Chapter 16. Managing default options for Directory Server command-line utilities using .dsrc file
A ~/.dsrc file simplifies commands that use the Directory Server command-line utilities. By default, you pass information such as the LDAP URL or the bind distinguished name (DN) to each command for these utilities. You can store these settings in a ~/.dsrc file so that you can use the command-line utilities without specifying them each time.
16.1. How a .dsrc file simplifies commands
You can specify the LDAP URL of an instance and a bind DN in a ~/.dsrc file. The file uses one section per instance, named after the instance:
[server1]
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com
You can use shorter Directory Server commands with these settings. For example, to create a user account:
# dsidm server1 user create
Without the ~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command (quote the bind DN because it contains a space):
# dsidm -D "cn=Directory Manager" ldap://server1.example.com -b "dc=example,dc=com" user create
16.2. Using the dsctl utility to create a .dsrc file
You can use the dsctl utility to create a ~/.dsrc file instead of creating it manually.
Procedure
- Run:
# dsctl instance_name dsrc create ...
You can add these options in the command:
- --uri
  Sets the URL to the instance in the format protocol://host_name_or_IP_address_or_socket. For example:
  - --uri ldap://server.example.com
  - --uri ldaps://server.example.com
  - --uri ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socket
  When you set the path to the Directory Server socket, use %%2f instead of slashes (/) in the path.
  The server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility when you use the ldapi URL. If you run the command as the root user, both UID and GID are 0, and Directory Server automatically authenticates you as cn=Directory Manager without asking for the corresponding password.
- --starttls
  Configures the utilities to connect to an LDAP port and then send the STARTTLS command to switch to an encrypted connection.
- --basedn
  Sets the base distinguished name (DN). For example: --basedn dc=example,dc=com
- --binddn
  Sets the bind DN. For example: --binddn cn=Directory Manager
- --pwdfile
  Sets the path to a file that contains the password of the bind DN. For example: --pwdfile /root/rhds.pwd
- --tls-cacertdir
  Sets the directory that contains the certificate authority (CA) certificate required to verify the server's certificate when you use an LDAPS connection. For example: --tls-cacertdir /etc/pki/CA/certs/
  Run the c_rehash /etc/pki/CA/certs/ command after you copy the CA certificate to the specified directory.
- --tls-cert
  Sets the absolute path to the server's certificate. For example: --tls-cert /etc/dirsrv/slapd-instance_name/Server-Cert.crt
- --tls-key
  Sets the absolute path to the server's private key. For example: --tls-key /etc/dirsrv/slapd-instance_name/Server-Cert.key
- --tls-reqcert
  Sets what checks the client utilities perform on server certificates in a TLS session. For example: --tls-reqcert hard
  These parameters are available:
  - never: The utilities do not request or check the server certificate.
  - allow: The utilities ignore certificate errors and the connection is established anyway.
  - hard: The utilities terminate the connection on certificate errors.
- --saslmech
  Sets the SASL mechanism to use to PLAIN or EXTERNAL. For example: --saslmech PLAIN
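The following added example (not code from the Red Hat Directory Server documentation or from the lib389 project) shows what the sections above describe in working form: it parses a constructed ~/.dsrc file with Python's configparser, which is why a literal % in an ldapi socket path has to be written as %%, checks the option values that have a fixed set of allowed values (tls_reqcert, saslmech, the URI scheme), recovers the socket path from an ldapi URI, flags the root-to-cn=Directory Manager autobind case, and expands the short dsidm form from section 16.1 into the long form with -D, the URL, and -b. The INI key names (uri, basedn, binddn, pwdfile, starttls, saslmech, tls_cacertdir, tls_cert, tls_key, tls_reqcert) are assumed to mirror the dsctl dsrc create option names.

```python
"""Parse a ~/.dsrc file and expand an instance name into the explicit arguments
that the Directory Server utilities need without the file.

Added example: this is not code from the Red Hat Directory Server documentation
or from the lib389 project. The INI key names are assumed to mirror the
dsctl dsrc create options; the sample file content is constructed.
"""
import configparser
from urllib.parse import unquote, urlsplit

# Constructed sample ~/.dsrc. configparser uses '%' for interpolation, so a
# literal '%' in the ldapi socket path must be written as '%%' in the file.
SAMPLE_DSRC = """\
[server1]
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com

[local1]
uri = ldapi://%%2fvar%%2frun%%2fslapd-local1.socket
basedn = dc=example,dc=com
saslmech = EXTERNAL
tls_reqcert = hard
"""

VALID_SCHEMES = {"ldap", "ldaps", "ldapi"}
VALID_REQCERT = {"never", "allow", "hard"}
VALID_SASLMECH = {"PLAIN", "EXTERNAL"}


def load_dsrc(text):
    """Return {instance_name: {key: value}}; '%%' in values is unescaped to '%'."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def validate(section):
    """Return the problems found in one instance section (empty list if none)."""
    problems = []
    uri = section.get("uri")
    if uri is None:
        problems.append("missing uri")
    elif urlsplit(uri).scheme not in VALID_SCHEMES:
        problems.append(f"unsupported uri scheme in {uri!r}")
    # An absent key is fine (the utility default applies); a present key must be valid.
    if section.get("tls_reqcert", "hard") not in VALID_REQCERT:
        problems.append("tls_reqcert must be never, allow or hard")
    if section.get("saslmech", "PLAIN") not in VALID_SASLMECH:
        problems.append("saslmech must be PLAIN or EXTERNAL")
    return problems


def ldapi_socket_path(uri):
    """Return the filesystem path encoded in an ldapi:// URI, or None otherwise."""
    parts = urlsplit(uri)
    if parts.scheme != "ldapi":
        return None
    # The file stores the path as %%2fvar%%2frun...; after configparser unescaping
    # it is %2fvar%2frun..., and unquote turns each %2f back into '/'.
    return unquote(parts.netloc)


def autobind_as_directory_manager(uri, uid, gid):
    """True when an ldapi connection from UID 0 / GID 0 autobinds as cn=Directory Manager."""
    return urlsplit(uri).scheme == "ldapi" and uid == 0 and gid == 0


def expand_command(instance, sections, argv):
    """Build the long form 'dsidm -D <binddn> <uri> -b <basedn> ...' for an instance."""
    section = sections[instance]
    command = ["dsidm"]
    if "binddn" in section:
        command += ["-D", section["binddn"]]
    command.append(section["uri"])
    if "basedn" in section:
        command += ["-b", section["basedn"]]
    return command + list(argv)


if __name__ == "__main__":
    import shlex

    sections = load_dsrc(SAMPLE_DSRC)
    for name, section in sections.items():
        print(name, "problems:", validate(section) or "none")
        print("  ", shlex.join(expand_command(name, sections, ["user", "create"])))
        print("   socket:", ldapi_socket_path(section["uri"]))
        print("   root autobind:", autobind_as_directory_manager(section["uri"], 0, 0))
```

Running the block prints the long dsidm command for each section; for server1 it is the same command shown in section 16.1 with the bind DN quoted by shlex. The autobind check is the point to keep in mind when a ~/.dsrc entry uses an ldapi URI: any command run as root through that entry acts as cn=Directory Manager without a password prompt.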
16.3. Remote and local connection resolution when using directory server utilities
You can call Directory Server commands remotely and locally when securing the Directory Server connection. When you run a Directory Server command with an LDAP URL specified, the server considers it a remote connection and checks the /etc/openldap/ldap.conf configuration file along with system-wide settings to proceed with the command.
When you run a Directory Server command with an instance name specified, the server checks whether the ~/.dsrc file is present and applies the following logic to proceed:
- If the ~/.dsrc file contains both the instance name and the LDAP URL, the Directory Server considers the connection a remote connection and checks the /etc/openldap/ldap.conf configuration file and system-wide settings.
- If the ~/.dsrc file contains only the specified instance name, or if the ~/.dsrc file does not exist, the Directory Server considers the connection a local connection and uses the nsslapd-certdir setting from the local dse.ldif file to secure the connection. If nsslapd-certdir is not present, the server uses the default path /etc/dirsrv/slapd-instance_name/ to store the Network Security Services (NSS) database of the instance.
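The resolution logic above, as an added example that is not code from the Red Hat Directory Server documentation or from the lib389 project: given an instance name, the content of ~/.dsrc (or None when the file is absent) and the instance's dse.ldif, the function classifies the connection as remote (instance name plus LDAP URL in ~/.dsrc, TLS settings from /etc/openldap/ldap.conf and system-wide settings) or local (instance name only or no file, secured by the NSS database that nsslapd-certdir names, falling back to /etc/dirsrv/slapd-instance_name/). The ~/.dsrc and dse.ldif excerpts are constructed, and the function names are chosen for this illustration.

```python
"""Decide whether a Directory Server command that names an instance is handled
as a remote or a local connection, following the resolution rules in this section.

Added example: this is not code from the Red Hat Directory Server documentation
or from the lib389 project. The ~/.dsrc and dse.ldif excerpts are constructed,
and the function names are chosen for this illustration.
"""
import configparser
import re

# Constructed ~/.dsrc: remote1 carries an LDAP URL, local1 names the instance only.
SAMPLE_DSRC = """\
[remote1]
uri = ldaps://server1.example.com
basedn = dc=example,dc=com

[local1]
basedn = dc=example,dc=com
"""

# Constructed excerpt of an instance dse.ldif with an explicit nsslapd-certdir.
SAMPLE_DSE_LDIF = """\
dn: cn=config
cn: config
nsslapd-certdir: /etc/dirsrv/slapd-local1/
nsslapd-port: 389
"""


def load_dsrc(text):
    """Return {instance_name: {key: value}} from .dsrc content, or {} when the file is absent."""
    if text is None:
        return {}
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return {name: dict(parser.items(name)) for name in parser.sections()}


def certdir_from_dse(dse_ldif_text, instance):
    """Return the nsslapd-certdir value, or the default /etc/dirsrv/slapd-<instance>/ path."""
    match = re.search(r"^nsslapd-certdir:\s*(\S+)\s*$", dse_ldif_text or "", re.MULTILINE)
    if match:
        return match.group(1)
    return f"/etc/dirsrv/slapd-{instance}/"


def resolve_connection(instance, dsrc_text, dse_ldif_text):
    """Classify 'dsidm <instance> ...' as a remote or a local connection."""
    section = load_dsrc(dsrc_text).get(instance)
    if section is not None and "uri" in section:
        # Instance name plus LDAP URL in ~/.dsrc: remote connection; client TLS
        # settings come from /etc/openldap/ldap.conf and the system-wide settings.
        return {
            "kind": "remote",
            "uri": section["uri"],
            "tls_source": "/etc/openldap/ldap.conf",
        }
    # Instance name only, or no matching ~/.dsrc entry at all: local connection,
    # secured by the instance NSS database that nsslapd-certdir names.
    return {
        "kind": "local",
        "certdir": certdir_from_dse(dse_ldif_text, instance),
        "tls_source": "dse.ldif nsslapd-certdir",
    }


if __name__ == "__main__":
    print("remote1:", resolve_connection("remote1", SAMPLE_DSRC, SAMPLE_DSE_LDIF))
    print("local1: ", resolve_connection("local1", SAMPLE_DSRC, SAMPLE_DSE_LDIF))
    # No ~/.dsrc and no nsslapd-certdir in dse.ldif: the default NSS path applies.
    print("no file:", resolve_connection("local1", None, ""))
```

The practical consequence for a defender is which trust store governs certificate verification: a remote entry is verified against what /etc/openldap/ldap.conf and the system-wide settings define, whereas a local entry relies on the instance's own NSS database, so a ~/.dsrc entry that adds a URL silently moves the command from one trust configuration to the other.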
Additional resources