Chapter 6. Plug-in implemented server functionality reference

This chapter contains reference information on plug-ins.

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes a given plug-in uses by performing an ldapsearch on the cn=config subtree.

All plug-ins are instances of the nsSlapdPlugin object class, which inherits from the extensibleObject object class. The server takes plug-in configuration attributes into account only when both object classes (in addition to the top object class) are present in the entry, as shown in the following example:

dn: cn=ACL Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject

6.1. List of attributes common to all plug-ins

This list provides a brief attribute description, the entry DN, valid range, default value, syntax, and an example for each attribute.

Each Directory Server plug-in belongs to the nsSlapdPlugin object class.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.41

Table 6.1. Required Attributes
Attribute | Definition

objectClass

Gives the object classes assigned to the entry.

cn

Gives the common name of the entry.

nsslapd-pluginPath

Identifies the plugin library name (without the library suffix).

nsslapd-pluginInitfunc

Identifies an initialization function of the plugin.

nsslapd-pluginType

Identifies the type of plugin.

nsslapd-pluginId

Identifies the plugin ID.

nsslapd-pluginVersion

Identifies the version of plugin.

nsslapd-pluginVendor

Identifies the vendor of plugin.

nsslapd-pluginDescription

Identifies the description of the plugin.

nsslapd-pluginEnabled

Identifies whether or not the plugin is enabled.

nsslapd-pluginPrecedence

Sets the priority for the plug-in in the execution order.

6.1.1. nsslapd-logAccess

This attribute enables you to log search operations run by the plug-in to the file set in the nsslapd-accesslog parameter in cn=config.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-logAccess: Off

6.1.2. nsslapd-logAudit

This attribute enables you to log and audit modifications to the database that originate from the plug-in.

Successful modification events are logged in the audit log if the nsslapd-auditlog-logging-enabled parameter is enabled in cn=config. To log database modification operations by a plug-in that fail, enable the nsslapd-auditfaillog-logging-enabled attribute in cn=config.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-logAudit: Off

6.1.3. nsslapd-pluginDescription

This attribute provides a description of the plug-in.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

 

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginDescription: acl access check plug-in

6.1.4. nsslapd-pluginEnabled

This attribute specifies whether the plug-in is enabled. This attribute can be changed over protocol but will only take effect when the server is next restarted.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-pluginEnabled: on

6.1.5. nsslapd-pluginId

This attribute specifies the plug-in ID.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in ID

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginId: chaining database

6.1.6. nsslapd-pluginInitfunc

This attribute specifies the plug-in's initialization function.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in function

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginInitfunc: NS7bitAttr_Init

6.1.7. nsslapd-pluginPath

This attribute specifies the full path to the plug-in.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid path

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginPath: uid-plugin

6.1.8. nsslapd-pluginPrecedence

This attribute sets the precedence or priority for the execution order of a plug-in. Precedence defines the execution order of plug-ins, which allows more complex environments or interactions since it can enable a plug-in to wait for a completed operation before being executed. This is more important for pre-operation and post-operation plug-ins.

Plug-ins with a value of 1 have the highest priority and are run first; plug-ins with a value of 99 have the lowest priority. The default is 50.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

1 to 99

Default Value

50

Syntax

Integer

Example

nsslapd-pluginPrecedence: 3

6.1.9. nsslapd-pluginType

This attribute specifies the plug-in type. See Section 6.2.4, “nsslapd-plugin-depends-on-type” for further information.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in type

Default Value

None

Syntax

DirectoryString

Example

nsslapd-pluginType: preoperation

6.1.10. nsslapd-pluginVendor

This attribute specifies the vendor of the plug-in.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any approved plug-in vendor

Default Value

Red Hat, Inc.

Syntax

DirectoryString

Example

nsslapd-pluginVendor: Red Hat, Inc.

6.1.11. nsslapd-pluginVersion

This attribute specifies the plug-in version.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid plug-in version

Default Value

Product version number

Syntax

DirectoryString

Example

nsslapd-pluginVersion: {VER}

6.2. Optional attributes of certain plug-ins

6.2.1. nsslapd-dynamic-plugins

You can enable some Directory Server plug-ins dynamically, without restarting the instance. Enable the nsslapd-dynamic-plugins attribute in Directory Server to allow dynamic plug-ins. By default, dynamic plug-ins are disabled.

Warning

Red Hat Directory Server does not support dynamic plug-ins. Use it only for testing and debugging purposes.

You cannot configure some plug-ins as dynamic. To enable such plug-ins, restart the instance.

Plug-in Parameter | Description

Entry DN

cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-dynamic-plugins: on

6.2.2. nsslapd-pluginConfigArea

Some plug-in entries are container entries, and multiple instances of the plug-in are created beneath this container in cn=plugins,cn=config. However, the cn=plugins,cn=config subtree is not replicated, which means that the plug-in configurations beneath those container entries must be configured manually, in some way, on every Directory Server instance.

The nsslapd-pluginConfigArea attribute points to another container entry, in the main database area, which contains the plug-in instance entries. This container entry can be in a replicated database, which allows the plug-in configuration to be replicated.

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

Any valid DN

Default Value

 

Syntax

DN

Example

nsslapd-pluginConfigArea: cn=managed entries container,ou=containers,dc=example,dc=com

6.2.3. nsslapd-plugin-depends-on-named

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Each value corresponds to the cn value of a plug-in. A plug-in whose cn matches one of these values is started by the server before this plug-in. If such a plug-in does not exist, the server fails to start. The following postoperation Referential Integrity Plug-in example shows that the Views plug-in is started before Roles. If Views is missing, the server does not start.

Plug-in Parameter | Description

Entry DN

cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values

Class of Service

Default Value

 

Syntax

DirectoryString

Example

* nsslapd-plugin-depends-on-named: Views

* nsslapd-pluginId: roles

6.2.4. nsslapd-plugin-depends-on-type

Multi-valued attribute used to ensure that plug-ins are called by the server in the correct order. Each value corresponds to a plug-in type, as set in the nsslapd-pluginType attribute. See Section 6.1.9, “nsslapd-pluginType” for further information. All plug-ins with a type value matching one of the values in the following valid range are started by the server before this plug-in. The following postoperation Referential Integrity Plug-in example shows that the database plug-in is started before the postoperation Referential Integrity Plug-in.

Plug-in Parameter | Description

Entry DN

cn=referential integrity postoperation,cn=plugins,cn=config

Valid Values

database

Default Value

 

Syntax

DirectoryString

Example

nsslapd-plugin-depends-on-type: database
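The following added example (not part of the Directory Server documentation or code) shows how nsslapd-pluginPrecedence, nsslapd-plugin-depends-on-named and nsslapd-plugin-depends-on-type combine into a single start order, and why a missing named dependency stops start-up. The plug-in entries are constructed, and start_order, precedence and PluginConfigError are names chosen for this illustration.

```python
"""Order plug-in configuration entries as the sections above describe:
nsslapd-pluginPrecedence (1 = first, 99 = last, default 50) combined with
the nsslapd-plugin-depends-on-named / -type constraints.

Added example, not 389 Directory Server's own start-up code; the entries
below are constructed and the helper names are this example's own.
"""
from collections import defaultdict
from graphlib import CycleError, TopologicalSorter

# Constructed plug-in entries (cn=...,cn=plugins,cn=config), keeping only
# the attributes that matter for ordering.
PLUGINS = [
    {"cn": "ldbm database", "nsslapd-pluginType": "database",
     "nsslapd-pluginEnabled": "on"},
    {"cn": "Views", "nsslapd-pluginType": "object",
     "nsslapd-pluginEnabled": "on", "nsslapd-pluginPrecedence": "50"},
    {"cn": "Roles Plugin", "nsslapd-pluginType": "object",
     "nsslapd-pluginEnabled": "on", "nsslapd-pluginPrecedence": "50",
     "nsslapd-plugin-depends-on-named": ["Views"]},
    {"cn": "referential integrity postoperation",
     "nsslapd-pluginType": "postoperation", "nsslapd-pluginEnabled": "on",
     "nsslapd-plugin-depends-on-type": ["database"]},
    {"cn": "ACL Plugin", "nsslapd-pluginType": "accesscontrol",
     "nsslapd-pluginEnabled": "on", "nsslapd-pluginPrecedence": "3"},
]


class PluginConfigError(Exception):
    """A configuration the server would refuse to start with."""


def precedence(entry):
    """nsslapd-pluginPrecedence as an int, default 50, range 1..99."""
    value = int(entry.get("nsslapd-pluginPrecedence", 50))
    if not 1 <= value <= 99:
        raise PluginConfigError(
            f"{entry['cn']}: precedence {value} outside 1-99")
    return value


def start_order(plugins):
    """Return the cn values of enabled plug-ins in start order.

    depends-on-named and depends-on-type are hard constraints, and a
    missing named dependency is fatal. Among plug-ins that are not
    constrained relative to each other, the lower precedence value starts
    first; the cn breaks remaining ties so the result is stable.
    """
    enabled = {p["cn"]: p for p in plugins
               if p.get("nsslapd-pluginEnabled", "on") == "on"}
    by_type = defaultdict(list)
    for p in enabled.values():
        by_type[p["nsslapd-pluginType"]].append(p["cn"])

    deps = {cn: set() for cn in enabled}
    for cn, p in enabled.items():
        for name in p.get("nsslapd-plugin-depends-on-named", []):
            if name not in enabled:
                raise PluginConfigError(
                    f"{cn}: depends on missing plug-in '{name}'")
            deps[cn].add(name)
        for ptype in p.get("nsslapd-plugin-depends-on-type", []):
            # every other enabled plug-in of that type must start first
            deps[cn].update(c for c in by_type.get(ptype, []) if c != cn)

    sorter = TopologicalSorter(deps)
    try:
        sorter.prepare()
    except CycleError as exc:
        raise PluginConfigError(f"dependency cycle: {exc.args[1]}") from exc

    order, pending = [], set()
    while sorter.is_active():
        pending.update(sorter.get_ready())
        # Start the highest-priority plug-in whose dependencies are met,
        # then re-check readiness so newly unblocked plug-ins compete.
        first = min(pending, key=lambda c: (precedence(enabled[c]), c.lower()))
        pending.remove(first)
        order.append(first)
        sorter.done(first)
    return order


if __name__ == "__main__":
    print(start_order(PLUGINS))
```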

6.2.5. nsslapd-pluginLoadGlobal

This attribute specifies whether the symbols in dependent libraries are made visible locally (false) or to the executable and to all shared objects (true).

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

true | false

Default Value

false

Syntax

DirectoryString

Example

nsslapd-pluginLoadGlobal: false

6.2.6. nsslapd-pluginLoadNow

This attribute specifies whether to load all of the symbols used by a plug-in immediately (true), as well as all symbols referenced by those symbols, or to load each symbol the first time it is used (false).

Plug-in Parameter | Description

Entry DN

cn=plug-in name,cn=plugins,cn=config

Valid Values

true | false

Default Value

false

Syntax

DirectoryString

Example

nsslapd-pluginLoadNow: false

6.3. Server plug-in functionality reference

This section provides an overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading.

6.3.1. 7-bit Check plug-in

Plug-in Parameter | Description

Plug-in ID

NS7bitAtt

DN of Configuration Entry

cn=7-bit check,cn=plugins,cn=config

Description

Checks certain attributes are 7-bit clean

Type

preoperation

Configurable Options

on | off

Default Setting

on

Configurable Arguments

List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur.

Dependencies

Database

Performance-Related Information

None

Further Information

If Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

6.3.2. Account Policy plug-in

Account policies can be set that automatically lock an account after a certain amount of time has elapsed. This can be used to create temporary accounts that are only valid for a preset amount of time or to lock users which have been inactive for a certain amount of time.

The Account Policy Plug-in itself accepts only one argument, which points to a plug-in configuration entry.

dn: cn=Account Policy Plugin,cn=plugins,cn=config
...
nsslapd-pluginarg0: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

The account policy configuration entry defines, for the entire server, what attributes to use for account policies. Most of the configuration defines attributes to use to evaluate account policies and expiration times, but the configuration also defines what object class to use to identify subtree-level account policy definitions.

dn: cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: config

# ... attributes for evaluating accounts ...
alwaysRecordLogin: yes
stateattrname: lastLoginTime
altstateattrname: createTimestamp

# ... attributes for account policy entries ...
specattrname: acctPolicySubentry
limitattrname: accountInactivityLimit

Once the plug-in is configured globally, account policy entries can be created within the user subtrees, and these policies can then be applied to users and to roles through classes of service.

Example 6.1. Account Policy Definition

dn: cn=AccountPolicy,dc=example,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: extensibleObject
objectClass: accountpolicy
# 86400 seconds per day * 30 days = 2592000 seconds
accountInactivityLimit: 2592000
cn: AccountPolicy

Any entry, both individual users and roles or CoS templates, can be an account policy subentry. Every account policy subentry has its creation and login times tracked against any expiration policy.

Example 6.2. User Account with Account Policy

dn: uid=scarter,ou=people,dc=example,dc=com
...
lastLoginTime: 20060527001051Z
acctPolicySubentry: cn=AccountPolicy,dc=example,dc=com

Plug-in Parameter | Description

Plug-in ID

none

DN of Configuration Entry

cn=Account Policy Plugin,cn=plugins,cn=config

Description

Defines a policy to lock user accounts after a certain expiration period or inactivity period.

Type

object

Configurable Options

on | off

Default Setting

off

Configurable Arguments

A pointer to a configuration entry which contains the global account policy settings.

Dependencies

Database

Performance-Related Information

None

Further Information

This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the acctPolicySubentry object class. These configuration entries can then be applied to users or roles through classes of service.

6.3.2.1. altstateattrname

Account expiration policies are based on some timed criterion for the account. For example, for an inactivity policy, the primary criterion may be the last login time, lastLoginTime. However, there may be instances where that attribute does not exist on an entry, such as a user who has never logged in to the account. The altstateattrname attribute provides a backup attribute for the server to reference when evaluating the expiration time.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

altstateattrname: createTimeStamp

6.3.2.2. alwaysRecordLogin

By default, only entries which have an account policy directly applied to them — meaning, entries with the acctPolicySubentry attribute — have their login times tracked. If account policies are applied through classes of service or roles, then the acctPolicySubentry attribute is on the template or container entry, not the user entries themselves.

The alwaysRecordLogin attribute specifies that every entry records its last login time. This allows CoS and roles to be used to apply account policies.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

yes | no

Default Value

no

Syntax

DirectoryString

Example

alwaysRecordLogin: no

6.3.2.3. alwaysRecordLoginAttr

The Account Policy plug-in stores the time of the last successful login in the attribute named by the alwaysRecordLoginAttr parameter in the user's directory entry.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any valid attribute name

Default Value

stateAttrName

Syntax

DirectoryString

Example

alwaysRecordLoginAttr: lastLoginTime

6.3.2.4. lastLoginHistSize

To maintain a history of successful logins, use the lastLoginHistSize attribute, which determines the number of logins to store. By default, the last five successful logins are stored.

For the lastLoginHistSize attribute to store the last logins, you must enable the alwaysRecordLogin attribute.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

0 (Disable) to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

lastLoginHistSize: 10

6.3.2.5. limitattrname

The account policy entry in the user directory defines the time limit for the account lockout policy. This time limit can be set in any time-based attribute, and a policy entry could have multiple time-based attributes in it. The attribute within the policy to use for the account inactivation limit is defined in the limitattrname attribute in the Account Policy Plug-in, and it is applied globally to all account policies.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

limitattrname: accountInactivityLimit

6.3.2.6. specattrname

There are really two configuration entries for an account policy: the global settings in the plug-in configuration entry, and then user- or subtree-level settings in an entry within the user directory. An account policy can be set directly on a user entry, or it can be set as part of a CoS or role configuration. The plug-in identifies which entries are account policy configuration entries by a specific attribute on the entry that flags it as an account policy. This attribute in the plug-in configuration is specattrname; it will usually be set to acctPolicySubentry.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

specattrname: acctPolicySubentry

6.3.2.7. stateattrname

Account expiration policies are based on some timed criterion for the account. For example, for an inactivity policy, the primary criterion may be the last login time, lastLoginTime. The primary time attribute used to evaluate an account policy is set in the stateattrname attribute.

Parameter | Description

Entry DN

cn=config,cn=Account Policy Plugin,cn=plugins,cn=config

Valid Range

Any time-based entry attribute

Default Value

None

Syntax

DirectoryString

Example

stateattrname: lastLoginTime
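The following added example (not part of the Directory Server documentation or the plug-in's code) walks an inactivity check through the configuration attributes of Section 6.3.2: the policy is found through specattrname, the reference time comes from stateattrname with altstateattrname as the fallback, the limit from limitattrname, and alwaysRecordLogin decides which entries have their login time written. The entries are constructed; account_state, should_allow_bind and record_login are names chosen for this illustration, and the now argument stands in for the server clock.

```python
"""Evaluate the inactivity check the Account Policy plug-in applies at bind
time, driven by the global configuration attributes described above.

Added example, not the plug-in's own code. DIRECTORY is a constructed
in-memory set of entries; the function names are this example's own.
"""
from datetime import datetime, timezone

# cn=config,cn=Account Policy Plugin,cn=plugins,cn=config
PLUGIN_CONFIG = {
    "stateattrname": "lastLoginTime",
    "altstateattrname": "createTimestamp",
    "specattrname": "acctPolicySubentry",
    "limitattrname": "accountInactivityLimit",
}

# Constructed entries: a 30-day policy subentry and four users.
DIRECTORY = {
    "cn=AccountPolicy,dc=example,dc=com": {
        "objectClass": ["top", "ldapsubentry", "extensibleObject",
                        "accountpolicy"],
        "accountInactivityLimit": "2592000",
    },
    "uid=scarter,ou=people,dc=example,dc=com": {
        "lastLoginTime": "20060527001051Z",
        "createTimestamp": "20050101000000Z",
        "acctPolicySubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    # never logged in: only the alternate (creation) timestamp exists
    "uid=newhire,ou=people,dc=example,dc=com": {
        "createTimestamp": "20060601000000Z",
        "acctPolicySubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    # policy attached but neither time attribute present
    "uid=ghost,ou=people,dc=example,dc=com": {
        "acctPolicySubentry": "cn=AccountPolicy,dc=example,dc=com",
    },
    # no policy attached at all
    "uid=svc-backup,ou=people,dc=example,dc=com": {
        "createTimestamp": "20000101000000Z",
    },
}


def parse_generalized_time(value):
    """Parse the GeneralizedTime form shown on the page (YYYYMMDDHHMMSSZ)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(
        tzinfo=timezone.utc)


def account_state(dn, now, directory=DIRECTORY, config=PLUGIN_CONFIG):
    """Return 'no-policy', 'active', 'inactive' or 'no-timestamp'."""
    entry = directory[dn]
    policy_dn = entry.get(config["specattrname"])
    if policy_dn is None:
        return "no-policy"
    limit = int(directory[policy_dn][config["limitattrname"]])

    # primary time attribute first, alternate attribute as the fallback
    stamp = (entry.get(config["stateattrname"])
             or entry.get(config["altstateattrname"]))
    if stamp is None:
        # nothing to evaluate against: report it instead of guessing
        return "no-timestamp"
    elapsed = (now - parse_generalized_time(stamp)).total_seconds()
    return "inactive" if elapsed > limit else "active"


def should_allow_bind(dn, now, directory=DIRECTORY, config=PLUGIN_CONFIG):
    """A bind to an account the policy considers inactive is refused."""
    return account_state(dn, now, directory, config) != "inactive"


def record_login(dn, now, directory=DIRECTORY, config=PLUGIN_CONFIG):
    """After a successful bind, write the login time into stateattrname.

    Only entries carrying specattrname are tracked unless alwaysRecordLogin
    is 'yes' (needed when policies are applied via CoS or roles).
    Returns True if the attribute was written.
    """
    entry = directory[dn]
    tracked = (config["specattrname"] in entry
               or config.get("alwaysRecordLogin", "no") == "yes")
    if not tracked:
        return False
    entry[config["stateattrname"]] = now.strftime("%Y%m%d%H%M%SZ")
    return True
```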

6.3.3. Account Usability plug-in

Plug-in Parameter | Description

Plug-in ID

acctusability

DN of Configuration Entry

cn=Account Usability Plugin,cn=plugins,cn=config

Description

Checks the authentication status, or usability, of an account without actually authenticating as the given user

Type

preoperation

Configurable Options

on | off

Default Setting

on

Dependencies

Database

Performance-Related Information

None

6.3.4. ACL plug-in

Plug-in Parameter | Description

Plug-in ID

acl

DN of Configuration Entry

cn=ACL Plugin,cn=plugins,cn=config

Description

ACL access check plug-in

Type

accesscontrol

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

Database

Performance-Related Information

Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.

6.3.5. ACL Preoperation plug-in

Plug-in Parameter | Description

Plug-in ID

acl

DN of Configuration Entry

cn=ACL preoperation,cn=plugins,cn=config

Description

ACL access check plug-in

Type

preoperation

Configurable Options

on | off

Default Setting

on

Configurable Arguments

None

Dependencies

Database

Performance-Related Information

Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.

6.3.6. AD DN plug-in

The AD DN plug-in supports multiple domain configurations. Create one configuration entry for each domain.

Plug-in Parameter | Description

Plug-in ID

addn

DN of Configuration Entry

cn=addn,cn=plugins,cn=config

Description

Enables the usage of Active Directory-formatted user names, such as user_name and user_name@domain, for bind operations.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

addn_default_domain: Sets the default domain that is automatically appended to user names without domain.

Dependencies

None

Performance-Related Information

None

6.3.6.1. addn_base

Sets the base DN under which Directory Server searches for the user's DN.

Parameter | Description

Entry DN

cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry

Any valid DN

Default Value

None

Syntax

DirectoryString

Example

addn_base: ou=People,dc=example,dc=com

6.3.6.2. addn_filter

Sets the search filter. Directory Server replaces the %s variable automatically with the non-domain part of the authenticating user. For example, if the user name in the bind is user_name@example.com, the filter searches the corresponding DN which is (&(objectClass=account)(uid=user_name)).

Parameter | Description

Entry DN

cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry

Any valid DN

Default Value

None

Syntax

DirectoryString

Example

addn_filter: (&(objectClass=account)(uid=%s))

6.3.6.3. cn

Sets the domain name of the configuration entry. The plug-in uses the domain name from the authenticating user name to select the corresponding configuration entry.

Parameter | Description

Entry DN

cn=domain_name,cn=addn,cn=plugins,cn=config

Valid Entry

Any string

Default Value

None

Syntax

DirectoryString

Example

cn: example.com
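The following added example (not part of the Directory Server documentation or the plug-in's code) resolves an Active Directory-style bind name to the search the AD DN configuration above describes: the per-domain entry is selected by its cn, addn_default_domain fills in a missing domain, %s in addn_filter is replaced by the user part, and the search runs under addn_base. The domain entries are constructed, and the RFC 4515 escaping of the user part is this example's own hardening, not something the page states the plug-in does.

```python
"""Map 'user_name' or 'user_name@domain' to (addn_base, addn_filter) as the
AD DN plug-in configuration above describes.

Added example, not the plug-in's code. DOMAINS is constructed, and the
filter escaping is this example's own precaution.
"""

# cn=addn,cn=plugins,cn=config
ADDN_CONFIG = {"addn_default_domain": "example.com"}

# cn=<domain_name>,cn=addn,cn=plugins,cn=config, one entry per domain
DOMAINS = {
    "example.com": {
        "addn_base": "ou=People,dc=example,dc=com",
        "addn_filter": "(&(objectClass=account)(uid=%s))",
    },
    "corp.example.net": {
        "addn_base": "ou=Staff,dc=corp,dc=example,dc=net",
        "addn_filter": "(&(objectClass=inetOrgPerson)(sAMAccountName=%s))",
    },
}

# RFC 4515 assertion-value escapes (example's own hardening)
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29",
                   "\0": r"\00"}


def escape_filter_value(value):
    """Escape the user part so it is matched literally and cannot change
    the structure of the configured filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def split_bind_name(name, config=ADDN_CONFIG):
    """Split 'user@domain' into (user, domain), applying the default domain
    when none is given; names with several '@' or an empty user part are
    rejected."""
    if not name or name.count("@") > 1:
        raise ValueError(f"malformed bind name: {name!r}")
    user, _, domain = name.partition("@")
    if not user:
        raise ValueError(f"empty user part in bind name: {name!r}")
    domain = domain or config["addn_default_domain"]
    return user, domain.lower()


def build_search(name, domains=DOMAINS, config=ADDN_CONFIG):
    """Return (base_dn, filter) for the bind name, or None when no
    configuration entry exists for its domain."""
    user, domain = split_bind_name(name, config)
    entry = domains.get(domain)
    if entry is None:
        return None
    filt = entry["addn_filter"].replace("%s", escape_filter_value(user))
    return entry["addn_base"], filt
```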

6.3.7. Alias Entries plug-in

The Alias Entries plug-in checks the base entry for the object class alias and the aliasedObjectName attribute that contains a DN to another entry (an alias to another entry). During a search, the plug-in modifies the search base DN to this aliased DN.

The Alias Entries plug-in supports only base level searches. Use the ldapsearch -a find command to retrieve entries with aliases.

For the plug-in to return the aliased entry, the base entry must contain the following information:

  • The alias object class.
  • The aliasedObjectName attribute (known as the aliasedEntryName attribute in X.500) with a DN value pointing to another entry.

Directory Server can return to the client the following errors:

  • Error 32 (no such object) if the alias DN is missing.
  • Error 53 (unwilling to perform) if the search is a non-base level search.

Dereferencing is the conversion of an alias name to an object name. The process may require the examination of more than one alias entry. An alias entry may point to an entry that is not a leaf entry. An entry in the DIT may have multiple alias names, and several alias entries may point to the same entry.

Example 6.3. An Entry with an alias

dn: cn=Barbara Jensen,ou=Engineering,dc=example,dc=com
objectClass: top
objectClass: alias
objectClass: extensibleObject
cn: Barbara Jensen
aliasedObjectName: cn=Barbara Smith,ou=Engineering,dc=example,dc=com

Plug-in Parameter | Description

Plug-in ID

Alias Entries

DN of Configuration Entry

cn=Alias Entries, cn=plugins, cn=config

Description

Checks the base entry for alias object class and aliasedObjectName attribute, during base level searches

Type

object

Configurable Options

on | off

Default Setting

off

Configurable Arguments

Alias entries belong to the alias object class.

The aliasedObjectName attribute stores the DN of the entry that an alias points to.

Dependencies

Database

Performance-Related Information

Every alias entry must belong to the alias object class and have no subordinates.

Further Information

The aliasedObjectName attribute is known as the aliasedEntryName attribute in X.500.

The distinguishedNameMatch matching rule and the DistinguishedName syntax are defined in RFC 4517.
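The following added example (not part of the Directory Server documentation or the plug-in's code) dereferences a search base the way the Alias Entries section describes: a base-scope search on an alias entry is redirected to its aliasedObjectName, possibly through several alias entries, a missing target gives error 32 and a non-base scope gives error 53. The entries are constructed; the hop limit that stops alias cycles is this example's own precaution, which the page does not describe.

```python
"""Dereference a base-scope search base through alias entries.

Added example, not the plug-in's code. DIRECTORY is constructed; the
max_hops guard is this example's own addition.
"""
NO_SUCH_OBJECT = 32          # alias DN is missing
UNWILLING_TO_PERFORM = 53    # search is not a base level search

DIRECTORY = {
    "cn=Barbara Smith,ou=Engineering,dc=example,dc=com": {
        "objectClass": ["top", "person"], "cn": ["Barbara Smith"]},
    "cn=Barbara Jensen,ou=Engineering,dc=example,dc=com": {
        "objectClass": ["top", "alias", "extensibleObject"],
        "aliasedObjectName": [
            "cn=Barbara Smith,ou=Engineering,dc=example,dc=com"]},
    # alias pointing at an alias: resolved through both entries
    "cn=BJ,ou=Engineering,dc=example,dc=com": {
        "objectClass": ["top", "alias", "extensibleObject"],
        "aliasedObjectName": [
            "cn=Barbara Jensen,ou=Engineering,dc=example,dc=com"]},
    # dangling alias: its target does not exist
    "cn=Old Name,ou=Engineering,dc=example,dc=com": {
        "objectClass": ["top", "alias", "extensibleObject"],
        "aliasedObjectName": ["cn=Gone,ou=Engineering,dc=example,dc=com"]},
}


def is_alias(entry):
    """True if the entry carries the alias object class."""
    return "alias" in [oc.lower() for oc in entry.get("objectClass", [])]


def dereference_base(base_dn, scope="base", directory=DIRECTORY, max_hops=8):
    """Return (resolved_dn, None) on success or (None, ldap_error_code)."""
    if scope != "base":
        return None, UNWILLING_TO_PERFORM   # plug-in supports base searches only
    dn = base_dn
    for _ in range(max_hops):
        entry = directory.get(dn)
        if entry is None:
            return None, NO_SUCH_OBJECT
        if not is_alias(entry):
            return dn, None                  # reached a real (non-alias) entry
        targets = entry.get("aliasedObjectName", [])
        if not targets:
            return None, NO_SUCH_OBJECT      # alias without a target DN
        dn = targets[0]
    # chain too long or cyclic: treat as unresolvable (example's own guard)
    return None, NO_SUCH_OBJECT
```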

6.3.8. Attribute Uniqueness plug-in

The Attribute Uniqueness plug-in ensures that the value of an attribute is unique across the directory or subtree.

Plug-in Parameter | Description

Plug-in ID

NSUniqueAttr

DN of Configuration Entry

cn=Attribute Uniqueness,cn=plugins,cn=config

Description

Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN"… However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally, requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute.

Dependencies

Database

Performance-Related Information

Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes.

The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-supplier replication environment. Turning the plug-in on may slow down Directory Server performance.

6.3.8.1. cn

Sets the name of the Attribute Uniqueness plug-in configuration record. You can use any string, but Red Hat recommends naming the configuration record attribute_name Attribute Uniqueness.

Parameter | Description

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid string

Default Value

None

Syntax

DirectoryString

Example

cn: mail Attribute Uniqueness

6.3.8.2. uniqueness-across-all-subtrees

If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry.

Parameter | Description

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

on | off

Default Value

off

Syntax

DirectoryString

Example

uniqueness-across-all-subtrees: off

6.3.8.3. uniqueness-attribute-name

Sets the name of the attribute whose values must be unique. This attribute is multi-valued.

Parameter | Description

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid attribute name

Default Value

None

Syntax

DirectoryString

Example

uniqueness-attribute-name: mail

6.3.8.4. uniqueness-subtree-entries-oc

Optionally, when using the uniqueness-top-entry-oc parameter, you can configure the Attribute Uniqueness plug-in to verify that an attribute is unique only if the entry contains the object class set in this parameter.

Parameter | Description

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid object class

Default Value

None

Syntax

DirectoryString

Example

uniqueness-subtree-entries-oc: inetOrgPerson

6.3.8.5. uniqueness-subtrees

Sets the DN under which the plug-in checks for uniqueness of the attribute’s value. This attribute is multi-valued.

Parameter | Description

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid subtree DN

Default Value

None

Syntax

DirectoryString

Example

uniqueness-subtrees: ou=Sales,dc=example,dc=com

6.3.8.6. uniqueness-top-entry-oc

Directory Server searches this object class in the parent entry of the updated object. If it was not found, the search continues at the next higher level entry up to the root of the directory tree. If the object class was found, Directory Server verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree.

Parameter | Description

Entry DN

cn=attribute_uniqueness_configuration_record_name,cn=plugins,cn=config

Valid Values

Any valid object class

Default Value

None

Syntax

DirectoryString

Example

uniqueness-top-entry-oc: nsContainer
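The following added example (not part of the Directory Server documentation or the plug-in's code) applies the two ways an Attribute Uniqueness configuration record can scope its check, as described in Sections 6.3.8.2 to 6.3.8.6: fixed uniqueness-subtrees with or without uniqueness-across-all-subtrees, or the uniqueness-top-entry-oc walk up the tree, optionally limited to entries carrying uniqueness-subtree-entries-oc. The directory and both configuration records are constructed; scope_for and check_unique are names chosen for this illustration.

```python
"""Decide whether an add or modify would violate an Attribute Uniqueness
configuration record, scoping the check as the record specifies.

Added example, not the plug-in's code. DIRECTORY and the two records are
constructed; DN handling is a naive comma split, sufficient for these DNs.
"""

DIRECTORY = {
    "dc=example,dc=com": {"objectClass": ["top", "domain"]},
    "ou=Sales,dc=example,dc=com": {
        "objectClass": ["top", "organizationalUnit", "nsContainer"]},
    "ou=Eng,dc=example,dc=com": {
        "objectClass": ["top", "organizationalUnit", "nsContainer"]},
    "uid=alice,ou=Sales,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": "alice@example.com"},
    "uid=bob,ou=Eng,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson"], "mail": "bob@example.com"},
}

# cn=mail Attribute Uniqueness,cn=plugins,cn=config, scoped by subtree list
MAIL_SUBTREES = {
    "uniqueness-attribute-name": "mail",
    "uniqueness-subtrees": ["ou=Sales,dc=example,dc=com",
                            "ou=Eng,dc=example,dc=com"],
    "uniqueness-across-all-subtrees": "off",
}

# The same check scoped by a marker object class on an ancestor entry
MAIL_TOP_OC = {
    "uniqueness-attribute-name": "mail",
    "uniqueness-top-entry-oc": "nsContainer",
    "uniqueness-subtree-entries-oc": "inetOrgPerson",
}


def parent_dn(dn):
    """Parent of a DN (naive split on commas)."""
    parts = [p.strip() for p in dn.split(",")]
    return ",".join(parts[1:]) if len(parts) > 1 else ""


def is_under(dn, base):
    """True if dn equals base or lies beneath it (case-insensitive)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def values_of(entry, attr):
    """Attribute values as a list, whether stored as str or list."""
    v = entry.get(attr, [])
    return [v] if isinstance(v, str) else list(v)


def scope_for(dn, entry, config, directory):
    """Subtree DNs the check applies to, or [] if the entry is out of scope."""
    subtrees = values_of(config, "uniqueness-subtrees")
    if subtrees:
        inside = [s for s in subtrees if is_under(dn, s)]
        if not inside:
            return []
        # on: unique across every configured subtree; off: the entry's own
        across = config.get("uniqueness-across-all-subtrees", "off") == "on"
        return subtrees if across else inside
    top_oc = config.get("uniqueness-top-entry-oc")
    if top_oc:
        need_oc = config.get("uniqueness-subtree-entries-oc")
        ocs = [o.lower() for o in values_of(entry, "objectClass")]
        if need_oc and need_oc.lower() not in ocs:
            return []            # entry lacks the required object class
        cur = parent_dn(dn)      # walk up from the parent towards the root
        while cur:
            anc = [o.lower() for o in
                   values_of(directory.get(cur, {}), "objectClass")]
            if top_oc.lower() in anc:
                return [cur]
            cur = parent_dn(cur)
    return []


def check_unique(dn, entry, config, directory):
    """Return conflicts [(attr, value, other_dn)]; an empty list means the
    add/modify of `entry` at `dn` satisfies the record."""
    scopes = scope_for(dn, entry, config, directory)
    conflicts = []
    for attr in values_of(config, "uniqueness-attribute-name"):
        for val in values_of(entry, attr):
            for other_dn, other in directory.items():
                if other_dn.lower() == dn.lower():
                    continue     # the entry being modified does not conflict
                if not any(is_under(other_dn, s) for s in scopes):
                    continue
                if val.lower() in [v.lower() for v in values_of(other, attr)]:
                    conflicts.append((attr, val, other_dn))
    return conflicts
```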

6.3.9. Auto Membership plug-in

Automembership essentially allows a static group to act like a dynamic group. Different automembership definitions create searches that are automatically run on all new directory entries. The automembership rules search for and identify matching entries — much like the dynamic search filters — and then explicitly add those entries as members to the specified static group.

The Auto Membership Plug-in itself is a container entry. Each automember definition is a child of the Auto Membership Plug-in. The automember definition defines the LDAP search base and filter to identify entries and a default group to add them to.

dn: cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberDefinition
cn: Hostgroups
autoMemberScope: dc=example,dc=com
autoMemberFilter: objectclass=ipHost
autoMemberDefaultGroup: cn=systems,cn=hostgroups,ou=groups,dc=example,dc=com
autoMemberGroupingAttr: member:dn

Each automember definition can have its own child entry that defines additional conditions for assigning the entry to a group. Regular expressions can be used to include or exclude entries and assign them to specific groups based on those conditions.

dn: cn=webservers,cn=Hostgroups,cn=Auto Membership Plugin,cn=plugins,cn=config
objectclass: autoMemberRegexRule
description: Group for webservers
cn: webservers
autoMemberTargetGroup: cn=webservers,cn=hostgroups,dc=example,dc=com
autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com

If the entry matches the main definition and not any of the regular expression conditions, then it uses the group in the main definition. If it matches a regular expression condition, then it is added to the regular expression condition group.

Plug-in Parameter | Description

Plug-in ID

Auto Membership

DN of Configuration Entry

cn=Auto Membership,cn=plugins,cn=config

Description

Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group.

Dependencies

Database

Performance-Related Information

None.

6.3.9.1. autoMemberDefaultGroup

This attribute sets a default or fallback group to add the entry to as a member. If only the definition entry is used, then this is the group to which all matching entries are added. If regular expression conditions are used, then this group is used as a fallback if an entry which matches the LDAP search filter does not match any of the regular expressions.

Parameter | Description

Entry DN

cn=Auto Membership Plugin,cn=plugins,cn=config

Valid Range

Any existing Directory Server group

Default Value

None

Single- or Multi-Valued

Single

Syntax

DirectoryString

Example

autoMemberDefaultGroup: cn=hostgroups,ou=groups,dc=example,dc=com

6.3.9.2. autoMemberDefinition (object class)

This attribute identifies the entry as an automember definition. This entry must be a child of the Auto Membership Plug-in, cn=Auto Membership Plugin,cn=plugins,cn=config.

Allowed Attributes

  • autoMemberScope
  • autoMemberFilter
  • autoMemberDefaultGroup
  • autoMemberGroupingAttr

6.3.9.3. autoMemberExclusiveRegex

This attribute sets a single regular expression to use to identify entries to exclude. If an entry matches the exclusion condition, then it is not included in the group. Multiple regular expressions can be used, and if an entry matches any one of those expressions, it is excluded from the group.

The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.

Note

Exclude conditions are evaluated first and take precedence over include conditions.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any regular expression |
| Default Value | None |
| Single- or Multi-Valued | Multi-valued |
| Syntax | DirectoryString |
| Example | autoMemberExclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |

6.3.9.4. autoMemberFilter

This attribute sets a standard LDAP search filter to use to search for matching entries.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP search filter |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberFilter: objectclass=ntUser |

6.3.9.5. autoMemberGroupingAttr

This attribute gives the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr.

This structures how the Automembership Plug-in adds a member to the group, depending on the group configuration. For example, for a groupOfUniqueNames user group, each member is added as a uniqueMember attribute. The value of uniqueMember is the DN of the user entry. In essence, each group member is identified by the attribute-value pair of uniqueMember: user_entry_DN. The member entry format, then, is uniqueMember:dn.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberGroupingAttr: member:dn |

6.3.9.6. autoMemberInclusiveRegex

This attribute sets a single regular expression to use to identify entries to include. Multiple regular expressions can be used, and if an entry matches any one of those expressions, it is included in the group (assuming it does not match an exclude expression).

The format of the expression is a Perl-compatible regular expression (PCRE). For more information on PCRE patterns, see the pcresyntax(3) man page.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any regular expression |
| Default Value | None |
| Single- or Multi-Valued | Multi-valued |
| Syntax | DirectoryString |
| Example | autoMemberInclusiveRegex: fqdn=^www\.web[0-9]+\.example\.com |

6.3.9.7. autoMemberProcessModifyOps

By default, Directory Server invokes the Automembership plug-in for add and modify operations. With this setting, the plug-in changes groups when you add a group entry to a user or modify a group entry of a user. If you set autoMemberProcessModifyOps to off, Directory Server only invokes the Automembership plug-in when you add a group entry to a user. In this case, if an administrator changes a user entry, and that change impacts which Automembership groups the user belongs to, the plug-in does not remove the user from the old group and only adds the new group. To update the old group, you must then manually run a fix-up task.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Values | on \| off |
| Default Value | on |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberProcessModifyOps: on |

6.3.9.8. autoMemberRegexRule (object class)

This attribute identifies the entry as a regular expression rule. This entry must be a child of an automember definition (objectclass: autoMemberDefinition).

Allowed Attributes

  • autoMemberInclusiveRegex
  • autoMemberExclusiveRegex
  • autoMemberTargetGroup

6.3.9.9. autoMemberScope

This attribute sets the subtree DN to search for entries. This is the search base.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server subtree |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberScope: dc=example,dc=com |

6.3.9.10. autoMemberTargetGroup

This attribute sets which group to add the entry to as a member, if it meets the regular expression conditions.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=Auto Membership Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server group |
| Default Value | None |
| Single- or Multi-Valued | Single |
| Syntax | DirectoryString |
| Example | autoMemberTargetGroup: cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com |
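How a definition and its regular expression rules pick the group for an entry, as an added Python model that is not Directory Server code: it applies autoMemberScope, a single-equality autoMemberFilter, autoMemberExclusiveRegex (evaluated first), autoMemberInclusiveRegex with its autoMemberTargetGroup, the autoMemberDefaultGroup fallback and the group_member_attr:entry_attr format of autoMemberGroupingAttr. The RegexRule and Definition classes, the sample host entries and their fqdn values are constructed for the illustration.

```python
"""Added model (not Directory Server code) of Automembership group selection:
scope and filter first, then each autoMemberRegexRule with exclusive regexes
taking precedence over inclusive ones, else the autoMemberDefaultGroup."""
import re
from dataclasses import dataclass, field


@dataclass
class RegexRule:
    """One autoMemberRegexRule entry; regex values use the attr=pattern form."""
    target_group: str                               # autoMemberTargetGroup
    inclusive: list = field(default_factory=list)   # autoMemberInclusiveRegex
    exclusive: list = field(default_factory=list)   # autoMemberExclusiveRegex


@dataclass
class Definition:
    """One autoMemberDefinition entry; the filter is limited to one attr=value test."""
    scope: str                  # autoMemberScope
    ldap_filter: str            # autoMemberFilter, e.g. "(objectclass=ipHost)"
    default_group: str          # autoMemberDefaultGroup
    grouping_attr: str          # autoMemberGroupingAttr, e.g. "member:dn"
    rules: list = field(default_factory=list)


def _norm_dn(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))

def _in_scope(entry_dn: str, scope: str) -> bool:
    # Subtree test: the entry DN must end with the scope DN.
    return _norm_dn(entry_dn).endswith(_norm_dn(scope))

def _filter_matches(entry: dict, ldap_filter: str) -> bool:
    attr, value = ldap_filter.strip("()").split("=", 1)
    return value.lower() in (v.lower() for v in entry.get(attr.lower(), []))

def _regex_matches(entry: dict, regexes: list) -> bool:
    """True if any attr=pattern item matches any value of attr on the entry."""
    for item in regexes:
        attr, pattern = item.split("=", 1)
        if any(re.search(pattern, v) for v in entry.get(attr.lower(), [])):
            return True
    return False

def resolve_group(entry: dict, definition: Definition):
    """DN of the group the entry is added to, or None when the entry is out of
    scope or fails the filter (the plug-in then leaves groups alone)."""
    if not _in_scope(entry["dn"], definition.scope):
        return None
    if not _filter_matches(entry, definition.ldap_filter):
        return None
    for rule in definition.rules:
        if _regex_matches(entry, rule.exclusive):   # exclude wins over include
            continue
        if _regex_matches(entry, rule.inclusive):
            return rule.target_group
    return definition.default_group                 # fallback group

def membership_change(entry: dict, definition: Definition):
    """(group DN, member attribute, value) the plug-in would add, following the
    group_member_attr:entry_attr format of autoMemberGroupingAttr."""
    group = resolve_group(entry, definition)
    if group is None:
        return None
    group_attr, entry_attr = definition.grouping_attr.split(":", 1)
    value = entry["dn"] if entry_attr == "dn" else entry[entry_attr][0]
    return group, group_attr, value


# Constructed sample configuration and entries (not taken from a real server).
DEFINITION = Definition(
    scope="dc=example,dc=com",
    ldap_filter="(objectclass=ipHost)",
    default_group="cn=hostgroups,ou=groups,dc=example,dc=com",
    grouping_attr="member:dn",
    rules=[RegexRule(
        target_group="cn=webservers,cn=hostgroups,ou=groups,dc=example,dc=com",
        inclusive=[r"fqdn=^www\.web[0-9]+\.example\.com"],
        exclusive=[r"fqdn=^www\.web13\.example\.com"],
    )],
)
ENTRIES = {
    "web": {"dn": "fqdn=www.web1.example.com,ou=hosts,dc=example,dc=com",
            "objectclass": ["ipHost"], "fqdn": ["www.web1.example.com"]},
    "excluded": {"dn": "fqdn=www.web13.example.com,ou=hosts,dc=example,dc=com",
                 "objectclass": ["ipHost"], "fqdn": ["www.web13.example.com"]},
    "other_host": {"dn": "fqdn=db1.example.com,ou=hosts,dc=example,dc=com",
                   "objectclass": ["ipHost"], "fqdn": ["db1.example.com"]},
    "person": {"dn": "uid=jdoe,ou=people,dc=example,dc=com", "objectclass": ["person"]},
    "out_of_scope": {"dn": "fqdn=www.web2.example.com,dc=other,dc=org",
                     "objectclass": ["ipHost"], "fqdn": ["www.web2.example.com"]},
}
```

The excluded host still lands in the default group: an exclusive match only removes the entry from that rule's target group, it does not take it out of the definition.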

6.3.10. Binary Syntax plug-in

Warning

Binary syntax is deprecated. Use Octet String syntax instead.

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | bin-syntax |
| DN of Configuration Entry | cn=Binary Syntax,cn=plugins,cn=config |
| Description | Syntax for handling binary data. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |

6.3.11. Bit String Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | bitstring-syntax |
| DN of Configuration Entry | cn=Bit String Syntax,cn=plugins,cn=config |
| Description | Supports bit string syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |

6.3.12. Bitwise plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | bitwise |
| DN of Configuration Entry | cn=Bitwise Plugin,cn=plugins,cn=config |
| Description | Matching rule for performing bitwise operations against the LDAP server |
| Type | matchingrule |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |

6.3.13. Boolean Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | boolean-syntax |
| DN of Configuration Entry | cn=Boolean Syntax,cn=plugins,cn=config |
| Description | Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |

6.3.14. Case Exact String Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | ces-syntax |
| DN of Configuration Entry | cn=Case Exact String Syntax,cn=plugins,cn=config |
| Description | Supports case-sensitive matching for Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |

6.3.15. Case Ignore String Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | directorystring-syntax |
| DN of Configuration Entry | cn=Case Ignore String Syntax,cn=plugins,cn=config |
| Description | Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plug-in provides case-insensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |

6.3.16. Chaining Database plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | chaining database |
| DN of Configuration Entry | cn=Chaining database,cn=plugins,cn=config |
| Description | Enables back end databases to be linked |
| Type | database |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | There are many performance-related tuning parameters involved with the chaining database. |
| Further Information | A chaining database is also known as a database link. |

6.3.17. Class of Service plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | cos |
| DN of Configuration Entry | cn=Class of Service,cn=plugins,cn=config |
| Description | Allows for sharing of attributes between entries |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Type: Database; Named: State Change Plug-in; Named: Views Plug-in |
| Performance-Related Information | Do not modify the configuration of this plug-in. Leave this plug-in running at all times. |

6.3.18. Content Synchronization plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | content-sync-plugin |
| DN of Configuration Entry | cn=Content Synchronization,cn=plugins,cn=config |
| Description | Enables support for the SyncRepl protocol in Directory Server according to RFC 4533. |
| Type | object |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | Retro Changelog plug-in |
| Performance-Related Information | If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in accordingly. |

6.3.19. Country String Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | countrystring-syntax |
| DN of Configuration Entry | cn=Country String Syntax,cn=plugins,cn=config |
| Description | Supports country naming syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |

6.3.20. Delivery Method Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | delivery-syntax |
| DN of Configuration Entry | cn=Delivery Method Syntax,cn=plugins,cn=config |
| Description | Supports values that are lists of preferred delivery methods and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |

6.3.21. deref plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | Dereference |
| DN of Configuration Entry | cn=deref,cn=plugins,cn=config |
| Description | For dereference controls in directory searches |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |

6.3.22. Distinguished Name Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | dn-syntax |
| DN of Configuration Entry | cn=Distinguished Name Syntax,cn=plugins,cn=config |
| Description | Supports DN value syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |

6.3.23. Distributed Numeric Assignment plug-in

The Distributed Numeric Assignment Plug-in manages ranges of numbers and assigns unique numbers within that range to entries. By breaking number assignments into ranges, the Distributed Numeric Assignment Plug-in allows multiple servers to assign numbers without conflict. The plug-in also manages the ranges assigned to servers, so that if one instance runs through its range quickly, it can request additional ranges from the other servers.

Distributed numeric assignment can be configured to work with single attribute types or multiple attribute types. It is handled per attribute and is only applied to specific suffixes and specific entries within the subtree.

| Plug-in Information | Description |
| --- | --- |
| Plug-in ID | Distributed Numeric Assignment |
| Configuration Entry DN | cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Description | Distributed Numeric Assignment plugin |
| Type | preoperation |
| Configurable Options | on \| off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | Database |
| Performance-Related Information | None |

6.3.23.1. dnaFilter

This attribute sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range.

The dnaFilter attribute is required to set up distributed numeric assignment for an attribute.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any valid LDAP filter |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaFilter: (objectclass=person) |

6.3.23.2. dnaHostname

This attribute identifies the host name of a server in a shared range, as part of the DNA range configuration for that specific host in multi-supplier replication. Available ranges are tracked by host and the range information is replicated among all suppliers, so that if any supplier runs low on available numbers, it can use the host information to contact another supplier and request a new range.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString |
| Valid Range | Any valid host name |
| Default Value | None |
| Example | dnahostname: ldap1.example.com |

6.3.23.3. dnaInterval

This attribute sets an interval to use to increment through numbers in a range. Essentially, this skips numbers at a predefined rate. If the interval is 3 and the first number in the range is 1, the next number used in the range is 4, then 7, then 10, incrementing by three for every new number assignment.

In a replication environment, the dnaInterval enables multiple servers to share the same range. However, when you configure different servers that share the same range, set the dnaInterval and dnaNextVal parameters accordingly so that the different servers do not generate the same values. You must also consider this if you add new servers to the replication topology.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any integer |
| Default Value | 1 |
| Syntax | Integer |
| Example | dnaInterval: 1 |

6.3.23.4. dnaMagicRegen

This attribute sets a user-defined value that instructs the plug-in to assign a new value for the entry. The magic value can be used to assign new unique numbers to existing entries or as a standard setting when adding new entries.

The magic entry should be outside of the defined range for the server so that it cannot be triggered by accident. Note that this attribute does not have to be a number when used on a DirectoryString or other character type. However, in most cases the DNA plug-in is used on attributes which only accept integer values, and in such cases the dnamagicregen value must also be an integer.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any string |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaMagicRegen: -1 |

6.3.23.5. dnaMaxValue

This attribute sets the maximum value that can be assigned for the range. The default is -1, which is the same as setting the highest 64-bit integer.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems; -1 is unlimited |
| Default Value | -1 |
| Syntax | Integer |
| Example | dnaMaxValue: 1000 |

6.3.23.6. dnaNextRange

This attribute defines the next range to use when the current range is exhausted. This value is automatically set when range is transferred between servers, but it can also be manually set to add a range to a server if range requests are not used.

The dnaNextRange attribute should be set explicitly only if a separate, specific range has to be assigned to other servers. Any range set in the dnaNextRange attribute must be unique from the available range for the other servers to avoid duplication. If there is no request from the other servers and the server where dnaNextRange is set explicitly has reached its set dnaMaxValue, the next set of values (part of the dnaNextRange) is allocated from this deck.

The dnaNextRange allocation is also limited by the dnaThreshold attribute that is set in the DNA configuration. Any range allocated to another server for dnaNextRange cannot violate the threshold for the server, even if the range is available on the deck of dnaNextRange.

Note

The dnaNextRange attribute is handled internally if it is not set explicitly. When it is handled automatically, the dnaMaxValue attribute serves as the upper limit for the next range.

The attribute sets the range in the format lower_range-upper_range.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems for the lower and upper ranges |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaNextRange: 100-500 |

6.3.23.7. dnaNextValue

This attribute gives the next available number which can be assigned. After being initially set in the configuration entry, this attribute is managed by the Distributed Numeric Assignment Plug-in.

The dnaNextValue attribute is required to set up distributed numeric assignment for an attribute.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | -1 |
| Syntax | Integer |
| Example | dnaNextValue: 1 |

6.3.23.8. dnaPluginConfig (object class)

This object class is used for entries which configure the DNA Plug-in and numeric ranges to assign to entries.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.324

Allowed Attributes

  • dnaType
  • dnaPrefix
  • dnaNextValue
  • dnaMaxValue
  • dnaInterval
  • dnaMagicRegen
  • dnaFilter
  • dnaScope
  • dnaSharedCfgDN
  • dnaThreshold
  • dnaNextRange
  • dnaRangeRequestTimeout
  • cn

6.3.23.9. dnaPortNum

This attribute gives the standard port number to use to connect to the host identified in dnaHostname.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | Integer |
| Valid Range | 0 to 65535 |
| Default Value | 389 |
| Example | dnaPortNum: 389 |

6.3.23.10. dnaPrefix

This attribute defines a prefix that can be prepended to the generated number values for the attribute. For example, to generate a user ID such as user1000, the dnaPrefix setting would be user.

dnaPrefix can hold any kind of string. However, some possible values for dnaType (such as uidNumber and gidNumber) require only integer values. To use a prefix string, consider using a custom attribute for dnaType which allows strings.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any string |
| Default Value | None |
| Example | dnaPrefix: id |

6.3.23.11. dnaRangeRequestTimeout

One potential situation with the Distributed Numeric Assignment Plug-in is that one server begins to run out of numbers to assign. The dnaThreshold attribute sets a threshold of available numbers in the range, so that the server can request an additional range from the other servers before it is unable to perform number assignments.

The dnaRangeRequestTimeout attribute sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server.

For range requests to be performed, the dnaSharedCfgDN attribute must be set.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | 10 |
| Syntax | Integer |
| Example | dnaRangeRequestTimeout: 15 |

6.3.23.12. dnaRemainingValues

This attribute contains the number of values that are remaining and available to a server to assign to entries.

| Parameter | Description |
| --- | --- |
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | Integer |
| Valid Range | Any integer |
| Default Value | None |
| Example | dnaRemainingValues: 1000 |

6.3.23.13. dnaRemoteBindCred

Specifies the Replication Manager's password. If you set a bind method in the dnaRemoteBindMethod attribute that requires authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred parameters for every server in the replication deployment in the plug-in configuration entry under the cn=config entry.

Set the parameter in plain text. The value is automatically AES-encrypted before it is stored.

A server restart is required for the change to take effect.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString {AES} encrypted_password |
| Valid Values | Any valid AES-encrypted password. |
| Default Value | |
| Example | dnaRemoteBindCred: {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUmxObUk0WXpjM1l5MHdaVE5rTXpZNA0KTnkxaE9XSmhORGRoT0MwMk1ESmpNV014TUFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQk5KbUFDUWFOMHlITWdsUVp3QjBJOQ==}bBR3On6cBmw0DdhcRx826g== |

6.3.23.14. dnaRemoteBindDN

Specifies the Replication Manager DN. If you set a bind method in the dnaRemoteBindMethod attribute that requires authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred parameters for every server in the replication deployment in the plug-in configuration under the cn=config entry.

A server restart is required for the change to take effect.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Syntax | DirectoryString |
| Valid Values | Any valid Replication Manager DN. |
| Default Value | |
| Example | dnaRemoteBindDN: cn=replication manager,cn=config |

6.3.23.15. dnaRemoteBindMethod

Specifies the remote bind method. If you set a bind method in this attribute that requires authentication, additionally set the dnaRemoteBindDN and dnaRemoteBindCred parameters for every server in the replication deployment in the plug-in configuration entry under the cn=config entry.

A server restart is required for the change to take effect.

| Parameter | Description |
| --- | --- |
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | DirectoryString |
| Valid Values | SIMPLE \| SSL \| SASL/GSSAPI \| SASL/DIGEST-MD5 |
| Default Value | |
| Example | dnaRemoteBindMethod: SIMPLE |

6.3.23.16. dnaRemoteConnProtocol

Specifies the remote connection protocol.

A server restart is required for the change to take effect.

| Parameter | Description |
| --- | --- |
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | DirectoryString |
| Valid Values | LDAP, SSL, or TLS |
| Default Value | |
| Example | dnaRemoteConnProtocol: LDAP |

6.3.23.17. dnaScope

This attribute sets the base DN to search for entries to which to apply the distributed numeric assignment. This is analogous to the base DN in an ldapsearch.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server entry |
| Default Value | None |
| Syntax | DirectoryString |
| Example | dnaScope: ou=people,dc=example,dc=com |

6.3.23.18. dnaSecurePortNum

This attribute gives the secure (TLS) port number to use to connect to the host identified in dnaHostname.

| Parameter | Description |
| --- | --- |
| Entry DN | dnaHostname=host_name+dnaPortNum=port_number,ou=ranges,dc=example,dc=com |
| Syntax | Integer |
| Valid Range | 0 to 65535 |
| Default Value | 636 |
| Example | dnaSecurePortNum: 636 |

6.3.23.19. dnaSharedCfgDN

This attribute defines a shared identity that the servers can use to transfer ranges to one another. This entry is replicated between servers and is managed by the plug-in to let the other servers know what ranges are available. This attribute must be set for range transfers to be enabled.

Note

The shared configuration entry must be configured in the replicated subtree, so that the entry can be replicated to the servers. For example, if the ou=People,dc=example,dc=com subtree is replicated, then the configuration entry must be in that subtree, such as ou=UID Number Ranges, ou=People,dc=example,dc=com.

The entry identified by this setting must be manually created by the administrator. The server will automatically contain a sub-entry beneath it to transfer ranges.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any DN |
| Default Value | None |
| Syntax | DN |
| Example | dnaSharedCfgDN: cn=range transfer user,cn=config |

6.3.23.20. dnaSharedConfig (object class)

This object class is used to configure the shared configuration entry that is replicated between suppliers that are all using the same DNA Plug-in configuration for numeric assignments.

This object class is defined in Directory Server.

Superior Class

top

OID

2.16.840.1.113730.3.2.325

Allowed Attributes

  • dnaHostname
  • dnaPortNum
  • dnaSecurePortNum
  • dnaRemainingValues

6.3.23.21. dnaThreshold

One potential situation with the Distributed Numeric Assignment Plug-in is that one server begins to run out of numbers to assign, which can cause problems. The Distributed Numeric Assignment Plug-in allows the server to request a new range from the available ranges on other servers.

So that the server can recognize when it is reaching the end of its assigned range, the dnaThreshold attribute sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range.

For range requests to be performed, the dnaSharedCfgDN attribute must be set.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | 1 to the maximum 32-bit integer on 32-bit systems and to the maximum 64-bit integer on 64-bit systems |
| Default Value | 100 |
| Syntax | Integer |
| Example | dnaThreshold: 100 |

6.3.23.22. dnaType

This attribute sets which attributes have unique numbers being generated for them. In this case, whenever the attribute is added to the entry with the magic number, an assigned value is automatically supplied.

This attribute is required to set a distributed numeric assignment for an attribute.

If the dnaPrefix attribute is set, then the prefix value is prepended to whatever value is generated by dnaType. The dnaPrefix value can be any kind of string, but some reasonable values for dnaType (such as uidNumber and gidNumber) require only integer values. To use a prefix string, consider using a custom attribute for dnaType which allows strings.

| Parameter | Description |
| --- | --- |
| Entry DN | cn=DNA_config_entry,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Valid Range | Any Directory Server attribute |
| Default Value | None |
| Example | dnaType: uidNumber |
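The range bookkeeping described under dnaNextValue, dnaInterval, dnaMaxValue, dnaMagicRegen, dnaPrefix, dnaThreshold and dnaNextRange, as an added Python model that is not Directory Server code: a magic value triggers assignment, the interval lets staggered suppliers share one range without collisions, hitting the threshold flags the need for a new range, and an exhausted range hands over to dnaNextRange. The DnaRange class, RangeExhausted exception and the sample ranges are constructed; the actual range request between suppliers through dnaSharedCfgDN is reduced to a flag.

```python
"""Added model (not Directory Server code) of one server's DNA range state:
dnaNextValue, dnaInterval, dnaMaxValue (-1 = unlimited), dnaMagicRegen,
dnaPrefix, dnaThreshold and the hand-over to dnaNextRange on exhaustion."""
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_INT64 = 2**63 - 1  # the page equates dnaMaxValue -1 with the highest 64-bit integer


class RangeExhausted(Exception):
    """No value left in the range and no dnaNextRange to fall back to."""


@dataclass
class DnaRange:
    dna_type: str                                  # dnaType, e.g. "uidNumber"
    next_value: int                                # dnaNextValue
    max_value: int = -1                            # dnaMaxValue; -1 is unlimited
    interval: int = 1                              # dnaInterval
    threshold: int = 100                           # dnaThreshold
    magic: str = "-1"                              # dnaMagicRegen, compared as text
    prefix: str = ""                               # dnaPrefix
    next_range: Optional[Tuple[int, int]] = None   # dnaNextRange as (lower, upper)

    def upper(self) -> int:
        return MAX_INT64 if self.max_value == -1 else self.max_value

    def remaining(self) -> int:
        """Values still assignable from the current range (cf. dnaRemainingValues)."""
        if self.next_value > self.upper():
            return 0
        return (self.upper() - self.next_value) // self.interval + 1

    def needs_range_request(self) -> bool:
        """True once the threshold is hit and no next range is parked yet;
        the actual request to another supplier is outside this model."""
        return self.remaining() <= self.threshold and self.next_range is None

    def _advance(self) -> None:
        self.next_value += self.interval
        if self.next_value > self.upper() and self.next_range is not None:
            lower, upper = self.next_range          # switch to dnaNextRange
            self.next_value, self.max_value, self.next_range = lower, upper, None

    def assign(self, entry: dict) -> dict:
        """Replace the magic value of dna_type with prefix + next number, then
        advance by the interval. Entries without the magic value are untouched."""
        values = entry.get(self.dna_type, [])
        if self.magic not in values:
            return entry
        if self.next_value > self.upper():
            raise RangeExhausted(f"{self.dna_type}: range exhausted, no dnaNextRange")
        new_value = f"{self.prefix}{self.next_value}"
        self._advance()
        return {**entry, self.dna_type: [new_value if v == self.magic else v for v in values]}


def parse_next_range(value: str) -> Tuple[int, int]:
    """Parse the lower_range-upper_range format of dnaNextRange."""
    lower_s, upper_s = value.split("-", 1)
    lower, upper = int(lower_s), int(upper_s)
    if lower < 1 or upper < lower:
        raise ValueError(f"invalid dnaNextRange {value!r}")
    return lower, upper


def shared_range_demo() -> Tuple[list, list]:
    """Two suppliers sharing 1-10: the same dnaInterval (2) with staggered
    dnaNextValue (1 and 2) yields interleaved numbers that never collide."""
    a = DnaRange("uidNumber", next_value=1, max_value=10, interval=2, threshold=1)
    b = DnaRange("uidNumber", next_value=2, max_value=10, interval=2, threshold=1)
    got_a = [a.assign({"uidNumber": ["-1"]})["uidNumber"][0] for _ in range(3)]
    got_b = [b.assign({"uidNumber": ["-1"]})["uidNumber"][0] for _ in range(3)]
    return got_a, got_b
```

Two suppliers that share a range but are given the same dnaNextValue would collide on every assignment; staggering the start values is what makes the interval scheme safe, as the text above requires.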

6.3.24. Enhanced Guide Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | enhancedguide-syntax |
| DN of Configuration Entry | cn=Enhanced Guide Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |

6.3.25. Facsimile Telephone Number Syntax plug-in

| Plug-in Parameter | Description |
| --- | --- |
| Plug-in ID | facsimile-syntax |
| DN of Configuration Entry | cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for fax numbers; from RFC 4517. |
| Type | syntax |
| Configurable Options | on \| off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |

Further Informat