Chapter 1. Basic management tasks


Learn about the basic tasks for managing Directory Server instances after installation.

The web console is a browser-based graphical user interface (GUI) that you can use for performing administrative tasks. The Directory Server package automatically installs the Directory Server user interface for the web console.

Prerequisites

  • You have permissions to access the web console.

Procedure

  1. Access the web console by using the following URL in your browser:

    https://<directory_server_host>:9090
  2. Log in as a user with sudo privileges.
  3. Select the Red Hat Directory Server entry.

You can start, stop, and restart a Directory Server instance by using the command line or the web console.

Use the dsctl utility to start, stop, or restart a Directory Server instance.

Important

The dsctl utility is the only correct way to stop Directory Server instances. Do not terminate the ns-slapd process with the kill command, because doing so can cause data loss or corruption.

Procedure

  • To start the instance, run:

    # dsctl <instance_name> start
  • To stop the instance, run:

    # dsctl <instance_name> stop
  • To restart the instance, run:

    # dsctl <instance_name> restart

Optionally, you can enable Directory Server instances to automatically start when the system boots:

  • For a single instance, run:

    # systemctl enable dirsrv@<instance_name>
  • For all instances on a server, run:

    # systemctl enable dirsrv.target

Verification

You can check the instance status by using the dsctl or systemctl utility:

  • To view the instance status by using the dsctl utility, run:

    # dsctl <instance_name> status
  • To view the instance status by using the systemctl utility, run:

    # systemctl status dirsrv@<instance_name>

You can use the web console to start, stop, or restart a Directory Server instance.

Prerequisites

Procedure

  1. Select the Directory Server instance.
  2. Click the Actions button and select the action to execute:

Verification

  • Ensure that the Directory Server instance is running. When the instance is not running, the web console displays the following message:

    This server instance is not running, either start it from the Actions dropdown menu, or choose a different instance.

1.3. Changing the LDAP and LDAPS port numbers

By default, Directory Server uses port 389 for the LDAP protocol and, if you enabled it, port 636 for the LDAPS protocol. You can change the port numbers, for example, to run multiple Directory Server instances on one host.

Important

No other service may use the new ports that you assign to an instance's protocols.

You can change the port numbers of the LDAP and LDAPS protocols using the command line. Changing the ports requires updating the nsslapd-port and nsslapd-securePort parameters.

Procedure

  1. Optionally, display the current port numbers for the instance:

    # dsconf <instance_name> config get nsslapd-port nsslapd-securePort
  2. Change the LDAP port:

    1. Set the new port for the LDAP protocol. For example, to set it to 1389, run:

      # dsconf <instance_name> config replace nsslapd-port=1389
    2. Assign the ldap_port_t SELinux port type to the LDAP port that you set in the previous step:

      # semanage port -a -t ldap_port_t -p tcp 1389
  3. Change the LDAPS port:

    1. Set the new port for the LDAPS protocol. For example, to set it to 1636, run:

      # dsconf <instance_name> config replace nsslapd-securePort=1636
    2. Assign the ldap_port_t SELinux port type to the LDAPS port that you set in the previous step:

      # semanage port -a -t ldap_port_t -p tcp 1636
  4. Restart the instance:

    # dsctl <instance_name> restart

Verification

  1. Verify that Directory Server now uses the new LDAP port:

    # dsconf <instance_name> config get nsslapd-port
  2. Verify that Directory Server now uses the new LDAPS port:

    # dsconf <instance_name> config get nsslapd-securePort
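The command-line procedure and its verification, combined into one script that also performs the pre-checks the Important note calls for (the new ports must be valid, distinct, and not already owned by another service). This is an added example, not part of the Red Hat documentation; it assumes dsconf, dsctl, semanage and ss are installed, the instance is running, and that "dsconf <instance_name> config get ATTR" prints "ATTR: value".

```shell
#!/bin/sh
# Change an instance's LDAP and LDAPS ports with the pre-checks the procedure implies.
# Added example, not Red Hat's code. Assumes dsconf, dsctl, semanage and ss exist,
# the instance is running, and "dsconf ... config get ATTR" prints "ATTR: value".
set -u

# valid_port N: succeed if N is an integer in 1..65535.
valid_port() {
  case ${1:-} in '' | *[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}
# check_port_pair LDAP LDAPS: both valid and distinct (LDAP and LDAPS cannot share a port).
check_port_pair() {
  valid_port "$1" && valid_port "$2" && [ "$1" != "$2" ]
}
# port_listening N: succeed if a local TCP socket already listens on port N.
port_listening() {
  ss -Hltn | awk '{ print $4 }' | grep -q ":$1\$"
}
# label_port N: assign the ldap_port_t SELinux type to tcp/N unless it already has it.
label_port() {
  semanage port -l | awk '$1 == "ldap_port_t" && $2 == "tcp"' | grep -qw "$1" ||
    semanage port -a -t ldap_port_t -p tcp "$1"
}
# current_value INSTANCE ATTR: the configured value of ATTR (assumed "ATTR: value" output).
current_value() {
  dsconf "$1" config get "$2" | sed -n "s/^$2: //p"
}
# change_ports INSTANCE LDAP_PORT LDAPS_PORT: apply both ports, restart and verify.
change_ports() {
  inst=$1 ldap=$2 ldaps=$3
  check_port_pair "$ldap" "$ldaps" || { echo "need two distinct ports in 1-65535" >&2; return 1; }
  old_ldap=$(current_value "$inst" nsslapd-port)
  old_ldaps=$(current_value "$inst" nsslapd-securePort)
  # Important note above: no other service may already own a new port. The instance's
  # own current ports are allowed, because the restart releases them.
  for p in "$ldap" "$ldaps"; do
    [ "$p" = "$old_ldap" ] || [ "$p" = "$old_ldaps" ] || ! port_listening "$p" ||
      { echo "port $p is already in use" >&2; return 1; }
  done
  label_port "$ldap" && label_port "$ldaps" || return 1
  dsconf "$inst" config replace "nsslapd-port=$ldap" || return 1
  dsconf "$inst" config replace "nsslapd-securePort=$ldaps" || return 1
  dsctl "$inst" restart || return 1
  # Verification: the instance now reports the new ports.
  [ "$(current_value "$inst" nsslapd-port)" = "$ldap" ] &&
    [ "$(current_value "$inst" nsslapd-securePort)" = "$ldaps" ]
}
if [ "$#" -eq 3 ]; then change_ports "$@"; fi   # usage: ./change_ports.sh <instance_name> 1389 1636
```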

You can change the port numbers of the LDAP and LDAPS protocol using the web console.

Prerequisites

  • You are logged in to the instance in the web console.

Procedure

  1. Change the LDAP port:

    1. Open the Server Setting menu.
    2. On the Server Setting tab, enter the new port number into the LDAP Port field.
    3. Click Save.
  2. Change the LDAPS port:

    1. Open the Server Setting menu.
    2. On the General Settings tab, enter the new port number into the LDAPS Port field.
    3. Click Save.
  3. Restart the instance by clicking Action and selecting Restart Instance.

Verification

  1. Verify in the server settings that the changed port numbers are displayed.

A ~/.dsrc file simplifies commands that use the Directory Server command-line utilities. Without it, you pass information such as the LDAP URL or the bind distinguished name (DN) to each command. Storing these settings in a ~/.dsrc file lets you use the command-line utilities without specifying them each time.

1.4.1. How a .dsrc file simplifies commands

You can specify the LDAP URL of an instance and a bind DN in a ~/.dsrc file. The section name is the instance name that you pass to the utilities:

[server1]
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com

You can use shorter Directory Server commands with these settings. For example, to create a user account:

# dsidm server1 user create

Without the ~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command:

# dsidm -D "cn=Directory Manager" ldap://server1.example.com -b "dc=example,dc=com" user create

You can use the dsctl utility to create a ~/.dsrc file instead of creating it manually.

Procedure

  • Run:

    # dsctl <instance_name> dsrc create ...

You can add these options to the command:

  • --uri

When using the --uri option, sets the URL of the instance in the format protocol://host_name_or_IP_address_or_socket.

For example:

  1. --uri ldap://server.example.com
  2. --uri ldaps://server.example.com
  3. --uri ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socket

When you set the path to the Directory Server socket, use %%2f instead of slashes (/) in the path.

Important

When you use an ldapi URL, the server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility. If you run the command as the root user, both the UID and the GID are 0, and Directory Server authenticates you automatically as cn=Directory Manager without asking for the corresponding password.

  • --starttls

When using the --starttls option, configures the utilities to connect to an LDAP port and then send the STARTTLS command to switch to an encrypted connection.

  • --basedn

When using the --basedn option, sets the base distinguished name (DN).

For example: --basedn dc=example,dc=com

  • --binddn

When using the --binddn option, sets the bind DN.

For example: --binddn cn=Directory Manager

  • --pwdfile

When using the --pwdfile option, sets the path to a file that contains the password of the bind DN.

For example: --pwdfile /root/rhds.pwd

  • --tls-cacertdir

When using the --tls-cacertdir option, sets the directory that contains the certificate authority (CA) certificate required to verify the server’s certificate when you use an LDAPS connection.

For example: --tls-cacertdir /etc/pki/CA/certs/

Note

After you copy the CA certificate to the specified directory, run the c_rehash /etc/pki/CA/certs/ command so that the utilities can find the certificate by its hashed file name.

  • --tls-cert

When using the --tls-cert option, sets the absolute path to the server’s certificate.

For example: --tls-cert /etc/dirsrv/slapd-<instance_name>/Server-Cert.crt

  • --tls-key

When using the --tls-key option, sets the absolute path to the server’s private key.

For example: --tls-key /etc/dirsrv/slapd-<instance_name>/Server-Cert.key

  • --tls-reqcert

When using the --tls-reqcert option, sets what checks the client utilities perform on server certificates in a TLS session.

For example: --tls-reqcert hard

The following values are available:

  1. never: The utilities do not request or check the server certificate.
  2. allow: The utilities ignore certificate errors and establish the connection anyway.
  3. hard: The utilities terminate the connection on certificate errors.

  • --saslmech

When using the --saslmech option, sets the SASL mechanism to use: PLAIN or EXTERNAL.

For example: --saslmech PLAIN
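The ~/.dsrc format shown in the previous section and the --starttls, --tls-reqcert and --pwdfile options described above, checked with a small audit script that flags a cleartext ldap:// URI without STARTTLS, a tls_reqcert value that skips certificate verification, and a bind password file readable by other users. This is an added example, not Red Hat's code; it assumes the file keys are the option names with hyphens replaced by underscores (uri, starttls, tls_reqcert, pwdfile) and that GNU stat is available.

```shell
#!/bin/sh
# Audit a .dsrc file for settings that weaken the command-line connection. Added
# example, not Red Hat's code. Assumes the keys "dsctl dsrc create" writes: the option
# names with "-" replaced by "_" (uri, starttls, tls_reqcert, pwdfile), and GNU stat.
set -u

# dsrc_sections FILE: print the instance (section) names.
dsrc_sections() {
  awk '/^[[:space:]]*\[/ { s = $0; sub(/^[^[]*\[/, "", s); sub(/].*/, "", s); print s }' "$1"
}
# dsrc_get FILE SECTION KEY: print the value of KEY in [SECTION], nothing if unset.
dsrc_get() {
  awk -F= -v want="$2" -v key="$3" '
    /^[[:space:]]*\[/ { s = $0; sub(/^[^[]*\[/, "", s); sub(/].*/, "", s); next }
    s == want && /^[[:space:]]*[^#;]/ && NF >= 2 {
      k = $1; gsub(/[[:space:]]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1); sub(/^[[:space:]]+/, "", v); sub(/[[:space:]]+$/, "", v)
        print v; exit
      }
    }' "$1"
}
# audit_dsrc FILE: print one finding per line; the return value is the number of findings.
audit_dsrc() {
  n=0
  for sec in $(dsrc_sections "$1"); do
    uri=$(dsrc_get "$1" "$sec" uri)
    starttls=$(dsrc_get "$1" "$sec" starttls | tr 'A-Z' 'a-z')
    reqcert=$(dsrc_get "$1" "$sec" tls_reqcert | tr 'A-Z' 'a-z')
    pwdfile=$(dsrc_get "$1" "$sec" pwdfile)
    # A simple bind over ldap:// without STARTTLS sends the bind password in cleartext.
    case $uri in ldap://*) [ "$starttls" = true ] ||
      { echo "[$sec] ldap:// URI without starttls = true"; n=$((n + 1)); } ;; esac
    # never and allow accept any server certificate, so the CA directory buys nothing.
    case $reqcert in never | allow)
      echo "[$sec] tls_reqcert = $reqcert; use hard"; n=$((n + 1)) ;; esac
    # The bind password file must not be readable by other users.
    if [ -n "$pwdfile" ] && [ -f "$pwdfile" ] && [ "$(stat -c %a "$pwdfile")" != 600 ]; then
      echo "[$sec] $pwdfile is not mode 600"; n=$((n + 1))
    fi
  done
  return "$n"
}
# Constructed sample with two weak settings, audited when the script runs directly.
tmp=$(mktemp)
printf '[server1]\nuri = ldap://server1.example.com\nbinddn = cn=Directory Manager\ntls_reqcert = allow\n' > "$tmp"
audit_dsrc "$tmp" || echo "$? finding(s)"
rm -f "$tmp"
```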

You can run Directory Server commands against a remote or a local connection, and how the connection is secured depends on how you address the instance. When you run a command with an LDAP URL, the server treats it as a remote connection and checks the /etc/openldap/ldap.conf configuration file together with the system-wide settings before proceeding.

When you run a command with an instance name, the server checks whether a ~/.dsrc file is present and proceeds as follows:

  1. If the ~/.dsrc file contains both the instance name and an LDAP URL, Directory Server treats it as a remote connection and checks the /etc/openldap/ldap.conf configuration file and the system-wide settings.
  2. If the ~/.dsrc file contains only the instance name, or if no ~/.dsrc file exists, Directory Server treats it as a local connection and uses the nsslapd-certdir setting from the local dse.ldif file to secure the connection. If nsslapd-certdir is not set, the server uses the default path /etc/dirsrv/slapd-<instance_name>/ for the instance's Network Security Services (NSS) database.
© 2025 Red Hat