Chapter 3. Core Server Configuration Reference


The chapter provides an alphabetical reference for all core (server-related) attributes. Section 2.2.1.1, “Overview of the Directory Server Configuration” contains a good overview of the Red Hat Directory Server configuration files.

3.1. Core Server Configuration Attributes Reference

This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see Section 2.2.1.2, “Accessing and Modifying Server Configuration”. For a list of server features that are implemented as plug-ins, see Section 4.1, “Server Plug-in Functionality Reference”. For help with implementing custom server functionality, contact Directory Server support.

The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in the following diagram.

Figure 3.1. Directory Information Tree Showing Configuration Data

cfgdit1

Most of these configuration tree nodes are covered in the following sections.

The cn=plugins node is covered in Chapter 4, Plug-in Implemented Server Functionality Reference. The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.

Note

Some of the entries and attributes described in this chapter may change in future releases of the product.

3.1.1. cn=config

General configuration entries are stored in the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class.

3.1.1.1. nsslapd-accesslog (Access Log)

This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file:

  • IP address (IPv4 or IPv6) of the client machine that accessed the database.
  • Operations performed (for example, search, add, and modify).
  • Result of the access (for example, the number of entries returned or an error code).

For more information on turning access logging off, see the "Monitoring Server and Database Activity" chapter in the Red Hat Directory Server Administration Guide.

For access logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.

Table 3.1. dse.ldif File Attributes
AttributeValueLogging enabled or disabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

on

empty string

Disabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

on

filename

Enabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

off

empty string

Disabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

off

filename

Disabled

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid filename.

Default Value

/var/log/dirsrv/slapd-instance/access

Syntax

DirectoryString

Example

nsslapd-accesslog: /var/log/dirsrv/slapd-instance/access

3.1.1.2. nsslapd-accesslog-level (Access Log Level)

This attribute controls what is logged to the access log.

You do not have to restart the server for this setting to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

* 0 - No access logging

* 4 - Logging for internal access operations

* 256 - Logging for connections, operations, and results

* 512 - Logging for access to an entry and referrals

* These values can be added together to provide the exact type of logging required; for example, 516 (4 + 512) to obtain internal access operation, entry access, and referral logging.

Default Value

256

Syntax

Integer

Example

nsslapd-accesslog-level: 256

3.1.1.3. nsslapd-accesslog-list (List of Access Log Files)

This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.

ParameterDescription

Entry DN

cn=config

Valid Values

 

Default Value

None

Syntax

DirectoryString

Example

nsslapd-accesslog-list: accesslog2,accesslog3

3.1.1.4. nsslapd-accesslog-logbuffering (Log Buffering)

When set to off, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesslog-logbuffering: off

3.1.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)

This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 to the maximum 32 bit integer value (2147483647)

A value of -1 or 0 means that the log never expires.

Default Value

-1

Syntax

Integer

Example

nsslapd-accesslog-logexpirationtime: 2

3.1.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)

This attribute specifies the units for nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day

Default Value

month

Syntax

DirectoryString

Example

nsslapd-accesslog-logexpirationtimeunit: week

3.1.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)

Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog attribute that specifies the path and parameter of the log used to record each database access.

For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.

Table 3.2. dse.ldif Attributes
AttributeValueLogging Enabled or Disabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

on

empty string

Disabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

on

filename

Enabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

off

empty string

Disabled

nsslapd-accesslog-logging-enabled

nsslapd-accesslog

off

filename

Disabled

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesslog-logging-enabled: off

3.1.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)

This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size.

Default Value

500

Syntax

Integer

Example

nsslapd-accesslog-logmaxdiskspace: 500

3.1.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)

This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647)

Default Value

-1

Syntax

Integer

Example

nsslapd-accesslog-logminfreediskspace: -1

3.1.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)

This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.

For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.

For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-accesslog-logrotationsync-enabled: on

3.1.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 23

Default Value

0

Syntax

Integer

Example

nsslapd-accesslog-logrotationsynchour: 23

3.1.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 59

Default Value

0

Syntax

Integer

Example

nsslapd-accesslog-logrotationsyncmin: 30

3.1.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)

This attribute sets the time between access log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.

Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.

Although it is not recommended for performance reasons to specify no log rotation since the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or set the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See Section 3.1.1.16, “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-accesslog-logrotationtime: 100

3.1.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)

This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day | hour | minute

Default Value

day

Syntax

DirectoryString

Example

nsslapd-accesslog-logrotationtimeunit: week

3.1.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)

This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-accesslog-maxlogsize: 100

3.1.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)

This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted. For performance reasons, Red Hat recommends not setting this value to 1 because the server does not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the nsslapd-accesslog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.13, “nsslapd-accesslog-logrotationtime (Access Log Rotation Time)” for more information.

Note that, depending on the values set in nsslapd-accesslog-logminfreediskspace and nsslapd-accesslog-maxlogsize, the actual number of logs could be less than what you configure in nsslapd-accesslog-maxlogsperdir. For example, if nsslapd-accesslog-maxlogsperdir uses the default (10 files) and you set nsslapd-accesslog-logminfreediskspace to 500 MB and nsslapd-accesslog-maxlogsize to 100 MB, Directory Server keeps only 5 access files.

ParameterDescription

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

10

Syntax

Integer

Example

nsslapd-accesslog-maxlogsperdir: 10

3.1.1.17. nsslapd-accesslog-mode (Access Log File Permission)

This attribute sets the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 (these mirror the numbered or absolute UNIX file permissions). The value must be a 3-digit number, the digits varying from 0 through 7:

  • 0 - None
  • 1 - Execute only
  • 2 - Write only
  • 3 - Write and execute
  • 4 - Read only
  • 5 - Read and execute
  • 6 - Read and write
  • 7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.

ParameterDescription

Entry DN

cn=config

Valid Range

000 through 777

Default Value

600

Syntax

Integer

Example

nsslapd-accesslog-mode: 600

3.1.1.18. nsslapd-allow-anonymous-access

If a user attempts to connect to the Directory Server without supplying any bind DN or password, this is an anonymous bind. Anonymous binds simplify common search and read operations, like checking the directory for a phone number or email address, by not requiring users to authenticate to the directory first.

However, there are risks with anonymous binds. Adequate ACIs must be in place to restrict access to sensitive information and to disallow actions like modifies and deletes. Additionally, anonymous binds can be used for denial of service attacks or for malicious people to gain access to the server.

Anonymous binds can be disabled to increase security (off). By default, anonymous binds are allowed (on) for search and read operations. This allows access to regular directory entries, which includes user and group entries as well as configuration entries like the root DSE. A third option, rootdse, allows anonymous search and read access to search the root DSE itself, but restricts access to all other directory entries.

Optionally, resource limits can be placed on anonymous binds using the nsslapd-anonlimitsdn attribute as described in Section 3.1.1.22, “nsslapd-anonlimitsdn”.

Changes to this value will not take effect until the server is restarted.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off | rootdse

Default Value

on

Syntax

DirectoryString

Example

nsslapd-allow-anonymous-access: on

3.1.1.19. nsslapd-allow-hashed-passwords

This parameter disables the pre-hashed password checks. By default, the Directory Server does not allow pre-hashed passwords to be set by anyone other than the Directory Manager. You can delegate this privilege to other users when you add them to the Password Administrators group. However in some scenarios, like when the replication partner already controls the pre-hashed passwords checking, this feature has to be disabled on the Directory Server.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-allow-hashed-passwords: off

3.1.1.20. nsslapd-allow-unauthenticated-binds

Unauthenticated binds are connections to Directory Server where a user supplies an empty password. Using the default settings, Directory Server denies access in this scenario for security reasons.

Warning

Red Hat recommends not enabling unauthenticated binds. This authentication method enables users to bind without supplying a password as any account, including the Directory Manager. After the bind, the user can access all data with the permissions of the account used to bind.

You do not have to restart the server for this setting to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-allow-unauthenticated-binds: off

3.1.1.21. nsslapd-allowed-sasl-mechanisms

Per default, the root DSE lists all mechanisms the SASL library supports. However in some environments only certain ones are preferred. The nsslapd-allowed-sasl-mechanisms attribute allows you to enable only some defined SASL mechanisms.

The mechanism names must consist of uppercase letters, numbers, and underscores. Each mechanism can be separated by commas or spaces.

Note

The EXTERNAL mechanism is actually not used by any SASL plug-in. It is internal to the server, and is mainly used for TLS client authentication. Hence, the EXTERNAL mechanism cannot be restricted or controlled. It will always appear in the supported mechanisms list, regardless what is set in the nsslapd-allowed-sasl-mechanisms attribute.

This setting does not require a server restart to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid SASL mechanism

Default Value

None (all SASL mechanisms allowed)

Syntax

DirectoryString

Example

nsslapd-allowed-sasl-mechanisms: GSSAPI, DIGEST-MD5, OTP

3.1.1.22. nsslapd-anonlimitsdn

Resource limits can be set on authenticated binds. The resource limits can set a cap on how many entries can be searched in a single operation (nsslapd-sizeLimit), a time limit (nsslapd-timelimit) and time out period (nsslapd-idletimeout) for searches, and the total number of entries that can be searched (nsslapd-lookthroughlimit). These resource limits prevent denial of service attacks from tying up directory resources and improve overall performance.

Resource limits are set on a user entry. An anonymous bind, obviously, does not have a user entry associated with it. This means that resource limits usually do not apply to anonymous operations.

To set resource limits for anonymous binds, a template entry can be created, with the appropriate resource limits. The nsslapd-anonlimitsdn configuration attribute can then be added that points to this entry and applies the resource limits to anonymous binds.

ParameterDescription

Entry DN

cn=config

Valid Values

Any DN

Default Value

None

Syntax

DirectoryString

Example

nsslapd-anonlimitsdn: cn=anon template,ou=people,dc=example,dc=com

3.1.1.23. nsslapd-attribute-name-exceptions

This attribute allows non-standard characters in attribute names to be used for backwards compatibility with older servers, such as "_" in schema-defined attributes.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-attribute-name-exceptions: on

3.1.1.24. nsslapd-auditlog (Audit Log)

This attribute sets the path and filename of the log used to record changes made to each database.

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid filename

Default Value

/var/log/dirsrv/slapd-instance/audit

Syntax

DirectoryString

Example

nsslapd-auditlog: /var/log/dirsrv/slapd-instance/audit

For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.

Table 3.3. Possible Combinations for nsslapd-auditlog
Attributes in dse.ldifValueLogging enabled or disabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

on

empty string

Disabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

on

filename

Enabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

off

empty string

Disabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

off

filename

Disabled

3.1.1.25. nsslapd-auditlog-display-attrs

With the nsslapd-auditlog-display-attrs attribute you can set attributes that Directory Server displays in the audit log to provide useful identifying information about the entry being modified. By adding attributes to the audit log, you can check the current state of certain attributes in the entry and details of the entry update.

You can display attributes in the log by choosing one of the following options:

  • To display a certain attribute of the entry that Directory Server modifies, provide the attribute name as a value.
  • To display more than one attribute, provide the space separated list of attribute names as a value.
  • To display all attributes of the entry, use an asterisk (*) as a value.

Provide the space separated list of attributes that Directory Server must display in the audit log, or use an asterisk (*) as a value to display all attributes of an entry being modified.

For example, you want to add cn attribute to the audit log output. When you set nsslapd-auditlog-display-attrs attribute to cn, the audit log displays the following output:

time: 20221027102743
dn: uid=73747737483,ou=people,dc=example,dc=com
#cn: Frank Lee
result: 0
changetype: modify
replace: description
description: Adds cn attribute to the audit log
-
replace: modifiersname
modifiersname: cn=dm
-
replace: modifytimestamp
modifytimestamp: 20221027142743Z
ParameterDescription

Entry DN

cn=config

Valid Values

Any valid attribute name. Use an asterisk (*) if you want to display all attributes of an entry in the audit log.

Default Value

None

Syntax

DirectoryString

Example

nsslapd-auditlog-display-attrs: cn ou

3.1.1.26. nsslapd-auditlog-list

Provides a list of audit log files.

ParameterDescription

Entry DN

cn=config

Valid Values

 

Default Value

None

Syntax

DirectoryString

Example

nsslapd-auditlog-list: auditlog2,auditlog3

3.1.1.27. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)

This attribute sets the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 to the maximum 32 bit integer value (2147483647)

A value of -1 or 0 means that the log never expires.

Default Value

-1

Syntax

Integer

Example

nsslapd-auditlog-logexpirationtime: 1

3.1.1.28. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)

This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditlog-logexpirationtimeunit: day

3.1.1.29. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)

Turns audit logging on and off.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-auditlog-logging-enabled: off

For audit logging to be enabled, this attribute must have a valid path and parameter and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.

Table 3.4. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled
AttributeValueLogging enabled or disabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

on

empty string

Disabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

on

filename

Enabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

off

empty string

Disabled

nsslapd-auditlog-logging-enabled

nsslapd-auditlog

off

filename

Disabled

3.1.1.30. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations with the total amount of disk space for the audit log.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size.

Default Value

-1

Syntax

Integer

Example

nsslapd-auditlog-logmaxdiskspace: 10000

3.1.1.31. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)

This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest audit logs are deleted until enough disk space is freed to satisfy this attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)

Default Value

-1

Syntax

Integer

Example

nsslapd-auditlog-logminfreediskspace: -1

3.1.1.32. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)

This attribute sets whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.

For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.

For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-auditlog-logrotationsync-enabled: on

3.1.1.33. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 23

Default Value

None (because nsslapd-auditlog-logrotationsync-enabled is off)

Syntax

Integer

Example

nsslapd-auditlog-logrotationsynchour: 23

3.1.1.34. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 59

Default Value

None (because nsslapd-auditlog-logrotationsync-enabled is off)

Syntax

Integer

Example

nsslapd-auditlog-logrotationsyncmin: 30

3.1.1.35. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)

This attribute sets the time between audit log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-maxlogsperdir attribute is set to 1, the server ignores this attribute.

Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.

Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or set the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See Section 3.1.1.38, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-logrotationtime: 100

3.1.1.36. nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)

This attribute sets the units for the nsslapd-auditlog-logrotationtime attribute.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day | hour | minute

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditlog-logrotationtimeunit: day

3.1.1.37. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)

This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the audit log.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-auditlog-maxlogsize: 50

3.1.1.38. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)

This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the nsslapd-auditlog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.35, “nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-maxlogsperdir: 10

3.1.1.39. nsslapd-auditlog-mode (Audit Log File Permission)

This attribute sets the access mode or file permissions with which audit log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:

  • 0 - None
  • 1 - Execute only
  • 2 - Write only
  • 3 - Write and execute
  • 4 - Read only
  • 5 - Read and execute
  • 6 - Read and write
  • 7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.

ParameterDescription

Entry DN

cn=config

Valid Range

000 through 777

Default Value

600

Syntax

Integer

Example

nsslapd-auditlog-mode: 600

3.1.1.40. nsslapd-auditfaillog (Audit Fail Log)

This attribute sets the path and filename of the log used to record failed LDAP modifications.

If nsslapd-auditfaillog-logging-enabled is enabled, and nsslapd-auditfaillog is not set, the audit fail events are logged to the file specified in nsslapd-auditlog.

If you set the nsslapd-auditfaillog parameter to the same path as nsslapd-auditlog, both are logged in the same file.

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid filename

Default Value

/var/log/dirsrv/slapd-instance/audit

Syntax

DirectoryString

Example

nsslapd-auditfaillog: /var/log/dirsrv/slapd-instance/audit

To enable the audit fail log, this attribute must have a valid path and the nsslapd-auditfaillog-logging-enabled attribute must be set to on

3.1.1.41. nsslapd-auditfaillog-list

Provides a list of audit fail log files.

ParameterDescription

Entry DN

cn=config

Valid Values

 

Default Value

None

Syntax

DirectoryString

Example

nsslapd-auditfaillog-list: auditfaillog2,auditfaillog3

3.1.1.42. nsslapd-auditfaillog-logexpirationtime (Audit Fail Log Expiration Time)

This attribute sets the maximum age of a log file before it is removed. It supplies to the number of units. Specify the units, such as day, week, month, and so forth in the nsslapd-auditfaillog-logexpirationtimeunit attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 to the maximum 32 bit integer value (2147483647)

A value of -1 or 0 means that the log never expires.

Default Value

-1

Syntax

Integer

Example

nsslapd-auditfaillog-logexpirationtime: 1

3.1.1.43. nsslapd-auditfaillog-logexpirationtimeunit (Audit Fail Log Expiration Time Unit)

This attribute sets the units for the nsslapd-auditfaillog-logexpirationtime attribute. If the unit is unknown by the server, the log never expires.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditfaillog-logexpirationtimeunit: day

3.1.1.44. nsslapd-auditfaillog-logging-enabled (Audit Fail Log Enable Logging)

Turns on and off logging of failed LDAP modifications.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-auditfaillog-logging-enabled: off

3.1.1.45. nsslapd-auditfaillog-logmaxdiskspace (Audit Fail Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes the audit fail logs are can consume. If the size exceed the limit, the oldest audit fail log is deleted.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit fail log is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-auditfaillog-logmaxdiskspace: 10000

3.1.1.46. nsslapd-auditfaillog-logminfreediskspace (Audit Fail Log Minimum Free Disk Space)

This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space is lower than the specified value, the oldest audit fail logs are deleted until enough disk space is freed.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)

Default Value

-1

Syntax

Integer

Example

nsslapd-auditfaillog-logminfreediskspace: -1

3.1.1.47. nsslapd-auditfaillog-logrotationsync-enabled (Audit Fail Log Rotation Sync Enabled)

This attribute sets whether audit fail log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.

For audit fail log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditfaillog-logrotationsynchour and nsslapd-auditfaillog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.

For example, to rotate audit fail log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditfaillog-logrotationsynchour and nsslapd-auditfaillog-logrotationsyncmin attributes to 0.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-auditfaillog-logrotationsync-enabled: on

3.1.1.48. nsslapd-auditfaillog-logrotationsynchour (Audit Fail Log Rotation Sync Hour)

This attribute sets the hour of the day the audit fail log is rotated. This attribute must be used in conjunction with nsslapd-auditfaillog-logrotationsync-enabled and nsslapd-auditfaillog-logrotationsyncmin attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 23

Default Value

None (because nsslapd-auditfaillog-logrotationsync-enabled is off)

Syntax

Integer

Example

nsslapd-auditfaillog-logrotationsynchour: 23

3.1.1.49. nsslapd-auditfaillog-logrotationsyncmin (Audit Fail Log Rotation Sync Minute)

This attribute sets the minute the audit fail log is rotated. This attribute must be used in conjunction with nsslapd-auditfaillog-logrotationsync-enabled and nsslapd-auditfaillog-logrotationsynchour attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 59

Default Value

None (because nsslapd-auditfaillog-logrotationsync-enabled is off)

Syntax

Integer

Example

nsslapd-auditfaillog-logrotationsyncmin: 30

3.1.1.50. nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)

This attribute sets the time between audit fail log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditfaillog-logrotationtimeunit attribute. If the nsslapd-auditfaillog-maxlogsperdir attribute is set to 1, the server ignores this attribute.

Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.

Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-auditfaillog-maxlogsperdir attribute value to 1 or set the nsslapd-auditfaillog-logrotationtime attribute to -1. The server checks the nsslapd-auditfaillog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditfaillog-logrotationtime attribute. See Section 3.1.1.53, “nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the time between audit fail log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-auditfaillog-logrotationtime: 100

3.1.1.51. nsslapd-auditfaillog-logrotationtimeunit (Audit Fail Log Rotation Time Unit)

This attribute sets the units for the nsslapd-auditfaillog-logrotationtime attribute.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day | hour | minute

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditfaillog-logrotationtimeunit: day

3.1.1.52. nsslapd-auditfaillog-maxlogsize (Audit Fail Log Maximum Log Size)

This attribute sets the maximum audit fail log size in megabytes. When this value is reached, the audit fail log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-auditfaillog-maxlogsperdir parameter is set to 1, the server ignores this attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-auditfaillog-maxlogsize: 50

3.1.1.53. nsslapd-auditfaillog-maxlogsperdir (Audit Fail Log Maximum Number of Log Files)

This attribute sets the total number of audit fail logs that can be contained in the directory where the audit log is stored. Each time the audit fail log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the nsslapd-auditfaillog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-auditfaillog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.50, “nsslapd-auditfaillog-logrotationtime (Audit Fail Log Rotation Time)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-auditfaillog-maxlogsperdir: 10

3.1.1.54. nsslapd-auditfaillog-mode (Audit Fail Log File Permission)

This attribute sets the access mode or file permissions with which audit fail log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:

  • 0 - None
  • 1 - Execute only
  • 2 - Write only
  • 3 - Write and execute
  • 4 - Read only
  • 5 - Read and execute
  • 6 - Read and write
  • 7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.

ParameterDescription

Entry DN

cn=config

Valid Range

000 through 777

Default Value

600

Syntax

Integer

Example

nsslapd-auditfaillog-mode: 600

3.1.1.55. nsslapd-bakdir (Default Backup Directory)

This parameter sets the path to the default backup directory. The Directory Server user must have write permissions in the configured directory.

This setting does not require a server restart to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

Any local directory path.

Default Value

/var/lib/dirsrv/slapd-instance/bak

Syntax

DirectoryString

Example

nsslapd-bakdir: /var/lib/dirsrv/slapd-instance/bak

3.1.1.56. nsslapd-certdir (Certificate and Key Database Directory)

This parameter defines the full path to the directory that Directory Server uses to store the Network Security Services (NSS) database of the instance. This database contains the private keys and certificates of the instance.

As a fallback, Directory Server extracts the private key and certificates to this directory, if the server cannot extract them to the /tmp/ directory in a private name space. For details about private name spaces, see the PrivateTmp parameter description in the systemd.exec(5) man page.

The directory specified in nsslapd-certdir must be owned by the user ID of the server, and only this user ID must have read-write permissions in this directory. For security reasons, no other users should have permissions to read or write to this directory.

The service must be restarted for changes to this attribute to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

An absolute path

Default Value

/etc/dirsrv/slapd-instance_name/

Syntax

DirectoryString

Example

nsslapd-certdir: /etc/dirsrv/slapd-instance_name/

3.1.1.57. nsslapd-certmap-basedn (Certificate Map Search Base)

This attribute can be used when client authentication is performed using TLS certificates in order to avoid limitations of the security subsystem certificate mapping, configured in the /etc/dirsrv/slapd-instance_name/certmap.conf file. Depending on the configuration in this file, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. The valid value for this attribute is the DN of the suffix or subtree to use for certificate mapping.

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid DN

Default Value

 

Syntax

DirectoryString

Example

nsslapd-certmap-basedn: ou=People,dc=example,dc=com

3.1.1.58. nsslapd-config

This read-only attribute is the config DN.

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid configuration DN

Default Value

 

Syntax

DirectoryString

Example

nsslapd-config: cn=config

3.1.1.59. nsslapd-cn-uses-dn-syntax-in-dns

This parameter allows you to enable a DN inside a CN value.

The Directory Server DN normalizer follows RFC4514 and keeps a white space if the RDN attribute type is not based on the DN syntax. However the Directory Server’s configuration entry sometimes uses a cn attribute to store a DN value. For example in dn: cn="dc=A,dc=com", cn=mapping tree,cn=config, the cn should be normalized following the DN syntax.

If this configuration is required, enable the nsslapd-cn-uses-dn-syntax-in-dns parameter.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-cn-uses-dn-syntax-in-dns: off

3.1.1.60. nsslapd-connection-buffer

This attribute sets the connection buffering behavior. Possible values:

  • 0: Disable buffering. Only single Protocol Data Units (PDU) are read at a time.
  • 1: Regular fixed size LDAP_SOCKET_IO_BUFFER_SIZE of 512 bytes.
  • 2: Adaptable buffer size.

The value 2 provides a better performance if the client sends a large amount of data at once. This is, for example, the case for large add and modify operations, or when many asynchronous requests are received over a single connections like during a replication.

ParameterDescription

Entry DN

cn=config

Valid Values

0 | 1 | 2

Default Value

1

Syntax

Integer

Example

nsslapd-connection-buffer: 1

3.1.1.61. nsslapd-connection-nocanon

This option allows you to enable or disable the SASL NOCANON flag. Disabling avoids the Directory Server looking up DNS reverse entries for outgoing connections.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-connection-nocanon: on

3.1.1.62. nsslapd-conntablesize

This attribute sets the connection table size, which determines the total number of connections supported by the server.

Increase the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the Directory Server’s error log file records the message Not listening for new connections — too many fds open.

It may be necessary to increase the operating system limits for the number of open files and number of open files per process, and it may be necessary to increase the ulimit for the number of open files (ulimit -n) in the shell that starts Directory Server.

The size of the connection table is cap with nsslapd-maxdescriptor. See Section 3.1.1.119, “nsslapd-maxdescriptors (Maximum File Descriptors)” for more information.

The server has to be restarted for changes to this attribute to go into effect.

ParameterDescription

Entry DN

cn=config

Valid Values

Operating-system dependent

Default Value

The maximum number of files that the Directory Server process can open. See the getdtablesize() glibc function.

Syntax

Integer

Example

nsslapd-conntablesize: 4093

3.1.1.63. nsslapd-counters

The nsslapd-counters attribute enables and disables Directory Server database and server performance counters.

There can be a performance impact by keeping track of the larger counters. Turning off 64-bit integers for counters can have a minimal improvement on performance, although it negatively affects long term statistics tracking.

This parameter is enabled by default. To disable counters, stop the Directory Server, edit the dse.ldif file directly, and restart the server.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-counters: on

3.1.1.64. nsslapd-csnlogging

This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-csnlogging: on

3.1.1.65. nsslapd-defaultnamingcontext

This attribute gives the naming context, of all configured naming contexts, which clients should use by default as a search base. This value is copied over to the root DSE as the defaultNamingContext attribute, which allows clients to query the root DSE to obtain the context and then to initiate a search with the appropriate base.

ParameterDescription

Entry DN

cn=config

Valid Values

Any root suffix DN

Default Value

The default user suffix

Syntax

DN

Example

nsslapd-defaultnamingcontext: dc=example,dc=com

3.1.1.66. nsslapd-disk-monitoring

This attribute enables a thread which runs every ten (10) seconds to check the available disk space on the disk or mount where the Directory Server database is running. If the available disk space drops below a configured threshold, then the server begins reducing logging levels, disabling access or audit logs, and deleting rotated logs. If that does not free enough available space, then the server shuts down gracefully (after a wanring and grace period).

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-disk-monitoring: on

3.1.1.67. nsslapd-disk-monitoring-grace-period

Sets a grace period to wait before shutting down the server after it hits half of the disk space limit set in Section 3.1.1.70, “nsslapd-disk-monitoring-threshold”. This gives the administrator time to clean out the disk and prevent a shutdown.

ParameterDescription

Entry DN

cn=config

Valid Values

Any integer (sets value in minutes)

Default Value

60

Syntax

Integer

Example

nsslapd-disk-monitoring-grace-period: 45

3.1.1.68. nsslapd-disk-monitoring-logging-critical

Sets whether to shut down the server if the log directories pass the halfway point set in the disk space limit, Section 3.1.1.70, “nsslapd-disk-monitoring-threshold”.

If this is enabled, then logging is not disabled and rotated logs are not deleted as means of reducing disk usage by the server. The server simply goes toward a shutdown process.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-disk-monitoring-logging-critical: on

3.1.1.69. nsslapd-disk-monitoring-readonly-on-threshold

If the free disk space reaches half of the value you set in the nsslapd-disk-monitoring-threshold parameter, Directory Server shuts down the instance after the grace period set in nsslapd-disk-monitoring-grace-period is reached. However, if the disk runs out of space before the instance is down, data can be corrupted. To prevent this problem, enable the nsslapd-disk-monitoring-readonly-on-threshold parameter, the Directory Server sets the instance to read-only mode when the threshold is reached.

Important

With this setting, Directory Server does not start if the free disk space is below half of the threshold configured in the nsslapd-disk-monitoring-threshold.

The service must be restarted for changes to this attribute to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-disk-monitoring-readonly-on-threshold: off

3.1.1.70. nsslapd-disk-monitoring-threshold

Sets the threshold, in bytes, to use to evaluate whether the server has enough available disk space. Once the space reaches half of this threshold, then the server begins a shut down process.

For example, if the threshold is 2MB (the default), then once the available disk space reaches 1MB, the server will begin to shut down.

By default, the threshold is evaluated backs on the disk space used by the configuration, transaction, and database directories for the Directory Server instance. If the Section 3.1.1.68, “nsslapd-disk-monitoring-logging-critical” attribute is enabled, then the log directory is included in the evaluation.

ParameterDescription

Entry DN

cn=config

Valid Values

* 0 to the maximum 32-bit integer value (2147483647) on 32-bit systems

* 0 to the maximum 64-bit integer value (9223372036854775807) on 64-bit systems

Default Value

2000000 (2MB)

Syntax

DirectoryString

Example

nsslapd-disk-monitoring-threshold: 2000000

3.1.1.71. nsslapd-dn-validate-strict

The Section 3.1.1.168, “nsslapd-syntaxcheck” attribute enables the server to verify that any new or modified attribute value matches the required syntax for that attribute.

However, the syntax rules for DNs have grown increasingly strict. Attempting to enforce DN syntax rules in RFC 4514 could break many servers using older syntax definitions. By default, then nsslapd-syntaxcheck validates DNs using RFC 1779 or RFC 2253.

The nsslapd-dn-validate-strict attribute explicitly enables strict syntax validation for DNs, according to section 3 in RFC 4514. If this attribute is set to off (the default), the server normalizes the value before checking it for syntax violations.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-dn-validate-strict: off

3.1.1.72. nsslapd-ds4-compatible-schema

Makes the schema in cn=schema compatible with 4.x versions of Directory Server.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-ds4-compatible-schema: off

3.1.1.73. nsslapd-enable-turbo-mode

The Directory Server turbo mode is a feature that enables a worker thread to be dedicated to a connection and continuously read incoming operations from that connection. This can improve the performance on very active connections, and the feature is enabled by default.

Worker threads are processing the LDAP operation received by the server. The number of worker threads is defined in the nsslapd-threadnumber parameter. Every five seconds, each worker thread evaluates if the activity level of its current connection is one of the highest among all established connections. Directory Server measures the activity as the number of operations initiated since the last check, and switches a worker thread in turbo mode if the activity of the current connection is one of the highest.

If you encounter long execution times (etime value in log files) for bind operations, such as one second or longer, deactivating the turbo mode can improve the performance. However, in some cases, long bind times are a symptom of networking or hardware issues. In these situations, disabling the turbo mode does not result in improved performance.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-enable-turbo-mode: on

3.1.1.74. nsslapd-enable-upgrade-hash

During a simple bind, Directory Server has access to the plain text password due to the nature of bind operations. If the nsslapd-enable-upgrade-hash parameter is enabled and a user authenticates, Directory Server checks if the userPassword attribute of the user uses the hashing algorithm set in the passwordStorageScheme attribute. If the algorithm is different, the server hashes the plain text password with the algorithm from passwordStorageScheme and updates the value of the user’s userPassword attribute.

For example, if you import a user entry with a password that is hashed using a weak algorithm, the server automatically re-hashes the passwords on the first login of the user using the algorithm set in passwordStorageScheme, which is, by default, PBKDF2_SHA256.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-enable-upgrade-hash: on

3.1.1.75. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)

This attribute is deprecated and will be removed in a future version of Directory Server.

This attribute controls whether quoting in the objectclass attributes contained in the cn=schema entry conforms to the quoting specified by Internet draft RFC 2252. By default, the Directory Server conforms to RFC 2252, which indicates that this value should not be quoted. Only very old clients need this value set to on, so leave it off.

Turning this attribute on or off does not affect Directory Server Console.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-enquote-sup-oc: off

3.1.1.76. nsslapd-entryusn-global

The nsslapd-entryusn-global parameter defines if the USN plug-in assigns unique update sequence numbers (USN) across all back end databases or to each database individually. For unique USNs across all back end databases, set this parameter to on.

For further details, see Section 6.8, “entryusn”.

You do not have to restart the server for this setting to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-entryusn-global: off

3.1.1.77. nsslapd-entryusn-import-initval

Entry update sequence numbers (USNs) are not preserved when entries are exported from one server and imported into another, including when initializing a database for replication. By default, the entry USNs for imported entries are set to zero.

It is possible to configure a different initial value for entry USNs using nsslapd-entryusn-import-initval. This sets a starting USN which is used for all imported entries.

There are two possible values for nsslapd-entryusn-import-initval:

  • An integer, which is the explicit start number used for every imported entry.
  • next, which means that every imported entry uses whatever the highest entry USN value was on the server before the import operation, incremented by one.
ParameterDescription

Entry DN

cn=config

Valid Values

Any integer | next

Default Value

 

Syntax

DirectoryString

Example

nsslapd-entryusn-import-initval: next

3.1.1.78. nsslapd-errorlog (Error Log)

This attribute sets the path and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as:

  • Server startup and shutdown times.
  • The port number that the server uses.

This log contains differing amounts of information depending on the current setting of the Log Level attribute. See Section 3.1.1.79, “nsslapd-errorlog-level (Error Log Level)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Values

Any valid filename

Default Value

/var/log/dirsrv/slapd-instance/errors

Syntax

DirectoryString

Example

nsslapd-errorlog: /var/log/dirsrv/slapd-instance/errors

For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.

Table 3.5. Possible Combinations for nsslapd-errorlog Configuration Attributes
Attributes in dse.ldifValueLogging enabled or disabled

nsslapd-errorlog-logging-enabled

nsslapd-errorlog

on

empty string

Disabled

nsslapd-errorlog-logging-enabled

nsslapd-errorlog

on

filename

Enabled

nsslapd-errorlog-logging-enabled

nsslapd-errorlog

off

empty string

Disabled

nsslapd-errorlog-logging-enabled

nsslapd-errorlog

off

filename

Disabled

3.1.1.79. nsslapd-errorlog-level (Error Log Level)

This attribute sets the level of logging for the Directory Server. The log level is additive; that is, specifying a value of 3 includes both levels 1 and 2.

The default value for nsslapd-errorlog-level is 16384.

You do not have to restart the server for this setting to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

* 1 — Trace function calls. Logs a message when the server enters and exits a function.

* 2 — Debug packet handling.

* 4 — Heavy trace output debugging.

* 8 — Connection management.

* 16 — Print out packets sent/received.

* 32 — Search filter processing.

* 64 — Config file processing.

* 128 — Access control list processing.

* 1024 — Log communications with shell databases.

* 2048 — Log entry parsing debugging.

* 4096 — Housekeeping thread debugging.

* 8192 — Replication debugging.

* 16384 — Default level of logging used for critical errors and other messages that are always written to the error log; for example, server startup messages. Messages at this level are always included in the error log, regardless of the log level setting.

* 32768 — Database cache debugging.

* 65536 — Server plug-in debugging. It writes an entry to the log file when a server plug-in calls slapi-log-error.

* 262144 — Access control summary information, much less verbose than level 128. This value is recommended for use when a summary of access control processing is needed. Use 128 for very detailed processing messages.

* 524288 — LMDB database debugging.

Default Value

16384

Syntax

Integer

Example

nsslapd-errorlog-level: 8192

3.1.1.80. nsslapd-errorlog-list

This read-only attribute provides a list of error log files.

ParameterDescription

Entry DN

cn=config

Valid Values

 

Default Value

None

Syntax

DirectoryString

Example

nsslapd-errorlog-list: errorlog2,errorlog3

3.1.1.81. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)

This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 to the maximum 32 bit integer value (2147483647)

A value of -1 or 0 means that the log never expires.

Default Value

-1

Syntax

Integer

Example

nsslapd-errorlog-logexpirationtime: 1

3.1.1.82. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)

This attribute sets the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day

Default Value

month

Syntax

DirectoryString

Example

nsslapd-errorlog-logexpirationtimeunit: week

3.1.1.83. nsslapd-errorlog-logging-enabled (Enable Error Logging)

Turns error logging on and off.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-errorlog-logging-enabled: on

3.1.1.84. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)

This attribute sets the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the error log is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-errorlog-logmaxdiskspace: 10000

3.1.1.85. nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)

This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 (unlimited) | 1 to the maximum 32 bit integer value (2147483647)

Default Value

-1

Syntax

Integer

Example

nsslapd-errorlog-logminfreediskspace: -1

3.1.1.86. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)

This attribute sets whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.

For error log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.

For example, to rotate error log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attributes to 0.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-errorlog-logrotationsync-enabled: on

3.1.1.87. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)

This attribute sets the hour of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 23

Default Value

0

Syntax

Integer

Example

nsslapd-errorlog-logrotationsynchour: 23

3.1.1.88. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)

This attribute sets the minute of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.

ParameterDescription

Entry DN

cn=config

Valid Range

0 through 59

Default Value

0

Syntax

Integer

Example

nsslapd-errorlog-logrotationsyncmin: 30

3.1.1.89. nsslapd-errorlog-logrotationtime (Error Log Rotation Time)

This attribute sets the time between error log file rotations. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.

Directory Server rotates the log at the first write operation after the configured interval has expired, regardless of the size of the log.

Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the nsslapd-errorlog-maxlogsperdir attribute value to 1 or set the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See Section 3.1.1.92, “nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between error log file rotation is unlimited).

Default Value

1

Syntax

Integer

Example

nsslapd-errorlog-logrotationtime: 100

3.1.1.90. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)

This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log never expires.

ParameterDescription

Entry DN

cn=config

Valid Values

month | week | day | hour | minute

Default Value

week

Syntax

DirectoryString

Example

nsslapd-errorlog-logrotationtimeunit: day

3.1.1.91. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)

This attribute sets the maximum error log size in megabytes. When this value is reached, the error log is rotated, and the server starts writing log information to a new log file. If nsslapd-errorlog-maxlogsperdir is set to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.

ParameterDescription

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-errorlog-maxlogsize: 100

3.1.1.92. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)

This attribute sets the total number of error logs that can be contained in the directory where the error log is stored. Each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely.

If the value for this attribute is higher than 1, then check the nsslapd-errorlog-logrotationtime attribute to establish whether log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1, then there is no log rotation. See Section 3.1.1.89, “nsslapd-errorlog-logrotationtime (Error Log Rotation Time)” for more information.

ParameterDescription

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-errorlog-maxlogsperdir: 10

3.1.1.93. nsslapd-errorlog-mode (Error Log File Permission)

This attribute sets the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. That is, the value must be a combination of a 3-digit number, the digits varying from 0 through 7:

  • 0 - None
  • 1 - Execute only
  • 2 - Write only
  • 3 - Write and execute
  • 4 - Read only
  • 5 - Read and execute
  • 6 - Read and write
  • 7 - Read, write, and execute

In the 3-digit number, the first digit represents the owner’s permissions, the second digit represents the group’s permissions, and the third digit represents everyone’s permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.

The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.

ParameterDescription

Entry DN

cn=config

Valid Range

000 through 777

Default Value

600

Syntax

Integer

Example

nsslapd-errorlog-mode: 600

3.1.1.94. nsslapd-force-sasl-external

When establishing a TLS connection, a client sends its certificate first and then issues a BIND request using the SASL/EXTERNAL mechanism. Using SASL/EXTERNAL tells the Directory Server to use the credentials in the certificate for the TLS handshake. However, some clients do not use SASL/EXTERNAL when they send their BIND request, so the Directory Server processes the bind as a simple authentication request or an anonymouse request and the TLS connection fails.

The nsslapd-force-sasl-external attribute forces clients in certificate-based authentication to send the BIND request using the SASL/EXTERNAL method.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

String

Example

nsslapd-force-sasl-external: on

3.1.1.95. nsslapd-groupevalnestlevel

This attribute is deprecated, and documented here only for historical purposes.

The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to set the number of levels of nesting that access control performs for group evaluation. Instead, the number of levels of nesting is hardcoded as 5.

ParameterDescription

Entry DN

cn=config

Valid Range

0 to 5

Default Value

5

Syntax

Integer

Example

nsslapd-groupevalnestlevel: 5

3.1.1.96. nsslapd-haproxy-trusted-ip (HAProxy Trusted IP)

The nsslapd-haproxy-trusted-ip attribute configures the list of trusted proxy servers. When you set nsslapd-haproxy-trusted-ip, Directory Server uses HAProxy protocol to receive client IP addresses via an additional TCP header to evaluate access control instructions (ACIs) correctly and log the client traffic.

If an untrusted proxy server initiates a bind request, Directory Server rejects the request and records the following message to the error log file:

[time_stamp] conn=5 op=-1 fd=64 Disconnect - Protocol error - Unknown Proxy - P4
ParameterDescription

Entry DN

cn=config

Valid Range

IPv4 or IPv6 addresses

Default Value

 

Syntax

DirectoryString

Example

nsslapd-haproxy-trusted-ip: 127.0.0.1

3.1.1.97. nsslapd-idletimeout (Default Idle Timeout)

This attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 means that the server never closes idle connections. This setting applies to all connections and all users. Idle timeout is enforced when the connection table is walked, when poll() does not return zero. Therefore, a server with a single connection never enforces the idle timeout.

Use the nsIdleTimeout operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in the Red Hat Directory Server Administration Guide.

Note

For very large databases, with millions of entries, this attribute must have a high enough value that the online initialization process can complete or replication will fail when the connection to the server times out. Alternatively, the nsIdleTimeout attribute can be set to a high value on the entry used as the supplier bind DN.

ParameterDescription

Entry DN

cn=config

Valid Range

0 to the maximum 32 bit integer value (2147483647)

Default Value

3600

Syntax

Integer

Example

nsslapd-idletimeout: 3600

3.1.1.98. nsslapd-ignore-virtual-attrs

This parameter allows to disable the virtual attribute lookup in a search entry.

If you do not require virtual attributes, you can disable virtual attribute lookups in search results to increase the speed of searches.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-ignore-virtual-attrs: off

3.1.1.99. nsslapd-instancedir (Instance Directory)

This attribute is deprecated. There are now separate configuration parameters for instance-specific paths, such as nsslapd-certdir and nsslapd-lockdir. See the documentation for the specific directory path that is set.

3.1.1.100. nsslapd-ioblocktimeout (IO Block Time Out)

This attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.

ParameterDescription

Entry DN

cn=config

Valid Range

0 to the maximum 32 bit integer value (2147483647) in ticks

Default Value

10000

Syntax

Integer

Example

nsslapd-ioblocktimeout: 10000

3.1.1.101. nsslapd-lastmod (Track Modification Time)

This attribute sets whether the Directory Server maintains the creatorsName, createTimestamp, modifiersName, and modifyTimestamp operational attributes for newly created or updated entries.

Important

Red Hat recommends not disabling tracking these attributes. If disabled, entries do not get a unique ID assigned in the nsUniqueID attribute and replication does not work.

You do not have to restart the server for this setting to take effect.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-lastmod: on

3.1.1.102. nsslapd-ldapiautobind (Enable Autobind)

The nsslapd-ldapiautobind sets whether the server will allow users to autobind to Directory Server using LDAPI. Autobind maps the UID or GUID number of a system user to a Directory Server user, and automatically authenticates the user to Directory Server based on those credentials. The Directory Server connection occurs over UNIX socket.

Along with enabling autobind, configuring autobind requires configuring mapping entries. The nsslapd-ldapimaprootdn maps a root user on the system to the Directory Manager. The nsslapd-ldapimaptoentries maps regular users to Directory Server users, based on the parameters defined in the nsslapd-ldapiuidnumbertype, nsslapd-ldapigidnumbertype, and nsslapd-ldapientrysearchbase attributes.

Autobind can only be enabled if LDAPI is enabled, meaning the nsslapd-ldapilisten is on and the nsslapd-ldapifilepath attribute is set to an LDAPI socket.

ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-ldapiautobind: off

3.1.1.103. nsslapd-ldapientrysearchbase (Search Base for LDAPI Authentication Entries)

With autobind, it is possible to map system users to Directory Server user entries, based on the system user’s UID and GUID numbers. This requires setting Directory Server parameters for which attribute to use for the UID number (nsslapd-ldapiuidnumbertype) and GUID number (nsslapd-ldapigidnumbertype) and setting the search base to use to search for matching user entries.

The nsslapd-ldapientrysearchbase gives the subtree to search for user entries to use for autobind.

ParameterDescription

Entry DN

cn=config

Valid Values

DN

Default Value

The suffix created when the server instance was created, such as dc=example,dc=com

Syntax

DN

Example

nsslapd-ldapientrysearchbase: ou=people,dc=example,dc=om

3.1.1.104. nsslapd-ldapifilepath (File Location for LDAPI Socket)

LDAPI connects a user to an LDAP server over a UNIX socket rather than TCP. In order to configure LDAPI, the server must be configured to communicate over a UNIX socket. The UNIX socket to use is set in the nsslapd-ldapifilepath attribute.

ParameterDescription

Entry DN

cn=config

Valid Values

Any directory path

Default Value

/var/run/dirsrv/slapd-example.socket

Syntax

Case-exact string

Example

nsslapd-ldapifilepath: /var/run/slapd-example.socket

3.1.1.105. nsslapd-ldapigidnumbertype (Attribute Mapping for System GUID Number)

Autobind can be used to authenticate system users to the server automatically and connect to the server using a UNIX socket. To map the system user to a Directory Server user for authentication, the system user’s UID and GUID numbers should be mapped to be a Directory Server attribute. The nsslapd-ldapigidnumbertype attribute points to the Directory Server attribute to map system GUIDs to user entries.

Users can only connect to the server with autobind if LDAPI is enabled (nsslapd-ldapilisten and nsslapd-ldapifilepath), autobind is enabled (nsslapd-ldapiautobind), and autobind mapping is enabled for regular users (nsslapd-ldapimaptoentries).

ParameterDescription

Entry DN

cn=config

Valid Values

Any Directory Server attribute

Default Value

gidNumber

Syntax

DirectoryString

Example

nsslapd-ldapigidnumberty