Chapter 1. File locations overview
Red Hat Directory Server is compatible with the Filesystem Hierarchy Standards (FHS). For further details about the FHS, see FHS Specification.
1.1. Directory Server instance-independent files and directories
The instance-independent default files and directory locations for the Directory Server include:
Type | Location |
---|---|
Command-line utilities | |
Systemd unit files | |
Self-Signed Certificate Authority | |
1.2. Directory Server instance-specific files and directories
To separate multiple instances running on the same host, certain files and directories contain the name of the instance. You set the instance name during the Directory Server setup. By default, this is the host name without domain name. For example, if your fully-qualified domain name is `server.example.com`, the default instance name is `server`.
The instance-specific default file and directory locations for the Directory Server include:
Type | Location |
---|---|
Backup files | |
Configuration files | |
Certificate and key databases | |
Database files | |
LDIF files | |
Lock files | |
Log files | |
PID file | |
Systemd unit files | |
1.2.1. Configuration files
Each Directory Server instance stores its configuration files in the `/etc/dirsrv/slapd-instance_name/` directory.
The configuration information for Red Hat Directory Server is stored as LDAP entries in the directory. Therefore, you must change the server configuration through the server instead of editing configuration files. The principal advantage of configuration storage is that a directory administrator can reconfigure the server using LDAP while the server is still running, avoiding the need to shut the server down for most configuration changes.
1.2.2. Overview of the Directory Server configuration
When the Directory Server is set up, the server stores the default configuration as a series of LDAP entries within the directory, under the `cn=config` sub-tree. When you start the server, the server reads the contents of the `cn=config` sub-tree from the `dse.ldif` file that is in the LDIF format. The `dse.ldif` file contains all of the server configuration information and has the following names:
- `dse.ldif`. The latest version of this file.
- `dse.ldif.bak`. The version prior to the last modification.
- `dse.ldif.startOK`. The latest file with which the server successfully started.
Most features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under the `cn=plugins,cn=config` sub-tree. For example, the configuration of the Telephone Syntax plug-in is contained in the `cn=Telephone Syntax,cn=plugins,cn=config` entry.
Similarly, database-specific configuration is stored under `cn=ldbm database,cn=plugins,cn=config` for local databases and `cn=chaining database,cn=plugins,cn=config` for database links.
The following diagram shows where the configuration data is placed under the `cn=config` directory tree.
Figure 1.1. Configuration data sub-tree

The `dc\3Dexample\2Cdc\3Dcom` value represents the `dc=example,dc=com` DN with escaped characters.
1.2.2.1. LDIF and schema configuration files
Directory Server stores configuration data in LDIF files in the `/etc/dirsrv/slapd-instance_name` directory. If a server name is `phonebook`, then for a Directory Server, the configuration LDIF files are all stored under `/etc/dirsrv/slapd-phonebook`.
This directory also contains other server instance-specific configuration files.
Schema configuration is also stored in LDIF format in the following directories:
- `/etc/dirsrv/instance_name/schema/` for instance-specific schema.
- `/usr/share/dirsrv/schema/` for default schema.
- `/etc/dirsrv/schema/` for schema that overrides the default schema.
Previously, schema configuration files were stored in the `/etc/dirsrv/schema` directory only.
The following table lists the configuration files that are supplied with the Directory Server, including those for the compatible servers schema. Each file is preceded by a number which indicates the order in which they should be loaded (ascending numerically, then alphabetically).
Configuration Filename | Purpose |
---|---|
dse.ldif |
Contains front-end directory-specific entries (DSE) created by the directory at the server startup. The entries include the Root DSE ( |
00core.ldif |
Contains schema definitions, such as
The rest of the schema used by users, features, and applications is located in the |
02common.ldif |
The
Modifying the file causes interoperability problems. You must add user-defined attributes through the Directory Server web console. |
05rfc2247.ldif | Schema from RFC 2247, Using Domains in LDAP/X500 Distinguished Names, and the related pilot schema. |
05rfc2927.ldif |
Schema from RFC 2927, MIME Directory Profile for LDAP Schema. Contains the |
06inetorgperson.ldif |
Contains |
10presence.ldif | Legacy. Schema for instant messaging presence (online) information. The file lists the default object classes with the allowed attributes that must be added to a user entry in order for instant-messaging presence information to be available for that user. |
10rfc2307.ldif | Schema from RFC 2307, An Approach for Using LDAP as a Network Information Service.
The |
20subscriber.ldif |
Contains new schema elements and the Nortel subscriber interoperability specification. Also contains the |
25java-object.ldif | Schema from RFC 2713, Schema for Representing Java® Objects in an LDAP Directory. |
28pilot.ldif |
Contains pilot directory schema from RFC 1274, which is no longer recommended for new deployments. Future RFCs that succeed RFC 1274 may deprecate some or all of |
30ns-common.ldif | Schema that contains object classes and attributes common to the Directory Server web console framework. |
50ns-admin.ldif | Schema used by Red Hat Administration Server. |
50ns-certificate.ldif | Schema for Red Hat Certificate Management System. |
50ns-directory.ldif | Contains additional configuration schema used by Directory Server 4.12 and earlier versions of the directory, which is no longer applicable to the current releases of Directory Server. This schema is required for replication between Directory Server 4.12 and the current releases. |
50ns-mail.ldif | Schema used by Netscape Messaging Server to define mail users and mail groups. |
50ns-value.ldif | Schema for servers value item attributes. |
50ns-web.ldif | Schema for Netscape Web Server. |
60pam-plugin.ldif | Reserved for future use. |
99user.ldif | User-defined schema that Directory Server replication consumers maintain. The schema contains the attributes and object classes from the suppliers. |
1.2.2.2. The dse.ldif server configuration file
The `dse.ldif` file contains all configuration information including directory-specific entries (DSE) created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or Root DSE, named by `""`) and the contents of the `cn=config` sub-tree.
When the server generates the `dse.ldif` file, the server lists the entries in the order that the entries appear in the directory under `cn=config`, which is usually the same order in which an LDAP search of sub-tree scope for the `cn=config` base returns the entries.
The `dse.ldif` file also contains the `cn=monitor` entry, which is mostly read-only, but can have ACIs set on it.
The `dse.ldif` file does not contain every attribute in the `cn=config` entry. If the administrator did not set the attribute and it has a default value, the server does not write this attribute to the `dse.ldif` file. To see every attribute in the `cn=config` entry, use the `ldapsearch` utility.
Configuration attributes
Each configuration entry, such as `cn=config`, contains attribute-value pairs set for this entry.
The following example part of the `dse.ldif` file shows that schema checking was enabled by setting the `nsslapd-schemacheck` attribute to `on`.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: dirsrv
...
Configuration of plug-in functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the `cn=plugins,cn=config` sub-tree.
The following example shows an example configuration for the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
A plug-in configuration contains attributes that are common to all plug-ins and attributes that are specific to this plug-in. To check which attributes Directory Server currently uses, run the `ldapsearch` command on the `cn=config` sub-tree.
For more information about supported plug-ins and their configuration information, see Plug-in implemented server functionality reference.
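Because the server keeps `dse.ldif` alongside `dse.ldif.startOK`, comparing the two shows which configuration attributes changed since the last successful start. The following is an added example, not Red Hat's code: it parses two constructed LDIF snippets modeled on the fragments above and lists the differences. The names `parse_ldif` and `diff_config` are hypothetical, and DNs are matched by lowercase string only, without full DN normalization.

```python
# Added example. Both snapshots are constructed sample data, not real server files.
STARTOK = """\
dn: cn=config
nsslapd-accesslog-logging-enabled: on
nsslapd-schemacheck: on
nsslapd-port: 389

dn: cn=Telephone Syntax,cn=plugins,cn=config
nsslapd-pluginEnabled: on
"""
CURRENT = """\
dn: cn=config
nsslapd-accesslog-logging-enabled: off
nsslapd-port: 389

dn: cn=Telephone Syntax,cn=plugins,
 cn=config
nsslapd-pluginEnabled: on
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; DNs and attribute names are lowercased."""
    lines = text.replace("\n ", "").splitlines()  # unfold continuation lines
    entries, current = {}, None
    for line in lines:
        if not line.strip():                # a blank line ends the current entry
            current = None
        elif not line.startswith("#"):      # skip comment lines
            # Base64 values ("attr:: ...") keep their leading ":" and stay encoded.
            attr, _, value = (part.strip() for part in line.partition(":"))
            if attr.lower() == "dn":
                current = entries.setdefault(value.lower(), {})
            elif current is not None:
                current.setdefault(attr.lower(), []).append(value)
    return entries

def diff_config(baseline, candidate):
    """Return (dn, attr, old_values, new_values) for each attribute that differs."""
    changes = []
    for dn in sorted(set(baseline) | set(candidate)):
        old, new = baseline.get(dn, {}), candidate.get(dn, {})
        for attr in sorted(set(old) | set(new)):
            if sorted(old.get(attr, [])) != sorted(new.get(attr, [])):
                changes.append((dn, attr, old.get(attr), new.get(attr)))
    return changes

if __name__ == "__main__":
    for change in diff_config(parse_ldif(STARTOK), parse_ldif(CURRENT)):
        print(change)
```

Because the server does not write attributes that are left at their default value, an attribute that appears in only one of the two files may have been set to or reset from its default rather than removed.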
Configuration of databases
The `cn=UserRoot,cn=ldbm database,cn=plugins,cn=config` sub-tree contains configuration data for the database that contains the default suffix that Directory Server creates during setup.
The `cn=UserRoot` sub-tree and its children have many attributes used to configure different database settings, like the cache sizes, the paths to the index files and transaction logs, entries and attributes for monitoring and statistics, and database indexes.
Configuration of indexes
Index configuration information is stored as entries in the Directory Server under the following sub-directories:
- `cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config`
- `cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config`
For general information about indexes, see the Managing indexes documentation.
For information about the index configuration attributes, see Database attributes under `cn=config,cn=ldbm database,cn=plugins,cn=config`.
1.2.3. Database files
Every Directory Server instance contains the `/var/lib/dirsrv/slapd-instance/db` directory for storing all of the database files. A sample listing of the `/var/lib/dirsrv/slapd-instance/db` directory contents is illustrated below.
Database directory contents
db.001 db.002 __db.003 DBVERSION log.0000000001 userroot/
- `db.00x` files. Used internally by the database and you must not move, delete, or modify these files in any way.
- `log.xxxxxxxxxx` files. Used for storing the transaction logs per database.
- `DBVERSION`. Used for storing the version of the database.
- `userRoot`. Stores the user-defined suffixes (user-defined databases) created at setup, for example, `dc=example,dc=com`.
When you create a new database, for example `testRoot`, to store the directory tree under a new suffix, the directory named `testRoot` also appears in the `/var/lib/dirsrv/slapd-instance/db` directory.
The following example lists the `userRoot` directory contents.
The userroot database directory contents
ancestorid.db DBVERSION entryrdn.db id2entry.db nsuniqueid.db numsubordinates.db objectclass.db parentid.db
The `userroot` sub-directory contains the following files:
- `ancestorid.db`. Contains a list of IDs to find the ID of the entry ancestor.
- `entrydn.db`. Contains a list of full DNs to find any ID.
- `id2entry.db`. Contains the actual directory database entries. All other database files can be recreated from this one, if necessary.
- `nsuniqueid.db`. Contains a list of unique IDs to find any ID.
- `numsubordinates.db`. Contains IDs that have child entries.
- `objectclass.db`. Contains a list of IDs which have a particular object class.
- `parentid.db`. Contains a list of IDs to find the ID of the parent.
1.3. LDIF files
Directory Server stores LDIF-related files in the `/usr/share/dirsrv/data/` directory.
LDIF directory contents
European.ldif Example.ldif Example-roles.ldif Example-views.ldif
The example contains the following files:
- `European.ldif`. Contains European character examples.
- `Example.ldif`. Is an example LDIF file.
- `Example-roles.ldif`. Is an example LDIF file similar to `Example.ldif`, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.
The LDIF files exported by `db2ldif` or `db2ldif.pl` scripts in the instance directory are stored in `/var/lib/dirsrv/slapd-instance_name/ldif/`.
1.4. Lock files
Every Directory Server instance contains a `/var/lock/dirsrv/slapd-instance_name/` directory for storing lock-related files.
The following example lists the locks directory contents.
Lock directory contents
exports/ imports/ server/
The lock mechanisms control how many copies of the Directory Server process can be running at once:
- If the server performs an import, a lock is placed in the `imports/` directory to prevent any other `ns-slapd` (normal), `ldif2db` (another import), or `db2ldif` (export) operations from running.
- If the server is running as normal, the lock is placed in the `server/` directory, which prevents only import operations.
- If the server performs an export, the lock is placed in the `exports/` directory. This allows normal server operations, but prevents imports.
The number of available locks can affect overall Directory Server performance. The number of locks is set in the `nsslapd-db-locks` attribute. For more details, see The `nsslapd-db-locks` attribute description.
1.5. Log files
Every Directory Server instance stores log files in the `/var/log/dirsrv/slapd-instance_name/` directory.
Log directory contents
access access.rotationinfo audit audit.rotationinfo errors errors.rotationinfo security security.rotationinfo
The content of the `access`, `audit`, `error`, and `security` log files depends on the log configuration. The `stats` file is located in the `/var/run/dirsrv/slapd-instance_name.stats/` directory.
The `stats` file is a memory-mapped file that cannot be read by an editor. It contains data that the Directory Server SNMP data collection component collects. This data is read by the SNMP sub-agent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
For an overview of all log files, refer to the Log files reference chapter.
1.6. PID files
When the server is up and running, the `slapd-serverID.pid` and `slapd-serverID.startpid` files are created in the `/var/run/dirsrv/` directory. Both files store the server process ID.
1.7. Backup files
Every Directory Server instance contains the following directories to store backup-related files:
- `/var/lib/dirsrv/slapd-instance_name/bak/`. Contains backup copies of the database. Each backup is dated with the instance name, time and date of the database backup, for example, `instance_name-2023_05_04_18_01_23`.
- `/var/lib/dirsrv/slapd-instance_name/bak/config_files/`. Contains backed up configuration files, the certificate database, and custom schema files.