Chapter 4. Plug-in Implemented Server Functionality Reference
This chapter contains reference information on Red Hat Directory Server plug-ins.
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config
.
dn: cn=Telephone Syntax,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin objectclass: extensibleObject cn: Telephone Syntax nsslapd-pluginPath: libsyntax-plugin nsslapd-pluginInitfunc: tel_init nsslapd-pluginType: syntax nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch
on the cn=config
subtree.
All plug-ins are instances of the nsSlapdPlugin
object class, which in turn inherits from the extensibleObject
object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top
object class) must be present in the entry, as shown in the following example:
dn:cn=ACL Plugin,cn=plugins,cn=config objectclass:top objectclass:nsSlapdPlugin objectclass:extensibleObject
4.1. Server Plug-in Functionality Reference
The following tables provide a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables assist in weighing plug-in performance gains and costs and choose the optimal settings for the deployment. The Further Information section cross-references further reading, where this is available.
4.1.1. 7-bit Check Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | NS7bitAtt |
DN of Configuration Entry | cn=7-bit check,cn=plugins,cn=config |
Description | Checks certain attributes are 7-bit clean |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
List of attributes ( | Dependencies |
Database | Performance-Related Information |
None | Further Information |
4.1.2. ACL Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | acl |
DN of Configuration Entry | cn=ACL Plugin,cn=plugins,cn=config |
Description | ACL access check plug-in |
Type | accesscontrol |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
Database | Performance-Related Information |
Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. | Further Information |
4.1.3. ACL Preoperation Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | acl |
DN of Configuration Entry | cn=ACL preoperation,cn=plugins,cn=config |
Description | ACL access check plug-in |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
Database | Performance-Related Information |
Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. | Further Information |
4.1.4. Account Policy Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | none |
DN of Configuration Entry | cn=Account Policy Plugin,cn=plugins,cn=config |
Description | Defines a policy to lock user accounts after a certain expiration period or inactivity period. |
Type | object |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
A pointer to a configuration entry which contains the global account policy settings. | Dependencies |
Database | Performance-Related Information |
None | Further Information |
4.1.5. Account Usability Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | acctusability |
DN of Configuration Entry | cn=Account Usability Plugin,cn=plugins,cn=config |
Description | Checks the authentication status, or usability, of an account without actually authenticating as the given user |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
on | Dependencies |
Database | Performance-Related Information |
4.1.6. AD DN Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | addn |
DN of Configuration Entry | cn=addn,cn=plugins,cn=config |
Description |
Enables the usage of Active Directory-formatted user names, such as |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
| Dependencies |
None | Performance-Related Information |
4.1.7. Attribute Uniqueness Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | NSUniqueAttr |
DN of Configuration Entry | cn=Attribute Uniqueness,cn=plugins,cn=config |
Description | Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique. |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
To check for UID attribute uniqueness in all listed subtrees, enter | Dependencies |
Database | Performance-Related Information |
Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide for more information about the Attribute Uniqueness Plug-in. The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-supplier replication environment. Turning the plug-in on may slow down Directory Server performance. | Further Information |
4.1.8. Auto Membership Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | Auto Membership |
DN of Configuration Entry | cn=Auto Membership,cn=plugins,cn=config |
Description | Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically. |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group. | Dependencies |
Database | Performance-Related Information |
None. | Further Information |
4.1.9. Binary Syntax Plug-in
Binary syntax is deprecated. Use Octet String syntax instead.
Plug-in Parameter | Description |
---|---|
Plug-in ID | bin-syntax |
DN of Configuration Entry | cn=Binary Syntax,cn=plugins,cn=config |
Description | Syntax for handling binary data. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.10. Bit String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | bitstring-syntax |
DN of Configuration Entry | cn=Bit String Syntax,cn=plugins,cn=config |
Description | Supports bit string syntax values and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.11. Bitwise Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | bitwise |
DN of Configuration Entry | cn=Bitwise Plugin,cn=plugins,cn=config |
Description | Matching rule for performing bitwise operations against the LDAP server |
Type | matchingrule |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.12. Boolean Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | boolean-syntax |
DN of Configuration Entry | cn=Boolean Syntax,cn=plugins,cn=config |
Description | Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.13. Case Exact String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | ces-syntax |
DN of Configuration Entry | cn=Case Exact String Syntax,cn=plugins,cn=config |
Description | Supports case-sensitive matching or Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.14. Case Ignore String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | directorystring-syntax |
DN of Configuration Entry | cn=Case Ignore String Syntax,cn=plugins,cn=config |
Description | Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plug-in provides case-sensitive matching rules for different string syntaxes. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.15. Chaining Database Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | chaining database |
DN of Configuration Entry | cn=Chaining database,cn=plugins,cn=config |
Description | Enables back end databases to be linked |
Type | database |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
There are many performance related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the Red Hat Directory Server Administration Guide. | Further Information |
4.1.16. Class of Service Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | cos |
DN of Configuration Entry | cn=Class of Service,cn=plugins,cn=config |
Description | Allows for sharing of attributes between entries |
Type | object |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
* Type: Database * Named: State Change Plug-in * Named: Views Plug-in | Performance-Related Information |
Do not modify the configuration of this plug-in. Leave this plug-in running at all times. | Further Information |
4.1.17. Content Synchronization Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | content-sync-plugin |
DN of Configuration Entry | cn=Content Synchronization,cn=plugins,cn=config |
Description |
Enables support for the |
Type | object |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None | Dependencies |
Retro Changelog Plug-in | Performance-Related Information |
If you know which back end or subtree clients access to synchronize data, limit the scope of the | Further Information |
4.1.18. Country String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | countrystring-syntax |
DN of Configuration Entry | cn=Country String Syntax,cn=plugins,cn=config |
Description | Supports country naming syntax values and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.19. Delivery Method Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | delivery-syntax |
DN of Configuration Entry | cn=Delivery Method Syntax,cn=plugins,cn=config |
Description | Supports values that are lists of preferred deliver methods and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.20. deref Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | Dereference |
DN of Configuration Entry | cn=deref,cn=plugins,cn=config |
Description | For dereference controls in directory searches |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
Database | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.21. Distinguished Name Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | dn-syntax |
DN of Configuration Entry | cn=Distinguished Name Syntax,cn=plugins,cn=config |
Description | Supports DN value syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.22. Distributed Numeric Assignment Plug-in
Plug-in Information | Description |
---|---|
Plug-in ID | Distributed Numeric Assignment |
Configuration Entry DN | cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
Description | Distributed Numeric Assignment plugin |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
Dependencies | |
Database | Performance-Related Information |
None | Further Information |
4.1.23. Enhanced Guide Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | enhancedguide-syntax |
DN of Configuration Entry | cn=Enhanced Guide Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.24. Facsimile Telephone Number Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | facsimile-syntax |
DN of Configuration Entry | cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for fax numbers; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.25. Fax Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | fax-syntax |
DN of Configuration Entry | cn=Fax Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.26. Generalized Time Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | time-syntax |
DN of Configuration Entry | cn=Generalized Time Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.27. Guide Syntax Plug-in
This syntax is deprecated. Use Enhanced Guide syntax instead.
Plug-in Parameter | Description |
---|---|
Plug-in ID | guide-syntax |
DN of Configuration Entry | cn=Guide Syntax,cn=plugins,cn=config |
Description | Syntax for creating complex criteria, based on attributes and filters, to build searches |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.28. HTTP Client Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | http-client |
DN of Configuration Entry | cn=HTTP Client,cn=plugins,cn=config |
Description | HTTP client plug-in |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
Database | Performance-Related Information |
Further Information |
4.1.29. Integer Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | int-syntax |
DN of Configuration Entry | cn=Integer Syntax,cn=plugins,cn=config |
Description | Supports integer syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.30. Internationalization Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | orderingrule |
DN of Configuration Entry | cn=Internationalization Plugin,cn=plugins,cn=config |
Description | Enables internationalized strings to be ordered in the directory |
Type | matchingrule |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.31. JPEG Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | jpeg-syntax |
DN of Configuration Entry | cn=JPEG Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for JPEG image data; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.32. ldbm database Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | ldbm-backend |
DN of Configuration Entry | cn=ldbm database,cn=plugins,cn=config |
Description | Implements local databases |
Type | database |
Configurable Options | |
Default Setting | on |
Configurable Arguments | None |
Dependencies | * Syntax * matchingRule |
Performance-Related Information | See Section 4.4, “Database Plug-in Attributes” for further information on database configuration. |
Further Information | See the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide. |
4.1.33. Linked Attributes Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | Linked Attributes |
DN of Configuration Entry | cn=Linked Attributes,cn=plugins,cn=config |
Description |
Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), then any entry associated with that entry (such as a custom |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None for the main plug-in entry. Each plug-in instance has three possible attributes: * linkType, which sets the primary attribute for the plug-in to monitor * managedType, which sets the attribute which will be managed dynamically by the plug-in whenever the attribute in linkType is modified * linkScope, which restricts the plug-in activity to a specific subtree within the directory tree | Dependencies |
Database | Performance-Related Information |
Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued. | Further Information |
4.1.34. Managed Entries Plug-in
Plug-in Information | Description |
---|---|
Plug-in ID | Managed Entries |
Configuration Entry DN | cn=Managed Entries,cn=plugins,cn=config |
Description | Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, then the plug-in automatically creates a new, related entry based on the template. |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None for the main plug-in entry. Each plug-in instance has four possible attributes: * originScope, which sets the search base * originFilter, which sets the search base for matching entries * managedScope, which sets the subtree under which to create new managed entries * managedTemplate, which is the template entry used to create the managed entries | Dependencies |
Database | Performance-Related Information |
None | Further Information |
4.1.35. MemberOf Plug-in
Plug-in Information | Description |
---|---|
Plug-in ID | memberOf |
Configuration Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config |
Description |
Manages the |
Type | postoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
*
* | Dependencies |
Database | Performance-Related Information |
None | Further Information |
4.1.36. Multi-master Replication Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | replication-multimaster |
DN of Configuration Entry | cn=Multimaster Replication plugin,cn=plugins,cn=config |
Description | Enables replication between two current Directory Servers |
Type | object |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
* Named: ldbm database * Named: DES * Named: Class of Service | Performance-Related Information |
Further Information |
4.1.37. Name and Optional UID Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | nameoptuid-syntax |
DN of Configuration Entry | cn=Name And Optional UID Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.38. Numeric String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | numstr-syntax |
DN of Configuration Entry | cn=Numeric String Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.39. Octet String Syntax Plug-in
Use the Octet String syntax instead of Binary, which is deprecated.
Plug-in Parameter | Description |
---|---|
Plug-in ID | octetstring-syntax |
DN of Configuration Entry | cn=Octet String Syntax,cn=plugins,cn=config |
Description | Supports octet string syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.40. OID Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | oid-syntax |
DN of Configuration Entry | cn=OID Syntax,cn=plugins,cn=config |
Description | Supports object identifier (OID) syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.41. PAM Pass Through Auth Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | pam_passthruauth |
DN of Configuration Entry | cn=PAM Pass Through Auth,cn=plugins,cn=config |
Description | Enables pass-through authentication for PAM, meaning that a PAM service can use the Directory Server as its user authentication store. |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
Database | Performance-Related Information |
Further Information |
4.1.42. Pass Through Authentication Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | passthruauth |
DN of Configuration Entry | cn=Pass Through Authentication,cn=plugins,cn=config |
Description | Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. |
Type | preoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
ldap://example.com:389/o=example | Dependencies |
Database | Performance-Related Information |
Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication" chapter in the Red Hat Directory Server Administration Guide. | Further Information |
4.1.43. Password Storage Schemes
Directory Server implements the password storage schemes as plug-ins. However, the cn=Password Storage Schemes,cn=plugins,cn=config
entry itself is just a container, not a plug-in entry. All password storage scheme plug-ins are stored as a subentry of this container.
To display all password storage schemes plug-ins, enter:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \ -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)" dn
Red Hat recommends not disabling the password scheme plug-ins nor to change the configurations of the plug-ins to prevent unpredictable authentication behavior.
Strong Password Storage Schemes
Red Hat recommends using only the following strong password storage schemes (strongest first):
PBKDF2_SHA256
(default)The password-based key derivation function 2 (PBKDF2) was designed to expend resources to counter brute force attacks. PBKDF2 supports a variable number of iterations to apply the hashing algorithm. Higher iterations improve security but require more hardware resources. In Directory Server, the
PBKDF2_SHA256
scheme is implemented using 30,000 iterations to apply the SHA256 algorithm. This value is hard-coded and will be increased in future versions of Directory Server without requiring interaction by an administrator.NoteThe network security service (NSS) database in Red Hat Enterprise Linux 6 does not support PBKDF2. Therefore you cannot use this password scheme in a replication topology with Directory Server 9.
SSHA512
The salted secure hashing algorithm (SSHA) implements an enhanced version of the secure hashing algorithm (SHA), that uses a randomly generated salt to increase the security of the hashed password.
SSHA512
implements the hashing algorithm using 512 bits.
Weak Password Storage Schemes
Besides the recommended strong password storage schemes, Directory Server supports the following weak schemes for backward compatibility:
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[a]
Directory Server only supports authentication using this scheme. You can no longer use it to encrypt passwords.
[b]
160 bit
|
Only continue using a weak scheme over a short time frame, as it increases security risks.
4.1.44. Posix Winsync API Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | posix-winsync-plugin |
DN of Configuration Entry | cn=Posix Winsync API,cn=plugins,cn=config |
Description | Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries. |
Type | preoperation |
Configurable Arguments | * on |
off * memberUID mapping (groups) * converting and sorting memberUID values in lower case (groups) * memberOf fix-up tasks with sync operations * use Windows 2003 Posix schema | Default Setting |
off | Configurable Arguments |
None | Dependencies |
4.1.45. Postal Address String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | postaladdress-syntax |
DN of Configuration Entry | cn=Postal Address Syntax,cn=plugins,cn=config |
Description | Supports postal address syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.46. Printable String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | printablestring-syntax |
DN of Configuration Entry | cn=Printable String Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517). |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.47. Referential Integrity Postoperation Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | referint |
DN of Configuration Entry | cn=Referential Integrity Postoperation,cn=plugins,cn=config |
Description | Enables the server to ensure referential integrity |
Type | postoperation |
Configurable Options | All configuration and on |
off | Default Setting |
off | Configurable Arguments |
When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the | Dependencies |
Database | Performance-Related Information |
The Referential Integrity Plug-in should be enabled only on one supplier in a multi-supplier replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality. | Further Information |
4.1.48. Retro Changelog Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | retrocl |
DN of Configuration Entry | cn=Retro Changelog Plugin,cn=plugins,cn=config |
Description |
Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the |
Type | object |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
See Section 4.16, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in. | Dependencies |
* Type: Database * Named: Class of Service | Performance-Related Information |
May slow down Directory Server update performance. | Further Information |
4.1.49. Roles Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | roles |
DN of Configuration Entry | cn=Roles Plugin,cn=plugins,cn=config |
Description | Enables the use of roles in the Directory Server |
Type | object |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
* Type: Database * Named: State Change Plug-in * Named: Views Plug-in | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.50. RootDN Access Control Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | rootdn-access-control |
DN of Configuration Entry | cn=RootDN Access Control,cn=plugins,cn=config |
Description | Enables and configures access controls to use for the root DN entry. |
Type | internalpreoperation |
Configurable Options | on |
off | Default Setting |
off | Configurable Attributes |
* rootdn-open-time and rootdn-close-time for time-based access controls * rootdn-days-allowed for day-based access controls * rootdn-allow-host, rootdn-deny-host, rootdn-allow-ip, and rootdn-deny-ip for host-based access controls | Dependencies |
None | Further Information |
4.1.51. Schema Reload Plug-in
Plug-in Information | Description |
---|---|
Plug-in ID | schemareload |
Configuration Entry DN | cn=Schema Reload,cn=plugins,cn=config |
Description | Task plug-in to reload schema files |
Type | object |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Further Information |
4.1.52. Space Insensitive String Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | none |
DN of Configuration Entry | cn=Space Insensitive String Syntax,cn=plugins,cn=config |
Description | Syntax for handling space-insensitive values |
Type | syntax |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.53. State Change Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | statechange |
DN of Configuration Entry | cn=State Change Plugin,cn=plugins,cn=config |
Description | Enables state-change-notification service |
Type | postoperation |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Further Information |
4.1.54. Syntax Validation Task Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | none |
DN of Configuration Entry | cn=Syntax Validation Task,cn=plugins,cn=config |
Description | Enables syntax validation for attribute values |
Type | object |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Further Information |
4.1.55. Telephone Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | tele-syntax |
DN of Configuration Entry | cn=Telephone Syntax,cn=plugins,cn=config |
Description | Supports telephone number syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.56. Teletex Terminal Identifier Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | teletextermid-syntax |
DN of Configuration Entry | cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config |
Description | Supports international telephone number syntaxes and related matching rules from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.57. Telex Number Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | telex-syntax |
DN of Configuration Entry | cn=Telex Number Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.58. URI Syntax Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | none |
DN of Configuration Entry | cn=URI Syntax,cn=plugins,cn=config |
Description | Supports syntaxes and related matching rules for unique resource identifiers (URIs), including unique resource locators (URLs); from RFC 4517. |
Type | syntax |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None | Dependencies |
None | Performance-Related Information |
Do not modify the configuration of this plug-in. If enabled, Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.1.59. USN Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | USN |
DN of Configuration Entry | cn=USN,cn=plugins,cn=config |
Description | Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values. |
Type | object |
Configurable Options | on |
off | Default Setting |
off | Configurable Arguments |
None | Dependencies |
Database | Performance-Related Information |
For replication, it is recommended that the | Further Information |
4.1.60. Views Plug-in
Plug-in Parameter | Description |
---|---|
Plug-in ID | views |
DN of Configuration Entry | cn=Views,cn=plugins,cn=config |
Description | Enables the use of views in the Directory Server databases. |
Type | object |
Configurable Options | on |
off | Default Setting |
on | Configurable Arguments |
None | Dependencies |
* Type: Database * Named: State Change Plug-in | Performance-Related Information |
Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | Further Information |
4.2. List of Attributes Common to All Plug-ins
This list provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.
4.2.1. nsslapdPlugin (Object Class)
Each Directory Server plug-in belongs to the nsslapdPlugin
object class.
This object class is defined in Directory Server.
Superior Class
top
OID
2.16.840.1.113730.3.2.41
Attribute | Definition |
---|---|
objectClass | Gives the object classes assigned to the entry. |
cn | Gives the common name of the entry. |
Identifies the plugin library name (without the library suffix). | |
Identifies an initialization function of the plugin. | |
Identifies the type of plugin. | |
Identifies the plugin ID. | |
Identifies the version of plugin. | |
Identifies the vendor of plugin. | |
Identifies the description of the plugin. | |
Identifies whether or not the plugin is enabled. | |
Sets the priority for the plug-in in the execution order. |
4.2.2. nsslapd-logAccess
This attribute enables you to log search operations run by the plug-in to the file set in the nsslapd-accesslog
parameter in cn=config
.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-logAccess: Off |
4.2.3. nsslapd-logAudit
This attribute enables you to log and audit modifications to the database originated from the plug-in.
Successful modification events are logged in the audit log, if the nsslapd-auditlog-logging-enabled
parameter is enabled in cn=config
. To log failed modification database operations by a plug-in, enable the nsslapd-auditfaillog-logging-enabled
attribute in cn=config
.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-logAudit: Off |
4.2.4. nsslapd-pluginDescription
This attribute provides a description of the plug-in.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-pluginDescription: acl access check plug-in |
4.2.5. nsslapd-pluginEnabled
This attribute specifies whether the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-pluginEnabled: on |
4.2.6. nsslapd-pluginId
This attribute specifies the plug-in ID.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any valid plug-in ID |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-pluginId: chaining database |
4.2.7. nsslapd-pluginInitfunc
This attribute specifies the plug-in function to be initiated.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any valid plug-in function |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-pluginInitfunc: NS7bitAttr_Init |
4.2.8. nsslapd-pluginPath
This attribute specifies the full path to the plug-in.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any valid path |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-pluginPath: uid-plugin |
4.2.9. nsslapd-pluginPrecedence
This attribute sets the precedence or priority for the execution order of a plug-in. Precedence defines the execution order of plug-ins, which allows more complex environments or interactions since it can enable a plug-in to wait for a completed operation before being executed. This is more important for pre-operation and post-operation plug-ins.
Plug-ins with a value of 1 have the highest priority and are run first; plug-ins with a value of 99 have the lowest priority. The default is 50.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | 1 to 99 |
Default Value | 50 |
Syntax | Integer |
Example | nsslapd-pluginPrecedence: 3 |
4.2.10. nsslapd-pluginType
This attribute specifies the plug-in type. See Section 4.3.5, “nsslapd-plugin-depends-on-type” for further information.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any valid plug-in type |
Default Value | None |
Syntax | DirectoryString |
Example | nsslapd-pluginType: preoperation |
4.2.11. nsslapd-pluginVendor
This attribute specifies the vendor of the plug-in.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any approved plug-in vendor |
Default Value | Red Hat, Inc. |
Syntax | DirectoryString |
Example | nsslapd-pluginVendor: Red Hat, Inc. |
4.2.12. nsslapd-pluginVersion
This attribute specifies the plug-in version.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any valid plug-in version |
Default Value | Product version number |
Syntax | DirectoryString |
Example | nsslapd-pluginVersion: 11.3 |
4.3. Attributes Allowed by Certain Plug-ins
4.3.1. nsslapd-dynamic-plugins
Directory Server has dynamic plug-ins that can be enabled without restarting the server. The nsslapd-dynamic-plugins
attribute specifies whether the server is configured to allow dynamic plug-ins. By default, dynamic plug-ins are disabled.
Directory Server does not support dynamic plug-ins. Use it only for testing and debugging purposes.
Some plug-ins cannot be configured as dynamic, and they require the server to be restarted.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-dynamic-plugins: on |
4.3.2. nsslapd-pluginConfigArea
Some plug-in entries are container entries, and multiple instances of the plug-in are created beneath this container in cn=plugins,cn=config
. However, the cn=plugins,cn=config
is not replicated, which means that the plug-in configurations beneath those container entries must be configured manually, in some way, on every Directory Server instance.
The nsslapd-pluginConfigArea
attribute points to another container entry, in the main database area, which contains the plug-in instance entries. This container entry can be in a replicated database, which allows the plug-in configuration to be replicated.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | Any valid DN |
Default Value | |
Syntax | DN |
Example | nsslapd-pluginConfigArea: cn=managed entries container,ou=containers,dc=example,dc=com |
4.3.3. nsslapd-pluginLoadNow
This attribute specifies whether to load all of the symbols used by a plug-in immediately (true
), as well as all symbols references by those symbols, or to load the symbol the first time it is used (false
).
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | true | false |
Default Value | false |
Syntax | DirectoryString |
Example | nsslapd-pluginLoadNow: false |
4.3.4. nsslapd-pluginLoadGlobal
This attribute specifies whether the symbols in dependent libraries are made visible locally (false
) or to the executable and to all shared objects (true
).
Plug-in Parameter | Description |
---|---|
Entry DN | cn=plug-in name,cn=plugins,cn=config |
Valid Values | true | false |
Default Value | false |
Syntax | DirectoryString |
Example | nsslapd-pluginLoadGlobal: false |
4.3.5. nsslapd-plugin-depends-on-type
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the type number of a plug-in, contained in the attribute nsslapd-pluginType
. See Section 4.2.10, “nsslapd-pluginType” for further information. All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in. The following postoperation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the postoperation Referential Integrity Plug-in.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=referential integrity postoperation,cn=plugins,cn=config |
Valid Values | database |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-plugin-depends-on-type: database |
4.3.6. nsslapd-plugin-depends-on-named
Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn
value of a plug-in. The plug-in with a cn
value matching one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start. The following postoperation Referential Integrity Plug-in example shows that the Views plug-in is started before Roles. If Views is missing, the server is not going to start.
Plug-in Parameter | Description |
---|---|
Entry DN | cn=referential integrity postoperation,cn=plugins,cn=config |
Valid Values | Class of Service |
Default Value | |
Syntax | DirectoryString |
Example | * nsslapd-plugin-depends-on-named: Views * nsslapd-pluginId: roles |
4.4. Database Plug-in Attributes
The database plug-in is also organized in an information tree, as shown in Figure 4.1, “Database Plug-in”.
Figure 4.1. Database Plug-in
All plug-in technology used by the database instances is stored in the cn=ldbm database
plug-in node. This section presents the additional attribute information for each of the nodes in bold in the cn=ldbm database,cn=plugins,cn=config
information tree.
4.4.1. Database Attributes under cn=config,cn=ldbm database,cn=plugins,cn=config
This section covers global configuration attributes common to all instances are stored in the cn=config,cn=ldbm database,cn=plugins,cn=config
tree node.
4.4.1.1. nsslapd-backend-implement
The nsslapd-backend-implement
parameter defines the database back end Directory Server uses.
Directory Server currently only supports the Berkeley Database (BDB). Therefore, you cannot set this parameter to a different value.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | bdb |
Default Value | bdb |
Syntax | Directory String |
Example | nsslapd-backend-implement: bdb |
4.4.1.2. nsslapd-backend-opt-level
This parameter can trigger experimental code to improve write performance.
Possible values:
-
0
: Disables the parameter. -
1
: The replication update vector is not written to the database during the transaction -
2
: Changes the order of taking the back end lock and starts the transaction -
4
: Moves code out of the transaction.
All parameters can be combined. For example 7
enables all optimisation features.
This parameter is experimental. Never change its value unless you are specifically told to do so by the Red Hat support.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | 0 | 1 | 2 | 4 |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-backend-opt-level: 0 |
4.4.1.3. nsslapd-directory
This attribute specifies absolute path to database instance. If the database instance is manually created then this attribute must be included, something which is set by default (and modifiable) in the Directory Server Console. Once the database instance is created, do not modify this path as any changes risk preventing the server from accessing data.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | Any valid absolute path to the database instance |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-directory: /var/lib/dirsrv/slapd-instance/db |
4.4.1.4. nsslapd-exclude-from-export
This attribute contains a space-separated list of names of attributes to exclude from an entry when a database is exported. This mainly is used for some configuration and operational attributes which are specific to a server instance.
Do not remove any of the default values for this attribute, since that may affect server performance.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | Any valid attribute |
Default Value | entrydn entryid dncomp parentid numSubordinates entryusn |
Syntax | DirectoryString |
Example | nsslapd-exclude-from-export: entrydn entryid dncomp parentid numSubordinates entryusn |
4.4.1.5. nsslapd-db-transaction-wait
If you enable the nsslapd-db-transaction-wait
parameter, Directory Server does not start the transaction and waits until lock resources are available.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-db-transaction-wait: off |
4.4.1.6. nsslapd-db-private-import-mem
The nsslapd-db-private-import-mem
parameter manages whether or not Directory Server uses private memory for allocation of regions and mutexes for a database import.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-db-private-import-mem: on |
4.4.1.7. nsslapd-db-deadlock-policy
The nsslapd-db-deadlock-policy
parameter sets the libdb
library-internal deadlock policy.
Only change this parameter if instructed by Red Hat Support.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | 0-9 |
Default Value | 0 |
Syntax | DirectoryString |
Example | nsslapd-db-deadlock-policy: 9 |
4.4.1.8. nsslapd-idl-switch
The nsslapd-idl-switch
parameter sets the IDL format Directory Server uses. Note that Red Hat no longer supports the old IDL format.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | new | old |
Default Value | new |
Syntax | Directory String |
Example | nsslapd-idl-switch: new |
4.4.1.9. nsslapd-idlistscanlimit
This performance-related attribute, present by default, specifies the number of entry IDs that are searched during a search operation. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM
error message, with additional error information explaining the problem. It is advisable to keep the default value to improve search performance.
For further details, see the corresponding sections in the:
This parameter can be changed while the server is running, and the new value will affect subsequent searches.
The corresponding user-level attribute is nsIDListScanLimit
.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 100 to the maximum 32-bit integer value (2147483647) entry IDs |
Default Value | 4000 |
Syntax | Integer |
Example | nsslapd-idlistscanlimit: 4000 |
4.4.1.10. nsslapd-lookthroughlimit
This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request. The Directory Manager DN, however, is, by default, unlimited and overrides any other settings specified here. It is worth noting that binder-based resource limits work for this limit, which means that if a value for the operational attribute nsLookThroughLimit
is present in the entry as which a user binds, the default limit will be overridden. Attempting to set a value that is not a number or is too big for a 32-bit signed integer returns an LDAP_UNWILLING_TO_PERFORM
error message with additional error information explaining the problem.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
Default Value | 5000 |
Syntax | Integer |
Example | nsslapd-lookthroughlimit: 5000 |
4.4.1.11. nsslapd-mode
This attribute specifies the permissions used for newly created index files.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values |
Any four-digit octal number. However, mode |
Default Value | 600 |
Syntax | Integer |
Example | nsslapd-mode: 0600 |
4.4.1.12. nsslapd-pagedidlistscanlimit
This performance-related attribute specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control.
This attribute works the same as the nsslapd-idlistscanlimit
attribute, except that it only applies to searches with the simple paged results control.
If this attribute is not present or is set to zero, then the nsslapd-idlistscanlimit
is used to paged searches as well as non-paged searches.
The corresponding user-level attribute is nsPagedIDListScanLimit
.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-pagedidlistscanlimit: 5000 |
4.4.1.13. nsslapd-pagedlookthroughlimit
This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries for a search which uses the simple paged results control.
This attribute works the same as the nsslapd-lookthroughlimit
attribute, except that it only applies to searches with the simple paged results control.
If this attribute is not present or is set to zero, then the nsslapd-lookthroughlimit
is used to paged searches as well as non-paged searches.
The corresponding user-level attribute is nsPagedLookThroughLimit
.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-pagedlookthroughlimit: 25000 |
4.4.1.14. nsslapd-rangelookthroughlimit
This performance-related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a range search request.
Range searches use operators to set a bracket to search for and return an entire subset of entries within the directory. For example, this searches for every entry modified at or after midnight on January 1:
(modifyTimestamp>=20200101010101Z)
The nature of a range search is that it must evaluate every single entry within the directory to see if it is within the range given. Essentially, a range search is always an all IDs search.
For most users, the look-through limit kicks in and prevents range searches from turning into an all IDs search. This improves overall performance and speeds up range search results. However, some clients or administrative users like Directory Manager may not have a look-through limit set. In that case, a range search can take several minutes to complete or even continue indefinitely.
The nsslapd-rangelookthroughlimit
attribute sets a separate range look-through limit that applies to all users, including Directory Manager.
This allows clients and administrative users to have high look-through limits while still allowing a reasonable limit to be set on potentially performance-impaired range searches.
Unlike other resource limits, this applies to searches by any user, including the Directory Manager, regular users, and other LDAP clients.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | -1 to maximum 32-bit integer in entries (where -1 is unlimited) |
Default Value | 5000 |
Syntax | Integer |
Example | nsslapd-rangelookthroughlimit: 5000 |
4.4.1.15. nsslapd-search-bypass-filter-test
If you enable the nsslapd-search-bypass-filter-test
parameter, Directory Server bypasses filter checks when it builds candidate lists during a search. If you set the parameter to verify
, Directory Server evaluates the filter against the search candidate entries.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off | verify |
Default Value | on |
Syntax | Directory String |
Example | nsslapd-search-bypass-filter-test: on |
4.4.1.16. nsslapd-search-use-vlv-index
The nsslapd-search-use-vlv-index
enables and disables virtual list view (VLV) searches.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | Directory String |
Example | nsslapd-search-use-vlv-index: on |
4.4.1.17. nsslapd-subtree-rename-switch
Every directory entry is stored as a key in an entry index file. The index key maps the current entry DN to its meta entry in the index. This mapping is done either by the RDN of the entry or by the full DN of the entry.
When a subtree entry is allowed to be renamed (meaning, an entry with children entries, effectively renaming the whole subtree), its entries are stored in the entryrdn.db
index, which associates parent and child entries by an assigned ID rather than their DN. If subtree rename operations are not allowed, then the entryrdn.db
index is disabled and the entrydn.db
index is used, which simply uses full DNs, with the implicit parent-child relationships.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | off | on |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-subtree-rename-switch: on |
4.4.2. Database Attributes under cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
This section covers global configuration attributes common to all instances are stored in the cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config
tree node.
4.4.2.1. nsslapd-cache-autosize
This performance tuning-related attribute sets the percentage of free memory that is used in total for the database and entry cache. For example, if the value is set to 10
, 10% of the system’s free RAM is used for both caches. If this value is set to a value greater than 0
, auto-sizing is enabled for the database and entry cache.
For optimized performance, Red Hat recommends not to disable auto-sizing. However, in certain situations in can be necessary to disable auto-sizing. In this case, set the nsslapd-cache-autosize
attribute to 0
and manually set:
-
the database cache in the
nsslapd-dbcachesize
attribute. -
the entry cache in the
nsslapd-cachememsize
attribute.
For further details about auto-sizing, see the corresponding section in the Red Hat Directory Server Performance Tuning Guide.
If the nsslapd-cache-autosize
and nsslapd-cache-autosize-split
attribute are both set to high values, such as 100
, Directory Server fails to start. To fix the problem, set both parameters to more reasonable values. For example:
nsslapd-cache-autosize: 10 nsslapd-cache-autosize-split: 40
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 0 to 100. If 0 is set, the default value is used instead. |
Default Value | 10 |
Syntax | Integer |
Example | nsslapd-cache-autosize: 10 |
4.4.2.2. nsslapd-cache-autosize-split
This performance tuning-related attribute sets the percentage of RAM that is used for the database cache. The remaining percentage is used for the entry cache. For example, if the value is set to 40
, the database cache uses 40%, and the entry cache the remaining 60% of the free RAM reserved in the nsslapd-cache-autosize
attribute.
For further details about auto-sizing, see the corresponding section in the Red Hat Directory Server Performance Tuning Guide.
If the nsslapd-cache-autosize
and nsslapd-cache-autosize-split
attribute are both set to high values, such as 100
, Directory Server fails to start. To fix the problem, set both parameters to more reasonable values. For example:
nsslapd-cache-autosize: 10 nsslapd-cache-autosize-split: 40
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 0 to 99. If 0 is set, the default value is used instead. |
Default Value | 40 |
Syntax | Integer |
Example | nsslapd-cache-autosize-split: 40 |
4.4.2.3. nsslapd-db-checkpoint-interval
This sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations have been physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure. The nsslapd-db-checkpoint-interval
attribute is absent from dse.ldif
. To change the checkpoint interval, add the attribute to dse.ldif
. This attribute can be dynamically modified using ldapmodify
. For further information on modifying this attribute, see the "Tuning Directory Server Performance" chapter in the Red Hat Directory Server Administration Guide.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Red Hat Technical Support or Red Hat Consulting. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.
For more information on database transaction logging, see the "Monitoring Server and Database Activity" chapter in the Red Hat Directory Server Administration Guide.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 10 to 300 seconds |
Default Value | 60 |
Syntax | Integer |
Example | nsslapd-db-checkpoint-interval: 120 |
4.4.2.4. nsslapd-db-circular-logging
This attribute specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed and are kept renamed as old log transaction files. Turning circular logging off can severely degrade server performance and, as such, should only be modified with the guidance of Red Hat Technical Support or Red Hat Consulting.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-db-circular-logging: on |
4.4.2.5. nsslapd-db-compactdb-interval
The nsslapd-db-compactdb-interval
attribute defines the interval in seconds when Directory Server compacts the databases and replication changelogs. The compact operation returns the unused pages to the file system and the database file size shrinks. Note that compacting the database is resource-intensive and should not be done too often.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | 0 (no compaction) to 2147483647 second |
Default Value | 2592000 (30 days) |
Syntax | Integer |
Example | nsslapd-db-compactdb-interval: 2592000 |
4.4.2.6. nsslapd-db-compactdb-time
The nsslapd-db-compactdb-time
attribute sets the time of the day when Directory Server compacts all databases and their replication changelogs. The compaction task runs after the compaction interval (nsslapd-db-compactdb-interval
) has been exceeded.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | HH:MM. Time is set in 24-hour format |
Default Value | 23:59 |
Syntax | DirectoryString |
Example | nsslapd-db-compactdb-time: 23:59 |
4.4.2.7. nsslapd-db-debug
This attribute specifies whether additional error information is to be reported to {Directory Server}. To report error information, set the parameter to on
. This parameter is meant for troubleshooting; enabling the parameter may slow down the Directory Server.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | off |
Syntax | DirectoryString |
Example | nsslapd-db-debug: off |
4.4.2.8. nsslapd-db-durable-transactions
This attribute sets whether database transaction log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and, therefore, able to be recovered in the event of a system failure. However, the durable transactions feature may also slow the performance of the Directory Server. When durable transactions is disabled, all transactions are logically written to the database transaction log but may not be physically written to disk immediately. If there were a system failure before a directory change was physically written to disk, that change would not be recoverable. The nsslapd-db-durable-transactions
attribute is absent from dse.ldif
. To disable durable transactions, add the attribute to dse.ldif
.
This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Red Hat Technical Support or Red Hat Consulting. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.
For more information on database transaction logging, see the "Monitoring Server and Database Activity" chapter in the Red Hat Directory Server Administration Guide.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-db-durable-transactions: on |
4.4.2.9. nsslapd-db-home-directory
To move the database to another physical location for performance reasons, use this parameter to specify the home directory.
This situation will occur only for certain combinations of the database cache size, the size of physical memory, and kernel tuning attributes. In particular, this situation should not occur if the database cache size is less than 100 megabytes.
- The disk is heavily used (more than 1 megabyte per second of data transfer).
- There is a long service time (more than 100ms).
- There is mostly write activity.
If these are all true, use the nsslapd-db-home-directory
attribute to specify a subdirectory of a tempfs
type filesystem.
The directory referenced by the nsslapd-db-home-directory
attribute must be a subdirectory of a filesystem of type tempfs (such as /tmp
). However, Directory Server does not create the subdirectory referenced by this attribute. This directory must be created either manually or by using a script. Failure to create the directory referenced by the nsslapd-db-home-directory
attribute will result in Directory Server being unable to start.
Also, if there are multiple Directory Servers on the same machine, their nsslapd-db-home-directory
attributes must be configured with different directories. Failure to do so will result in the databases for both directories becoming corrupted.
The use of this attribute causes internal Directory Server database files to be moved to the directory referenced by the attribute. It is possible, but unlikely, that the server will no longer start after the files have been moved because not enough memory can be allocated. This is a symptom of an overly large database cache size being configured for the server. If this happens, reduce the size of the database cache size to a value where the server will start again.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values |
Any valid directory name in a tempfs filesystem, such as |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-db-home-directory: /tmp/slapd-phonebook |
4.4.2.10. nsslapd-db-idl-divisor
This attribute specifies the index block size in terms of the number of blocks per database page. The block size is calculated by dividing the database page size by the value of this attribute. A value of 1
makes the block size exactly equal to the page size. The default value of 0
sets the block size to the page size minus an estimated allowance for internal database overhead. For the majority of installations, the default value should not be changed unless there are specific tuning needs.
Before modifying the value of this attribute, export all databases using the db2ldif
script. Once the modification has been made, reload the databases using the ldif2db
script.
This parameter should only be used by very advanced users.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 0 to 8 |
Default Value | 0 |
Syntax | Integer |
Example | nsslapd-db-idl-divisor: 2 |
4.4.2.11. nsslapd-db-locks
Lock mechanisms in Directory Server control how many copies of Directory Server processes can run at the same time. The nsslapd-db-locks
parameter sets the maximum number of locks.
Only set this parameter to a higher value if Directory Server runs out of locks and logs libdb: Lock table is out of available locks
error messages. If you set a higher value without a need, this increases the size of the /var/lib/dirsrv/slapd-instance_name/db__db.*
files without any benefit. For more information about monitoring the logs and determining a realistic value, see the corresponding section in the Directory Server Performance Tuning Guide.
The service must be restarted for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 0 - 2147483647 |
Default Value | 10000 |
Syntax | Integer |
Example | nsslapd-db-locks: 10000 |
4.4.2.12. nsslapd-db-locks-monitoring-enable
Running out of database locks can lead to data corruption. With the nsslapd-db-locks-monitoring-enable
parameter, you can enable or disable database lock monitoring. If the parameter is enabled, which is the default, Directory Server terminates all searches if the number of active database locks is higher than the percentage threshold configured in nsslapd-db-locks-monitoring-threshold. If an issue occurs, the administrator can increase the number of database locks in the nsslapd-db-locks parameter.
Restart the service for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | on | off |
Default Value | on |
Syntax | DirectoryString |
Example | nsslapd-db-locks-monitoring-enable: on |
4.4.2.13. nsslapd-db-locks-monitoring-pause
If monitoring of database locks is enabled in the nsslapd-db-locks-monitoring-enable parameter, nsslapd-db-locks-monitoring-pause
defines the interval in milliseconds that the monitoring thread sleeps between the checks.
If you set this parameter to a too high value, the server can run out of database locks before the monitoring check happens. However, setting a too low value can slow down the server.
You do not have to restart the server for this setting to take effect.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | 0 - 2147483647 (value in milliseconds) |
Default Value | 500 |
Syntax | DirectoryString |
Example | nsslapd-db-locks-monitoring-pause: 500 |
4.4.2.14. nsslapd-db-locks-monitoring-threshold
If monitoring of database locks is enabled in the nsslapd-db-locks-monitoring-enable parameter, nsslapd-db-locks-monitoring-threshold
sets the maximum percentage of used database locks before Directory Server terminates searches to avoid further lock exhaustion.
Restart the service for changes to this attribute to take effect.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | 70 - 95 |
Default Value | 90 |
Syntax | DirectoryString |
Example | nsslapd-db-locks-monitoring-threshold: 90 |
4.4.2.15. nsslapd-db-logbuf-size
This attribute specifies the log information buffer size. Log information is stored in memory until the buffer fills up or the transaction commit forces the buffer to be written to disk. Larger buffer sizes can significantly increase throughput in the presence of long running transactions, highly concurrent applications, or transactions producing large amounts of data. The log information buffer size is the transaction log size divided by four.
The nsslapd-db-logbuf-size
attribute is only valid if the nsslapd-db-durable-transactions
attribute is set to on
.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 32K to maximum 32-bit integer (limited to the amount of memory available on the machine) |
Default Value | 32K |
Syntax | Integer |
Example | nsslapd-db-logbuf-size: 32K |
4.4.2.16. nsslapd-db-logdirectory
This attribute specifies the path to the directory that contains the database transaction log. The database transaction log contains a sequential listing of all recent database operations. Directory Server uses this information to recover the database after an instance shut down unexpectedly.
By default, the database transaction log is stored in the same directory as the directory database. To update this parameter, you must manually update the /etc/dirsrv/slapd-instance_name/dse.ldif
file. For details, see the Changing the Transaction Log Directory section in the Red Hat Directory Server Administration Guide.
Parameter | Description |
---|---|
Entry DN | cn=bdb,cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Values | Any valid path |
Default Value | |
Syntax | DirectoryString |
Example | nsslapd-db-logdirectory: /var/lib/dirsrv/slapd-instance_name/db/ |
4.4.2.17. nsslapd-db-logfile-size
This attribute specifies the maximum size of a single file in the log in bytes. By default, or if the value is set to 0
, a maximum size of 10 megabytes is used. The maximum size is an unsigned 4-byte value.
Parameter | Description |
---|---|
Entry DN | cn=config,cn=ldbm database,cn=plugins,cn=config |
Valid Range | 0 to unsigned 4-byte integer |
Default Value | 10MB |
Syntax | Integer |
Example | nsslapd-db-logfile-size: 10 MB |
4.4.2.18. nsslapd-db-page-size
This attribute specifies the size of the pages used to hold items in the database in bytes. The minimum size is 512 bytes, and the maximum size is 64 kilobytes. If the page size is not explicitly set, Directory Server defaults to a page size of 8 kilobytes. Changing this default value can have a significant performance impact. If the page size is too small, it results in e