Chapter 16. Managing default options for Directory Server command-line utilities using .dsrc file

download PDF

A ~/.dsrc file simplifies commands that use the Directory Server command-line utilities. By default, you can pass information, for example, the LDAP URL or the bind distinguished name (DN) to the command for these utilities. You can store the settings in a ~/dsrc file to use the command-line utilities without specifying these settings each time.

16.1. How a .dsrc file simplifies commands

You can specify the LDAP URL of an instance and a bind DN in a ~/.dsrc file:

# server1
uri = ldap://
binddn = cn=Directory Manager
basedn = dc=example,dc=com

You can use shorter Directory Server commands with these settings. For example, to create a user account:

# dsidm server1 user create

Without the ~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command:

# dsidm -D cn=Directory Manager ldap:// -b "dc=example,dc=com" user create

16.2. Using the dsctl utility to create a .dsrc file

You can use the dsctl utility to create a ~/.dsrc file instead of creating it manually.


  • Run:
# dsctl instance_name dsrc create ...

You can add these options in the command:

  • --uri

When using the --uri option, sets the URL to the instance in the format protocol://host_name_or_IP_address_or_socket

For example:

  1. --uri ldap://
  2. --uri = ldaps://
  3. --uri = ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socket

When you set the path to the Directory Server socket, use %%02 instead of slashes (/) in the path.


The server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility when you use the ldapi URL. If you run the command as the root user, both UID and GID are 0 and Directory Server automatically authenticates you as cn=Directory Manager without entering the corresponding password.

  • --starttls

When using the --starttls option, configures the utilities to connect to an LDAP port and then send the STARTTLS command to switch to an encrypted connection.

  • --basedn

When using the --basedn option, sets the base distinguished name (DN).

For example: --basedn dc=example,dc=com

  • --binddn

When using the --basedn option, sets the bind DN.

For example: --binddn cn=Directory Manager

  • --pwdfile

When using the --pwdfile, sets the path to a file that contains the password of bind DN.

For example: --pwdfile /root/rhds.pwd

  • --tls-cacertdir

When using the --tls-cacertdir option, sets the path in this parameter which defines the directory with the certificate authority (CA) certificate that is required to verify the server’s certificate if you use the LDAPS connection.

For example: --tls-cacertdir /etc/pki/CA/certs/


You can use the c_rehash /etc/pki/CA/certs/ command only when you copy the CA certificate to the specified directory.

  • --tls-cert

When using the --tls-certl option, sets the absolute path to the server’s certificate.

For example: --tls-cert /etc/dirsrv/slapd-instance_name/Server-Cert.crt

  • --tls-key

When using the --tls-key option, sets the absolute path to the server’s private key.

For example: --tls-key /etc/dirsrv/slapd-instance_name/Server-Cert.key

  • --tls-reqcert

When using the --tls-reqcert option, sets what checks the client utilities perform on server certificates in a TLS session.

For example: --tls-reqcert hard

These parameters are available:

  1. never: The utilities do not request or check the server certificate.
  2. allow: The utilities ignore certificate errors and the connection is established anyway.
  3. hard: The utilities terminate the connection on certificate errors.

    • --saslmech

When using the --saslmech option, sets the SASL mechanism to use to PLAIN or EXTERNAL.

For example: --saslmech PLAIN

16.3. Remote and local connection resolution when using directory server utilities

You can call Directory Server commands remotely and locally when securing the Directory Server connection. When you run a Directory Server command with an LDAP URL specified, the server considers it as a remote connection and checks the /etc/openldap/ldap.conf configuration file along with system-wide settings to proceed with the command.

When you run a Directory Server command with an instance name specified, the server checks if the ~/.dsrc file is present and applies the following logic to proceed:

  1. The Directory Server considers the ~/.dsrc file as a remote connection and checks whether the /etc/openldap/ldap.conf configuration file and system-wide settings contain both the instance name and the LDAP URL.
  2. The Directory Server considers the ~/.dsrc file as a local connection and uses the nsslapd-certdir setting from the local dse.ldif file to secure the connection if the ~/.dsrc file contains only the specified instance name, or if the ~/.dsrc file does not exist. The server uses the default path /etc/dirsrv/slapd-instance_name/ to store the Network Security Services (NSS) database of the instance if nsslapd-certdir is not present.

Additional resources

Red Hat logoGithubRedditYoutubeTwitter


Try, buy, & sell


About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.