Chapter 1. File locations overview


Red Hat Directory Server is compatible with the Filesystem Hierarchy Standards (FHS). For further details about the FHS, see FHS Specification.

1.1. Directory Server instance-independent files and directories

The instance-independent default files and directory locations for the Directory Server include:


Command-line utilities



Systemd unit files





Self-Signed Certificate Authority


1.2. Directory Server instance-specific files and directories

To separate multiple instances running on the same host, certain files and directories contain the name of the instance. You set the instance name during the Directory Server setup. By default, this is the host name without domain name. For example, if your fully-qualified domain name is, the default instance name is server.

The instance-specific default file and directory locations for the Directory Server include:


Backup files


Configuration files


Certificate and key databases


Database files


LDIF files


Lock files


Log files


PID file


Systemd unit files


1.2.1. Configuration files

Each Directory Server instance stores its configuration files in the /etc/dirsrv/slapd-instance_name/ directory.

The configuration information for Red Hat Directory Server is stored as LDAP entries in the directory. Therefore, you must change the server configuration through the server instead of editing configuration files. The principal advantage of configuration storage is that a directory administrator can reconfigure the server using LDAP while the server is still running, avoiding the need to shut the server down for most configuration changes.

1.2.2. Overview of the Directory Server configuration

When the Directory Server is set up, the server stores the default configuration as a series of LDAP entries within the directory, under the cn=config sub-tree. When you start the server, the server reads the contents of the cn=config sub-tree from the dse.ldif file that is in the LDIF format. The dse.ldif file contains all of the server configuration information and has the following names:

  • dse.ldif. The latest version of this file.
  • dse.ldif.bak. The version prior to the last modification.
  • dse.ldif.startOK. The latest file with which the server successfully started.

Most features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under the cn=plugins,cn=config sub-tree. For example, the configuration of the Telephone Syntax plug-in is contained in the cn=Telephone Syntax,cn=plugins,cn=config entry.

Similarly, database-specific configuration is stored under cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.

The following diagram shows where the configuration data is placed under the cn=config directory tree.

Figure 1.1. Configuration data sub-tree


The dc\3Dexample\2Cdc\3Dcom value represents the dc=example,dc=com DN with escaped characters.

LDIF and schema configuration files

Directory Server stores configuration data in LDIF files in the /etc/dirsrv/slapd-instance_name directory. For example, if the instance name is phonebook, the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook.

This directory also contains other server instance-specific configuration files.

Schema configuration is also stored in LDIF format in the following directories:

  • /etc/dirsrv/instance_name/schema/ for instance-specific schema.
  • /usr/share/dirsrv/schema/ for default schema.
  • /etc/dirsrv/schema/ for schema that overrides the default schema.

Previously, schema configuration files were stored in the /etc/dirsrv/schema directory only.

The following table lists the configuration files that are supplied with the Directory Server, including those for the compatible servers schema. Each file is preceded by a number which indicates the order in which they should be loaded (ascending numerically, then alphabetically).

Table 1.1. Directory Server LDIF configuration files
Configuration Filename    Purpose


Contains front-end directory-specific entries (DSE) created by the directory at the server startup. The entries include the Root DSE ("") and the contents of cn=config and cn=monitor (ACIs only).


Contains schema definitions, such as subschemaSubentry, necessary for starting the server with the minimum feature set (no user schema, no schema for any non-core features). Do not modify this file.

The rest of the schema used by users, features, and applications is located in the 02common.ldif file and the other schema files.


The 02common.ldif file contains:

  • LDAPv3 standard operational schema, such as subschemaSubentry.
  • LDAPv3 standard user and organization schema defined in RFC 2256 (based on X.520/X.521).
  • The inetOrgPerson and other widely-used attributes.
  • The operational attributes that Directory Server configuration uses.

Modifying the file causes interoperability problems. You must add user-defined attributes through the Directory Server web console.


Schema from RFC 2247, Using Domains in LDAP/X500 Distinguished Names, and the related pilot schema.


Schema from RFC 2927, MIME Directory Profile for LDAP Schema. Contains the ldapSchemas operational attribute required for the attribute to show up in the subschema sub-entry.


Contains 01core389.ldif schema and inetOrgPerson attribute.


Legacy. Schema for instant messaging presence (online) information. The file lists the default object classes with the allowed attributes that must be added to a user entry in order for instant-messaging presence information to be available for that user.


Schema from RFC 2307, An Approach for Using LDAP as a Network Information Service.

The 10rfc2307bis schema, the new version of rfc2307, may supersede the 10rfc2307.ldif schema when that schema becomes available.


Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the adminRole and memberOf attributes and inetAdmin object class, previously stored in the 50ns-delegated-admin.ldif file.


Schema from RFC 2713, Schema for Representing Java® Objects in an LDAP Directory.


Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Future RFCs that succeed RFC 1274 may deprecate some or all of 28pilot.ldif schema attribute types and classes.


Schema that contains object classes and attributes common to the Directory Server web console framework.


Schema used by Red Hat Administration Server.


Schema for Red Hat Certificate Management System.


Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to the current releases of Directory Server. This schema is required for replication between Directory Server 4.12 and the current releases.


Schema used by Netscape Messaging Server to define mail users and mail groups.


Schema for servers value item attributes.


Schema for Netscape Web Server.


Reserved for future use.


User-defined schema that Directory Server replication consumers maintain. The schema contains the attributes and object classes from the suppliers.

The dse.ldif server configuration file

The dse.ldif file contains all configuration information including directory-specific entries (DSE) created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or Root DSE, named by "") and the contents of the cn=config sub-tree.

When the server generates the dse.ldif file, the server lists the entries in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of sub-tree scope for the cn=config base returns the entries.

The dse.ldif file also contains the cn=monitor entry, which is mostly read-only, but can have ACIs set on it.


The dse.ldif file does not contain every attribute in the cn=config entry. If the administrator did not set an attribute and it has a default value, the server does not write this attribute to the dse.ldif file. To see every attribute in the cn=config entry, use the ldapsearch utility.

Configuration attributes

Each configuration entry, such as cn=config, contains attribute-value pairs set for this entry.

The following example part of the dse.ldif file shows that schema checking was enabled by setting the nsslapd-schemacheck attribute to on.

dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: dirsrv
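
Because dse.ldif.startOK holds the configuration of the last successful start, comparing it with the current dse.ldif shows which cn=config settings changed since then. The following is an added example, not part of the Red Hat documentation; the function names parse_ldif and diff_config and both sample snapshots are constructed for illustration.

```python
def parse_ldif(text):
    """Parse dse.ldif-style text into {dn: {attr: sorted values}}, names lowercased."""
    # LDIF folding: a newline followed by one space continues the previous line.
    lines = text.replace("\r\n", "\n").replace("\n ", "").split("\n")
    entries, entry = {}, None
    for line in lines:
        if line.startswith("#"):
            continue                      # comment line
        attr, sep, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if not sep:
            entry = None                  # blank line ends the current entry
        elif attr == "dn":
            entry = entries.setdefault(value.lower(), {})
        elif entry is not None:           # base64 ("attr:: ...") values stay opaque
            entry[attr] = sorted(entry.get(attr, []) + [value])
    return entries

def diff_config(baseline, current):
    """List (dn, attr, old, new) differences; None means 'not written in that file'."""
    changes = []
    for dn in sorted(set(baseline) | set(current)):
        old_e, new_e = baseline.get(dn, {}), current.get(dn, {})
        for attr in sorted(set(old_e) | set(new_e)):
            if old_e.get(attr) != new_e.get(attr):
                changes.append((dn, attr, old_e.get(attr), new_e.get(attr)))
    return changes

# Constructed sample data, modelled on the cn=config example on this page.
STARTOK = """\
dn: cn=config
nsslapd-accesslog-logging-enabled: on
nsslapd-schemacheck: on

dn: cn=Telephone Syntax,cn=plugins,cn=config
nsslapd-pluginEnabled: on
"""
CURRENT = """\
dn: cn=config
nsslapd-schemacheck: off

dn: cn=Telephone Syntax,cn=plugins,
 cn=config
nsslapd-pluginEnabled: on
"""

if __name__ == "__main__":
    for dn, attr, old, new in diff_config(parse_ldif(STARTOK), parse_ldif(CURRENT)):
        print(f"{dn}: {attr}: {old} -> {new}")
```

A None in the new column means the attribute is no longer written to the file, so the server default applies rather than the attribute being switched off; confirm the effective value with ldapsearch on cn=config.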

Configuration of plug-in functionality

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the cn=plugins,cn=config sub-tree.

The following example shows the configuration for the Telephone Syntax plug-in.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

A plug-in configuration contains attributes that are common to all plug-ins and attributes that are specific to this plug-in. To check which attributes Directory Server currently uses, run the ldapsearch command on the cn=config sub-tree.

For more information about supported plug-ins and their configuration information, see Plug-in implemented server functionality reference.

Configuration of databases

The cn=UserRoot,cn=ldbm database,cn=plugins,cn=config sub-tree contains configuration data for the database that contains the default suffix Directory Server creates during setup.

The cn=UserRoot sub-tree and its children have many attributes used to configure different database settings, like the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring and statistics, and database indexes.

Configuration of indexes

Index configuration information is stored as entries in the Directory Server under the following sub-directories:

  • cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
  • cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config

For general information about indexes, see the Managing indexes documentation.

For information about the index configuration attributes, see Database attributes under cn=config,cn=ldbm database,cn=plugins,cn=config.

1.2.3. Database files

Every Directory Server instance contains the /var/lib/dirsrv/slapd-instance/db directory for storing all of the database files. A sample listing of the /var/lib/dirsrv/slapd-instance/db directory contents is illustrated below.

Database directory contents

db.001 db.002  __db.003  DBVERSION  log.0000000001  userroot/

  • db.00x files. Used internally by the database. You must not move, delete, or modify these files in any way.
  • log.xxxxxxxxxx files. Used for storing the transaction logs per database.
  • DBVERSION. Used for storing the version of the database.
  • userRoot. Stores the user-defined suffixes (user-defined databases) created at setup, for example, dc=example,dc=com.

When you create a new database, for example testRoot, to store the directory tree under a new suffix, the directory named testRoot also appears in the /var/lib/dirsrv/slapd-instance/db directory.

The following example lists the userRoot directory contents.

The userroot database directory contents


The userroot sub-directory contains the following files:

  • ancestorid.db. Contains a list of IDs to find the ID of the entry ancestor.
  • entrydn.db. Contains a list of full DNs to find any ID.
  • id2entry.db. Contains the actual directory database entries. All other database files can be recreated from this one, if necessary.
  • nsuniqueid.db. Contains a list of unique IDs to find any ID.
  • numsubordinates.db. Contains IDs that have child entries.
  • objectclass.db. Contains a list of IDs which have a particular object class.
  • parentid.db. Contains a list of IDs to find the ID of the parent.

1.3. LDIF files

Directory Server stores LDIF-related files in the /usr/share/dirsrv/data/ directory.

LDIF directory contents


The example contains the following files:

  • European.ldif. Contains European character examples.
  • Example.ldif. Is an example LDIF file.
  • Example-roles.ldif. Is an example LDIF file similar to Example.ldif, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.

The LDIF files exported by db2ldif or scripts in the instance directory are stored in /var/lib/dirsrv/slapd-instance_name/ldif/.

1.4. Lock files

Every Directory Server instance contains a /var/lock/dirsrv/slapd-instance_name/ directory for storing lock-related files.

The following example lists the locks directory contents.

Lock directory contents

exports/ imports/ server/

The lock mechanisms control how many copies of the Directory Server process can be running at once:

  • If the server performs an import, a lock is placed in the imports/ directory to prevent any other ns-slapd (normal), ldif2db (another import), or db2ldif (export) operations from running.
  • If the server is running as normal, the lock is placed in the server/ directory, which prevents only import operations.
  • If the server performs an export, the lock is placed in the exports/ directory. This allows normal server operations, but prevents imports.

The number of available locks can affect overall Directory Server performance. The number of locks is set in the nsslapd-db-locks attribute. For more details, see The nsslapd-db-locks attribute description.

1.5. Log files

Every Directory Server instance stores log files in the /var/log/dirsrv/slapd-instance_name/ directory.

Log directory contents


The content of the access, audit, error, and security log files depends on the log configuration. The stats file is located in the /var/run/dirsrv/slapd-instance_name.stats/ directory.

The stats file is a memory-mapped file that cannot be read by an editor. It contains data that the Directory Server SNMP data collection component collects. This data is read by the SNMP sub-agent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.

For an overview of all log files, refer to the Log files reference chapter.

1.6. PID files

When the server is up and running, the and slapd-serverID.startpid files are created in the /var/run/dirsrv/ directory. Both files store the server process ID.

1.7. Backup files

Every Directory Server instance contains the following directories to store backup-related files:

  • /var/lib/dirsrv/slapd-instance_name/bak/. Contains backup copies of the database. Each backup is dated with the instance name, time and date of the database backup, for example, instance_name-2023_05_04_18_01_23.
  • /var/lib/dirsrv/slapd-instance_name/bak/config_files/. Contains backed up configuration files, the certificate database, and custom schema files.
© 2024 Red Hat, Inc.