Search

Chapter 6. Plug-in implemented server functionality reference

download PDF

This chapter contains reference information on plug-ins.

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes a given plug-in uses by performing an ldapsearch on the cn=config subtree.

All plug-ins are instances of the nsSlapdPlugin object class inherited from the extensibleObject object class. Server takes into account plug-in configuration attributes when both object classes (in addition to the top object class) are present in the entry, as shown in the following example:

dn:cn=ACL Plugin,cn=plugins,cn=config
objectclass:top
objectclass:nsSlapdPlugin
objectclass:extensibleObject

6.1. List of attributes common to all plug-ins

This list provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.

Each Directory Server plug-in belongs to the nsslapdPlugin object class.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.41

Table 6.1. Required Attributes
AttributeDefinition

objectClass

Gives the object classes assigned to the entry.

cn

Gives the common name of the entry.

nsslapd-pluginPath

Identifies the plugin library name (without the library suffix).

nsslapd-pluginInitfunc

Identifies an initialization function of the plugin.

nsslapd-pluginType

Identifies the type of plugin.

nsslapd-pluginId

Identifies the plugin ID.

nsslapd-pluginVersion

Identifies the version of plugin.

nsslapd-pluginVendor

Identifies the vendor of plugin.

nsslapd-pluginDescription

Identifies the description of the plugin.

nsslapd-pluginEnabled

Identifies whether or not the plugin is enabled.

nsslapd-pluginPrecedence

Sets the priority for the plug-in in the execution order.

6.1.1. nsslapd-logAccess

This attribute enables you to log search operations run by the plug-in to the file set in the nsslapd-accesslog parameter in cn=config.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-logAccess: Off

6.1.2. nsslapd-logAudit

This attribute enables you to log and audit modifications to the database originated from the plug-in.

Successful modification events are logged in the audit log, if the nsslapd-auditlog-logging-enabled parameter is enabled in cn=config. To log failed modification database operations by a plug-in, enable the nsslapd-auditfaillog-logging-enabled attribute in cn=config.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-logAudit: Off

6.1.3. nsslapd-pluginDescription

This attribute provides a description of the plug-in.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

 

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginDescription: acl access check plug-in

6.1.4. nsslapd-pluginEnabled

This attribute specifies whether the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-pluginEnabled: on

6.1.5. nsslapd-pluginId

This attribute specifies the plug-in ID.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in ID

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginId: chaining database

6.1.6. nsslapd-pluginInitfunc

This attribute specifies the plug-in function to be initiated.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in function

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginInitfunc: NS7bitAttr_Init

6.1.7. nsslapd-pluginPath

This attribute specifies the full path to the plug-in.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid path

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginPath: uid-plugin

6.1.8. nsslapd-pluginPrecedence

This attribute sets the precedence or priority for the execution order of a plug-in. Precedence defines the execution order of plug-ins, which allows more complex environments or interactions since it can enable a plug-in to wait for a completed operation before being executed. This is more important for pre-operation and post-operation plug-ins.

Plug-ins with a value of 1 have the highest priority and are run first; plug-ins with a value of 99 have the lowest priority. The default is 50.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

1 to 99

Default Value

50

Syntax

Integer

Example

nsslapd-pluginPrecedence: 3

6.1.9. nsslapd-pluginType

This attribute specifies the plug-in type. See Section 6.2.4, “nsslapd-plugin-depends-on-type” for further information.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in type

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginType: preoperation

6.1.10. nsslapd-pluginVendor

This attribute specifies the vendor of the plug-in.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any approved plug-in vendor

Default Value

Red Hat, Inc.

Syntax

DirectoryString

Example

nsslapd-pluginVendor: Red Hat, Inc.

6.1.11. nsslapd-pluginVersion

This attribute specifies the plug-in version.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in version

Default Value

Product version number

Syntax

DirectoryString

Example

nsslapd-pluginVersion: {VER}

6.2. Optional attributes of certain plug-ins

6.2.1. nsslapd-dynamic-plugins

You can enable some Directory Server plug-ins dynamically without the instance restart. Enable the nsslapd-dynamic-plugins attribute in Directory Server to allow the dynamic plug-ins. By default, dynamic plug-ins are disabled.

Warning

Red Hat Directory Server does not support dynamic plug-ins. Use it only for testing and debugging purposes.

You cannot configure some plug-ins as dynamic. To enable such plug-ins, restart the instance.

Plug-in ParameterDescription

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-dynamic-plugins: on

6.2.2. nsslapd-pluginConfigArea

Some plug-in entries are container entries, and multiple instances of the plug-in are created beneath this container in cn=plugins,cn=config. However, the cn=plugins,cn=config is not replicated, which means that the plug-in configurations beneath those container entries must be configured manually, in some way, on every Directory Server instance.

The nsslapd-pluginConfigArea attribute points to another container entry, in the main database area, which contains the plug-in instance entries. This container entry can be in a replicated database, which allows the plug-in configuration to be replicated.

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid DN

Default Value

 

Syntax

DN

Example

nsslapd-pluginConfigArea: cn=managed entries container,ou=containers,dc=example,dc=com

6.2.3. nsslapd-plugin-depends-on-named

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the cn value of a plug-in. The plug-in with a cn value matching one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server fails to start. The following postoperation Referential Integrity Plug-in example shows that the Views plug-in is started before Roles. If Views is missing, the server is not going to start.

Plug-in ParameterDescription

Entry DN

cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values

Class of Service

Default Value

 

Syntax

DirectoryString

Example

* nsslapd-plugin-depends-on-named: Views

* nsslapd-pluginId: roles

6.2.4. nsslapd-plugin-depends-on-type

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the type number of a plug-in, contained in the attribute nsslapd-pluginType. See Section 6.1.9, “nsslapd-pluginType” for further information. All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in. The following postoperation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the postoperation Referential Integrity Plug-in.

Plug-in ParameterDescription

Entry DN

cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values

database

Default Value

 

Syntax

DirectoryString

Example

nsslapd-plugin-depends-on-type: database

6.2.5. nsslapd-pluginLoadGlobal

This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true).

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

true | false

Default Value

false

Syntax

DirectoryString

Example

nsslapd-pluginLoadGlobal: false

6.2.6. nsslapd-pluginLoadNow

This attribute specifies whether to load all of the symbols used by a plug-in immediately (true), as well as all symbols references by those symbols, or to load the symbol the first time it is used (false).

Plug-in ParameterDescription

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

true | false

Default Value

false

Syntax

DirectoryString

Example

nsslapd-pluginLoadNow: false

6.3. Server plug-in functionality reference

This section provides an overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading.

6.3.1. 7-bit Check plug-in

Plug-in ParameterDescription

Plug-in ID

NS7bitAtt

DN of Configuration Entry

cn=7-bit check,cn=plugins,cn=config

Description

Checks certain attributes are 7-bit clean

Type

preoperation

Configurable Options

on | off

Default Setting

on

Configurable Arguments

List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur.

Dependencies

Database

Performance-Related Information

None

Further Information

If Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

6.3.2. Account Policy plug-in

Account policies can be set that automatically lock an account after a certain amount of time has elapsed. This can be used to create temporary accounts that are only valid for a preset amount of time or to lock users which have been inactive for a certain amount of time.

The Account Policy Plug-in itself only accept on argument, which points to a plug-in configuration entry.

dn: cn=Account Policy Plugin,cn=plugins,cn=config
...
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

The account policy configuration entry defines, for the entire server, what attributes to use for account policies. Most of the configuration defines attributes to use to evaluate account policies and expiration times, but the configuration also defines what object class to use to identify subtree-level account policy definitions.

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config

... attributes for evaluating accounts ...
alwaysRecordLogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp

... attributes for account policy entries ...
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit

One the plug-in is configured globally, account policy entries can be created within the user subtrees, and then these policies can be applied to users and to roles through classes of service.

Example 6.1. Account Policy Definition

dn: cn=AccountPolicy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
# 86400 seconds per day * 30 days = 2592000 seconds
accountInactivityLimit: 2592000
cn: AccountPolicy

Any entry, both individual users and roles or CoS templates, can be an account policy subentry. Every account policy subentry has its creation and login times tracked against any expiration policy.

Example 6.2. User Account with Account Policy

dn: uid=scarter,ou=people,dc=example,dc=com
...
lastLoginTime: 20060527001051Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com
Plug-in ParameterDescription

Plug-in ID

none

DN of Configuration Entry

cn=Account Policy Plugin,cn=plugins,cn=config

Description

Defines a policy to lock user accounts after a certain expiration period or inactivity period.

Type

object

Configurable Options

on | off

Default Setting

off

Configurable Arguments

A pointer to a configuration entry which contains the global account policy settings.

Dependencies

Database

Performance-Related Information

None

Further Information

This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the acctPolicySubentry object class. These configuration entries can then be applied to users or roles through classes of service.

6.3.2.1. altstateattrname

Account expiration policies are based on some timed criteria for the account. For example, for an inactivity policy, the primary criteria may be the last login time, lastLoginTime. However, there may be instances where that attribute does not exist on an entry, such as a user who never logged into his account. The altstateattrname attribute provides a backup attribute for the server to reference to evaluate the expiration time.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

altstateattrname: createTimeStamp

6.3.2.2. alwaysRecordLogin

By default, only entries which have an account policy directly applied to them — meaning, entries with the acctPolicySubentry attribute — have their login times tracked. If account policies are applied through classes of service or roles, then the acctPolicySubentry attribute is on the template or container entry, not the user entries themselves.

The alwaysRecordLogin attribute sets that every entry records its last login time. This allows CoS and roles to be used to apply account policies.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

yes | no

Default Value

no

Syntax

DirectoryString

Example

alwaysRecordLogin: no

6.3.2.3. alwaysRecordLoginAttr

The Account Policy plug-in uses the attribute name set in the alwaysRecordLoginAttr parameter to store the time of the last successful login in this attribute in the user’s directory entry.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any valid attribute name

Default Value

stateAttrName

Syntax

DirectoryString

Example

alwaysRecordLoginAttr: lastLoginTime

6.3.2.4. lastLoginHistSize

To maintain a history of successful logins, you can use the lastLoginHistSize attribute that determines the number of logins to store and stores the last five successful logins by default.

For the lastLoginHistSize attribute to stores the last logins, you must enable the alwaysRecordLogin attribute.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

0 (Disable) to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

lastloginhistorysize: 10

6.3.2.5. limitattrname

The account policy entry in the user directory defines the time limit for the account lockout policy. This time limit can be set in any time-based attribute, and a policy entry could have multiple time-based attributes in ti. The attribute within the policy to use for the account inactivation limit is defined in the limitattrname attribute in the Account Policy Plug-in, and it is applied globally to all account policies.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

limitattrname: accountInactivityLimit

6.3.2.6. specattrname

There are really two configuration entries for an account policy: the global settings in the plug-in configuration entry and then yser- or subtree-level settings in an entry within the user directory. An account policy can be set directly on a user entry or it can be set as part of a CoS or role configuration. The way that the plug-in identifies which entries are account policy configuration entries is by identifying a specific attribute on the entry which flags it as an account policy. This attribute in the plug-in configuration is is specattrname; its will usually be set to acctPolicySubentry.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

specattrname: acctPolicySubentry

6.3.2.7. stateattrname

Account expiration policies are based on some timed criteria for the account. For example, for an inactivity policy, the primary criteria may be the last login time, lastLoginTime. The primary time attribute used to evaluate an account policy is set in the stateattrname attribute.

ParameterDescription

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

stateattrname: lastLoginTime

6.3.3. Account Usability plug-in

Plug-in ParameterDescription

Plug-in ID

acctusability

DN of Configuration Entry

cn=Account Usability Plugin,cn=plugins,cn=config

Description

Checks the authentication status, or usability, of an account without actually authenticating as the given user

Type

preoperation

Configurable Options

on | off

Default Setting

on

Dependencies

Database

Performance-Related Information

None

6.3.4. ACL plug-in

Plug-in ParameterDescription

Plug-in ID

acl

DN of Configuration Entry

cn=ACL Plugin,cn=plugins,cn=config

Description

ACL access check plug-in

Type

accesscontrol

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

Database

Performance-Related Information

Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.

6.3.5. ACL Preoperation plug-in

Plug-in ParameterDescription

Plug-in ID

acl

DN of Configuration Entry

cn=ACL preoperation,cn=plugins,cn=config

Description

ACL access check plug-in

Type

preoperation

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

Database

Performance-Related Information

Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.

6.3.6. AD DN plug-in

The AD DN plug-in supports multiple domain configurations. Create one configuration entry for each domain.

Plug-in ParameterDescription

Plug-in ID

addn

DN of Configuration Entry

cn=addn,cn=plugins,cn=config

Description

Enables the usage of Active Directory-formatted user names, such as user_name and user_name@domain, for bind operations.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

addn_default_domain: Sets the default domain that is automatically appended to user names without domain.

Dependencies

None

Performance-Related Information

None

6.3.6.1. addn_base

Sets the base DN under which Directory Server searches the user’s DN.

ParameterDescription

Entry DN

cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry

Any valid DN

Default Value

None

Syntax

DirectoryString

Example

addn_base: ou=People,dc=example,dc=com

6.3.6.2. addn_filter

Sets the search filter. Directory Server replaces the %s variable automatically with the non-domain part of the authenticating user. For example, if the user name in the bind is user_name@example.com, the filter searches the corresponding DN which is (&(objectClass=account)(uid=user_name)).

ParameterDescription

Entry DN

cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry

Any valid DN

Default Value

None

Syntax

DirectoryString

Example

addn_filter: (&(objectClass=account)(uid=%s))

6.3.6.3. cn

Sets the domain name of the configuration entry. The plug-in uses the domain name from the authenticating user name to select the corresponding configuration entry.

ParameterDescription

Entry DN

cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry

Any string

Default Value

None

Syntax

DirectoryString

Example

cn: example.com

6.3.7. Alias Entries plug-in

The Alias Entries plug-in checks the base entry for the object class alias and the aliasedObjectName attribute that contains a DN to another entry (an alias to another entry). During a search, the plug-in modifies the search base DN to this aliased DN.

The Alias Entries plug-in supports only base level searches. Use the ldapsearch -a find command to retrieve entries with aliases.

For the plug-in to return the aliased entry, the base entry must contain the following information:

  • The alias object class.
  • The aliasedObjectName attribute (known as the aliasedEntryName attribute in X.500) with a DN value pointing to another entry.

Directory Server can return to the client the following errors:

  • Error 32 (no such object) if the alias DN is missing.
  • Error 53 (unwilling to perform) if the search is a non-base level search.

Dereferencing is the conversion of an alias name to an object name. The process may require the examination of more than one alias entry. An alias entry may point to an entry that is not a leaf entry. An entry in the DIT may have multiple alias names, and several alias entries may point to the same entry.

Example 6.3. An Entry with an alias

dn: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: Barbara Jensen
aliasedObjectName: cn=Barbara Smith,ou=Engineering,dc=example,dc=com
Plug-in ParameterDescription

Plug-in ID

Alias Entries

DN of Configuration Entry

cn=Alias Entries, cn=plugins, cn=config

Description

Checks the base entry for alias object class and aliasedObjectName attribute, during base level searches

Type

object

Configurable Options

on | off

Default Setting

off

Configurable Arguments

Alias entries belong to the alias object class.

The aliasedObjectName attribute stores the DN of the entry that an alias points to.

Dependencies

Database

Performance-Related Information

Every alias entry must belong to the alias object class and have no subordinates.

Further Information

The aliasedObjectName attribute is known as the aliasedEntryName attribute in X.500.

The distinguishedNameMatch matching rule and the DistinguishedName syntax are defined in RFC 4517.

6.3.8. Attribute Uniqueness plug-in

The Attribute Uniqueness plug-in ensures that the value of an attribute is unique across the directory or subtree.

Plug-in ParameterDescription

Plug-in ID

NSUniqueAttr

DN of Configuration Entry

cn=Attribute Uniqueness,cn=plugins,cn=config

Description

Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN"…​. However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute.

Dependencies

Database

Performance-Related Information

Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes.

The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-supplier replication environment. Turning the plug-in on may slow down Directory Server performance.

6.3.8.1. cn

Sets the name of the Attribute Uniqueness plug-in configuration record. You can use any string, but Red Hat recommends naming the configuration record attribute_name Attribute Uniqueness.

ParameterDescription

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid string

Default Value

None

Syntax

DirectoryString

Example

cn: mail Attribute Uniqueness

6.3.8.2. uniqueness-across-all-subtrees

If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry.

ParameterDescription

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

uniqueness-across-all-subtrees: off

6.3.8.3. uniqueness-attribute-name

Sets the name of the attribute whose values must be unique. This attribute is multi-valued.

ParameterDescription

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid attribute name

Default Value

None

Syntax

DirectoryString

Example

uniqueness-attribute-name: mail

6.3.8.4. uniqueness-subtree-entries-oc

Optionally, when using the uniqueness-top-entry-oc parameter, you can configure that the Attribute Uniqueness plug-in only verifies if an attribute is unique, if the entry contains the object class set in this parameter.

ParameterDescription

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid object class

Default Value

None

Syntax

DirectoryString

Example

uniqueness-subtree-entries-oc: inetOrgPerson

6.3.8.5. uniqueness-subtrees

Sets the DN under which the plug-in checks for uniqueness of the attribute’s value. This attribute is multi-valued.

ParameterDescription

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid subtree DN

Default Value

None

Syntax

DirectoryString

Example

uniqueness-subtrees: ou=Sales,dc=example,dc=com

6.3.8.6. uniqueness-top-entry-oc

Directory Server searches this object class in the parent entry of the updated object. If it was not found, the search continues at the next higher level entry up to the root of the directory tree. If the object class was found, Directory Server verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree.

ParameterDescription

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid object class

Default Value

None

Syntax

DirectoryString

Example

uniqueness-top-entry-oc: nsContainer

6.3.9. Auto Membership plug-in

Automembership essentially allows a static group to act like a dynamic group. Different automembership definitions create searches that are automatically run on all new directory entries. The automembership rules search for and identify matching entries — much like the dynamic search filters — and then explicitly add those entries as members to the specified static group.

The Auto Membership Plug-in itself is a container entry. Each automember definition is a child of the Auto Membership Plug-in. The automember definition defines the LDAP search base and filter to identify entries and a default group to add them to.

dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn

Each automember definition can have its own child entry that defines additional conditions for assigning the entry to group. Regular expressions can be used to include or exclude entries and assign them to specific groups based on those conditions.

dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com

If the entry matches the main definition and not any of the regular expression conditions, then it uses the group in the main definition. If it matches a regular expression condition, then it is added to the regular expression condition group.

Plug-in ParameterDescription

Plug-in ID

Auto Membership

DN of Configuration Entry

cn=Auto Membership,cn=plugins,cn=config

Description

Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group.

Dependencies

Database

Performance-Related Information

None.

6.3.9.1. autoMemberDefaultGroup

This attribute sets a default or fallback group to add the entry to as a member. If only the definition entry is used, then this is the group to which all matching entries are added. If regular expression conditions are used, then this group is used as a fallback if an entry which matches the LDAP search filter do not match any of the regular expressions.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any existing Directory Server group

Default Value

None

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberDefaultGroup: cn=hostgroups,ou=groups,dc=example,dc=com

6.3.9.2. autoMemberDefinition (object class)

This attribute identifies the entry as an automember definition. This entry must be a child of the Auto Membership Plug-in, cn=Auto Membership Plugin,cn=plugins,cn=config.

Allowed Attributes

  • autoMemberScope
  • autoMemberFilter
  • autoMemberDefaultGroup
  • autoMemberGroupingAttr

6.3.9.3. autoMemberExclusiveRegex

This attribute sets a single regular expression to use to identify entries to exclude. If an entry matches the exclusion condition, then it is not included in the group. Multiple regular expressions could be used, and if an entry matches any one of those expressions, it is excluded in the group.

The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.

Note

Exclude conditions are evaluated first and take precedence over include conditions.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any regular expression

Default Value

None

Single- or Multi-Valued

Multi-valued

Syntax

DirectoryString

Example

autoMemberExclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com

6.3.9.4. autoMemberFilter

This attribute sets a standard LDAP search filter to use to search for matching entries.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any valid LDAP search filter

Default Value

None

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberFilter:objectclass=ntUser

6.3.9.5. autoMemberGroupingAttr

This attribute gives the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr.

This structures how the Automembership Plug-in adds a member to the group, depending on the group configuration. For example, for a groupOfUniqueNames user group, each member is added as a uniqueMember attribute. The value of uniqueMember is the DN of the user entry. In essence, each group member is identified by the attribute-value pair of uniqueMember: user_entry_DN. The member entry format, then, is uniqueMember:dn.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any Directory Server attribute

Default Value

None

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberGroupingAttr: member:dn

6.3.9.6. autoMemberInclusiveRegex

This attribute sets a single regular expression to use to identify entries to include. Multiple regular expressions could be used, and if an entry matches any one of those expressions, it is included in the group (assuming it does not match an exclude expression).

The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any regular expression

Default Value

None

Single- or Multi-Valued

Multi-valued

Syntax

DirectoryString

Example

autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com

6.3.9.7. autoMemberProcessModifyOps

By default, Directory Server invokes the Automembership plug-in for add and modify operations. With this setting, the plug-in changes groups when you add a group entry to a user or modify a group entry of a user. If you set the autoMemberProcessModifyOps to off, Directory Server only invokes the Automembership plug-in when you add a group entry to a user. In this case, if an administrator changes a user entry, and that entry impactes what Automembership groups the user belongs to, the plug-in does not remove the user from the old group and only adds the new group. To update the old group, you must then manually run a fix-up task.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Values

on | off

Default Value

on

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberProcessModifyOps: on

6.3.9.8. autoMemberRegexRule (object class)

This attribute identifies the entry as a regular expression rule. This entry must be a child of an automember definition (objectclass: autoMemberDefinition).

Allowed Attributes

  • autoMemberInclusiveRegex
  • autoMemberExclusiveRegex
  • autoMemberTargetGroup

6.3.9.9. autoMemberScope

This attribute sets the subtree DN to search for entries. This is the search base.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any Directory Server subtree

Default Value

None

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberScope: dc=example,dc=com

6.3.9.10. autoMemberTargetGroup

This attribute sets which group to add the entry to as a member, if it meets the regular expression conditions.

ParameterDescription

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any Directory Server group

Default Value

None

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberTargetGroup: cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com

6.3.10. Binary Syntax plug-in

Warning

Binary syntax is deprecated. Use Octet String syntax instead.

Plug-in ParameterDescription

Plug-in ID

bin-syntax

DN of Configuration Entry

cn=Binary Syntax,cn=plugins,cn=config

Description

Syntax for handling binary data.