | nsslapd-errorlog-mode: 600 |
3.1.1.94. nsslapd-force-sasl-external
When establishing a TLS connection, a client sends its certificate first and then issues a BIND request using the SASL/EXTERNAL mechanism. Using SASL/EXTERNAL tells the Directory Server to use the credentials in the certificate for the TLS handshake. However, some clients do not use SASL/EXTERNAL when they send their BIND request, so the Directory Server processes the bind as a simple authentication request or an anonymouse request and the TLS connection fails.
The nsslapd-force-sasl-external
attribute forces clients in certificate-based authentication to send the BIND request using the SASL/EXTERNAL method.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | String |
Example | nsslapd-force-sasl-external: on |
3.1.1.95. nsslapd-groupevalnestlevel
This attribute is deprecated, and documented here only for historical purposes.
The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel
attribute to set the number of levels of nesting that access control performs for group evaluation. Instead, the number of levels of nesting is hardcoded as 5
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 to 5 |
Default Value | 5 |
Syntax | Integer |
Example | nsslapd-groupevalnestlevel: 5 |
3.1.1.96. nsslapd-haproxy-trusted-ip (HAProxy Trusted IP)
The nsslapd-haproxy-trusted-ip
attribute configures the list of trusted proxy servers. When you set nsslapd-haproxy-trusted-ip
, Directory Server uses HAProxy protocol to receive client IP addresses via an additional TCP header to evaluate access control instructions (ACIs) correctly and log the client traffic.
If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:
[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | IPv4 or IPv6 addresses |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-haproxy-trusted-ip: 127.0.0.1 |
3.1.1.97. nsslapd-idletimeout (Default Idle Timeout)
This attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0
means that the server never closes idle connections. This setting applies to all connections and all users. Idle timeout is enforced when the connection table is walked, when poll()
does not return zero. Therefore, a server with a single connection never enforces the idle timeout.
Use the nsIdleTimeout
operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in the Red Hat Directory Server Administration Guide.
For very large databases, with millions of entries, this attribute must have a high enough value that the online initialization process can complete or replication will fail when the connection to the server times out. Alternatively, the nsIdleTimeout
attribute can be set to a high value on the entry used as the supplier bind DN.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 to the maximum 32 bit integer value (2147483647) |
Default Value | 3600 |
Syntax | Integer |
Example | nsslapd-idletimeout: 3600 |
3.1.1.98. nsslapd-ignore-virtual-attrs
This parameter allows to disable the virtual attribute lookup in a search entry.
If you do not require virtual attributes, you can disable virtual attribute lookups in search results to increase the speed of searches.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-ignore-virtual-attrs: off |
3.1.1.99. nsslapd-instancedir (Instance Directory)
This attribute is deprecated. There are now separate configuration parameters for instance-specific paths, such as nsslapd-certdir
and nsslapd-lockdir
. See the documentation for the specific directory path that is set.
3.1.1.100. nsslapd-ioblocktimeout (IO Block Time Out)
This attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 to the maximum 32 bit integer value (2147483647) in ticks |
Default Value | 10000 |
Syntax | Integer |
Example | nsslapd-ioblocktimeout: 10000 |
3.1.1.101. nsslapd-lastmod (Track Modification Time)
This attribute sets whether the Directory Server maintains the creatorsName
, createTimestamp
, modifiersName
, and modifyTimestamp
operational attributes for newly created or updated entries.
Red Hat recommends not disabling tracking these attributes. If disabled, entries do not get a unique ID assigned in the nsUniqueID
attribute and replication does not work.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-lastmod: on |
3.1.1.102. nsslapd-ldapiautobind (Enable Autobind)
The nsslapd-ldapiautobind
sets whether the server will allow users to autobind to Directory Server using LDAPI. Autobind maps the UID or GUID number of a system user to a Directory Server user, and automatically authenticates the user to Directory Server based on those credentials. The Directory Server connection occurs over UNIX socket.
Along with enabling autobind, configuring autobind requires configuring mapping entries. The nsslapd-ldapimaprootdn
maps a root user on the system to the Directory Manager. The nsslapd-ldapimaptoentries
maps regular users to Directory Server users, based on the parameters defined in the nsslapd-ldapiuidnumbertype
, nsslapd-ldapigidnumbertype
, and nsslapd-ldapientrysearchbase
attributes.
Autobind can only be enabled if LDAPI is enabled, meaning the nsslapd-ldapilisten
is on
and the nsslapd-ldapifilepath
attribute is set to an LDAPI socket.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-ldapiautobind: off |
3.1.1.103. nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)
With autobind, it is possible to map system users to Directory Server user entries, based on the system user’s UID and GUID numbers. This requires setting Directory Server parameters for which attribute to use for the UID number (nsslapd-ldapiuidnumbertype
) and GUID number (nsslapd-ldapigidnumbertype
) and setting the search base to use to search for matching user entries.
The nsslapd-ldapientrysearchbase
gives the subtree to search for user entries to use for autobind.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | DN |
Default Value |
The suffix created when the server instance was created, such as |
Syntax | DN |
Example | nsslapd-ldapientrysearchbase: ou=people,dc=example,dc=om |
3.1.1.104. nsslapd-ldapifilepath (File Location for LDAPI Socket)
LDAPI connects a user to an LDAP server over a UNIX socket rather than TCP. In order to configure LDAPI, the server must be configured to communicate over a UNIX socket. The UNIX socket to use is set in the nsslapd-ldapifilepath
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any directory path |
Default Value | /var/run/dirsrv/slapd-example.socket |
Syntax | Case-exact string |
Example | nsslapd-ldapifilepath: /var/run/slapd-example.socket |
3.1.1.105. nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)
Autobind can be used to authenticate system users to the server automatically and connect to the server using a UNIX socket. To map the system user to a Directory Server user for authentication, the system user’s UID and GUID numbers should be mapped to be a Directory Server attribute. The nsslapd-ldapigidnumbertype
attribute points to the Directory Server attribute to map system GUIDs to user entries.
Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten
and nsslapd-ldapifilepath
), autobind is enabled (nsslapd-ldapiautobind
), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries
).
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any Directory Server attribute |
Default Value | gidNumber |
Syntax | DirectoryString |
Example | nsslapd-ldapigidnumbertype: gidNumber |
3.1.1.106. nsslapd-ldapilisten (Enable LDAPI)
The nsslapd-ldapilisten
enables LDAPI connections to the Directory Server. LDAPI allows users to connect to the Directory Server over a UNIX socket rather than a standard TCP port. Along with enabling LDAPI by setting nsslapd-ldapilisten
to on
, there must also be a UNIX socket set for LDAPI in the nsslapd-ldapifilepath
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-ldapilisten: on |
3.1.1.107. nsslapd-ldapimaprootdn (Autobind Mapping for Root User)
With autobind, a system user is mapped to a Directory Server user and then automatically authenticated to the Directory Server over a UNIX socket.
The root system user (the user with a UID of 0) is mapped to whatever Directory Server entry is specified in the nsslapd-ldapimaprootdn
attribute.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any DN |
Default Value | cn=Directory Manager |
Syntax | DN |
Example | nsslapd-ldapimaprootdn: cn=Directory Manager |
3.1.1.108. nsslapd-ldapimaptoentries (Enable Autobind Mapping for Regular Users)
With autobind, a system user is mapped to a Directory Server user and then automatically authenticated to the Directory Server over a UNIX socket. This mapping is automatic for root users, but it must be enabled for regular system users through the nsslapd-ldapimaptoentries
attribute. Setting this attribute to on
enables mapping for regular system users to Directory Server entries. If this attribute is not enabled, then only root users can use autobind to authenticate to the Directory Server, and all other users connect anonymously.
The mappings themselves are configured through the nsslapd-ldapiuidnumbertype
and nsslapd-ldapigidnumbertype
attributes, which map Directory Server attributes to the user’s UID and GUID numbers.
Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten
and nsslapd-ldapifilepath
) and autobind is enabled (nsslapd-ldapiautobind
).
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-ldapimaptoentries: on |
3.1.1.109. nsslapd-ldapiuidnumbertype
Autobind can be used to authenticate system users to the server automatically and connect to the server using a UNIX socket. To map the system user to a Directory Server user for authentication, the system user’s UID and GUID numbers must be mapped to be a Directory Server attribute. The nsslapd-ldapiuidnumbertype
attribute points to the Directory Server attribute to map system UIDs to user entries.
Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten
and nsslapd-ldapifilepath
), autobind is enabled (nsslapd-ldapiautobind
), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries
).
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any Directory Server attribute |
Default Value | uidNumber |
Syntax | DirectoryString |
Example | nsslapd-ldapiuidnumbertype: uidNumber |
3.1.1.110. nsslapd-ldifdir
Directory Server exports files in LDAP Data Interchange Format (LDIF) format to the directory set in this parameter when using the db2ldif
or db2ldif.pl
. The directory must be owned by the Directory Server user and group. Only this user and group must have read and write access in this directory.
The service must be restarted for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any directory writable by the Directory Server user |
Default Value | /var/lib/dirsrv/slapd-instance_name/ldif/ |
Syntax | DirectoryString |
Example | nsslapd-ldifdir: /var/lib/dirsrv/slapd-instance_name/ldif/ |
3.1.1.111. nsslapd-listen-backlog-size
This attribute sets the maximum of the socket connection backlog. The listen service sets the number of sockets available to receive incoming connections. The backlog setting sets a maximum length for how long the queue for the socket (sockfd) can grow before refusing connections.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | The maximum 64-bit integer value (9223372036854775807) |
Default Value | 128 |
Syntax | Integer |
Example | nsslapd-listen-backlog-size: 128 |
3.1.1.112. nsslapd-listenhost (Listen to IP Address)
This attribute allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). There can be multiple IP addresses associated with a single hos tname, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface.
If a host name is given as the nsslapd-listenhost
value, then the Directory Server responds to requests for every interface associated with the host name. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-listenhost
value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used.
The server has to be restarted for changes to this attribute to go into effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any local host name, IPv4 or IPv6 address |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-listenhost: ldap.example.com |
3.1.1.113. nsslapd-localhost (Local Host)
This attribute specifies the host machine on which the Directory Server runs. This attribute creates the referral URL that forms part of the MMR protocol. In a high-availability configuration with failover nodes, that referral should point to the virtual name of the cluster, not the local host name.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any fully qualified host name. |
Default Value | Hostname of installed machine. |
Syntax | DirectoryString |
Example | nsslapd-localhost: phonebook.example.com |
3.1.1.114. nsslapd-localuser (Local User)
This attribute sets the user as whom the Directory Server runs. The group as which the user runs is derived from this attribute by examining the user’s primary group. Should the user change, then all of the instance-specific files and directories for this instance need to be changed to be owned by the new user, using a tool such as chown
.
The value for the nsslapd-localuser
is set initially when the server instance is configured.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid user |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-localuser: dirsrv |
3.1.1.115. nsslapd-lockdir (Server Lock File Directory)
This is the full path to the directory the server uses for lock files. The default value is /var/lock/dirsrv/slapd-instance
. Changes to this value will not take effect until the server is restarted.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Absolute path to a directory owned by the server user ID with write access to the server ID |
Default Value | /var/lock/dirsrv/slapd-instance |
Syntax | DirectoryString |
Example | nsslapd-lockdir: /var/lock/dirsrv/slapd-instance |
3.1.1.116. nsslapd-localssf
The nsslapd-localssf
parameter sets the security strength factor (SSF) for LDAPI connections. Directory Server allows LDAPI connections only if the value set in nsslapd-localssf
is greater or equal than the value set in the nsslapd-minssf
parameter. Therefore, LDAPI connections meet the minimum SSF set in nsslapd-minssf
.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | 0 to the maximum 32-bit integer value (2147483647) |
Default Value | 71 |
Syntax | Integer |
Example | nsslapd-localssf: 71 |
3.1.1.117. nsslapd-logging-hr-timestamps-enabled (Enable or Disable High-resolution Log Timestamps)
Controls whether logs will use high resolution timestamps with nanosecond precision, or standard resolution timestamps with one second precision. Enabled by default. Set this option to off
to revert log timestamps back to one second precision.
This setting does not require restarting the server to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values |
|
Default Value |
|
Syntax | DirectoryString |
Example | nsslapd-logging-hr-timestamps-enabled: on |
3.1.1.118. nsslapd-maxbersize (Maximum Message Size)
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than the configured value or the default, then the add request is denied. However, the limit is not applied to replication processes. Be cautious before changing this attribute.
This setting does not require a server restart to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 - 2 gigabytes (2,147,483,647 bytes)
Zero |
Default Value | 2097152 |
Syntax | Integer |
Example | nsslapd-maxbersize: 2097152 |
3.1.1.119. nsslapd-maxdescriptors (Maximum File Descriptors)
This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server tries to use. A file descriptor is used whenever a client connects to the server. File descriptors are also used by access logs, error logs, audit logs, database files (indexes and transaction logs), and as sockets for outgoing connections to other servers for replication and chaining.
The number of descriptors available for TCP/IP to serve client connections is determined by the nsslapd-conntablesize
attribute. The default value for this attribute is set to the file descriptor soft limit, which defaults to 1024. However, if you configure this attribute manually, the server updates the process file descriptor soft limit to match.
If this value is set too high, the Directory Server queries the operating system for the maximum allowable value, and then uses that value. It also issues an information message in the error log. If this value is set to an invalid value remotely, by using the Directory Server Console or ldapmodify
, the server rejects the new value, keeps the old value, and responds with an error.
Some operating systems let users configure the number of file descriptors available to a process. See the operating system documentation for details on file descriptor limits and configuration. The dsktune
program (explained in the Red Hat Directory Server Installation Guide) can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. Increased the value on this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server’s error log file:
Not listening for new connections -- too many fds open
See Section 3.1.1.62, “nsslapd-conntablesize” for more information about increasing the number of incoming connections.
UNIX shells usually have configurable limits on the number of file descriptors. See the operating system documentation for further information about limit
and ulimit
, as these limits can often cause problems.
The server has to be restarted for changes to this attribute to go into effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to 65535 |
Default Value | 4096 |
Syntax | Integer |
Example | nsslapd-maxdescriptors: 4096 |
3.1.1.120. nsslapd-maxsasliosize (Maximum SASL Packet Size)
When a user is authenticated to the Directory Server over SASL GSS-API, the server must allocate a certain amount of memory to the client to perform LDAP operations, according to how much memory the client requests. It is possible for an attacker to send such a large packet size that it crashes the Directory Server or ties it up indefinitely as part of a denial of service attack.
The packet size which the Directory Server will allow for SASL clients can be limited using the nsslapd-maxsasliosize
attribute. This attribute sets the maximum allowed SASL IO packet size that the server will accept.
When an incoming SASL IO packet is larger than the nsslapd-maxsasliosize
limit, the server immediately disconnects the client and logs a message to the error log, so that an administrator can adjust the setting if necessary.
This attribute value is specified in bytes.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | * -1 (unlimited) to the maximum 32-bit integer value (2147483647) on 32-bit systems * -1 (unlimited) to the maximum 64-bit integer value (9223372036854775807) on 64-bit systems |
Default Value | 2097152 (2MB) |
Syntax | Integer |
Example | nsslapd-maxsasliosize: 2097152 |
3.1.1.121. nsslapd-maxthreadsperconn (Maximum Threads per Connection)
Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, use the default value. For situations where a client binds and simultaneously issues many requests, increase this value to allow each connection enough resources to perform all the operations. This attribute is not available from the server console.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to maximum threadnumber |
Default Value | 5 |
Syntax | Integer |
Example | nsslapd-maxthreadsperconn: 5 |
3.1.1.122. nsslapd-minssf
A security strength factor is a relative measurement of how strong a connection is according to its key strength. The SSF determines how secure an TLS or SASL connection is. The nsslapd-minssf
attribute sets a minimum SSF requirement for any connection to the server; any connection attempts that are weaker than the minimum SSF are rejected.
TLS and SASL connections can be mixed in a connection to the Directory Server. These connections generally have different SSFs. The higher of the two SSFs is used to compare to the minimum SSF requirement.
Setting the SSF value to 0 means that there is no minimum setting.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any positive integer |
Default Value | 0 (off) |
Syntax | DirectoryString |
Example | nsslapd-minssf: 128 |
3.1.1.123. nsslapd-minssf-exclude-rootdse
A security strength factor is a relative measurement of how strong a connection is according to its key strength. The SSF determines how secure an TLS or SASL connection is.
The nsslapd-minssf-exclude-rootdse
attribute sets a minimum SSF requirement for any connection to the server except for queries for the root DSE. This enforces appropriate SSF values for most connections, while still allowing clients to get required information about the server configuration from the root DSE without having to establish a secure connection first.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any positive integer |
Default Value | 0 (off) |
Syntax | DirectoryString |
Example | nsslapd-minssf-exclude-rootdse: 128 |
3.1.1.124. nsslapd-moddn-aci
This parameter controls the ACI checks when directory entries are moved from one subtree to another and using source and target restrictions in moddn operations. For backward compatibility, you can disable the ACI checks.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-moddn-aci: on |
3.1.1.125. nsslapd-malloc-mmap-threshold
If a Directory Server instance is started as a service using the systemctl
utility, environment variables are not passed to the server unless you set them in the /etc/sysconfig/dirsrv
or /etc/sysconfig/dirsrv-instance_name
file. For further details, see the systemd.exec(3) man page.
Instead of manually editing the service files to set the M_MMAP_THRESHOLD
environment variable, the nsslapd-malloc-mmap-threshold
parameter enables you to set the value in the Directory Server configuration. For further details, see the M_MMAP_THRESHOLD
parameter description in the mallopt(3) man page.
This setting does not require restarting the server to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 - 33554432 |
Default Value |
See the |
Syntax | Integer |
Example | nsslapd-malloc-mmap-threshold: 33554432 |
3.1.1.126. nsslapd-malloc-mxfast
If a Directory Server instance is started as a service using the systemctl
utility, environment variables are not passed to the server unless you set them in the /etc/sysconfig/dirsrv
or /etc/sysconfig/dirsrv-instance_name
file. For further details, see the systemd.exec(3) man page.
Instead of manually editing the service files to set the M_MXFAST
environment variable, the nsslapd-malloc-mxfast
parameter enables you to set the value in the Directory Server configuration. For further details, see the M_MXFAST
parameter description in the mallopt(3) man page.
This setting does not require restarting the server to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 - 80 * (sizeof(size_t) / 4) |
Default Value |
See the |
Syntax | Integer |
Example | nsslapd-malloc-mxfast: 1048560 |
3.1.1.127. nsslapd-malloc-trim-threshold
If a Directory Server instance is started as a service using the systemctl
utility, environment variables are not passed to the server unless you set them in the /etc/sysconfig/dirsrv
or /etc/sysconfig/dirsrv-instance_name
file. For further details, see the systemd.exec(3) man page.
Instead of manually editing the service files to set the M_TRIM_THRESHOLD
environment variable, the nsslapd-malloc-trim-threshold
parameter enables you to set the value in the Directory Server configuration. For further details, see the M_TRIM_THRESHOLD
parameter description in the mallopt(3) man page.
This setting does not require restarting the server to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 to 2^31-1 |
Default Value |
See the |
Syntax | Integer |
Example | nsslapd-malloc-trim-threshold: 131072 |
3.1.1.128. nsslapd-nagle
When the value of this attribute is off
, the TCP_NODELAY
option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies; specifically, sending data is delayed so that additional data can be grouped into one packet of the underlying network MTU size, typically 1500 bytes for Ethernet.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-nagle: off |
3.1.1.129. nsslapd-ndn-cache-enabled
Normalizing distinguished names (DN) is a resource intensive task. If the nsslapd-ndn-cache-enabled
parameter is enabled, Directory Server caches normalized DNs in memory. Update the nsslapd-ndn-cache-max-size
parameter to set the maximum size of this cache.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-ndn-cache-enabled: on |
3.1.1.130. nsslapd-ndn-cache-max-size
Normalizing distinguished names (DN) is a resource intensive task. If the nsslapd-ndn-cache-enabled
parameter is enabled, Directory Server caches normalized DNs in memory. The nsslapd-ndn-cache-max-size
parameter sets the maximum size of this cache.
If a DN requested is not cached already, it is normalized and added. When the cache size limit is exceeded, Directory Server removes the least recently used 10,000 DNs from the cache. However, a minimum of 10,000 DNs is always kept cached.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | 0 to the maximum 32-bit integer value (2147483647) |
Default Value | 20971520 |
Syntax | Integer |
Example | nsslapd-ndn-cache-max-size: 20971520 |
3.1.1.131. nsslapd-outbound-ldap-io-timeout
This attribute limits the I/O wait time for all outbound LDAP connections. The default is 300000
milliseconds (5 minutes). A value of 0
means that the server does not impose a limit on I/O wait time.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 to the maximum 32-bit integer value (2147483647) |
Default Value | 300000 |
Syntax | DirectoryString |
Example | nsslapd-outbound-ldap-io-timeout: 300000 |
3.1.1.132. nsslapd-pagedsizelimit (Size Limit for Simple Paged Results Searches)
This attribute sets the maximum number of entries to return from a search operation specifically which uses the simple paged results control. This overrides the nsslapd-sizelimit
attribute for paged searches.
If this value is set to zero, then the nsslapd-sizelimit
attribute is used for paged searches as well as non-paged searches.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 to the maximum 32 bit integer value (2147483647) |
Default Value | |
Syntax | Integer |
Example | nsslapd-pagedsizelimit: 10000 |
3.1.1.133. nsslapd-plug-in
This read-only attribute lists the DNs of the plug-in entries for the syntax and matching rule plug-ins loaded by the server.
3.1.1.134. nsslapd-plugin-binddn-tracking
Sets the bind DN used for an operation as the modifier of an entry, even if the operation itself was initiated by a server plug-in. The specific plug-in which performed the operation is listed in a separate operational attribute, internalModifiersname
.
One change can trigger other, automatic changes in the directory tree. When a user is deleted, for example, that user is automatically removed from any groups it belonged to by the Referential Integrity Plug-in. The initial deletion of the user is performed by whatever user account is bound to the server, but the updates to the groups (by default) are shown as being performed by the plug-in, with no information about which user initiated that update. The nsslapd-plugin-binddn-tracking
attribute allows the server to track which user originated an update operation, as well as the internal plug-in which actually performed it. For example:
dn: cn=my_group,ou=groups,dc=example,dc=com modifiersname: uid=jsmith,ou=people,dc=example,dc=com internalModifiersname: cn=referential integrity plugin,cn=plugins,cn=config
This attribute is disabled by default.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-plugin-binddn-tracking: on |
3.1.1.135. nsslapd-plugin-logging
By default, even if access logging is set to record internal operations, plug-in internal operations are not logged in the access log file. Instead of enabling the logging in each plug-in’s configuration, you can control it globally with this parameter.
When enabled, plug-ins use this global setting and log access and audit events if enabled.
If nsslapd-plugin-logging
is enabled and nsslapd-accesslog-level
is set to record internal operations, unindexed searches and other internal operations are logged into the access log file.
In case nsslapd-plugin-logging
is not set, unindexed searches from plug-ins are still logged in the Directory Server error log.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-plugin-logging: off |
3.1.1.136. nsslapd-port (Port Number)
This attribute gives the TCP/IP port number used for standard LDAP communications. To run TLS over this port, use the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024
means the Directory Server has to be started as root
.
The server sets its uid
to the nsslapd-localuser
value after startup. When changing the port number for a configuration directory, the corresponding server instance entry in the configuration directory must be updated.
The server has to be restarted for the port number change to be taken into account.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 0 to 65535 |
Default Value | 389 |
Syntax | Integer |
Example | nsslapd-port: 389 |
Set the port number to zero (0
) to disable the LDAP port if the LDAPS port is enabled.
3.1.1.137. nsslapd-privatenamespaces
This read-only attribute contains the list of the private naming contexts cn=config
, cn=schema
, and cn=monitor
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | cn=config, cn=schema, and cn=monitor |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-privatenamespaces: cn=config |
3.1.1.138. nsslapd-pwpolicy-inherit-global (Inherit Global Password Syntax)
When the fine-grained password syntax is not set, new or updated passwords are not checked even though the global password syntax is configured. To inherit the global fine-grained password syntax, set this attribute to on
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-pwpolicy-inherit-global: off |
3.1.1.139. nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
Turns fine-grained (subtree- and user-level) password policy on and off.
If this attribute has a value of off
, all entries (except for cn=Directory Manager
) in the directory are subjected to the global password policy; the server ignores any defined subtree/user level password policy.
If this attribute has a value of on
, the server checks for password policies at the subtree- and user-level and enforce those policies.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-pwpolicy-local: off |
3.1.1.140. nsslapd-readonly (Read Only)
This attribute sets whether the whole server is in read-only mode, meaning that neither data in the databases nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-readonly: off |
3.1.1.141. nsslapd-referral (Referral)
This multi-valued attribute specifies the LDAP URLs to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, assume the server contains only entries:
ou=People,dc=example,dc=com
but the request is for this entry:
ou=Groups,dc=example,dc=com
In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a server that contains the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.
To use TLS communications, the referral attribute should be in the form ldaps://
server-location.
Start TLS does not support referrals.
For more information on managing referrals, see the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid LDAP URL |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-referral: ldap://ldap.example.com/dc=example,dc=com |
3.1.1.142. nsslapd-referralmode (Referral Mode)
When set, this attribute sends back the referral for any request on any suffix.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid LDAP URL |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-referralmode: ldap://ldap.example.com |
3.1.1.143. nsslapd-require-secure-binds
This parameter requires that a user authenticate to the directory over a protected connection such as TLS, StartTLS, or SASL, rather than a regular connection.
This only applies to authenticated binds. Anonymous binds and unauthenticated binds can still be completed over a standard channel, even if nsslapd-require-secure-binds
is turned on.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-require-secure-binds: on |
3.1.1.144. nsslapd-requiresrestart
This parameter lists what other core configuration attributes require that the server be restarted after a modification. This means that if any attribute listed in nsslapd-requiresrestart
is changed, the new setting does not take effect until after the server is restarted. The list of attributes can be returned in an ldapsearch
:
ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
This attribute is multi-valued.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any core server configuration attribute |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-requiresrestart: nsslapd-cachesize |
3.1.1.145. nsslapd-reservedescriptors (Reserved File Descriptors)
This attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (See Section 3.1.1.119, “nsslapd-maxdescriptors (Maximum File Descriptors)”).
Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true:
- The server is replicating to a large number of consumer servers (more than 10), or the server is maintaining a large number of index files (more than 30).
- The server is servicing a large number of LDAP connections.
- There are error messages reporting that the server is unable to open file descriptors (the actual error message differs depending on the operation that the server is attempting to perform), but these error messages are not related to managing client LDAP connections.
Increasing the value on this attribute may result in more LDAP clients being unable to access the directory. Therefore, the value on this attribute is increased, also increase the value on the nsslapd-maxdescriptors
attribute. It may not be possible to increase the nsslapd-maxdescriptors
value if the server is already using the maximum number of file descriptors that the operating system allows a process to use; see the operating system documentation for details. If this is the case, then reduce the load on the server by causing LDAP clients to search alternative directory replicas. See Section 3.1.1.62, “nsslapd-conntablesize” for information about file descriptor usage for incoming connections.
To assist in computing the number of file descriptors set for this attribute, use the following formula:
nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex + ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
- NldbmBackends is the number of ldbm databases.
- NglobalIndex is the total number of configured indexes for all databases including system indexes. (By default 8 system indexes and 17 additional indexes per database).
- ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
-
ChainingBackendDescriptors is NchainingBackend times the nsOperationConnectionsLimit (a chaining or database link configuration attribute;
10
by default). -
PTADescriptors is
3
if PTA is configured and0
if PTA is not configured. -
SSLDescriptors is
5
(4 files + 1 listensocket) if TLS is configured and0
if TLS is not configured.
The server has to be restarted for changes to this attribute to go into effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to 65535 |
Default Value | 64 |
Syntax | Integer |
Example | nsslapd-reservedescriptors: 64 |
3.1.1.146. nsslapd-return-exact-case (Return Exact Case)
Returns the exact case of attribute type names as requested by the client. Although LDAPv3-compliant clients must ignore the case of attribute names, some client applications require attribute names to match exactly the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server as the result of a search or modify operation. However, most client applications ignore the case of attributes; therefore, by default, this attribute is disabled. Do not modify it unless there are legacy clients that can check the case of attribute names in results returned from the server.
The server has to be restarted for changes to this attribute to go into effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-return-exact-case: off |
3.1.1.147. nsslapd-rewrite-rfc1274
This attribute is deprecated and will be removed in a later version.
This attribute is used only for LDAPv2 clients that require attribute types to be returned with their RFC 1274 names. Set the value to on
for those clients. The default is off
.
3.1.1.148. nsslapd-rootdn (Manager DN)
This attribute sets the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general. There does not have to be an entry corresponding to this DN, and by default there is not an entry for this DN, thus values like cn=Directory Manager
are acceptable.
For information on changing the root DN, see the "Creating Directory Entries" chapter in the Red Hat Directory Server Administration Guide.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid distinguished name |
Default Value | |
Syntax | DN |
Example | nsslapd-rootdn: cn=Directory Manager |
3.1.1.149. nsslapd-rootpw (Root Password)
This attribute sets the password associated with the Manager DN. When the root password is provided, it is encrypted according to the encryption method selected for the nsslapd-rootpwstoragescheme
attribute. When viewed from the server console, this attribute shows the value *
. When viewed from the dse.ldif
file, this attribute shows the encryption method followed by the encrypted string of the password. The example shows the password as displayed in the dse.ldif
file, not the actual password.
When the root DN is configred at server setup, a root password is required. However, it is possible for the root password to be deleted from dse.ldif
by directly editing the file. In this situation, the root DN can only obtain the same access to the directory is allowed for anonymous access. Always make sure that a root password is defined in dse.ldif
when a root DN is configured for the database. The pwdhash
command-line utility can create a new root password. For more information, see Section 9.6, “pwdhash”.
When resetting the Directory Manager’s password from the command line, do not use curly braces ({}
) in the password. The root password is stored in the format {password-storage-scheme}hashed_password. Any characters in curly braces are interpreted by the server as the password storage scheme for the root password. If that text is not a valid storage scheme or if the password that follows is not properly hashed, then the Directory Manager cannot bind to the server.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid password, encrypted by any one of the encryption methods which are described in Section 4.1.43, “Password Storage Schemes”. |
Default Value | |
Syntax | DirectoryString {encryption_method }encrypted_Password |
Example | nsslapd-rootpw: {SSHA}9Eko69APCJfF |
3.1.1.150. nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
This attribute sets the method used to encrypt the Directory Server’s manager password stored in the nsslapd-rootpw
attribute. For further details, such as recommended strong password storage schemes, see Section 4.1.43, “Password Storage Schemes”.
This setting does not require restarting the server to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | |
Default Value | PBKDF2_SHA256 |
Syntax | DirectoryString |
Example | nsslapd-rootpwstoragescheme: PBKDF2_SHA256 |
3.1.1.151. nsslapd-rundir
This parameter sets the absolute path to the directory in which Directory Server stores run-time information, such as the PID file. The directory must be owned by the Directory Server user and group. Only this user and group must have read and write access in this directory.
The service must be restarted for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any directory writable by the Directory Server user |
Default Value | /var/run/dirsrv/ |
Syntax | DirectoryString |
Example | nsslapd-rundir: /var/run/dirsrv/ |
3.1.1.152. nsslapd-sasl-mapping-fallback
By default, only first matching SASL mapping is checked. If this mapping fails, the bind operation will fail even if there are other matching mappings that might have worked. SASL mapping fallback will keep checking all of the matching mappings.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-sasl-mapping-fallback: off |
3.1.1.153. nsslapd-sasl-max-buffer-size
This attribute sets the maximum SASL buffer size.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | 0 to the maximum 32 bit integer value (2147483647) |
Default Value | 67108864 (64 kilobytes) |
Syntax | Integer |
Example | nsslapd-sasl-max-buffer-size: 67108864 |
3.1.1.154. nsslapd-saslpath
Sets the absolute path to the directory containing the Cyrus-SASL SASL2 plug-ins. Setting this attribute allows the server to use custom or non-standard SASL plug-in libraries. This is usually set correctly during installation, and Red Hat strongly recommends not changing this attribute. If the attribute is not present or the value is empty, this means the Directory Server is using the system provided SASL plug-in libraries which are the correct version.
If this parameter is set, the server uses the specified path for loading SASL plug-ins. If this parameter is not set, the server uses the SASL_PATH
environment variable. If neither nsslapd-saslpath
or SASL_PATH
are set, the server attempts to load SASL plug-ins from the default location, /usr/lib/sasl2
.
Changes made to this attribute will not take effect until the server is restarted.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Path to plug-ins directory. |
Default Value | Platform dependent |
Syntax | DirectoryString |
Example | nsslapd-saslpath: /usr/lib/sasl2 |
3.1.1.155. nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
Ignores trailing spaces in object class names. By default, the attribute is turned off. If the directory contains entries with object class values that end in one or more spaces, turn this attribute on. It is preferable to remove the trailing spaces because the LDAP standards do not allow them.
For performance reasons, server restart is required for changes to take effect.
An error is returned by default when object classes that include trailing spaces are added to an entry. Additionally, during operations such as add, modify, and import (when object classes are expanded and missing superiors are added) trailing spaces are ignored, if appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces
is on
, a value such as top
is not added if top
is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-schema-ignore-trailing-spaces: on |
3.1.1.156. nsslapd-schemacheck (Schema Checking)
This attribute sets whether the database schema is enforced when entries are added or modified. When this attribute has a value of on
, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. The default schema can be extended using the object classes and attribute types. For information on how to extend the schema using the Directory Server Console, see the "Extending the Directory Schema" chapter in the Red Hat Directory Server Administration Guide.
Red Hat strongly discourages turning off schema checking. This can lead to severe interoperability problems. This is typically used for very old or non-standard LDAP data that must be imported into the Directory Server. If there are not a lot of entries that have this problem, consider using the extensibleObject
object class in those entries to disable schema checking on a per entry basis.
Schema checking works by default when database modifications are made using an LDAP client, such as ldapmodify
or when importing a database from LDIF using ldif2db
. If schema checking is turned off, every entry has to be verified manually to see that they conform to the schema. If schema checking is turned on, the server sends an error message listing the entries which do not match the schema. Ensure that the attributes and object classes created in the LDIF statements are both spelled correctly and identified in dse.ldif
. Either create an LDIF file in the schema directory or add the elements to 99user.ldif
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-schemacheck: on |
3.1.1.157. nsslapd-schemadir
This is the absolute path to the directory containing the Directory Server instance-specific schema files. When the server starts up, it reads the schema files from this directory, and when the schema is modified through LDAP tools, the schema files in this directory are updated. This directory must be owned by the server user ID, and that user must have read and write permissions to the directory.
Changes made to this attribute will not take effect until the server is restarted.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any valid path |
Default Value | /etc/dirsrv/instance_name/schema |
Syntax | DirectoryString |
Example | nsslapd-schemadir: /etc/dirsrv/instance_name/schem |
3.1.1.158. nsslapd-schemamod
Online schema modifications require a lock protection that are impacting the performance. If schema modifications are disabled, setting this parameter to off
can increase the performance.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-schemamod: on |
3.1.1.159. nsslapd-schemareplace
Determines whether modify operations that replace attribute values are allowed on the cn=schema
entry.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off | replication-only |
Default Value | replication-only |
Syntax | DirectoryString |
Example | nsslapd-schemareplace: replication-only |
3.1.1.160. nsslapd-search-return-original-type-switch
If the attribute list passed to a search contains a space followed by other characters, the same string is returned to the client. For example:
# ldapsearch -b <basedn> "(filter)" "sn someothertext" dn: <matched dn> sn someothertext: <sn>
This behavior is disabled by default, but can be enabled using this configuration parameter.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-search-return-type-switch: off |
3.1.1.161. nsslapd-securelistenhost
This attribute allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). There can be multiple IP addresses associated with a single host name, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface; this parameter also specifically sets what interface to use for TLS traffic rather than regular LDAP connections.
If a host name is given as the nsslapd-securelistenhost
value, then the Directory Server responds to requests for every interface associated with the host name. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-securelistenhost
value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used.
The server has to be restarted for changes to this attribute to go into effect.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | Any secure host name, IPv4 or IPv6 address |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-securelistenhost: ldaps.example.com |
3.1.1.162. nsslapd-securePort (Encrypted Port Number)
This attribute sets the TCP/IP port number used for TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024
requires that Directory Server be started as root
. The server sets its uid
to the nsslapd-localuser
value after startup.
The server only listens to this port if it has been configured with a private key and a certificate, and nsslapd-security
is set to on
; otherwise, it does not listen on this port.
The server has to be restarted for the port number change to be taken into account.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | 1 to 65535 |
Default Value | 636 |
Syntax | Integer |
Example | nsslapd-securePort: 636 |
3.1.1.163. nsslapd-security (Security)
This attribute sets whether the Directory Server is to accept TLS communications on its encrypted port. This attribute should be set to on
for secure connections. To run with security on, the server must be configured with a private key and server certificate in addition to the other TLS configuration.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-security: off |
3.1.1.164. nsslapd-sizelimit (Size Limit)
This attribute sets the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd
returns any entries it has located that match the search request, as well as an exceeded size limit error.
When no limit is set, ns-slapd
returns every matching entry to the client regardless of the number found. To set a no limit value whereby the Directory Server waits indefinitely for the search to complete, specify a value of -1
for this attribute in the dse.ldif
file.
This limit applies to everyone, regardless of their organization.
A value of -1
on this attribute in dse.ldif
file is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. This cannot have a null value in dse.ldif
file, as it is not a valid integer. It is possible to set it to 0
, which returns size limit exceeded
for every search.
The corresponding user-level attribute is nsSizeLimit
.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Range | -1 to the maximum 32 bit integer value (2147483647) |
Default Value | 2000 |
Syntax | Integer |
Example | nsslapd-sizelimit: 2000 |
3.1.1.165. nsslapd-snmp-index
This parameter controls the SNMP index number of the Directory Server instance.
If you have multiple Directory Server instances on the same host listening all on port 389 but on different network interfaces, this parameter allows you to set different SNMP index numbers for each instance.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | 0 to the maximum 32 bit integer value (2147483647) |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-snmp-index: 0 |
3.1.1.166. nsslapd-SSLclientAuth
The nsslapd-SSLclientAuth
parameter will be deprecated in a future release and is currently maintained for backward compatibility. Use the new parameter nsSSLClientAuth
, stored under cn=encryption,cn=config
, instead. See Section 3.1.4.5, “nsSSLClientAuth”.
3.1.1.167. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an TLS-enabled Directory Server should verify authenticity of a request by matching the host name against the value assigned to the common name (cn
) attribute of the subject name (subjectDN
field) in the certificate being presented. By default, the attribute is set to on
. If it is on and if the host name does not match the cn
attribute of the certificate, appropriate error and audit messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the supplier server’s log files if it finds that the peer server’s host name does not match the name specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 - Unable to communicate securely with peer: requested domain name does not match the server's certificate.) [DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636): Replication bind with SSL client authentication failed: LDAP error 81 (Can't contact LDAP server)
Red Hat recommends turning this attribute on to protect Directory Server’s outbound TLS connections against a man in the middle (MITM) attack.
DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server cannot resolve the peer IP address to the host name in the subject DN in the certificate.
Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-ssl-check-hostname: on |
3.1.1.168. nsslapd-syntaxcheck
This attribute validates all modifications to entry attributes to make sure that the new or changed values conform to the required syntax for that attribute type. Any changes which do not conform to the proper syntax are rejected, when this attribute is enabled. All attribute values are validated against the syntax definitions in RFC 4514.
By default, this is turned on.
Syntax validation is only run against new or modified attributes; it does not validate the syntax of existing attribute values. Syntax validation is triggered for LDAP operations such as adds and modifies; it does not happen after operations like replication, since the validity of the attribute syntax should be checked on the originating supplier.
This validates all supported attribute types for Directory Serve