Most of these configuration tree nodes are covered in the following sections.
General configuration entries are stored in the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class.
2.3.1.1. nsslapd-accesslog (Access Log)
This attribute specifies the path and filename of the log used to record each LDAP access. The following information is recorded by default in the log file:
IP address of the client machine that accessed the database.
Operations performed (for example, search, add, and modify).
Result of the access (for example, the number of entries returned or an error code).
For more information on turning access logging off, see the "Monitoring Server and Database Activity" chapter in the Directory Server Administrator's Guide.
For access logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
|
Attribute
|
Value
|
Logging enabled or disabled
|
|---|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
on
empty string
|
Disabled
|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
on
filename
|
Enabled
|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
off
empty string
|
Disabled
|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
off
filename
|
Disabled
|
Table 2.2. dse.ldif File Attributes
2.3.1.2. nsslapd-accesslog-level
This attribute controls what is logged to the access log.
2.3.1.3. nsslapd-accesslog-list
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
2.3.1.4. nsslapd-accesslog-logbuffering (Log Buffering)
When set to off, the server writes all access log entries directly to disk. Buffering allows the server to use access logging even when under a heavy load without impacting performance. However, when debugging, it is sometimes useful to disable buffering in order to see the operations and their results right away instead of having to wait for the log entries to be flushed to the file. Disabling log buffering can severely impact performance in heavily loaded servers.
2.3.1.5. nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
This attribute specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
2.3.1.6. nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
This attribute specifies the units for nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
2.3.1.7. nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog attribute that specifies the path and parameter of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and parameter. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
|
Attribute
|
Value
|
Logging Enabled or Disabled
|
|---|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
on
empty string
|
Disabled
|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
on
filename
|
Enabled
|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
off
empty string
|
Disabled
|
|
nsslapd-accesslog-logging-enabled
nsslapd-accesslog
|
off
filename
|
Disabled
|
Table 2.3. dse.ldif Attributes
2.3.1.8. nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
This attribute specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
2.3.1.9. nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access logs are deleted until enough disk space is freed to satisfy this attribute.
2.3.1.10. nsslapd-accesslog-logrotationsync-enabled (Access Log Rotation Sync Enabled)
This attribute sets whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
2.3.1.11. nsslapd-accesslog-logrotationsynchour (Access Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
2.3.1.12. nsslapd-accesslog-logrotationsyncmin (Access Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
2.3.1.13. nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
This attribute sets the time between access log file rotations. The access log is rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Although it is not recommended for performance reasons to specify no log rotation since the log grows indefinitely, there are two ways of specifying this. Either set the
nsslapd-accesslog-maxlogsperdir attribute value to
1 or set the
nsslapd-accesslog-logrotationtime attribute to
-1. The server checks the
nsslapd-accesslog-maxlogsperdir attribute first, and, if this attribute value is larger than
1, the server then checks the
nsslapd-accesslog-logrotationtime attribute. See
Section 2.3.1.16, “nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)” for more information.
2.3.1.14. nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
This attribute sets the units for the nsslapd-accesslog-logrotationtime attribute.
2.3.1.15. nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
This attribute sets the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If the nsslapd-accesslog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the access log.
2.3.1.16. nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
This attribute sets the total number of access logs that can be contained in the directory where the access log is stored. Each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored in this attribute, then the oldest version of the log file is deleted. For performance reasons, Red Hat recommends not setting this value to 1 because the server does not rotate the log, and it grows indefinitely.
2.3.1.17. nsslapd-accesslog-mode (Access Log File Permission)
This attribute sets the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 (these mirror the numbered or absolute UNIX file permissions). The value must be a 3-digit number, the digits varying from 0 through 7:
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
2.3.1.18. nsslapd-attribute-name-exceptions
This attribute allows non-standard characters in attribute names to be used for backwards compatibility with older servers, such as "_" in schema-defined attributes.
2.3.1.19. nsslapd-auditlog (Audit Log)
This attribute sets the path and filename of the log used to record changes made to each database.
For audit logging to be enabled, this attribute must have a valid path and parameter, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
|
Attributes in dse.ldif
|
Value
|
Logging enabled or disabled
|
|---|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
on
empty string
|
Disabled
|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
on
filename
|
Enabled
|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
off
empty string
|
Disabled
|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
off
filename
|
Disabled
|
Table 2.4. Possible Combinations for nsslapd-auditlog
2.3.1.20. nsslapd-auditlog-list
Provides a list of audit log files.
2.3.1.21. nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
2.3.1.22. nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
This attribute sets the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
2.3.1.23. nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
For audit logging to be enabled, this attribute must have a valid path and parameter and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
|
Attribute
|
Value
|
Logging enabled or disabled
|
|---|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
on
empty string
|
Disabled
|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
on
filename
|
Enabled
|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
off
empty string
|
Disabled
|
|
nsslapd-auditlog-logging-enabled
nsslapd-auditlog
|
off
filename
|
Disabled
|
Table 2.5. Possible combinations for nsslapd-auditlog and nsslapd-auditlog-logging-enabled
2.3.1.24. nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations with the total amount of disk space for the audit log.
2.3.1.25. nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
This attribute sets the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest audit logs are deleted until enough disk space is freed to satisfy this attribute.
2.3.1.26. nsslapd-auditlog-logrotationsync-enabled (Audit Log Rotation Sync Enabled)
This attribute sets whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
2.3.1.27. nsslapd-auditlog-logrotationsynchour (Audit Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
2.3.1.28. nsslapd-auditlog-logrotationsyncmin (Audit Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
2.3.1.29. nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
This attribute sets the time between audit log file rotations. The audit log is rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If the nsslapd-auditlog-maxlogsperdir attribute is set to 1, the server ignores this attribute.
Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the
nsslapd-auditlog-maxlogsperdir attribute value to
1 or set the
nsslapd-auditlog-logrotationtime attribute to
-1. The server checks the
nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than
1, the server then checks the
nsslapd-auditlog-logrotationtime attribute. See
Section 2.3.1.32, “nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)” for more information.
2.3.1.30. nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
This attribute sets the units for the nsslapd-auditlog-logrotationtime attribute.
2.3.1.31. nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
This attribute sets the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the audit log.
2.3.1.32. nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
This attribute sets the total number of audit logs that can be contained in the directory where the audit log is stored. Each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server will not rotate the log, and it grows indefinitely.
2.3.1.33. nsslapd-auditlog-mode (Audit Log File Permission)
This attribute sets the access mode or file permissions with which audit log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
2.3.1.34. nsslapd-certdir (Certificate and Key Database Directory)
This is the full path to the directory holding the certificate and key databases for a Directory Server instance. This directory must contain only the certificate and key databases for this instance and no other instances. This directory must be owned and allow read-write access for the server user ID. No other user should have read-right access to this directory. The default location is the configuration file directory, /etc/dirsrv/slapd-instance_name.
Changes to this value will not take effect until the server is restarted.
2.3.1.35. nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitations of the security subsystem certificate mapping, configured in the certmap.conf file. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. If the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. The valid value for this attribute is the DN of the suffix or subtree to use for certificate mapping. For further information on configuring for SSL, see the "Managing SSL" chapter in the Directory Server Administrator's Guide.
This read-only attribute is the config DN.
2.3.1.37. nsslapd-conntablesize
This attribute sets the connection table size, which determines the total number of connections supported by the server.
The server has to be restarted for changes to this attribute to go into effect.
Increase the value of this attribute if Directory Server is refusing connections because it is out of connection slots. When this occurs, the Directory Server's error log file records the message Not listening for new connections -- too many fds open.
A server restart is required for the change to take effect.
It may be necessary to increase the operating system limits for the number of open files and number of open files per process, and it may be necessary to increase the
ulimit for the number of open files (
ulimit -n) in the shell that starts the Directory Server. See
Section 2.3.1.67, “nsslapd-maxdescriptors (Maximum File Descriptors)” for more information.
2.3.1.38. nsslapd-csnlogging
This attribute sets whether change sequence numbers (CSNs), when available, are to be logged in the access log. By default, CSN logging is turned on.
2.3.1.39. nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
2.3.1.40. nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
This attribute is deprecated and will be removed in a future version of Directory Server.
This attribute controls whether quoting in the objectclass attributes contained in the cn=schema entry conforms to the quoting specified by Internet draft RFC 2252. By default, the Directory Server conforms to RFC 2252, which indicates that this value should not be quoted. Only very old clients need this value set to on, so leave it off.
Turning this attribute on or off does not affect Directory Server Console.
2.3.1.41. nsslapd-errorlog (Error Log)
This attribute sets the path and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions, such as:
For error logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. The table lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
|
Attributes in dse.ldif
|
Value
|
Logging enabled or disabled
|
|---|
|
nsslapd-errorlog-logging-enabled
nsslapd-errorlog
|
on
empty string
|
Disabled
|
|
nsslapd-errorlog-logging-enabled
nsslapd-errorlog
|
on
filename
|
Enabled
|
|
nsslapd-errorlog-logging-enabled
nsslapd-errorlog
|
off
empty string
|
Disabled
|
|
nsslapd-errorlog-logging-enabled
nsslapd-errorlog
|
off
filename
|
Disabled
|
Table 2.6. Possible Combinations for nsslapd-errorlog Configuration Attributes
2.3.1.42. nsslapd-errorlog-level (Error Log Level)
This attribute sets the level of logging for the Directory Server. The log level is additive; that is, specifying a value of 3 includes both levels 1 and 2.
The default value for nsslapd-errorlog-level is 16384.
2.3.1.43. nsslapd-errorlog-list
This read-only attribute provides a list of error log files.
2.3.1.44. nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
This attribute sets the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
2.3.1.45. nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
This attribute sets the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, then the log never expires.
2.3.1.46. nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
2.3.1.47. nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
This attribute sets the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
2.3.1.48. nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
This attribute sets the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
2.3.1.49. nsslapd-errorlog-logrotationsync-enabled (Error Log Rotation Sync Enabled)
This attribute sets whether error log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way can generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For error log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate error log files every day at midnight, enable this attribute by setting its value to on, and then set the values of the nsslapd-errorlog-logrotationsynchour and nsslapd-errorlog-logrotationsyncmin attributes to 0.
2.3.1.50. nsslapd-errorlog-logrotationsynchour (Error Log Rotation Sync Hour)
This attribute sets the hour of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsyncmin attributes.
2.3.1.51. nsslapd-errorlog-logrotationsyncmin (Error Log Rotation Sync Minute)
This attribute sets the minute of the day for rotating error logs. This attribute must be used in conjunction with nsslapd-errorlog-logrotationsync-enabled and nsslapd-errorlog-logrotationsynchour attributes.
2.3.1.52. nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
This attribute sets the time between error log file rotations. The error log is rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit) attribute.
Although it is not recommended for performance reasons to specify no log rotation, as the log grows indefinitely, there are two ways of specifying this. Either set the
nsslapd-errorlog-maxlogsperdir attribute value to
1 or set the
nsslapd-errorlog-logrotationtime attribute to
-1. The server checks the
nsslapd-errorlog-maxlogsperdir attribute first, and, if this attribute value is larger than
1, the server then checks the
nsslapd-errorlog-logrotationtime attribute. See
Section 2.3.1.55, “nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)” for more information.
2.3.1.53. nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
This attribute sets the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, then the log never expires.
2.3.1.54. nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
This attribute sets the maximum error log size in megabytes. When this value is reached, the error log is rotated, and the server starts writing log information to a new log file. If nsslapd-errorlog-maxlogsperdir is set to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which consumes disk space. Compare these considerations to the total amount of disk space for the error log.
2.3.1.55. nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
This attribute sets the total number of error logs that can be contained in the directory where the error log is stored. Each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. The default is 1 log. If this default is accepted, the server does not rotate the log, and it grows indefinitely.
2.3.1.56. nsslapd-errorlog-mode (Error Log File Permission)
This attribute sets the access mode or file permissions with which error log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. That is, the value must be a combination of a 3-digit number, the digits varying from 0 through 7:
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, remember that 000 does not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode only affects new logs that are created; the mode is set when the log rotates to a new file.
2.3.1.57. nsslapd-groupevalnestlevel
This attribute is deprecated, and documented here only for historical purposes.
The Access Control Plug-in does not use the value specified by the nsslapd-groupevalnestlevel attribute to set the number of levels of nesting that access control performs for group evaluation. Instead, the number of levels of nesting is hardcoded as 5.
2.3.1.58. nsslapd-idletimeout (Default Idle Timeout)
This attribute sets the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 means that the server never closes idle connections. This setting applies to all connections and all users. Idle timeout is enforced when the connection table is walked, when poll() does not return zero. Therefore, a server with a single connection never enforces the idle timeout.
Use the nsIdleTimeout operational attribute, which can be added to user entries, to override the value assigned to this attribute. For details, see the "Setting Resource Limits Based on the Bind DN" section in the Directory Server Administrator's Guide.
2.3.1.59. nsslapd-instancedir (Instance Directory)
This attribute is deprecated. There are now separate configuration parameters for instance-specific paths, such as nsslapd-certdir and nsslapd-lockdir. See the documentation for the specific directory path that is set.
2.3.1.60. nsslapd-ioblocktimeout (IO Block Time Out)
This attribute sets the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
2.3.1.61. nsslapd-lastmod (Track Modification Time)
This attribute sets whether the Directory Server maintains the modification attributes for Directory Server entries. These are operational attributes. These attributes include:
modifiersname - The distinguished name of the person who last modified the entry.
modifytimestamp - The timestamp, in GMT format, for when the entry was last modified.
creatorsname - The distinguished name of the person who initially created the entry.
createtimestamp - The timestamp for when the entry was created in GMT format.
WARNING
This attribute should never be turned off. If the nsslapd-lastmod is set to off, then generating nsUniqueIDs is also disabled, replication does not work, and other issues may arise.
If for some reason this attribute were set to off, the solution is to export the database to ldif (db2ldif or db2ldif.pl or from the console), set the value to on, and import the data. The import process assigns each entry a unique id.
2.3.1.62. nsslapd-listenhost (Listen to IP Address)
This attribute allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). There can be multiple IP addresses associated with a single hostname, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface.
If a hostname is given as the nsslapd-listenhost value, then the Directory Server responds to requests for every interface associated with the hostname. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-listenhost value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used.
The server has to be restarted for changes to this attribute to go into effect.
NOTE
On HP-UX the hostname value can be a relocatable IP address.
2.3.1.63. nsslapd-localhost (Local Host)
This attribute specifies the host machine on which the Directory Server runs. This attribute is used to create the referral URL that forms part of the MMR protocol. In a high-availability configuration with failover nodes, that referral should point to the virtual name of the cluster, not the local hostname.
2.3.1.64. nsslapd-localuser (Local User)
This attribute sets the user as whom the Directory Server runs. The group as which the user runs is derived from this attribute by examining the user's primary group. Should the user change, then all of the instance-specific files and directories for this instance need to be changed to be owned by the new user, using a tool such as chown.
The value for the nsslapd-localuser is set initially when the server instance is configured.
2.3.1.65. nsslapd-lockdir (Server Lock File Directory)
This is the full path to the directory the server uses for lock files. The default value is /var/lock/dirsrv/slapd-instance_name. Changes to this value will not take effect until the server is restarted.
2.3.1.66. nsslapd-maxbersize (Maximum Message Size)
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry and if the entry in the request is larger than two megabytes, then the add request is denied. Be cautious before changing this attribute, and Red Hat recommends contacting Directory Server support first.
2.3.1.67. nsslapd-maxdescriptors (Maximum File Descriptors)
This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server tries to use. A file descriptor is used whenever a client connects to the server and also for some server activities, such as index maintenance. File descriptors are also used by access logs, error logs, audit logs, database files (indexes and transaction logs), and as sockets for outgoing connections to other servers for replication and chaining.
The number of descriptors available for TCP/IP to serve client connections is determined by
nsslapd-conntablesize, and is equal to the
nsslapd-maxdescriptors attribute minus the number of file descriptors used by the server as specified in the
nsslapd-reservedescriptors attribute for non-client connections, such as index management and managing replication. The
nsslapd-reservedescriptors attribute is the number of file descriptors available for other uses as described above. See
Section 2.3.1.78, “nsslapd-reservedescriptors (Reserved File Descriptors)”.
The number given here should not be greater than the total number of file descriptors that the operating system allows the ns-slapd process to use. This number differs depending on the operating system.
If this value is set too high, the Directory Server queries the operating system for the maximum allowable value, and then use that value. It also issues a warning in the error log. If this value is set to an invalid value remotely, by using the Directory Server Console or ldapmodify, the server rejects the new value, keep the old value, and respond with an error.
Some operating systems let users configure the number of file descriptors available to a process. See the operating system documentation for details on file descriptor limits and configuration. The dsktune program (explained in the Directory Server Installation Guide) can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. Increased the value on this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:
Not listening for new connections -- too many fds open
NOTE
UNIX shells usually have configurable limits on the number of file descriptors. See the operating system documentation for further information about limit and ulimit, as these limits can often cause problems.
The server has to be restarted for changes to this attribute to go into effect.
2.3.1.68. nsslapd-maxthreadsperconn (Maximum Threads per Connection)
Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, use the default value. For situations where a client binds and simultaneously issues many requests, increase this value to allow each connection enough resources to perform all the operations. This attribute is not available from the server console.
When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies; specifically, sending data is delayed so that additional data can be grouped into one packet of the underlying network MTU size, typically 1500 bytes for Ethernet.
2.3.1.70. nsslapd-outbound-ldap-io-timeout
This attribute limits the I/O wait time for all outbound LDAP connections. The default is 300000 milliseconds (5 minutes). A value of 0 means that the server does not impose a limit on I/O wait time.
2.3.1.71. nsslapd-plug-in
This read-only attribute lists the DNs of the plug-in entries for the syntax and matching rule plug-ins loaded by the server.
2.3.1.72. nsslapd-port (Port Number)
This attribute gives the TCP/IP port number used for standard LDAP communications. To run SSL/TLS over this port, use the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 means the Directory Server has to be started as root.
The server sets its uid to the nsslapd-localuser value after startup. When changing the port number for a configuration directory, the corresponding server instance entry in the configuration directory must be updated.
The server has to be restarted for the port number change to be taken into account.
NOTE
Set the port number to zero (0) to disable the LDAP port if the LDAPS port is enabled.
2.3.1.73. nsslapd-privatenamespaces
This read-only attribute contains the list of the private naming contexts cn=config, cn=schema, and cn=monitor.
2.3.1.74. nsslapd-pwpolicy-local (Enable Subtree- and User-Level Password Policy)
Turns fine-grained (subtree- and user-level) password policy on and off.
If this attribute has a value of off, all entries (except for cn=Directory Manager) in the directory is subjected to the global ord policy; the server ignores any defined subtree/user level password policy.
If this attribute has a value of on, the server checks for password policies at the subtree- and user-level and enforce those policies.
2.3.1.75. nsslapd-readonly (Read Only)
This attribute sets whether the whole server is in read-only mode, meaning that neither data in the databases nor configuration information can be modified. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.
2.3.1.76. nsslapd-referral (Referral)
This multi-valued attribute specifies the LDAP URLs to be returned by the suffix when the server receives a request for an entry not belonging to the local tree; that is, an entry whose suffix does not match the value specified on any of the suffix attributes. For example, assume the server contains only entries:
ou=People,dc=example,dc=com
but the request is for this entry:
ou=Groups,dc=example,dc=com
In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a server that contains the requested entry. Although only one referral is allowed per Directory Server instance, this referral can have multiple values.
NOTE
To use SSL and TLS communications, the referral attribute should be in the form ldaps://server-location.
Start TLS does not support referrals.
For more information on managing referrals, see the "Configuring Directory Databases" chapter in the Directory Server Administrator's Guide.
2.3.1.77. nsslapd-referralmode (Referral Mode)
When set, this attribute sends back the referral for any request on any suffix.
2.3.1.78. nsslapd-reservedescriptors (Reserved File Descriptors)
This attribute specifies the number of file descriptors that Directory Server reserves for managing non-client connections, such as index management and managing replication. The number of file descriptors that the server reserves for this purpose subtracts from the total number of file descriptors available for servicing LDAP client connections (See
Section 2.3.1.67, “nsslapd-maxdescriptors (Maximum File Descriptors)”).
Most installations of Directory Server should never need to change this attribute. However, consider increasing the value on this attribute if all of the following are true:
The server is replicating to a large number of consumer servers (more than 10), and/or the server is maintaining a large number of index files (more than 30).
The server is servicing a large number of LDAP connections.
There are error messages reporting that the server is unable to open file descriptors (the actual error message differs depending on the operation that the server is attempting to perform), but these error messages are not related to managing client LDAP connections.
Increasing the value on this attribute may result in more LDAP clients being unable to access the directory. Therefore, the value on this attribute is increased, also increase the value on the
nsslapd-maxdescriptors attribute. It may not be possible to increase the
nsslapd-maxdescriptors value if the server is already using the maximum number of file descriptors that the operating system allows a process to use; see the operating system documentation for details. If this is the case, then reduce the load on the server by causing LDAP clients to search alternative directory replicas. See
Section 2.3.1.37, “nsslapd-conntablesize” for information about file descriptor usage for incoming connections.
To assist in computing the number of file descriptors set for this attribute, use the following formula:
nsslapd-reservedescriptor = 20 + (NldbmBackends * 4) + NglobalIndex +
ReplicationDescriptor + ChainingBackendDescriptors + PTADescriptors + SSLDescriptors
NldbmBackends is the number of ldbm databases.
NglobalIndex is the total number of configured indexes for all databases including system indexes. (By default 8 system indexes and 17 additional indexes per database).
ReplicationDescriptor is eight (8) plus the number of replicas in the server that can act as a supplier or hub (NSupplierReplica).
ChainingBackendDescriptors is NchainingBackend times the nsOperationConnectionsLimit (a chaining or database link configuration attribute; 10 by default).
PTADescriptors is 3 if PTA is configured and 0 if PTA is not configured.
SSLDescriptors is 5 (4 files + 1 listensocket) if SSL is configured and 0 if SSL is not configured.
The server has to be restarted for changes to this attribute to go into effect.
2.3.1.79. nsslapd-return-exact-case (Return Exact Case)
Returns the exact case of attribute type names as requested by the client. Although LDAPv3-compliant clients must ignore the case of attribute names, some client applications require attribute names to match exactly the case of the attribute as it is listed in the schema when the attribute is returned by the Directory Server as the result of a search or modify operation. However, most client applications ignore the case of attributes; therefore, by default, this attribute is disabled. Do not modify it unless there are legacy clients that can check the case of attribute names in results returned from the server.
The server has to be restarted for changes to this attribute to go into effect.
2.3.1.80. nsslapd-rewrite-rfc1274
This attribute is deprecated and will be removed in a later version.
This attribute is used only for LDAPv2 clients that require attribute types to be returned with their RFC 1274 names. Set the value to on for those clients. The default is off.
2.3.1.81. nsslapd-rootdn (Manager DN)
This attribute sets the distinguished name (DN) of an entry that is not subject to access control restrictions, administrative limit restrictions for operations on the directory, or resource limits in general. There does not have to be an entry corresponding to this DN, and by default there is not an entry for this DN, thus values like cn=Directory Manager are acceptable.
For information on changing the root DN, see the "Creating Directory Entries" chapter in the Directory Server Administrator's Guide.
2.3.1.82. nsslapd-rootpw (Root Password)
This attribute sets the password associated with the Manager DN. When the root password is provided, it is encrypted according to the encryption method selected for the nsslapd-rootpwstoragescheme attribute. When viewed from the server console, this attribute shows the value *****. When viewed from the dse.ldif file, this attribute shows the encryption method followed by the encrypted string of the password. The example shows the password as displayed in the dse.ldif file, not the actual password.
CAUTION
When the root DN is configred at server setup, a root password is required. However, it is possible for the root password to be deleted from
dse.ldif by directly editing the file. In this situation, the root DN can only obtain the same access to the directory is allowed for anonymous access. Always make sure that a root password is defined in
dse.ldif when a root DN is configured for the database. The
pwdhash command-line utility can create a new root password. For more information, see
Section 7.3.9, “pwdhash (Prints Encrypted Passwords)”.
2.3.1.83. nsslapd-rootpwstoragescheme (Root Password Storage Scheme)
This attribute sets the encryption method used for the root password.
2.3.1.84. nsslapd-saslpath
Sets the absolute path to the directory containing the Cyrus-SASL SASL2 plug-ins. On HP-UX and Solaris systems, the Directory Server cannot use the system SASL libraries because they are either not provided or are not the correct version. Setting this attribute allows the server to use custom or non-standard SASL plug-in libraries. This is usually set correctly during installation, and Red Hat strongly recommends not changing this attribute. If the attribute is not present or the value is empty, this means the Directory Server is using the system provided SASL plug-in libraries which are the correct version.
If this parameter is set, the server uses the specified path for loading SASL plugins. If this parameter is not set, the server uses the SASL_PATH environment variable. If neither nsslapd-saslpath or SASL_PATH are set, the server attempts to load SASL plugins from the default location, /usr/lib/sasl2.
Changes made to this attribute will not take effect until the server is restarted.
2.3.1.85. nsslapd-schema-ignore-trailing-spaces (Ignore Trailing Spaces in Object Class Names)
Ignores trailing spaces in object class names. By default, the attribute is turned off. If the directory contains entries with object class values that end in one or more spaces, turn this attribute on. It is preferable to remove the trailing spaces because the LDAP standards do not allow them.
For performance reasons, server restart is required for changes to take effect.
An error is returned by default when object classes that include trailing spaces are added to an entry. Additionally, during operations such as add, modify, and import (when object classes are expanded and missing superiors are added) trailing spaces are ignored, if appropriate. This means that even when nsslapd-schema-ignore-trailing-spaces is on, a value such as top is not added if top is already there. An error message is logged and returned to the client if an object class is not found and it contains trailing spaces.
2.3.1.86. nsslapd-schemacheck (Schema Checking)
This attribute sets whether the database schema is enforced when entries are added or modified. When this attribute has a value of on, Directory Server will not check the schema of existing entries until they are modified. The database schema defines the type of information allowed in the database. The default schema can be extended using the object classes and attribute types. For information on how to extend the schema using the Directory Server Console, see the "Extending the Directory Schema" chapter in the Directory Server Administrator's Guide.
CAUTION
Red Hat strongly discourages turning off schema checking. This can lead to severe interoperability problems. This is typically used for very old or non-standard LDAP data that must be imported into the Directory Server. If there are not a lot of entries that have this problem, consider using the extensibleObject object class in those entries to disable schema checking on a per entry basis.
NOTE
Schema checking works by default when database modifications are made using an LDAP client, such as ldapmodify, or when importing a database from LDIF using ldif2db. If schema checking is turned off, every entry has to be verified manually to see that they conform to the schema. If schema checking is turned on, the server sends an error message listing the entries which do not match the schema. Ensure that the attributes and object classes created in the LDIF statements are both spelled correctly and identified in dse.ldif. Either create an LDIF file in the schema directory or add the elements to 99user.ldif.
2.3.1.87. nsslapd-schemadir
This is the absolute path to the directory containing the Directory Server instance-specific schema files. When the server starts up, it reads the schema files from this directory, and when the schema is modified through LDAP tools, the schema files in this directory are updated. This directory must be owned by the server user ID, and that user must have read and write permissions to the directory. The default value is the schema subdirectory of the Directory Server instance-specific configuration directory, /etc/dirsrv/slapd-instance_name/schema.
Changes made to this attribute will not take effect until the server is restarted.
2.3.1.88. nsslapd-schemareplace
Determines whether modify operations that replace attribute values are allowed on the cn=schema entry.
2.3.1.89. nsslapd-securelistenhost
This attribute allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). There can be multiple IP addresses associated with a single hostname, and these IP addresses can be a mix of both IPv4 and IPv6. This parameter can be used to restrict the Directory Server instance to a single IP interface; this parameter also specifically sets what interface to use for SSL/TLS traffic rather than regular LDAP connections.
If a hostname is given as the nsslapd-securelistenhost value, then the Directory Server responds to requests for every interface associated with the hostname. If a single IP interface (either IPv4 or IPv6) is given as the nsslapd-securelistenhost value, Directory Server only responds to requests sent to that specific interface. Either an IPv4 or IPv6 address can be used.
The server has to be restarted for changes to this attribute to go into effect.
2.3.1.90. nsslapd-securePort (Encrypted Port Number)
This attribute sets the TCP/IP port number used for SSL/TLS communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Specifying a port number of less than 1024 requires that Directory Server be started as root. The server sets its uid to the nsslapd-localuser value after startup.
The server only listens to this port if it has been configured with a private key and a certificate, and nsslapd-security is set to on; otherwise, it does not listen on this port.
The server has to be restarted for the port number change to be taken into account.
2.3.1.91. nsslapd-security (Security)
This attribute sets whether the Directory Server is to accept SSL/TLS communications on its encrypted port. This attribute should be set to on for secure connections. To run with security on, the server must be configured with a private key and server certificate in addition to the other SSL/TLS configuration.
2.3.1.92. nsslapd-sizelimit (Size Limit)
This attribute sets the maximum number of entries to return from a search operation. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error.
When no limit is set, ns-slapd returns every matching entry to the client regardless of the number found. To set a no limit value whereby the Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file.
This limit applies to everyone, regardless of their organization.
NOTE
A value of -1 on this attribute in dse.ldif file is the same as leaving the attribute blank in the server console, in that it causes no limit to be used. This cannot have a null value in dse.ldif file, as it is not a valid integer. It is possible to set it to 0, which returns size limit exceeded for every search.
2.3.1.93. nsslapd-ssl-check-hostname (Verify Hostname for Outbound Connections)
This attribute sets whether an SSL-enabled Directory Server should verify authenticity of a request by matching the hostname against the value assigned to the common name (cn) attribute of the subject name (subjectDN field) in the certificate being presented. By default, the attribute is set to on. If it is on and if the hostname does not match the cn attribute of the certificate, appropriate error and audit messages are logged.
For example, in a replicated environment, messages similar to the following are logged in the supplier server's log files if it finds that the peer server's hostname does not match the name specified in its certificate:
[DATE] - SSL alert: ldap_sasl_bind("",LDAP_SASL_EXTERNAL) 81 (Netscape runtime error -12276 -
Unable to communicate securely with peer: requested domain name does not
match the server's certificate.)
[DATE] NSMMReplicationPlugin - agmt="cn=SSL Replication Agreement to host1" (host1.example.com:636):
Replication bind with SSL client authentication failed:
LDAP error 81 (Can't contact LDAP server)
Red Hat recommends turning this attribute on to protect Directory Server's outbound SSL connections against a man in the middle (MITM) attack.
NOTE>
DNS and reverse DNS must be set up correctly in order for this to work; otherwise, the server cannot resolve the peer IP address to the hostname in the subject DN in the certificate.
2.3.1.94. nsslapd-threadnumber (Thread Number)
Defines the number of operation threads that the Directory Server creates at startup. The nsslapd-threadnumber value should be increased if there are many directory clients performing time-consuming operations such as add or modify, as this ensures that there are other threads available for servicing short-lived operations such as simple searches. This value may also need increased if there are many replication agreements or chained backends (database links). This attribute is not available from the server console.
2.3.1.95. nsslapd-timelimit (Time Limit)
This attribute sets the maximum number of seconds allocated for a search request. If this limit is reached, Directory Server returns any entries it has located that match the search request, as well as an exceeded time limit error.
When no limit is set, ns-slapd returns every matching entry to the client regardless of the time it takes. To set a no limit value whereby Directory Server waits indefinitely for the search to complete, specify a value of -1 for this attribute in the dse.ldif file. A value of zero (0) causes no time to be allowed for searches. The smallest time limit is 1 second.
NOTE
A value of -1 on this attribute in thedse.ldif is the same as leaving the attribute blank in the server console in that it causes no limit to be used. However, a negative integer cannot be set in this field in the server console, and a null value cannot be used in the dse.ldif entry, as it is not a valid integer.
This is the absolute path of the directory the server uses for temporary files. The directory must be owned by the server user ID and the user must have read and write access. No other user ID should have read or write acces to the directory. The default value is /tmp.
Changes made to this attribute will not take effect until the server is restarted.
2.3.1.97. nsslapd-versionstring
This attribute sets the server version number. The build data is automatically appended when the version string is displayed.
2.3.1.98. nsslapd-workingdir
This is the absolute path of the directory that the server uses as its current working directory after startup. This is the value that the server would return as the value of the getcwd() function, and the value that the system process table shows as its current working directory. This is the directory a core file is generated in. The server user ID must have read and write access to the directory, and no other user ID should have read or write access to it. The default value for this attribute is the same directory containing the error log, which is usually /var/log/dirsrv/slapd-instance_name.
Changes made to this attribute will not take effect until the server is restarted.
2.3.1.99. passwordChange (Password Change)
Indicates whether users may change their passwords.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.100. passwordCheckSyntax (Check Password Syntax)
This attribute sets whether the password syntax is checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the password minimum length requirement and that the string does not contain any trivial words, such as the user's name or user ID or any attribute value stored in the uid, cn, sn, givenName, ou, or mail attributes of the user's directory entry.
Password syntax includes several different categories for checking:
Minimum number of digit characters (0-9)
Minimum number of ASCII alphabetic characters, both upper- and lower-case
Minimum number of uppercase ASCII alphabetic characters
Minimum number of lowercase ASCII alphabetic characters
Minimum number of special ASCII characters, such as !@#$
Minimum number of 8-bit characters
Maximum number of times that the same character can be immediately repeated, such as aaabbb
Minimum number of character categories required per password; a category can be upper- or lower-case letters, special characters, digits, or 8-bit characters
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.101. passwordExp (Password Expiration)
Indicates whether user passwords expire after a given number of seconds. By default, user passwords do not expire. Once password expiration is enabled, set the number of seconds after which the password expires using the passwordMaxAge attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.102. passwordGraceLimit (Password Expiration)
This attribute is only applicable if password expiration is enabled. After the user's password has expired, the server allows the user to connect for the purpose of changing the password. This is called a grace login. The server allows only a certain number of attempts before completely locking out the user. This attribute is the number of grace logins allowed. A value of 0 means the server does not allow grace logins.
2.3.1.103. passwordHistory (Password History)
Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled, and users can reuse passwords. If this attribute is set to on, the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. Set the number of old passwords the Directory Server stores using the passwordInHistory attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.104. passwordInHistory (Number of Passwords to Remember)
Indicates the number of passwords the Directory Server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled, meaning that the Directory Server does not store any old passwords, and so users can reuse passwords. Enable password history using the passwordHistory attribute.
To prevent users from rapidly cycling through the number of passwords that are tracked, use the passwordMinAge attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.105. passwordIsGlobalPolicy (Password Policy and Replication)
This attribute controls whether password policy attributes are replicated.
2.3.1.106. passwordLockout (Account Lockout)
Indicates whether users are locked out of the directory after a given number of failed bind attempts. By default, users are not locked out of the directory after a series of failed bind attempts. If account lockout is enabled, set the number of failed bind attempts after which the user is locked out using the passwordMaxFailure attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.107. passwordLockoutDuration (Lockout Duration)
Indicates the amount of time in seconds during which users are locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. Enable and disable the account lockout feature using the passwordLockout attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.108. passwordMaxAge (Password Maximum Age)
Indicates the number of seconds after which user passwords expire. To use this attribute, password expiration has to be enabled using the passwordExp attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.109. passwordMaxFailure (Maximum Password Failures)
Indicates the number of failed bind attempts after which a user is locked out of the directory. By default, account lockout is disabled. Enable account lockout by modifying the passwordLockout attribute.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.110. passwordMaxRepeats (Password Syntax)
Maximum number of times the same character can appear sequentially in the password. Zero (0) is off. Integer values reject any password which used a character more than that number of times; for example, 1 rejects characters that are used more than once (aa) and 2 rejects characters used more than twice (aaa).
2.3.1.111. passwordMin8Bit (Password Syntax)
This sets the minimum number of 8-bit characters the password must contain.
NOTE
The 7-bit checking for userPassword must be disabled to use this.
2.3.1.112. passwordMinAge (Password Minimum Age)
Indicates the number of seconds that must pass before a user can change their password. Use this attribute in conjunction with the passwordInHistory (number of passwords to remember) attribute to prevent users from quickly cycling through passwords so that they can use their old password again. A value of zero (0) means that the user can change the password immediately.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.113. passwordMinAlphas (Password Syntax)
This attribute sets the minimum number of alphabetic characters password must contain.
2.3.1.114. passwordMinCategories (Password Syntax)
This sets the minimum number of character categories that are represented in the password. The categories are lower, upper, digit, special, and 8-bit. For example, if the value of this attribute were set to 2, and the user tried to change the password to aaaaa, the server would reject the password because it contains only lower case characters, and therefore contains characters from only one category. A password of aAaAaA would pass because it contains characters from two categories, uppercase and lowercase. The default is 3, which means that if password syntax checking is enabled, valid passwords have to have three categories of characters.
2.3.1.115. PasswordMinDigits (Password Syntax)
This sets the minimum number of digits a password must contain.
2.3.1.116. passwordMinLength (Password Minimum Length)
This attribute specifies the minimum number of characters that must be used in Directory Server user password attributes. In general, shorter passwords are easier to crack. Directory Server enforces a minimum password of eight characters. This is long enough to be difficult to crack but short enough that users can remember the password without writing it down.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.117. PasswordMinLowers (Password Syntax)
This attribute sets the minimum number of lower case letters password must contain.
2.3.1.118. PasswordMinSpecials (Password Syntax)
This attribute sets the minimum number of special, or not alphanumeric, characters a password must contain.
2.3.1.119. PasswordMinTokenLength (Password Syntax)
This attribute sets the smallest attribute value length that is used for trivial words checking. For example, if the PasswordMinTokenLength is set to 3, then a givenName of DJ does not result in a policy that rejects DJ from being in the password, but the policy rejects a password comtaining the givenName of Bob.
2.3.1.120. PasswordMinUppers (Password Syntax)
This sets the minimum number of uppercase letters password must contain.
2.3.1.121. passwordMustChange (Password Must Change)
Indicates whether users must change their passwords when they first bind to the Directory Server or when the password has been reset by the Manager DN.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.122. passwordResetFailureCount (Reset Password Failure Count After)
Indicates the amount of time in seconds after which the password failure counter resets. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the passwordLockout attribute is set to on, users are locked out of the directory when the counter reaches the number of failures specified by the passwordMaxFailure attribute (within 600 seconds by default). After the amount of time specified by the passwordLockoutDuration attribute, the failure counter is reset to zero (0).
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.123. passwordStorageScheme (Password Storage Scheme)
This attribute sets the type of encryption used to store Directory Server passwords.
The following encryption types are supported by the Directory Server:
CLEAR means the password is stored in cleartext, with no hashing or encryption. This scheme must be used in order to use SASL DIGEST-MD5.
SSHA (Salted Secure Hash Algorithm), the default, is the recommended method because it is the most secure. There are several bit sizes available: 140 bits (the default), 256, 384, and 512.
SHA (Secure Hash Algorithm) is included only for backward compatibility with 4.x Directory Servers; do not use this algorithm.
MD5 (Message Digest algorithm 5) is a commonly used standard hashing algorithm.
CRYPT, the UNIX crypt algorithm, is provided for compatibility with UNIX passwords.
NOTE
Passwords cannot be encrypted using the NS-MTA-MD5 password storage scheme. The storage scheme is still present but only for reasons of backward compatibility.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.124. passwordUnlock (Unlock Account)
Indicates whether users are locked out of the directory for a specified amount of time or until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. If this passwordUnlock attribute is set to off and the operational attribute accountUnlockTime has a value of 0, then the account is locked indefinitely.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
2.3.1.125. passwordWarning (Send Warning)
Indicates the number of seconds before a user's password is due to expire that the user receives a password expiration warning control on their next LDAP operation. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.
For more information on password policies, see the "Managing Users and Passwords" chapter in the Directory Server Administrator's Guide.
