1.8. Setting Directory Server Configuration Parameters
Directory Server stores its configuration in the cn=config directory entry. Each configuration parameter is an LDAP attribute, and the parameter's value is the value set in this attribute.
1.8.1. Managing Configuration Parameters
You can set, update, and delete configuration parameters by:
- Using the dsconf utility:
  Note
  Red Hat recommends using the dsconf utility to manage the Directory Server configuration.
  Example 1.1. Setting a Configuration Parameter Using dsconf
  For example, to set the error log level to 16384, update the nsslapd-errorlog-level parameter using the dsconf utility:
  # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-errorlog-level=16384
  For further details about using dsconf, see the dsconf(8) man page.
- Using the LDAP interface:
  Example 1.2. Setting a Configuration Parameter using the LDAP Interface
  For example, to set the error log level to 16384, update the nsslapd-errorlog-level parameter using the LDAP interface:
  # ldapmodify -D "cn=Directory Manager" -W -x -H ldap://server.example.com:389
  dn: cn=config
  replace: nsslapd-errorlog-level
  nsslapd-errorlog-level: 16384
- Editing the /etc/dirsrv/slapd-instance_name/dse.ldif file.
  Warning
As long as an instance starts successfully, do not manually edit this file because this can cause Directory Server to not work as expected, or the instance can fail to start.
1.8.2. Where Directory Server Stores its Configuration
Directory Server stores the configuration from the cn=config entry in the /etc/dirsrv/slapd-instance_name/dse.ldif file. The server stores only the parameters you modified in this file. Attributes that are not listed use their default value. This enables you to identify all configuration parameters you set in this instance by displaying the /etc/dirsrv/slapd-instance_name/dse.ldif file.
Important
Do not manually edit the /etc/dirsrv/slapd-instance_name/dse.ldif file as long as the instance starts successfully.
For details about how you can edit configuration parameters, see Section 1.8.1, “Managing Configuration Parameters”.
1.8.3. Benefits of Using Default Values
If a parameter is not set, Directory Server uses the default value of this parameter. Using the default value has the benefit that new versions often provide optimized settings and increased security.
For example, if you do not set the passwordStorageScheme attribute, Directory Server automatically uses the strongest supported password storage scheme available. If a future update changes the default value to increase security, passwords will be automatically encrypted using the new storage scheme when a user sets a password.
1.8.3.1. Removing a Parameter to Use the Default Value
If a parameter is set and you want to use the default value instead, delete the parameter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config delete parameter_name
Important
You cannot delete certain parameters, such as nsslapd-secureport, to reset them to default. If you try to delete them, the server rejects the request with a Server is unwilling to perform (53) error.
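The following is an added example, not part of the original documentation: a read-only Python reader that lists the parameters stored for cn=config in a copy of dse.ldif (Section 1.8.2), labels the two cases this page names, and builds the delete command from Section 1.8.3.1 for review without running it. The sample LDIF is constructed, and the names SAMPLE, NOTES, IGNORED and the function names are assumptions, as is treating objectClass and cn as non-parameters.

```python
import base64

# Constructed dse.ldif fragment for illustration; not taken from a real instance.
SAMPLE = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-errorlog-level: 16384
nsslapd-secureport: 636
passwordStorageScheme: SSHA
nsslapd-rootdn: cn=Directory
  Manager
description:: cGlubmVkIGJ5IGF1ZGl0

dn: cn=plugins,cn=config
cn: plugins
"""

# The two cases the page names; keys are lowercase attribute names.
NOTES = {"passwordstoragescheme": "prefer-default", "nsslapd-secureport": "not-deletable"}
IGNORED = {"objectclass", "cn"}  # assumption: structural attributes, not parameters

def explicit_settings(text, dn="cn=config"):
    """Return {attribute: [values]} stored for one entry. Only reads; never writes."""
    attrs, inside = {}, False
    # LDIF folding: a newline followed by one space continues the previous line.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for line in unfolded.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            inside = False                      # a blank line ends the entry
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):               # "attr:: value" is base64-encoded
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if name.lower() == "dn":
            inside = value.strip().lower() == dn.lower()   # simple string match on the DN
        elif inside and name.lower() not in IGNORED:
            attrs.setdefault(name, []).append(value.strip())
    return attrs

def review(attrs):
    """Label each explicitly set parameter: prefer-default, not-deletable, or set."""
    return {n: NOTES.get(n.lower(), "set") for n in attrs}

def reset_commands(attrs, url="ldap://server.example.com"):
    """Build (not run) the page's delete command for each prefer-default parameter."""
    return [f'dsconf -D "cn=Directory Manager" {url} config delete {n}'
            for n, note in review(attrs).items() if note == "prefer-default"]
```

Run it against a copy of dse.ldif, for example `review(explicit_settings(open(path).read()))`, and apply any resulting change through dsconf rather than by editing the file.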
1.8.4. The dsconf backend config command limitations
The dsconf backend config command retrieves and sets the backend configuration. The command has the following arguments:
- get
- set
The dsconf backend config get command retrieves all server backend configuration attributes with set values, for example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com:389 backend config get
nsslapd-lookthroughlimit: 5000
nsslapd-mode: 600
nsslapd-idlistscanlimit: 2147483646
…
Note
You can get only the full set of attribute values by using the dsconf backend config get command, not a value for a specified attribute.
The dsconf backend config set command sets backend configuration attributes individually. To set a value, specify an option that matches the LDAP attribute name, for example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com:389 backend config set --lookthroughlimit 4000 --cache-autosize-split 24
The following table maps the dsconf backend config set command options to the LDAP attribute names:
The dsconf backend config set command options | LDAP attribute names |
---|---|
--lookthroughlimit | nsslapd-lookthroughlimit |
--mode | nsslapd-mode |
--idlistscanlimit | nsslapd-idlistscanlimit |
--directory | nsslapd-directory |
--dbcachesize | nsslapd-dbcachesize |
--logdirectory | nsslapd-db-logdirectory |
--txn-wait | nsslapd-db-transaction-wait |
--checkpoint-interval | nsslapd-db-checkpoint-interval |
--compactdb-interval | nsslapd-db-compactdb-interval |
--compactdb-time | nsslapd-db-compactdb-time |
--txn-batch-val | nsslapd-db-transaction-batch-val |
--txn-batch-min | nsslapd-db-transaction-batch-min-wait |
--txn-batch-max | nsslapd-db-transaction-batch-max-wait |
--logbufsize | nsslapd-db-logbuf-size |
--locks | nsslapd-db-locks |
--locks-monitoring-enabled | nsslapd-db-locks-monitoring-enabled |
--locks-monitoring-threshold | nsslapd-db-locks-monitoring-threshold |
--locks-monitoring-pause | nsslapd-db-locks-monitoring-pause |
--import-cache-autosize | nsslapd-import-cache-autosize |
--import-cachesize | nsslapd-import-cachesize |
--cache-autosize | nsslapd-cache-autosize |
--cache-autosize-split | nsslapd-cache-autosize-split |
--exclude-from-export | nsslapd-exclude-from-export |
--pagedlookthroughlimit | nsslapd-pagedlookthroughlimit |
--pagedidlistscanlimit | nsslapd-pagedidlistscanlimit |
--rangelookthroughlimit | nsslapd-rangelookthroughlimit |
--backend-opt-level | nsslapd-backend-opt-level |
--deadlock-policy | nsslapd-db-deadlock-policy |
--db-home-directory | nsslapd-db-home-directory |
--db-lib | nsslapd-backend-implement |