iPlanet Directory Server Configuration, Command, and File Reference



Chapter 2   Core Server Configuration Reference


The configuration information for iPlanet Directory Server 5.1 is stored as LDAP entries within the directory itself. Therefore, changes to the server configuration must be implemented through the use of the server itself rather than by simply editing configuration files. The principal advantage of this method of configuration storage is that it allows a directory administrator to reconfigure the server via LDAP while it is still running, and avoids having to shut it down.

This chapter gives details of how the configuration is organized, how to alter it, and provides an alphabetical reference for all attributes. The material is divided into the following sections:



Server Configuration - Overview

When you install the iPlanet Directory Server 5.1, its default configuration is stored as a series of LDAP entries within the directory, under the subtree cn=config. When the server is started, the contents of the cn=config subtree are read from a file in LDIF format: dse.ldif. This dse.ldif file contains all of the server configuration information. It is worth noting that the latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK. Many of the features of the iPlanet Directory Server 5.1 are designed as discrete modules that plug into the core server. The details of the internal configuration for each plug-in are contained in separate entries under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax plug-in is contained in the entry:

cn=Telephone Syntax,cn=plugins,cn=config

Similarly, database-specific configuration is stored under:

cn=ldbm database,cn=plugins,cn=config and cn=chaining database,cn=plugins,cn=config

The following diagram shows how the configuration data fits within the cn=config Directory Information Tree.



This overview is divided into the following sections:


LDIF Configuration Files - Location

The Directory Server configuration data is automatically output to files in LDIF format that are located in the following directory by default:

Solaris 9 platform

/var/ds5/slapd-serverID/config

Other platforms

/usr/iplanet/servers/slapd-serverID/config

where serverID is the server identifier that you defined when you installed your Directory Server. In this chapter, all examples use phonebook for the server identifier where appropriate.


Schema Configuration Files - Location

Schema configuration is also stored in LDIF format and these files are located in the following directory:

Solaris 9 platform

/var/ds5/slapd-serverID/config/schema

Other platforms

/usr/iplanet/servers/slapd-serverID/config/schema

For a full list of the LDIF configuration files that are supplied with Directory Server, see Table 2-7 under Configuration Quick Reference Tables at the end of this chapter.


How the Server Configuration is Organized

The dse.ldif file contains all configuration information, including directory-specific entries created by the directory at server startup and directory-specific entries related to the database, also created by the directory at server startup. The file includes the Root DSE (named by "") and the entire contents of cn=config. When the server generates the dse.ldif file, it lists the entries in hierarchical order, that is, in the order in which the entries appear in the directory under cn=config.

This section provides an overview of configuration attributes, plug-in functionality configuration, database configuration, and index configuration.


Configuration Attributes

Within a configuration entry, each attribute is represented as an attribute name. The value of the attribute corresponds to the attribute's configuration.

The following code example shows part of the dse.ldif file for a Directory Server. Among other things, it shows that schema checking has been turned on: this is represented by the attribute nsslapd-schemacheck, which takes the value on.

Code Example 2-1    Extract of dse.ldif File

dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: on
nsslapd-localhost: phonebook.siroe.com
nsslapd-errorlog: installDir/slapd-phonebook/logs/errors
nsslapd-schemacheck: on
nsslapd-store-state-info: on
nsslapd-port: 389
nsslapd-localuser: nobody
...


Configuration of Plug-in Functionality

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config. The following code example shows the configuration entry for a plug-in, in this case the Telephone Syntax plug-in.

Code Example 2-2    Configuration Entry for Telephone Syntax Plug-in

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: installDir/lib/syntax-plug-in.so
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins and some may be particular to a specific plug-in. You can check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.

For a list of plug-ins supported by iPlanet Directory Server 5.1, general plug-in configuration information, the plug-in configuration attribute reference, and a list of plug-ins requiring restart see Chapter 3 "Plug-in Implemented Server Functionality Reference".


Configuration of Databases

The cn=NetscapeRoot and cn=UserRoot subtrees contain configuration data for the databases containing the o=NetscapeRoot and o=UserRoot suffixes respectively. The cn=NetscapeRoot subtree contains the configuration data used by the iPlanet Administration Server for authentication and for all actions that cannot be performed through LDAP (such as start/stop). The cn=UserRoot subtree contains all the configuration data for the first user-defined database created during server installation. The name UserRoot is only the default; it is not hard-coded, and because a server can hold multiple database instances, each database added later is given a name chosen by the user at the time it is created.


Configuration of Indexes

Configuration information for indexing is stored as entries in the Directory Server under the three following information tree nodes:

  • cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config

  • cn=index,cn=UserRoot,cn=ldbm database,cn=plugins,cn=config

  • cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config

For more information regarding indexes in general, see the iPlanet Directory Server Administrator's Guide and for information regarding the index configuration attributes, see "Database Attributes Under cn=default indexes,cn=config,cn=ldbm database, cn=plugins,cn=config" on page 153. The attributes are presented here because this node is the first to appear in the representation of the configuration attributes based on the cn=config information tree.


Migration of Pre-Directory Server 5.1 Configuration Files to LDIF Format

The iPlanet Directory Server 5.1 only recognizes configuration files that are in LDIF format, which means that the slapd.conf and slapd.ldbm.conf configuration files from 4.x versions of Netscape Directory Server must be converted to LDIF format. Netscape Directory Server 4.x configurations can be migrated to the new LDIF format using the migrateInstance5 tool. For more information, see Chapter 5, "Migrating From Previous Versions" in the iPlanet Directory Server Installation Guide and the Innosoft Distributed Directory Server Transition Guide.



Accessing and Modifying Server Configuration



This section discusses access control for configuration entries and describes the various ways in which the server configuration can be viewed and modified. It also covers restrictions on the types of modification that can be made and discusses attributes that require the server to be restarted for changes to take effect. This section has been divided into the following parts:


Access Control For Configuration Entries

When the Directory Server is installed, a default set of Access Control Instructions (ACIs) is implemented for all entries under cn=config. Code Example 2-3 shows an example of these default ACIs.

Code Example 2-3    Default ACIs in dse.ldif

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group";
 allow (all)
 groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)

aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator";
 allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)

aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group";
 allow (all)
 groupdn = "ldap:///ou=Directory Administrators,dc=Siroe,dc=com";)

aci: (targetattr = "*")(version 3.0; acl "SIE Group";
 allow (all)
 groupdn = "ldap:///cn=slapd-phonebook,cn=Netscape Directory Server,cn=Server Group,cn=phonebook.siroe.com,dc=Siroe,dc=com,o=NetscapeRoot";)


These default ACIs allow all LDAP operations to be carried out on all configuration attributes by the following users:

  • Members of the Configuration Administrators Group

  • The user acting as the Administrator, whose uid is admin by default and can be configured at installation time

  • Members of the local Directory Administrators Group

  • The local Directory Administrator (root DN)

  • The SIE (Server Instance Entry) Group that is usually assigned using the Set Access Permissions from the main topology view in the main console.

For more information on Access Control, see Chapter 5 of the iPlanet Directory Server Administrator's Guide.


Changing Configuration Attributes

You can view and change server attribute values in one of three ways: by using LDAP through iPlanet Console, by performing ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.



Note If you edit the dse.ldif file, you must stop the server beforehand, otherwise your changes will be lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. For further information, see "Configuration Changes Requiring Server Restart".



The following sections describe how to modify entries using LDAP (both via iPlanet Console and over the command line), the restrictions to modifying entries, the restrictions to modifying attributes and the configuration changes requiring restart.


Modifying Configuration Entries Using LDAP

The configuration entries in the directory can be searched and modified using LDAP, either via the iPlanet Console or by performing ldapsearch and ldapmodify operations in the same way as other Directory entries. The advantage of using LDAP to modify entries is that you can make the changes while the server is running. You must remember to specify the port number when modifying configuration entries as the server is not necessarily running on port 389. For further information see Chapter 4, "Managing Directory Entries" in the iPlanet Directory Server Administrator's Guide. However, certain changes do require the server to be restarted before they are taken into account. For further information, see "Configuration Changes Requiring Server Restart".



Note As with any set of configuration files, care should be taken when changing or deleting nodes in the cn=config subtree, as this risks affecting iPlanet Directory Server functionality.



The entire configuration, including attributes that always take default values, can be viewed by performing an ldapsearch operation on the cn=config subtree:


ldapsearch -p port -b cn=config -D bindDN -w password "objectclass=*"

where port is the port the server is listening on, bindDN is the DN chosen for the Directory Manager when the server was installed, and password is the password chosen for Directory Manager. The "objectclass=*" filter matches every entry under the search base. For more information on using ldapsearch see Chapter 7 "Command-Line Utilities."

Code Example 2-2 shows the configuration entry for the Telephone Syntax plug-in with the plug-in enabled. If you want to disable this plug-in, you can use the following ldapmodify command, which reads the LDIF change record from standard input.

Code Example 2-4    Disabling the Telephone Syntax Plug-in


ldapmodify -p port -D bindDN -w password
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off


Restrictions to Modifying Configuration Entries

Certain restrictions apply when modifying server entries:

  • The dse.ldif cn=monitor entry and its child entries are read-only and cannot be modified.


Restrictions to Modifying Configuration Attributes

Certain restrictions apply when modifying server attributes:

  • If an attribute that the server does not recognize is added to cn=config, the server ignores it.

  • If an invalid value is entered for an attribute, the server will ignore it.

  • Since ldapdelete is used for deleting entire entries, you should use ldapmodify if you want to remove an attribute from an entry.


Configuration Changes Requiring Server Restart

Some configuration attributes cannot be altered dynamically while the server is running. In these cases the server needs to be shut down and restarted for the changes to take effect. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file. Table 2-8 under Configuration Quick Reference Tables at the end of this chapter contains a list of these attributes.



Core Server Configuration Attributes Reference



This section guides you through all the core server functionality configuration attributes. For server functionality implemented via plug-ins, see the section "Configuration Quick Reference Tables". For implementing your own server functionality, contact iPlanet Professional Services.

For information on where to find the server configuration and how to change it, see "Server Configuration - Overview" and "Accessing and Modifying Server Configuration". For a list of the server features that are plug-ins and the attributes that apply to them, see Table 2-1, under Configuration Quick Reference Tables at the end of this chapter.

The configuration information which is stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config as shown below:



The list of configuration tree nodes covered in this section is as follows:

  • cn=config

  • cn=changelog5

  • cn=encryption

  • cn=features

  • cn=mapping tree

  • cn=monitor

  • cn=replica

  • cn=replication

  • cn=SNMP

  • cn=tasks

  • cn=uniqueid generator

The cn=plugins node is covered in the "Configuration Quick Reference Tables" section. We arrange the attributes alphabetically and provide a full description for each, giving the DN of its directory entry, its default value, the valid range of values, and an example of its use.



Caution

Some of the entries and attributes described in this chapter may change in future releases of the product.




cn=config

General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.


nsIdleTimeout (Idle Timeout)

Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections.

Entry DN

cn=config

Valid Range

0 to the maximum 32 bit integer value (2147483647)

Default Value

0

Syntax

Integer

Example

nsIdleTimeout: 0


nsslapd-accesscontrol (Enable Access Control)

Turns access control on and off. If this attribute has a value off, any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesscontrol: off


nsslapd-accesslog (Access Log)

Specifies the path and filename of the log used to record each database access. The following information is recorded in the log file by default:

  • IP address of the client machine that accessed the database

  • operations performed (for example, search, add, modify)

  • result of the access (for example, the number of entries returned)

For more information on turning access logging off, see Chapter 13, "Monitoring Logging and Statistics" in the iPlanet Directory Server Administrator's Guide.

For access logging to be enabled, this attribute must have a valid path and file name and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.


Table 2-1    Possible Value Combinations of Access Log Attributes

Attribute Pair                       Value Pair      Logging Status

nsslapd-accesslog-logging-enabled    on              Disabled
nsslapd-accesslog                    empty string

nsslapd-accesslog-logging-enabled    on              Enabled
nsslapd-accesslog                    filename

nsslapd-accesslog-logging-enabled    off             Disabled
nsslapd-accesslog                    empty string

nsslapd-accesslog-logging-enabled    off             Disabled
nsslapd-accesslog                    filename

Entry DN

cn=config

Valid Range

Any valid filename.

Default Value

installDir/slapd-serverID/logs/access

Syntax

DirectoryString

Solaris 9 Example

nsslapd-accesslog: /var/ds5/slapd-serverID/logs/access

Other Platform Example

nsslapd-accesslog: /usr/iplanet/servers/slapd-serverID/logs/access


nsslapd-accesslog-level

Controls what is logged to the access log.

Entry DN

cn=config

Valid Range

0—No access logging

4—Logging for internal access operations

256—Logging for access to an entry

512—Logging for access to an entry and referrals.

These values can be added together to provide you with the exact type of logging you require, for example 516 (4 + 512) to obtain internal access operation, entry access and referral logging.

Default Value

256

Syntax

Integer

Example

nsslapd-accesslog-level: 256


nsslapd-accesslog-list

This read-only attribute cannot be set. It provides a list of access log files used in access log rotation.

Entry DN

cn=config

Valid Range

N/A

Default Value

None

Syntax

DirectoryString

Example

nsslapd-accesslog-list: accesslog2,accesslog3


nsslapd-accesslog-logbuffering (Log Buffering)

When set to off, the server writes all access log entries directly to disk.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesslog-logbuffering: off


nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)

Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-accesslog-logexpirationtime: 2


nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)

Specifies the unit for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.

Entry DN

cn=config

Valid Range

month | week | day

Default Value

month

Syntax

DirectoryString

Example

nsslapd-accesslog-logexpirationtimeunit: week


nsslapd-accesslog-logging-enabled (Access Log Enable Logging)

Enables and disables access logging, but only in conjunction with the nsslapd-accesslog attribute, which specifies the path and filename of the log used to record each database access.

For access logging to be enabled, this attribute must be switched to on and the nsslapd-accesslog configuration attribute must have a valid path and filename. Table 2-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.

Entry DN

cn=config

Valid Range

on | off

Default Value

on

Syntax

DirectoryString

Example

nsslapd-accesslog-logging-enabled: off


nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)

Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647)

Default Value

500 (A value of -1 means that the disk space allowed to the access log is unlimited in size).

Syntax

Integer

Example

nsslapd-accesslog-logmaxdiskspace: 200


nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)

Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

nsslapd-accesslog-logminfreediskspace: 4


nsslapd-accesslog-logrotationtime (Access Log Rotation Time)

Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.

For performance reasons, it is not recommended to specify no log rotation as the log will grow indefinitely. However, you have two ways of specifying this. Either you set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See "nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)" on page 40 for more information.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between access log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-accesslog-logrotationtime: 100


nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)

Specifies the units for the nsslapd-accesslog-logrotationtime attribute.

Entry DN

cn=config

Valid Range

month | week | day | hour | minute

Default Value

day

Syntax

DirectoryString

Example

nsslapd-accesslog-logrotationtimeunit: week


nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)

Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set the nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-accesslog-maxlogsize: 100


nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)

Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, then the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1, as the server will not rotate the log and it will grow indefinitely.

If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, there is no log rotation. For more information, see "nsslapd-accesslog-logrotationtime (Access Log Rotation Time)" on page 38.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

10

Syntax

Integer

Example

nsslapd-accesslog-maxlogsperdir: 10
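To make the interaction between the nsslapd-accesslog-* rotation and retention attributes concrete, here is an added Python model (example code, not part of the iPlanet product): rotation_triggers applies the check order described above (nsslapd-accesslog-maxlogsperdir first, then nsslapd-accesslog-logrotationtime and nsslapd-accesslog-maxlogsize), and logs_to_delete applies the count, expiration, disk-space and free-space limits to a constructed list of rotated logs. The 30-day month, the assumption that the active log counts toward maxlogsperdir but is never deleted, and the order in which the retention limits are applied are my assumptions, not statements from the reference.

```python
"""Model of the access log rotation and retention rules for the
nsslapd-accesslog-* attributes. Added example, not iPlanet code: the
attribute semantics follow the reference text; helper names, the 30-day
month and the order of the retention checks are assumptions."""
from dataclasses import dataclass

# Seconds per unit; the reference leaves the month length unspecified,
# so 30 days is assumed here.
UNIT_SECONDS = {"minute": 60, "hour": 3600, "day": 86400,
                "week": 7 * 86400, "month": 30 * 86400}


@dataclass
class AccessLogConfig:
    """Field defaults are the documented default values."""
    maxlogsperdir: int = 10
    logrotationtime: int = 1          # -1 = no time-based rotation
    logrotationtimeunit: str = "day"
    maxlogsize: int = 100             # MB, -1 = unlimited
    logmaxdiskspace: int = 500        # MB, -1 = unlimited
    logminfreediskspace: int = 5      # MB
    logexpirationtime: int = 1
    logexpirationtimeunit: str = "month"


def rotation_triggers(cfg):
    """Conditions that cause the access log to rotate, following the check
    order in the reference: nsslapd-accesslog-maxlogsperdir is examined
    first, and when it is 1 both the time interval and the size limit are
    ignored. An empty result means the log is never rotated."""
    if cfg.maxlogsperdir <= 1:
        return {}
    triggers = {}
    if cfg.logrotationtime != -1:
        unit = UNIT_SECONDS.get(cfg.logrotationtimeunit)
        if unit is not None:
            triggers["interval_seconds"] = cfg.logrotationtime * unit
    if cfg.maxlogsize != -1:
        triggers["max_size_mb"] = cfg.maxlogsize
    return triggers


def logs_to_delete(cfg, rotated_logs, free_mb):
    """Which rotated logs the retention settings remove.

    rotated_logs: list of (name, age_seconds, size_mb), oldest first, not
    including the active log (assumed to count toward maxlogsperdir but
    never to be deleted). free_mb: free space on the log file system.
    Returns the names deleted, oldest first."""
    remaining = list(rotated_logs)
    deleted = []

    def drop_oldest():
        nonlocal free_mb
        name, _age, size = remaining.pop(0)
        deleted.append(name)
        free_mb += size

    # nsslapd-accesslog-maxlogsperdir: the count includes the active log.
    while remaining and len(remaining) + 1 > cfg.maxlogsperdir:
        drop_oldest()
    # nsslapd-accesslog-logexpirationtime(unit): an unknown unit means the
    # log never expires, as the reference states.
    unit = UNIT_SECONDS.get(cfg.logexpirationtimeunit)
    if unit is not None:
        max_age = cfg.logexpirationtime * unit
        while remaining and remaining[0][1] > max_age:
            drop_oldest()
    # nsslapd-accesslog-logmaxdiskspace: -1 is unlimited.
    if cfg.logmaxdiskspace != -1:
        while remaining and sum(s for _, _, s in remaining) > cfg.logmaxdiskspace:
            drop_oldest()
    # nsslapd-accesslog-logminfreediskspace: free the oldest until satisfied.
    while remaining and free_mb < cfg.logminfreediskspace:
        drop_oldest()
    return deleted


if __name__ == "__main__":
    # Constructed sample: three rotated logs of 60 MB each, oldest first.
    sample = [("access.20020101", 40 * 86400, 60),
              ("access.20020201", 10 * 86400, 60),
              ("access.20020301", 2 * 86400, 60)]
    cfg = AccessLogConfig(maxlogsperdir=3, logmaxdiskspace=100)
    print("rotation triggers:", rotation_triggers(cfg))
    print("deleted:", logs_to_delete(cfg, sample, free_mb=50))
    print("maxlogsperdir=1 never rotates:",
          rotation_triggers(AccessLogConfig(maxlogsperdir=1)) == {})
```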


nsslapd-attribute-name-exceptions

Allows non-standard characters in attribute names to be used for backwards compatibility with older servers.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-attribute-name-exceptions: on


nsslapd-auditlog (Audit Log)

Specifies the pathname and filename of the log used to record changes made to each database.

Entry DN

cn=config

Valid Range

Any valid filename

Default Value

installDir/slapd-serverID/logs/audit

Syntax

DirectoryString

Solaris 9 Example

nsslapd-auditlog: /var/ds5/slapd-serverID/logs/audit

Other Platform Example

nsslapd-auditlog: /usr/iplanet/servers/slapd-serverID/logs/audit

For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. The table below lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.


Table 2-2    Possible Value Combinations of Audit Log Attributes

Attribute Pair                      Value Pair      Logging Status

nsslapd-auditlog-logging-enabled    on              Disabled
nsslapd-auditlog                    empty string

nsslapd-auditlog-logging-enabled    on              Enabled
nsslapd-auditlog                    filename

nsslapd-auditlog-logging-enabled    off             Disabled
nsslapd-auditlog                    empty string

nsslapd-auditlog-logging-enabled    off             Disabled
nsslapd-auditlog                    filename
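The following Python script is an added example, not iPlanet code: it parses a constructed dse.ldif extract of the kind shown in Code Example 2-1 (including a wrapped aci value with LDIF continuation lines) and reports the settings a defender would check first: nsslapd-accesscontrol set to off, schema checking off, and access or audit logging disabled according to the rules of Table 2-1 and Table 2-2. The helper names, the DEFAULTS table (taken from the documented default values) and the sample entry are mine; the parser handles only "attr: value" lines, continuation lines and comments, not "::" base64 values.

```python
"""Security check over a dse.ldif extract. Added example, not iPlanet
code: it reads the LDIF form shown in Code Example 2-1 and applies the
enabling rules of Table 2-1 and Table 2-2 and the nsslapd-accesscontrol
caveat. Helper names and the sample entry are mine; the parser handles
only 'attr: value' lines, continuation lines and comments, not '::' base64."""

# Documented defaults, used when an attribute is absent from the extract.
DEFAULTS = {
    "nsslapd-accesscontrol": "on",
    "nsslapd-schemacheck": "on",
    "nsslapd-accesslog-logging-enabled": "on",
    "nsslapd-accesslog": "installDir/slapd-serverID/logs/access",
    "nsslapd-auditlog-logging-enabled": "off",
    "nsslapd-auditlog": "installDir/slapd-serverID/logs/audit",
}


def parse_ldif(text):
    """Return {dn: {attribute_lowercase: [values]}}. A line beginning with
    a space continues the previous line, as in the wrapped aci values."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    entries, current = {}, None
    for line in logical:
        if not line.strip():
            current = None          # a blank line ends the entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def setting(entry, attr):
    """First value of attr, or its documented default when absent. A
    present-but-empty value stays empty (the 'empty string' table rows)."""
    values = entry.get(attr)
    return values[0] if values else DEFAULTS[attr]


def logging_enabled(entry, log):
    """Tables 2-1 / 2-2: enabled only when the *-logging-enabled flag is
    on AND the log path is a non-empty filename."""
    flag = setting(entry, f"nsslapd-{log}log-logging-enabled").lower() == "on"
    path = setting(entry, f"nsslapd-{log}log") != ""
    return flag and path


def audit_config(entries):
    """Findings from the cn=config entry, most severe first."""
    cfg = entries.get("cn=config", {})
    findings = []
    if setting(cfg, "nsslapd-accesscontrol").lower() == "off":
        findings.append("nsslapd-accesscontrol off: any successful bind, "
                        "anonymous included, gets full access")
    if setting(cfg, "nsslapd-schemacheck").lower() != "on":
        findings.append("nsslapd-schemacheck off")
    if not logging_enabled(cfg, "access"):
        findings.append("access logging disabled")
    if not logging_enabled(cfg, "audit"):
        findings.append("audit logging disabled: changes are not recorded")
    return findings


# Constructed extract: the access log flag is on but the path is empty
# (first row of Table 2-1), and access control has been switched off.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesscontrol: off
nsslapd-accesslog-logging-enabled: on
nsslapd-accesslog:
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog: /var/ds5/slapd-phonebook/logs/audit
nsslapd-schemacheck: on
nsslapd-port: 389
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group";
 allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,
 ou=TopologyManagement,o=NetscapeRoot";)

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
nsslapd-pluginEnabled: on
"""

if __name__ == "__main__":
    for finding in audit_config(parse_ldif(SAMPLE_DSE_LDIF)):
        print("FINDING:", finding)
```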


nsslapd-auditlog-list

Provides a list of audit log files.

Entry DN

cn=config

Valid Range

N/A

Default Value

None

Syntax

DirectoryString

Example

nsslapd-auditlog-list: auditlog2,auditlog3


nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)

Specifies the maximum age that a log file can be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-logexpirationtime: 1


nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)

Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.

Entry DN

cn=config

Valid Range

month | week | day

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditlog-logexpirationtimeunit: day


nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)

Turns audit logging on and off.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-auditlog-logging-enabled: off

For audit logging to be enabled, this attribute must be switched to on and the nsslapd-auditlog configuration attribute must have a valid path and filename. Table 2-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.


nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)

Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.

When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the disk space allowed to the audit log is unlimited in size.

Default Value

500

Syntax

Integer

Example

nsslapd-auditlog-logmaxdiskspace: 500


nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)

Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.

Entry DN

cn=config

Valid Range

1 to the maximum 32 bit integer value (2147483647)

Default Value

5

Syntax

Integer

Example

nsslapd-auditlog-logminfreediskspace: 3


nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)

Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.

For performance reasons, it is not recommended to specify no log rotation, as the log will grow indefinitely. However, you have two ways of specifying this. Either you set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-auditlog-logrotationtime attribute. See "nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)" on page 46 for more information.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647), where a value of -1 means that the time between audit log file rotation is unlimited.

Default Value

1

Syntax

Integer

Example

nsslapd-auditlog-logrotationtime: 100


nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)

Specifies the units for the nsslapd-auditlog-logrotationtime attribute.

Entry DN

cn=config

Valid Range

month | week | day | hour | minute

Default Value

week

Syntax

DirectoryString

Example

nsslapd-auditlog-logrotationtimeunit: day


nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)

Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.

When setting a maximum log size, consider the total number of log files that can be created through log file rotation. Also remember that the Directory Server maintains three separate log files (access log, audit log, and error log), each of which consumes disk space. Weigh these considerations against the total amount of disk space that you want the audit log to use.

Entry DN

cn=config

Valid Range

-1 | 1 to the maximum 32 bit integer value (2147483647) where a value of -1 means the log file is unlimited in size.

Default Value

100

Syntax

Integer

Example

nsslapd-auditlog-maxlogsize: 50


nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)

Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files in the audit log directory exceeds the value of this attribute, the oldest log file is deleted. The default is 1 log. If you accept this default, the server does not rotate the log and it grows indefinitely.

If the value of this attribute is greater than 1, check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is actually in effect: if nsslapd-auditlog-logrotationtime has a value of -1, there is no time-based log rotation. See "nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)" for more information.

Entry DN

cn=config

Valid range

1 to the maximum 32 bit integer value (2147483647)

Default value

1

Syntax

Integer

Example

nsslapd-auditlog-maxlogsperdir: 10
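The three attributes above interact in a fixed order (maxlogsperdir first, then logrotationtime, with maxlogsize as a separate size trigger), and the free-disk-space setting adds a third deletion rule. The following Python script is an added example, not part of the iPlanet documentation or product: it parses a constructed dse.ldif fragment for cn=config, reports the effective audit-log retention policy, and models the oldest-log deletion performed for nsslapd-auditlog-logminfreediskspace. The sample values and log file names are constructed; treating the size limit as a trigger independent of the -1 rotation time, and never deleting the active log during free-space pruning, are this example's assumptions rather than statements from the reference.

```python
"""Audit-log retention check for a DS 5.1-style cn=config entry.

Added example; not product code. Attribute names are the documented ones,
the sample values are constructed for illustration.
"""

# Constructed sample of the cn=config entry as it might appear in dse.ldif.
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-auditlog-maxlogsperdir: 1
nsslapd-auditlog-logrotationtime: 1
nsslapd-auditlog-logrotationtimeunit: week
nsslapd-auditlog-maxlogsize: 100
nsslapd-auditlog-logminfreediskspace: 5
"""


def parse_config_entry(ldif_text):
    """Return {attribute-name: [values]} for the first entry in an LDIF fragment.
    Handles LDIF continuation lines (a leading space continues the prior value)."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    attrs = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def _int_attr(attrs, name, default):
    vals = attrs.get(name.lower())
    return int(vals[0]) if vals else default


def audit_log_policy(attrs):
    """Apply the documented precedence and describe the effective policy.

    1. maxlogsperdir == 1: no rotation at all; rotation time and max size are ignored.
    2. Otherwise logrotationtime == -1 disables time-based rotation.
    Treating maxlogsize == -1 as 'no size trigger' and any other value as an
    independent size trigger is this example's reading of the reference."""
    max_per_dir = _int_attr(attrs, "nsslapd-auditlog-maxlogsperdir", 1)
    rotation_time = _int_attr(attrs, "nsslapd-auditlog-logrotationtime", 1)
    unit = attrs.get("nsslapd-auditlog-logrotationtimeunit", ["week"])[0]
    max_size = _int_attr(attrs, "nsslapd-auditlog-maxlogsize", 100)
    findings = []
    if max_per_dir == 1:
        findings.append("maxlogsperdir is 1: audit log is never rotated and grows without bound")
        return {"rotates": False, "time_based": False, "size_based": False,
                "retained": 1, "schedule": None, "findings": findings}
    time_based = rotation_time != -1
    size_based = max_size != -1
    if not time_based:
        findings.append("logrotationtime is -1: no time-based rotation; only maxlogsize can trigger one")
    if not (time_based or size_based):
        findings.append("both rotation triggers are disabled: audit log grows without bound")
    return {"rotates": time_based or size_based, "time_based": time_based,
            "size_based": size_based, "retained": max_per_dir,
            "schedule": f"every {rotation_time} {unit}" if time_based else None,
            "findings": findings}


def prune_for_free_space(logs_oldest_first, free_mb, min_free_mb):
    """Model nsslapd-auditlog-logminfreediskspace: delete the oldest logs until
    free space reaches the minimum. Keeping the active log (last entry) is an
    assumption of this model. Returns (remaining logs, free MB afterwards)."""
    remaining = list(logs_oldest_first)
    while free_mb < min_free_mb and len(remaining) > 1:
        _name, size_mb = remaining.pop(0)
        free_mb += size_mb
    return remaining, free_mb


if __name__ == "__main__":
    policy = audit_log_policy(parse_config_entry(SAMPLE_DSE_LDIF))
    for finding in policy["findings"]:
        print("FINDING:", finding)
```

Run it against a real dse.ldif (or the output of an ldapsearch on cn=config) to confirm that audit logs are actually rotated and retained: the default of maxlogsperdir 1 silently disables every rotation attribute below it.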


nsslapd-certmap-basedn (Certificate Map Search Base)

This attribute can be used when client authentication is performed with SSL certificates, to work around a limitation of the certificate mapping performed by the security subsystem as configured in certmap.conf. Depending on the certmap.conf configuration, certificate mapping may be done with a subtree search based at the root DN. When the search is based at the root DN, the nsslapd-certmap-basedn attribute can force the search to be based at some entry other than the root. For further information, see Chapter 11, "Managing SSL" in the iPlanet Directory Server Administrator's Guide.


nsslapd-config

This read-only attribute holds the DN of the configuration entry.

Entry DN

cn=config

Valid Range

Any valid config DN.

Default Value

N/A

Syntax

DirectoryString

Example

nsslapd-config: cn=config


nsslapd-ds4-compatible-schema

Makes the schema in cn=schema compatible with 4.x versions of Directory Server.

Entry DN

cn=config

Valid Range

on | off

Default Value

off

Syntax

DirectoryString

Example

nsslapd-ds4-compatible-schema: off


nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)

Controls whether the quoting in the objectclasses attribute values contained in the cn=schema entry conforms to the quoting specified by RFC 2252. By default, the Directory Server places single quotes around the superior object class identified in the objectclasses attribute values contained in cn=schema. RFC 2252 indicates that this value should not be quoted.

That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )

However, RFC 2252 indicates that this attribute should be published as follows:

objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )

Notice the absence of single quotes around the word top.
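Tooling that compares or synchronizes schema between servers must accept both forms above and treat them as the same definition. The following Python parser is an added example, not code from the iPlanet documentation or product: it tokenizes an objectclasses value, records whether the SUP value was quoted, compares two definitions independently of that quoting, and re-emits the definition in the unquoted RFC 2252 form. The two sample definitions are the page's own 'person' class; the function names and the dictionary layout are this example's assumptions. Kind keywords (ABSTRACT, STRUCTURAL, AUXILIARY), OBSOLETE and X- extensions are handled as RFC 2252 defines them, which goes slightly beyond the single case shown on the page.

```python
"""Parse RFC 2252 objectclass descriptions with or without a quoted SUP value.

Added example; not product code.
"""
import re

# Constructed from the page's examples: the 'person' class as DS 5.1 publishes
# it by default (SUP 'top' quoted) and as RFC 2252 specifies it (SUP top).
DS_DEFAULT = ("( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' "
              "MUST ( objectclass $ sn $ cn ) "
              "MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )")
RFC_2252 = DS_DEFAULT.replace("SUP 'top'", "SUP top")

# A token is a quoted string, a parenthesis, a '$' separator, or a bare word.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\$|[^\s()$']+")


def tokenize(desc):
    return _TOKEN.findall(desc)


def _read_values(toks, i):
    """Read one value or a parenthesised '$'-separated list starting at toks[i].
    Returns (values with quotes stripped, next index, whether any was quoted)."""
    quoted = False
    if toks[i] == "(":
        vals = []
        i += 1
        while toks[i] != ")":
            if toks[i] != "$":
                v = toks[i]
                if v.startswith("'"):
                    quoted, v = True, v[1:-1]
                vals.append(v)
            i += 1
        return vals, i + 1, quoted
    v = toks[i]
    if v.startswith("'"):
        quoted, v = True, v[1:-1]
    return [v], i + 1, quoted


def parse_objectclass(desc):
    """Return a dict describing the objectclass; 'sup_quoted' records whether
    the server quoted the superior class name (the DS 5.1 default)."""
    toks = tokenize(desc)
    if not toks or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("objectclass description must be parenthesised")
    toks = toks[1:-1]
    oc = {"oid": toks[0], "name": None, "desc": None, "kind": None, "obsolete": False,
          "sup": [], "must": [], "may": [], "sup_quoted": False}
    i = 1
    while i < len(toks):
        kw = toks[i].upper()
        i += 1
        if kw in ("NAME", "DESC", "SUP", "MUST", "MAY"):
            vals, i, quoted = _read_values(toks, i)
            if kw == "NAME":
                oc["name"] = vals[0]
            elif kw == "DESC":
                oc["desc"] = vals[0]
            elif kw == "SUP":
                oc["sup"], oc["sup_quoted"] = vals, quoted
            elif kw == "MUST":
                oc["must"] = vals
            else:
                oc["may"] = vals
        elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
            oc["kind"] = kw
        elif kw == "OBSOLETE":
            oc["obsolete"] = True
        elif kw.startswith("X-"):
            _, i, _ = _read_values(toks, i)  # skip extension values
        else:
            raise ValueError(f"unexpected token {kw!r} in objectclass description")
    return oc


def same_definition(a, b):
    """True when two parsed definitions agree on everything except SUP quoting."""
    keys = ("oid", "name", "desc", "kind", "obsolete", "sup", "must", "may")
    return all(a[k] == b[k] for k in keys)


def _fmt_list(vals):
    return vals[0] if len(vals) == 1 else "( " + " $ ".join(vals) + " )"


def to_rfc2252(oc):
    """Re-emit the definition with an unquoted SUP, as RFC 2252 specifies."""
    parts = [oc["oid"], f"NAME '{oc['name']}'"]
    if oc["desc"]:
        parts.append(f"DESC '{oc['desc']}'")
    if oc["obsolete"]:
        parts.append("OBSOLETE")
    if oc["sup"]:
        parts.append("SUP " + _fmt_list(oc["sup"]))
    if oc["kind"]:
        parts.append(oc["kind"])
    if oc["must"]:
        parts.append("MUST " + _fmt_list(oc["must"]))
    if oc["may"]:
        parts.append("MAY " + _fmt_list(oc["may"]))
    return "( " + " ".join(parts) + " )"
```

Comparing parsed definitions rather than raw strings keeps a schema-drift check from reporting every class on a DS 5.1 server as different from one on a server that publishes the RFC 2252 form.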

Turning this attrib