2.2. Accessing and Modifying Server Configuration

This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.

2.2.1. Access Control for Configuration Entries

When the Directory Server is installed, a default set of access control instructions (ACIs) is implemented for all entries under cn=config. The following code sample is an example of these default ACIs.

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all)
     groupdn = "ldap:///cn=Configuration Administrators,ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
     userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all)
     groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all)
     groupdn = "ldap:///cn=slapd-phonebook, cn=Red Hat Directory Server,
     cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)

These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:

  • Members of the Configuration Administrators group.

  • The user acting as the administrator, the admin account configured at setup. By default, this is the user account that logs in to the Console.

  • Members of the local Directory Administrators group.

  • The SIE (Server Instance Entry) group, usually assigned through the Set Access Permissions process in the main Console.

Each of these ACIs grants allow (all) on targetattr "*", so every subject listed above has full control over the server configuration, including the ACIs themselves. Review the membership of these groups with the same care as the Directory Manager password.

For more information on access control, see the Directory Server Administration Guide.
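The following script is an added example, not code from the Directory Server documentation or product. It audits a cn=config dump for the ACI form this section shows (one targetattr clause, one allow/deny rights list, one groupdn/userdn/roledn bind rule) and reports which subjects hold full control; any ACI using syntax this section does not document (targetfilter, several bind rules joined with || or &&) is rejected rather than misread. SAMPLE_LDIF is constructed from the default ACIs listed above; the keywords ldap:///anyone and ldap:///all are the standard Directory Server bind-rule keywords for unauthenticated and authenticated users.

```python
"""Audit the ACIs on cn=config: who holds full control over the configuration?

Added example (not part of the Directory Server documentation or product).
"""
import re

# Constructed sample of what `ldapsearch -b cn=config ... aci` returns: the
# default ACIs listed above. Long values are folded onto continuation lines
# that begin with whitespace, as in an LDIF dump.
SAMPLE_LDIF = """\
dn: cn=config
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all)
     groupdn = "ldap:///cn=Configuration Administrators,ou=Groups, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
     userdn = "ldap:///uid=admin, ou=Administrators, ou=TopologyManagement, o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all)
     groupdn = "ldap:///ou=Directory Administrators, dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all)
     groupdn = "ldap:///cn=slapd-phonebook, cn=Red Hat Directory Server,
     cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)
"""

# Constructed: an ACI that would hand the configuration to unauthenticated users.
RISKY_ACI = '(targetattr = "*")(version 3.0; acl "Everyone"; allow (all) userdn = "ldap:///anyone";)'

# Only the simple form documented in this section: targetattr, version, acl
# name, allow|deny (rights), one bind rule. Anything else fails to match.
ACI_RE = re.compile(
    r'^\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version\s+3\.0;\s*acl\s+"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bindtype>groupdn|userdn|roledn)\s*=\s*"(?P<url>ldap:///[^"]*)"\s*;\s*\)$',
    re.IGNORECASE,
)


def unfold_ldif(text):
    """Join LDIF continuation lines (leading whitespace) back onto their attribute line.

    Simplification: the sample indents continuations with several spaces, so all
    leading whitespace is stripped and the pieces rejoined with one space.
    Strict LDIF (RFC 2849) removes exactly one leading space and inserts nothing.
    """
    lines = []
    for raw in text.splitlines():
        if raw[:1].isspace() and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.rstrip())
    return lines


def parse_aci(aci):
    """Split one ACI value into its parts; raise ValueError for unsupported syntax."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unsupported ACI syntax: %s" % aci)
    d = m.groupdict()
    d["effect"] = d["effect"].lower()
    d["bindtype"] = d["bindtype"].lower()
    d["rights"] = [r.strip().lower() for r in d["rights"].split(",")]
    # The bind rule is an LDAP URL: ldap:///<dn> or ldap:///<keyword>.
    d["subject"] = d.pop("url")[len("ldap:///"):].strip()
    # allow (all) on every attribute means unrestricted control of the entry.
    d["full_control"] = (d["effect"] == "allow" and d["targetattr"] == "*"
                         and "all" in d["rights"])
    # anyone = unauthenticated users too; all = any authenticated user.
    d["broad_subject"] = (d["bindtype"] == "userdn"
                          and d["subject"].lower() in ("anyone", "all"))
    return d


def audit(ldif_text):
    """Parse every aci value in the dump, in order."""
    return [parse_aci(line.split(":", 1)[1])
            for line in unfold_ldif(ldif_text)
            if line.lower().startswith("aci:")]


def full_control_subjects(ldif_text):
    """(bind-rule type, DN or keyword) for every ACI granting full control."""
    return [(a["bindtype"], a["subject"]) for a in audit(ldif_text) if a["full_control"]]


if __name__ == "__main__":
    for kind, subject in full_control_subjects(SAMPLE_LDIF):
        print("%-8s %s" % (kind, subject))
```

Run it against a real dump with `ldapsearch -b cn=config -D "cn=Directory Manager" -W "(objectclass=*)" aci` piped into a file, then compare the subjects it lists with the people who are actually supposed to administer the server; an ACI flagged broad_subject on cn=config should never appear.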

2.2.2. Changing Configuration Attributes

Server attributes can be viewed and changed in one of three ways: through the Directory Server Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.

NOTE

Before editing the dse.ldif file, the server must be stopped; otherwise, the changes are lost, because the running server writes its in-memory configuration back to dse.ldif and overwrites hand edits. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Section 2.2.2.3, “Configuration Changes Requiring Server Restart” for further information.

The following sections describe how to modify entries using LDAP (both by using Directory Server Console and by using the command line), the restrictions that apply to modifying entries, the restrictions that apply to modifying attributes, and the configuration changes requiring restart.

2.2.2.1. Modifying Configuration Entries Using LDAP

The configuration entries in the directory can be searched and modified using LDAP, either via the Directory Server Console or by performing ldapsearch and ldapmodify operations in the same way as for other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running.

For further information, see the "Creating Directory Entries" chapter in the Directory Server Administration Guide. However, certain changes do require the server to be restarted before they are taken into account. See Section 2.2.2.3, “Configuration Changes Requiring Server Restart” for further information.

NOTE

As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree as this risks affecting Directory Server functionality.

The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:

ldapsearch -b cn=config -D bindDN -w password "(objectclass=*)"

  • bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).

  • password is the password chosen for the Directory Manager.

Passing the password with -w puts it on the command line, where other local users can read it from the process list and it may be recorded in the shell history. On a shared host, prefer the option that prompts for the password or reads it from a file (-W or -y with OpenLDAP ldapsearch).

For more information on using ldapsearch, see Section 6.4, “ldapsearch”.

To disable a plug-in, use ldapmodify to edit the nsslapd-pluginEnabled attribute:

ldapmodify -D "cn=Directory Manager" -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off

2.2.2.2. Restrictions to Modifying Configuration Entries and Attributes

Certain restrictions apply when modifying server entries and attributes:

  • The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.

  • If an attribute that the server does not use is added to cn=config, the server ignores it rather than rejecting the operation.

  • If an invalid value is entered for an attribute, the server ignores it.

  • Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute from an entry.

Because the last two cases fail silently, verify a configuration change by reading the entry back with ldapsearch after the ldapmodify operation and checking that the value the server reports is the one intended.

2.2.2.3. Configuration Changes Requiring Server Restart

Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:

ldapsearch -p 389 -D "cn=directory manager" -w password -s sub -b "cn=config" \
     "(objectclass=*)" | grep nsslapd-requiresrestart

nsslapd-cachesize
nsslapd-certdir
nsslapd-dbcachesize
nsslapd-dbncache
nsslapd-plugin
nsslapd-changelogdir
nsslapd-changelogmaxage
nsslapd-changelogmaxentries
nsslapd-port
nsslapd-schemadir
nsslapd-saslpath
nsslapd-secureport
nsslapd-tmpdir
nsSSL2
nsSSL3
nsSSLclientauth
nsSSLSessionTimeout
nsslapd-conntablesize
nsslapd-lockdir
nsslapd-maxdescriptors
nsslapd-reservedescriptors
nsslapd-listenhost
nsslapd-schema-ignore-trailing-spaces
nsslapd-securelistenhost
nsslapd-workingdir
nsslapd-return-exact-case
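The following script is an added example, not code from the Directory Server documentation or product. It ties together Sections 2.2.2.1 to 2.2.2.3: given a list of intended configuration changes, it applies the restrictions above (cn=monitor is read-only except for aci; attributes are removed with a modify/delete, never ldapdelete), emits the LDIF that ldapmodify consumes, and reports which of the changes touch an attribute the server lists in nsslapd-requiresrestart. REQUIRES_RESTART_OUTPUT and EXAMPLE_CHANGES are constructed; the script assumes each nsslapd-requiresrestart value has the form entryDN:attribute, so check the form your own server returns before relying on the matching.

```python
"""Plan a batch of cn=config changes: LDIF for ldapmodify plus a restart list.

Added example (not part of the Directory Server documentation or product).
"""

# Constructed sample of `ldapsearch ... | grep nsslapd-requiresrestart` output.
# Assumed value form: "<entry DN>:<attribute>"; the real list is longer.
REQUIRES_RESTART_OUTPUT = """\
nsslapd-requiresrestart: cn=config:nsslapd-port
nsslapd-requiresrestart: cn=config:nsslapd-secureport
nsslapd-requiresrestart: cn=config:nsslapd-listenhost
nsslapd-requiresrestart: cn=config:nsslapd-maxdescriptors
nsslapd-requiresrestart: cn=encryption,cn=config:nsSSL3
nsslapd-requiresrestart: cn=encryption,cn=config:nsSSLclientauth
"""

# Constructed changes: (entry DN, modify op, attribute, values).
EXAMPLE_CHANGES = [
    ("cn=Telephone Syntax,cn=plugins,cn=config", "replace", "nsslapd-pluginEnabled", ["off"]),
    ("cn=config", "replace", "nsslapd-port", ["1389"]),
    ("cn=encryption, cn=config", "replace", "nsSSL3", ["off"]),
    ("cn=config", "delete", "nsslapd-listenhost", []),       # remove an attribute
    ("cn=counters,cn=monitor", "replace", "currentconnections", ["0"]),  # read-only
]


def normalize_dn(dn):
    """Case-fold and drop whitespace after RDN separators (escaped commas not handled)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_requires_restart(output):
    """Return the set of (normalized entry DN, lower-cased attribute) needing a restart."""
    pairs = set()
    for line in output.splitlines():
        if not line.lower().startswith("nsslapd-requiresrestart:"):
            continue
        value = line.split(":", 1)[1].strip()
        dn, _, attr = value.rpartition(":")   # attribute names never contain ':'
        pairs.add((normalize_dn(dn), attr.lower()))
    return pairs


def plan_changes(changes, requires_restart):
    """Validate the changes and split them into (ldif_text, needs_restart, rejected).

    needs_restart and rejected are lists of (dn, attribute[, reason]).
    """
    records, needs_restart, rejected = [], [], []
    for dn, op, attr, values in changes:
        ndn, lattr = normalize_dn(dn), attr.lower()
        if op not in ("add", "replace", "delete"):
            rejected.append((dn, attr, "unsupported modify op %r" % op))
            continue
        # 2.2.2.2: cn=monitor and its children are read-only except for ACIs.
        if (ndn == "cn=monitor" or ndn.endswith(",cn=monitor")) and lattr != "aci":
            rejected.append((dn, attr, "cn=monitor subtree is read-only except aci"))
            continue
        if op != "delete" and not values:
            rejected.append((dn, attr, "add/replace needs at least one value"))
            continue
        # One LDIF change record per modification; "-" closes the mod spec.
        record = ["dn: %s" % dn, "changetype: modify", "%s: %s" % (op, attr)]
        record += ["%s: %s" % (attr, v) for v in values]
        record.append("-")
        records.append("\n".join(record))
        # 2.2.2.3: the change is accepted live but only takes effect after restart.
        if (ndn, lattr) in requires_restart:
            needs_restart.append((dn, attr))
    ldif = "\n\n".join(records) + ("\n" if records else "")
    return ldif, needs_restart, rejected


if __name__ == "__main__":
    restart_set = parse_requires_restart(REQUIRES_RESTART_OUTPUT)
    ldif, restart, rejected = plan_changes(EXAMPLE_CHANGES, restart_set)
    print(ldif)
    for dn, attr in restart:
        print("# restart required for %s on %s" % (attr, dn))
    for dn, attr, why in rejected:
        print("# rejected %s on %s: %s" % (attr, dn, why))
```

Feed the generated LDIF to `ldapmodify -D "cn=Directory Manager" -W -f changes.ldif`, read each modified entry back with ldapsearch to confirm the server accepted the values (unknown attributes and invalid values are ignored without an error), and restart the server only for the changes reported as requiring it.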