Chapter 2 Core Server Configuration Reference
The configuration information for Netscape Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server via LDAP while it is still running, and thus avoid the need to shut the server down.
This chapter gives details on how the configuration is organized and how to alter it. The chapter also provides an alphabetical reference for all attributes. The chapter is divided into the following sections:
- Server Configuration - Overview
- Accessing and Modifying Server Configuration
- Core Server Configuration Attributes Reference
- Configuration Quick Reference Tables
Server Configuration - Overview
When you install the Directory Server, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. Note that the latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.
Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under:
cn=ldbm database,cn=plugins,cn=config and cn=chaining database,cn=plugins,cn=config
Figure 2-1 shows how the configuration data fits within the cn=config Directory Information Tree.
Figure 2-1 Directory Information Tree Showing Configuration Data
This overview is divided into the following sections:
- LDIF Configuration Files - Location
- Schema Configuration Files - Location
- How the Server Configuration is Organized
- Migration of Pre-Directory Server 6.x Configuration Files to LDIF Format
LDIF Configuration Files - Location
The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory:
serverRoot/slapd-serverID/config
Thus, if you specified a server identifier of phonebook for example, then in a default installation, your configuration LDIF files are all stored under:
/usr/netscape/servers/slapd-phonebook/config
Schema Configuration Files - Location
Schema configuration is also stored in LDIF format and these files are located in the following directory:
serverRoot/slapd-serverID/config/schema
For a full list of the LDIF configuration files that are supplied with Directory Server, see Table 2-3 under "Configuration Quick Reference Tables" at the end of this chapter.
How the Server Configuration is Organized
The dse.ldif file contains all configuration information including directory specific entries created by the directory at server startup, as well as directory specific entries related to the database, also created by the directory at server startup. The file includes the Root DSE (named by "") and the entire contents of cn=config. When the server generates the dse.ldif file it lists the entries in hierarchical order. It does so in the order that the entries appear in the directory under cn=config.
Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.
Code Example 2-1 gives an example of part of the dse.ldif file for a Directory Server. The example shows, amongst other things, that schema checking has been turned on; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
Code Example 2-1 Extract of dse.ldif File
Configuration of Plug-in Functionality
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. Code Example 2-2 shows an example of the configuration entry for a plug-in, the Telephone Syntax plug-in.
Code Example 2-2 Configuration Entry for Telephone Syntax Plug-in
Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart, see Chapter 3 "Plug-in Implemented Server Functionality Reference."
The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases containing the o=NetscapeRoot and o=UserRoot suffixes.
- The cn=NetscapeRoot subtree contains the configuration data used by the Netscape Administration Server for authentication and all actions that cannot be performed through LDAP (such as start/stop).
- The cn=UserRoot subtree contains all the configuration data for the first user-defined database created during server installation. The cn=UserRoot subtree is called UserRoot by default. However, this is not hard-coded, and, given the fact that there will be multiple database instances, this name will be changed and defined by the user as and when new databases are added.
Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:
cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config
For more information regarding indexes in general, see Netscape Directory Server Administrator's Guide. For information regarding the index configuration attributes see "Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config". The attributes are presented here as this node is the first to appear in our representation of the configuration attributes that is based on the cn=config information tree.
Migration of Pre-Directory Server 6.x Configuration Files to LDIF Format
The Directory Server will only recognize configuration files that are in the LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Directory Server must be converted to LDIF format. Directory Server 4.x configurations can be migrated to the new LDIF format using the migrateInstance6 tool. For more information, see Chapter 6, "Migrating From Previous Versions" in the Netscape Directory Server Installation Guide and the Innosoft Distributed Directory Server Transition Guide.
Accessing and Modifying Server Configuration
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
Access Control For Configuration Entries
When the Directory Server is installed, a default set of Access Control Instructions (ACIs) is implemented for all entries under cn=config. Code Example 2-3 shows an example of these default ACIs.
Code Example 2-3 Default ACIs in dse.ldif
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
- Members of the Configuration Administrators Group.
- The user acting as the Administrator, who has the UID admin that can be configured at installation time.
- Members of local Directory Administrators Group.
- The local Directory Administrator (root DN).
- The SIE (Server Instance Entry) Group that is usually assigned using the Set Access Permissions from the main topology view in the main console.
For more information on Access Control, see the Netscape Directory Server Administrator's Guide.
Changing Configuration Attributes
You can view and change server attribute values in one of three ways. You make the changes by using LDAP through Netscape Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See "Configuration Changes Requiring Server Restart" for further information.
The following sections describe how to modify entries using LDAP (both via Netscape Console and over the command line), the restrictions to modifying entries, the restrictions to modifying attributes, and the configuration changes requiring restart.
Modifying Configuration Entries Using LDAP
The configuration entries in the directory can be searched and modified using LDAP either via the Netscape Console or by performing ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that you can make the changes while the server is running. You must remember to specify the port number when modifying configuration entries as the server is not necessarily running on port 389. For further information, see Chapter 2, "Creating Directory Entries" in the Netscape Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. See "Configuration Changes Requiring Server Restart" for further information.
As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree, as this risks affecting Directory Server functionality.
The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:
ldapsearch -b cn=config -D bindDN -w password
where bindDN is the DN chosen for the Directory Manager when the server was installed and password is the password chosen for Directory Manager. For more information on using ldapsearch, see "ldapsearch".
Previously, we saw an example of the configuration entry for the Telephone Syntax plug-in where the plug-in is enabled. If you wanted to disable this feature you might use the following series of commands to implement this change.
Code Example 2-4 Disabling the Telephone Syntax Plug-in
ldapmodify -D bindDN -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
Restrictions to Modifying Configuration Entries and Attributes
Certain restrictions apply when modifying server entries and attributes:
- The cn=monitor entry and its child entries are read-only and cannot be modified.
- If an attribute is added to cn=config, the server will ignore it.
- If an invalid value is entered for an attribute, this will be ignored by the server.
- Because ldapdelete is used for deleting an entire entry, you should use ldapmodify if you want to remove an attribute from an entry.
Configuration Changes Requiring Server Restart
Some configuration attributes cannot be altered dynamically while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Table 2-4 under "Configuration Quick Reference Tables" at the end of this chapter contains a list of these attributes.
Core Server Configuration Attributes Reference
This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see "Accessing and Modifying Server Configuration". For a list of server features that are implemented as plug-ins, see Table 2-1 in the section "Configuration Quick Reference Tables". For implementing your own server functionality, contact Netscape Professional Services.
The configuration information which is stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config as shown in Figure 2-2.
Figure 2-2 Directory Information Tree Showing Configuration Data
The list of configuration tree nodes covered in this section is as follows:
- cn=config
- cn=changelog5
- cn=encryption
- cn=features
- cn=mapping tree
- cn=monitor
- cn=replication
- cn=SNMP
- cn=tasks
- cn=uniqueid generator
The cn=plugins node is covered in the "Configuration Quick Reference Tables" section. The attributes are listed alphabetically, and the description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Some of the entries and attributes described in this chapter may change in future releases of the product.
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.
nsslapd-accesscontrol (Enable Access Control)
Turns access control on and off. If this attribute has a value off, then any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.
nsslapd-accesslog (Access Log)
Specifies the path and filename of the log used to record each database access. The following information is recorded by default in the log file:
- IP address of the client machine that accessed the database
- Operations performed (for example, search, add, modify)
- Result of the access (for example, the number of entries returned)
For more information on turning access logging off, see Chapter 12, "Monitoring Server and Database Activity" in the Netscape Directory Server Administrator's Guide.
For access logging to be enabled, this attribute must have a valid path and filename and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
nsslapd-accesslog: /usr/netscape/servers/slapd-phonebook/logs/access
Controls what is logged to the access log.
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
nsslapd-accesslog-logbuffering (Log Buffering)
When set to off, the server writes all access log entries directly to disk.
nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
Specifies the units for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables access log logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on and the nsslapd-accesslog configuration attribute must have a valid path and filename. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
500 (A value of -1 means that the disk space allowed to the access log is unlimited in size).
nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
Specifies whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, say midnight to midnight every day, making analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
Specifies the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
Specifies the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Although it is not recommended for performance reasons to specify no log rotation as the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See "nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)" for more information.
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means that the time between access log file rotation is unlimited.
nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
Specifies the units for the nsslapd-accesslog-logrotationtime attribute.
nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.
nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, then each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. For performance reasons it is not recommended that you set this value to 1, as the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1 then there is no log rotation. See "nsslapd-accesslog-logrotationtime (Access Log Rotation Time)" for more information.
nsslapd-attribute-name-exceptions
Allows non-standard characters in attribute names to be used for backwards compatibility with older servers.
Specifies the pathname and filename of the log used to record changes made to each database.
nsslapd-auditlog: /usr/netscape/servers/slapd-phonebook/logs/audit
For audit logging to be enabled this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
Provides a list of audit log files.
nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
Specifies the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
For audit logging to be enabled this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means that the disk space allowed to the audit log is unlimited in size.
nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.
nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
Specifies whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, say midnight to midnight every day, making analysis of the log files much easier because they then map directly to the calendar.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
Specifies the hour of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
None (because nsslapd-auditlog-logrotationsync-enabled is off)
nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
Specifies the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
None (because nsslapd-auditlog-logrotationsync-enabled is off)
nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.
Although it is not recommended for performance reasons to specify no log rotation as the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See "nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)" for more information.
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means that the time between audit log file rotation is unlimited.
nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
Specifies the units for the nsslapd-auditlog-logrotationtime attribute.
nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.
nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1 then there is no log rotation. See "nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)" for more information.
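The following is an added example, not part of the original Netscape documentation: a Python script that reads a dse.ldif extract offline and applies the rules stated above for nsslapd-accesscontrol and for enabling and rotating the access and audit logs. The sample entry, the function names and the finding labels are constructed for illustration; server defaults are not modelled, so a log whose path and enable attributes are both absent from the file is skipped.

```python
import base64

# Constructed sample in the style of dse.ldif; values are illustrative only.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-accesscontrol: off
nsslapd-accesslog: /usr/netscape/servers/slapd-phonebook/logs/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logrotationtime: -1
nsslapd-auditlog: /usr/netscape/servers/slapd-phonebook/logs/
 audit
nsslapd-auditlog-logging-enabled: off
nsslapd-auditlog-maxlogsperdir: 1

dn: cn=Telephone Syntax,cn=plugins,cn=config
nsslapd-pluginEnabled: on
"""


def parse_ldif(text):
    """Parse LDIF into {lower-cased dn: {lower-cased attribute: [values]}}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded line: continues the previous one
        elif not raw.startswith("#"):     # skip LDIF comments
            lines.append(raw)
    entries, current = {}, None
    for line in lines:
        if not line.strip():              # a blank line ends the current entry
            current = None
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):         # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = ",".join(part.strip() for part in value.lower().split(","))
            current = entries.setdefault(dn, {})
        elif current is not None:
            current.setdefault(name, []).append(value)
    return entries


def first(cfg, attr):
    """Return the first value of an attribute, or None if it is absent."""
    values = cfg.get(attr.lower())
    return values[0].strip() if values else None


def log_findings(cfg, kind):
    """Apply the chapter's rules to one log; kind is 'accesslog' or 'auditlog'."""
    base = "nsslapd-" + kind
    path = first(cfg, base)
    enabled = first(cfg, base + "-logging-enabled")
    if path is None and enabled is None:
        return []                         # log not described in this extract
    # Logging needs both a path and the enable attribute switched to "on".
    if not path or (enabled or "").lower() != "on":
        return [kind + "-disabled"]
    # maxlogsperdir is checked first: 1 means no rotation. If it is larger
    # than 1, logrotationtime is checked next and -1 means no rotation, so
    # either value on its own is enough to conclude the log is not rotated.
    maxlogs = first(cfg, base + "-maxlogsperdir")
    rotation = first(cfg, base + "-logrotationtime")
    if maxlogs == "1" or rotation == "-1":
        return [kind + "-no-rotation"]
    return []


def audit_config(ldif_text):
    """Return a list of finding labels for the cn=config entry."""
    entries = parse_ldif(ldif_text)
    if "cn=config" not in entries:
        raise ValueError("no cn=config entry found")
    cfg = entries["cn=config"]
    findings = []
    # With access control off, any valid bind (including anonymous) has full access.
    if (first(cfg, "nsslapd-accesscontrol") or "").lower() == "off":
        findings.append("accesscontrol-off")
    for kind in ("accesslog", "auditlog"):
        findings.extend(log_findings(cfg, kind))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_DSE):
        print(finding)
```

Because the script reads the file rather than binding to the server, it can be run against dse.ldif, dse.ldif.bak or dse.ldif.startOK to compare the current configuration with the earlier ones.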
nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitation of the security subsystem certificate mapping, configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. Note that if the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. For further information see Chapter 11, "Managing SSL" in the Netscape Directory Server Administrator's Guide.
This read-only attribute is the config DN.
Specifies whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
Controls whether quoting in the objectclasses attributes contained in the cn=schema entry will conform to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the objectclasses attributes contained in cn=schema. RFC 2252 indicates that this value should not be quoted.
That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
However, RFC 2252 indicates that this attribute should be published as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
Notice the absence of single quotes around the word top.
Turning this attribute on will cause the Directory Server Resource Kit LDAP clients to no longer function, as they require the schema as defined in RFC 2252.
Turning this attribute off causes the Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients. Specifically, any client written using the Netscape Java LDAP SDK 4.x will no longer be able to correctly read and modify schema. This includes the 4.x version of the Netscape Console. Please note that turning this attribute on or off does not affect versions 6.x of Netscape Console.
Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they will contain informative conditions such as these:
This log will contain differing amounts of information depending on the current setting of the Log Level attribute. See "nsslapd-errorlog-level (Error Log Level)" for more information.
nsslapd-errorlog: /usr/netscape/servers/slapd-phonebook/logs/error
For error logging to be enabled this attribute must have a valid path and filename and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
nsslapd-errorlog-level (Error Log Level)
Specifies the level of logging to be used by the Directory Server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed.
To turn logging off, remove the nsslapd-errorlog-level attribute from dse.ldif and restart the Directory Server.
This read-only attribute provides a list of error log files.
nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
Specifies the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means that the disk space allowed to the error log is unlimited in size.