Sun ONE Directory Server 5.2 Reference Manual
Chapter 4 Core Server Configuration Attributes
This chapter provides an alphabetical reference of the attributes used to configure and monitor core server functionality. It is divided into the following sections:
- Core Server Configuration Attributes Reference
- Monitoring Attributes
- Configuration Quick Reference Tables
Core Server Configuration Attributes Reference
This section guides you through all the core server functionality configuration attributes. For server functionality implemented via plug-ins, see the section "Plug-In Implemented Server Functionality". For implementing your own server functionality, contact Sun ONE Professional Services.
For information on where to find the server configuration and how to change it, see "Server Configuration Overview" and "Accessing and Modifying Server Configuration".
The configuration information that is stored in the dse.ldif file is organized as an information tree under the general configuration entry cn=config. This information tree is illustrated in Figure 3-1.
This section describes the configuration tree nodes within this information tree, and is divided into the following subsections:
- cn=config
- cn=changelog5
- cn=encryption
- cn=features
- cn=mapping tree
- cn=Password Policy
- cn=replica
- cn=ReplicationAgreementName
- cn=replication
- cn=SNMP
- cn=tasks
- cn=uniqueid generator
The cn=plugins node is covered in Chapter 5 "Plug-In Implemented Server Functionality." Attributes are arranged alphabetically and a full description is provided for each, giving the DN of its directory entry, its default value, the valid range of values, and an example of its use.
Caution
Some of the entries and attributes described in this chapter may change in future releases of the product.
cn=config
General configuration entries are stored under the cn=config entry. The cn=config entry is an instance of the nsslapdConfig object class, which in turn inherits from the extensibleObject object class. For attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry. General configuration entries are presented in this section.
ds-start-tls-enabled (Enable startTLS)
Enables startTLS (Windows installations only). startTLS facilitates dynamic changing to a secured connection. To enable startTLS, security must also be enabled (by setting the nsslapd-security attribute to on).
Because startTLS has a performance impact on Windows installations, it is disabled by default and should only be enabled if required.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   off
Syntax          DirectoryString
Example         ds-start-tls-enabled: off
nsslapd-accesscontrol (Enable Access Control)
Turns access control on and off. If this attribute has a value off, any valid bind attempt (including an anonymous bind) results in full access to all information stored in the Directory Server.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   on
Syntax          DirectoryString
Example         nsslapd-accesscontrol: off
nsslapd-accesslog (Access Log)
Specifies the path and filename of the log used to record each database access. The following information is recorded in the log file by default:
- IP address of the client machine that accessed the database
- operations performed (for example, search, add, modify)
- result of the access (for example, the number of entries returned)
For more information on turning access logging off, see Chapter 12, "Managing Log Files" in the Sun ONE Directory Server Administration Guide.
For access logging to be enabled, this attribute must have a valid path and file name and the nsslapd-accesslog-logging-enabled configuration attribute must be switched to on. Table 4-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
nsslapd-accesslog-level
Controls what is logged to the access log.
nsslapd-accesslog-list
This read-only attribute cannot be set. It provides a list of access log files used in access log rotation.
Property        Value
Entry DN        cn=config
Valid Range     N/A
Default Value   None
Syntax          DirectoryString
Example         nsslapd-accesslog-list: accesslog2,accesslog3
nsslapd-accesslog-logbuffering (Log Buffering)
When set to off, the server writes all access log entries directly to disk.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   on
Syntax          DirectoryString
Example         nsslapd-accesslog-logbuffering: off
nsslapd-accesslog-logexpirationtime (Access Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units are provided by the nsslapd-accesslog-logexpirationtimeunit attribute.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   1
Syntax          Integer
Example         nsslapd-accesslog-logexpirationtime: 2
nsslapd-accesslog-logexpirationtimeunit (Access Log Expiration Time Unit)
Specifies the unit for the nsslapd-accesslog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.
Property        Value
Entry DN        cn=config
Valid Range     month | week | day
Default Value   month
Syntax          DirectoryString
Example         nsslapd-accesslog-logexpirationtimeunit: week
nsslapd-accesslog-logging-enabled (Access Log Enable Logging)
Disables and enables access log logging, but only in conjunction with the nsslapd-accesslog attribute that specifies the path and filename of the log used to record each database access.
For access logging to be enabled, this attribute must be switched to on and the nsslapd-accesslog configuration attribute must have a valid path and filename. Table 4-1 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of access logging.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   on
Syntax          DirectoryString
Example         nsslapd-accesslog-logging-enabled: off
nsslapd-accesslog-logmaxdiskspace (Access Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the access logs are allowed to consume. If this value is exceeded, the oldest access log is deleted.
When setting the maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
nsslapd-accesslog-logminfreediskspace (Access Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified by this attribute, the oldest access log is deleted until enough disk space is freed to satisfy this attribute.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   5
Syntax          Integer
Example         nsslapd-accesslog-logminfreediskspace: 4
nsslapd-accesslog-logrotationtime (Access Log Rotation Time)
Specifies the time between access log file rotations. The access log will be rotated when this time interval is up, regardless of the current size of the access log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-accesslog-logrotationtimeunit attribute.
For performance reasons, it is not recommended that you specify no log rotation as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-accesslog-maxlogsperdir attribute value to 1 or the nsslapd-accesslog-logrotationtime attribute to -1. The server checks the nsslapd-accesslog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-accesslog-logrotationtime attribute. See "nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)" on page 94 for more information.
nsslapd-accesslog-logrotationtimeunit (Access Log Rotation Time Unit)
Specifies the units for the nsslapd-accesslog-logrotationtime attribute.
Property        Value
Entry DN        cn=config
Valid Range     month | week | day | hour | minute
Default Value   day
Syntax          DirectoryString
Example         nsslapd-accesslog-logrotationtimeunit: week
nsslapd-accesslog-maxlogsize (Access Log Maximum Log Size)
Specifies the maximum access log size in megabytes. When this value is reached, the access log is rotated. That is, the server starts writing log information to a new log file. If you set the nsslapd-accesslog-maxlogsperdir attribute to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the access log.
nsslapd-accesslog-maxlogsperdir (Access Log Maximum Number of Log Files)
Specifies the total number of access logs that can be contained in the directory where the access log is stored. If you are using log file rotation, each time the access log is rotated, a new log file is created. When the number of files contained in the access log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. For performance reasons, it is not recommended that you set this value to 1, as the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-accesslog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-accesslog-logrotationtime attribute has a value of -1, there is no log rotation. For more information, see "nsslapd-accesslog-logrotationtime (Access Log Rotation Time)" on page 93.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   10
Syntax          Integer
Example         nsslapd-accesslog-maxlogsperdir: 10
nsslapd-attribute-name-exceptions
Allows non-standard characters in attribute names to be used for backward compatibility with older servers.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   off
Syntax          DirectoryString
Example         nsslapd-attribute-name-exceptions: on
nsslapd-auditlog (Audit Log)
Specifies the pathname and filename of the log used to record changes made to each database.
For audit logging to be enabled, this attribute must have a valid path and file name and the nsslapd-auditlog-logging-enabled configuration attribute must be switched to on. Table 4-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-list
Provides a list of audit log files.
Property        Value
Entry DN        cn=config
Valid Range     N/A
Default Value   None
Syntax          DirectoryString
Example         nsslapd-auditlog-list: auditlog2,auditlog3
nsslapd-auditlog-logexpirationtime (Audit Log Expiration Time)
Specifies the maximum age that a log file can be before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logexpirationtimeunit attribute.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   1
Syntax          Integer
Example         nsslapd-auditlog-logexpirationtime: 1
nsslapd-auditlog-logexpirationtimeunit (Audit Log Expiration Time Unit)
Specifies the units for the nsslapd-auditlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.
Property        Value
Entry DN        cn=config
Valid Range     month | week | day
Default Value   month
Syntax          DirectoryString
Example         nsslapd-auditlog-logexpirationtimeunit: day
nsslapd-auditlog-logging-enabled (Audit Log Enable Logging)
Turns audit logging on and off.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   off
Syntax          DirectoryString
Example         nsslapd-auditlog-logging-enabled: off
For audit logging to be enabled this attribute must be switched to on and the nsslapd-auditlog configuration attribute must have a valid path and file name. Table 4-2 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of audit logging.
nsslapd-auditlog-logmaxdiskspace (Audit Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the audit logs are allowed to consume. If this value is exceeded, the oldest audit log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are three different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations with the total amount of disk space that you want to be used by the audit log.
nsslapd-auditlog-logminfreediskspace (Audit Log Minimum Free Disk Space)
Specifies the minimum permissible free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest audit log is deleted until enough disk space is freed to satisfy this attribute.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   5
Syntax          Integer
Example         nsslapd-auditlog-logminfreediskspace: 3
nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)
Specifies the time between audit log file rotations. The audit log will be rotated when this time interval is up, regardless of the current size of the audit log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-auditlog-logrotationtimeunit attribute. If you set the nsslapd-auditlog-maxlogsperdir attribute to 1, the server ignores this attribute.
For performance reasons, it is not recommended that you specify no log rotation, as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-auditlog-maxlogsperdir attribute value to 1 or the nsslapd-auditlog-logrotationtime attribute to -1. The server checks the nsslapd-auditlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server checks the nsslapd-auditlog-logrotationtime attribute. See "nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)" on page 101 for more information.
nsslapd-auditlog-logrotationtimeunit (Audit Log Rotation Time Unit)
Specifies the units for the nsslapd-auditlog-logrotationtime attribute.
Property        Value
Entry DN        cn=config
Valid Range     month | week | day | hour | minute
Default Value   week
Syntax          DirectoryString
Example         nsslapd-auditlog-logrotationtimeunit: day
nsslapd-auditlog-maxlogsize (Audit Log Maximum Log Size)
Specifies the maximum audit log size in megabytes. When this value is reached, the audit log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-auditlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the audit log.
nsslapd-auditlog-maxlogsperdir (Audit Log Maximum Number of Log Files)
Specifies the total number of audit logs that can be contained in the directory where the audit log is stored. If you are using log file rotation, then each time the audit log is rotated, a new log file is created. When the number of files contained in the audit log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. The default is 1 log. If you accept this default, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, you need to check the nsslapd-auditlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-auditlog-logrotationtime attribute has a value of -1, then there is no log rotation. See "nsslapd-auditlog-logrotationtime (Audit Log Rotation Time)" on page 99 for more information.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   1
Syntax          Integer
Example         nsslapd-auditlog-maxlogsperdir: 10
nsslapd-certmap-basedn (Certificate Map Search Base)
This attribute can be used when client authentication is performed using SSL certificates in order to avoid limitation of the security subsystem certificate mapping, configured in certmap.conf. Depending on the certmap.conf configuration, the certificate mapping may be done using a directory subtree search based at the root DN. Note that if the search is based at the root DN, then the nsslapd-certmap-basedn attribute may force the search to be based at some entry other than the root. For further information, see Chapter 11, "Implementing Security" in the Sun ONE Directory Server Administration Guide.
Property        Value
Entry DN        cn=config
Valid Range     The DN of an entry in the directory
Default Value   N/A
Syntax          DN
Example         nsslapd-certmap-basedn: ou=people,dc=example,dc=com
nsslapd-config
This read-only attribute is the config DN.
Property        Value
Entry DN        cn=config
Valid Range     Any valid config DN.
Default Value   N/A
Syntax          DirectoryString
Example         nsslapd-config: cn=config
nsslapd-ds4-compatible-schema
Makes the schema in cn=schema compatible with 4.x versions of Directory Server.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   off
Syntax          DirectoryString
Example         nsslapd-ds4-compatible-schema: off
nsslapd-enquote-sup-oc (Enable Superior Object Class Enquoting)
Controls whether the quoting in the objectclasses attributes contained in the cn=schema entry conforms to the quoting specified by internet draft RFC 2252. By default, the Directory Server places single quotes around the superior object class identified on the objectclasses attributes contained in cn=schema. RFC 2252 indicates that this value should not be quoted.
That is, the Directory Server publishes objectclasses attributes in the cn=schema entry as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
However, RFC 2252 indicates that this attribute should be published as follows:
objectclasses: ( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP top MUST ( objectclass $ sn $ cn ) MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )
Notice the absence of single quotes around the word top.
Turning this attribute on means that the Directory Server Resource Kit LDAP Clients will no longer function, as they require the schema as defined in RFC 2252.
Turning this attribute off causes the Directory Server to conform to RFC 2252, but doing so may interfere with some earlier LDAP clients. Specifically, any client written using the Sun ONE LDAP SDK for Java 4.x will no longer be able to correctly read and modify schema. This includes the 4.x version of the Sun ONE Server Console. Please note that turning this attribute on or off does not affect the 5.x Sun ONE Server Console.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   off
Syntax          DirectoryString
Example         nsslapd-enquote-sup-oc: off
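The following Python helper is an added example, not code from this manual or from the Directory Server product. It shows the one textual difference that nsslapd-enquote-sup-oc controls: whether the SUP value of an objectclasses definition is single-quoted (the server's default) or bare (RFC 2252). It can be used to check which form a schema entry read from cn=schema is in, or to normalize definitions before comparing schema fetched from servers with different settings. The regular expression is an assumption of this example and handles the single-superior form shown above, not the parenthesized multi-superior form.

```python
import re
from typing import Optional

# Sample definitions, copied from the two forms shown in this section.
SERVER_DEFAULT_FORM = ("( 2.5.6.6 NAME 'person' DESC 'Standard ObjectClass' SUP 'top' "
                       "MUST ( objectclass $ sn $ cn ) "
                       "MAY ( aci $ description $ seealso $ telephonenumber $ userpassword ) )")
RFC2252_FORM = SERVER_DEFAULT_FORM.replace("SUP 'top'", "SUP top")

# Matches the SUP clause; group 1 captures a quoted superior, group 2 a bare one.
# Assumption of this example: a single superior object class, as in the text above.
_SUP_RE = re.compile(r"\bSUP\s+(?:'([^']*)'|([^\s()']+))")


def sup_is_quoted(definition: str) -> Optional[bool]:
    """True if SUP is single-quoted (server default output), False if bare
    (RFC 2252 form), None if the definition has no SUP clause at all."""
    m = _SUP_RE.search(definition)
    if m is None:
        return None
    return m.group(1) is not None


def _superior(m: "re.Match") -> str:
    return m.group(1) if m.group(1) is not None else m.group(2)


def to_rfc2252(definition: str) -> str:
    """Rewrite SUP 'top' as SUP top; an already conformant string is unchanged."""
    return _SUP_RE.sub(lambda m: "SUP " + _superior(m), definition)


def to_enquoted(definition: str) -> str:
    """Rewrite SUP top as SUP 'top', i.e. the server's default publication form."""
    return _SUP_RE.sub(lambda m: "SUP '" + _superior(m) + "'", definition)


if __name__ == "__main__":
    for label, text in (("server default", SERVER_DEFAULT_FORM), ("RFC 2252", RFC2252_FORM)):
        print(f"{label:15s} quoted SUP: {sup_is_quoted(text)}")
    print(to_rfc2252(SERVER_DEFAULT_FORM) == RFC2252_FORM)
```

Because LDAP schema comparison tools typically compare the raw objectclasses strings, normalizing both sides with to_rfc2252 before diffing avoids spurious differences between servers that have nsslapd-enquote-sup-oc set differently.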
nsslapd-errorlog (Error Log)
Specifies the pathname and filename of the log used to record error messages generated by the Directory Server. These messages can describe error conditions, but more often they contain informative conditions such as:
- server startup and shutdown times
- port number the server uses
This log contains varying amounts of information depending on the current setting of the Log Level attribute. See "nsslapd-errorlog-level (Error Log Level)" for more information.
For error logging to be enabled, this attribute must have a valid path and file name and the nsslapd-errorlog-logging-enabled configuration attribute must be switched to on. Table 4-3 lists the four possible combinations of values for these two configuration attributes and their outcome in terms of disabling or enabling of error logging.
nsslapd-errorlog-level (Error Log Level)
Specifies the level of logging to be used by the Directory Server.
Note This attribute has been deprecated in Directory Server 5.2. It is still supported for backward compatibility but has been replaced by the nsslapd-infolog-area (Information Log Area) and nsslapd-infolog-level (Information Log Level) attributes.
nsslapd-errorlog-list (Error Log List)
This read-only attribute provides a list of error log files.
Property        Value
Entry DN        cn=config
Valid Range     N/A
Default Value   None
Syntax          DirectoryString
Example         nsslapd-errorlog-list: errorlog2,errorlog3
nsslapd-errorlog-logexpirationtime (Error Log Expiration Time)
Specifies the maximum age that a log file is allowed to reach before it is deleted. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logexpirationtimeunit attribute.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   1
Syntax          Integer
Example         nsslapd-errorlog-logexpirationtime: 1
nsslapd-errorlog-logexpirationtimeunit (Error Log Expiration Time Unit)
Specifies the units for the nsslapd-errorlog-logexpirationtime attribute. If the unit is unknown by the server, the log will never expire.
Property        Value
Entry DN        cn=config
Valid Range     month | week | day
Default Value   month
Syntax          DirectoryString
Example         nsslapd-errorlog-logexpirationtimeunit: week
nsslapd-errorlog-logging-enabled (Enable Error Logging)
Turns error logging on and off.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   on
Syntax          DirectoryString
Example         nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-logmaxdiskspace (Error Log Maximum Disk Space)
Specifies the maximum amount of disk space in megabytes that the error logs are allowed to consume. If this value is exceeded, the oldest error log is deleted.
When setting a maximum disk space, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
nsslapd-errorlog-logminfreediskspace (Error Log Minimum Free Disk Space)
Specifies the minimum allowed free disk space in megabytes. When the amount of free disk space falls below the value specified on this attribute, the oldest error log is deleted until enough disk space is freed to satisfy this attribute.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   5
Syntax          Integer
Example         nsslapd-errorlog-logminfreediskspace: 5
nsslapd-errorlog-logrotationtime (Error Log Rotation Time)
Specifies the time between error log file rotations. The error log will be rotated when this time interval is up, regardless of the current size of the error log. This attribute supplies only the number of units. The units (day, week, month, and so forth) are given by the nsslapd-errorlog-logrotationtimeunit attribute.
For performance reasons, it is not recommended that you specify no log rotation as the log will grow indefinitely. However, there are two ways to specify no log rotation. Either set the nsslapd-errorlog-maxlogsperdir attribute value to 1 or the nsslapd-errorlog-logrotationtime attribute to -1. The server checks the nsslapd-errorlog-maxlogsperdir attribute first and if this attribute value is larger than 1, the server then checks the nsslapd-errorlog-logrotationtime attribute. See "nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)" on page 109 for more information.
nsslapd-errorlog-logrotationtimeunit (Error Log Rotation Time Unit)
Specifies the units for nsslapd-errorlog-logrotationtime (Error Log Rotation Time). If the unit is unknown by the server, the log will never expire.
Property        Value
Entry DN        cn=config
Valid Range     month | week | day | hour | minute
Default Value   week
Syntax          DirectoryString
Example         nsslapd-errorlog-logrotationtimeunit: day
nsslapd-errorlog-maxlogsize (Maximum Error Log Size)
Specifies the maximum error log size in megabytes. When this value is reached, the error log is rotated. That is, the server starts writing log information to a new log file. If you set nsslapd-errorlog-maxlogsperdir to 1, the server ignores this attribute.
When setting a maximum log size, consider the total number of log files that can be created due to log file rotation. Also, remember that there are 3 different log files (access log, audit log, and error log) maintained by the Directory Server, each of which will consume disk space. Compare these considerations to the total amount of disk space that you want to be used by the error log.
nsslapd-errorlog-maxlogsperdir (Maximum Number of Error Log Files)
Specifies the total number of error logs that can be contained in the directory where the error log is stored. If you are using log file rotation, then each time the error log is rotated, a new log file is created. When the number of files contained in the error log directory exceeds the value stored on this attribute, the oldest version of the log file is deleted. If this attribute is set to 1, the server will not rotate the log and it will grow indefinitely.
If the value for this attribute is higher than 1, then you need to check the nsslapd-errorlog-logrotationtime attribute to establish whether or not log rotation is specified. If the nsslapd-errorlog-logrotationtime attribute has a value of -1 then there is no log rotation. See "nsslapd-errorlog-logrotationtime (Error Log Rotation Time)" on page 108 for more information.
Property        Value
Entry DN        cn=config
Valid Range     1 to the maximum 32 bit integer value (2147483647)
Default Value   2
Syntax          Integer
Example         nsslapd-errorlog-maxlogsperdir: 10
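The following Python script is an added example and is not part of this manual or of the Directory Server product. It reads a cn=config fragment in dse.ldif form and applies the rules stated in the access, audit and error log sections above: a log is only written when its *-logging-enabled switch is on and its path attribute is set (the four combinations of Tables 4-1 to 4-3), rotation is off when *-maxlogsperdir is 1 or, failing that, when *-logrotationtime is -1 (the server checks them in that order), and an unknown *-logexpirationtimeunit means the log never expires. It also flags nsslapd-accesscontrol set to off, since that grants any bound client full access. The defaults it falls back to are the ones given in the attribute tables of this chapter. The LDIF fragments, the log paths and the finding codes are constructed for this example; the script does not check that a path actually exists on disk.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed cn=config fragment (not taken from any real server). It carries
# several weak settings on purpose so that the audit has something to report.
WEAK_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-accesscontrol: off
nsslapd-accesslog: /var/opt/ds/slapd-myServer/logs/access
nsslapd-accesslog-logging-enabled: off
nsslapd-accesslog-maxlogsperdir: 10
nsslapd-accesslog-logrotationtime: 1
nsslapd-accesslog-logexpirationtimeunit: fortnight
nsslapd-auditlog: /var/opt/ds/slapd-myServer/logs/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-errorlog: /var/opt/ds/slapd-myServer/logs/errors
nsslapd-errorlog-logging-enabled: on
nsslapd-errorlog-maxlogsperdir: 10
nsslapd-errorlog-logrotationtime: -1
"""

# The same fragment with every finding corrected (also constructed).
HARDENED_DSE_LDIF = """\
dn: cn=config
nsslapd-accesscontrol: on
nsslapd-accesslog: /var/opt/ds/slapd-myServer/logs/access
nsslapd-accesslog-logging-enabled: on
nsslapd-auditlog: /var/opt/ds/slapd-myServer/logs/audit
nsslapd-auditlog-logging-enabled: on
nsslapd-auditlog-maxlogsperdir: 10
nsslapd-auditlog-logrotationtime: 1
nsslapd-errorlog: /var/opt/ds/slapd-myServer/logs/errors
nsslapd-errorlog-logging-enabled: on
"""

# Defaults from the attribute tables in this chapter.
LOGGING_ENABLED_DEFAULT = {"access": "on", "audit": "off", "error": "on"}
MAXLOGSPERDIR_DEFAULT = {"access": 10, "audit": 1, "error": 2}
KNOWN_EXPIRATION_UNITS = {"month", "week", "day"}


def parse_config_entry(ldif: str) -> Dict[str, List[str]]:
    """Minimal LDIF reader for one entry: attribute names are folded to lower
    case (LDAP compares them case-insensitively); every value is kept."""
    attrs: Dict[str, List[str]] = defaultdict(list)
    for raw in ldif.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        attrs[name.strip().lower()].append(value.strip())
    return attrs


def _single(attrs: Dict[str, List[str]], name: str, default: Optional[str] = None) -> Optional[str]:
    values = attrs.get(name.lower())
    return values[-1] if values else default


def logging_effective(attrs: Dict[str, List[str]], log: str) -> bool:
    """Tables 4-1/4-2/4-3: written only if the switch is on AND a path is set."""
    switch = _single(attrs, f"nsslapd-{log}log-logging-enabled", LOGGING_ENABLED_DEFAULT[log])
    path = _single(attrs, f"nsslapd-{log}log", "")
    return switch.lower() == "on" and bool(path)


def rotation_disabled(attrs: Dict[str, List[str]], log: str) -> bool:
    """Same order as the server: maxlogsperdir first, then logrotationtime."""
    maxlogs = int(_single(attrs, f"nsslapd-{log}log-maxlogsperdir", str(MAXLOGSPERDIR_DEFAULT[log])))
    if maxlogs == 1:
        return True
    rotation_time = _single(attrs, f"nsslapd-{log}log-logrotationtime")
    return rotation_time is not None and int(rotation_time) == -1


def expiration_never(attrs: Dict[str, List[str]], log: str) -> bool:
    """An expiration unit the server does not know means the log never expires."""
    unit = _single(attrs, f"nsslapd-{log}log-logexpirationtimeunit", "month")
    return unit.lower() not in KNOWN_EXPIRATION_UNITS


def audit_logging_config(ldif: str) -> List[Tuple[str, str]]:
    """Return (finding code, subject) pairs; an empty list means nothing to flag."""
    attrs = parse_config_entry(ldif)
    findings: List[Tuple[str, str]] = []
    if _single(attrs, "nsslapd-accesscontrol", "on").lower() != "on":
        findings.append(("ACCESS_CONTROL_OFF", "config"))
    for log in ("access", "audit", "error"):
        if not logging_effective(attrs, log):
            findings.append(("LOGGING_DISABLED", log))
        if rotation_disabled(attrs, log):
            findings.append(("ROTATION_DISABLED", log))
        if expiration_never(attrs, log):
            findings.append(("EXPIRATION_NEVER", log))
    return findings


if __name__ == "__main__":
    for code, subject in audit_logging_config(WEAK_DSE_LDIF):
        print(f"{code:20s} {subject}")
```

Note that the audit log is flagged in the weak fragment only because nsslapd-auditlog-maxlogsperdir is absent and its default is 1, which, as the audit log section above states, means the log is never rotated; the hardened fragment sets it explicitly. Run against a real dse.ldif, the script should be fed only the cn=config entry, since the reader above does not split multiple entries.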
nsslapd-groupevalnestlevel
Specifies the number of levels of nesting that the access control system will perform for group evaluation.
Property        Value
Entry DN        cn=config
Valid Range     0 to the maximum 64-bit integer value
Default Value   0
Syntax          Integer
Example         nsslapd-groupevalnestlevel: 5
nsslapd-hash-filters
Enables experimental code that attempts to speed up filter comparisons by using a hash. This attribute would be used if search tune in the database instance is set to include the VLV_INDEX flag.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   off
Syntax          DirectoryString
Example         nsslapd-hash-filters: off
nsslapd-idletimeout (Idle Timeout)
Specifies the amount of time in seconds after which an idle LDAP client connection is closed by the server. A value of 0 indicates that the server will never close idle connections.
Property        Value
Entry DN        cn=config
Valid Range     0 to the maximum 32 bit integer value (2147483647)
Default Value   0
Syntax          Integer
Example         nsslapd-idletimeout: 0
nsslapd-infolog-area (Information Log Area)
Specifies the component for which logging information should be provided. Each component is identified as an area, whose value is a decimal translation of the hex values in slapi-plugin.h.
The log area is additive; for example, to enable logging on Search filter processing (32) and Config file processing (64), you would set this attribute to 96 (32+64).
If you are writing plug-ins for the Directory Server, refer to the Sun ONE Directory Server Plug-In API Programming Guide for more information on using this attribute.
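The two functions below are an added example, not code from this manual or from the Directory Server product. They make the additive nature of nsslapd-infolog-area explicit: each area is a single bit, so a configured value can be split back into the areas it enables, and a set of areas can be combined into the value to write. Only the two areas named above (32 and 64) are labelled; any other bit is reported by its decimal value because the full list lives in slapi-plugin.h, which this page does not reproduce.

```python
from typing import Dict, List, Tuple

# Only the areas named in this section are labelled; other bits are reported
# as "unknown area" rather than guessed.
KNOWN_LOG_AREAS: Dict[int, str] = {
    32: "Search filter processing",
    64: "Config file processing",
}


def decode_infolog_area(value: int) -> List[Tuple[int, str]]:
    """Split an nsslapd-infolog-area value into its component areas, lowest bit first."""
    if value < 0:
        raise ValueError("nsslapd-infolog-area must be non-negative")
    areas: List[Tuple[int, str]] = []
    bit = 1
    while bit <= value:
        if value & bit:
            areas.append((bit, KNOWN_LOG_AREAS.get(bit, "unknown area")))
        bit <<= 1
    return areas


def encode_infolog_area(*areas: int) -> int:
    """Combine single-bit areas into the value to set on the attribute.
    Bitwise OR is used rather than addition so that naming an area twice
    does not silently enable an unrelated higher bit."""
    total = 0
    for area in areas:
        if area <= 0 or area & (area - 1):
            raise ValueError(f"{area} is not a single log area flag")
        total |= area
    return total


if __name__ == "__main__":
    for bit, name in decode_infolog_area(96):
        print(f"{bit:5d}  {name}")
    print(encode_infolog_area(32, 64))
```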
nsslapd-infolog-level (Information Log Level)
Specifies the level of logging information that should be returned for the server component defined by the nsslapd-infolog-area attribute. A value of 0 means that only default logging information is returned for the selected area. Setting this attribute to 1 enables additional logging information to be returned for the selected area.
Property        Value
Entry DN        cn=config
Valid Range     0 | 1
Default Value   0
Syntax          Integer
Example         nsslapd-infolog-level: 0
nsslapd-instancedir (Instance Directory)
Specifies the full path to the directory where this server instance is installed. The hostname is the default serverID given at installation time.
Property        Value
Entry DN        cn=config
Valid Range     Any valid file path.
Default Value   ServerRoot/slapd-serverID
Syntax          DirectoryString
Example         nsslapd-instancedir: /ServerRoot/slapd-myServer
nsslapd-ioblocktimeout (IO Block Time Out)
Specifies the amount of time in milliseconds after which the connection to a stalled LDAP client is closed. An LDAP client is considered to be stalled when it has not made any I/O progress for read or write operations.
Property        Value
Entry DN        cn=config
Valid Range     0 to the maximum 32 bit integer value (2147483647) in ticks
Default Value   1800000
Syntax          Integer
Example         nsslapd-ioblocktimeout: 1800000
nsslapd-lastmod (Track Modification Time)
Specifies whether the Directory Server maintains the modification attributes for Directory Server entries. These attributes include:
- modifiersname: the distinguished name of the person who last modified the entry.
- modifytimestamp: the timestamp, in GMT format, for when the entry was last modified.
- creatorsname: the distinguished name of the person who initially created the entry.
- createtimestamp: the timestamp, in GMT format, for when the entry was created.
Property        Value
Entry DN        cn=config
Valid Range     on | off
Default Value   on
Syntax          DirectoryString
Example         nsslapd-lastmod: off
nsslapd-listenhost (Listen to IP Address)
Allows multiple Directory Server instances to run on a multihomed machine (or makes it possible to limit listening to one interface of a multihomed machine). Provide the hostname which corresponds to the IP interface you want to specify as a value for this attribute. Directory Server will only respond to requests sent to the interface that corresponds to the hostname provided on this attribute.
Property        Value
Entry DN        cn=config
Valid Range     Any hostname.
Default Value   N/A
Syntax          DirectoryString
Example         nsslapd-listenhost: host_name
nsslapd-localhost (Local Host)
This read-only attribute specifies the host machine on which the Directory Server runs.
Property        Value
Entry DN        cn=config
Valid Range     Any fully qualified hostname.
Default Value   Hostname of installed machine.
Syntax          DirectoryString
Example         nsslapd-localhost: myServer.example.com
nsslapd-localuser (Local User)
UNIX and Linux installations only. Specifies the user under which the Directory Server runs. The group under which the user runs is derived from this attribute, by examining the groups that the user is a member of. Should the user change, all the files in the installation directory must be owned by this user.
nsslapd-maxbersize (Maximum Message Size)
Defines the maximum size in bytes allowed for an incoming message. This limits the size of LDAP requests that can be handled by the Directory Server. Limiting the size of requests prevents some kinds of denial of service attacks.
The limit applies to the total size of the LDAP request. For example, if the request is to add an entry, and the entry in the request is larger than two megabytes, then the add request is denied. Care should be taken when changing this attribute and we recommend contacting Sun ONE Professional Services before doing so.
nsslapd-maxconnections (Maximum Number of Connections)
This attribute limits the number of simultaneous connections the server can manage. The value of this attribute is not set by default. If it is not set manually, its implicit value is the maximum number of file descriptors a process can open on the system.
You can use this attribute to limit the amount of memory used by Directory Server. Directory Server allocates n*512 bytes of connection data, where n is the value of nsslapd-maxconnections if set, or otherwise the maximum number of file descriptors a process can open on the system.
For example, on Solaris 9 systems the maximum number of file descriptors is 64000. If nsslapd-maxconnections is not set, Directory Server therefore allocates roughly 32 MB (64000 * 512 bytes) for connection data, which may cause problems for some deployments. Setting nsslapd-maxconnections to a value that matches the expected client load alleviates this problem.
nsslapd-maxdescriptors (Maximum File Descriptors)
Not applicable to directory installations on Windows and AIX.
This attribute sets the maximum, platform-dependent number of file descriptors that the Directory Server will try to use. A file descriptor is used whenever a client connects to the server. It is also used for some server activities such as index maintenance. The number of file descriptors available for TCP/IP connections is the value of nsslapd-maxdescriptors minus the number of file descriptors reserved by the server for non-client uses, such as index management and replication, as specified in the nsslapd-reservedescriptors attribute (see "nsslapd-reservedescriptors (Reserved File Descriptors)").
The number that you specify here should not be greater than the total number of file descriptors that your operating system allows the ns-slapd process to use. This number differs depending on your operating system. Some operating systems allow you to configure the number of file descriptors available to a process; see your operating system documentation for details on file descriptor limits and configuration. The included idsktune program can be used to suggest changes to the system kernel or TCP/IP tuning attributes, including increasing the number of file descriptors if necessary. Consider increasing the value of this attribute if the Directory Server is refusing connections because it is out of file descriptors. When this occurs, the following message is written to the Directory Server's error log file:
Not listening for new connections -- too many fds open
Entry DN: cn=config
Valid Range: 1 to 65535
Default Value: 1024
Syntax: Integer
Example: nsslapd-maxdescriptors: 1024
nsslapd-maxpsearch (Maximum Persistent Searches)
Defines the maximum number of persistent searches that can be performed on the Directory Server. The persistent search mechanism provides an active channel through which entries that change (and information about the changes that occur) can be communicated. Because each persistent search operation uses one thread, limiting the number of simultaneous persistent searches prevents certain kinds of denial of service attacks.
Entry DN: cn=config
Valid Range: 1 to the value of nsslapd-threadnumber
Default Value: 30
Syntax: Integer
Example: nsslapd-maxpsearch: 30
nsslapd-maxthreadsperconn (Maximum Threads Per Connection)
Defines the maximum number of threads that a connection should use. For normal operations where a client binds and performs only one or two operations before unbinding, you should use the default value. For situations where a client binds and simultaneously issues many requests, you should increase this value to allow each connection enough resources to perform all the operations.
Entry DN: cn=config
Valid Range: 1 to the value of nsslapd-threadnumber
Default Value: 5
Syntax: Integer
Example: nsslapd-maxthreadsperconn: 5
nsslapd-nagle
When the value of this attribute is off, the TCP_NODELAY option is set so that LDAP responses (such as entries or result messages) are sent back to a client immediately. When the attribute is turned on, default TCP behavior applies. That is, the sending of data is delayed, in the hope that this will enable additional data to be grouped into one packet of the underlying network MTU size (typically 1500 bytes for Ethernet).
Entry DN: cn=config
Valid Range: on | off
Default Value: off
Syntax: DirectoryString
Example: nsslapd-nagle: off
nsslapd-plugin
This multi-valued, read-only attribute lists the syntaxes and matching rules loaded by the server.
nsslapd-port (Port Number)
TCP/IP port number used for LDAP communications. If you want to run SSL/TLS over this port, you can do so through the Start TLS extended operation. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. On UNIX systems, specifying a port number of less than 1024 requires the Directory Server to run as root.
If you are changing the port number for a configuration directory, you must also update the corresponding Server Instance Entry in the configuration directory. Please note that you need to restart the server for the port number change to be taken into account.
Entry DN: cn=config
Valid Range: 1 to 65535
Default Value: 389
Syntax: Integer
Example: nsslapd-port: 389
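As an added example (not part of this manual or of the Directory Server product), the following Python script parses a constructed dse.ldif fragment and audits the cn=config attributes described in the nsslapd-listenhost, nsslapd-maxbersize, nsslapd-maxconnections, nsslapd-maxdescriptors, nsslapd-maxpsearch and nsslapd-port sections above: whether the server is bound to every interface, how much memory the implicit connection table costs (the n*512 bytes figure), whether the effective nsslapd-maxconnections exceeds the descriptors left for clients after nsslapd-reservedescriptors, whether a privileged port is in use, and whether nsslapd-lastmod has been switched off. The sample LDIF values, the 2 MB threshold for nsslapd-maxbersize and the 64000 descriptor limit (the Solaris 9 figure quoted above) are the editor's assumptions; the ldapmodify LDIF it emits uses the standard changetype: modify / replace syntax.

```python
"""Audit the cn=config attributes discussed in this section from a dse.ldif
file.  Added example, not Sun ONE Directory Server code: thresholds and the
system descriptor limit are the editor's assumptions."""
import base64
from typing import Dict, List, Optional

# Constructed dse.ldif fragment, not a real server's file.  It exercises two
# LDIF features a parser must handle: a folded value (continuation line that
# starts with a space) and a base64-encoded value ("::").
SAMPLE_DSE_LDIF = """\
dn: cn=config
objectClass: top
objectClass: extensibleObject
objectClass: nsslapdConfig
nsslapd-port: 389
nsslapd-lastmod: off
nsslapd-maxdescriptors: 1024
nsslapd-reservedescriptors: 64
nsslapd-threadnumber: 30
nsslapd-maxpsearch: 30
nsslapd-maxbersize:: MjA5NzE1Mg==
nsslapd-privatenamespaces: cn=config,
  cn=schema, cn=monitor

dn: cn=encryption,cn=config
objectClass: top
"""

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> Dict[str, Entry]:
    """Return {lowercased dn: {lowercased attribute: [values]}} per entry."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # fold: drop newline + one space
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries: Dict[str, Entry] = {}
    current: Entry = {}
    for line in unfolded + [""]:                # empty sentinel flushes last entry
        if not line.strip():
            if "dn" in current:
                entries[current["dn"][0].lower()] = current
            current = {}
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition("::")
        if sep:                                 # "attr:: base64"
            value = base64.b64decode(value.strip()).decode("utf-8")
        else:                                   # "attr: value"
            attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def first(entry: Entry, attr: str) -> Optional[str]:
    values = entry.get(attr.lower())
    return values[0] if values else None


def fd_budget(cfg: Entry, system_fd_limit: int) -> Dict[str, int]:
    """Descriptor and memory arithmetic from the nsslapd-maxdescriptors and
    nsslapd-maxconnections sections; system_fd_limit is the host's per-process
    descriptor limit (64000 is the Solaris 9 figure quoted in the text)."""
    max_desc = int(first(cfg, "nsslapd-maxdescriptors") or 1024)   # documented default
    reserved = int(first(cfg, "nsslapd-reservedescriptors") or 0)  # 0 if unset: lower bound
    raw = first(cfg, "nsslapd-maxconnections")
    max_conn = int(raw) if raw else system_fd_limit                # implicit value when unset
    return {
        "client_fds": max_desc - reserved,
        "max_connections": max_conn,
        "max_connections_explicit": int(raw is not None),
        "connection_table_bytes": max_conn * 512,                  # n*512 bytes, per the text
    }


def audit_config(cfg: Entry, system_fd_limit: int = 64000,
                 max_bersize_threshold: int = 2 * 1024 * 1024) -> List[str]:
    """Return human-readable findings; the bersize threshold is an assumption."""
    findings: List[str] = []
    if first(cfg, "nsslapd-listenhost") is None:
        findings.append("nsslapd-listenhost unset: server answers on every "
                        "interface of a multihomed host")
    port = int(first(cfg, "nsslapd-port") or 389)
    if port < 1024:
        findings.append(f"nsslapd-port {port} is privileged: ns-slapd must run "
                        "as root to bind it on UNIX")
    budget = fd_budget(cfg, system_fd_limit)
    if not budget["max_connections_explicit"]:
        findings.append(f"nsslapd-maxconnections unset: implicit value "
                        f"{budget['max_connections']} reserves "
                        f"{budget['connection_table_bytes']} bytes")
    if budget["max_connections"] > budget["client_fds"]:
        findings.append(f"nsslapd-maxconnections {budget['max_connections']} exceeds "
                        f"the {budget['client_fds']} descriptors left for clients "
                        "(maxdescriptors - reservedescriptors)")
    bersize = first(cfg, "nsslapd-maxbersize")
    if bersize and int(bersize) > max_bersize_threshold:
        findings.append(f"nsslapd-maxbersize {bersize} exceeds {max_bersize_threshold}")
    threads, psearch = first(cfg, "nsslapd-threadnumber"), first(cfg, "nsslapd-maxpsearch")
    if threads and psearch and int(psearch) > int(threads):
        findings.append(f"nsslapd-maxpsearch {psearch} exceeds thread count {threads}")
    if (first(cfg, "nsslapd-lastmod") or "on").lower() == "off":
        findings.append("nsslapd-lastmod off: creatorsname/modifiersname and "
                        "create/modify timestamps are not recorded")
    return findings


def remediation_ldif(budget: Dict[str, int]) -> str:
    """LDIF for ldapmodify that pins nsslapd-maxconnections to the descriptors
    actually available for clients, so the connection table is sized to match."""
    return ("dn: cn=config\nchangetype: modify\nreplace: nsslapd-maxconnections\n"
            f"nsslapd-maxconnections: {budget['client_fds']}\n")


if __name__ == "__main__":
    config = parse_ldif(SAMPLE_DSE_LDIF)["cn=config"]
    for finding in audit_config(config):
        print("-", finding)
    print(remediation_ldif(fd_budget(config, 64000)))
```

Run it against a copy of a live dse.ldif rather than the server's working file, and apply the emitted LDIF with ldapmodify against the running instance (or edit dse.ldif while the server is stopped), since attribute changes such as nsslapd-port take effect only after a restart. The descriptor comparison is the editor's inference from the text: each connection consumes one descriptor, so a connection limit above maxdescriptors minus reservedescriptors can never be reached.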
nsslapd-privatenamespaces
Contains the list of the private naming contexts cn=config, cn=schema, and cn=monitor.
Entry DN: cn=config
Valid Range: cn=config, cn=schema, and cn=monitor
Default Value: N/A