|
Configuration, Command, and File Reference Netscape Directory Server |
|
||
|
|
Chapter 3 Plug-in Implemented Server Functionality Reference
This chapter contains reference information on Netscape Directory Server (Directory Server) server plug-ins. The chapter is divided into the following sections:
- Overview
- Server Plug-in Functionality Reference
- List of Attributes Common to All Plug-ins
- Attributes Allowed by Certain Plug-ins
- Database Plug-in Attributes
- Database Link Plug-in Attributes (chaining attributes)
- Retro Changelog Plug-in Attributes
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree
cn=plugins,cn=config. Code Example 2-2, which you also saw in Chapter 2 "Core Server Configuration Reference," shows some of the plug-in configuration attributes.
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an
ldapsearchon thecn=configsubtree.Object Classes for Plug-In Configuration
All plug-ins are instances of the
nsSlapdPluginobject class which in turn inherits from theextensibleObjectobject class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to thetopobject class) must be present in the entry as shown in the following example:
dn:cn=ACL Plugin,cn=plugins,cn=configobjectclass:topobjectclass:nsSlapdPluginobjectclass:extensibleObject
Server Plug-in Functionality Reference
The tables that follow provide you with a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance related information, and further reading. Information in these tables will help you to weigh up plug-in performance gains and costs and choose the optimal settings for your deployment. The "Further Information" row cross references further reading where this is available.
Chapter 6, "Managing Access Control" in the Netscape Directory Server Administrator's Guide.
Chapter 6, "Managing Access Control" in the Netscape Directory Server Administrator's Guide.
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Case Exact String Syntax Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Case Ignore String Syntax Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 3, "Configuring Directory Databases" in the Netscape Directory Server Administrator's Guide
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 5, "Advanced Entry Management" in the Netscape Directory Server Administrator's Guide
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Distinguished Name Syntax Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Generalized Time Syntax Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
The Internationalization has one argument which must not be modified: serverRoot/slapd-serverID/config/slapd-collations.conf
This directory stores the collation orders and locales used by the internationalization plug-in.
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
See Appendix D, "Internationalization" in the Netscape Directory Server Administrator's Guide.
See "Database Plug-in Attributes" on page 151 for further information on database configuration.
Chapter 3, "Configuring Directory Databases" in the Netscape Directory Server Administrator's Guide
Enables Directory Server 6.x to be a consumer of a 4.x supplier
None. This plug-in can be disabled if the server is not (and never will be) a consumer of a 4.x server.
Chapter 8, "Managing Replication" in the Netscape Directory Server Administrator's Guide
Multimaster Replication Plug-in
You can turn this plug-in off if you only have one server which will never replicate. See also Chapter 8, "Managing Replication" in the Netscape Directory Server Administrator's Guide
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
CLEAR Password Storage Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 7, "User Account Management" in the Netscape Directory Server Administrator's Guide
CRYPT Password Storage Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 7, "User Account Management" in the Netscape Directory Server Administrator's Guide
NS-MTA-MD5 Password Storage Scheme Plug-in
cn=NS-MTA-MD5,cn=Password Storage Schemes,cn=plugins,cn=configDo not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
You can no longer choose to encrypt passwords using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility, i.e. if the data in your directory still contains passwords encrypted with the NS-MTA-MD5 password storage scheme. See Chapter 7, "User Account Management" in the Netscape Directory Server Administrator's Guide
SHA Password Storage Scheme Plug-in
If there are not passwords encrypted using the SHA password storage scheme, you may turn this plug-in off. If you want to encrypt your password with the SHA password storage scheme, we recommend that you choose SSHA instead, as SSHA is a far more secure option.
Chapter 7, "User Account Management" in the Netscape Directory Server Administrator's Guide
SSHA Password Storage Scheme Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 7, "User Account Management" in the Netscape Directory Server Administrator's Guide
Postal Address String Syntax Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 18, "Configuring IM Presence Information" in the Netscape Directory Server Administrator's Guide.
Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
Chapter 16, "Using the Pass-Through Authentication Plug-in" in the Netscape Directory Server Administrator's Guide.
Chapter 16, "Using the Pass-Through Authentication Plug-in" in the Netscape Directory Server Administrator's Guide.
Referential Integrity Postoperation Plug-in
When enabled the post operation Referential Integrity plug-in performs integrity updates on the
member,uniquemember,ownerandseeAlsoattributes immediately after a delete or rename operation. You can reconfigure the plug-in to perform integrity checks on all other attributes.Configurable arguments are as follows:
- Check for referential integrity.
-1= no check for referential integrity0= check for referential integrity is performed immediatelypositive integer= request for referential integrity is queued and processed at a later stage. This positive integer serves as a wake-up call for the thread to process the request, at intervals corresponding to the integer specified.- Log file for storing the change, for example
/usr/netscape/servers/logs/referint- All the additional attribute names you want to be checked for referential integrity.
You should enable the Referential Integrity plug-in on only one master in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers you must be sure to analyze your performance resource and time needs as well as your integrity needs. Note that integrity checks can be time consuming and draining on memory/CPU.
See Chapter 3, "Configuring Directory Databases" in the Netscape Directory Server Administrator's Guide.
Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The Retro Changelog offers the same functionality as the changelog in the 4.x versions of Directory Server.
See "Retro Changelog Plug-in Attributes" for further information on the two configuration attributes for this plug-in.
Chapter 8, "Managing Replication" in the Netscape Directory Server Administrator's Guide.
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
Chapter 5, "Advanced Entry Management" in the Netscape Directory Server Administrator's Guide.
Space Insensitive String Syntax Plug-in
Do not modify the configuration of this plug-in. It is recommended that you leave this plug-in running at all times.
This plug-in enables the Directory Server to support space and case insensitive values. Applications can now search the directory using entries with ASCII space characters.
For example, applications that use AOL Screen NamesTM can search the Directory Server using filters that contain Screen Names—a search or compare operation that uses
jOHN Doewill match entries that contain any of the following Screen Name values:johndoe,john doe, andJohn Doe.For more information about finding directory entries, see Appendix B, "Finding Directory Entries" in the Netscape Directory Server Administrator's Guide.
Note that the
nsAIMIDattribute type, which is a part of the Presence schema, uses this syntax. For details, see Schema For the Presence Plug-In" in the Netscape Directory Server Administrator's Guide.
Do not modify the configuration of this plug-in. Netscape recommends that you leave this plug-in running at all times.
Checks that the values of specified attributes are unique each time a modification occurs on an entry.
Enter the following arguments:
if you want to check for UID attribute uniqueness in all listed subtrees.
However, enter the following arguments:
MarkerObjectclass = "ObjectClassName"
requiredObjectClass = "ObjectClassName"if you want to check for UID attribute uniqueness when adding or updating entries with the
requiredObjectClass, starting from the parent entry containing theObjectClassas defined by theMarkerObjectClassattribute.Directory Server 6.x provides the UID Uniqueness plug-in by default. If you want to ensure unique values for other attributes, you can create instances of the UID Uniqueness plug-in for those attributes. See Chapter 17, "Using the Attribute Uniqueness Plug-in" in the Netscape Directory Server Administrator's Guide for more information about the Attribute Uniquenss plug-in.
The UID Uniqueness plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.
Chapter 17, "Using the Attribute Uniqueness Plug-in" in the Netscape Directory Server Administrator's Guide.
List of Attributes Common to All Plug-ins
This list provides a brief attribute description, the Entry DN, valid range, default value, syntax and an example for each attribute.
Specifies the full path to the plug-in.
Specifies the plug-in function to be initiated.
Specifies the plug-in type. See "nsslapd-plugin-depends-on-type" on page 150 for further information.
Specifies whether or not the plug-in is enabled. This attribute can be changed over protocol, but will only take effect when the server is next restarted.
Specifies the plug-in version.
Specifies the vendor of the plug-in.
Provides a description of the plug-in.
Attributes Allowed by Certain Plug-ins
nsslapd-plugin-depends-on-type
Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the type number of a plug-in, contained in the attribute
nsslapd-pluginType.See "nsslapd-pluginType" on page 148 for further information. All plug-ins whose type value matches one of the values in the following valid range will be started by the server prior to this plug-in. The following post operation Referential Integrity Plug-in example shows that the database plug-in will be started prior to the postoperation Referential Integrity Plug-in.
nsslapd-plugin-depends-on-named
Multi-valued attribute, used to ensure that plug-ins are called by the server in the correct order. Takes a value which corresponds to the
cnvalue of a plug-in. The plug-in whosecnvalue matches one of the following values will be started by the server prior to this plug-in. If the plug-in does not exist, the server will fail to start. The following post operation Referential Integrity Plug-in example shows that the Class of Service plug-in will be started prior to the postoperation Referential Integrity Plug-in. If the Class of Service plug-in does not exist then the server will fail to start.
The database plug-in is also organized in an information tree as shown in Figure 3-1.
All plug-in technology used by the database instances is stored in the
cn=ldbm database plug-in node. This section presents the additional attribute information for each of the nodes in bold in thecn=ldbm database,cn=plugins,cn=configinformation tree.Database Attributes Under cn=config,cn=ldbm database,cn=plugins,cn=config
Global configuration attributes common to all instances are stored in the
cn=config,cn=ldbm database,cn=plugins,cn=configtree node.This performance related attribute specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request. If you bind as the directory manager DN, however, unlimited is set by default and overrides any other settings you may specify here. It is worth noting that binder based resource limits work for this limit, which means that if a value for the operational attribute
nsLookThroughlimitis present in the entry you bind as, the default limit will be overridden. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer you will receive anLDAP_UNWILLING_TO_PERFORMerror message with additional error information explaining the problem.
This performance related attribute that is present by default, specifies the number of entry IDs that can be maintained for an index key before the server sets the All IDs token and stops maintaining a list of IDs for that specific key. If you attempt to set a value that is not a number or is too big for a 32-bit signed integer you will receive an
LDAP_UNWILLING_TO_PERFORMerror message with additional error information explaining the problem.However, as tuning this attribute is a complex task and can severely degrade performance, it is advisable to keep the default value. For a more detailed explanation of the All IDs Threshold see Chapter 10, "Managing Indexes" in the Netscape Directory Server Administrator's Guide.
100 to the maximum 32-bit integer value (2147483647) entry IDs
This performance tuning related attribute which is turned off by default, specifies the percentage of free memory to use for all the combined caches. For example, if the value is set to 80, then 80 percent of the remaining free memory would be claimed for the cache. If you plan to run other servers on the machine, then the value will be lower. Setting the value to 0 turns off the cache autosizing and uses the normal
nsslapd-cachememsizeandnsslapd-dbcachesizeattributes.
This performance tuning related attribute specifies the percentage of cache space to allocate to the database cache. For example, setting this to
60would give the database cache 60 percent of the cache space and split the remaining 40 percent between the backend entry caches. That is, if there were 2 databases each of them would receive 20 percent. This attribute only applies when the nsslapd-cache-autosize attribute has a value of0.
This performance tuning related attribute specifies database cache size. Note that this is neither the index cache nor the entry cache. If you activate automatic cache resizing, you override this attribute, by replacing these values with its own guessed values at a later stage of the server startup.
If you attempt to set a value that is not a number or is too big for a 32-bit signed integer you will receive an
LDAP_UNWILLING_TO_PERFORMerror message with additional error information explaining the problem.
500KB to 4GB for 32-bit platforms and 500KB to 2^64-1 for 64-bit platforms
nsslapd-db-checkpoint-interval
The amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. A checkpoint entry indicates which database operations have been physically written to the directory database. The checkpoint entries are used to determine where in the database transaction log to begin recovery after a system failure. The
nsslapd db-checkpoint-intervalattribute is absent fromdse.ldif. To change the checkpoint interval, you add the attribute todse.ldif. This attribute can be dynamically modified usingldapmodify. For further information on modifying this attribute, see Chapter 14, "Tuning Directory Server Performance" in the Netscape Directory Server Administrator's Guide.This attribute is provided only for system modification/diagnostics and should be changed only with the guidance of Netscape Technical Support or Netscape Professional Services. Inconsistent settings of this attribute and other configuration attributes may cause the Directory Server to be unstable.
For more information on database transaction logging, see Chapter 12, "Monitoring Server and Database Activity" in the Netscape Directory Server Administrator's Guide.
Specifies circular logging for the transaction log files. If this attribute is switched off, old transaction log files are not removed, and are kept renamed as old log transaction files. Turning circular logging off can severly degrade server performance and as such should should only be modified with the guidance of Netscape Technical Support or Netscape Professional Services.
Specifies whether additional error information is to be reported to Directory Server. To report error information, set the parameter to
on. Note that this parameter is meant for troubleshooting, and enabling the parameter may slow down the Directory Server.
nsslapd-db-durable-transactions
Indicates whether database transactions log entries are immediately written to the disk. The database transaction log contains a sequential listing of all recent database operations and is used for database recovery only. With durable transactions enabled, every directory change will always be physically recorded in the log file and therefore be able to be recovered in the event of a system failure. However, the durable transactions feature may also slow the performance of the Directory Server. When durable transactions is disabled, all transactions are logically written to th
