Configuration, Command, and File Reference: Netscape Directory Server
The configuration information for Netscape Directory Server (Directory Server) is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server via LDAP while it is still running, thus avoiding the need to shut the server down.
This chapter gives details on how the configuration is organized and how to alter it. The chapter also provides an alphabetical reference for all attributes. The chapter is divided into the following sections:
When you install the Directory Server, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. Note that the latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK.
Many of the features of the Directory Server are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Similarly, database-specific configuration is stored under
cn=ldbm database,cn=plugins,cn=config and cn=chaining database,cn=plugins,cn=config
Figure 2-1 shows how the configuration data fits within the cn=config Directory Information Tree.
The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory:
serverRoot/slapd-serverID/config
Thus, if you specified a server identifier of phonebook, then, in a default installation, your configuration LDIF files are all stored under:
Schema configuration is also stored in LDIF format, and these files are located in the following directory:
serverRoot/slapd-serverID/config/schema
For a full list of the LDIF configuration files that are supplied with Directory Server, see Table 2-3 under Configuration Quick Reference Tables at the end of this chapter.
The dse.ldif file contains all configuration information including directory specific entries created by the directory at server startup, as well as directory specific entries related to the database, also created by the directory at server startup. The file includes the Root DSE (named by "") and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order. It does so in the order that the entries appear in the directory under cn=config.
Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.
Code Example 2-1 gives an example of part of the dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been turned on; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. Code Example 2-2 shows the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
Some of these attributes are common to all plug-ins, and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
For a list of plug-ins supported by Directory Server, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart, see chapter 3, "Plug-in Implemented Server Functionality Reference."
The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases containing the o=NetscapeRoot and o=UserRoot suffixes.
Configuration information for indexing is stored as entries in the Directory Server under the following information-tree nodes:
For more information regarding indexes in general, see Netscape Directory Server Administrator's Guide. For information regarding the index configuration attributes, see Database Attributes under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config. The attributes are presented here because this node is the first to appear in our representation of the configuration attributes that is based on the cn=config information tree.
This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions to the kinds of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect.
When the Directory Server is installed, a default set of Access Control Instructions (ACIs) is implemented for all entries under cn=config. Code Example 2-3 shows an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrators Group"; allow (all)
aci: (targetattr = "*")(version 3.0; acl "Configuration Adminstrator"; allow (all)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Adminstrators Group"; allow (all)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook, cn=Netscape Directory Server, cn=Server Group, cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)
These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:
For more information on Access Control, see the Netscape Directory Server Administrator's Guide.
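Reviewing who holds full rights over cn=config is the first check an administrator makes on these ACIs. The following added example (not part of the original reference) parses ACIs in the syntax shown above and lists every ACI that allows all rights on all attributes; the sample set is constructed and contains the complete SIE Group ACI from this page plus two hypothetical ACIs.

```python
import re

# Constructed sample: the SIE Group ACI shown on this page plus two hypothetical
# ACIs (a read-only helpdesk grant and a deliberately over-broad anonymous grant).
SAMPLE_ACIS = [
    '(targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = '
    '"ldap:///cn=slapd-phonebook, cn=Netscape Directory Server, cn=Server Group, '
    'cn=phonebook.example.com, dc=example,dc=com, o=NetscapeRoot";)',
    '(targetattr = "*")(version 3.0; acl "Helpdesk"; allow (read,search) '
    'groupdn = "ldap:///cn=Helpdesk,ou=Groups,dc=example,dc=com";)',
    '(targetattr = "*")(version 3.0; acl "Anyone"; allow (all) '
    'userdn = "ldap:///anyone";)',
]

# Matches the shape used on this page: (targetattr = "...")(version 3.0; acl "name";
# allow|deny (rights) <bind rule>;)
ACI_RE = re.compile(
    r'\(targetattr\s*=\s*"(?P<targetattr>[^"]*)"\)'
    r'\(version\s*3\.0;\s*acl\s*"(?P<name>[^"]*)";\s*'
    r'(?P<effect>allow|deny)\s*\((?P<rights>[^)]*)\)\s*'
    r'(?P<bindrule>.*?);\)\s*$',
    re.DOTALL,
)


def parse_aci(aci):
    """Split one ACI into target attribute, acl name, effect, rights and bind rule."""
    m = ACI_RE.match(aci.strip())
    if not m:
        raise ValueError("unrecognised ACI syntax: " + aci[:40])
    parsed = m.groupdict()
    parsed["rights"] = [r.strip() for r in parsed["rights"].split(",")]
    parsed["bindrule"] = parsed["bindrule"].strip()
    return parsed


def full_access_grants(acis):
    """Return (acl name, bind rule) for every ACI allowing all rights on every
    attribute; on cn=config this is the list of principals able to reconfigure
    the server, so each bind rule should be a known administrative group."""
    grants = []
    for aci in acis:
        p = parse_aci(aci)
        if p["effect"] == "allow" and "all" in p["rights"] and p["targetattr"] == "*":
            grants.append((p["name"], p["bindrule"]))
    return grants


def anonymous_full_access(acis):
    """Names of full-access ACIs whose bind rule matches anyone (a misconfiguration)."""
    return [name for name, rule in full_access_grants(acis) if "ldap:///anyone" in rule]


if __name__ == "__main__":
    for name, rule in full_access_grants(SAMPLE_ACIS):
        print(f"{name}: {rule}")
    print("anonymous full access:", anonymous_full_access(SAMPLE_ACIS))
```

In practice the input list comes from an ldapsearch for the aci attribute on cn=config, run with the Directory Manager credentials.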
You can view and change server attribute values in one of three ways. You make the changes by using LDAP through Netscape Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
Note: If you edit the dse.ldif file, you must stop the server beforehand; otherwise, your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Configuration Changes Requiring Server Restart for further information.
The following sections describe how to modify entries using LDAP (both via Netscape Console and over the command-line), the restrictions to modifying entries, the restrictions to modifying attributes, and the configuration changes requiring restart.
The configuration entries in the directory can be searched and modified using LDAP either via the Netscape Console or by performing ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that you can make the changes while the server is running. You must remember to specify the port number when modifying configuration entries since the server is not necessarily running on port 389. For further information, see chapter 2, "Creating Directory Entries," in the Netscape Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. See Configuration Changes Requiring Server Restart for further information.
Note: As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree as this risks affecting Directory Server functionality.
The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:
ldapsearch -b cn=config -D bindDN -w password
where bindDN is the DN chosen for the Directory Manager when the server was installed and password is the password chosen for Directory Manager. For more information on using ldapsearch, see ldapsearch.
Previously, we saw an example of the configuration entry for the Telephone Syntax plug-in where the plug-in is enabled. If you wanted to disable this feature, you might use the following series of commands to implement this change.
Certain restrictions apply when modifying server entries and attributes:
Some configuration attributes cannot be altered dynamically while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Table 2-4 under Configuration Quick Reference Tables at the end of this chapter contains a list of these attributes.
This section contains reference information on the configuration attributes that are relevant to the core server functionality. For information on changing server configuration, see Accessing and Modifying Server Configuration. For a list of server features that are implemented as plug-ins, see section Server Plug-in Functionality Reference. For implementing your own server functionality, contact Netscape Professional Services.
The configuration information stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config, as shown in Figure 2-2.
The list of configuration tree nodes covered in this section are as follows:
The cn=plugins node is covered in chapter 3, "Plug-in Implemented Server Functionality Reference." The description of each attribute contains details such as the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Note: Some of the entries and attributes described in this chapter may change in future releases of the product.
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.
Turns access control on and off. If this attribute has the value off, then any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.
Specifies the path and filename of the log used to record each database access. The following information is recorded by default in the log file:
For more information on turning access logging off, see chapter 12, "Monitoring Server and Database Activity," in the Netscape Directory Server Administrator's Guide.
For access logging to be enabled, this attribute must have a valid path and filename, and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
nsslapd-accesslog-logging-enabled | nsslapd-accesslog | Access logging
on | a valid path and filename | enabled
on | empty | disabled
off | a valid path and filename | disabled
off | empty | disabled
Example: nsslapd-accesslog: /usr/netscape/servers/slapd-phonebook/logs/access
Controls what is logged to the access log.
This read-only attribute, which cannot be set, provides a list of access log files used in access log rotation.
When set to off, the server writes all access log entries directly to disk.
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Specifies the units for nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
Disables and enables accesslog logging but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on, and the nsslapd-accesslog configuration attribute must have a valid path and filename. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
nsslapd-accesslog-logging-enabled | nsslapd-accesslog | Access logging
on | a valid path and filename | enabled
on | empty | disabled
off | a valid path and filename | disabled
off | empty | disabled
Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
Valid range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the access log is unlimited in size.
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
Specifies whether access log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For access log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate access log files every day at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-accesslog-logrotationsynchour and nsslapd-accesslog-logrotationsyncmin attributes to 0.
Specifies the hour of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsyncmin attributes.
Specifies the minute of the day for rotating access logs. This attribute must be used in conjunction with nsslapd-accesslog-logrotationsync-enabled and nsslapd-accesslog-logrotationsynchour attributes.
Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
Although it is not recommended for performance reasons to specify no log rotation since the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first, and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files) for more information.
Valid range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited.
Specifies the units for the nsslapd-accesslog-logrotationtime attribute.
Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That means the server starts writing log information to a new log file. If you set nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
Valid range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.
Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, then each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1 because the server will not rotate the log, and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, then there is no log rotation. See nsslapd-accesslog-logrotationtime (Access Log Rotation Time) for more information.
Specifies the access mode or file permission with which access log files are to be created. The valid values are any combination of 000 to 777 since they mirror numbered or absolute UNIX file permissions. The value must be a combination of a 3-digit number, the digits varying from 0 through 7:
0 - None
1 - Execute only
2 - Write only
3 - Write and execute
4 - Read only
5 - Read and execute
6 - Read and write
7 - Read, write, and execute
In the 3-digit number, the first digit represents the owner's permissions, the second digit represents the group's permissions, and the third digit represents everyone's permissions. When changing the default value, keep in mind that 000 will not allow access to the logs and that allowing write permissions to everyone can result in the logs being overwritten or deleted by anyone.
The newly configured access mode will only affect new logs that are created; the mode will be set when the log rotates to a new file.
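The enable/disable table, the rotation rule (nsslapd-accesslog-maxlogsperdir checked before nsslapd-accesslog-logrotationtime) and the mode digits above are easy to get wrong in a hand-edited dse.ldif. The following added example (not code from this reference) reads a single cn=config entry in the one-attribute-per-line form shown on this page and reports the three conditions described above; the sample entry is constructed, and the fallback values used for absent attributes are assumptions, not the server's documented defaults.

```python
# Constructed dse.ldif-style cn=config fragment (not from a real server).
SAMPLE_CONFIG = """\
dn: cn=config
nsslapd-accesslog: /usr/netscape/servers/slapd-phonebook/logs/access
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog-maxlogsperdir: 1
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-mode: 666
"""


def parse_config_entry(ldif_text):
    """Minimal single-entry LDIF reader: one 'attr: value' per line.
    Attribute names are case-insensitive in LDAP, so they are lower-cased."""
    attrs = {}
    for line in ldif_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()] = value.strip()
    return attrs


def access_logging_enabled(attrs):
    """The four-way table for nsslapd-accesslog / nsslapd-accesslog-logging-enabled:
    logging is on only when the switch is on AND a log path is configured."""
    switch_on = attrs.get("nsslapd-accesslog-logging-enabled", "").lower() == "on"
    return switch_on and attrs.get("nsslapd-accesslog", "") != ""


def rotation_disabled(attrs):
    """Server order described above: maxlogsperdir is checked first; only when it
    is larger than 1 does logrotationtime (-1 = never) matter.
    Fallback values for absent attributes are assumed here, not documented defaults."""
    if int(attrs.get("nsslapd-accesslog-maxlogsperdir", "10")) == 1:
        return True
    return int(attrs.get("nsslapd-accesslog-logrotationtime", "1")) == -1


def mode_findings(attrs):
    """Decode the 3-digit owner/group/everyone mode and flag the two cases the
    reference warns about: 000 (no access) and write permission beyond the owner."""
    mode = attrs.get("nsslapd-accesslog-mode", "600")  # assumed fallback
    if not (len(mode) == 3 and all(c in "01234567" for c in mode)):
        return ["invalid nsslapd-accesslog-mode value " + mode]
    owner, group, other = (int(c) for c in mode)
    findings = []
    if mode == "000":
        findings.append("mode 000: nobody can read the access logs")
    if (group & 2) or (other & 2):  # 2 is the write bit in each digit
        findings.append("access log writable by group or everyone: logs can be "
                        "overwritten or deleted")
    return findings


def audit(ldif_text):
    """Return the list of findings for one cn=config entry (empty means clean)."""
    attrs = parse_config_entry(ldif_text)
    findings = []
    if not access_logging_enabled(attrs):
        findings.append("access logging disabled")
    if rotation_disabled(attrs):
        findings.append("no log rotation: access log grows indefinitely")
    findings.extend(mode_findings(attrs))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```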
Allows non-standard characters in attribute names to be used for backwards compatibility with older servers.
Specifies the pathname and filename of the log used to record changes made to each database.
Example: nsslapd-auditlog: /usr/netscape/servers/slapd-phonebook/logs/audit
For audit logging to be enabled, this attribute must have a valid path and file name, and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Audit logging
on | a valid path and filename | enabled
on | empty | disabled
off | a valid path and filename | disabled
off | empty | disabled
Specifies the maximum age that a log file is allowed to be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, then the log will never expire.
Turns audit logging on and off.
For audit logging to be enabled, this attribute must be switched to on, and the nsslapd-auditlog configuration attribute must have a valid path and file name. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-logging-enabled | nsslapd-auditlog | Audit logging
on | a valid path and filename | enabled
on | empty | disabled
off | a valid path and filename | disabled
off | empty | disabled
Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.
Valid range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size.
Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.
Specifies whether audit log rotation is to be synchronized with a particular time of the day. Synchronizing log rotation this way enables you to generate log files at a specified time during a day, such as midnight to midnight every day. This makes analysis of the log files much easier because they then map directly to the calendar.
For audit log rotation to be synchronized with time-of-day, this attribute must be enabled with the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attribute values set to the hour and minute of the day for rotating log files.
For example, to rotate audit log files every day at midnight, enable this attribute by setting its value to on and then set the values of the nsslapd-auditlog-logrotationsynchour and nsslapd-auditlog-logrotationsyncmin attributes to 0.
Specifies the hour of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsyncmin attributes.
Default: None (because nsslapd-auditlog-logrotationsync-enabled is off)
Specifies the minute of the day for rotating audit logs. This attribute must be used in conjunction with nsslapd-auditlog-logrotationsync-enabled and nsslapd-auditlog-logrotationsynchour attributes.
Default: None (because nsslapd-auditlog-logrotationsync-enabled is off)
Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.
Although it is not recommended for performance reasons to specify no log rotation, as the log will grow indefinitely, you have two ways of specifying this. Either you set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first, and, if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files) for more information.
Valid range: -1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited.
Specifies the units for the nsslapd-auditlog-logrotationtime attribute.
Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That means the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.