Copyright © 2011-2012 ForgeRock AS
Last updated: February 21, 2012
Hands-on guide to configuring and using OpenDJ features. The OpenDJ project offers open source LDAP directory services in Java.
- Preface
- 1. Administration Interfaces & Tools
- 2. Managing Server Processes
- 3. Importing & Exporting LDIF Data
- 4. Configuring Servers For Client Application Access
- 5. Configuring Privileges & Access Control
- 6. Performing LDAP Operations
- 7. Indexing Attribute Values
- 8. Managing Data Replication
- 9. Backing Up & Restoring Data
- 10. Configuring Password Policy
- 11. Implementing Account Lockout & Notification
- 12. Setting Resource Limits
- 13. Working With Groups of Entries
- 14. Implementing Attribute Value Uniqueness
- 15. Managing Schema
- 16. Working With Referrals
- 17. Working With Virtual and Collective Attributes
- 18. Configuring Pass Through Authentication
- 19. Samba Password Synchronization
- 20. Monitoring Servers
- 21. Tuning Servers For Performance
- 22. Moving Servers
- 23. Troubleshooting Server Problems
- I. Tools Reference
- A. File Layout
- B. Ports Used
- C. Standards, RFCs, & Internet-Drafts
- D. LDAP Controls
- E. LDAP Extended Operations
- F. Localization
- Index
This guide shows you how to configure, maintain, and troubleshoot OpenDJ directory services. This guide also describes file layouts, ports used, and standards, controls, extended operations, and languages supported for OpenDJ installations.
This guide is written for directory designers and administrators who build, deploy, and maintain OpenDJ directory services for your organizations.
This guide starts by introducing the OpenDJ administrative interfaces and tools, and by showing how to manage OpenDJ server processes. It also demonstrates how to import and export directory data. This guide continues by showing how to configure and monitor the principle features of individual OpenDJ servers, and how to configure and monitor replicated server topologies for distributed high availability. It then demonstrates how to tune, troubleshoot, and move servers. This guide concludes with appendices of useful reference information for directory designers and administrators.
You do not need to be an LDAP wizard to learn something from this guide, though a background in directory services and maintaining server software can help. You do need some background in managing servers and services on your operating system of choice. You can nevertheless get started with this guide, and then learn more as you go along.
Some items are formatted differently from other text, like
filenames, commands, and
literal values.
In many cases, sections pertaining to UNIX, GNU/Linux, Mac OS X, BSD,
and so forth are marked (UNIX). Sections pertaining to Microsoft Windows
might be marked (Windows). To avoid repetition, however, file system
directory names are often given only in UNIX format as in
/path/to/OpenDJ, even if the text applies to
C:\path\to\OpenDJ as well.
Core documentation, such as what you are now reading, aims to be technically accurate and complete with respect to the software documented. Core documentation therefore follows a three-phase review process designed to eliminate errors. The review process should slow authors down enough that documentation you get with a stable release has had time to bake fully.
Fully baked core documentation is available at docs.forgerock.org.
The OpenDJ Wiki regularly brings you more, fresh content. In addition, you are welcome to sign up and then edit the Wiki if you notice an error, or if you have something to share.
After you sign up at ForgeRock, you can also login to the Wiki and the issue database to follow what is happening with the project.
If you have questions regarding OpenDJ which are not answered by the documentation, there is a mailing list which can be found at https://lists.forgerock.org/mailman/listinfo/opendj where you are likely to find an answer.
You can join the IRC discussion in the #opendj room at irc.freenode.net.
The Wiki has information on how to check out OpenDJ source code. There is also a mailing list for OpenDJ development which can be found at https://lists.forgerock.org/mailman/listinfo/opendj-dev Should you want to contribute a patch, test, or feature, or want to author part of the core documentation, first have a look on the ForgeRock Community page at how to get involved.
OpenDJ server software installs with a cross-platform, Java Swing-based Control Panel for many day-to-day tasks. OpenDJ server software also installs command-line tools for configuration and management tasks.
This chapter is one of the few to include screen shots of the control panel. Most examples make use of the command-line tools. Once you understand the concepts, and how to perform a task using the command-line tools, you no doubt need no more than to know where to start in the Control Panel to accomplish what you set out to do.
At a protocol level, administration tools and interfaces connect to servers through a different network port than that used to listen for traffic from other client applications.
This chapter takes a quick look at the tools for managing directory services.
OpenDJ Control Panel offers a graphical user interface for managing both local and remote servers. You choose the server to manage when you start the Control Panel. The Control Panel connects to the administration server port, making a secure LDAPS connection.
Start OpenDJ Control Panel.
(UNIX) Run OpenDJ/bin/control-panel.
(Windows) Double-click OpenDJ\bat\control-panel.bat.
(Mac OS X) Double-click OpenDJ/bin/ControlPanel.app.
When you login to OpenDJ Control Panel, you authenticate over LDAP. This means that if a user can run the Control Panel, she can use it to manage a running server. Yet, to start and stop the server process through OpenDJ Control Panel, you must start the Control Panel on the system where OpenDJ runs, as the user who owns the OpenDJ server files (such as the user who installed OpenDJ). In other words, the OpenDJ Control Panel does not do remote process management.
Down the left side of OpenDJ Control Panel, notice what you can configure.
- Directory Data
Directory data provisioning is typically not something you do by hand in most deployments. Usually entries are created, modified, and deleted through specific directory client applications. The Manage Entries window can be useful, however, both in the lab as you design and test directory data, and also if you modify individual ACIs or debug issues with particular entries.
The Manage Entries window can check that your changes are valid before sending the request to the directory.
Additionally, the Directory Data list makes it easy to create a new base DN, and then import user data for the new base DN from LDIF. You can also use the tools in the list to export user data to LDIF, and to backup and restore user data.
- Schema
The Manage Schema window lets you browse and modify the rules that define how data is stored in the directory. You can add new schema definitions such as new attribute types and new object classes while the server is running, and the changes you make take effect immediately.
- Indexes
The Manage Indexes window gives you a quick overview of all the indexes currently maintained for directory attributes. To protect your directory resources from being absorbed by costly searches on unindexed attributes, you may choose to keep the default behavior, preventing unindexed searches, instead adding indexes required by specific applications. (Notice that if the number of user data entries is smaller than the default resource limits, you can still perform what appear to be unindexed searches. That is because the dn2id indexes returns all user data entries without hitting a resource limit that would make the search unindexed.)
OpenDJ Control Panel also allows you to verify and rebuild existing indexes, which you may have to do after an upgrade operation, or if you have reason to suspect index corruption.
- Monitoring
The Monitoring list gives you windows to observe information about the system, the JVM used, and indications about how the cache is used, whether the work queue has been filling up, as well as details about the database. You can also view the numbers and types of requests arriving over the connection handlers, and the current tasks in progress as well.
- Runtime Options
If you did not set appropriate JVM runtime options during the installation process, this is the list that allows you to do so through the Control Panel.
All OpenDJ command-line tools take the --help option.
All commands call Java programs and therefore involve starting a JVM.
Setup, upgrade, and uninstall tools are located in the directory where
you unpacked OpenDJ, such as /path/to/OpenDJ. Find the
additional command-line tools for your platform.
(UNIX) In OpenDJ/bin.
(Windows) In OpenDJ\bat.
The following list uses the UNIX names for the tools. On Windows all command-line tools have the extension .bat.
- backup
Backup or schedule backup of directory data.
- base64
Encode and decode data in base64 format.
Base64 encoding represents binary data in ASCII, and can be used to encode character strings in LDIF, for example.
- create-rc-script (UNIX)
Generate a script you can use to start, stop, and restart the server either directly or at system boot and shutdown. Use create-rc-script -f
script-file.- dbtest
Debug JE databases.
- dsconfig
The dsconfig command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, dsconfig prompts you for administration connection information. Once connected it presents you with a menu-driven interface to the server configuration.
When you pass connection information, subcommands, and additional options to dsconfig, the command runs in script mode and so is not interactive.
You can prepare dsconfig batch scripts by running the tool with the
--commandFilePathoption in interactive mode, then reading from the batch file with the--batchFileoption in script mode. Batch files can be useful when you have many dsconfig commands to run and want to avoid starting the JVM and setting up a new connection for each command.In addition to the dsconfig reference that covers subcommands, the Configuration Reference covers the properties you can set using the dsconfig command.
- dsframework
Manage server registration, server groups, and administrative users.
- dsjavaproperties
Apply changes you make to OpenDJ/config/java.properties, which sets JVM runtime options.
- dsreplication
Configure data replication between directory servers to keep their contents in sync.
- encode-password
Encode a clear text password according to one of the available storage schemes.
- export-ldif
Export directory data to LDAP Data Interchange Format, a standard, portable, text-based representation of directory content.
- import-ldif
Load LDIF content into the directory, overwriting existing data.
- ldapcompare
Compare the attribute values you specify with those stored on entries in the directory.
- ldapdelete
Delete one entry or an entire branch of subordinate entries in the directory.
- ldapmodify
Modify the specified attribute values for the specified entries.
Use the ldapmodify command with the -a option to add new entries.
- ldappasswordmodify
Modify user passwords.
- ldapsearch
Search a branch of directory data for entries matching the LDAP filter that you specify.
- ldifdiff
Display differences between two LDIF files, with the resulting output having LDIF format.
- ldifmodify
Similar to the ldapmodify command, modify specified attribute values for specified entries in an LDIF file.
- ldifsearch
Similar to the ldapsearch command, search a branch of data in LDIF for entries matching the LDAP filter you specify.
- list-backends
List backends and base DNs served by OpenDJ.
- make-ldif
Generate directory data in LDIF, based on templates that define how the data should appear.
The make-ldif command is designed to help you quickly generate test data that mimics data you expect to have in production, but without compromising private information.
- manage-account
Lock and unlock user accounts, and view and manipulate password policy state information.
- manage-tasks
View information about tasks scheduled to run in the server, and cancel specified tasks.
- rebuild-index
Rebuild an index stored in a JE backend.
- restore
Restore user data from backup.
- start-ds
Start OpenDJ directory server.
- status
Display information about the server.
- stop-ds
Stop OpenDJ directory server.
- verify-index
Verify that an index stored in a JE backend is not corrupt.
- windows-service.bat (Windows)
Register OpenDJ as a Windows Service.
Using the OpenDJ Control Panel, you can start and stop local servers. You can also start and stop OpenDJ using command-line tools, and use the operating system's capabilities for starting OpenDJ at boot time.
This chapter demonstrates how to start and stop server processes with command line tools and using operating system capabilities. This chapter also describes what OpenDJ directory server does during startup and shutdown, and how it recovers following an abrupt shutdown such as happens during a system crash or when you kill the server process using system tools.
Use one of the following techniques.
Use the start-ds command.
$ OpenDJ/bin/start-dsAlternatively, you can specify the --no-detach option to start the server in the foreground.
(UNIX) Create an RC script, and then use the script to start the server.
Unless you run OpenDJ as root, use the --userName
userNameoption to specify the user who installed OpenDJ.$ sudo OpenDJ/bin/create-rc-script --outputFile /etc/init.d/opendj --userName mark [sudo] password for mark: $ sudo /etc/init.d/opendj startFor example, on Linux if you run OpenDJ as root, you can use the RC script to start the server at system boot, and stop the server at system shutdown.
$ sudo update-rc.d opendj defaults update-rc.d: warning: /etc/init.d/opendj missing LSB information update-rc.d: see <http://wiki.debian.org/LSBInitScripts> Adding system startup for /etc/init.d/opendj ... /etc/rc0.d/K20opendj -> ../init.d/opendj /etc/rc1.d/K20opendj -> ../init.d/opendj /etc/rc6.d/K20opendj -> ../init.d/opendj /etc/rc2.d/S20opendj -> ../init.d/opendj /etc/rc3.d/S20opendj -> ../init.d/opendj /etc/rc4.d/S20opendj -> ../init.d/opendj /etc/rc5.d/S20opendj -> ../init.d/opendj(Windows) Register OpenDJ as a Windows Service, and then manage the service through Windows administration tools.
C:\Users\Mark> OpenDJ\bat\windows-service.bat --enableService
Use one of the following techniques.
Use the stop-ds command.
$ OpenDJ/bin/stop-ds(UNIX) Create an RC script, and then use the script to stop the server.
$ sudo OpenDJ/bin/create-rc-script --outputFile /etc/init.d/opendj --userName mark [sudo] password for mark: $ sudo /etc/init.d/opendj stop(Windows) Register OpenDJ as a Windows Service, and then manage the service through Windows administration tools.
C:\Users\Mark> OpenDJ\bat\windows-service.bat --enableService
Use one of the following techniques.
Use the stop-ds command.
$ OpenDJ/bin/stop-ds --restart(UNIX) Create an RC script, and then use the script to stop the server.
$ sudo OpenDJ/bin/create-rc-script --outputFile /etc/init.d/opendj --userName mark [sudo] password for mark: $ /etc/init.d/opendj restart(Windows) Register OpenDJ as a Windows Service, and then manage the service through Windows administration tools.
C:\Users\Mark> OpenDJ\bat\windows-service.bat --enableService
OpenDJ tends to show resilience when restarting after a crash or after the server process is killed abruptly. OpenDJ might have to replay the last few entries in a transaction log. Generally OpenDJ returns to service quickly.
You can find Berkeley Java Edition database recovery messages in the
database log file, such as
/path/to/OpenDJ/db/userRoot/je.info.0. The following
shows two example messages from that log, the first written at the beginning
of the recovery process, the second written at the end of the process.
What can take some time during server startup is preloading database
content into memory when the server starts. Objects cached in memory do not
survive a crash. By default, OpenDJ does not cache objects in memory before
starting to accept client requests. You can however set a
preload-time-limit for the database cache of your
backend if you do want to load objects into the database cache before
OpenDJ begins accepting client connections.
LDAP Data Interchange Format provides a mechanism for representing directory data in text format. LDIF data is typically used to initialize directory databases, but also may be used to move data between different directories that cannot replicate directly, or even as an alternative backup format.
This chapter shows you how to import and export LDIF. This chapter also covers creating test data in LDIF format, and manipulating LDIF data with command-line tools.
When you install OpenDJ, you have the option of importing sample data generated during the installation. This procedure demonstrates how to generate LDIF using the make-ldif command.
The make-ldif command uses templates to provide
sample data. Default templates are located in the
OpenDJ/config/MakeLDIF/ directory. The
example.template file can be used to create
a suffix with entries of the type inetOrgPerson. You can
do the equivalent in OpenDJ Control Panel (Directory Data > New Base
DN... > Import Automatically Generated Example Data).
Write a file to act as the template for your generated LDIF.
The resulting test data template depends on what data you expect to encounter in production. Base your work on your knowledge of the production data, and on the sample template,
OpenDJ/config/MakeLDIF/example.template, and associated data.Create additional data files for the content in your template to be selected randomly from a file, rather than generated by an expression.
Additional data files are located in the same directory as your template file.
Decide whether you want to generate the same test data each time you run the make-ldif command with your template.
If so, provide the same
randomSeedinteger each time you run the command.Before generating a very large LDIF file, make sure you have enough space on disk.
Run the make-ldif command to generate your LDIF file.
$ make-ldif --randomSeed 0 --templateFile /path/to/my.template --ldifFile /path/to/generated.ldif Processed 1000 entries Processed 2000 entries ... Processed 10000 entries LDIF processing complete. 10003 entries written
You can use the OpenDJ Control Panel to import data (Directory Data > Import LDIF...) and to export data (Directory Data > Export LDIF...). The following procedures demonstrate how to use the import-ldif and export-ldif commands.
The most efficient method of importing LDIF data is to take the OpenDJ server offline. Alternatively, you can schedule a task to import the data while the server is online.
If you do not want to use the default
userRootbackend, create a new JE backend for your data.See Section 3.4, “Creating a New Database Backend” for details.
The following example imports
dc=example,dc=orgdata into theuserRootbackend, overwriting existing data.If you want to speed up the process—for example because you have millions of directory entries to import—first shut down the server, and then run the import-ldif command.
$ stop-ds $ import-ldif --includeBranch dc=example,dc=org --backendID userRoot --ldifFile /path/to/generated.ldifIf not, schedule a task to import the data while online.
$ import-ldif --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --includeBranch dc=example,dc=org --backendID userRoot --ldifFile /path/to/generated.ldif --trustAllNotice that the task is scheduled through communication over SSL on the administration port, by default
4444. You can schedule the import task to start at a particular time using the--startoption.The
--trustAlloption trusts all SSL certificates, such as a default self-signed certificate used for testing.
The following example exports
dc=example,dc=orgdata from theuserRootbackend.If you want to speed up export, first shut down the server, and then export data using the export-ldif command.
$ stop-ds $ export-ldif --includeBranch dc=example,dc=org --backendID userRoot --ldifFile /path/to/backup.ldifIf not, schedule a task to export the data while online.
$ export-ldif --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --includeBranch dc=example,dc=org --backendID userRoot --ldifFile /path/to/backup.ldif --start 20111221230000 --trustAllThe
--start 20111221230000option tells OpenDJ to start the export at 11 PM on December 21, 2012.If OpenDJ is stopped at this time, then when you start OpenDJ again, the server attempts to perform the task after starting up.
This section demonstrates the ldifsearch, ldifmodify, and ldifdiff tools.
The ldifsearch command lets you search LDIF files in a similar way to how you search LDAP directories with the ldapsearch command.
The --ldifFile
option replaces the ldif-file--hostname and --port
options used to connect to an LDAP directory. Otherwise the command syntax
and LDIF output is familiar to ldapsearch users.
The ldifmodify command lets you apply changes to LDIF files, generating a new, changed version of the original file.
Notice that the resulting new LDIF file is likely to be about the same size as the source LDIF file.
The ldifdiff command reports differences between two LDIF files in LDIF format.
As the ldifdiff command reads both files into memory, constructing tree maps to perform the comparison, the command is designed to work with small files and fragments. The command can quickly run out of memory when calculating differences between large files.
OpenDJ stores your data in a backend. OpenDJ
stores directory data in backends. Backends are what you backup and restore.
By default, OpenDJ stores your data in a backend named
userRoot. You can create new backends using the
dsconfig command. The following example creates a
local backend named testData.
Alternatively, you can create a new backend in OpenDJ Control Panel
(Directory Data > New Base DN... > Backend > New Backend:
backend-name).
This chapter shows you how to configure OpenDJ directory server to listen for directory client requests, using connection handlers. You can view information about connection handlers in the OpenDJ Control Panel, and update the configuration using the dsconfig command.
You configure LDAP client access by using the command-line tool dsconfig. By default you configure OpenDJ to listen for LDAP when you install.
The standard port number for LDAP client access is 389. If you install OpenDJ directory server as a user who can use port 389 and the port is not yet in use, then 389 is the default port number presented at installation time. If you install as a user who cannot use a port < 1024, then the default port number presented at installation time is 1389.
Change the port number using the dsconfig command.
$ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAP Connection Handler" --set listen-port:11389 --trustAll --no-promptThis example changes the port number to 11389 in the configuration.
Restart the server so the change takes effect.
$ stop-ds --restart
You can set up a self-signed certificate as part of the OpenDJ installation process. You can also choose to import your own CA-signed certificate as part of the installation process.
Other applications recognize certificates signed by CAs whose root certificates are installed already. If you need your server certificate to be recognized automagically by applications configured to use SSL out of the box, then use a CA-signed certificate.
Yet for testing purposes self-signed certificates can be a cheap alternative. This section covers how to set up a self-signed certificate after installation. With the self-signed certificate you can set up, for example, secure communications with StartTLS and over LDAPS.
First you create and sign a server certificate that you place in a Java Key Store. Then you set up the Key Manager Provider and Trust Manager Provider to rely on your new server certificate in its key store.
Generate the server certificate using the Java keytool command.
$ keytool -genkey -alias server-cert -keyalg rsa -dname "CN=opendj.example.com,O=Example Corp,C=FR" -keystore OpenDJ/config/keystore -storepass changeit -keypass changeitIn this example, OpenDJ is running on a system with fully qualified host name
opendj.example.com. The Java Key Store (JKS) is created in theconfigdirectory where OpenDJ is installed, which is the default value for JKS.Self-sign the server certificate.
$ keytool -selfcert -alias server-cert -keystore OpenDJ/config/keystore -storepass changeitConfigure the File Based Key Manager Provider for JKS to use the filename and key store PIN that you set up with the keytool command.
$ dsconfig set-key-manager-provider-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --provider-name JKS --set enabled:true --set key-store-pin:changeit --remove key-store-pin-file:config/keystore.pin --trustAll --no-promptConfigure the File Based Trust Manager Provider for JKS to use the key store and PIN as well.
$ dsconfig set-trust-manager-provider-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --provider-name JKS --set enabled:true --set trust-store-file:config/keystore --set trust-store-pin:changeit --trustAll --no-promptAt this point, OpenDJ directory server can use your new self-signed certificate, for example for StartTLS and LDAPS connection handlers.
StartTLS (Transport Layer Security) negotiations start on the unsecure LDAP port, and then protect communication with the client. You can opt to configure StartTLS during installation, or later using the dsconfig command.
Ensure you have a server certificate installed.
Activate StartTLS on the current LDAP port.
$ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAP Connection Handler" --set allow-start-tls:true --set key-manager-provider:JKS --set trust-manager-provider:JKS --trustAll --no-promptThe change takes effect. No need to restart the server.
You configure LDAPS (LDAP/SSL) client access by using the command-line tool dsconfig. You can opt to configure LDAPS access when you install.
The standard port number for LDAPS client access is 636. If you install OpenDJ directory server as a user who can use port 636 and the port is not yet in use, then 389 is the default port number presented at installation time. If you install as a user who cannot use a port < 1024, then the default port number presented at installation time is 1636.
Ensure you have a server certificate installed.
Configure the server to activate LDAPS access.
$ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAPS Connection Handler" --set listen-port:1636 --set enabled:true --set use-ssl:true --trustAll --no-promptThis example changes the port number to 1636 in the configuration.
Change the port number using the dsconfig command.
$ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDAPS Connection Handler" --set listen-port:11636 --trustAll --no-promptThis example changes the port number to 11636 in the configuration.
Restart the server so the change takes effect.
$ stop-ds --restart
Directory Services Markup Language (DSML) client access is implemented as a servlet that runs in a web application container.
You configure DSML client access by editing the
WEB-INF/web.xml after you deploy the web
application. In particular, you must at least set the
ldap.host and ldap.port parameters
if they differ from the default values, which are
localhost and 389.
The list of DSML configuration parameters, including those that are optional, consists of the following.
ldap.hostRequired parameter indicating the host name of the underlying directory server. Default:
localhost.ldap.portRequired parameter indicating the LDAP port of the underlying directory server. Default: 389.
ldap.userdnOptional parameter specifying the DN used by the DSML gateway to bind to the underlying directory server. Not used by default.
ldap.userpasswordOptional parameter specifying the password used by the DSML gateway to bind to the underlying directory server. Not used by default.
ldap.authzidtypeisidThis parameter can help you set up the DSML gateway to do HTTP Basic Access Authentication, given the appropriate mapping between the user ID, and the user's entry in the directory.
Required boolean parameter specifying whether the HTTP Authorization header field's Basic credentials in the request hold a plain ID, rather than a DN. If set to
true, then the gateway performs an LDAP SASL bind using SASL plain, enabled by default in OpenDJ to look for an exact match between auidvalue and the plain ID value from the header. In other words, if the plain ID isbjensen, and that corresponds in the directory server to Babs Jensen's entry with DNuid=bjensen,ou=people,dc=example,dc=com, then the bind happens as Babs Jensen. Note also that you can configure OpenDJ identity mappers for scenarios that use a different attribute thanuid, such as themailattribute.Default:
falseldap.usesslRequired parameter indicating whether
ldap.portpoints to a port listening for LDAPS (LDAP/SSL) traffic. Default:false.ldap.usestarttlsRequired parameter indicating whether to use StartTLS to connect to the specified
ldap.port. Default:false.ldap.trustallRequired parameter indicating whether blindly to trust all certificates presented to the DSML gateway when using secure connections (LDAPS or StartTLS). Default:
false.ldap.truststore.pathOptional parameter indicating the trust store used to verify certificates when using secure connections. If you want to connect using LDAPS or StartTLS, and do not want the gateway blindly to trust all certificates, then you must set up a trust store. Not used by default.
ldap.truststore.passwordOptional parameter indicating the trust store password. If you set up and configure a trust store, then you need to set this as well. Not used by default.
The DSML servlet translates between DSML and LDAP, and passes requests
to the directory server. For initial testing purposes, you might try
JXplorer, where DSML Service:
/webapp-dir/DSMLServlet. Here,
webapp-dir refers to the name of the directory
in which you unpacked the DSML .war file.
You configure Java Management Extensions (JMX) client access by using the command-line tool, dsconfig.
Configure the server to activate JMX access.
$ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "JMX Connection Handler" --set enabled:true --trustAll --no-promptThis example uses the default port number, 1689.
Restart the server so the change takes effect.
$ stop-ds --restart
The LDIF connection handler lets you make changes to directory data by placing LDIF in a file system directory that OpenDJ server regularly polls for changes. The LDIF, once consumed, is deleted.
You configure LDIF file access by using the command-line tool dsconfig.
Activate LDIF file access.
$ dsconfig set-connection-handler-prop --hostname opendj.example.com --port 4444 --bindDN "cn=Directory Manager" --bindPassword password --handler-name "LDIF Connection Handler" --set enabled:true --trustAll --no-promptThe change takes effect immediately.
Add the directory where you put LDIF to be processed.
$ mkdir /path/to/OpenDJ/config/auto-process-ldifThis example uses the default value of the
ldif-directoryproperty for the LDIF connection handler.
OpenDJ supports use of both access control instructions and privileges. Access control instructions can be added to directory data for fine-grained control over what a given user or group member is authorized to do. Privileges are implemented independently from access control. By default, privileges restrict administrative access to directory root users. You can configure OpenDJ to extend privileges to other administrators as well.
This chapter covers both access control instructions and privileges, demonstrating how to configure both.
OpenDJ directory server access control instructions (ACIs) exist as
aci attribute values in the directory data. ACIs apply
to a scope defined in the instruction, and set permissions that depend on
what operation is requested, who requested the operation, and how the client
connected to the server. For example, the ACIs on the following
entry allow anonymous read access to all attributes except passwords, and
allow full read-write access to directory administrators under
dc=example,dc=com.
ACI attribute values use a specific language described in this section. Although ACI attribute values can become difficult to read in LDIF, the basic syntax is simple.
targets(version 3.0;acl "name";permissionssubjects;)
The following list briefly explains the variables in the syntax above.
targetsThe
targetsspecifies entries, attributes, controls, and extended operations to which the ACI applies.To include multiple
targets, enclose each individual target in parentheses, (). When you specify multiple targets, all targets must match for the ACI to apply (AND).nameSupplies a human-readable description of what the ACI does.
permissionsDefines which actions to allow, and which to deny. Paired with
subjects.subjectsIdentify clients to which the ACI applies depending on who connected, and when, where, and how they connected. Paired with
permissions.
Separate multiple pairs of permissions
subjects definitions with semicolons, ;. When you
specify multiple permissions-subjects pairs, at least one must match
(OR).
The seven types of ACI targets identify the objects to which the ACI applies.
(target = "ldap:///,DN")(target != "ldap:///DN")Sets the scope to the entry with distinguished name
DN, and to child entries.You can use asterisks, *, to replace attribute types, attribute values, and entire DN components. In other words, the following specification targets both
uid=bjensen,ou=People,dc=example,dc=comand alsocn=Frank Zappa,ou=Musicians,dc=example,dc=com.(target = "ldap:///*=*,*,dc=example,dc=com")The
DNmust be in the subtree of the entry on which the ACI is defined.(targetattr = ",attr-list")(targetattr != "attr-list")Replace
attr-listwith a list of attribute type names, such asuserPassword, separating multiple attribute type names with ||.This specification affects the entry where the ACI is located, or the entries specified by other targets in the ACI.
You can use an asterisk, *, to specify all non-operational attributes, although you will see better performance when explicitly including or excluding attribute types needed. You can use a plus, +, to specify all operational attributes.
If you do not include this target specification, then by default no attributes are affected by the ACI.
(targetfilter = ",ldap-filter")(targetfilter != "ldap-filter")Sets the scope to match the
ldap-filterdynamically, as in an LDAP search. Theldap-filtercan be any valid LDAP filter.(targattrfilters = ",expression")(targattrfilters != "expression")Use this target specification when managing changes made to particular attributes.
Here
expressiontakes one of the following forms. Separate expressions with semicolons, ;.op=attr1:filter1[&&attr2:filter2...][;op=attr3:filter3[&&attr4:filter4...] ...]Here
opcan be eitheraddfor operations creating attributes, ordeletefor operations removing them. Replaceattrwith an attribute type. Replacefilterwith an LDAP filter that corresponds to theattrattribute type.(targetscope = "base|onelevel|subtree|subordinate")Here
baserefers to the entry where the ACI is defined,onelevelto immediate children,subtreeto the base entry and all children, andsubordinateto all children only.If you do not specify
targetscope, then the default issubtree.(targetcontrol = ",OID")(targetcontrol != "OID")Replace
OIDwith the object identifier for the LDAP control to target. Separate multiple OIDs with ||.This target cannot be restricted to a specific subtree by combining it with another target.
(extop = ",OID")(extop != "OID")Replace
OIDwith the object identifier for the extended operation to target. Separate multiple OIDs with ||.This target cannot be restricted to a specific subtree by combining it with another target.
ACI permission definitions take one of the following forms.
allow(action[,action...])
deny(action[,action...])
Tip
Although deny is supported, avoid restricting
permissions by using deny. Instead, explicitly
allow access only where needed. What looks harmless and
simple in your lab examples can grow difficult to maintain in a real-world
deployment with nested ACIs.
Replace action with one of the following.
addEntry creation, as for an LDAP add operation
allAll permissions, except
export,import,proxycompareAttribute value comparison, as for an LDAP compare operation
deleteEntry deletion, as for an LDAP delete operation
exportEntry export during a modify DN operation.
Despite the name, this action is unrelated to LDIF export operations.
importEntry import during a modify DN operation.
Despite the name, this action is unrelated to LDIF import operations.
proxyAccess the ACI target using the rights of another user
readRead entries and attributes
searchSearch the ACI targets. Needs to be combine with
readin order to read the search results.selfwriteAdd or delete own DN from a group
writeModify attributes on ACI target entries
ACI subjects match characteristics of the client connection to the server. Use subjects to restrict whether the ACI applies depending on who connected, and when, where, and how they connected.
authmethod = "none|simple|ssl|sasl,mech"authmethod != "none|simple|ssl|saslmech"Here you use
noneto mean do not check,simplefor simple authentication,sslfor certificate-based authentication over LDAPS,saslfor SASL wheremechmechis DIGEST-MD5, EXTERNAL, or GSSAPI.dayofweek = ",day[,day...]"dayofweek != "day[,day...]"Replace
daywith one ofsun,mon,tue,wed,thu,fri,sat.dns = ",hostname"dns != "hostname"You can use asterisks, *, to replace name components, such as
dns = "*.myCompany.com".groupdn = "ldap:///,DN[|| ldap:///DN...]"groupdn != "ldap:///DN[|| ldap:///DN...]"Replace
DNwith the distinguished name of a group to permit or restrict access for members.ip = ",addresses"ip != "addresses"Here
addressescan be specified for IPv4 or IPv6. IPv6 addresses are specified in brackets asldap://[where /address]/subnet-prefixsubnet-prefixis optional. You can specify individual IPv4 addresses, addresses with asterisks (*) to replace subnets and host numbers, CIDR notation, and forms such as192.168.0.*+255.255.255.0to specify subnet masks.ssf = ",strength"ssf !=! ",strength"ssf > ",strength"ssf >= ",strength"ssf < ",strength"ssf <= "strength"Here the security strength factor pertains to the cipher key strength for connections using DIGEST-MD5, GSSAPI, SSL, or TLS. For example, to require that the connection must have at least 128 bits of encryption, specify
ssf >= 128.timeofday = ",hhmm"timeofday != ",hhmm"timeofday > ",hhmm"timeofday >= ",hhmm"timeofday < ",hhmm"timeofday <= "hhmm"Here
hhmmis expressed as on a 24-hour clock. For example, 1:15 PM is written1315.userattr = ",attr#value"userattr != ",attr#value"userattr =,ldap-url#LDAPURL"userattr !=,ldap-url#LDAPURL"userattr = "[parent[,child-level].]attr#GROUPDN|USERDN"userattr != "[parent[child-level].]attr#GROUPDN|USERDN"The
userattrsubject specifies an attribute that must match on both the bind entry and the target of the ACI.To match when the attribute on the bind DN entry corresponds directly to the attribute on the target entry, replace
attrwith the attribute type, andvaluewith the attribute value.To match when the target entry is identified by an LDAP URL, and the bind DN is in the subtree of the DN of the LDAP URL, use
ldap-url#LDAPURL.To match when the bind DN corresponds to a member of the group identified by the
attrvalue on the target entry, useattr#GROUPDN.To match when the bind DN corresponds to the
attrvalue on the target entry, useattr#USERDN.The optional inheritence specification,
parent[, lets you specify how many levels below the target entry inherit the ACI. Herechild-level].child-levelis a number from 0 to 9, with 0 indicating the target entry only. Separate multiplechild-leveldigits with commas (,).userdn = ",ldap-url++[||ldap-url++...]"userdn != "ldap-url++[||ldap-url++...]"To match the bind DN, replace
ldap-url++with either a valid LDAP URL such asldap:///uid=bjensen,ou=People,dc=example,dc=com,ldap:///dc=example,dc=com??sub?(uid=bjensen), or a special LDAP URL-like keyword from the following list.ldap:///allMatch authenticated users.
ldap:///anyoneMatch anonymous and authenticated users.
ldap:///parentMatch when the bind DN is a parent of the ACI target.
ldap:///selfMatch when the bind DN entry corresponds to ACI target.
Privileges provide access control for server administration independently from access control instructions.
Directory root users, such as cn=Directory Manager,
are granted privileges in the following list and marked with an asterisk (*)
by default. Other administrator users can be assigned privileges, too.
backend-backup*Request a task to backup data
backend-restore*Request a task to restore data from backup
bypass-acl*Perform operations without regard to ACIs
bypass-lockdown*Perform operations without regard to lockdown mode
cancel-request*Cancel any client request
config-read*Read the server configuration
config-write*Change the server configuration
data-syncPerform data synchronization
disconnect-client*Close any client connection
jmx-notifySubscribe to JMX notifications
jmx-readRead JMX attribute values
jmx-writeWrite JMX attribute values
ldif-export*Export data to LDIF
ldif-import*Import data from LDIF
modify-acl*Change ACIs
password-reset*Reset other users' passwords
privilege-change*Change the privileges assigned to users
proxied-authUse the Proxied Authorization control
server-lockdown*Put OpenDJ into, and take OpenDJ out of, lockdown mode
server-restart*Request a task to restart the server
server-shutdown*Request a task to stop the server
subentry-write*Perform LDAP subentry write operations
unindexed-search*Search using a filter with no correponding index
update-schema*Change OpenDJ schema definitions
* = default directory root user privileges
For root directory administrators, by default cn=Directory
Manager, you configure privileges using the
dsconfig command.
For non-root directory administrators, you add privileges with the ldapmodify command.
Start dsconfig in interactive mode.
$ dsconfig --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword passwordSelect the Root DN menu.
Select View and edit the Root DN.
Edit the
default-root-privilege-name.Make sure you apply the changes when finished.
Privileges are specified using the ds-privilege-name
operational attribute, which you can change on the command-line using
ldapmodify.
Determine the privileges to add.
$ cat privilege.ldif dn: uid=kvaughan,ou=People,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: config-read ds-privilege-name: password-resetThis example lets the user read the server configuration, and reset user passwords. In order for the user to be able to change a user password, you must also allow the modification using ACIs. For this example, Kirsten Vaughan is a member of the Directory Administrators group for Example.com, and already has access to modify user entries.
Prior to having the privileges, Kirsten gets messages about insufficent access when trying to read the server configuration, or reset a user password.
$ ldapsearch --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --baseDN cn=config "(objectclass=*)" SEARCH operation failed Result Code: 50 (Insufficient Access Rights) Additional Information: You do not have sufficient privileges to perform search operations in the Directory Server configuration $ ldappasswordmodify --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" --newPassword changeit The LDAP password modify operation failed with result code 50 Error Message: You do not have sufficient privileges to perform password reset operationsApply the change as a user with the
privilege-changeprivilege.$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename privilege.ldif Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=comAt this point, Kirsten can perform the operations requiring privileges.
$ ldapsearch --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --baseDN cn=config "(objectclass=*)" dn: cn=config ds-cfg-return-bind-error-messages: false ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies, cn=config ... $ ldappasswordmodify --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" --newPassword changeit The LDAP password modify operation was successful
For deployments with more than one administrator, you no doubt use a group to define adminstrative rights. You can use a collective attribute subentry to specify privileges for the administrator group.
Collective attributes provide a standard mechanism for defining
attributes that appear on all the entries in a particular subtree. OpenDJ
extends collective attributes to give you fine-grained control over the
which entries in the subtree are targetted. Also, OpenDJ lets you use
virtual attributes, such as isMemberOf to construct the
filter for targetting entries to which the collective attributes apply. This
allows you, for example, to define administrative privileges that apply to
all users who belong to an administrator group.
Create an LDAP subentry that specifies the collective attributes.
$ cat collective.ldif dn: cn=Administrator Privileges,dc=example,dc=com objectClass: collectiveAttributeSubentry objectClass: extensibleObject objectClass: subentry objectClass: top cn: Administrator Privileges ds-privilege-name;collective: config-read ds-privilege-name;collective: config-write ds-privilege-name;collective: ldif-export ds-privilege-name;collective: modify-acl ds-privilege-name;collective: password-reset ds-privilege-name;collective: proxied-auth subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" } $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename collective.ldif Processing ADD request for cn=Administrator Privileges,dc=example,dc=com ADD operation successful for DN cn=Administrator Privileges,dc=example,dc=comThe Directory Administrators group for Example.com includes members like Kirsten Vaughan.
Observe that the change takes effect immediately.
$ ldappasswordmodify --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" --newPassword changeit The LDAP password modify operation was successful
Access control instructions are defined in the data, as values for
aci attributes. They can be imported in LDIF. They can
be modified over LDAP. Yet in order to make changes to ACIs users first
need the modify-acl privilege described previously.
By default, only the root DN user has the modify-acl
privilege.
Global ACIs on cn=Access Control Handler,cn=config
can be set using the dsconfig command. Global ACIs have
attribute type ds-cfg-global-aci. Modify global ACIs from
the Access Control Handler menu in dsconfig.
Default global ACIs set up the following access rules.
Users can employ LDAP controls and perform extended operations.
Anonymous read access is allowed for most user data attributes.
Users can read password values on their own entries after binding. (Also by default, password values are hashed.)
Anonymous read access is allowed for schema-related operational attributes.
Anonymous read access is allowed for root DSE attributes describing what the server supports.
Anonymous read access is allowed for operational attributes related to entry updates and entry identification.
Access to replication data is denied.
Users with write access to add ACIs and with the
modify-acl privilege can use the
ldapmodify command to change ACIs located in user
data.
This section therefore focuses on ACI examples, rather than demonstrating how to directory data for each example.
This works when the only attributes you do not want world-readable are password attributes.
Directory Administrators need privileges as well for full access to administrative operations.
Notice both targetattr = "* || +", which permits
access to both all user attributes and all operational attributes, and
allow(all, proxy, import, export), which permits not
only all user operations, but also proxy authorization as well as data
import and export operations.
By default this capability is set in a global ACI.
For some static groups such as carpoolers and social club members, you might choose to let users manage their own memberships.
Let users create and delete self-managed groups.
This ACI uses IP address and Security Strength Factor subjects.
The ssf is one for example when using SSL but you
have not configured a cipher, so the packets are checksummed for integrity
checking by all content is nevertheless sent in clear text.
Once you set up a number of ACIs, you might find it difficult to understand by inspection what rights a user actually has to a given entry. The Get Effective Rights control can help.
Note
The control OID, 1.3.6.1.4.1.42.2.27.9.5.2, is
not allowed by the default global ACIs.
In this example, Babs Jensen is the owner of a small group of people who are willing to carpool.
Performing the same search with the get effective rights control, and
asking for the aclRights attribute, shows what rights
Babs has on the entry.
Requesting the aclRightsInfo attribute results in
information about the ACIs applied to arrive at the results.
OpenDJ comes with a Control Panel browser for managing entries and also command-line tools for performing LDAP operations. This chapter demonstrates how to use the command line tools to script LDAP operations.
Searching the directory resembles searching for a phone number in a paper phone book. You can look up a phone number because you know the last name of a subscriber's entry. In other words, you use the value of one attribute of the entry to find entries that have another attribute you want.
Yet whereas a paper phone book has only one index (alphabetical order by name), the directory has many indexes. For a search you therefore always specify which index to use, by specifying which attribute(s) you are using to lookup entries.
Your paper phone book might be divided into white pages for residential subscribers, and yellow pages for businesses. If you are looking up an individual's phone number, you limit your search to the white pages. Directory services divide entries in various ways, often to separate organizations, and to separate groups from user entries from printers for example, but potentially in other ways. When searching you therefore also specify where in the directory to search.
The ldapsearch command thus takes at minimum a
search base DN option and an LDAP filter. The search base DN identifies
where in the directory to search for entries that match the filter.
For example, if you are looking for printers, you might specify the base
DN as ou=Printers,dc=example,dc=com. Perhaps you are
visiting the GNB00 office and are looking for a
printer.
In the example, the LDAP filter indicates to the directory that you
want to lookup printer entries where the printerLocation
attribute is equal to GNB00.
You also specify the host and port to access directory services, what protocol to use (for example, LDAP/SSL, or StartTLS to protect communication). If the directory service does not allow anonymous access to the data you want to search, you also identify who is performing the search and provide their credentials, such as a password or certificate. Finally, you can specify a list of attributes to return. If you do not specify attributes, then the search returns all user attributes for the entry.
Review the following examples in this section to get a sense of how searches work.
The following example searches for entries with UID containing
jensen, returning only DNs and uid values.
The following example returns entries with uid
containing jensen for users located in Santa Clara. The
command returns the attributes associated with the person
object class.
Complex filters can use both "and" syntax,
(&(,
and "or" syntax,
filtercomp)(filtercomp))(|(.filtercomp)(filtercomp))
Use + in the attribute list after the filter
to return all operational attributes. Alternatively, specify operational
attributes by name.
Use @ in the
attribute list after the filter to return the attributes associated with
a particular object class.objectClass
RFC 4515: Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters mentions a number of characters that you must handle with care when using them in search filters.
For a filter like (attr=, the following list indicates characters
that you must replace with a backslash ( value)\ ) followed
by two hexadecimal digits when using them as part of the
value string.
Replace
*with\2a.Replace
(with\28.Replace
)with\29.Replace
\with\5c.Replace NUL (0x00) with
\2a.
The following example shows a filter with escaped characters matching an actual value.
OpenDJ supports extensible matching rules, meaning you can pass in filters specifying a matching rule OID that extends your search beyond what you can do with standard LDAP. One specific matching rule of this type that OpenDJ supports is the generalized time based "later than" and "earlier than" matching rules. See the example, Configure an Extensible Match Index, showing how to build an index for these matching rules.
You can use these matching rules to list, for example, all users who have authenticated recently.
First set up an attribute to store a last login timestamp. You can do this by adding a schema file for the attribute.
Configure the applicable password policy to write the last login
timestamp when a user authenticates. The following command configures the
default password policy to write the timestamp in generalized time format
to the lastLoginTime operational attribute on the user's
entry.
Wait a while for users to authenticate again (or test it yourself) so that OpenDJ writes the timestamps. The following search then returns users who have authenticated in the last three months (13 weeks) after you configured OpenDJ to keep the last login timestamps.
The compare operation checks whether an attribute value you specify matches the attribute value stored on one or more directory entries.
authPasswordIn this example, Kirsten Vaughan checks whether the hashed password
value matches the stored value on authPassword.
ldapcompare
--port 1389
--bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
--bindPassword bribery
'authPassword:MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q=='
uid=kvaughan,ou=people,dc=example,dc=com
Comparing type authPassword with value
MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q== in entry
uid=kvaughan,ou=people,dc=example,dc=com
Compare operation returned true for entry
uid=kvaughan,ou=people,dc=example,dc=comAuthorized users can change directory data using the LDAP add, modify, modify DN, and delete operations.
With the ldapmodify -a command, authorized users can add entire entries from the same sort of LDIF file used to import and export data.
With the ldapmodify command, authorized users can change the values of attributes in the directory using LDIF as specified in RFC 2849.
The following example adds a description and JPEG photo to Sam Carter's entry.
The following example replaces the description on Sam Carter's entry.
The following example deletes the JPEG photo on Sam Carter's entry.
Some client applications send updates including attributes with names
that differ from the attribute names defined in OpenDJ. Other client
applications might try to update attributes they should not update, such
as the operational attributes creatorsName,
createTimestamp, modifiersName,
and modifyTimestamp. Ideally you would fix the client
application behavior, but that is not always feasible.
You can configure the attribute cleanup plugin to filter add and modify requests, renaming attributes in requests using incorrect names, and removing attributes that applications should not change.
The following example renames incoming email
attributes to mail attributes. First, configure the
attribute cleanup plugin to rename the inbound attribute.
Next, see that it works as expected.
The following example prevents client applications from adding or
modifying creatorsName,
createTimestamp, modifiersName,
and modifyTimestamp attributes. First, set up the
attribute cleanup plugin.
Next, see that it works as expected.
The Relative Distinguished Name (RDN) refers to the part of an
entry's DN that distinguishes it from all other DNs at the same level
in the directory tree. For example uid=bjensen is
the RDN of the entry having DN
uid=bjensen,ou=People,dc=example,dc=com.
With the ldapmodify command, authorized users can rename entries in the directory.
When you change the RDN of the entry, you are renaming the entry, modifying the value of the naming attribute, but also modifying the entry's DN.
Sam Carter is changing her last name to Jensen, and changing her
login from scarter to sjensen.
The following example renames and changes Sam Carter's entry accordingly.
Notice the boolean field, deleteoldrdn: 1, which
indicates that the previous RDN, uid: scarter, should
be removed. (Setting deleteoldrdn: 0 instead would
preserve uid: scarter on the entry.)
When you rename an entry with child entries, the directory has to move all the entries underneath.
Note
The modify DN operation only works when moving entries in the same backend, under the same suffix. Also, depending on the number of entries you move, this can be a resource-intensive operation.
With the ldapmodify command, authorized users can move entries in the directory.
ou=PeopleThe following example moves
ou=Customers,dc=example,dc=com to
ou=People,dc=example,dc=com, and then moves each
employee under ou=Employees,dc=example,dc=com
under ou=People,dc=example,dc=com as well, finally
removing the empty ou=Employees,dc=example,dc=com
container. Here, deleteoldrdn: 1 indicates that the
old RDN, ou: Customers, should be removed from the
entry. For employees, deleteoldrdn: 0 indicates that
old RDNs, in this case uid attribute values, should
be preserved.
With the ldapmodify command, authorized users can delete entries from the directory.
The following example uses the subtree delete option to remove all Special Users from the directory.
With the ldappasswordmodify command, authorized users can change and reset user passwords.
The following example shows Kirsten Vaughan resetting Sam Carter's password. Kirsten has the appropriate privilege to reset Sam's password.
You could also accomplish password reset with the following command, but set-password-is-reset is a hidden option, supported only for testing.
You can use the ldappasswordmodify command to change your password, as long as you know your current password.
The same operation works for cn=Directory
Manager.
OpenDJ expects passwords to be UTF-8 encoded (base64 encoded when included in LDIF).
Tip
If you forget the password for cn=Directory Manager,
then one remedy uses the following steps.
Generate an encoded password value using the encode-password command.
By default, the password for Directory Manager uses the SSHA512 password storage scheme. In the following example, the encoded password is wrapped to fit on a printed page.
$ encode-password --storageScheme SSHA512 --interactivePassword Please enter the password : Please renter the password: Encoded Password: "{SSHA512}U7Kx5oYcLxdsqSrpSkBk425LwL0Z61loNfS0dBVCcEKVhMyTT oe3oWikDJ/AJjKEkYBg+q3VUQ5hWgrGVf7MjfDrm5mum6yI"Stop OpenDJ.
Edit
config/config.ldif, replacing theuserPasswordvalue on the entry forcn=Directory Manager,cn=Root DNs,cn=configwith the encoded password, taking care not to leave any whitespace at the end of the line.Start OpenDJ.
You can use ~/.opendj/tools.properties to set
the defaults for bind DN, host name, and port number as in the following
example.
The location on Windows is
%UserProfile%/.opendj/tools.properties.
Proxied authorization provides a standard control as defined in RFC 4370 (and an earlier Internet-Draft) for binding with the user credentials of a proxy, who carries out LDAP operations on behalf of other users. You might use proxied authorization, for example, to have your application bind with its credentials, and then carry out operations as the users who login to the application.
Suppose you have an administrative directory client application that
has an entry in the directory with DN
cn=My App,ou=Apps,dc=example,dc=com. You can give that
application the access rights and privileges to use proxied authorization.
The default access control for OpenDJ permits authenticated users to use
the proxied authorization control.
Suppose also that when directory administrator, Kirsten Vaughan, logs
in to your application to change Babs Jensen's entry, your application looks
up Kirsten's entry, and finds that she has DN
uid=kvaughan,ou=People,dc=example,dc=com. For the example
commands in the following procedure. My App uses proxied authorization to
make a change to Babs's entry as Kirsten.
Grant access to applications that can use proxied authorization.
$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com") (targetattr ="* ")(version 3.0; acl "Allow apps proxied auth"; allow(all, proxy )(userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");) Processing MODIFY request for dc=example,dc=com MODIFY operation successful for DN dc=example,dc=comGrant the privilege to use proxied authorization to My App.
$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password dn: cn=My App,ou=Apps,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: proxied-auth Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=comTest that My App can use proxied authorization.
$ ldapmodify --port 1389 --bindDN "cn=My App,ou=Apps,dc=example,dc=com" --bindPassword password --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com" dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify replace: description description: Changed through proxied auth Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
OpenDJ provides several indexing schemes to speed up searches.
When a client requests a directory search operation, the client sends
the server a filter expression such as
(&(uid=*jensen*)(l=Stavanger)). The server then uses
applicable indexes to find entries with attribute values likely to match
the search. If no indexes are applicable, then the server potentially has
to go through all entries to look for candidate matches.
Looking through all entries is resource-intensive for large directories.
For this reason, the unindexed-search privilege, allowing
users to request searches for which no applicable index exists, is reserved
for the directory root user by default.
Rather than granting the unindexed-search privilege
to more users and client applications, you configure indexes to correspond
to the searches that clients need to perform.
This chapter first describes index types, then demonstrates how to index attribute values. This chapter also lists the default indexing configuration for OpenDJ directory server.
OpenDJ provides several different index types, each corresponding to a different type of search.
An approximate index is used to match values that "sound like" those
provided in the filter. An approximate index on cn
allows clients to find people even when they misspell names as in the
following example.
An equality index is used to match values that correspond exactly (though generally without case sensitivity) to the value provided in the search filter. An equality index requires clients to match values without wildcards or misspellings.
An ordering index is used to match values for a filter that
specifies a range. The ds-sync-hist has an ordering
index by default because searches on that attribute often seek entries
with changes more recent than the last time a search was performed.
The following example shows a search that specifies ranges.
A presence index is used to match the fact that an attribute is
present on the entry, regardless of the value. The aci
attribute is indexed for presence by default to allow quick retrieval
of entries with ACIs.
A substring index is used to match values specified with wildcards in the filter. Substring indexes can be expensive to maintain, especially for large attribute values.
A VLV or browsing index are designed to help the server respond to client applications that need virtual list view results, for example to browse through a long list in a GUI. They also help the server respond to clients that request server-side sorting of the search results.
VLV indexes correspond to particular searches. Configure your VLV indexes using the Control Panel, and copy the command-line equivalent from the Details pane for the operation, if necessary.
You modify index configurations using the dsconfig command. The configuration changes then take effect after you rebuild the index according to the new configuration, using the rebuild-index. The dsconfig --help-database command lists subcommands for creating, reading, updating, and deleting index configuration.
Tip
Indexes are per directory backend rather than per suffix. To maintain separate indexes for different suffixes on the same directory server, put the suffixes in different backends.
You can configure standard indexes from the Control Panel, and also on the command line using the dsconfig command. After you finish configuring the index, you must rebuild the index for the changes to take effect.
The following example creates a new substring index for
description.
The OpenDJ Control Panel New Index window does not help you set up extensible matching rule indexes. Use the dsconfig command instead.
The following example configures an extensible matching rule
index for "later than" and "earlier than" generalized time matching on
a lastLoginTime attribute.
In the OpenDJ Control Panel, select Manage Indexes > New VLV Index..., and then set up your VLV index using the New VLV Index window.
After you finish configuring your index and click OK, the Control Panel prompts you to make the additional changes necessary to complete the VLV index configuration, and then to build the index.
You can also create the equivalent index configuration using the dsconfig command.
Note
When referring to a virtual list view (VLV) index after creation, you
must add vlv. as a prefix. In other words, if you named
the VLV index people-by-last-name, you refer to it as
vlv.people-by-last-name when rebuilding indexes,
changing index properties such as the index entry limit, or verifying
indexes.
After you change an index configuration, or when you find that
an index is corrupt, you can rebuild the index. When you rebuild indexes,
you specify the base DN of the data to index, and either the list of indexes
to rebuild or --rebuildAll. You can rebuild indexes while
the server is offline, or while the server is online. If you rebuild the
index while the server is online, then you must schedule the rebuild process
as a task.
The following example rebuilds the cn index
immediately with the server online.
The following example rebuilds degraded indexes immediately with the server online.
As the number of entries in your directory grows, it can make sense
not to maintain indexes for particular values. For example, every entry
in the directory has the value top for the
objectClass attribute, so maintaining a list of entries
that match the filter (objectClass=top) is not a
reasonable use of resources. In a very, very large directory, the same can
be true for (givenName=John) and
(sn=Smith).
In an index, each index key points to a list of entries that
are candidates to match. For the objectClass index key
that corresponds to =top, the list of entries can
include every entry in the directory.
OpenDJ directory server therefore defines an index entry limit. When the number of entries that an index key points to exceeds the index entry limit, OpenDJ stops maintaining the list of entries for that index key.
The default index entry limit value is 4000. 4000 is usually plenty
large for all index keys, except for objectClass indexes.
If you have clients performing searches with filters such as
(objectClass=person), you might suggest that they adjust
the search to be more specific, such as
(&(mail=username@maildomain.net)(objectClass=person)),
so that the server can use an index, in this case equality for mail, to
limit the number of candidate entries to check for matches.
You can change the index entry limit on a per index basis.
The following example changes the index entry limit for the
objectClass index, and then rebuilds the index for the
configuration change to take effect.
Alternatively, you can configure the index entry limit for all
indexes stored in a backend by using the dsconfig
set-backend-prop command with the --backend-name
options.backendName --set
index-entry-limit:limitValue
You can verify that indexes correspond to current directory data, and that indexes do not contain errors using the verify-index command.
The following example verifies the cn (common
name) index for completeness and for errors.
Ignore the messages regarding lock tables and cleaner threads. The important information is whether any errors are found in the indexes.
When searching, you can improve performance by making sure your search
is indexed as you expect. One way of checking is to request the
debugsearchindex attribute in your results.
When you request the debugsearchindex attribute,
instead of performing the search, OpenDJ returns debug information indicating
how it would process the search operation. In the example above you notice
OpenDJ hits the equality index for uid right away.
A less exact search requires more work from OpenDJ. In the following example OpenDJ would have to return 160 entries.
By default OpenDJ rejects unindexed searches when the number of candidate entries goes beyond the search or look-though limit.
When you first install OpenDJ directory server and import your data from LDIF, the following indexes are configured.
| Index | Approximate | Equality | Ordering | Presence | Substring | Entry Limit |
|---|---|---|---|---|---|---|
aci | - | - | - | Yes | - | 4000 |
cn | - | Yes | - | - | Yes | 4000 |
dn2id | Non-configurable internal index | |||||
ds-sync-conflict | - | Yes | - | - | - | 4000 |
ds-sync-hist | - | - | Yes | - | - | 4000 |
entryUUID | - | Yes | - | - | - | 4000 |
givenName | - | Yes | - | - | Yes | 4000 |
id2children | Non-configurable internal index | |||||
id2subtree | Non-configurable internal index | |||||
mail | - | Yes | - | - | Yes | 4000 |
member | - | Yes | - | - | - | 4000 |
objectClass | - | Yes | - | - | - | 4000 |
sn | - | Yes | - | - | Yes | 4000 |
telephoneNumber | - | Yes | - | - | Yes | 4000 |
uid | - | Yes | - | - | - | 4000 |
uniqueMember | - | Yes | - | - | - | 4000 |
OpenDJ uses advanced data replication with automated conflict resolution to help ensure your directory services remain available in the event a server crashes or a network goes down, and also as you backup or upgrade your directory service. You can configure data replication as part of OpenDJ installation, and in many cases let replication do its work in the background.
You can set up replication during installation by choosing to configure replication through the setup wizard.
In the Topology Options screen for the first server you set up, select This server will be part of a replication topology. If you also choose Configure as Secure, then replication traffic is protected by SSL.
In the Topology Options screen for subsequent servers, also select There is already a server in the topology, providing the Host Name, Administration Connector Port number, Admin User, and Admin Password for the first replica you set up.
You also set up a global administrator account, stored under
cn=admin data across replicas, used to manage replication
in the topology.
You further set up what to replicate.
Once replication is set up, it works for all the replicas. You can monitor the replication connection and status through the OpenDJ Control Panel.
Before you take replication further than setting up replication in the setup wizard, read this section to learn more about how OpenDJ replication works.
Replication is the process of copying updates between OpenDJ directory servers such that all servers converge on identical copies of directory data. Replication is designed to let convergence happen over time by default. [1] Letting convergence happen over time means that different replicas can be momentarily out of sync, but it also means that if you lose an individual server or even an entire data center, your directory service can keep on running, and then get back in sync when the servers are restarted or the network is repaired.
Replication is specific to the OpenDJ directory service. Replication uses a specific protocol that replays update operations quickly, storing enough historical information about the updates to resolve most conflicts automatically. For example, if two client applications separately update a user entry to change the phone number, replication can work out which was the latest change, and apply that change across servers. The historical information needed to resolve these issues is periodically purged to avoid growing larger and larger forever. As a directory administrator, you must ensure that you do not purge the historical information more often than you backup your directory data.
The primary unit of replication is the suffix, specified by a
base DN such as dc=example,dc=com. [2] Replication also depends on the directory schema, defined on
cn=schema, and the cn=admin data
suffix with administrative identities and certificates for protecting
communications. Thus that content gets replicated as well.
The set of replicas sharing data in a given suffix is called
a replication topology. You can have more than one replication topology.
For example, one topology could be devoted to
dc=example,dc=com, and another to
dc=example,dc=org. Directory servers are capable of
serving more than one suffix. They are also capable of participating in
more than one replication topology.
Keep server clocks synchronized for your topology. You can use NTP for example. Keeping server clocks synchronized helps prevent issues with SSL connections and with replication itself. Keeping server clocks synchronized also makes it easier to compare timestamps from multiple servers.
This section shows how to configure replication with command-line tools.
You can start the replication process by using the dsreplication enable command.
To enable secure connections for replication use the
--secureReplication1 and
--secureReplication2 options, which are equivalent to
selecting Configure as Secure in the replication topology options screen of
the setup wizard.
As you see in the command output, replication is set up to function once enabled. You must however initialize replication in order to start the process.
Tip
When scripting the configuration to set up multiple replicas in quick
succession, use the same initial replication server each time you run the
command. In other words, pass the same --host1,
--port1, --bindDN1,
--bindPassword1, and --replicationPort1
options for each of the other replicas that you set up in your
script.
If you need to add another OpenDJ directory server to participate in replication, use the dsreplication enable with the new server as the second server.
Although you can enable replication before you have user data, you must initialize each replica to activate the replication process.
You can perform initialization either over the replication protocol, by importing the same LDIF data on all server before performing initialization when starting out, by importing data from LDIF that you exported from another replica when adding a server to the topology, or by restoring a backup from an existing replica onto a new server.
Online initialization is straightforward, and works well if your network bandwidth is large compared to the amount of data to replicate.
Make sure you have enabled servers you want to participate in replication.
Start replication with the dsreplication initialize-all command.
$ dsreplication initialize-all --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostname opendj.example.com --port 4444 --trustAll --no-prompt Initializing base DN dc=example,dc=com with the contents from opendj.example.com:4444: 160 entries processed (100 % complete). Base DN initialized successfully. See /var/.../opends-replication-5020375834904394170.log for a detailed log of this operation.
Follow these steps to prepare a replication topology starting from directory data in LDIF.
Depending on the size of the data and your network bandwidth, you might find it quicker to initialize all replica as described in Procedure 8.1, “To Initialize Online”, and then import the LDIF on a single replica.
Import the same LDIF on all servers you want to participate in replication.
Make sure you have enabled servers you want to participate in replication.
Start replication with the dsreplication initialize-all command.
$ dsreplication initialize-all --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostname opendj.example.com --port 4444 --trustAll --no-prompt Initializing base DN dc=example,dc=com with the contents from opendj.example.com:4444: 161 entries processed (100 % complete). Base DN initialized successfully. See /var/.../opends-replication-5745536041520679254.log for a detailed log of this operation.
You can create a new replica from a backup of a server in the existing topology. The dsreplication commands use differ slightly from the other cases, as you must reset the generation ID on the new replica, such that replication can proceed from the proper starting point. Follow these steps to add another server to the topology.
Install a new server to serve as the new replica.
Backup the database to replicate from an existing server.
Enable replication on the new replica.
$ dsreplication enable --adminUID admin --adminPassword password --baseDN dc=example,dc=com --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 opendj.example.com --port2 6444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 10989 --trustAll --no-prompt Establishing connections ..... Done. Checking registration information ..... Done. Updating remote references on server opendj.example.com:4444 ..... Done. Configuring Replication port on server opendj.example.com:6444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:6444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:5444 ..... Done. Updating remote references on server opendj.example.com:5444 ..... Done. Updating registration configuration on server opendj.example.com:4444 ..... Done. Updating registration configuration on server opendj.example.com:6444 ..... Done. Updating registration configuration on server opendj.example.com:5444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:6444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:5444 ..... Done. Initializing registration information on server opendj.example.com:6444 with the contents of server opendj.example.com:4444 ..... Done. Replication has been successfully enabled. Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so). See /var/.../opends-replication-1672058070147419978.log for a detailed log of this operation.Prepare the new replica for initialization.
$ dsreplication pre-external-initialization --adminUID admin --adminPassword password --port 6444 --baseDN dc=example,dc=com --trustAll --no-prompt Preparing base DN dc=example,dc=com to be initialized externally ..... Done. Now you can proceed to the initialization of the contents of the base DN's on all the replicated servers. You can use the command import-ldif or the binary copy to do so. You must use the same LDIF file or binary copy on each server. When the initialization is completed you must use the subcommand 'post-external-initialization' for replication to work with the new base DN's contents.On the new server, restore the database from the backup archive.
Initialize replication on the new replica.
$ dsreplication post-external-initialization --adminUID admin --adminPassword password --port 6444 --baseDN dc=example,dc=com --trustAll --no-prompt Updating replication information on base DN dc=example,dc=com ..... Done. Post initialization procedure completed successfully.
How you stop replication depends on whether the change is meant to be temporary or permanent.
If you need to stop a server from replicating temporarily, you can do so using dsconfig command.
Warning
Do not allow modifications on the replica for which replication is disabled, as no record of such changes is kept, and the changes cause replication to diverge.
Disable the multimaster synchronization provider.
$ dsconfig set-synchronization-provider-prop --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:false --trustAll --no-promptWhen you are ready to resume replication, enable the multimaster synchronization provider.
$ dsconfig set-synchronization-provider-prop --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set enabled:true --trustAll --no-prompt
If you need to stop a server from replicating permanently, for example in preparation to remove a server, you can do so with the dsreplication disable command.
Stop replication using the dsreplication disable command.
$ dsreplication disable --disableAll --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --adminPassword password --trustAll --no-prompt Establishing connections ..... Done. Disabling replication on base DN cn=admin data of server opendj.example.com:5444 ..... Done. Disabling replication on base DN dc=example,dc=com of server opendj.example.com:5444 ..... Done. Disabling replication on base DN cn=schema of server opendj.example.com:5444 ..... Done. Disabling replication port 9989 of server opendj.example.com:5444 ..... Done. Removing registration information ..... Done. Removing truststore information ..... Done. See /var/.../opends-replication-125248191132797765.log for a detailed log of this operation.The dsreplication disable as shown completely removes the replication configuration information from the server.
If you want to restart replication for the server, you need to run the dsreplication enable and dsreplication initialize commands again.
Replication in OpenDJ is designed to be both easy to implement in environments with a few servers, and also scalable in environments with many servers. You can enable the replication service on each OpenDJ directory server in your deployment, for example, to limit the number of servers you deploy. Yet in a large deployment, you can use stand-alone replication servers — OpenDJ servers that do nothing but relay replication messages — to configure (and troubleshoot) the replication service separately from the directory service. You only need a few stand-alone replication servers publishing changes to serve many directory servers subscribed to the changes. Furthermore, replication is designed such that you need only connect a directory server to the nearest replication server for the directory server to replicate with all others in your topology. Yet only the stand-alone replication servers participate in fully-meshed replication.
All replication servers in a topology are connected to all other replication servers. Directory servers are connected only to one replication server at a time, and their connections should be to replication servers on the same LAN. Therefore the total number of replication connections, Totalconn is expressed as follows.
Here, NRS is the number of replication servers, and NDS is the number of stand-alone directory servers. In other words, if you have only three servers, then Totalconn is three with no stand-alone servers. However, if you have two data centers, and need 12 directory servers, then with no stand-alone directory servers Totalconn is (12 * 11)/2 or 66. Yet, with four stand-alone replication servers, and 12 stand-alone directory servers, Totalconn is (4 * 3)/2 + 12, or 18, with only four of those connections needing to go over the WAN. (By running four directory servers that also run replication servers and eight stand-alone directory servers, you reduce the number of replication connections to 14 for 12 replicas.)
Tip
If you set up OpenDJ directory server to replicate by using the Quick Setup wizard, then the wizard activated the replication service for that server. You can turn off the replication service on OpenDJ directory server, and then configure the server to work with a separate, stand-alone replication server instead. Start by using the dsreplication disable --disableReplicationServer command to turn off the replication service on the server.
This example sets up a stand-alone replication server to handle the replication traffic between two directory servers that do not handle replication themselves.
Here the replication server has admin port 6444. The directory servers have admin ports 4444 and 5444.
In a real deployment, you would have more replication servers to avoid a single point of failure.
Setup the replication server as a directory server that has no database.
Setup the directory servers as stand-alone directory servers.
Enable replication with the appropriate
--noReplicationServerand--onlyReplicationServeroptions.$ dsreplication enable --adminUID admin --adminPassword password --baseDN dc=example,dc=com --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --noReplicationServer1 --host2 opendj.example.com --port2 6444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --onlyReplicationServer2 --trustAll --no-prompt Establishing connections ..... Done. Only one replication server will be defined for the following base DN's: dc=example,dc=com It is recommended to have at least two replication servers (two changelogs) to avoid a single point of failure in the replication topology. Checking registration information ..... Done. Configuring Replication port on server opendj.example.com:6444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:4444 ..... Done. Updating registration configuration on server opendj.example.com:4444 ..... Done. Updating registration configuration on server opendj.example.com:6444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:4444 ..... Done. Initializing registration information on server opendj.example.com:6444 with the contents of server opendj.example.com:4444 ..... Done. Replication has been successfully enabled. Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so). See /var/.../opends-replication-1720959352638609971.log for a detailed log of this operation. $ dsreplication enable --adminUID admin --adminPassword password --baseDN dc=example,dc=com --host1 opendj.example.com --port1 5444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --noReplicationServer1 --host2 opendj.example.com --port2 6444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --onlyReplicationServer2 --trustAll --no-prompt Establishing connections ..... Done. Only one replication server will be defined for the following base DN's: dc=example,dc=com It is recommended to have at least two replication servers (two changelogs) to avoid a single point of failure in the replication topology. Checking registration information ..... Done. Updating remote references on server opendj.example.com:6444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:5444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:4444 ..... Done. Updating registration configuration on server opendj.example.com:5444 ..... Done. Updating registration configuration on server opendj.example.com:6444 ..... Done. Updating registration configuration on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:5444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:4444 ..... Done. Initializing registration information on server opendj.example.com:5444 with the contents of server opendj.example.com:6444 ..... Done. Replication has been successfully enabled. Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so). See /var/folders/.../opends-replication-5893037538856033562.log for a detailed log of this operation.Initialize replication from one of the directory servers.
$ dsreplication initialize-all --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostname opendj.example.com --port 4444 --trustAll --no-prompt Initializing base DN dc=example,dc=com with the contents from opendj.example.com:4444: 160 entries processed (100 % complete). Base DN initialized successfully. See /var/.../opends-replication-7677303986403997574.log for a detailed log of this operation.
Replication lets you define groups so that replicas communicate first with replication servers in the group before going to replication servers outside the group. Groups are identified with unique numeric group IDs.
Replication groups are designed for deployments across multiple data centers, where you aim to focus replication traffic on the LAN rather than the WAN. In multi-data center deployments, group nearby servers together.
For each group, set the appropriate group ID for the topology on both the replication servers and the directory servers.
The example commands in this procedure set up two replication groups, each with a replication server and a directory server. The directory servers have admin ports 4444 and 5444. The replication servers have admin ports 6444 and 7444. In a full-scale deployment, you would have multiple servers of each type in each group, such as all the replicas and replication servers in each data center being in the same group.
Pick a group ID for each group.
The default group ID is 1.
Set the group ID for each group by replication domain on the directory servers.
$ dsconfig set-replication-domain-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "MultimasterSynchronization" --domain-name "dc=example,dc=com" --set group-id:1 --trustAll --no-prompt $ dsconfig set-replication-domain-prop --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name "dc=example,dc=com" --set group-id:2 --trustAll --no-promptSet the group ID for each group on the replication servers.
$ dsconfig set-replication-server-prop --port 6444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set group-id:1 --trustAll --no-prompt $ dsconfig set-replication-server-prop --port 7444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --set group-id:2 --trustAll --no-prompt
By default all directory servers in a replication topology are read-write. You can however choose to make replicas take updates only from the replication protocol, and refuse updates from client applications.
In standard replication, when a client requests an update operation the directory server performs the update and, if the update is successful, sends information about the update to the replication service, and sends a result code to the client application right away. As a result, the client application can conclude that the update was successful, but only on the replica that handled the update.
Assured replication lets you force the replica performing the initial update to wait for confirmation that the update has been received elsewhere in the topology before sending a result code to the client application. You can configure assured replication either to wait for one or more replication servers to acknowledge having received the update, or to wait for all directory servers to have replayed the update.
As you might imagine, assured replication is theoretically safer than standard replication, yet it is also slower, potentially waiting for a timeout before failing when the network or other servers are down.
Safe data mode requires the update be sent to
assured-sd-level replication servers before
acknowledgement is returned to the client application.
For each directory server, set safe data mode for the replication domain, and also set the safe data level.
$ dsconfig set-replication-domain-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name "dc=example,dc=com" --set assured-type:safe-data --set assured-sd-level:1 --trustAll --no-prompt $ dsconfig set-replication-domain-prop --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name "dc=example,dc=com" --set assured-type:safe-data --set assured-sd-level:1 --trustAll --no-prompt
Safe read mode requires the update be replayed on all directory servers before acknowledgement is returned to the client application.
For each directory server, set safe read mode for the replication domain.
$ dsconfig set-replication-domain-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name "dc=example,dc=com" --set assured-type:safe-read --trustAll --no-prompt $ dsconfig set-replication-domain-prop --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name "dc=example,dc=com" --set assured-type:safe-read --trustAll --no-prompt
When working with assured replication, the replication server property
degraded-status-threshold (default: 5000), sets the
number of operations allowed to build up in the replication queue before
the server is assigned degraded status. When a replication server has
degraded status, assured replication ceases to have an effect.
OpenDJ can perform subtree replication, for example replicating
ou=People,dc=example,dc=com, but not the rest of
dc=example,dc=com, by putting the subtree in a separate
backend from the rest of the suffix.
For example, in this case you might have a userRoot
backend containing everything in dc=example,dc=com
except ou=People,dc=example,dc=com, and a separate
peopleRoot backend for
ou=People,dc=example,dc=com. Then you replicate
ou=People,dc=example,dc=com in its own topology.
OpenDJ can perform fractional replication, whereby you specify the attributes to include in or to exclude from the replication process.
You set fractional replication configuration as
fractional-include or
fractional-exclude properties for a replication
domain. When you include attributes, the attributes that are required on
the relevant object classes are also included, whether you specify them
or not. When you exclude attributes, the excluded attributes must be
optional attributes for the relevant object classes. Fractional
replicas still respect schema definitions.
Fractional replication works by filtering objects at the replication server. Initialize replication as you would normally. Of course you cannot create a full replica from a replica with only a subset of the data. If you must prevent data from being replicated across a national boundary, split the replication server handling the updates from the directory servers receiving the updates as described in Procedure 8.6, “To Set Up a Stand-alone Replication Server”.
For example, you might configure an externally facing
fractional replica to include only some inetOrgPerson
attributes.
As another example, you might exclude a custom attribute called
sessionToken from being replicated.
This last example only works if you first define a
sessionToken attribute in the directory server
schema.
Some applications require notification when directory data updates occur. For example, an application might need to sync directory data with another database, or the application might need to kick off other processing when certain updates occur.
In addition to supporting persistent search operations, OpenDJ provides an external change log mechanism to allow applications to be notified of changes to directory data.
OpenDJ directory servers without replication cannot expose an external change log. The OpenDJ server that exposes the change log must function both as a directory server, and also as a replication server for the suffix whose changes you want logged.
Enable replication without using the
--noReplicationServeror--onlyReplicationServeroptions.With replication enabled, the changelog data can be accessed under
cn=changelog. For example, the following search shows the publicly visible data available before any changes have been made.$ ldapsearch --baseDN cn=changelog --port 1389 "(objectclass=*)" \* + dn: cn=changelog cn: changelog objectClass: top objectClass: container subschemaSubentry: cn=schema hasSubordinates: false entryDN: cn=changelog
You read the external change log over LDAP. In addition, when you poll the change log periodically, you can get the list of updates that happened since your last request.
The external change log mechanism uses an LDAP control with
OID 1.3.6.1.4.1.26027.1.5.4 to allow the exchange
of cookies for the client application to bookmark the last changes seen,
and then start reading the next set of changes from where it left off on
the previous request.
This procedure shows the client reading the change log as
cn=Directory Manager. Make sure your client application
reads the changes with sufficient access to view all the changes it
needs to see.
Send an initial search request using the LDAP control with no cookie value.
Notice the value of the
changeLogCookieattribute for the last of the two changes.$ ldapsearch --baseDN cn=changelog --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --control "1.3.6.1.4.1.26027.1.5.4:false" "(objectclass=*)" \* + dn: cn=changelog cn: changelog objectClass: top objectClass: container subschemaSubentry: cn=schema hasSubordinates: true entryDN: cn=changelog # Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4): dc=example,dc=com:0000013087cbc28212d100000001; dn: replicationCSN=0000013087cbc28212d100000001,dc=example,dc=com,cn=changelog targetDN: cn=arsene lupin,ou=special users,dc=example,dc=com changeNumber: 0 changes:: b2JqZWN0Q2xhc3M6IHBlcnNvbgpvYmplY3RDbGFzczogdG9wCmNuOiBBcnNlbmUgTHVwaW 4KdGVsZXBob25lTnVtYmVyOiArMzMgMSAyMyA0NSA2NyA4OQpzbjogTHVwaW4KZW50cnlVVUlEOiA5M GM3MTRmNy00ODZiLTRkNDctOTQwOS1iNDRkMTlkZWEzMWUKY3JlYXRlVGltZXN0YW1wOiAyMDExMDYx MzA2NTg1NVoKY3JlYXRvcnNOYW1lOiBjbj1EaXJlY3RvcnkgTWFuYWdlcixjbj1Sb290IEROcyxjbj1 jb25maWcK changeType: add changeTime: 20110613065855Z objectClass: top objectClass: changeLogEntry targetEntryUUID: 90c714f7-486b-4d47-9409-b44d19dea31e replicationCSN: 0000013087cbc28212d100000001 numSubordinates: 0 replicaIdentifier: 4817 changeLogCookie: dc=example,dc=com:0000013087cbc28212d100000001; changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config subschemaSubentry: cn=schema hasSubordinates: false entryDN: replicationCSN=0000013087cbc28212d100000001,dc=example,dc=com,cn=change log # Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4): dc=example,dc=com:0000013087cbc34a12d100000002; dn: replicationCSN=0000013087cbc34a12d100000002,dc=example,dc=com,cn=changelog targetDN: cn=horace velmont,ou=special users,dc=example,dc=com changeNumber: 0 changes:: b2JqZWN0Q2xhc3M6IHBlcnNvbgpvYmplY3RDbGFzczogdG9wCmNuOiBIb3JhY2UgVmVsbW 9udAp0ZWxlcGhvbmVOdW1iZXI6ICszMyAxIDEyIDIzIDM0IDQ1CnNuOiBWZWxtb250CmVudHJ5VVVJR DogNmIyMjQ0MGEtNzZkMC00MDMxLTk0YjctMzViMWQ4NmYwNjdlCmNyZWF0ZVRpbWVzdGFtcDogMjAx MTA2MTMwNjU4NTVaCmNyZWF0b3JzTmFtZTogY249RGlyZWN0b3J5IE1hbmFnZXIsY249Um9vdCBETnM sY249Y29uZmlnCg== changeType: add changeTime: 20110613065855Z objectClass: top objectClass: changeLogEntry targetEntryUUID: 6b22440a-76d0-4031-94b7-35b1d86f067e replicationCSN: 0000013087cbc34a12d100000002 numSubordinates: 0 replicaIdentifier: 4817 changeLogCookie: dc=example,dc=com:0000013087cbc34a12d100000002; changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config subschemaSubentry: cn=schema hasSubordinates: false entryDN: replicationCSN=0000013087cbc34a12d100000002,dc=example,dc=com,cn=change logIn this example, two new users were added to another replica before the change log request was made.
Here the changes are base64 encoded, so you can decode them using the base64 command.
$ base64 decode --encodedData b2JqZW...ZmlnCg== objectClass: person objectClass: top cn: Horace Velmont telephoneNumber: +33 1 12 23 34 45 sn: Velmont entryUUID: 6b22440a-76d0-4031-94b7-35b1d86f067e createTimestamp: 20110613065855Z creatorsName: cn=Directory Manager,cn=Root DNs,cn=configFor the next search, provide the cookie to start reading where you left off last time.
In this example, a description was added to Babs Jensen's entry.
$ ldapsearch --baseDN cn=changelog --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --control "1.3.6.1.4.1.26027.1.5.4:false: dc=example,dc=com:0000013087cbc34a12d100000002;" "(objectclass=*)" \* + dn: cn=changelog cn: changelog objectClass: top objectClass: container subschemaSubentry: cn=schema hasSubordinates: true entryDN: cn=changelog # Public changelog exchange control(1.3.6.1.4.1.26027.1.5.4): dc=example,dc=com:0000013087d7e27f12d100000003; dn: replicationCSN=0000013087d7e27f12d100000003,dc=example,dc=com,cn=changelog targetDN: uid=bjensen,ou=people,dc=example,dc=com changeNumber: 0 changes:: YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UKLQpyZXBsYW NlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2VyLGNuPVJvb 3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW1lc3RhbXA6 IDIwMTEwNjEzMDcxMjEwWgotCg== changeType: modify changeTime: 20110613071210Z objectClass: top objectClass: changeLogEntry targetEntryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c replicationCSN: 0000013087d7e27f12d100000003 numSubordinates: 0 replicaIdentifier: 4817 changeLogCookie: dc=example,dc=com:0000013087d7e27f12d100000003; changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config subschemaSubentry: cn=schema hasSubordinates: false entryDN: replicationCSN=0000013087d7e27f12d100000003,dc=example,dc=com,cn=change logIf we base64-decode the changes, we see the following.
$ base64 decode --encodedData YWRkO...gotCg== add: description description: A third change - replace: modifiersName modifiersName: cn=Directory Manager,cn=Root DNs,cn=config - replace: modifyTimestamp modifyTimestamp: 20110613071210Z -If for some reason you lose the cookie, you can start over from the earliest available change by sending a search request with no value for the cookie.
As shown above, the changes returned from a search on the external
change log include only what was actually changed. If you have applications
that need additional attributes published with every change log entry,
regardless of whether or not the attribute itself has changed, then specify
those using ecl-include and
ecl-include-for-deletes.
Set the attributes to include for all update operations with
ecl-include.$ dsconfig set-external-changelog-domain-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name dc=example,dc=com --set ecl-include:"@person" --trustAll --no-promptSet the attributes to include for deletes with
ecl-include-for-deletes.$ dsconfig set-external-changelog-domain-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name dc=example,dc=com --add ecl-include-for-deletes:"*" --add ecl-include-for-deletes:"+" --trustAll --no-prompt
You can limit external change log content by disabling the domain
for a base DN. By default, cn=schema and
cn=admin data are not enabled.
Prevent OpenDJ from logging changes by disabling the domain.
$ dsconfig set-external-changelog-domain-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --provider-name "Multimaster Synchronization" --domain-name dc=example,dc=com --set enabled:false --trustAll --no-prompt
The external change log can also work for applications that follow the Internet-Draft: Definition of an Object Class to Hold LDAP Change Records. Nothing special is required to get the objects specified for this legacy format. Such applications cannot however use the change log cookies that are shared across the replication topology, and therefore can continue to be used after failover to another replica in a multi-master replication environment.
[1] Assured replication can require, however, that the convergence happen before the client application is notified that the operation was successful.
[2] When you configure partial and fractional replication, however, you can replicate only part of a suffix, or only certain attributes on entries. Also, if you split your suffix across multiple backends, then you need to set up replication separately for each part of suffix in a different backend.
OpenDJ lets you backup and restore your data either in compressed, binary format, or in LDAP Data Interchange Format. This chapter shows you how to backup and to restore OpenDJ data from archives, and explains portability of backup archives, as well as backing up server configuration information.
A bak/ directory is provided when you install
OpenDJ, as a location to save binary backups. When you create a backup,
the bak/backup.info contains information about the
archive.
Archives produced by the backup command contain
backups only of the directory data. Backups of server configuration are
found in config/archived-configs/.
Use one of the following alternatives.
Back up only the database for Example.com, where the data is stored in the backend named
userRoot.$ backup --port 5444 --bindDN "cn=Directory Manager" --bindPassword password --backendID userRoot --backupDirectory /path/to/OpenDJ/bak --start 0 Backup task 20110613143715983 scheduled to start Jun 13, 2011 2:37:15 PM CESTStop the server to back up Example.com data offline.
$ stop-ds Stopping Server... [13/Jun/2011:14:31:00 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend userRoot is now taken offline [13/Jun/2011:14:31:00 +0200] category=CORE severity=NOTICE msgID=458955 msg=The Directory Server is now stopped $ backup --backendID userRoot -d /path/to/OpenDJ/bak [13/Jun/2011:14:33:48 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend userRoot [13/Jun/2011:14:33:48 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000000.jdb [13/Jun/2011:14:33:48 +0200] category=TOOLS severity=NOTICE msgID=10944795 msg=The backup process completed successfully $ start-ds ... The Directory Server has started successfullyBack up all user data on the server.
$ backup --port 5444 --bindDN "cn=Directory Manager" --bindPassword password --backUpAll --backupDirectory /path/to/OpenDJ/bak --start 0 Backup task 20110613143801866 scheduled to start Jun 13, 2011 2:38:01 PM CEST
You can schedule data backup using crontab format.
Back up all user data every night at 2 AM, and notify diradmin@example.com when finished, or on error.
$ backup --port 5444 --bindDN "cn=Directory Manager" --bindPassword password --backUpAll --backupDirectory /path/to/OpenDJ/bak --recurringTask "00 02 * * *" --completionNotify diradmin@example.com --errorNotify diradmin@example.com Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0 scheduled successfully
When you restore data, the procedure to follow depends on whether the OpenDJ directory server is replicated.
Use one of the following alternatives.
Stop the server to restore data for Example.com.
$ stop-ds Stopping Server... [13/Jun/2011:15:44:06 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend userRoot is now taken offline [13/Jun/2011:15:44:06 +0200] category=CORE severity=NOTICE msgID=458955 msg=The Directory Server is now stopped $ restore -d /path/to/OpenDJ/bak -l Backup ID: 20110613080032 Backup Date: 13/Jun/2011:08:00:45 +0200 Is Incremental: false Is Compressed: false Is Encrypted: false Has Unsigned Hash: false Has Signed Hash: false Dependent Upon: none $ restore --backupDirectory /path/to/OpenDJ/bak --backupID 20110613080032 [13/Jun/2011:15:47:41 +0200] category=JEB severity=NOTICE msgID=8847445 msg=Restored: 00000000.jdb (size 341835) $ start-ds ... The Directory Server has started successfullySchedule the restore as a task to begin immediately.
$ restore --port 5444 --bindDN "cn=Directory Manager" --bindPassword password --backupDirectory /path/to/OpenDJ/bak --backupID 20110613080032 --start 0 Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST
When you restore a replicated server from backup, make sure the backup is newer than the last purge of the replication change log (default: 3 days).
Prepare the replica to be restored.
$ dsreplication pre-external-initialization --adminUID admin --bindPassword password --trustAll --no-prompt --port 5444 --baseDN dc=example,dc=com Preparing base DN dc=example,dc=com to be initialized externally ..... Done. Now you can proceed to the initialization of the contents of the base DN's on all the replicated servers. You can use the command import-ldif or the binary copy to do so. You must use the same LDIF file or binary copy on each server. When the initialization is completed you must use the subcommand 'post-external-initialization' for replication to work with the new base DN's contents.Restore the server database from the backup archive.
$ stop-ds Stopping Server... [13/Jun/2011:15:44:06 +0200] category=BACKEND severity=NOTICE msgID=9896306 msg=The backend userRoot is now taken offline [13/Jun/2011:15:44:06 +0200] category=CORE severity=NOTICE msgID=458955 msg=The Directory Server is now stopped $ restore --backupDirectory /path/to/OpenDJ/bak --listBackups Backup ID: 20110613080032 Backup Date: 13/Jun/2011:08:00:45 +0200 Is Incremental: false Is Compressed: false Is Encrypted: false Has Unsigned Hash: false Has Signed Hash: false Dependent Upon: none $ restore --backupDirectory /path/to/OpenDJ/bak --backupID 20110613080032 [13/Jun/2011:15:47:41 +0200] category=JEB severity=NOTICE msgID=8847445 msg=Restored: 00000000.jdb (size 341835) $ start-ds ... The Directory Server has started successfullyReinitialize replication on the replica.
$ dsreplication post-external-initialization --adminUID admin --bindPassword password --port 5444 --baseDN dc=example,dc=com --trustAll --no-prompt Updating replication information on base DN dc=example,dc=com ..... Done. Post initialization procedure completed successfully.
If you want to synchronize password policy across your organization and your applications go to the directory for authentication, then the directory can be a good place to enforce your password policy uniformly. Even if you do not depend on the directory for all your password policy, you no doubt still want to consider directory password policy if only to choose the appropriate password storage scheme.
This chapter covers password policy, including examples of how to configure password policies for common use cases.
OpenDJ password policies govern not only passwords, but also account lockout, and how OpenDJ provides notification about account status.
OpenDJ supports password policies as part of the server configuration, and also subentry password policies as part of the (replicated) user data.
You manage server based password policies in the OpenDJ configuration by using the dsconfig command. As they are part of the server configuration, such password policies are not replicated. You must instead apply password policy configuration updates to each replica in your deployment.
By default, OpenDJ includes two password policy configurations, one
default for all users, and another for directory root DN users, such as
cn=Directory Manager. You can see all the default password
policy settings using the dsconfig command as
follows.
See the OpenDJ Configuration Reference page on Password Policy for detailed descriptions of each property.
Here you notice that many capabilities are not set by default: no lockout, no password expiration, no multiple passwords, no password validator to check that passwords contain the appropriate mix of characters. This means that if you decide to use the directory to enforce password policy, you must configure at least the default password policy to meet your needs.
Yet a few basic protections are configured by default. When you import
LDIF with userPassword values, OpenDJ hashes the values
before storing them. When a user provides a password value during a bind for
example, the server hashes the value provided to compared it with the stored
value. Even the directory manager cannot see the plain text value of a user's
password.
In addition, users can change their passwords provided you have
granted them access to do so. OpenDJ uses the userPassword
attribute to store passwords by default, rather than the
authPassword attribute, which is designed to store
passwords hashed by the client application.
You manage subentry password policies by adding the subentries alongside the user data. Thus OpenDJ can replicate subentry password policies across servers.
Subentry password policies support the Internet-Draft Password Policy for LDAP Directories (version 09). A subentry password policy effectively overrides settings in the default password policy defined in the OpenDJ configuration. Settings not supported or not included in the subentry password policy are thus inherited from the default password policy.
As a result, the following Internet-Draft password policy attributes override the default password policy when you set them in the subentry.
pwdAllowUserChange, corresponding to the OpenDJ password policy propertyallow-user-password-changespwdMustChange, corresponding to the OpenDJ password policy propertyforce-change-on-resetpwdGraceAuthNLimit, corresponding to the OpenDJ password policy propertygrace-login-countpwdLockoutDuration, corresponding to the OpenDJ password policy propertylockout-durationpwdMaxFailure, corresponding to the OpenDJ password policy propertylockout-failure-countpwdFailureCountInterval, corresponding to the OpenDJ password policy propertylockout-failure-expiration-intervalpwdMaxAge, corresponding to the OpenDJ password policy propertymax-password-agepwdMinAge, corresponding to the OpenDJ password policy propertymin-password-agepwdAttribute, corresponding to the OpenDJ password policy propertypassword-attributepwdSafeModify, corresponding to the OpenDJ password policy propertypassword-change-requires-current-passwordpwdExpireWarning, corresponding to the OpenDJ password policy propertypassword-expiration-warning-intervalpwdInHistory, corresponding to the OpenDJ password policy propertypassword-history-count
The following Internet-Draft password policy attributes are not taken into account by OpenDJ.
pwdCheckQuality, as OpenDJ has password validators. You can set password validators to use in the default password policy.pwdMinLength, as this is handled by the Length Based Password Validator. You can configure this as part of the default password policy.pwdLockout, as OpenDJ can deduce whether lockout is configured based on the values of other lockout-related password policy attributes.
Values of the following properties are inherited from the default password policy for Internet-Draft based password policies.
account-status-notification-handlersallow-expired-password-changesallow-multiple-password-valuesallow-pre-encoded-passwordsdefault-password-storage-schemesdeprecated-password-storage-schemesexpire-passwords-without-warningforce-change-on-addidle-lockout-intervallast-login-time-attributelast-login-time-formatmax-password-reset-agepassword-generatorpassword-history-durationpassword-validatorsprevious-last-login-time-formatsrequire-change-by-timerequire-secure-authenticationrequire-secure-password-changesskip-validation-for-administratorsstate-update-failure-policy
The password policy that applies to a user is identified by the
operational attribute, pwdPolicySubentry.
You configure server based password policies using the dsconfig command. Notice that server based password policies are part of the server configuration, and therefore not replicated. Alternatively, you can configure a subset of password policy features using subentry based password policies that are stored with the replicated server data. This section covers both server based and subentry based password policies.
You can reconfigure the default password policy for example to enforce password expiration, check that passwords do not match dictionary words, and prevent password reuse. This default policy is a server based password policy.
Enable the appropriate password validator.
$ dsconfig set-password-validator-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --validator-name Dictionary --set enabled:true --set check-substrings:true --set min-substring-length:4 --trustAll --no-promptApply the changes to the default password policy.
$ dsconfig set-password-policy-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Default Password Policy" --set max-password-age:90d --set min-password-age:4w --set password-history-count:7 --set password-validator:Dictionary --trustAll --no-promptCheck your work.
$ dsconfig get-password-policy-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Default Password Policy" Property : Value(s) ------------------------------------------:-------------------------- account-status-notification-handler : - allow-expired-password-changes : false allow-user-password-changes : true default-password-storage-scheme : Salted SHA-1 deprecated-password-storage-scheme : - expire-passwords-without-warning : false force-change-on-add : false force-change-on-reset : false grace-login-count : 0 idle-lockout-interval : 0 s last-login-time-attribute : - last-login-time-format : - lockout-duration : 0 s lockout-failure-count : 0 lockout-failure-expiration-interval : 0 s max-password-age : 12 w 6 d max-password-reset-age : 0 s min-password-age : 4 w password-attribute : userpassword password-change-requires-current-password : false password-expiration-warning-interval : 5 d password-generator : Random Password Generator password-history-count : 7 password-history-duration : 0 s password-validator : Dictionary previous-last-login-time-format : - require-change-by-time : - require-secure-authentication : false require-secure-password-changes : false
You can add a password policy for example for new users who have not yet used their credentials to bind.
Create the new password policy.
$ dsconfig create-password-policy --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --policy-name "New Account Password Policy" --set default-password-storage-scheme:"Salted SHA-1" --set force-change-on-add:true --set password-attribute:userPassword --trustAll --no-promptCheck your work.
$ dsconfig get-password-policy-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --policy-name "New Account Password Policy" Property : Value(s) ------------------------------------------:------------- account-status-notification-handler : - allow-expired-password-changes : false allow-user-password-changes : true default-password-storage-scheme : Salted SHA-1 deprecated-password-storage-scheme : - expire-passwords-without-warning : false force-change-on-add : true force-change-on-reset : false grace-login-count : 0 idle-lockout-interval : 0 s last-login-time-attribute : - last-login-time-format : - lockout-duration : 0 s lockout-failure-count : 0 lockout-failure-expiration-interval : 0 s max-password-age : 0 s max-password-reset-age : 0 s min-password-age : 0 s password-attribute : userpassword password-change-requires-current-password : false password-expiration-warning-interval : 5 d password-generator : - password-history-count : 0 password-history-duration : 0 s password-validator : - previous-last-login-time-format : - require-change-by-time : - require-secure-authentication : false require-secure-password-changes : falseIf you use a password policy like this, you might want to change the user's policy again when the new user successfully updates the password.
You can add a subentry to configure a password policy that applies to Directory Administrators.
Create the entry that specifies the password policy.
$ cat /path/to/subentry-pwp.ldif dn: cn=Subentry Password Policy,dc=example,dc=com objectClass: top objectClass: subentry objectClass: pwdPolicy cn: Subentry Password Policy pwdAttribute: userPassword pwdLockout: TRUE pwdMaxFailure: 3 pwdFailureCountInterval: 300 pwdLockoutDuration: 300 pwdAllowUserChange: TRUE pwdSafeModify: TRUE subtreeSpecification: {base "ou=people", specificationFilter "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }Add the policy to the directory.
$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename /path/to/subentry-pwp.ldif Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=comCheck that the policy applies as specified.
In the example, the policy should apply to a Directory Administrator, while a normal user has the default password policy. Here, Kirsten Vaughan is a member of the Directory Administrators group, and Babs Jensen is not a member.
$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan pwdPolicySubentry dn: uid=kvaughan,ou=People,dc=example,dc=com pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com $ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry dn: uid=bjensen,ou=People,dc=example,dc=com pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
You assign subentry based password policies for a subtree of the DIT by
adding the policy to an LDAP subentry whose immediate superior is the root of
the subtree. In other words you can add the subtree based password policy
under ou=People,dc=example,dc=com, to have it apply to all
entries under ou=People,dc=example,dc=com. You can further
use the capabilities of LDAP subentries to refine
the scope of application.
You assign server based password policies by using the
ds-pwp-password-policy-dn attribute.
Prevent users from selecting their own password policy.
$ cat protectpwp.ldif dn: ou=People,dc=example,dc=com changetype: modify add: aci aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr = "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass word policy";deny (write)(userdn = "ldap:///self");) $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename protectpwp.ldif Processing MODIFY request for ou=People,dc=example,dc=com MODIFY operation successful for DN ou=People,dc=example,dc=comUpdate the user's
ds-pwp-password-policy-dnattribute.$ cat newuser.ldif dn: uid=newuser,ou=People,dc=example,dc=com uid: newuser objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top cn: New User sn: User ou: People mail: newuser@example.com userPassword: changeme ds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies, cn=config $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename newuser.ldif Processing ADD request for uid=newuser,ou=People,dc=example,dc=com ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=comCheck your work.
$ ldapsearch --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --baseDN dc=example,dc=com uid=newuser pwdPolicySubentry dn: uid=newuser,ou=People,dc=example,dc=com pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config
Create a subentry defining the collective attribute that sets the
ds-pwp-password-policy-dnattribute for group members' entries.$ cat pwp-coll.ldif dn: cn=Password Policy for Dir Admins,dc=example,dc=com objectClass: collectiveAttributeSubentry objectClass: extensibleObject objectClass: subentry objectClass: top cn: Password Policy for Dir Admins ds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass word Policies,cn=config subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf= cn=Directory Administrators,ou=Groups,dc=example,dc=com)"} $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename pwp-coll.ldif Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com ADD operation successful for DN cn=Password Policy for Dir Admins,dc=example,dc=comCheck your work.
$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan pwdPolicySubentry dn: uid=kvaughan,ou=People,dc=example,dc=com pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config
OpenDJ directory server supports automatic account lockout. The aim of account lockout is not to punish users who mistype their passwords, but instead to protect the directory against attacks in which the attacker attempts to guess a user password, repeatedly attempting to bind until success is achieved.
Account lockout disables a user account after a specified number of successive authentication failures. When you implement account lockout, you can opt to have the directory server unlock the account again after a specified interval, or you can leave the account locked until the password is reset.
Note
When you configure account lockout as part of password policy, OpenDJ locks an account after the specified number of consecutive authentication failures. Account lockout is not transactional across a replication topology, however. Under normal circumstances, replication nevertheless propagates lockout quickly. If ever replication is delayed, an attacker with direct access to multiple replica could get more than the specified number of tries to authenticate before being locked out on all replicas.
This chapter shows you how to set up account lockout policies, and how to intervene manually to lock and unlock accounts.
Account lockout is configured as part of password policy. This section demonstrates configuring account lockout as part of the default password policy. Users are allowed three consecutive failures before being locked out for five minutes. Failures themselves also expire after five minutes.
Change the default password policy to activate lockout using the dsconfig command. As the password policy is part of the server configuration, you must manually apply the changes to each replica in a replication topology.
Users having the default password policy are then locked out after three failed attempts in succession.
This section covers disabling and enabling accounts by using the manage-account command. Password reset is covered in the chapter on performing LDAP operations.
For the following examples, the directory admin user, Kirsten Vaughan,
has ds-privilege-name: password-reset, and the following
ACI on ou=People,dc=example,dc=com.
(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")( version 3.0;acl "Admins can run amok"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
Set the account status to disabled with the manage-account command.
$ manage-account set-account-is-disabled --port 4444 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --operationValue true --targetDN uid=bjensen,ou=people,dc=example,dc=com --trustAll Account Is Disabled: true
Clear the disabled status using the manage-account command.
$ manage-account clear-account-is-disabled --port 4444 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword bribery --targetDN uid=bjensen,ou=people,dc=example,dc=com --trustAll Account Is Disabled: false
OpenDJ can send mail about account status changes. OpenDJ needs an
SMTP server to send messages, and needs templates for the mail it sends.
By default, message templates are in English, under
/path/to/OpenDJ/config/messages/.
OpenDJ generates notifications only when OpenDJ writes to an entry or evaluates a user entry for authentication. OpenDJ generates account enabled and account disabled notifications when the user account is enabled or disabled with the manage-account command, which writes to the entry. OpenDJ generates password expiration notifications when a user tries to bind.
For example, if you set up OpenDJ to send a notification about password expiration, that notification gets triggered when the user authenticates during the password expiration warning interval. OpenDJ does not automatically scan entries to send password expiry notifications. OpenDJ does implement controls that you can pass in an LDAP search to determine whether a user's password is about to expire. See the appendix on LDAP Controls for a list. You can send notifications then based on the results of your search.
The following steps demonstrate how to set up notifications. Whether OpenDJ sends notifications depends on the settings in the password policy, and on account activity as described above.
Identify the SMTP server to which OpenDJ sends messages.
$ dsconfig set-global-configuration-prop --port 4444 --hostname `hostname` --bindDN "cn=Directory Manager" --bindPassword password --set smtp-server:smtp.example.com --trustAll --no-promptSet up OpenDJ to be able to mail users about account status.
$ dsconfig set-account-status-notification-handler-prop --port 4444 --hostname `hostname` --bindDN "cn=Directory Manager" --bindPassword password --handler-name "SMTP Handler" --set enabled:true --set email-address-attribute-type:mail --trustAll --no-promptNotice that OpenDJ finds the user's mail address on the attribute on the user's entry, specified by
email-address-attribute-type.You can also configure the
message-subjectandmessage-template-fileproperties. Try interactive mode if you plan to do so.You find templates for messages by default under the
config/messagesdirectory. You can edit the templates to suit your purposes.Adjust applicable password policies to use the account status notification handler you configured.
$ dsconfig set-password-policy-prop --port 4444 --hostname `hostname` --bindDN "cn=Directory Manager" --bindPassword password --policy-name "Default Password Policy" --set account-status-notification-handler:"SMTP Handler" --trustAll --no-prompt
When editing the config/messages templates
to suit your purposes, you can use the following tokens to have OpenDJ
update the message text dynamically.
%%notification-type%%This token is replaced with the name of the account status notification type for the notification.
%%notification-message%%This token is replaced with the message for the account status notification.
%%notification-user-dn%%This token is replaced with the string representation of the DN for the user that is the target of the account status notification.
%%notification-user-attr:attrname%%This token is replaced with the value of the attribute specified by
attrnamefrom the user's entry. If the specified attribute has multiple values, then OpenDJ uses the first value encountered. If the specified attribute does not have any values, then OpenDJ replaces it with an emtpy string.%%notification-property:propname%%This token is replaced with the value of the specified notification property from the account status notification. If the specified property has multiple values, then OpenDJ uses the first value encountered. If the specified property does not have any values, then OpenDJ replaces it with an emtpy string. Valid
propnamevalues include the following.account-unlock-timenew-passwordold-passwordpassword-expiration-timepassword-policy-dnseconds-until-expirationseconds-until-unlocktime-until-expirationtime-until-unlock
This chapter shows you how to set resource limits that prevent directory clients from using an unfair share of system resources.
Well-written directory client applications limit the scope of their searches with filters that narrow the number of results returned. By default, OpenDJ also only allows users with appropriate privileges to perform unindexed searches.
You can further adjust additional limits on search operations, such as the following.
The lookthrough limit defines the maximum number of candidate entries OpenDJ considers when processing a search.
The default lookthrough limit, set by using the global server property
lookthrough-limit, is 5000.You can override the limit for a particular user by changing the operational attribute,
ds-rlim-lookthrough-limit, on the user's entry.The size limit sets the maximum number of entries returned for a search.
The default size limit, set by using the global server property
size-limit, is 1000.You can override the limit for a particular user by changing the operational attribute,
ds-rlim-size-limit, on the user's entry.The time limit defines the maximum processing time OpenDJ devotes to a search operation.
The default time limit, set by using the global server property
time-limit, is 1 minute.You can override the limit for a particular user by changing the operational attribute,
ds-rlim-time-limit, on the user's entry.The maximum number of persistent searches can be set using the global server property
max-psearches.
Change the user entry to set the limits to override.
$ cat limit.ldif dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify add: ds-rlim-size-limit ds-rlim-size-limit: 10 $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename limit.ldif Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=comNow when Babs Jensen performs a search returning more than 10 entries, she sees the following message.
Result Code: 4 (Size Limit Exceeded) Additional Information: This search operation has sent the maximum of 10 entries to the client
Create an LDAP subentry to specify the limits using collective attributes.
$ cat grouplim.ldif dn: cn=Remove Administrator Search Limits,dc=example,dc=com objectClass: collectiveAttributeSubentry objectClass: extensibleObject objectClass: subentry objectClass: top cn: Remove Administrator Search Limits ds-rlim-lookthrough-limit;collective: 0 ds-rlim-size-limit;collective: 0 ds-rlim-time-limit;collective: 0 subtreeSpecification: {base "ou=people", specificationFilter " (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" } $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename grouplim.ldif Processing ADD request for cn=Remove Administrator Search Limits,dc=example,dc=com ADD operation successful for DN cn=Remove Administrator Search Limits,dc=example,dc=comCheck the results.
$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim ds-rlim-lookthrough-limit: 0 ds-rlim-time-limit: 0 ds-rlim-size-limit: 0
If you have applications that leave connections open for long
periods, OpenDJ can end up devoting resources to maintaining connections
that are no longer used. If your network does not drop such connections
eventually, you can configure OpenDJ to drop them by setting the
global configuration property, idle-time-limit. By
default, no idle time limit is set.
The example shown sets the idle time limit to 24 hours.
The default maximum request size of 5 MB, set using the advanced
connection handler property max-request-size, is
sufficient to satisfy most client requests. Yet, there are some cases where
you might need to raise the request size limit. For example, if clients
add groups with large numbers of members, those add requests can go beyond
the 5 MB limit.
The example shown sets the maximum request size on the LDAP connection handler to 20 MB.
OpenDJ supports several methods of grouping entries in the directory. Static groups list their members, whereas dynamic groups look up their membership based on an LDAP filter. OpenDJ also supports virtual static groups, which uses a dynamic group style definition, but allows applications to list group members as if the group were static.
When listing entries in static groups, you must also have a mechanism for removing entries from the list when they are deleted or modified in ways that end their membership. OpenDJ makes that possible with referential integrity functionality.
This chapter demonstrates how to work with groups.
A static group is expressed as an entry that enumerates all the entries that belong to the group. Static group entries grow as their membership increases.
Static group entries can take the standard object class
groupOfNames where each member
attribute value is a distinguished name of an entry, or
groupOfUniqueNames where each
uniqueMember attribute value is also a DN, but no
uniqueMember value is repeated. Static group entries
can also take the object class groupOfEntries that
allows groups to be created before any member
entries are specified.
To create a static group, add a group entry such as the following to the directory.
To change group membership, modify the values of the membership attribute.
A dynamic group specifies members using LDAP URLs. Dynamic groups entries can stay small even as their membership increases.
Dynamic group entries take the groupOfURLs
object class, with one or more memberURL values
specifying LDAP URLs to identify group members.
To create a dynamic group, add a group entry such as the following to the directory.
Group membership changes dynamically as entries change to match the
memberURL values.
OpenDJ lets you create virtual static groups, which let applications see dynamic groups as what appear to be static groups.
The virtual static group takes auxiliary object class
ds-virtual-static-group. Virtual static groups also take
either the object class groupOfNames, or
groupOfUniqueNames, but instead of having
member or uniqueMember attributes,
have ds-target-group-dn attributes pointing to other
groups.
Generating the list of members can be resource intensive for large
groups, so by default you cannot retrieve the list of members. You can
change this with the dsconfig command by setting the
Virtual Static member or
Virtual Static uniqueMember property.
The following example creates a virtual static group, and reads the group entry with all members.
OpenDJ lets you look up which groups a user belongs to by using the
isMemberOf attribute.
You must request isMemberOf explicitly.
When you delete or rename an entry that belongs to static groups, that entry's DN must be removed or changed in the list of each group to which it belongs. You can configure OpenDJ to resolve membership on your behalf after the change operation succeeds by enabling referential integrity.
Referential integrity functionality is implemented as a plugin. The referential integrity plugin is disabled by default. To enable the plugin, use the dsconfig command.
With the plugin enabled, you can see OpenDJ referential integrity resolving group membership automatically.
You can also configure the referential integrity plugin to check that
new entries added to groups actually exist in the directory by setting the
check-references property to true. You
can specify additional criteria once you have activated the check. To ensure
that entries added must match a filter, set the
check-references-filter-criteria to identify the attribute
and the filter. For example, you can specify that group members must be person
entries by setting check-references-filter-criteria to
member:(objectclass=person). To ensure that entries must be
located in the same naming context, set
check-references-scope-criteria to
naming-context.
Some attribute values ought to remain unique. If you are using
uid values as RDNs to distinguish between millions of
user entries stored under ou=People, then you do not
want your directory to contain two or more identical
uid values. If your credit card or mobile number is
stored as an attribute value on your directory entry, you certainly do not
want to share that credit card or mobile number with another customer.
The same is true for your email address.
The difficulty for you as directory administrator lies in implementing attribute value uniqueness without sacrificing the high availability that comes from using OpenDJ's loosely consistent, multi-master data replication. Indeed OpenDJ's replication model lets you maintain write access during network outages for directory applications. Yet, write access during a network outage can result in the same, theoretically unique attribute value getting assigned to two different entries at once. You do not notice the problem until the network outage goes away and replication resumes.
This chapter shows you how to set up attribute value uniqueness in your directory environment.
OpenDJ provides a unique attribute plugin that you configure by using
the dsconfig command. By default, the plugin is prepared
to ensure attribute values are unique for uid
attributes.
Set the base DN where
uidshould have unique values, and enable the plugin.$ dsconfig set-plugin-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --plugin-name "UID Unique Attribute" --set base-dn:ou=people,dc=example,dc=com --set enabled:true --trustAll --no-promptAlternatively, you can specify multiple base DNs for unique values across multiple suffixes.
$ dsconfig set-plugin-prop --port 4444 --hostname opendj.example.com --bindDn "cn=Directory Manager" --bindPassword password --plugin-name "UID Unique Attribute" --set enabled:true --add base-dn:dc=example,dc=com --add base-dn:dc=example,dc=org --trustAll --no-promptCheck that the plugin is working correctly.
$ cat bjensen.ldif dn: uid=ajensen,ou=People,dc=example,dc=com changetype: modify add: uid uid: bjensen $ ldapmodify --defaultAdd --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename bjensen.ldif Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com MODIFY operation failed Result Code: 19 (Constraint Violation) Additional Information: A unique attribute conflict was detected for \ attribute uid: value bjensen already exists in entry uid=bjensen,ou=People,dc=example,dc=comIf you have set up multiple suffixes, you might try something like this.
$ cat bjensen.ldif dn: uid=bjensen,ou=People,dc=example,dc=org objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson cn: Babs sn: Jensen uid: bjensen $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename bjensen.ldif Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org ADD operation failed Result Code: 19 (Constraint Violation) Additional Information: A unique attribute conflict was detected for attribute uid: value bjensen already exists in entry uid=bjensen,ou=People,dc=example,dc=com
You can also configure the unique attribute plugin for use with
other attributes, such as mail, mobile,
or attributes you define, for example cardNumber.
Before you set up the plugin, index the attribute for equality.
Set up the plugin configuration for your attribute.
$ dsconfig create-plugin --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --plugin-name "Unique mobile numbers" --type unique-attribute --set enabled:true --set base-dn:ou=people,dc=example,dc=com --set type:mobile --trustAll --no-promptCheck that the plugin is working correctly.
$ cat mobile.ldif dn: uid=ajensen,ou=People,dc=example,dc=com changetype: modify add: mobile mobile: +1 828 555 1212 dn: uid=bjensen,ou=People,dc=example,dc=com changetype: modify add: mobile mobile: +1 828 555 1212 $ ldapmodify --defaultAdd --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename mobile.ldif Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com MODIFY operation failed Result Code: 19 (Constraint Violation) Additional Information: A unique attribute conflict was detected for attribute mobile: value +1 828 555 1212 already exists in entry uid=ajensen,ou=People,dc=example,dc=com
The unique attribute plugin ensures unique attribute values on the directory server where the attribute value is updated. If client applications separately write the same attribute value at the same time on different directory replicas, it is possible that both servers consider the duplicate value unique, especially if the network is down between the replicas.
Enable the plugin identically on all replicas.
To avoid duplicate values where possible, try one of the following solutions.
Use a load balancer or proxy technology to direct all updates to the unique attribute to the same directory server.
The drawback here is the need for an additional component to direct the updates to the same server, and to manage failover should that server go down.
Configure safe read mode assured replication between replicas storing the unique attribute.
The drawbacks here are the cost of safe read assured replication, and the likelihood that assured replication can enter degraded mode during a network outage, thus continuing to allow updates during the outage.
Schema definitions describe the data, and especially the object classes and attribute types that can be stored in the directory. By default OpenDJ conforms strictly to LDAPv3 standards pertaining to schema definitions and attribute syntax checking, ensuring that data stored is valid and properly formed. Unless your data use only standard schema present in OpenDJ when you install, then you must add additional schema definitions to account the data your applications stored.
Out of the box, OpenDJ comes with many standard schema definitions. In addition you can update and extend schema definitions while OpenDJ is online. As a result you can add new applications requiring additional data without stopping your directory service.
This chapter demonstrates how to change and to extend OpenDJ schema. This chapter also identifies the standard schema definitions available when you install OpenDJ.
Directory schema, described in RFC 4512, define the kinds of information you find in the directory, and can define how the information are related. This chapter focuses primarily on two types of directory schema definitions.
Attribute type definitions describe attributes of directory entries, such as
givenNameormail.Here is an example of an attribute type definition.
# Attribute type definition attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )Attribute type definitions start with an object identifier (OID), and generally a short name or names that are easier to remember than the OID. The attribute type definition can specify how attribute values should be collated for sorting, and what syntax they use. The X-ORIGIN is an extension to identify where the definition originated. When you define your one schema, you likely want to provide an X-ORIGIN to help you to track versions of definitions, and where the definitions came from.
Object class definitions identify the attribute types that an entry must have, and may have. Examples of object classes include
personandorganizationalUnit.Here is an example of an object class definition.
# Object class definition objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) X-ORIGIN 'RFC 4519' )Entries all have an attribute identifying their object classes, called
objectClass.Object class definitions start with an object identifier (OID), and generally a short name that is easier to remember than the OID. The definition here says that the person object class inherits from the top object class, which is the top-level parent of all object classes. When you view the objectclass attribute values on an entry, you see the list of object classes that the entry takes. An entry can have one STRUCTURAL object class inheritance branch, such as
top-person-organizationalPerson-inetOrgPerson. Yet entries can have multiple AUXILIARY object classes. The object class then defines the attribute types that must be included, and the attribute types that may be included on entries having the object class.
OpenDJ exposes schema over protocol through the
cn=schema entry. OpenDJ stores the schema definitions
corresponding to the entry in LDIF under the
config/schema/ directory. Many standard definitions
and definitions pertaining to the server configuration are included at
installation time.
OpenDJ directory server is designed to permit updating the list of directory schema definitions while the server is running. As a result you can add support for new applications that require new attributes or new kinds of entries without interrupting the directory service. OpenDJ also replicates schema definitions, so the schema you add on one replica are propagated to other replicas without you having to intervene manually.
As it is easy to introduce typos into schema definitions, the best way to start defining your own schema is with the OpenDJ Control Panel. Open the Control Panel > Schema > Manage Schema window to get started creating your custom object classes and attribute types.
As object classes reference attribute types, you first create custom attribute types, and then create the object class that references the attribute types.
Create a custom attribute type through the New Attribute window.
Using the New Object Class window, create an auxiliary object class that allows your new custom attribute type. You set the type to Auxiliary under Extra Options.
When you finish, the schema changes show up by default in the file
config/schema/99-user.ldif. Notice that the file name
starts with a number, 99. This number is larger than the numbers prefixing
other schema file names. In fact, OpenDJ reads the schema files in sorted
order, reading schema definitions as they occur. If OpenDJ reads a schema
definition for an object class before it has read the definitions of the
attribute types mentioned in the object class definition, then it displays
an error. Therefore, when naming your schema file, make sure the name appears
in the sorted list of file names after all the schema
files containing definitions that your schema definitions depends on. The
default file name for your schema, 99-user.ldif, ensures
that your definitions load only after all of the schema files installed by
default.
You can create this file in the lab using the Control Panel, and then apply the definitions in production by adapting the content for use with the ldapmodify command, for example.
To test your schema definition, add the object class and attribute to an entry.
By default, OpenDJ accepts data that follows the standards in terms of what is allowed and what is rejected. You might have legacy data from a directory service that is more lenient, allowing non-standard constructions such as multiple structural object classes per entry, not checking attribute value syntax, or even not respecting schema definitions.
For example, when importing data with multiple structural object classes defined per entry, you can relax schema checking to warn rather than reject entries having this issue.
You can allow attribute values that do not respect the defined syntax with the dsconfig command as well.
You can even turn off schema checking altogether, although turning off schema checking only really makes sense when you are absolutely sure that the entries and attribute values respect the schema definitions, and you simply want to turn off schema checking temporarily to speed up import processing.
The following files under config/schema/
contain schema definitions out of the box.
-
00-core.ldif This file contains a core set of attribute type and objectlass definitions from several standard LDAP documents, including draft-ietf-boreham-numsubordinates, draft-findlay-ldap-groupofentries, draft-furuseth-ldap-untypedobject, draft-good-ldap-changelog, draft-ietf-ldup-subentry, draft-wahl-ldap-adminaddr, RFC 1274, RFC 2079, RFC 2256, RFC 2798, RFC 3045, RFC 3296, RFC 3671, RFC 3672, RFC 4512, RFC 4519, RFC 4523, RFC 4524, RFC 4530, RFC 5020, and X.501.
-
01-pwpolicy.ldif This file contains schema definitions from draft-behera-ldap-password-policy, which defines a mechanism for storing password policy information in an LDAP directory server.
-
02-config.ldif This file contains the attribute type and objectclass definitions for use with the directory server configuration.
-
03-changelog.ldif This file contains schema definitions from draft-good-ldap-changelog, which defines a mechanism for storing information about changes to directory server data.
-
03-rfc2713.ldif This file contains schema definitions from RFC 2713, which defines a mechanism for storing serialized Java objects in the directory server.
-
03-rfc2714.ldif This file contains schema definitions from RFC 2714, which defines a mechanism for storing CORBA objects in the directory server.
-
03-rfc2739.ldif This file contains schema definitions from RFC 2739, which defines a mechanism for storing calendar and vCard objects in the directory server. Note that the definition in RFC 2739 contains a number of errors, and this schema file has been altered from the standard definition in order to fix a number of those problems.
-
03-rfc2926.ldif This file contains schema definitions from RFC 2926, which defines a mechanism for mapping between Service Location Protocol (SLP) advertisements and LDAP.
-
03-rfc3112.ldif This file contains schema definitions from RFC 3112, which defines the authentication password schema.
-
03-rfc3712.ldif This file contains schema definitions from RFC 3712, which defines a mechanism for storing printer information in the directory server.
-
03-uddiv3.ldif This file contains schema definitions from RFC 4403, which defines a mechanism for storing UDDIv3 information in the directory server.
-
04-rfc2307bis.ldif This file contains schema definitions from the draft-howard-rfc2307bis specification, used to store naming service information in the directory server.
-
05-rfc4876.ldif This file contains schema definitions from RFC 4876, which defines a schema for storing Directory User Agent (DUA) profiles and preferences in the directory server.
-
05-samba.ldif This file contains schema definitions required when storing Samba user accounts in the directory server.
-
05-solaris.ldif This file contains schema definitions required for Solaris and OpenSolaris LDAP naming services.
-
06-compat.ldif This file contains the attribute type and objectclass definitions for use with the directory server configuration.
Referrals point directory clients to another directory container, which can be another directory server running elsewhere, or another container on the same server. The client receiving a referral must then connect to the other container to complete the request.
Note
Some clients follow referrals on your behalf by default. The OpenDJ ldapsearch command does not follow referrals.
Referrals are used for example when a some directory data are temporarily unavailable due to maintenance. Referrals can also be used when a container holds only some of the directory data for a suffix and points to other containers for branches whose data is not available locally.
This chapter demonstrates how to add and remove referrals with the ldapmodify command. You can also use the Manage Entries window of the Control Panel to handle referrals.
Referrals are implemented as entries with LDAP URL
ref attribute values that point elsewhere. The
ref attribute type is required by the
referral object class. The referral
object class is structural, however, and therefore cannot by default be added
to an entry that already has a structural object class defined. When adding
a ref attribute type to an existing entry, you can use
the extensibleObject auxiliary object class.
When a referral is set, OpenDJ returns the referral to client applications requesting the entry or child entries affected. Client applications must be capable of following the referral returned. When the directory server responds for example to your search with referrals to one or more LDAP URLs, your client then constructs new searches from the LDAP URLs returned, and tries again.
To create an LDAP referral either you create a referral entry, or
you add the extensibleObject object class and the
ref attribute with an LDAP URL to an existing entry.
This section demonstrates use of the latter approach.
The example above adds a referral to
ou=People,dc=example,dc=com. OpenDJ can now return
a referral for operations under the People organizational unit.
To access the entry instead of the referral, use the Manage DSAIT control.
The example above shows how to remove the referral using the Manage DSAIT control with the ldapmodify command.
OpenDJ supports virtual attributes with dynamically generated values. Virtual attributes are used by the server. You can also define your own. OpenDJ also supports standard collective attributes as described in RFC 3671, allowing entries to share common, read-only attribute values.
This chapter demonstrates how to define virtual and collective attributes, showing common solutions as examples of their use.
OpenDJ defines a number of virtual attributes by default.
entryDNThe value is the DN of the entry.
entryUUIDProvides a universally unique identifier for the entry.
hasSubordinatesBoolean. Whether the entry has children.
numSubordinatesProvides the number of direct child entries.
isMemberOfIdentifies groups the entry belongs to.
memberGenerated for virtual static groups.
uniqueMemberGenerated for virtual static groups.
pwdPolicySubentryIdentifies the password policy that applies to the entry.
subschemaSubentryReferences the schema definitions.
collectiveAttributeSubentriesReferences applicable collective attribute definitions.
governingStructureRuleReferences the rule on what type of subordinates the entry can have.
structuralObjectClassReferences the structural object class for the entry.
These virtual attributes are typically operational, so you get them back from a search only when you request them.
You can use the existing virtual attribute types to create your
own virtual attributes, and you can also use the
user-defined type to create your own. The virtual
attribute is defined by the server configuration, which is not
replicated.
Collective attributes cover many use cases better than virtual attributes.
Collective attributes provide a standard mechanism for defining
attributes that appear on all the entries in a subtree potentially filtered
by object class. Standard collective attribute type names have the prefix
c-.
OpenDJ extends collective attributes to make them easier to use.
You can define any OpenDJ attribute as collective using the
;collective attribute option. You can use LDAP filters
in your subtree specification for fine-grained control over which entries
have the collective attributes.
For example, you can define administrative privileges that apply to all users who belong to an administrators group. Alternatively you can define attributes that specify services available for a user depending on that user's service level.
Note
The following example depends on the cos object
class, and the classOfService attribute type defined but
commented out in the Example.ldif file imported as sample data. To try this example
for yourself, add the attribute type and object class definitions
in comments near the top of the file, and then uncomment the
objectClass: cos and classOfService
attribute lines in Example.ldif before importing
the data into OpenDJ.
This example positions collective attributes that depend on the
classOfService attribute values.
For entries with
classOfService: bronze,mailQuotais set to 1 GB, anddiskQuotais set to 10 GB.For entries with
classOfService: silver,mailQuotais set to 5 GB, anddiskQuotais set to 50 GB.For entries with
classOfService: gold,mailQuotais set to 10 GB, anddiskQuotais set to 100 GB.
You define collective attributes in the user data using a subentry.
In other words, collective attributes can be replicated. Collective
attributes use attributes defined in the directory schema. First, add the
mailQuote and diskQuota attributes,
and adjust the definition of the cos object class to
allow the two quota attributes.
Use the following collective attribute definitions to set the quotas depending on class of service.
You can add the collective attribute subentries by using the ldapmodify command.
With the collective attributes defined, you can see the results on user entries.
This chapter focuses on pass through authentication (PTA), whereby you configure another server to determine the response to an authentication request. A typical use case for pass through authentication involves passing authentication through to Active Directory for users coming from Microsoft Windows systems.
You use LDAP pass through authentication when the credentials for authenticating are stored not in OpenDJ, but instead in a remote directory service. In effect OpenDJ redirects the bind operation against a remote LDAP server.
Exactly how OpenDJ redirects the bind depends on how the user entry in OpenDJ maps to the corresponding user entry in the remote directory.
OpenDJ provides you several choices to set up the mapping.
When both the local entry in OpenDJ and the remote entry in the other server have the same DN, you do not have to set up the mapping at all. By default, OpenDJ redirects the bind with the original DN and password from the client application.
When the local entry in OpenDJ has been provisioned with an attribute holding the DN of the remote entry, you can specify which attribute holds the DN, and OpenDJ redirects the bind on the remote server using the DN value.
When you cannot get the remote bind DN directly, you need an attribute and value on the OpenDJ entry that corresponds to an identical attribute and value on the remote server in order to map the local entry to the remote entry. In this case you also need the bind credentials for a user who can search for the entry on the remote server. OpenDJ performs a search for the entry using the matching attribute and value, and then redirects the bind with the DN from the remote entry.
You configure pass through authentication as an authentication policy that you associate with a user's entry in the same way that you associate a password policy with a user's entry. Either a user has an authentication policy for pass through authentication, or the user has a local password policy.
When setting up pass through authentication, you need to know to which remote server or servers to redirect binds, and you need to know how you map user entries in OpenDJ to user entries in the remote directory.
When performing pass through authentication, you no doubt protect communications between OpenDJ and the server providing authentication. If you test using SSL with self-signed certificates, and you do not want the client blindly to trust the server, follow these steps to import the authentication server's certificate into the OpenDJ key store.
Export the server certificate from the authentication server.
How you perform this step depends on the authentication directory server. With OpenDJ, you can export the certificate as shown here.
$ cd /path/to/PTA-Server/config $ keytool -exportcert -rfc -alias server-cert -keystore keystore -storepass `cat keystore.pin` > /tmp/pta-srv-cert.pemMake note of the host name used in the certificate.
You use the host name when configuring the SSL connection. With OpenDJ, you can view the certificate details as shown here.
$ keytool -list -v -alias server-cert -keystore keystore -storepass `cat keystore.pin` Alias name: server-cert Creation date: Sep 12, 2011 Entry type: PrivateKeyEntry Certificate chain length: 1 Certificate[1]: Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate Serial number: 4e6dc429 Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013 Certificate fingerprints: MD5: B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E Signature algorithm name: SHA1withRSA Version: 3Import the authentication server certificate into OpenDJ's key store.
$ cd /path/to/OpenDJ/config $ keytool -importcert -alias pta-cert -keystore truststore -storepass `cat keystore.pin` -file /tmp/pta-srv-cert.pem Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate Serial number: 4e6dc429 Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013 Certificate fingerprints: MD5: B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E Signature algorithm name: SHA1withRSA Version: 3 Trust this certificate? [no]: yes Certificate was added to keystore
You configure authentication policies with the dsconfig command. Notice that authentication policies are part of the server configuration, and therefore not replicated.
Set up an authentication policy for pass through authentication to the authentication server.
$ dsconfig create-password-policy --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --type ldap-pass-through --policy-name "PTA Policy" --set primary-remote-ldap-server:pta-server.example.com:636 --set mapped-attribute:uid --set mapped-search-base-dn:"dc=PTA Server,dc=com" --set mapping-policy:mapped-search --set use-ssl:true --set trust-manager-provider:JKS --trustAll --no-promptThe policy shown here maps identities having this password policy to identities under
dc=PTA Server,dc=com. Users must have the sameuidvalues on both servers. The policy here also uses SSL between OpenDJ and the authentication server.Check that your policy has been added to the list.
$ dsconfig list-password-policies --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --property use-ssl Password Policy : Type : use-ssl ------------------------:-------------------:-------- Default Password Policy : password-policy : - PTA Policy : ldap-pass-through : true Root Password Policy : password-policy : -
The steps below demonstrate setting up pass through authentication to Active Directory. Here is some background to help you make sense of the steps.
Entries on the OpenDJ side use uid as the naming
attribute, and entries also have cn attributes. Active
Directory entries use cn as the naming attribute.
User entries on both sides share the same cn values. The
mapping between entries therefore uses cn.
Consider the example where an OpenDJ account with cn=LDAP
PTA User and DN
uid=ldapptauser,ou=People,dc=example,dc=com corresponds
to an Active Directory account with DN CN=LDAP PTA
User,CN=Users,DC=internal,DC=forgerock,DC=com. The steps below
enable the user with cn=LDAP PTA User on OpenDJ
authenticate through to Active Directory.
OpenDJ must map its
uid=ldapptauser,ou=People,dc=example,dc=com entry to the
Active Directory entry, CN=LDAP PTA
User,CN=Users,DC=internal,DC=forgerock,DC=com. In order to do the
mapping, OpenDJ has to perform a search for the user in Active Directory
using the cn value it recovers from its own entry for the
user. Active Directory does not allow anonymous searches, so part of the
authentication policy configuration consists of the administrator DN and
password OpenDJ uses to bind to Active Directory to be able to search.
Finally, before setting up the pass through authentication policy, make sure OpenDJ can connect to Active Directory over a secure connection to avoid sending passwords in the clear.
Export the certificate from the Windows server.
Click start > All Programs > Administrative Tools > Certification Authority, then right-click the CA and select Properties.
In the General tab, select the certificate and click View Certificate.
In the Certificate dialog, click the Details tab, then click Copy to File...
Use the Certificate Export Wizard to export the certificate into a file, such as
windows.cer.
Copy the exported certificate to the system running OpenDJ.
Import the server certificate into OpenDJ's key store.
$ cd /path/to/OpenDJ/config $ keytool -importcert -alias ad-cert -keystore truststore -storepass `cat keystore.pin` -file ~/Downloads/windows.cer Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com Serial number: 587465257200a7b14a6976cb47916b32 Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016 Certificate fingerprints: MD5: A3:D6:F1:8D:0D:F9:9C:76:00:BC:84:8A:14:55:28:38 SHA1: 0F:BD:45:E6:21:DF:BD:6A:CA:8A:7C:1D:F9:DA:A1:8E:8A:0D:A4:BF Signature algorithm name: SHA1withRSA Version: 3 Extensions: #1: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true PathLen:2147483647 ] #2: ObjectId: 2.5.29.15 Criticality=false KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ] #3: ObjectId: 2.5.29.14 Criticality=false SubjectKeyIdentifier [ KeyIdentifier [ 0000: A3 3E C0 E3 B2 76 15 DC 97 D0 B3 C0 2E 77 8A 11 .>...v.......w.. 0010: 24 62 70 0A $bp. ] ] #4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false Trust this certificate? [no]: yes Certificate was added to keystoreAt this point OpenDJ can connect to Active Directory over SSL.
Set up an authentication policy for OpenDJ users to authenticate to Active Directory.
$ dsconfig create-password-policy --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --type ldap-pass-through --policy-name "AD PTA Policy" --set primary-remote-ldap-server:ad.example.com:636 --set mapped-attribute:cn --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal,DC=forgerock ,DC=com" --set mapped-search-bind-password:password --set mapping-policy:mapped-search --set trust-manager-provider:JKS --set use-ssl:true --trustAll --no-promptAssign the authentication policy to a test user.
$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password dn: uid=ldapptauser,ou=People,dc=example,dc=com changetype: modify add: ds-pwp-password-policy-dn ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=comCheck that the user can bind using pass through authentication to Active Directory.
$ ldapsearch --hostname opendj.example.com --port 1389 --baseDN dc=example,dc=com --bindDN uid=ldapptauser,ou=People,dc=example,dc=com --bindPassword password "(cn=LDAP PTA User)" userpassword cn dn: uid=ldapptauser,ou=People,dc=example,dc=com cn: LDAP PTA UserNotice that to complete the search, the user authenticated with a password to Active Directory, though no
userpasswordvalue is present on the entry on the OpenDJ side.
You assign authentication policies in the same way as you
assign password policies, by using the
ds-pwp-password-policy-dn attribute.
Note
Although you assign the pass through authentication policy using
the same attribute as for password policy, the authentication policy is
not in fact a password policy. Therefore, the user with a pass through
authentication policy does not have a value for the operational attribute
pwdPolicySubentry.
Users depending on pass through authentication no longer need a local password policy, as they no longer authenticate locally.
Examples in the following procedure work for this user, whose
entry on OpenDJ is as shown. Notice that the user has no password set. The
user's password on the authentication server is
password.
This user's entry on the authentication server also has
uid=user.0, and the pass through authentication policy
performs the mapping to find the user entry in the authentication
server.
Prevent users from changing their own password policies.
$ cat protect-pta.ldif dn: ou=People,dc=example,dc=com changetype: modify add: aci aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr = "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass word policy";deny (write)(userdn = "ldap:///self");) $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename protect-pta.ldif Processing MODIFY request for ou=People,dc=example,dc=com MODIFY operation successful for DN ou=People,dc=example,dc=comUpdate the user's
ds-pwp-password-policy-dnattribute.$ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password dn: uid=user.0,ou=People,dc=example,dc=com changetype: modify add: ds-pwp-password-policy-dn ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=comCheck that the user can authenticate through to the authentication server.
$ ldapsearch --port 1389 --baseDN dc=example,dc=com --bindDN uid=user.0,ou=People,dc=example,dc=com --bindPassword password uid=user.0 cn sn dn: uid=user.0,ou=People,dc=example,dc=com cn: Aaccf Amar sn: Amar
Examples in the following steps use the pass through authentication
policy as defined above. Kirsten Vaughan's entry has been reproduced on
the authentication server under dc=PTA
Server,dc=com.
Create a subentry to assign a collective attribute that sets the
ds-pwp-password-policy-dnattribute for group members' entries.$ cat pta-coll.ldif dn: cn=PTA Policy for Dir Admins,dc=example,dc=com objectClass: collectiveAttributeSubentry objectClass: extensibleObject objectClass: subentry objectClass: top cn: PTA Policy for Dir Admins ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies, cn=config subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf= cn=Directory Administrators,ou=Groups,dc=example,dc=com)"} $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename pta-coll.ldif Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=comCheck that OpenDJ has applied the policy.
Make sure you can bind as the user on the authentication server.
$ ldapsearch --port 2389 --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" --bindPassword password --baseDN "dc=PTA Server,dc=com" uid=kvaughan dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: top givenName: Kirsten uid: kvaughan cn: Kirsten Vaughan sn: Vaughan userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w== ou: People mail: jvaughan@example.comCheck that the user can authenticate through to the authentication server from OpenDJ.
$ ldapsearch --port 1389 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" --bindPassword password --baseDN dc=example,dc=com uid=kvaughan cn sn dn: uid=kvaughan,ou=People,dc=example,dc=com cn: Kirsten Vaughan sn: Vaughan
When you store Samba profiles in OpenDJ, Samba stores its own attributes
as defined in the Samba schema. Samba does not use the LDAP standard
userPassword attribute to store users' Samba passwords.
You can configure Samba to apply changes to Samba passwords to LDAP passwords
as well, too. Yet, if a user modifies her LDAP password directly without
updating the Samba password, the LDAP and Samba passwords get out of
sync.
The OpenDJ Samba Password plugin resolves this problem for you. The
plugin intercepts password changes to Samba user profiles, synchronizing Samba
password and LDAP password values. For an incoming Password Modify Extended
Request or modify request changing the user password, the OpenDJ Samba Password
plugin detects whether the user's entry reflects a Samba user profile (entry
has object class sambaSAMAccount), hashes the incoming
password value, and applies the password change to the appropriate password
attribute, keeping the password values in sync. The OpenDJ Samba Password
plugin can perform synchronization as long as new passwords values are
provided in clear text in the modification request. If you configure Samba
to synchronize LDAP passwords when it changes Samba passwords, then the
plugin can ignore changes by the Samba user to avoid duplicate
synchronization.
The Samba Administrator synchronizes LDAP passwords after changing
Samba passwords by issuing a Password Modify Extended Request. In Samba's
smb.conf configuration file, the value of
ldap admin dn is set to the DN of this account. When
the Samba Administrator changes a user password, the plugin ignores
the changes, so choose a distinct account different from Directory Manager
and other administrators.
Create or choose an account for the Samba Administrator.
$ cat samba.ldif dn: uid=samba-admin,ou=Special Users,dc=example,dc=com cn: Samba Administrator givenName: Samba mail: samba@example.com objectClass: person objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: top sn: Administrator uid: samba-admin userPassword: password $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --defaultAdd --filename samba.ldif Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com ADD operation successful for DN uid=samba-admin,ou=Special Users, dc=example,dc=comEnsure the Samba Administrator can reset user passwords.
$ cat samba-rights.ldif dn: uid=samba-admin,ou=Special Users,dc=example,dc=com changetype: modify add: ds-privilege-name ds-privilege-name: password-reset dn: dc=example,dc=com changetype: modify add: aci aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl " Samba Admin user rights"; allow(all) groupdn ="ldap:///uid=samba-user,ou= Special Users,dc=example,dc=com";) $ ldapmodify --port 1389 --bindDN "cn=Directory Manager" --bindPassword password --filename samba-rights.ldif Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com MODIFY operation successful for DN uid=samba-admin,ou=Special Users,dc=example,dc=com Processing MODIFY request for dc=example,dc=com MODIFY operation successful for DN dc=example,dc=com
Determine whether the plugin must store passwords hashed like LanManager (
sync-lm-password) or like Windows NT (sync-nt-password), based on how you set up Samba in your environment.Enable the plugin.
$ dsconfig create-plugin --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --plugin-name "Samba Password Synchronisation" --type samba-password --set enabled:true --set pwd-sync-policy:sync-nt-password --set samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com" --trustAll --no-promptAt this point the Samba Password plugin is active.
When troubleshooting Samba Password plugin issues, you can turn on debug logging as follows.
$ dsconfig create-debug-target --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --publisher-name "File-Based Debug Logger" --target-name org.opends.server.plugins.SambaPasswordPlugin --set debug-level:all --trustAll --no-prompt $ dsconfig set-log-publisher-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --publisher-name "File-Based Debug Logger" --set enabled:true --trustAll --no-prompt
This chapter describes the monitoring capabilities that OpenDJ implements, and shows how to configure them.
OpenDJ Control Panel provides basic monitoring capabilities under Monitoring > Connection Handler, Monitoring > Connection Handler, and Monitoring > Manage Tasks. This chapter covers the other options for monitoring OpenDJ.
OpenDJ exposes monitoring information over LDAP under the entry
cn=monitor. Many different types of information are
exposed. The following example shows monitoring information about the
userRoot backend holding Example.com data.
You can set global ACIs on the Access Control Handler if you want
to limit read access under cn=monitor.
OpenDJ lets you monitor the server over the Simple Network Management Protocol (SNMP), with support for the Management Information Base described in RFC 2605: Directory Server Monitoring MIB.
OpenDJ SNMP-based monitoring depends on OpenDMK, which you must
download
separately. Install the Full Binary Bundle alongside OpenDJ. OpenDJ
that you download from ForgeRock is built with OpenDMK, but OpenDMK is not
part of OpenDJ, and SNMP is therefore not enabled by default. You can
set up a connection handler for SNMP by enabling the connection
handler, and pointing OpenDJ to your installation of the OpenDMK
jdmkrt.jar library.
By default, the SNMP Connection Handler listens on port 161 and uses port 162 for traps. On UNIX and Linux systems, only root can normally open these ports. Therefore if you install as a normal user, you might want to change the listen and trap ports.
OpenDJ provides Java Management eXtensions (JMX) based monitoring. A number of tools support JMX, including jconsole and jvisualvm, which are bundled with the Sun/Oracle Java platform. JMX is not configured by default. Use the dsconfig command to configure the JMX connection handler.
By default, no users have privileges to access the JMX connection. The following command adds JMX privileges for Directory Manager.
You must also configure security to login remotely. Good luck.
Alternatively, you can connect to a local server process by using the server process identifier.
OpenDJ comes with two commands for monitoring server processes and tasks. The status command displays basic information about the local server, similar to what is seen in the default window of the Control Panel. The manage-tasks command lets you manage tasks scheduled on a server, such as nightly backup.
The status command takes administrative credentials to read the configuration, as does the Control Panel.
The manage-tasks command connects over the administration port, and so can connect to both local and remote servers.
By default OpenDJ stores access and errors logs as well as a
server process ID file under the logs/ directory.
For the replication service, OpenDJ also keeps a replication log there.
You can also configure a debug log. Furthermore, you can configure policies
about how logs are rotated, and how they are retained. You configure logging
using the dsconfig command.
The access log traces the operations the server processes including timestamps, connection information, and information about the operation itself. The access log can therefore grow quickly, as each client request results in at least one new log message.
The following access log excerpt shows a search operation from the local host, with the first three lines wrapped for readability.
[21/Jun/2011:08:01:53 +0200] CONNECT conn=4 from=127.0.0.1:49708 to=127.0.0.1:1389 protocol=LDAP [21/Jun/2011:08:01:53 +0200] SEARCH REQ conn=4 op=0 msgID=1 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL" [21/Jun/2011:08:01:53 +0200] SEARCH RES conn=4 op=0 msgID=1 result=0 nentries=1 etime=3 [21/Jun/2011:08:01:53 +0200] UNBIND REQ conn=4 op=1 msgID=2 [21/Jun/2011:08:01:53 +0200] DISCONNECT conn=4 reason="Client Unbind"The errors log traces server events, error conditions, and warnings, categorized and identified by severity.
The following errors log excerpt shows log entries about a backup task, with lines wrapped for readability.
[22/Jun/2011:12:32:23 +0200] category=BACKEND severity=NOTICE msgID=9896349 msg=Backup task 20110622123224088 started execution [22/Jun/2011:12:32:23 +0200] category=TOOLS severity=NOTICE msgID=10944792 msg=Starting backup for backend userRoot [22/Jun/2011:12:32:24 +0200] category=JEB severity=NOTICE msgID=8847446 msg=Archived: 00000000.jdb [22/Jun/2011:12:32:24 +0200] category=TOOLS severity=NOTICE msgID=10944795 msg=The backup process completed successfully [22/Jun/2011:12:32:24 +0200] category=BACKEND severity=NOTICE msgID=9896350 msg=Backup task 20110622123224088 finished executionThe replication log traces replication events, with entries similar to the errors log. The following excerpt has lines wrapped for readability.
[22/Jun/2011:14:37:34 +0200] category=SYNC severity=NOTICE msgID=15139026 msg=Finished total update: exported domain "dc=example,dc=com" from this directory server DS(24065) to all remote directory servers. [22/Jun/2011:14:37:35 +0200] category=SYNC severity=MILD_WARNING msgID=14745663 msg=Replication server RS(23947) at opendj.example.com/10.10.0.168:8989 has closed the connection to this directory server DS(24065). This directory server will now try to connect to another replication server in order to receive changes for the domain "dc=example,dc=com" [22/Jun/2011:14:37:35 +0200] category=SYNC severity=NOTICE msgID=15138894 msg=The generation ID for domain "dc=example,dc=com" has been reset to 3679640Notice that the replication log does not trace replication operations. Use the external change log instead to get notifications about changes to directory data over protocol. You can alternatively configure an audit log, which is a type of access log that dumps changes in LDIF.
A debug log traces details needed to troubleshoot a problem in the server. Debug logs can grow large quickly, and therefore no debug logs are enabled by default.
Each log depends on a log publisher, whose type corresponds to the type of log. OpenDJ uses file-based log publishers. The design allows for custom log publishers, however, which could publish the logs elsewhere besides a file.
Each log can also be associated with a log rotation policy, and a log retention policy. The former can specify when, after how much time, or at what maximum size a log is rotated. The latter can specify a maximum number or size of logs to retain, or an amount of free disk space to maintain. The design allows for custom policies as well.
For debug logging, you also set a debug target to control what gets logged.
By default the file-based logs are subject to rotation and retention policies that you can list with dsconfig list-rotation-policies and dsconfig list-retention-policies.
Each time a client application sends a request to OpenDJ, the server writes to its access log. As shown above, a simple search operation results in five messages written to the access log. This volume of logging gives you the information to analyze overall access patterns, or to audit access when you do not know in advance what you are looking for.
Yet when you do know what you are looking for, log filtering lets you limit what the server logs, and focus on what you want to see. You define the filter criteria, and also set the filtering policy.
You can filter both access and also audit logs.
Log filtering lets you define rules based these criteria.
Client IP address, bind DN, group membership
Port number
Protocol used (such as LDAP, LDAPS, JMX)
Response times
Result codes (only log error results, for example)
Search response criteria (number of entries returned, whether the search was indexed)
Target DN
Type of operation (connect, bind, add, delete, modify, rename, search, etc.)
The filtering policy in the log publisher configuration specifies whether to include or exclude log messages that match the criteria you define. OpenDJ does not filter logs until you update the log publisher configuration.
A common development troubleshooting technique consists of sending client requests while tailing the access log:
Trouble is, when OpenDJ Control Panel is running, or when you are also adapting your configuration using the dsconfig command, OpenDJ writes access log messages related to administration. These might prevent you from noticing the messages that interest you.
This example demonstrates how to filter out access log messages due to administrative connections over LDAPS on ports 1636 and 4444.
Create access log filtering criteria rules.
Activate filtering to exclude messages from the default access log according to the criteria you specified.
At this point, OpenDJ filters out connections over LDAPS to ports 1636 and 4444. While performing operations in OpenDJ Control Panel, if you perform a simple ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen cn, then all you see in the access log is the effect of the ldapsearch command.
In addition to the filtering policy, you can also adjust how OpenDJ
writes log messages. By default, OpenDJ writes one log message for a
request, and another for a response. You can set the log publisher
property log-format to combined
to have OpenDJ write a single message per operation. This can be helpful,
for example, when evaluating response times. In addition, you can change
the log message time stamps with log-record-time-format,
and specify whether to log LDAP control OIDs for operations by setting
log-control-oids to true.
OpenDJ can send alerts to provide notifications of significant server events. Yet alert notifications are not enabled by default. You can use the dsconfig command to enable alert notifications.
OpenDJ can also send mail over SMTP instead of JMX notifications. Before you set up the SMTP-based alert handler, you must identify an SMTP server to which OpenDJ sends messages.
Server tuning refers to the art of adjusting server, JVM, and system configuration to meet the service level performance requirements of directory clients. In the optimal case you achieve service level performance requirements without much tuning at all, perhaps only setting JVM runtime options when installing OpenDJ.
If you are reading this chapter, however, you are probably not facing an optimal situation. Instead you are looking for trade offs that maximize performance for clients given the constraints of your deployment. This chapter therefore aims to provide suggestions on how to measure and to improve directory service performance for better trade offs.
Your key performance requirement is most likely to satisfy your users or customers with the resources available to you. Before you can solve potential performance problems, define what those users or customers expect, and determine what resources you will have to satisfy their expectations.
Service-level agreement (SLA) is a formal name for what directory client applications and the people who run them expect from your service in terms of performance.
SLAs might cover many aspects of the directory service. Whether or not your SLA is formally defined, you ought to know what is expected, or at least what you provide, in the following four areas.
Directory service response times
Directory service response times range from less than a millisecond on average across a low latency connection on the same network to however long it takes your network to deliver the response. More important than average or best response times is the response time distribution, because applications set timeouts based on worst case scenarios. For example, a response time performance requirement might be defined as, "Directory response times must average less than 10 milliseconds for all operations except searches returning more than 10 entries, with 99.9% of response times under 40 milliseconds."
Directory service throughput
Directory service throughput can range up to many thousands of operations per second. In fact there is no upper limit for read operations such as searches, because only write operations must be replicated. To increase read throughput, simply add additional replicas. More important than average throughput is peak throughput. You might have peak write throughput in the middle of the night when batch jobs update entries in bulk, and peak binds for a special event or first thing Monday morning. For example, a throughput performance requirement might be expressed as, "The directory service must sustain a mix of 5,000 operations per second made up of 70% reads, 25% modifies, 3% adds, and 2% deletes."
Even better is to mimic the behavior of key operations for performance testing, so that you understand the patterns of operations in the throughput you need to provide.
Directory service availability
OpenDJ is designed to let you build directory services that are basically available, including during maintenance and even upgrade of individual servers. Yet, in order to reach very high levels of availability, you must make sure not only that the software is designed for availability, but also that your operations execute in such a way as to preserve availability. Availability requirements can be as lax as best effort, or as stringent as 99.999% or more uptime.
Replication is the OpenDJ feature that allows you to build a highly available directory service.
Directory service administrative support
Do not forget to make sure you understand and set expectations about how you support your users when they run into trouble. Directory services can perhaps help you turn password management into a self-service visit to a web site, but some users no doubt still need to know what they can expect if they need your help.
Writing down the SLA, even if your first version consists of guesses, helps you reduce performance tuning from an open-ended project to a clear set of measurable goals for a manageable project with a definite outcome.
With your SLA in hand, take inventory of the server, networks, storage, people, and other resources at your disposal. Now is the time to estimate whether it is possible to meet the requirements at all.
If for example you are expected to serve more throughput than the network can transfer, maintain high availability with only one physical machine, store 100 GB of backups on a 50 GB partition, or provide 24/7 support all alone, no amount of tweaking available resources is likely to fix the problem.
When checking that the resources you have at least theoretically suffice to meet your requirements, do not forget that high availability in particular requires at least two of everything to avoid single points of failure. Be sure to list the resources you expect to have, when and how long you expect to have them, and why you need them. Also make note of what is missing and why.
Concerning server hardware, OpenDJ runs on systems with Java support, and is therefore quite portable. That said, OpenDJ tends to perform best on single-board, x86 systems due to low memory latency.
OpenDJ is designed to work with local storage for the database, not for network file systems such as NFS.
High performance storage is essential if you need to handle high write throughput.
The Berkeley Java Edition DB works well with traditional disks as long as the database cache size allows the DB to stay fully cached in memory. This is the case because the database transaction log is append only. When the DB is too big to stay cached in memory, however, then cache misses lead to random disk access, slowing OpenDJ performance.
You might mitigate this effect by using solid-state disks for persistent storage, or for file system cache.
Regarding database size on disk, if you have sustained write traffic then the database grows to about twice its initial size on disk. This is normal, and due to the way the database manages its logs. The size on disk does not impact the DB cache size requirements.
Even if you do not need high availability, you still need two of everything, because your test environment needs to mimic your production environment as closely as possible if you want to avoid nasty surprises.
In your test environment, you set up OpenDJ as you will later in production, and then conduct experiments to determine how best to meet the requirements defined in the SLA.
Use make-ldif to generate sample data that match what you expect to find in production.
The OpenDJ LDAP Toolkit provides three command-line tools to help with basic performance testing.
The authrate command measures bind throughput and response time.
The modrate command measures modification throughput and response time.
The searchrate command measures search throughput and response time.
All three commands show you information about the response time distributions, and allow you to perform tests at specific levels of throughput.
For more extensive testing, try the SLAMD Distributed Load Generation Engine. SLAMD is built to test more than just directory, but is particularly well suited to test directory service performance, is well documented, and is available under the Sun Public License. SLAMD is designed both to offer an easy to used web-based interface, and also to allow you to customize jobs to match the access patterns you expect from client applications.
When your tests show that OpenDJ performance is lacking even though you have the right underlying network, hardware, storage, and system resources in place, you can tweak OpenDJ performance in a number of ways. This section mentions the most common tweaks.
Default Java settings let you evaluate OpenDJ using limited system resources. If you need high performance for production system, test with the following JVM options. These apply to the Sun/Oracle JVM.
Tip
To apply JVM settings for your server, edit
config/java.properties, and apply the changes with the
dsjavaproperties command.
-serverUse the C2 compiler and optimizer.
-d64To use a heap larger than about 3.5 GB on a 64-bit system, use this option.
-Xms, -XmxSet both minimum and maximum heap size to the same value to avoid resizing. Leave space for the entire DB cache and more.
-XmnSet the new generation size between 1-4 GB for high throughput deployments, but leave enough overall JVM heap to avoid overlaps with the space used for DB cache.
-XX:MaxTenuringThreshold=1Force OpenDJ to create only objects that have either a short lifetime, or a long lifetime.
-XX:+UseConcMarkSweepGCThe CMS garbage collector tends to give the best performance characteristics. You might also consider the G1 garbage collector.
-XX:+PrintGCDetails,-XX:+PrintGCTimeStampsUse these when diagnosing JVM tuning problems. You can turn them off when everything is running smoothly.
-XX:+UseCompressedOopsJava object pointers normally have the same size as native machine pointers. If you run a small, but 64-bit JVM, then compressed object pointers can save space. Set this option when you have a 64-bit JVM,
-Xmxless than 32 GB, and Java SE 6u23 or later.
By default, OpenDJ does use compact data encoding, reducing size used
by attribute type and object class strings. However, OpenDJ does try to
compress entries by default. You can potentially gain space by setting the
backend property entries-compressed to
true before you (re-)import data from LDIF. OpenDJ
compresses entries before writing them to the database, but does not
proactively rewrite all entries in the database after you change the
settings, so to force OpenDJ to compress the entries, import the data
from LDIF.
You can tweak OpenDJ to speed up import of large LDIF files.
By default, the temporary directory used for scratch files is
import-tmp under the directory where you installed
OpenDJ. Use import-ldif with the
--tmpdirectory option to set this directory to a
tmpfs file system, such as
/tmp.
In some cases, you can improve performance by using the
--threadCount option with the
import-ldif command to set the thread count larger than
the default, which is twice the number of CPUs.
If you are certain your LDIF contains only valid entries with
correct syntax, because the LDIF was exported from OpenDJ with all checks
active for example, you can skip schema and DN validation. Use the
--skipSchemaValidation and
--skipDNValidation options with the
import-ldif command to skip validation.
Database cache size is, by default, set as a percentage of the JVM
heap, using the backend property db-cache-percent.
Alternatively, you use the backend property
db-cache-size to set the size. If you set up multiple
database backends, the total percent of JVM heap used must remain less than
100, and must leave space for other uses. Default settings work for servers
with one user data backend JVM heaps up to 2 GB. For heaps larger than 2 GB,
you can allocate a larger percentage of heap space to DB cache.
Depending on the size of your database, you have a choice to make about database cache settings.
By caching the entire database in the JVM heap, you can get more
deterministic response times and limit disk I/O. Yet, caching the whole
DB can require a very large JVM, which you must pre-load on startup, and
which can result in long garbage collections and a difficult-to-manage
JVM. Test database pre-load on startup by setting the
preload-time-limit for the backend.
Database pre-load is single-threaded, and loads each database one at a time.
By allowing file system cache to hold the portion of database that does not fit in DB cache, you trade less deterministic and slightly slower response times for not having to pre-load the DB and not having garbage collection pauses with large JVMs. How you configure the file system cache depends on your operating system.
OpenDJ implements an entry cache. The entry cache is not designed to cache every entry in your database, but is instead useful in cases where you have a few, typically large entries that are regularly used. For example, if you have a few large static groups and applications that regularly check group membership, you could cache your group entries.
Debug logs trace the internal workings of OpenDJ, and therefore generally should be used sparingly, especially in high performance deployments.
In general leave other logs active for production environments to help troubleshoot any issues that arise.
For OpenDJ servers handling very high throughput, however, such as 100,000 operations per second or more, the access log constitue a performance bottleneck, as each client request results in multiple access log messages. Consider disabling the access log in such cases.
When you change where OpenDJ is deployed, you must take host names, port numbers, and certificates into account. The changes can also affect your replication configuration. This chapter shows what to do when moving a server.
From time to time you might change server hardware, file system layout, or host names. At those times you move the services running on the system. You can move OpenDJ data between servers and operating systems. Most of the configuration is also portable.
Two aspects of the configuration are not portable.
Server certificates contain the host name of the system. Even if you did not set up secure communications when you installed the server, the server still has a certificate used for secure communications on the administrative port.
To resolve the issue with server certificates, you can change the server certificates during the move as described in this chapter.
Replication configuration includes the host name and administrative port numbers.
You can work around the issue with replication configuration by disabling replication for the server before the move, and then enabling and initializing replication again after the move.
Take a moment to determine whether you find it quicker and easier to move your server, or instead to recreate a copy. To recreate a copy, install a new server, set up the new server configuration to match the old, and then copy only the data from the old server to the new server, initializing replication from existing data, or even from LDIF if your database is not too large.
After you decide to move a server, start by taking it out of service. Taking it out of service means directing client applications elsewhere, and then preventing updates from client applications, and finally disabling replication, too. Directing client applications elsewhere depends on your network configuration and possibly on your client application configuration. The other two steps can be completed with the dsconfig and dsreplication commands.
Direct client applications to other servers.
How you do this depends on your network and client application configurations.
Prevent the server from accepting updates from client applications.
$ dsconfig set-global-configuration-prop --port 5444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --set writability-mode:internal-only --trustAll --no-promptDisable replication for the server.
$ dsreplication disable --disableAll --port 5444 --hostname opendj.example.com --adminUID admin --adminPassword password --trustAll --no-prompt Establishing connections ..... Done. Disabling replication on base DN dc=example,dc=com of server opendj.example.com:5444 ..... Done. Disabling replication on base DN cn=admin data of server opendj.example.com:5444 ..... Done. Disabling replication on base DN cn=schema of server opendj.example.com:5444 ..... Done. Disabling replication port 9989 of server opendj.example.com:5444 ..... Done. Removing registration information ..... Done. Removing truststore information ..... Done. See /var/.../opends-replication-3173475478874782719.log for a detailed log of this operation.With the server no longer receiving traffic or accepting updates from clients, and no longer replicating to other servers, you can shut it down in preparation for the move.
$ stop-ds Stopping Server... ... msg=The Directory Server is now stoppedYou might also choose to remove extra log files from the server
logs/directory before moving the server.
Now that you have decided to move your server, and prepared for the move, you must not only move the files but also fix the configuration and the server certificates, and then enable replication.
Move the contents of the server installation directory to the new location.
If you must change port numbers, edit the port numbers in
config/config.ldif, carefully avoiding to change any whitespace or other lines in the file.Change server certificates as described in the separate procedure below.
Start the server.
$ start-ds ... The Directory Server has started successfullyEnable and initialize replication.
$ dsreplication enable --adminUID admin --bindPassword password --baseDN dc=example,dc=com --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" --bindPassword1 password --replicationPort1 8989 --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" --bindPassword2 password --replicationPort2 8989 --trustAll --no-prompt Establishing connections ..... Done. Checking registration information ..... Done. Configuring Replication port on server opendj.example.com:4444 ..... Done. Updating remote references on server opendj2.example.com:4444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN dc=example,dc=com on server opendj2.example.com:4444 ..... Done. Updating registration configuration on server opendj.example.com:4444 ..... Done. Updating registration configuration on server opendj2.example.com:4444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj.example.com:4444 ..... Done. Updating replication configuration for baseDN cn=schema on server opendj2.example.com:4444 ..... Done. Initializing registration information on server opendj.example.com:4444 with the contents of server opendj2.example.com:4444 ..... Done. Initializing schema on server opendj2.example.com:4444 with the contents of server opendj.example.com:4444 ..... Done. Replication has been successfully enabled. Note that for replication to work you must initialize the contents of the base DN's that are being replicated (use dsreplication initialize to do so). See /tmp/opends-replication-1476402020764482023.log for a detailed log of this operation. $ dsreplication pre-external-initialization --adminUID admin --bindPassword password --port 4444 --baseDN dc=example,dc=com --trustAll --no-prompt Preparing base DN dc=example,dc=com to be initialized externally ..... Done. Now you can proceed to the initialization of the contents of the base DN's on all the replicated servers. You can use the command import-ldif or the binary copy to do so. You must use the same LDIF file or binary copy on each server. When the initialization is completed you must use the subcommand 'post-external-initialization' for replication to work with the new base DN's contents. $ dsreplication post-external-initialization --adminUID admin --bindPassword password --port 4444 --baseDN dc=example,dc=com --trustAll --no-prompt Updating replication information on base DN dc=example,dc=com ..... Done. Post initialization procedure completed successfully.Accept updates from client applications.
$ dsconfig set-global-configuration-prop --port 4444 --hostname opendj.example.com --bindDN "cn=Directory Manager" --bindPassword password --set writability-mode:enabled --trustAll --no-promptDirect client applications to the server.
Note
This procedure demonstrates using a new self-signed certificate to
replace the existing certificate in the
admin-truststore and corresponding private key in the
admin-keystore. Use CA-signed certificates to protect
communications with client applications in production deployments.
To hold certificates for StartTLS/SSL, and for communication between
servers, OpenDJ uses key stores (for private keys) and trust stores (for
public, signed certificates), all located by default in the
config/ directory. The default files are as
follows.
admin-keystoreThis Java Key Store holds the private key corresponding to the administrative certificate,
admin-cert, used to protect communications on the administration port, and for replication. The password is stored inadmin-keystore.pin.admin-truststoreThis Java Key Store holds the public administrative certificate,
admin-cert, corresponding to the private key having the same alias in theadmin-keystore. The password is the same as for theadmin-keystore, in other words the string inadmin-keystore.pin.ads-truststoreThis Java Key Store holds public keys of all servers participating in the replication topology including the current server, and also holds the private key of the current server. The password is stored in
ads-truststore.pin.keystoreThis Java Key Store holds the private key corresponding to the server certificate used to protect TLS/SSL communications with client applications. The password is stored in
keystore.pin.truststoreThis Java Key Store holds the public server certificate corresponding to the private key having the same alias in the
keystore. The password is the same as for thekeystore, in other words the string inkeystore.pin.
List information about the contents of the keystore and truststore whose contents you want to replace.
$ cd /path/to/OpenDJ/config $ keytool -list -v -keystore admin-keystore -storepass `cat admin-keystore.pin`Remove the certificate to replace from the keystore and from the truststore.
$ keytool -delete -alias admin-cert -keystore admin-keystore -storepass `cat admin-keystore.pin` $ keytool -delete -alias admin-cert -keystore admin-truststore -storepass `cat admin-keystore.pin`Generate the private key, storing it in the keystore.
$ keytool -genkey -alias admin-cert -keyalg RSA -dname "CN=opendj.example.com, O=Administration Connector Self-Signed Certificate" -keystore admin-keystore -storepass `cat admin-keystore.pin` -keypass `cat admin-keystore.pin`You might choose to make the key valid for two years with
-validity 730.Self-sign what you generated.
$ keytool -selfcert -alias admin-cert -keystore admin-keystore -storepass `cat admin-keystore.pin`Export the certificate from the keystore.
$ keytool -export -alias admin-cert -keystore admin-keystore -storepass `cat admin-keystore.pin` -file admin-cert.crt Certificate stored in file <admin-cert.crt>Import the certificate into the truststore.
$ keytool -import -alias admin-cert -keystore admin-truststore -storepass `cat admin-keystore.pin` -file admin-cert.crt Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate Issuer: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate Serial number: 4e0321c6 Valid from: Thu Jun 23 13:21:42 CEST 2011 until: Wed Sep 21 13:21:42 CEST 2011 Certificate fingerprints: MD5: 5C:4B:CC:9A:37:E2:71:BD:C4:86:8E:FC:D4:37:39:57 SHA1: 70:D0:36:0D:EB:0D:AC:45:6D:A4:EF:8A:8E:CB:C7:04:7D:3A:EE:6E Signature algorithm name: SHA1withRSA Version: 3 Trust this certificate? [no]: yes Certificate was added to keystore
This chapter describes how to troubleshoot common server problems, and how to collect information necessary when seeking support help.
In order to solve your problem methodically, save time by defining the problem clearly up front. In a replicated environment with multiple directory servers and many client applications, it can be particularly important to pin down not only the problem (difference in observed behavior compared to expected behavior), but also the circumstances and steps that lead to the problem occurring.
Answer the following questions.
How do you reproduce the problem?
What exactly is the problem? In other words, what is the behavior you expected? What is the behavior you observed?
When did the problem start occurring? Under similar circumstances, when does the problem not occur?
Is the problem permanent? Intermittent? Is it getting worse? Getting better? Staying the same?
Pinpointing the problem can sometimes indicate where you should start looking for solutions.
Installation and upgrade procedures result in a log file tracing the operation. The log location differs by operating system, but look for lines in the command output of the following form.
See /var/....log for a detailed log of this operation.
Misconfiguration can potentially put OpenDJ in a state where you must intervene, and where you need to prevent users and applications from accessing the directory until you are done fixing the problem.
OpenDJ provides a lockdown mode that allows
connections only on the loopback address, and allows only operations
requested by root users, such as cn=Directory
Manager. You can use lockdown mode to prevent all but
administrative access to OpenDJ in order to repair the server.
To put OpenDJ into lockdown mode, the server must be running. You cause the server to enter lockdown mode by using a task. Notice that the modify operation is performed over the loopback address (accessing OpenDJ on the local host).
OpenDJ logs a notice message in logs/errors
when lockdown mode takes effect.
[30/Jan/2012:17:04:32 +0100] category=BACKEND severity=NOTICE msgID=9896350 msg=Lockdown task Enter Lockdown Mode finished execution
Client applications that request operations get a message concerning lockdown mode.
You also leave lockdown mode by using a task.
OpenDJ also logs a notice message when leaving lockdown.
[30/Jan/2012:17:13:05 +0100] category=BACKEND severity=NOTICE msgID=9896350 msg=Leave Lockdown task Leave Lockdown Mode finished execution
By default OpenDJ requires that LDIF data you import respect standards.
In particular, OpenDJ is set to check that entries to import match the
schema defined for the server. You can temporarily bypass this check by using
the --skipSchemaValidation with the
import-ldif command.
OpenDJ also ensures by default that entries have only one inheritance
of structural object classes. You can relax this behavior by using the
advanced global configuration property,
single-structural-objectclass-behavior. This can be useful
when importing data exported from Sun Directory Server. For example, to
warn when entries have more than one structural object class instead of
reject such entries being added, set the property as follows.
By default, OpenDJ also checks syntax for a number of attribute types.
You can relax this behavior as well by using the dsconfig
set-attribute-syntax-prop command. See the list of attribute
syntaxes and use the --help option for further
information.
When running import-ldif, you can use the -R
option to capture entries that
could not be imported, and the rejectFile--countRejects option to
return the number of rejected entries as the import-ldif
exit code.
Once you work through the issues with your LDIF data, reinstate the default behavior to ensure automated checking.
In order to trust the server certificate, client applications usually compare the signature on certificates with those of the Certificate Authorities (CAs) whose certificates are distributed with the client software. For example, the Java environment is distributed with a key store holding many CA certificates.
The self-signed server certificates that can be configured during OpenDJ setup are not recognized as being signed by any CAs. Your software therefore is configured not to trust the self-signed certificates by default. You must either configure the client applications to accept the self-signed certificates, or else use certificates signed by recognized CAs.
You can further debug the network traffic by collecting debug traces.
To see the traffic going over TLS/SSL in debug mode, configure OpenDJ to dump
debug traces from javax.net.debug into the
logs/server.out file.
Replication uses SSL to protect directory data on the network. In some configurations, replica can fail to connect to each other due to SSL handshake errors. This leads to error log messages such as the following.
Notice these problem characteristics in the message above.
The host name,
myserver, is not fully qualified.You should not see non fully qualified host names in the error logs. Non fully qualified host names are a sign that an OpenDJ server has not been configured properly.
Always install and configure OpenDJ using fully-qualified host names. The OpenDJ administration connector, which is used by the dsconfig command, and also replication depend upon SSL and, more specifically, self-signed certificates for establishing SSL connections. If the host name used for connection establishment does not correspond to the host name stored in the SSL certificate then the SSL handshake can fail. For the purposes of establishing the SSL connection, a host name like
myserverdoes not matchmyserver.example.com, and vice versa.The connection succeeded, but the SSL handshake failed, suggesting a problem with authentication or with the cipher or protocol negotiation. As most deployments use the same Java Virtual Machine, and the same JVM configuration for each replica, the problem is likely not related to SSL cipher or protocol negotiation, but instead lies with authentication.
Follow these steps on each OpenDJ server to check whether the problem lies with the host name configuration.
Make sure each OpenDJ server uses only fully qualified host names in the replication configuration. You can obtain a quick summary by running the following command against each server's configuration.
$ grep ds-cfg-replication-server: config/config.ldif | sort | uniqMake sure that the host names in OpenDJ certificates also contain fully qualified host names, and correspond to the host names found in the previous step.
# Examine the certificates used for the administration connector. $ keytool -list -v -keystore config/admin-truststore -storepass `cat config/admin-keystore.pin` |grep "^Owner:" # Examine the certificates used for replication. $ keytool -list -v -keystore config/ads-truststore -storepass `cat config/ads-truststore.pin`| grep "^Owner:"
Sample output for a server on host opendj.example.com
follows.
Unfortunately there is no easy solution to badly configured host names. It is often easier and quicker simply to reinstall your OpenDJ servers remembering to use fully qualified host names everywhere.
When using the setup tool to install and configure a server ensure that the
-hoption is included, and that it specifies the fully qualified host name. Make sure you include this option even if you are not enabling SSL/StartTLS LDAP connections (see OPENDJ-363).If you are using the GUI installer, then make sure you specify the fully qualified host name on the first page of the wizard.
When using the dsreplication tool to enable replication make sure that any
--hostoptions include the fully qualified host name.
If you cannot reinstall the server, follow these steps.
Disable replication in each replica.
$ dsreplication disable --disableAll --portadminPort--hostnamehostName--bindDN "cn=Directory Manager" --adminPasswordpassword--trustAll --no-promptStop and restart each server in order to clear the in-memory ADS trust store backend.
Enable replication making certain that fully qualified host names are used throughout
$ dsreplication enable --adminUID admin --adminPasswordpassword--baseDN dc=example,dc=com --host1hostName1--port1adminPort1--bindDN1 "cn=Directory Manager" --bindPassword1password--replicationPort1replPort1--host2hostName2--port2adminPort2--bindDN2 "cn=Directory Manager" --bindPassword2password--replicationPort2replPort2--trustAll --no-promptRepeat the previous step for each remaining replica. In other words, host1 with host2, host1 with host3, host1 with host4, ..., host1 with hostN.
Initialize all remaining replica with the data from host1.
$ dsreplication initialize-all --adminUID admin --adminPassword password --baseDN dc=example,dc=com --hostnamehostName1--port 4444 --trustAll --no-promptCheck that the host names are correct in the configuration and in the key stores by following the steps you used to check for host name problems. The only broken host name remaining should be in the key and trust stores for the administration connector.
$ keytool -list -v -keystore config/admin-truststore -storepass `cat config/admin-keystore.pin` |grep "^Owner:"Stop each server, and then fix the remaining admin connector certificate as described here in the procedure about changing server certificates.
By default OpenDJ logs information about all client operations in
logs/access. The following lines are wrapped for
readability, showing a search for the entry with
uid=bjensen as traced in the access log. In the access
log itself, each line starts with a time stamp.
As you see, each client connection and set of LDAP operations are traced, starting with a time stamp and information about the operation performed, then including information about the connection, the operation number for the sequence of operations performed by the client, a message identification number, and additional information about the operation.
Do help diagnose errors due to access permissions, OpenDJ supports the
get effective rights control. The control OID,
1.3.6.1.4.1.42.2.27.9.5.2, is not allowed by the default
global ACIs. You must therefore add access to use the get effective rights
control when not using it as Directory Manager.
For Solaris and some versions of Linux you might see a message in the OpenDJ access logs such as the following.
The request control with Object Identifier (OID) "1.2.840.113556.1.4.319" cannot be used due to insufficient access rights
This message means clients are trying to use the simple paged results control without authenticating. By default, OpenDJ includes a global ACI to allow only authenticated users to use the control.
To grant anonymous (unauthenticated) user access to the control,
add the OID for the simple paged results control to the list of those in
the Anonymous control access global ACI.
Alternatively, stop OpenDJ, edit the corresponding ACI carefully in
/path/to/OpenDJ/config/config.ldif, and restart OpenDJ.
[3]
Replication can generally recover from conflicts and transient issues. Replication does, however, require that update operations be copied from server to server. It is therefore possible to experience temporary delays while replicas converge, especially when the write operation load is heavy. OpenDJ's tolerance for temporary divergence between replicas is what allows OpenDJ to remain available to serve client applications even when networks linking the replicas go down.
In other words, the fact that directory services are loosely convergent rather than transactional is a feature, not a bug.
That said, you may encounter errors. Replication uses its own error log
file, logs/replication. Error messages in the log file
have category=SYNC. The messages have the following form.
Here the line is folded for readability.
OpenDJ maintains historical information about changes in order to
bring replicas up to date, and to resolve replication conflicts. To prevent
historical information from growing without limit, OpenDJ purges historical
information after a configurable delay
(replication-purge-delay, default: 3 days). A replica
can become irrevocably out of sync if you restore it from a backup archive
older than the purge delay, or if you stop it for longer than the purge
delay. If this happens to you, disable the replica, and then reinitialize it
from a recent backup or from a server that is up to date.
When you cannot resolve a problem yourself, and want to ask for help, clearly identify the problem and how you reproduce it, and also the version of OpenDJ you use to reproduce the problem. The version includes both a version number and also a build time stamp.
yyyymmddhhmmssZBe ready to provide additional information, too.
The output from the java -version command.
accessanderrorslogs showing what the server was doing when the problem started occurringA copy of the server configuration file,
config/config.ldif, in use when the problem started occurringOther relevant logs or output, such as those from client applications experiencing the problem
A description of the environment where OpenDJ is running, including system characteristics, host names, IP addresses, Java versions, storage characteristics, and network characteristics. This helps to understand the logs, and other information.
[3] Unlike the dsconfig command, the
config.ldif file is not a public interface. In this
particular case, however, the dsconfig command is such a
pain in the nether regions that you might as well edit the LDIF instead
(unless you are doing this in production).
- backup — back up OpenDJ directory data
- base64 — encode and decode base64 strings
- control-panel — start the OpenDJ graphical admin interface
- create-rc-script — script to manage OpenDJ as a service on UNIX
- dbtest — gather OpenDJ JE database debugging information
- dsconfig — manage OpenDJ directory server configuration
- dsframework — manage OpenDJ administration framework
- dsjavaproperties — apply OpenDJ Java home and JVM settings
- dsreplication — manage OpenDJ directory data replication
- encode-password — encode a password with an OpenDJ storage scheme
- export-ldif — export OpenDJ directory data in LDIF
- import-ldif — import OpenDJ directory data from LDIF
- ldapcompare — perform LDAP compare operations
- ldapdelete — perform LDAP delete operations
- ldapmodify — perform LDAP modify, add, delete, mod DN operations
- ldappasswordmodify — perform LDAP password modifications
- ldapsearch — perform LDAP search operations
- ldifdiff — compare small LDIF files
- ldifmodify — apply LDIF changes to LDIF
- ldifsearch — search LDIF with LDAP filters
- list-backends — list OpenDJ backends and base DNs
- make-ldif — generate test LDIF
- manage-account — manage state of directory server accounts
- manage-tasks — manage OpenDJ server administration tasks
- rebuild-index — rebuild index after configuration change
- restore — restore OpenDJ directory data backups
- setup — install OpenDJ directory server
- start-ds — start OpenDJ directory server
- status — display basic OpenDJ server information
- stop-ds — stop OpenDJ directory server
- uninstall — remove OpenDJ directory server software
- upgrade — upgrade OpenDJ directory server
- verify-index — check index for consistency or errors
Name
backup — back up OpenDJ directory data
Synopsis
backup {options}
Options
The following options are supported.
-a, --backUpAllBack up all backends in the server
-A, --hashGenerate a hash of the backup contents
-B, --incrementalBaseID {backupID}Backup ID of the source archive for an incremental backup.
-c, --compressCompress the backup content
-d, --backupDirectory {backupDir}Path to the target directory for the backup file(s)
-i, --incrementalPerform an incremental backup rather than a full backup
-I, --backupID {backupID}Use the provided identifier for the backup
-n, --backendID {backendName}Backend ID for the backend to archive
-s, --signHashSign the hash of the backup contents
-y, --encryptEncrypt the backup contents
Task Backend Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Task Scheduling Options
--completionNotify {emailAddress}Email address of a recipient to be notified when the task completes. This option may be specified more than once.
--dependency {taskID}ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
--errorNotify {emailAddress}Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
--failedDependencyAction {action}Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS, CANCEL, DISABLE. If not specified defaults to CANCEL.
--recurringTask {schedulePattern}Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
-t, --start {startTime}Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
Exit Codes
- 0
The command completed successfully.
- 1
An error occurred while parsing the command-line arguments.
Examples
The following example backs up all user data on the server.
The following example schedules back up of all user data every night at 2 AM, and notifies diradmin@example.com when finished, or on error.
Name
base64 — encode and decode base64 strings
Synopsis
base64 subcommand
Subcommands
The following subcommands are supported.
- base64 decode
Decode base64-encoded information into raw data
- base64 encode
Encode raw data using base64
Examples
The following command shows the changes from the external change log in human-readable format.
Name
control-panel — start the OpenDJ graphical admin interface
Synopsis
control-panel {options}
Description
This utility can be used to display the Control Panel window which displays basic server information and allows to do some basic administration tasks on the server.
Options
The following options are supported.
-r, --remoteConnect to a remote server
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --adminPasswordFile {bindPasswordFile}Global administrator password file
-p, --port {port}Directory server administration port number
Default value: 4444
-w, --adminPassword {bindPassword}Password for the global administrator
-X, --trustAllTrust all server SSL certificates
Name
create-rc-script — script to manage OpenDJ as a service on UNIX
Synopsis
create-rc-script {options}
Description
Create an RC script that may be used to start, stop, and restart the directory server on UNIX-based systems.
Options
The following options are supported.
-f, --outputFile {path}The path to the output file to create.
-j, --javaHome {path}The path to the Java installation that should be used to run the server.
-J, --javaArgs {args}A set of arguments that should be passed to the JVM when running the server.
-u, --userName {userName}The name of the user account under which the server should run.
Name
dbtest — gather OpenDJ JE database debugging information
Synopsis
dbtest subcommand [options]
Subcommands
The following subcommands are supported.
- dbtest dump-database-container
Dump records from a database container
- dbtest list-database-containers
List the database containers for an entry container
- dbtest list-entry-containers
List the entry containers for a root container
- dbtest list-index-status
List the status of indexes in an entry container
- dbtest list-root-containers
List the root containers used by all JE backends
Options
The following global options are supported.
For other options, see dbtest
subcommand --help.
--versionDisplay version information
-?, -H, --helpDisplay usage information
Examples
The following example displays debugging information about the
equality index for sudoUser.
Name
dsconfig — manage OpenDJ directory server configuration
Synopsis
dsconfig [ [options]subcommand]
Description
This utility serves to configure a running directory server.
The dsconfig command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, dsconfig prompts you for administration connection information, including the host name, administration port number, administrator bind DN and administrator password. The dsconfig command then connects securely to the directory server over the administration port. Once connected it presents you with a menu-driven interface to the server configuration.
When you pass connection information, subcommands, and additional
options to dsconfig, the command runs in script mode and
so is not interactive, though it can prompt you to ask whether to apply
changes and whether to trust certificates (unless you use the
--no-prompt and --trustAll options,
respectively).
You can prepare dsconfig batch scripts by running
the tool with the --commandFilePath option in interactive
mode, then reading from the batch file with the --batchFile
option in script mode. Batch files can be useful when you have many
dsconfig commands to run and want to avoid starting
the JVM and setting up a new connection for each command.
The dsconfig command categorizes directory server configuration into components, also called managed objects. Actual components often inherit from a parent component type. For example, one component is a Connection Handler. An LDAP Connection Handler is a type of Connection Handler. You configure the LDAP Connection Handler component to specify how OpenDJ directory server handles LDAP connections coming from client applications.
Configuration components have properties.
For example, the LDAP Connection Handler component has properties such as
listen-port and allow-start-tls. You
can set the component's listen-port property to
389 to use the default LDAP port number. You can set the
component's allow-start-tls property to
true to permit LDAP client applications to use StartTLS.
Much of the configuration you do with dsconfig involves
setting component properties. The OpenDJ Configuration Reference covers all
dsconfig component properties in detail, drawing on the
documentation you also view when getting help through the
dsconfig command.
Getting Help
The dsconfig command provides many subcommands. Use the following options to view help for subcommands.
See dsconfig Subcommands for details of individual subcommands.
- dsconfig --help-all
Display all subcommands
- dsconfig --help-core-server
Display subcommands relating to core server
- dsconfig --help-database
Display subcommands relating to caching and back-ends
- dsconfig --help-logging
Display subcommands relating to logging
- dsconfig --help-replication
Display subcommands relating to replication
- dsconfig --help-security
Display subcommands relating to authentication and authorization
- dsconfig --help-user-management
Display subcommands relating to user management
For help with individual subcommands, either use dsconfig
subcommand --help, or start
dsconfig in interactive mode, without specifying a
subcommand.
To view component properties, use the dsconfig list-properties command.
Generally Applicable Options
The following options are supported for all dsconfig subcommands.
--advancedAllows the configuration of advanced components and properties
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-I, --adminUID {adminUID}User ID of the global administrator to use to bind to the server. For the enable subcommand, if no global administrator was defined previously for any servers, the global administrator will be created using the UID provided.
Default value: admin
-j, --adminPasswordFile {bindPasswordFile}Global administrator password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
Default value: /path/to/OpenDJ/config/admin-truststore
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --adminPassword {bindPassword}Password for the global administrator
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Utility Input/Output Options
--commandFilePath {path}The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.
--displayCommandDisplay the equivalent non-interactive option on standard output when this command is run in interactive mode.
-F, --batchFilePath {batchFilePath}Path to a batch file containing a set of dsconfig commands to be executed
-n, --no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the command exits with an error.
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-Q, --quietDo not write progress information to standard output
-s, --script-friendlyUse script-friendly mode
-v, --verboseUse verbose mode
dsconfig Subcommands
This section covers individual dsconfig subcommands.
Subcommands let you create, list, and delete entire configuration components, and also let you get and set component properties. Subcommands therefore have names that reflect these five actions.
create-
componentlist-
componentsdelete-
componentget-
component-propset-
component-prop
Component properties for the dsconfig command are covered in the OpenDJ Configuration Reference.
Many subcommands let you set property values. Notice in the reference
for the subcommands below that specific options are available for handling
multi-valued properties. Whereas you can assign a single property value using
the --set option, you assign multiple values to a
multi-valued property using the --add option. You can reset
the values of the multi-valued property using the --reset
option.
dsconfig create-access-log-filtering-criteria
Creates Access Log Filtering Criteria
--publisher-name {name}The name of the Access Log Publisher
--criteria-name {name}The name of the new Access Log Filtering Criteria
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Access Log Filtering Criteria which should be created (Default: generic). The value for TYPE can be one of: generic
dsconfig create-account-status-notification-handler
Creates Account Status Notification Handlers
--handler-name {name}The name of the new Account Status Notification Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Account Status Notification Handler which should be created. The value for TYPE can be one of: custom | error-log | smtp
dsconfig create-alert-handler
Creates Alert Handlers
--handler-name {name}The name of the new Alert Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Alert Handler which should be created. The value for TYPE can be one of: custom | jmx | smtp
dsconfig create-attribute-syntax
Creates Attribute Syntaxes
--syntax-name {name}The name of the new Attribute Syntax
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Attribute Syntax which should be created (Default: generic). The value for TYPE can be one of: attribute-type-description | directory-string | generic | telephone-number
dsconfig create-backend
Creates Backends
--backend-name {STRING}The name of the new Backend which will also be used as the value of the "backend-id" property: Specifies a name to identify the associated backend.
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Backend which should be created. The value for TYPE can be one of: backup | config-file-handler | custom | ldif | local-db | memory | monitor | null | schema | task | trust-store
dsconfig create-certificate-mapper
Creates Certificate Mappers
--mapper-name {name}The name of the new Certificate Mapper
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Certificate Mapper which should be created. The value for TYPE can be one of: custom | fingerprint | subject-attribute-to-user-attribute | subject-dn-to-user-attribute | subject-equals-dn
dsconfig create-connection-handler
Creates Connection Handlers
--handler-name {name}The name of the new Connection Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Connection Handler which should be created. The value for TYPE can be one of: custom | jmx | ldap | ldif | snmp
dsconfig create-debug-target
Creates Debug Targets
--publisher-name {name}The name of the Debug Log Publisher
--target-name {STRING}The name of the new Debug Target which will also be used as the value of the "debug-scope" property: Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Debug Target which should be created (Default: generic). The value for TYPE can be one of: generic
dsconfig create-entry-cache
Creates Entry Caches
--cache-name {name}The name of the new Entry Cache
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Entry Cache which should be created. The value for TYPE can be one of: custom | fifo | file-system | soft-reference
dsconfig create-extended-operation-handler
Creates Extended Operation Handlers
--handler-name {name}The name of the new Extended Operation Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Extended Operation Handler which should be created. The value for TYPE can be one of: cancel | custom | get-connection-id | get-symmetric-key | password-modify | password-policy-state | start-tls | who-am-i
dsconfig create-group-implementation
Creates Group Implementations
--implementation-name {name}The name of the new Group Implementation
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Group Implementation which should be created. The value for TYPE can be one of: custom | dynamic | static | virtual-static
dsconfig create-identity-mapper
Creates Identity Mappers
--mapper-name {name}The name of the new Identity Mapper
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Identity Mapper which should be created. The value for TYPE can be one of: custom | exact-match | regular-expression
dsconfig create-key-manager-provider
Creates Key Manager Providers
--provider-name {name}The name of the new Key Manager Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Key Manager Provider which should be created. The value for TYPE can be one of: custom | file-based | pkcs11
dsconfig create-local-db-index
Creates Local DB Indexes
--backend-name {name}The name of the Local DB Backend
--index-name {OID}The name of the new Local DB Index which will also be used as the value of the "attribute" property: Specifies the name of the attribute for which the index is to be maintained.
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Local DB Index which should be created (Default: generic). The value for TYPE can be one of: generic
dsconfig create-local-db-vlv-index
Creates Local DB VLV Indexes
--backend-name {name}The name of the Local DB Backend
--index-name {STRING}The name of the new Local DB VLV Index which will also be used as the value of the "name" property: Specifies a unique name for this VLV index.
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Local DB VLV Index which should be created (Default: generic). The value for TYPE can be one of: generic
dsconfig create-log-publisher
Creates Log Publishers
--publisher-name {name}The name of the new Log Publisher
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Log Publisher which should be created. The value for TYPE can be one of: custom-access | custom-debug | custom-error | file-based-access | file-based-audit | file-based-debug | file-based-error
dsconfig create-log-retention-policy
Creates Log Retention Policies
--policy-name {name}The name of the new Log Retention Policy
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Log Retention Policy which should be created. The value for TYPE can be one of: custom | file-count | free-disk-space | size-limit
dsconfig create-log-rotation-policy
Creates Log Rotation Policies
--policy-name {name}The name of the new Log Rotation Policy
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Log Rotation Policy which should be created. The value for TYPE can be one of: custom | fixed-time | size-limit | time-limit
dsconfig create-matching-rule
Creates Matching Rules
--rule-name {name}The name of the new Matching Rule
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Matching Rule which should be created (Default: generic). The value for TYPE can be one of: collation | generic
dsconfig create-monitor-provider
Creates Monitor Providers
--provider-name {name}The name of the new Monitor Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Monitor Provider which should be created. The value for TYPE can be one of: client-connection | custom | entry-cache | memory-usage | stack-trace | system-info | version
dsconfig create-password-generator
Creates Password Generators
--generator-name {name}The name of the new Password Generator
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Password Generator which should be created. The value for TYPE can be one of: custom | random
dsconfig create-password-policy
Creates Authentication Policies
--policy-name {name}The name of the new Authentication Policy
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Authentication Policy which should be created. The value for TYPE can be one of: ldap-pass-through | password-policy
dsconfig create-password-storage-scheme
Creates Password Storage Schemes
--scheme-name {name}The name of the new Password Storage Scheme
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Password Storage Scheme which should be created. The value for TYPE can be one of: aes | base64 | blowfish | clear | crypt | custom | md5 | rc4 | salted-md5 | salted-sha1 | salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des
dsconfig create-password-validator
Creates Password Validators
--validator-name {name}The name of the new Password Validator
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Password Validator which should be created. The value for TYPE can be one of: attribute-value | character-set | custom | dictionary | length-based | repeated-characters | similarity-based | unique-characters
dsconfig create-plugin
Creates Plugins
--plugin-name {name}The name of the new Plugin
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Plugin which should be created. The value for TYPE can be one of: attribute-cleanup | change-number-control | custom | entry-uuid | fractional-ldif-import | last-mod | ldap-attribute-description-list | password-policy-import | profiler | referential-integrity | samba-password | seven-bit-clean | unique-attribute
dsconfig create-replication-domain
Creates Replication Domains
--provider-name {name}The name of the Replication Synchronization Provider
--domain-name {name}The name of the new Replication Domain
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Replication Domain which should be created (Default: generic). The value for TYPE can be one of: generic
dsconfig create-replication-server
Creates Replication Servers
--provider-name {name}The name of the Replication Synchronization Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Replication Server which should be created (Default: generic). The value for TYPE can be one of: generic
dsconfig create-sasl-mechanism-handler
Creates SASL Mechanism Handlers
--handler-name {name}The name of the new SASL Mechanism Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of SASL Mechanism Handler which should be created. The value for TYPE can be one of: anonymous | cram-md5 | custom | digest-md5 | external | gssapi | plain
dsconfig create-synchronization-provider
Creates Synchronization Providers
--provider-name {name}The name of the new Synchronization Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Synchronization Provider which should be created. The value for TYPE can be one of: custom | replication
dsconfig create-trust-manager-provider
Creates Trust Manager Providers
--provider-name {name}The name of the new Trust Manager Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Trust Manager Provider which should be created. The value for TYPE can be one of: blind | custom | file-based
dsconfig create-virtual-attribute
Creates Virtual Attributes
--name {name}The name of the new Virtual Attribute
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
-t | --type {type}The type of Virtual Attribute which should be created. The value for TYPE can be one of: collective-attribute-subentries | custom | entry-dn | entry-uuid | governing-structure-rule | has-subordinates | is-member-of | member | num-subordinates | password-policy-subentry | structural-object-class | subschema-subentry | user-defined
dsconfig delete-access-log-filtering-criteria
Deletes Access Log Filtering Criteria
--publisher-name {name}The name of the Access Log Publisher
--criteria-name {name}The name of the Access Log Filtering Criteria
-f | --forceIgnore non-existent Access Log Filtering Criteria
dsconfig delete-account-status-notification-handler
Deletes Account Status Notification Handlers
--handler-name {name}The name of the Account Status Notification Handler
-f | --forceIgnore non-existent Account Status Notification Handlers
dsconfig delete-alert-handler
Deletes Alert Handlers
--handler-name {name}The name of the Alert Handler
-f | --forceIgnore non-existent Alert Handlers
dsconfig delete-attribute-syntax
Deletes Attribute Syntaxes
--syntax-name {name}The name of the Attribute Syntax
-f | --forceIgnore non-existent Attribute Syntaxes
dsconfig delete-backend
Deletes Backends
--backend-name {name}The name of the Backend
-f | --forceIgnore non-existent Backends
dsconfig delete-certificate-mapper
Deletes Certificate Mappers
--mapper-name {name}The name of the Certificate Mapper
-f | --forceIgnore non-existent Certificate Mappers
dsconfig delete-connection-handler
Deletes Connection Handlers
--handler-name {name}The name of the Connection Handler
-f | --forceIgnore non-existent Connection Handlers
dsconfig delete-debug-target
Deletes Debug Targets
--publisher-name {name}The name of the Debug Log Publisher
--target-name {name}The name of the Debug Target
-f | --forceIgnore non-existent Debug Targets
dsconfig delete-entry-cache
Deletes Entry Caches
--cache-name {name}The name of the Entry Cache
-f | --forceIgnore non-existent Entry Caches
dsconfig delete-extended-operation-handler
Deletes Extended Operation Handlers
--handler-name {name}The name of the Extended Operation Handler
-f | --forceIgnore non-existent Extended Operation Handlers
dsconfig delete-group-implementation
Deletes Group Implementations
--implementation-name {name}The name of the Group Implementation
-f | --forceIgnore non-existent Group Implementations
dsconfig delete-identity-mapper
Deletes Identity Mappers
--mapper-name {name}The name of the Identity Mapper
-f | --forceIgnore non-existent Identity Mappers
dsconfig delete-key-manager-provider
Deletes Key Manager Providers
--provider-name {name}The name of the Key Manager Provider
-f | --forceIgnore non-existent Key Manager Providers
dsconfig delete-local-db-index
Deletes Local DB Indexes
--backend-name {name}The name of the Local DB Backend
--index-name {name}The name of the Local DB Index
-f | --forceIgnore non-existent Local DB Indexes
dsconfig delete-local-db-vlv-index
Deletes Local DB VLV Indexes
--backend-name {name}The name of the Local DB Backend
--index-name {name}The name of the Local DB VLV Index
-f | --forceIgnore non-existent Local DB VLV Indexes
dsconfig delete-log-publisher
Deletes Log Publishers
--publisher-name {name}The name of the Log Publisher
-f | --forceIgnore non-existent Log Publishers
dsconfig delete-log-retention-policy
Deletes Log Retention Policies
--policy-name {name}The name of the Log Retention Policy
-f | --forceIgnore non-existent Log Retention Policies
dsconfig delete-log-rotation-policy
Deletes Log Rotation Policies
--policy-name {name}The name of the Log Rotation Policy
-f | --forceIgnore non-existent Log Rotation Policies
dsconfig delete-matching-rule
Deletes Matching Rules
--rule-name {name}The name of the Matching Rule
-f | --forceIgnore non-existent Matching Rules
dsconfig delete-monitor-provider
Deletes Monitor Providers
--provider-name {name}The name of the Monitor Provider
-f | --forceIgnore non-existent Monitor Providers
dsconfig delete-password-generator
Deletes Password Generators
--generator-name {name}The name of the Password Generator
-f | --forceIgnore non-existent Password Generators
dsconfig delete-password-policy
Deletes Authentication Policies
--policy-name {name}The name of the Authentication Policy
-f | --forceIgnore non-existent Authentication Policies
dsconfig delete-password-storage-scheme
Deletes Password Storage Schemes
--scheme-name {name}The name of the Password Storage Scheme
-f | --forceIgnore non-existent Password Storage Schemes
dsconfig delete-password-validator
Deletes Password Validators
--validator-name {name}The name of the Password Validator
-f | --forceIgnore non-existent Password Validators
dsconfig delete-plugin
Deletes Plugins
--plugin-name {name}The name of the Plugin
-f | --forceIgnore non-existent Plugins
dsconfig delete-replication-domain
Deletes Replication Domains
--provider-name {name}The name of the Replication Synchronization Provider
--domain-name {name}The name of the Replication Domain
-f | --forceIgnore non-existent Replication Domains
dsconfig delete-replication-server
Deletes Replication Servers
--provider-name {name}The name of the Replication Synchronization Provider
-f | --forceIgnore non-existent Replication Servers
dsconfig delete-sasl-mechanism-handler
Deletes SASL Mechanism Handlers
--handler-name {name}The name of the SASL Mechanism Handler
-f | --forceIgnore non-existent SASL Mechanism Handlers
dsconfig delete-synchronization-provider
Deletes Synchronization Providers
--provider-name {name}The name of the Synchronization Provider
-f | --forceIgnore non-existent Synchronization Providers
dsconfig delete-trust-manager-provider
Deletes Trust Manager Providers
--provider-name {name}The name of the Trust Manager Provider
-f | --forceIgnore non-existent Trust Manager Providers
dsconfig delete-virtual-attribute
Deletes Virtual Attributes
--name {name}The name of the Virtual Attribute
-f | --forceIgnore non-existent Virtual Attributes
dsconfig get-access-control-handler-prop
Shows Access Control Handler properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-access-log-filtering-criteria-prop
Shows Access Log Filtering Criteria properties
--publisher-name {name}The name of the Access Log Publisher
--criteria-name {name}The name of the Access Log Filtering Criteria
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-account-status-notification-handler-prop
Shows Account Status Notification Handler properties
--handler-name {name}The name of the Account Status Notification Handler
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-administration-connector-prop
Shows Administration Connector properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-alert-handler-prop
Shows Alert Handler properties
--handler-name {name}The name of the Alert Handler
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-attribute-syntax-prop
Shows Attribute Syntax properties
--syntax-name {name}The name of the Attribute Syntax
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-backend-prop
Shows Backend properties
--backend-name {name}The name of the Backend
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-certificate-mapper-prop
Shows Certificate Mapper properties
--mapper-name {name}The name of the Certificate Mapper
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-connection-handler-prop
Shows Connection Handler properties
--handler-name {name}The name of the Connection Handler
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-crypto-manager-prop
Shows Crypto Manager properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-debug-target-prop
Shows Debug Target properties
--publisher-name {name}The name of the Debug Log Publisher
--target-name {name}The name of the Debug Target
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-entry-cache-prop
Shows Entry Cache properties
--cache-name {name}The name of the Entry Cache
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-extended-operation-handler-prop
Shows Extended Operation Handler properties
--handler-name {name}The name of the Extended Operation Handler
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-external-changelog-domain-prop
Shows External Changelog Domain properties
--provider-name {name}The name of the Replication Synchronization Provider
--domain-name {name}The name of the Replication Domain
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-global-configuration-prop
Shows Global Configuration properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-group-implementation-prop
Shows Group Implementation properties
--implementation-name {name}The name of the Group Implementation
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-identity-mapper-prop
Shows Identity Mapper properties
--mapper-name {name}The name of the Identity Mapper
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-key-manager-provider-prop
Shows Key Manager Provider properties
--provider-name {name}The name of the Key Manager Provider
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-local-db-index-prop
Shows Local DB Index properties
--backend-name {name}The name of the Local DB Backend
--index-name {name}The name of the Local DB Index
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-local-db-vlv-index-prop
Shows Local DB VLV Index properties
--backend-name {name}The name of the Local DB Backend
--index-name {name}The name of the Local DB VLV Index
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-log-publisher-prop
Shows Log Publisher properties
--publisher-name {name}The name of the Log Publisher
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-log-retention-policy-prop
Shows Log Retention Policy properties
--policy-name {name}The name of the Log Retention Policy
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-log-rotation-policy-prop
Shows Log Rotation Policy properties
--policy-name {name}The name of the Log Rotation Policy
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-matching-rule-prop
Shows Matching Rule properties
--rule-name {name}The name of the Matching Rule
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-monitor-provider-prop
Shows Monitor Provider properties
--provider-name {name}The name of the Monitor Provider
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-password-generator-prop
Shows Password Generator properties
--generator-name {name}The name of the Password Generator
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-password-policy-prop
Shows Authentication Policy properties
--policy-name {name}The name of the Authentication Policy
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-password-storage-scheme-prop
Shows Password Storage Scheme properties
--scheme-name {name}The name of the Password Storage Scheme
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-password-validator-prop
Shows Password Validator properties
--validator-name {name}The name of the Password Validator
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-plugin-prop
Shows Plugin properties
--plugin-name {name}The name of the Plugin
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-plugin-root-prop
Shows Plugin Root properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-replication-domain-prop
Shows Replication Domain properties
--provider-name {name}The name of the Replication Synchronization Provider
--domain-name {name}The name of the Replication Domain
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-replication-server-prop
Shows Replication Server properties
--provider-name {name}The name of the Replication Synchronization Provider
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-root-dn-prop
Shows Root DN properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-root-dse-backend-prop
Shows Root DSE Backend properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-sasl-mechanism-handler-prop
Shows SASL Mechanism Handler properties
--handler-name {name}The name of the SASL Mechanism Handler
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-synchronization-provider-prop
Shows Synchronization Provider properties
--provider-name {name}The name of the Synchronization Provider
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-trust-manager-provider-prop
Shows Trust Manager Provider properties
--provider-name {name}The name of the Trust Manager Provider
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-virtual-attribute-prop
Shows Virtual Attribute properties
--name {name}The name of the Virtual Attribute
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig get-work-queue-prop
Shows Work Queue properties
--property {property}The name of a property to be displayed
-E | --recordModifies the display output to show one property value per line
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-access-log-filtering-criteria
Lists existing Access Log Filtering Criteria
--publisher-name {name}The name of the Access Log Publisher
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-account-status-notification-handlers
Lists existing Account Status Notification Handlers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-alert-handlers
Lists existing Alert Handlers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-attribute-syntaxes
Lists existing Attribute Syntaxes
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-backends
Lists existing Backends
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-certificate-mappers
Lists existing Certificate Mappers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-connection-handlers
Lists existing Connection Handlers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-debug-targets
Lists existing Debug Targets
--publisher-name {name}The name of the Debug Log Publisher
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-entry-caches
Lists existing Entry Caches
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-extended-operation-handlers
Lists existing Extended Operation Handlers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-group-implementations
Lists existing Group Implementations
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-identity-mappers
Lists existing Identity Mappers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-key-manager-providers
Lists existing Key Manager Providers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-local-db-indexes
Lists existing Local DB Indexes
--backend-name {name}The name of the Local DB Backend
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-local-db-vlv-indexes
Lists existing Local DB VLV Indexes
--backend-name {name}The name of the Local DB Backend
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-log-publishers
Lists existing Log Publishers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-log-retention-policies
Lists existing Log Retention Policies
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-log-rotation-policies
Lists existing Log Rotation Policies
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-matching-rules
Lists existing Matching Rules
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-monitor-providers
Lists existing Monitor Providers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-password-generators
Lists existing Password Generators
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-password-policies
Lists existing Password Policies
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-password-storage-schemes
Lists existing Password Storage Schemes
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-password-validators
Lists existing Password Validators
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-plugins
Lists existing Plugins
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-properties
Describes managed objects and their properties
-c | --category {category}The category of components whose properties should be described
-t | --type {type}The type of components whose properties should be described. The value for TYPE must be one of the component types associated with the CATEGORY specified using the "--category" option
--inheritedModifies the display output to show the inherited properties of components
--property {property}The name of a property to be displayed
dsconfig list-replication-domains
Lists existing Replication Domains
--provider-name {name}The name of the Replication Synchronization Provider
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-replication-server
Lists existing Replication Server
--provider-name {name}The name of the Replication Synchronization Provider
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-sasl-mechanism-handlers
Lists existing SASL Mechanism Handlers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-synchronization-providers
Lists existing Synchronization Providers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-trust-manager-providers
Lists existing Trust Manager Providers
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig list-virtual-attributes
Lists existing Virtual Attributes
--property {property}The name of a property to be displayed
-z | --unit-size {unit}Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes)
-m | --unit-time {unit}Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks)
dsconfig set-access-control-handler-prop
Modifies Access Control Handler properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-access-log-filtering-criteria-prop
Modifies Access Log Filtering Criteria properties
--publisher-name {name}The name of the Access Log Publisher
--criteria-name {name}The name of the Access Log Filtering Criteria
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-account-status-notification-handler-prop
Modifies Account Status Notification Handler properties
--handler-name {name}The name of the Account Status Notification Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-administration-connector-prop
Modifies Administration Connector properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-alert-handler-prop
Modifies Alert Handler properties
--handler-name {name}The name of the Alert Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-attribute-syntax-prop
Modifies Attribute Syntax properties
--syntax-name {name}The name of the Attribute Syntax
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-backend-prop
Modifies Backend properties
--backend-name {name}The name of the Backend
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-certificate-mapper-prop
Modifies Certificate Mapper properties
--mapper-name {name}The name of the Certificate Mapper
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-connection-handler-prop
Modifies Connection Handler properties
--handler-name {name}The name of the Connection Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-crypto-manager-prop
Modifies Crypto Manager properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-debug-target-prop
Modifies Debug Target properties
--publisher-name {name}The name of the Debug Log Publisher
--target-name {name}The name of the Debug Target
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-entry-cache-prop
Modifies Entry Cache properties
--cache-name {name}The name of the Entry Cache
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-extended-operation-handler-prop
Modifies Extended Operation Handler properties
--handler-name {name}The name of the Extended Operation Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-external-changelog-domain-prop
Modifies External Changelog Domain properties
--provider-name {name}The name of the Replication Synchronization Provider
--domain-name {name}The name of the Replication Domain
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-global-configuration-prop
Modifies Global Configuration properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-group-implementation-prop
Modifies Group Implementation properties
--implementation-name {name}The name of the Group Implementation
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-identity-mapper-prop
Modifies Identity Mapper properties
--mapper-name {name}The name of the Identity Mapper
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-key-manager-provider-prop
Modifies Key Manager Provider properties
--provider-name {name}The name of the Key Manager Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-local-db-index-prop
Modifies Local DB Index properties
--backend-name {name}The name of the Local DB Backend
--index-name {name}The name of the Local DB Index
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-local-db-vlv-index-prop
Modifies Local DB VLV Index properties
--backend-name {name}The name of the Local DB Backend
--index-name {name}The name of the Local DB VLV Index
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-log-publisher-prop
Modifies Log Publisher properties
--publisher-name {name}The name of the Log Publisher
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-log-retention-policy-prop
Modifies Log Retention Policy properties
--policy-name {name}The name of the Log Retention Policy
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-log-rotation-policy-prop
Modifies Log Rotation Policy properties
--policy-name {name}The name of the Log Rotation Policy
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-matching-rule-prop
Modifies Matching Rule properties
--rule-name {name}The name of the Matching Rule
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-monitor-provider-prop
Modifies Monitor Provider properties
--provider-name {name}The name of the Monitor Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-password-generator-prop
Modifies Password Generator properties
--generator-name {name}The name of the Password Generator
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-password-policy-prop
Modifies Authentication Policy properties
--policy-name {name}The name of the Authentication Policy
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-password-storage-scheme-prop
Modifies Password Storage Scheme properties
--scheme-name {name}The name of the Password Storage Scheme
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-password-validator-prop
Modifies Password Validator properties
--validator-name {name}The name of the Password Validator
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-plugin-prop
Modifies Plugin properties
--plugin-name {name}The name of the Plugin
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-plugin-root-prop
Modifies Plugin Root properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-replication-domain-prop
Modifies Replication Domain properties
--provider-name {name}The name of the Replication Synchronization Provider
--domain-name {name}The name of the Replication Domain
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-replication-server-prop
Modifies Replication Server properties
--provider-name {name}The name of the Replication Synchronization Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-root-dn-prop
Modifies Root DN properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-root-dse-backend-prop
Modifies Root DSE Backend properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-sasl-mechanism-handler-prop
Modifies SASL Mechanism Handler properties
--handler-name {name}The name of the SASL Mechanism Handler
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-synchronization-provider-prop
Modifies Synchronization Provider properties
--provider-name {name}The name of the Synchronization Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-trust-manager-provider-prop
Modifies Trust Manager Provider properties
--provider-name {name}The name of the Trust Manager Provider
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-virtual-attribute-prop
Modifies Virtual Attribute properties
--name {name}The name of the Virtual Attribute
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
dsconfig set-work-queue-prop
Modifies Work Queue properties
--set {PROP:VALUE}Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it
--reset {property}Resets a property back to its default values where PROP is the name of the property to be reset
--add {PROP:VALUE}Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added
--remove {PROP:VALUE}Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed
Examples
Much of the OpenDJ Administration Guide consists of dsconfig examples with text in between. This section therefore remains short.
The following example starts dsconfig in interactive, menu-driven mode on the default port of the current host.
The following examples demonstrates generating a batch file that corresponds to an interactive session enabling the debug log. The example then demonstates using a modified batch file to disable the debug log.
Notice that the original command file looks like a shell script with
the bind password value replaced by asterisks. To pass the content as a batch
file to dsconfig, strip dsconfig
itself, and include the bind password for the administrative user (or
replace that option with an alternative, such as reading the password from
a file).
Name
dsframework — manage OpenDJ administration framework
Synopsis
dsframework subcommand
Description
This utility can be used to perform operations in the directory server administration framework.
This utility has no interactive mode. Consider using -X
if you authenticate over a secure connection protected with a self-signed
certificate.
Subcommands
The dsconfig command provides many subcommands. Use the following options to view help for subcommands.
--help-allDisplay all subcommands
--help-admin-userDisplay subcommands relating to admin-user
--help-serverDisplay subcommands relating to server
--help-server-groupDisplay subcommands relating to server-group
For help with individual subcommands, use dsframework
subcommand --help.
Options
The following options are supported.
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-I, --adminUID {adminUID}User ID of the global administrator to use to bind to the server. For the enable subcommand, if no global administrator was defined previously for any servers, the global administrator will be created using the UID provided.
Default value: admin
-j, --adminPasswordFile {bindPasswordFile}Global administrator password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
Default value: /path/to/OpenDJ/config/admin-truststore
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --adminPassword {bindPassword}Password for the global administrator
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Examples
This example lists server properties.
Name
dsjavaproperties — apply OpenDJ Java home and JVM settings
Synopsis
dsjavaproperties [options]
Description
This utility can be used to change the Java arguments and Java home that are used by other server commands.
Before launching the command, edit the properties file located in
/path/to/OpenDJ/config/java.properties to specify the
Java arguments and Java home. When you have edited the properties file, run
this command for the changes to be taken into account.
Changes apply to the current server installation. No modifications are made to your environment variables.
Name
dsreplication — manage OpenDJ directory data replication
Synopsis
dsreplication subcommand
Description
This utility can be used to configure replication between servers so that the data of the servers is synchronized. For replication to work you must first enable replication using the enable subcommand and then initialize the contents of one of the servers with the contents of the other using the initialize subcommand.
Subcommands
The following subcommands are supported.
- disable
Disable replication on the specified server for the provided base DN and removes references in the other servers with which it is replicating data.
- enable
Update the configuration of the servers to replicate the data under the specified base DN. If one of the specified servers is already replicating the data under the base DN with other servers, executing this subcommand will update the configuration of all the servers. Thus it is sufficient to execute the command line once for each server added to the replication topology.
- initialize
Initialize the contents of the data under the specified base DN on the destination server with the contents on the source server. This operation is required after enabling replication in order replication to work. initialize-all can also be used for this purpose.
- initialize-all
Initialize the contents of the data under the specified base DN on all the servers whose contents are being replicated with the contents on the specified server. This operation is required after enabling replication for replication to work. Run initialize for each server to achieve the same effect.
- post-external-initialization
This subcommand must be called after initializing the contents of all the replicated servers using the import-ldif command, or by copying the database. You must specify the list of base DNs that have been initialized, and you must provide the credentials of any of the servers that are being replicated. See pre-external-initialization --help for more information.
- pre-external-initialization
This subcommand must be called before initializing the contents of all the replicated servers using the import-ldif command, or by copying the database. You must specify the list of base DNs that have been initialized, and you must provide the credentials of any of the servers that are being replicated. After calling this subcommand, initialize the contents of all the servers in the topology, either by using the same LDIF file or by copying the database to each of the servers, then call the post-external-initialization subcommand.
- purge-historical
Launch a purge processing of the historical information stored in the user entries by replication. Since this processing may take a while, you must specify a maximum duration.
- status
Display a list with the basic replication configuration of the base DNs of the servers defined in the registration information. If no base DNs are specified as parameter, information for all base DNs is displayed.
Options
The following options are supported.
--advancedAccess advanced settings when running this command in interactive mode.
-b, --baseDN {baseDN}Base DN of the data to be replicated, initialized or for which you want to disable replication. Multiple base DNs can be provided by using this option multiple times.
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-I, --adminUID {adminUID}User ID of the global administrator to use to bind to the server. For the enable subcommand, if no global administrator was defined previously for any servers, the global administrator will be created using the UID provided.
Default value: admin
-j, --adminPasswordFile {bindPasswordFile}Global administrator password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
Default value: /path/to/OpenDJ/config/admin-truststore
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --adminPassword {bindPassword}Password for the global administrator
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Utility Input/Output Options
--commandFilePath {path}The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.
--displayCommandDisplay the equivalent non-interactive option on standard output when this command is run in interactive mode.
-n, --no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the command exits with an error.
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-Q, --quietDo not write progress information to standard output
Examples
The following example enables and then initializes replication for a new replica whose admin port is 5444 from an existing replica whose admin port is 4444.
Name
encode-password — encode a password with an OpenDJ storage scheme
Synopsis
encode-password {options}
Description
This utility can be used to encode user passwords with a specified storage scheme, or to determine whether a given clear-text value matches a provided encoded password.
Options
The following global options are supported.
-a, --authPasswordSyntaxUse the authentication password syntax rather than the user password syntax.
-c, --clearPassword {clearPW}Clear-text password to encode or to compare against an encoded password.
-e, --encodedPassword {encodedPW}Encoded password to compare against the clear-text password.
-E, --encodedPasswordFile {file}Encoded password file.
-f, --clearPasswordFile {file}Clear-text password file.
-i, --interactivePasswordThe password to encode or to compare against an encoded password is interactively asked to the user.
-l, --listSchemesList available password storage schemes.
-r, --useCompareResultCodeUse the LDAP compare result as an exit code for the password comparison.
-s, --storageScheme {scheme}Scheme to use for the encoded password.
-V, --versionDisplay version information.
-?, -H, --helpDisplay usage information.
Exit Codes
- 0
The command completed successfully.
- 5
The
-roption was used, and the compare did not match.- 6
The
-roption was used, and the compare did match.- other
An error occurred.
Examples
The following example encodes a password, and also shows comparison of a password with the encoded value.
Name
export-ldif — export OpenDJ directory data in LDIF
Synopsis
export-ldif {options}
Options
The following options are supported.
-a, --appendToLDIFAppend an existing LDIF file rather than overwriting it.
-b, --includeBranch {branchDN}Base DN of a branch to include in the LDIF export.
-B, --excludeBranch {branchDN}Base DN of a branch to exclude from the LDIF export.
-c, --compressCompress the LDIF data as it is exported.
-e, --excludeAttribute {attribute}Attribute to exclude from the LDIF export.
-E, --excludeFilter {filter}Filter to identify entries to exclude from the LDIF export.
-i, --includeAttribute {attribute}Attribute to include in the LDIF export.
-I, --includeFilter {filter}Filter to identify entries to include in the LDIF export.
-l, --ldifFile {ldifFile}Path to the LDIF file to be written.
-n, --backendID {backendName}Backend ID for the backend to export.
-O, --excludeOperationalExclude operational attributes from the LDIF export.
--wrapColumn {wrapColumn}Column at which to wrap long lines (0 for no wrapping).
Default value: 0
Task Backend Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Task Scheduling Options
--completionNotify {emailAddress}Email address of a recipient to be notified when the task completes. This option may be specified more than once.
--dependency {taskID}ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
--errorNotify {emailAddress}Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
--failedDependencyAction {action}Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS, CANCEL, DISABLE. If not specified defaults to CANCEL.
--recurringTask {schedulePattern}Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
-t, --start {startTime}Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
Examples
The following example exports data to a file,
Example.ldif, with the server offline.
Name
import-ldif — import OpenDJ directory data from LDIF
Synopsis
import-ldif {options}
Options
The following options are supported.
-a, --appendToLDIFAppend an existing LDIF file rather than overwriting it.
-A, --templateFile {templateFile}Path to a MakeLDIF template to use to generate the import data.
-b, --includeBranch {branchDN}Base DN of a branch to include in the LDIF import.
-B, --excludeBranch {branchDN}Base DN of a branch to exclude from the LDIF import.
-c, --isCompressedLDIF file is compressed.
--countRejectsCount the number of entries rejected by the server and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).
-e, --excludeAttribute {attribute}Attribute to exclude from the LDIF import.
-E, --excludeFilter {filter}Filter to identify entries to exclude from the LDIF import.
-F, --clearBackendRemove all entries for all base DNs in the backend before importing.
-i, --includeAttribute {attribute}Attribute to include in the LDIF import.
-I, --includeFilter {filter}Filter to identify entries to include in the LDIF import.
-l, --ldifFile {ldifFile}Path to the LDIF file to be imported.
-n, --backendID {backendName}Backend ID for the backend to import.
-O, --overwriteOverwrite an existing rejects and/or skip file rather than appending to it.
-r, --replaceExistingReplace existing entries when appending to the database.
-R, --rejectFile {rejectFile}Write rejected entries to the specified file.
-s, --randomSeed {seed}Seed for the MakeLDIF random number generator.
Default value: 0
-S, --skipSchemaValidationSkip schema validation during the LDIF import.
--skipDNValidationPerform DN validation during later part of LDIF import.
--skipFile {skipFile}Write skipped entries to the specified file.
--threadCount {count}Number of threads used to read LDIF file during import. Default value (0) equals: 2 x (number of CPUs).
--tmpdirectory {directory}Path to temporary directory for index scratch files during LDIF import.
Default value:
import-tmp
Task Backend Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Task Scheduling Options
--completionNotify {emailAddress}Email address of a recipient to be notified when the task completes. This option may be specified more than once.
--dependency {taskID}ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
--errorNotify {emailAddress}Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
--failedDependencyAction {action}Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS, CANCEL, DISABLE. If not specified defaults to CANCEL.
--recurringTask {schedulePattern}Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
-t, --start {startTime}Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
Examples
The following example imports the content of the LDIF file,
Example.ldif, with the server offline.
Name
ldapcompare — perform LDAP compare operations
Synopsis
ldapcompare {options} [[attribute] | [:] | [value]] [DN...]
Options
The following options are supported.
--assertionFilter {filter}Use the LDAP assertion control with the provided filter
-c, --continueOnErrorContinue processing even if there are errors
-f, --filename {file}LDIF file containing one DN per line of entries to compare
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information
-n, --dry-runShow what would be done but do not perform any operation
-Y, --proxyAs {authzID}Use the proxied authorization control with the given authorization ID
LDAP Connection Options
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-E, --reportAuthzIDUse the authorization identity control
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server port number
Default value: 389
-P, --trustStorePath {trustStorePath}Certificate trust store path
-q, --useStartTLSUse StartTLS to secure communication with the server
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
--usePasswordPolicyControlUse the password policy request control
-V, --ldapVersion {version}LDAP protocol version number
Default value: 3
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
-Z, --useSSLUse SSL for secure communication with the server
Utility Input/Output Options
-i, --encoding {encoding}Use the specified character set for command-line input
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-v, --verboseUse verbose mode
Exit Codes
- 0
The command completed successfully.
ldap-errorAn LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties to set
the defaults for bind DN, host name, and port number as in the following
example.
Examples
The following examples demonstrate comparing Babs Jensen's UID.
The following example uses a matching UID value.
The following example uses a UID value that does not match.
Name
ldapdelete — perform LDAP delete operations
Synopsis
ldapdelete {options} [DN]
Options
The following options are supported.
--assertionFilter {filter}Use the LDAP assertion control with the provided filter
-c, --continueOnErrorContinue processing even if there are errors
-f, --filename {file}LDIF file containing the changes to apply
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information
-n, --dry-runShow what would be done but do not perform any operation
-x, --deleteSubtreeDelete the specified entry and all entries below it
-Y, --proxyAs {authzID}Use the proxied authorization control with the given authorization ID
LDAP Connection Options
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-E, --reportAuthzIDUse the authorization identity control
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server port number
Default value: 389
-P, --trustStorePath {trustStorePath}Certificate trust store path
-q, --useStartTLSUse StartTLS to secure communication with the server
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
--usePasswordPolicyControlUse the password policy request control
-V, --ldapVersion {version}LDAP protocol version number
Default value: 3
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
-Z, --useSSLUse SSL for secure communication with the server
Utility Input/Output Options
-i, --encoding {encoding}Use the specified character set for command-line input
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-v, --verboseUse verbose mode
Exit Codes
- 0
The command completed successfully.
ldap-errorAn LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties to set
the defaults for bind DN, host name, and port number as in the following
example.
Examples
The following command deletes a user entry from the directory.
The following command deletes the ou=Groups entry and all entries underneath ou=Groups.
Name
ldapmodify — perform LDAP modify, add, delete, mod DN operations
Synopsis
ldapmodify {options}
Description
This utility can be used to perform LDAP modify, add, delete, and modify DN operations in the directory.
When not using a file to specify modifications, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).
Options
The following options are supported.
-a, --defaultAddTreat records with no changetype as add operations
--assertionFilter {filter}Use the LDAP assertion control with the provided filter
-c, --continueOnErrorContinue processing even if there are errors
-f, --filename {file}LDIF file containing the changes to apply
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information
-n, --dry-runShow what would be done but do not perform any operation
--postReadAttributes {attrList}Use the LDAP ReadEntry post-read control
--preReadAttributes {attrList}Use the LDAP ReadEntry pre-read control
-Y, --proxyAs {authzID}Use the proxied authorization control with the given authorization ID
LDAP Connection Options
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-E, --reportAuthzIDUse the authorization identity control
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server port number
Default value: 389
-P, --trustStorePath {trustStorePath}Certificate trust store path
-q, --useStartTLSUse StartTLS to secure communication with the server
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
--usePasswordPolicyControlUse the password policy request control
-V, --ldapVersion {version}LDAP protocol version number
Default value: 3
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
-Z, --useSSLUse SSL for secure communication with the server
Utility Input/Output Options
-i, --encoding {encoding}Use the specified character set for command-line input
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-v, --verboseUse verbose mode
Exit Codes
- 0
The command completed successfully.
ldap-errorAn LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties to set
the defaults for bind DN, host name, and port number as in the following
example.
Examples
The following example demonstrates use of the command to add an entry to the directory.
The following example demonstrates adding a Description attribute to the new user's entry.
The following example demonstrates changing the Description attribute for the new user's entry.
The following example demonstrates deleting the new user's entry.
Name
ldappasswordmodify — perform LDAP password modifications
Synopsis
ldappasswordmodify {options}
Options
The following options are supported.
-a, --authzID {authzID}Authorization ID for the user entry whose password should be changed
The authorization ID is a string having either the prefix
dn:followed by the user's distinguished name, or the prefixu:followed by a user identifier that depends on the identity mapping used to match the user identifier to an entry in the directory. Examples includedn:uid=bjensen,ou=People,dc=example,dc=com, and, if we assume thatbjensenis mapped to Barbara Jensen's entry,u:bjensen.-A, --provideDNForAuthzIDUse the bind DN as the authorization ID for the password modify operation
-c, --currentPassword {currentPassword}Current password for the target user
-C, --currentPasswordFile {file}Path to a file containing the current password for the target user
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information
-n, --newPassword {newPassword}New password to provide for the target user
-N, --newPasswordFile {file}Path to a file containing the new password to provide for the target user
LDAP Connection Options
--certNickname {nickname}Nickname of certificate for SSL client authentication
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-p, --port {port}Directory server port number
Default value: 389
-P, --trustStorePath {trustStorePath}Certificate trust store path
-q, --useStartTLSUse StartTLS to secure communication with the server
--trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
-Z, --useSSLUse SSL for secure communication with the server
Utility Input/Output Options
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-?, -H, --helpDisplay usage information
-V, --versionDisplay directory server version information
Exit Codes
- 0
The command completed successfully.
ldap-errorAn LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties to set
the defaults for bind DN, host name, and port number as in the following
example.
Examples
The following example demonstrates a user changing the password for her entry.
Name
ldapsearch — perform LDAP search operations
Synopsis
ldapsearch {options} [filter] [attributes...]
Description
This utility can be used to perform LDAP search operations in the directory.
In the list of attributes to return, you can specify
* to return all user attributes, + to
return all operational attributes, and
@ to return
all attributes associated with the object-classobject-class
such as @person.
Options
The following options are supported.
-a, --dereferencePolicy {dereferencePolicy}Alias dereference policy ('never', 'always', 'search', or 'find')
Default value: never
-A, --typesOnlyOnly retrieve attribute names but not their values
--assertionFilter {filter}Use the LDAP assertion control with the provided filter
-b, --baseDN {baseDN}Base DN format string
-c, --continueOnErrorContinue processing even if there are errors
-C, --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]Use the persistent search control
--countEntriesCount the number of entries returned by the server
-e, --getEffectiveRightsAttribute {attribute}Specifies geteffectiverights control specific attribute list
-f, --filename {file}LDIF file containing the changes to apply
-g, --getEffectiveRightsAuthzid {authzID}Use geteffectiverights control with the provided authzid
-G, --virtualListView {before:after:index:count | before:after:value}Use the virtual list view control to retrieve the specified results page
-J, --control {controloid[:criticality[:value|::b64value|:<filePath]]}Use a request control with the provided information
-l, --timeLimit {timeLimit}Maximum length of time in seconds to allow for the search
Default value: 0
--matchedValuesFilter {filter}Use the LDAP matched values control with the provided filter
-n, --dry-runShow what would be done but do not perform any operation
-s, --searchScope {searchScope}Search scope ('base', 'one', 'sub', or 'subordinate')
Default value: sub
subordinateis an LDAP extension that might not work with all LDAP servers.-S, --sortOrder {sortOrder}Sort the results using the provided sort order
--simplePageSize {numEntries}Use the simple paged results control with the given page size
Default value: 1000
-Y, --proxyAs {authzID}Use the proxied authorization control with the given authorization ID
-z, --sizeLimit {sizeLimit}Maximum number of entries to return from the search
Default value: 0
LDAP Connection Options
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-E, --reportAuthzIDUse the authorization identity control
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server port number
Default value: 389
-P, --trustStorePath {trustStorePath}Certificate trust store path
-q, --useStartTLSUse StartTLS to secure communication with the server
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
--usePasswordPolicyControlUse the password policy request control
-V, --ldapVersion {version}LDAP protocol version number
Default value: 3
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
-Z, --useSSLUse SSL for secure communication with the server
Utility Input/Output Options
-i, --encoding {encoding}Use the specified character set for command-line input
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-t, --dontWrapDo not wrap long lines
-v, --verboseUse verbose mode
Exit Codes
- 0
The command completed successfully.
ldap-errorAn LDAP error occurred while processing the operation.
LDAP result codes are described in RFC 4511. Also see the additional information for details.
- 89
An error occurred while parsing the command-line arguments.
Files
You can use ~/.opendj/tools.properties to set
the defaults for bind DN, host name, and port number as in the following
example.
Examples
The following example searches for entries with UID containing
jensen, returning only DNs and uid values.
Name
ldifdiff — compare small LDIF files
Synopsis
ldifdiff [options] source.ldif target.ldif
Description
This utility can be used to compare two LDIF files and report the differences in LDIF format.
Options
The following options are supported.
-a, --ignoreAttrs {file}File containing a list of attributes to ignore when computing the difference.
--checkSchemaTakes into account the syntax of the attributes as defined in the schema to make the value comparison. The provided LDIF files must conform to the server schema.
-e, --ignoreEntries {file}File containing a list of entries (DN) to ignore when computing the difference.
-S, --singleValueChangesEach attribute-level change should be written as a separate modification per attribute value rather than one modification per entry.
-V, --versionDisplay version information.
-?, -H, --helpDisplay usage information.
Examples
The following example demonstrates use of the command with two small LDIF files.
Name
ldifmodify — apply LDIF changes to LDIF
Synopsis
ldifmodify {options}
Description
This utility can be used to apply a set of modify, add, and delete operations against data in an LDIF file.
Options
The following options are supported.
-m, --changesLDIF {ldifFile}LDIF file containing the changes to apply.
-s, --sourceLDIF {ldifFile}LDIF file containing the data to be updated.
-t, --targetLDIF {ldifFile}File to which the updated data should be written.
-V, --versionDisplay version information.
-?, -H, --helpDisplay usage information.
Examples
The following example demonstrates use of the command.
Name
ldifsearch — search LDIF with LDAP filters
Synopsis
ldifsearch {options} [filter] [attribute...]
Options
The following options are supported.
-b, --baseDN {baseDN}The base DN for the search. Multiple base DNs may be specified by providing the option multiple times. If no base DN is provided, then the root DSE will be used.
-f, --filterFile {filterFile}The path to the file containing the search filter(s) to use. If this is not provided, then the filter must be provided on the command line after all configuration options.
-l, --ldifFile {ldifFile}LDIF file containing the data to search. Multiple files may be specified by providing the option multiple times. If no files are provided, the data will be read from standard input.
-o, --outputFile {outputFile}The path to the output file to which the matching entries should be written. If this is not provided, then the data will be written to standard output.
-O, --overwriteExistingAny existing output file should be overwritten rather than appending to it.
-s, --searchScope {scope}The scope for the search. It must be one of 'base', 'one', 'sub', or 'subordinate'. If it is not provided, then 'sub' will be used.
-t, --timeLimit {timeLimit}Maximum length of time (in seconds) to spend processing.
Default value: 0
-T, --dontWrapLong lines should not be wrapped.
-V, --versionDisplay version information.
-z, --sizeLimit {sizeLimit}Maximum number of matching entries to return.
Default value: 0
-?, -H, --helpDisplay usage information.
Examples
The following example demonstrates use of the command.
Name
list-backends — list OpenDJ backends and base DNs
Synopsis
list-backends [options]
Description
This utility can be used to list the backends and base DNs configured in the Directory Server.
Options
The following options are supported.
-b, --baseDN {baseDN}Base DN for which to list the backend ID.
-n, --backendID {backendName}Backend ID of the backend for which to list the base DNs.
-V, --versionDisplay version information.
-?, -H, --helpDisplay usage information.
Examples
Name
make-ldif — generate test LDIF
Synopsis
make-ldif {options}
Options
The following options are supported.
-o, --ldifFile {file}The path to the LDIF file to be written.
-s, --randomSeed {seed}The seed to use to initialize the random number generator.
Default value: 0
-t, --templateFile {file}The path to the template file with information about the LDIF data to generate.
-V, --versionDisplay version information.
-?, -H, --helpDisplay usage information.
Name
manage-account — manage state of directory server accounts
Synopsis
manage-account subcommand
Description
This utility can be used to retrieve and manipulate the values of password policy state variables.
Subcommands
The following subcommands are supported.
- manage-account clear-account-is-disabled
Clear account disabled state information from the user account
- manage-account get-account-expiration-time
Display when the user account will expire
- manage-account get-account-is-disabled
Display information about whether the user account has been administratively disabled
- manage-account get-all
Display all password policy state information for the user
- manage-account get-authentication-failure-times
Display the authentication failure times for the user
- manage-account get-grace-login-use-times
Display the grace login use times for the user
- manage-account get-last-login-time
Display the time that the user last authenticated to the server
- manage-account get-password-changed-by-required-time
Display the required password change time with which the user last complied
- manage-account get-password-changed-time
Display the time that the user's password was last changed
- manage-account get-password-expiration-warned-time
Display the time that the user first received an expiration warning notice
- manage-account get-password-history
Display password history state values for the user
- manage-account get-password-is-reset
Display information about whether the user will be required to change his or her password on the next successful authentication
- manage-account get-password-policy-dn
Display the DN of the password policy for the user
- manage-account get-remaining-authentication-failure-count
Display the number of remaining authentication failures until the user's account is locked
- manage-account get-remaining-grace-login-count
Display the number of grace logins remaining for the user
- manage-account get-seconds-until-account-expiration
Display the length of time in seconds until the user account expires
- manage-account get-seconds-until-authentication-failure-unlock
Display the length of time in seconds until the authentication failure lockout expires
- manage-account get-seconds-until-idle-lockout
Display the length of time in seconds until user's account is locked because it has remained idle for too long
- manage-account get-seconds-until-password-expiration
Display length of time in seconds until the user's password expires
- manage-account get-seconds-until-password-expiration-warning
Display the length of time in seconds until the user should start receiving password expiration warning notices
- manage-account get-seconds-until-password-reset-lockout
Display the length of time in seconds until user's account is locked because the user failed to change the password in a timely manner after an administrative reset
- manage-account get-seconds-until-required-change-time
Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time
- manage-account set-account-is-disabled
Specify whether the user account has been administratively disabled
Global Options
The following global options are supported.
-b, --targetDN {targetDN}The DN of the user entry for which to get and set password policy state information
LDAP Connection Options
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Exit Codes
- 0
The command completed successfully.
- 89
An error occurred while parsing the command-line arguments.
Examples
For the following examples, the directory admin user, Kirsten Vaughan,
has ds-privilege-name: password-reset, and the following
ACI on ou=People,dc=example,dc=com.
(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")( version 3.0;acl "Admins can run amok"; allow(all) groupdn = "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
The following command locks a user account.
The following command unlocks a user account.
Name
manage-tasks — manage OpenDJ server administration tasks
Synopsis
manage-tasks {options}
Description
This utility can be used to obtain a list of tasks scheduled to run within the directory server as well as information about individual tasks.
Options
The following options are supported.
-c, --cancel {taskID}ID of a particular task to cancel
-i, --info {taskID}ID of a particular task about which this tool will display information
-s, --summaryPrint a summary of tasks
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Utility Input/Output Options
-n, --no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
Examples
The following example demonstrates use of the command with a server that does daily backups at 2:00 AM.
Name
rebuild-index — rebuild index after configuration change
Synopsis
rebuild-index {options}
Description
This utility can be used to rebuild index data within a backend based on the Berkeley DB Java Edition.
Options
The following options are supported.
-b, --baseDN {baseDN}Base DN of a backend supporting indexing. Rebuild is performed on indexes within the scope of the given base DN.
-i, --index {index}Names of index(es) to rebuild. For an attribute index this is simply an attribute name. At least one index must be specified for rebuild. Cannot be used with the
--rebuildAllor--rebuildDegradedoptions.--rebuildAllRebuild all indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the
--indexor--rebuildDegradedoptions.--rebuildDegradedRebuild all degraded indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the
--indexor--rebuildAlloptions.--tmpdirectory {directory}Path to temporary directory for index scratch files during index rebuilding.
Default value: import-tmp
Task Backend Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Task Scheduling Options
--completionNotify {emailAddress}Email address of a recipient to be notified when the task completes. This option may be specified more than once.
--dependency {taskID}ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
--errorNotify {emailAddress}Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
--failedDependencyAction {action}Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS, CANCEL, DISABLE. If not specified defaults to CANCEL.
--recurringTask {schedulePattern}Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
-t, --start {startTime}Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
Exit Codes
- 0
The command completed successfully.
- 1
An error occurred while parsing the command-line arguments.
Examples
The following example schedules a task to start immediately that
rebuilds the cn (common name) index.
Name
restore — restore OpenDJ directory data backups
Synopsis
restore {options}
Options
The following options are supported.
-d, --backupDirectory {backupDir}Path to the target directory for the backup file(s)
-I, --backupID {backupID}Use the provided identifier for the backup
-l, --listBackupsList available backups in the backup directory
-n, --dry-runVerify the contents of the backup but do not restore it
Task Backend Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-h, --hostname {host}Directory server hostname or IP address
Default value: localhost.localdomain
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Task Scheduling Options
--completionNotify {emailAddress}Email address of a recipient to be notified when the task completes. This option may be specified more than once.
--dependency {taskID}ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.
--errorNotify {emailAddress}Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.
--failedDependencyAction {action}Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS, CANCEL, DISABLE. If not specified defaults to CANCEL.
--recurringTask {schedulePattern}Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.
-t, --start {startTime}Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
Name
setup — install OpenDJ directory server
Synopsis
setup [options]
Options
The following options are supported.
-a, --addBaseEntryIndicates whether to create the base entry in the directory server database
--adminConnectorPort {port}Port on which the Administration Connector should listen for communication
Default value: 4444
-b, --baseDN {baseDN}Base DN for user information in the directory server. Multiple base DNs may be provided by using this option multiple times
Default value: dc=example,dc=com
-d, --sampleData {numEntries}Specifies that the database should be populated with the specified number of sample entries
Default value: 0
-D, --rootUserDN {rootUserDN}DN for the initial root user for the directory server
Default value: cn=Directory Manager
--generateSelfSignedCertificateGenerate a self-signed certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation
-h, --hostname {host}The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication
Default value: localhost.localdomain
-i, --cliUse the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified
-j, --rootUserPasswordFile {rootUserPasswordFile}Path to a file containing the password for the initial root user for the directory server
-l, --ldifFile {ldifFile}Path to an LDIF file containing data that should be added to the directory server database. Multiple LDIF files may be provided by using this option multiple times
-N, --certNickname {nickname}Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation
-O, --doNotStartDo not start the server when the configuration is completed
-p, --ldapPort {port}Port on which the Directory Server should listen for LDAP communication
Default value: 389
-q, --enableStartTLSEnable StartTLS to allow secure communication with the server using the LDAP port
-R, --rejectFile {rejectFile}Write rejected entries to the specified file
-S, --skipPortCheckSkip the check to determine whether the specified ports are usable
--skipFile {skipFile}Write skipped entries to the specified file
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate
--useJavaKeystore {keyStorePath}Path of a Java Key Store (JKS) containing a certificate to be used as the server certificate
--useJCEKS {keyStorePath}Path of a JCEKS containing a certificate to be used as the server certificate
--usePkcs11KeystoreUse a certificate in a PKCS#11 token that the server should use when accepting SSL-based connections or performing StartTLS negotiation
--usePkcs12keyStore {keyStorePath}Path of a PKCS#12 key store containing the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation
-w, --rootUserPassword {rootUserPassword}Password for the initial root user for the Directory Server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate
-x, --jmxPort {jmxPort}Port on which the Directory Server should listen for JMX communication
Default value: 1689
-Z, --ldapsPort {port}Port on which the Directory Server should listen for LDAPS communication. The LDAPS port will be configured and SSL will be enabled only if this argument is explicitly specified
Default value: 636
Utility Input/Output Options
-n, --no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-Q, --quietRun setup in quiet mode. Quiet mode will not output progress information to standard output
-v, --verboseUse verbose mode
Examples
The following command installs OpenDJ directory server, enabling StartTLS and importing 100 example entries without interaction.
Name
start-ds — start OpenDJ directory server
Synopsis
start-ds [options]
Description
This utility can be used to start the directory server, as well as to obtain the server version and other forms of general server information.
Options
The following options are supported.
-L, --useLastKnownGoodConfigAttempt to start using the configuration that was in place at the last successful startup (if it is available) rather than using the current active configuration.
-N, --nodetachDo not detach from the terminal and continue running in the foreground. This option cannot be used with the -t, --timeout option.
-Q, --quietUse quiet mode.
-s, --systemInfoDisplay general system information.
-t, --timeout {seconds}Maximum time (in seconds) to wait before the command returns (the server continues the startup process, regardless). A value of '0' indicates an infinite timeout, which means that the command returns only when the server startup is completed. The default value is 60 seconds. This option cannot be used with the -N, --nodetach option.
Default value: 200
-V, --versionDisplay version information.
-?, -H, --helpDisplay usage information.
Name
status — display basic OpenDJ server information
Synopsis
status [options]
Options
The following options are supported.
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-D, --bindDN {bindDN}DN to use to bind to the server
Default value: cn=Directory Manager
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Utility Input/Output Options
-n, --no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail
--noPropertiesFileNo properties file will be used to get default command line argument values
-r, --refresh {period}When this argument is specified, the status command will display its contents periodically. Used to specify the period (in seconds) between two status displays
-s, --script-friendlyUse script-friendly mode
Examples
Name
stop-ds — stop OpenDJ directory server
Synopsis
stop-ds [options]
Description
This utility can be used to request that the directory server stop running or perform a restart.
When run without connection options, stop-ds sends a signal to the OpenDJ process to stop the server. When run with connection options, the stop-ds connects to the OpenDJ administration port and creates a shutdown task to stop the server.
Options
The following options are supported.
-r, --stopReason {stopReason}Reason the server is being stopped or restarted.
-R, --restartAttempt to automatically restart the server once it has stopped.
-t, --stopTime {stopTime}Indicates the date/time at which the shutdown operation will begin as a server task expressed in format YYYYMMDDhhmmssZ for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the shutdown to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.
-Y, --proxyAs {authzID}Use the proxied authorization control with the given authorization ID.
LDAP Connection Options
-D, --bindDN {bindDN}DN to use to bind to the server
-h, --hostname {host}Directory server hostname or IP address
Default value: 127.0.0.1
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-p, --port {port}Directory server administration port number
Default value: 4444
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
Use
-w -to have the command prompt for the password, rather than enter the password on the command line.-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Name
uninstall — remove OpenDJ directory server software
Synopsis
uninstall [options]
Options
The following options are supported.
-a, --remove-allRemove all components of the server (this option is not compatible with the rest of remove options)
-b, --backup-filesRemove backup files
-c, --configuration-filesRemove configuration files
-d, --databasesRemove database contents
-e, --ldif-filesRemove LDIF files
-f, --forceOnErrorSpecifies whether the uninstall should continue if there is an error updating references to this server in remote server instances or not. This option can only be used with the --no-prompt option.
-i, --cliSpecifies to use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified
-l, --server-librariesRemove Server Libraries and Administrative Tools
-L, --log-filesRemove log files
LDAP Connection Options
--connectTimeout {timeout}Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.
Default value: 30000
-h, --referencedHostName {host}The name of this host (or IP address) as it is referenced in remote servers for replication
Default value: localhost.localdomain
-I, --adminUID {adminUID}User ID of the Global Administrator to use to bind to the server.
Default value: admin
-j, --bindPasswordFile {bindPasswordFile}Bind password file
-K, --keyStorePath {keyStorePath}Certificate key store path
-N, --certNickname {nickname}Nickname of certificate for SSL client authentication
-o, --saslOption {name=value}SASL bind options
-P, --trustStorePath {trustStorePath}Certificate trust store path
-T, --trustStorePassword {trustStorePassword}Certificate trust store PIN
-u, --keyStorePasswordFile {keyStorePasswordFile}Certificate key store PIN file
-U, --trustStorePasswordFile {path}Certificate trust store PIN file
-w, --bindPassword {bindPassword}Password to use to bind to the server
-W, --keyStorePassword {keyStorePassword}Certificate key store PIN
-X, --trustAllTrust all server SSL certificates
Utility Input/Output Options
-n, --no-promptUse non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail
--noPropertiesFileNo properties file will be used to get default command line argument values
--propertiesFilePath {propertiesFilePath}Path to the file containing default property values used for command line arguments
-Q, --quietRun setup in quiet mode. Quiet mode will not output progress information to standard output
-v, --verboseUse verbose mode
Examples
The following command removes OpenDJ directory server without interaction.
Name
upgrade — upgrade OpenDJ directory server
Synopsis
upgrade {options}
Description
This utility can be used to upgrade the directory server to a newer version or revert to a previous version.
When using this tool to upgrade the server you should first downloaded an OpenDJ install package (.zip) file and specify its location using the -f/--file option. You can also upgrade your server using the Java Web Start version of this tool by visiting the OpenDJ web site at www.forgerock.org/opendj.html.
When using the tool to revert to a previous version you must either indicate that you want to revert to the version before the most recent upgrade using the -r/--revertMostRecent option or specify the location of a reversion archive using the -a/--reversionArchive option.
Options
The following options are supported.
-a, --reversionArchive {directory}Directory where reversion files are stored. This should be one of the child directories of the 'history' directory that is created when the upgrade tool is run.
-f, --file {file}Specifies an existing server package (.zip) file to which the current build will be upgraded using the command line version of this tool
-r, --revertMostRecentThe installation will be reverted to the state before the most recent upgrade
Examples
The following example demonstrates upgrade without interaction.
Name
verify-index — check index for consistency or errors
Synopsis
verify-index {options}
Description
This utility can be used to ensure that index data is consistent within a backend based on the Berkeley DB Java Edition.
Options
The following options are supported.
-b, --baseDN {baseDN}Base DN of a backend supporting indexing. Verification is performed on indexes within the scope of the given base DN.
-c, --cleanSpecifies that a single index should be verified to ensure it is clean. An index is clean if each index value references only entries containing that value. Only one index at a time may be verified in this way.
--countErrorsCount the number of errors found during the verification and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).
-i, --index {index}Name of an index to be verified. For an attribute index this is simply an attribute name. Multiple indexes may be verified for completeness, or all indexes if no indexes are specified. An index is complete if each index value references all entries containing that value.
Exit Codes
- 0
The command completed successfully.
- 1
An error occurred while parsing the command-line arguments.
- 0-255
The number of errors in the index, as indicated for the
--countErrorsoption.
Examples
The following example verifies the cn (common
name) index for completeness and for errors.
OpenDJ software installs and creates the following files and directories. The following list is not necessarily exhaustive.
QuickSetup.appMac OS X GUI for installing OpenDJ
Uninstall.appMac OS X GUI for removing OpenDJ
bakDirectory for saving backup files
batWindows command-line tools and control panel
binUNIX/Linux/Mac OS X command-line tools and control panel
changelogDbJE backend data for the external change log when using replication
classesDirectory added to the
CLASSPATHfor OpenDJ, permitting individual classes to be patchedconfigOpenDJ server configuration and schema, PKI stores, LDIF generation templates, resources for upgrade
config/MakeLDIFTemplates for use with the make-ldif LDIF generation tool
config/config.ldifLDIF representation of current OpenDJ server config
Use the dsconfig command to edit OpenDJ server configuration.
config/java.propertiesJVM settings for OpenDJ server and tools
config/schemaOpenDJ directory server LDAP schema definition files
config/tasks.ldifData used by task scheduler backend so that scheduled tasks and recurring tasks persist after server restart
config/tools.propertiesDefault settings for command-line tools
Use as a template when creating an
~/.opendj/tools.propertiesfile.config/upgradeResources used by the upgrade command to move to the next version of OpenDJ
config/wordlist.txtList of words used to check password strength
dbJE backend data for backends that you create
example-plugin.zipSample OpenDJ plugin code. Custom plugins are meant to be installed in
lib/extensions.import-tmpUsed when importing data into OpenDJ
install.htmlQuick installation instructions in case you are offline
install.txtText version of
install.htmlinstance.locPointer to OpenDJ on the file system, useful in installations where the program files are separate from the server instance files
ldifDirectory for saving LDIF export files
legal-noticesLicense information
libScripts and libraries needed by OpenDJ and added to the
CLASSPATHfor OpenDJlib/extensionsFile system directory to hold your custom plugins
locksDirectory to hold lock files used when OpenDJ is running to prevent backends from accidentally being used by more than one server process
logsAccess, errors, audit, and replication logs
logs/server.pidContains the process ID for the server when OpenDJ is running
setupUNIX setup utility
setup.batWindows setup utility
uninstallUNIX utility for removing OpenDJ
uninstall.batWindows utility for removing OpenDJ
upgradeUNIX utility for upgrading OpenDJ by pointing to the new .zip
upgrade.batWindows utility for upgrading OpenDJ by pointing to the new .zip
OpenDJ server software uses the following TCP/IP ports by default.
- LDAP: 389 (1389)
OpenDJ directory server listens for LDAP requests from client applications on port 389 by default. OpenDJ directory server uses port 1389 by default for non-root users. LDAP is enabled by default.
- LDAPS: 636 (1636)
OpenDJ directory server listens for LDAPS requests from client applications on port 636 by default. OpenDJ directory server uses port 1636 by default for non-root users. LDAPS is not enabled by default.
- Administrative connections: 4444
OpenDJ directory server listens for administrative traffic on port 4444 by default. The administration connector is enabled by default.
- SNMP: 161, 162
OpenDJ directory server listens for SNMP traffic on port 161 by default, and uses port 162 for traps. SNMP is not enabled by default.
- JMX: 1689
OpenDJ directory server listens for Java Management eXtension traffic on port 1689 by default. JMX is not enabled by default.
- Replication: 8989
OpenDJ directory server listens for replication traffic on port 8989 by default. Replication is not enabled by default.
OpenDJ 2.5.0 software implements the following RFCs, Internet-Drafts, and standards.
- RFC 1274: The COSINE and Internet X.500 Schema
X.500 Directory Schema, or Naming Architecture, for use in the COSINE and Internet X.500 pilots.
- RFC 1321: The MD5 Message-Digest Algorithm
MD5 message-digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.
- RFC 1777: Lightweight Directory Access Protocol (LDAPv2)
Provide access to the X.500 Directory while not incurring the resource requirements of the Directory Access Protocol.
Classified as an Historic document.
- RFC 1778: The String Representation of Standard Attribute Syntaxes
Defines the requirements that must be satisfied by encoding rules used to render X.500 Directory attribute syntaxes into a form suitable for use in the LDAP, then defines the encoding rules for the standard set of attribute syntaxes.
Classified as an Historic document.
- RFC 1779: A String Representation of Distinguished Names
Defines a string format for representing names, which is designed to give a clean representation of commonly used names, whilst being able to represent any distinguished name.
Classified as an Historic document.
- RFC 2079: Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs)
Defines a new attribute type and an auxiliary object class to allow URIs, including URLs, to be stored in directory entries in a standard way.
- RFC 2222: Simple Authentication and Security Layer (SASL)
Describes a method for adding authentication support to connection-based protocols.
- RFC 2246: The TLS Protocol Version 1.0
Specifies Version 1.0 of the Transport Layer Security protocol.
- RFC 2247: Using Domains in LDAP/X.500 Distinguished Names
Defines an algorithm by which a name registered with the Internet Domain Name Service can be represented as an LDAP distinguished name.
- RFC 2251: Lightweight Directory Access Protocol (v3)
Describes a directory access protocol designed to provide access to directories supporting the X.500 models, while not incurring the resource requirements of the X.500 Directory Access Protocol.
- RFC 2252: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions
Defines a set of syntaxes for LDAPv3, and the rules by which attribute values of these syntaxes are represented as octet strings for transmission in the LDAP protocol.
- RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
Defines a common UTF-8 format to represent distinguished names unambiguously.
- RFC 2254: The String Representation of LDAP Search Filters
Defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name.
- RFC 2255: The LDAP URL Format
Describes a format for an LDAP Uniform Resource Locator.
- RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3
Provides an overview of the attribute types and object classes defined by the ISO and ITU-T committees in the X.500 documents, in particular those intended for use by directory clients.
- RFC 2307: An Approach for Using LDAP as a Network Information Service
Describes an experimental mechanism for mapping entities related to TCP/IP and the UNIX system into X.500 entries so that they may be resolved with the Lightweight Directory Access Protocol.
- RFC 2377: Naming Plan for Internet Directory-Enabled Applications
Proposes a new directory naming plan that leverages the strengths of the most popular and successful Internet naming schemes for naming objects in a hierarchical directory.
- RFC 2696: LDAP Control Extension for Simple Paged Results Manipulation
Allows a client to control the rate at which an LDAP server returns the results of an LDAP search operation.
- RFC 2713: Schema for Representing Java(tm) Objects in an LDAP Directory
Defines a common way for applications to store and retrieve Java objects from the directory.
- RFC 2714: Schema for Representing CORBA Object References in an LDAP Directory
Define a common way for applications to store and retrieve CORBA object references from the directory.
- RFC 2739: Calendar Attributes for vCard and LDAP
Defines a mechanism to locate a user calendar and free/busy time using the LDAP protocol.
- RFC 2798: Definition of the inetOrgPerson LDAP Object Class
Define an object class called inetOrgPerson for use in LDAP and X.500 directory services that extends the X.521 standard organizationalPerson class.
- RFC 2829: Authentication Methods for LDAP
Specifies particular combinations of security mechanisms which are required and recommended in LDAP implementations.
- RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
Defines the "Start Transport Layer Security (TLS) Operation" for LDAP.
- RFC 2849: The LDAP Data Interchange Format (LDIF) - Technical Specification
Describes a file format suitable for describing directory information or modifications made to directory information.
- RFC 2926: Conversion of LDAP Schemas to and from SLP Templates
Describes a procedure for mapping between Service Location Protocol service advertisements and lightweight directory access protocol descriptions of services.
- RFC 3045: Storing Vendor Information in the LDAP root DSE
Specifies two Lightweight Directory Access Protocol attributes, vendorName and vendorVersion that MAY be included in the root DSA-specific Entry (DSE) to advertise vendor-specific information.
- RFC 3062: LDAP Password Modify Extended Operation
Describes an LDAP extended operation to allow modification of user passwords which is not dependent upon the form of the authentication identity nor the password storage mechanism used.
- RFC 3112: LDAP Authentication Password Schema
Describes schema in support of user/password authentication in a LDAP directory including the authPassword attribute type. This attribute type holds values derived from the user's password(s) (commonly using cryptographic strength one-way hash).
- RFC 3377: Lightweight Directory Access Protocol (v3): Technical Specification
Specifies the set of RFCs comprising the Lightweight Directory Access Protocol Version 3 (LDAPv3), and addresses the "IESG Note" attached to RFCs 2251 through 2256.
- RFC 3383: Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)
Provides procedures for registering extensible elements of the Lightweight Directory Access Protocol (LDAP).
- RFC 3546: Transport Layer Security (TLS) Extensions
Describes extensions that may be used to add functionality to Transport Layer Security.
- RFC 3671: Collective Attributes in the Lightweight Directory Access Protocol (LDAP)
Summarizes the X.500 information model for collective attributes and describes use of collective attributes in LDAP.
- RFC 3672: Subentries in the Lightweight Directory Access Protocol (LDAP)
Adapts X.500 subentries mechanisms for use with the Lightweight Directory Access Protocol (LDAP).
- RFC 3673: Lightweight Directory Access Protocol version 3 (LDAPv3): All Operational Attributes
Describes an LDAP extension which clients may use to request the return of all operational attributes.
- RFC 3674: Feature Discovery in Lightweight Directory Access Protocol (LDAP)
Introduces a general mechanism for discovery of elective features and extensions which cannot be discovered using existing mechanisms.
- RFC 3771: Lightweight Directory Access Protocol (LDAP) Intermediate Response Message
Defines and describes the IntermediateResponse message, a general mechanism for defining single-request/multiple-response operations in Lightweight Directory Access Protocol.
- RFC 3829: Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls
Extends the Lightweight Directory Access Protocol bind operation with a mechanism for requesting and returning the authorization identity it establishes.
- RFC 3876: Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3)
Describes a control for the Lightweight Directory Access Protocol version 3 that is used to return a subset of attribute values from an entry.
- RFC 3909: Lightweight Directory Access Protocol (LDAP) Cancel Operation
Describes a Lightweight Directory Access Protocol extended operation to cancel (or abandon) an outstanding operation, with a response to indicate the outcome of the operation.
- RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1
Specifies Version 1.1 of the Transport Layer Security protocol.
- RFC 4370: Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control
Defines the Proxy Authorization Control, that allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.
- RFC 4403: Lightweight Directory Access Protocol (LDAP) Schema for Universal Description, Discovery, and Integration version 3 (UDDIv3)
Defines the Lightweight Directory Access Protocol schema for representing Universal Description, Discovery, and Integration data types in an LDAP directory.
- RFC 4422: Simple Authentication and Security Layer (SASL)
Describes a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms.
- RFC 4505: Anonymous Simple Authentication and Security Layer (SASL) Mechanism
Describes a new way to provide anonymous login is needed within the context of the Simple Authentication and Security Layer framework.
- RFC 4510: Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map
Provides a road map of the LDAP Technical Specification.
- RFC 4511: Lightweight Directory Access Protocol (LDAP): The Protocol
Describes the protocol elements, along with their semantics and encodings, of the Lightweight Directory Access Protocol.
- RFC 4512: Lightweight Directory Access Protocol (LDAP): Directory Information Models
Describes the X.500 Directory Information Models as used in LDAP.
- RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms
Describes authentication methods and security mechanisms of the Lightweight Directory Access Protocol.
- RFC 4514: Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names
Defines the string representation used in the Lightweight Directory Access Protocol to transfer distinguished names.
- RFC 4515: Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters
Defines a human-readable string representation of LDAP search filters that is appropriate for use in LDAP URLs and in other applications.
- RFC 4516: Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator
Describes a format for a Lightweight Directory Access Protocol Uniform Resource Locator.
- RFC 4517: Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules
Defines a base set of syntaxes and matching rules for use in defining attributes for LDAP directories.
- RFC 4518: Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation
Defines string preparation algorithms for character-based matching rules defined for use in LDAP.
- RFC 4519: Lightweight Directory Access Protocol (LDAP): Schema for User Applications
Provides a technical specification of attribute types and object classes intended for use by LDAP directory clients for many directory services, such as White Pages.
- RFC 4524: COSINE LDAP/X.500 Schema
Provides a collection of schema elements for use with the Lightweight Directory Access Protocol from the COSINE and Internet X.500 pilot projects.
- RFC 4525: Lightweight Directory Access Protocol (LDAP) Modify-Increment Extension
Describes an extension to the Lightweight Directory Access Protocol Modify operation to support an increment capability.
- RFC 4526: Lightweight Directory Access Protocol (LDAP) Absolute True and False Filters
Extends the Lightweight Directory Access Protocol to support absolute True and False filters based upon similar capabilities found in X.500 directory systems.
- RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls
Specifies an extension to the Lightweight Directory Access Protocol to allow the client to read the target entry of an update operation.
- RFC 4528: Lightweight Directory Access Protocol (LDAP) Assertion Control
Defines the Lightweight Directory Access Protocol Assertion Control, which allows a client to specify that a directory operation should only be processed if an assertion applied to the target entry of the operation is true.
- RFC 4529: Requesting Attributes by Object Class in the Lightweight Directory Access Protocol (LDAP)
Extends LDAP to support a mechanism that LDAP clients may use to request the return of all attributes of an object class.
- RFC 4530: Lightweight Directory Access Protocol (LDAP) entryUUID Operational Attribute
Describes the LDAP/X.500 'entryUUID' operational attribute and associated matching rules and syntax.
- RFC 4532: Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation
Provides a mechanism for Lightweight Directory Access Protocol clients to obtain the authorization identity the server has associated with the user or application entity.
- RFC 4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism
Defines a simple clear-text user/password Simple Authentication and Security Layer mechanism called the PLAIN mechanism.
- RFC 4634: US Secure Hash Algorithms (SHA and HMAC-SHA)
Specifies Secure Hash Algorithms, SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file.
- RFC 4752: The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism
Describes the method for using the Generic Security Service Application Program Interface (GSS-API) Kerberos V5 in the Simple Authentication and Security Layer, called the GSSAPI mechanism.
- RFC 4876: A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents
Defines a schema for storing a profile for agents that make use of the Lightweight Directory Access protocol (LDAP).
- RFC 5020: The Lightweight Directory Access Protocol (LDAP) entryDN Operational Attribute
Describes the Lightweight Directory Access Protocol (LDAP) / X.500 'entryDN' operational attribute, that provides a copy of the entry's distinguished name for use in attribute value assertions.
- FIPS 180-1: Secure Hash Standard (SHA-1)
Specifies a Secure Hash Algorithm, SHA-1, for computing a condensed representation of a message or a data file.
- FIPS 180-2: Secure Hash Standard (SHA-1, SHA-256, SHA-384, SHA-512)
Specifies four Secure Hash Algorithms for computing a condensed representation of electronic data.
- DSMLv2: Directory Service Markup Language
Provides a method for expressing directory queries and updates as XML documents.
Controls provide a mechanism whereby the semantics and arguments of existing LDAP operations may be extended. One or more controls may be attached to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are termed request controls, and those sent by servers are termed response controls.
OpenDJ software supports the following LDAP controls.
- Account Usability Control
Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8
Control originally provided by Sun Microsystems, used to determine whether a user account can be used to authenticate to the directory.
- Assertion Request Control
Object Identifier: 1.3.6.1.1.12
RFC: RFC 4528 - Lightweight Directory Access Protocol (LDAP) Assertion Control
- Authorization Identity Request Control
Object Identifier: 2.16.840.1.113730.3.4.16
- Authorization Identity Response Control
Object Identifier: 2.16.840.1.113730.3.4.15
- Entry Change Notification Response Control
Object Identifier: 2.16.840.1.113730.3.4.7
Internet-Draft: draft-ietf-ldapext-psearch - Persistent Search: A Simple LDAP Change Notification Mechanism
- Get Effective Rights Request Control
Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2
Internet-Draft: draft-ietf-ldapext-acl-model - Access Control Model for LDAPv3
- Manage DSAIT Request Control
Object Identifier: 2.16.840.1.113730.3.4.2
RFC: RFC 3296 - Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories
- Matched Values Request Control
Object Identifier: 1.2.826.0.1.3344810.2.3
- No-Op Control
Object Identifier: 1.3.6.1.4.1.4203.1.10.2
Internet-Draft: draft-zeilenga-ldap-noop - LDAP No-Op Control
- Password Expired Response Control
Object Identifier: 2.16.840.1.113730.3.4.4
Internet-Draft: draft-vchu-ldap-pwd-policy - Password Policy for LDAP Directories
- Password Expiring Response Control
Object Identifier: 2.16.840.1.113730.3.4.5
Internet-Draft: draft-vchu-ldap-pwd-policy - Password Policy for LDAP Directories
- Password Policy Response Control
Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1
Internet-Draft: draft-behera-ldap-password-policy - Password Policy for LDAP Directories
- Permissive Modify Request Control
Object Identifier: 1.2.840.113556.1.4.1413
Microsoft defined this control that, "Allows an LDAP modify to work under less restrictive conditions. Without it, a delete will fail if an attribute done not exist, and an add will fail if an attribute already exists. No data is needed in this control." (source of quote)
- Persistent Search Request Control
Object Identifier: 2.16.840.1.113730.3.4.3
Internet-Draft: draft-ietf-ldapext-psearch - Persistent Search: A Simple LDAP Change Notification Mechanism
- Post-Read Request Control
Object Identifier: 1.3.6.1.1.13.2
RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls
- Post-Read Response Control
Object Identifier: 1.3.6.1.1.13.2
RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls
- Pre-Read Request Control
Object Identifier: 1.3.6.1.1.13.1
RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls
- Pre-Read Response Control
Object Identifier: 1.3.6.1.1.13.1
RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls
- Proxied Authorization v1 Request Control
Object Identifier: 2.16.840.1.113730.3.4.12
Internet-Draft: draft-weltman-ldapv3-proxy-04 - LDAP Proxied Authorization Control
- Proxied Authorization v2 Request Control
Object Identifier: 2.16.840.1.113730.3.4.18
RFC: RFC 4370 - Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control
- Public Changelog Exchange Control
Object Identifier: 1.3.6.1.4.1.26027.1.5.4
OpenDJ specific, for using the bookmark cookie when reading the external change log.
- Server Side Sort Request Control
Object Identifier: 1.2.840.113556.1.4.473
RFC: RFC 2891 - LDAP Control Extension for Server Side Sorting of Search Results
- Server Side Sort Response Control
Object Identifier: 1.2.840.113556.1.4.474
RFC: RFC 2891 - LDAP Control Extension for Server Side Sorting of Search Results
- Simple Paged Results Control
Object Identifier: 1.2.840.113556.1.4.319
RFC: RFC 2696 - LDAP Control Extension for Simple Paged Results Manipulation
- Subentries Request Controls
Object Identifier: 1.3.6.1.4.1.4203.1.10.1
RFC: Subentries in the Lightweight Directory Access Protocol (LDAP)
Object Identifier: 1.3.6.1.4.1.7628.5.101.1
Internet-Draft: draft-ietf-ldup-subentry - LDAP Subentry Schema
- Subtree Delete Request Control
Object Identifier: 1.2.840.113556.1.4.805
Internet-Draft: draft-armijo-ldap-treedelete - Tree Delete Control
- Virtual List View Request Control
Object Identifier: 2.16.840.1.113730.3.4.9
Internet-Draft: draft-ietf-ldapext-ldapv3-vlv - LDAP Extensions for Scrolling View Browsing of Search Results
- Virtual List View Response Control
Object Identifier: 2.16.840.1.113730.3.4.10
Internet-Draft: draft-ietf-ldapext-ldapv3-vlv - LDAP Extensions for Scrolling View Browsing of Search Results
Extended operations allow additional operations to be defined for services not already available in the protocol
OpenDJ software supports the following LDAP extended operations.
- Cancel Extended Request
Object Identifier: 1.3.6.1.1.8
RFC: RFC 3909 - Lightweight Directory Access Protocol (LDAP) Cancel Operation
- Get Connection ID Extended Request
Object Identifier: 1.3.6.1.4.1.26027.1.6.2
OpenDJ extended operation to return the connection ID of the associated client connection. This extended operation is intended for OpenDJ internal use.
- Password Modify Extended Request
Object Identifier: 1.3.6.1.4.1.4203.1.11.1
- Password Policy State Extended Operation
Object Identifier: 1.3.6.1.4.1.26027.1.6.1
OpenDJ extended operation to query and update password policy state for a given user entry. This extended operation is intended for OpenDJ internal use.
- Start Transport Layer Security Extended Request
Object Identifier: 1.3.6.1.4.1.1466.20037
RFC: RFC 4511 - Lightweight Directory Access Protocol (LDAP): The Protocol
- Who am I? Extended Request
Object Identifier: 1.3.6.1.4.1.4203.1.11.3
RFC: RFC 4532 - Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation
OpenDJ software stores data in UTF-8 format. It enables you to store and to search for attribute values according to a variety of language specific locales. OpenDJ software is also itself localized for a smaller variety of languages.
OpenDJ 2.5.0 software has been localized in the following languages.
French
German
Japanese
Simplified Chinese
Spanish
Note
Certain messages have also been translated into Catalan, Korean, Polish, and Traditional Chinese. Some error messages including messages labeled SEVERE and FATAL are provided only in English.
OpenDJ software supports the following locales, with their associated language and country codes, and their collation order object identifiers. Locale support depends on the underlying Java Virtual Machine.
- Albanian
Code tag: sq
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.127.1
- Arabic
Code tag: ar
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.3.1
- Arabic (Algeria)
Code tag: ar-DZ
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.6.1
- Arabic (Bahrain)
Code tag: ar-BH
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.5.1
- Arabic (Egypt)
Code tag: ar-EG
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.7.1
- Arabic (Iraq)
Code tag: ar-IQ
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.9.1
- Arabic (Jordan)
Code tag: ar-JO
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.10.1
- Arabic (Kuwait)
Code tag: ar-KW
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.11.1
- Arabic (Lebanon)
Code tag: ar-LB
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.12.1
- Arabic (Libya)
Code tag: ar-LY
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.13.1
- Arabic (Morocco)
Code tag: ar-MA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.14.1
- Arabic (Oman)
Code tag: ar-OM
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.15.1
- Arabic (Qatar)
Code tag: ar-QA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.16.1
- Arabic (Saudi Arabia)
Code tag: ar-SA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.17.1
- Arabic (Sudan)
Code tag: ar-SD
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.18.1
- Arabic (Syria)
Code tag: ar-SY
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.19.1
- Arabic (Tunisia)
Code tag: ar-TN
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.20.1
- Arabic (United Arab Emirates)
Code tag: ar-AE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.4.1
- Arabic (Yemen)
Code tag: ar-YE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.21.1
- Belarusian
Code tag: be
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.22.1
- Bulgarian
Code tag: bg
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.23.1
- Catalan
Code tag: ca
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.25.1
- Chinese
Code tag: zh
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.143.1
- Chinese (Simplified) (China)
Code tag: zh-CN
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.144.1
- Chinese (Traditional) (Hong Kong)
Code tag: zh-HK
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.145.1
- Chinese (Traditional) (Taiwan)
Code tag: zh-TW
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.148.1
- Croatian
Code tag: hr
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.87.1
- Czech
Code tag: cs
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.26.1
- Danish
Code tag: da
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.27.1
- Dutch
Code tag: nl
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.105.1
- Dutch (Belgium)
Code tag: nl-BE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.106.1
- Dutch (Netherlands)
Code tag: nl-NL
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.105.1
- English
Code tag: en
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.34.1
- English (Australia)
Code tag: en-AU
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.35.1
- English (Canada)
Code tag: en-CA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.36.1
- English (Great Britain)
Code tag: en-GB
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.37.1
- English (India)
Code tag: en-IN
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.40.1
- English (Ireland)
Code tag: en-IE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.39.1
- English (New Zealand)
Code tag: en-NZ
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.42.1
- English (South Africa)
Code tag: en-ZA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.46.1
- English (United States)
Code tag: en-US
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.34.1
- Estonian
Code tag: et
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.69.1
- Finnish
Code tag: fi
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.74.1
- French
Code tag: fr
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.76.1
- French (Belgium)
Code tag: fr-BE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.77.1
- French (Canada)
Code tag: fr-CA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.78.1
- French (France)
Code tag: fr-FR
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.76.1
- French (Luxembourg)
Code tag: fr-LU
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.80.1
- French (Switzerland)
Code tag: fr-CH
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.79.1
- German
Code tag: de
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.28.1
- German (Austria)
Code tag: de-AT
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.29.1
- German (Germany)
Code tag: de-DE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.28.1
- German (Luxembourg)
Code tag: de-LU
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.32.1
- German (Switzerland)
Code tag: de-CH
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.31.1
- Greek
Code tag: el
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.33.1
- Hebrew
Code tag: he
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.85.1
- Hungarian
Code tag: hu
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.88.1
- Icelandic
Code tag: is
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.91.1
- Italian
Code tag: it
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.92.1
- Italian (Switzerland)
Code tag: it-CH
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.93.1
- Japanese
Code tag: ja
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.94.1
- Korean
Code tag: ko
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.97.1
- Latvian
Code tag: lv
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.101.1
- Lithuanian
Code tag: lt
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.100.1
- Macedonian
Code tag: mk
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.102.1
- Norwegian
Code tag: no
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.107.1
- Norwegian (Bokmål)
Code tag: no-NO
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.107.1
- Norwegian (Nynorsk)
Code tag: no-NO-NY
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.108.1
- Polish
Code tag: pl
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.114.1
- Portuguese
Code tag: pt
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.115.1
- Portuguese (Brazil)
Code tag: pt-BR
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.116.1
- Portuguese (Portugal)
Code tag: pt-PT
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.115.1
- Romanian
Code tag: ro
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.117.1
- Russian
Code tag: ru
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.118.1
- Russian (Russia)
Code tag: ru-RU
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.118.1
- Serbian
Code tag: sr
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.128.1
- Slovak
Code tag: sk
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.121.1
- Slovenian
Code tag: sl
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.122.1
- Spanish
Code tag: es
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.49.1
- Spanish (Argentina)
Code tag: es-AR
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.50.1
- Spanish (Bolivia)
Code tag: es-BO
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.51.1
- Spanish (Chile)
Code tag: es-CL
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.52.1
- Spanish (Colombia)
Code tag: es-CO
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.53.1
- Spanish (Costa Rica)
Code tag: es-CR
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.54.1
- Spanish (Dominican Republic)
Code tag: es-DO
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.55.1
- Spanish (Ecuador)
Code tag: es-EC
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.56.1
- Spanish (El Salvador)
Code tag: es-SV
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.65.1
- Spanish (Guatemala)
Code tag: es-GT
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.57.1
- Spanish (Honduras)
Code tag: es-HN
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.58.1
- Spanish (Mexico)
Code tag: es-MX
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.59.1
- Spanish (Nicaragua)
Code tag: es-NI
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.60.1
- Spanish (Panama)
Code tag: es-PA
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.61.1
- Spanish (Paraguay)
Code tag: es-PY
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.64.1
- Spanish (Peru)
Code tag: es-PE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.62.1
- Spanish (Puerto Rico)
Code tag: es-PR
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.63.1
- Spanish (Spain)
Code tag: es-ES
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.49.1
- Spanish (Uruguay)
Code tag: es-UY
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.67.1
- Spanish (Venezuela)
Code tag: es-VE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.68.1
- Swedish
Code tag: sv
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.129.1
- Swedish (Sweden)
Code tag: sv-SE
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.129.1
- Thai
Code tag: th
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.136.1
- Turkish
Code tag: tr
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.140.1
- Ukranian
Code tag: uk
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.141.1
- Vietnamese
Code tag: vi
Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.142.1
OpenDJ software supports the following language subtypes.
Albanian, sq
Arabic, ar
Belarusian, be
Bulgarian, bg
Catalan, ca
Chinese, zh
Croatian, hr
Czech, cs
Danish, da
Dutch, nl
English, en
Estonian, et
Finnish, fi
French, fr
German, de
Greek, el
Hebrew, he
Hungarian, hu
Icelandic, is
Italian, it
Japanese, ja
Korean, ko
Latvian, lv
Lithuanian, lt
Macedonian, mk
Norwegian, no
Polish, pl
Portuguese, pt
Romanian, ro
Russian, ru
Serbian, sr
Slovak, sk
Slovenian, sl
Spanish, es
Swedish, sv
Thai, th
Turkish, tr
Ukranian, uk
Vietnamese, vi
A
- Access control, About Access Control Instructions
- Effective rights, Viewing Effective Rights
- Examples, Configuring Access Control
- Permissions, ACI Permissions
- Subjects, ACI Subjects
- Targets, ACI Targets
- Accounts
- Activating, Managing Accounts Manually
- Customizing notification messages, Managing Account Status Notification
- Disabling, Managing Accounts Manually
- Lockout, Configuring Account Lockout
- Status notifications, Managing Account Status Notification
- Active Directory (see Pass through authentication)
- Alerts, Alert Notifications
B
C
- Certificates, Preparing For Secure Communications, Overview, Moving a Server
- Collective attributes, Collective Attributes
- Commands, Command-Line Tools
- Comparing attribute values, Comparing Attribute Values
- Control panel, Control Panel
D
- Database backend
- Creating, Creating a New Database Backend
- DSML, DSML Client Access
E
- Exporting data, Importing & Exporting LDIF Data
- External change log, Change Notification For Your Applications
- Legacy format, Change Notification For Your Applications
F
- File layout, File Layout
G
- Groups
- Dynamic, Creating Dynamic Groups
- Membership, Looking Up Group Membership
- Referential integrity, Configuring Referential Integrity
- Static, Creating Static Groups
- Virtual static, Creating Virtual Static Groups
H
- High availability (see Replication)
I
- Importing data, Importing & Exporting LDIF Data
- Performance, LDIF Import Settings
- Test data, Generating Test Data
- Indexes, Indexing Attribute Values
- Approximate, Approximate Index, Configuring a Standard Index
- Configuring, Configuring & Rebuilding Indexes
- Debugging searches, Checking Indexes For a Search
- Default settings, Default Indexes
- Entry limits, Changing Index Entry Limits
- Equality, Equality Index
- Extensible matching rule, Extensible Matching Rule Index, Configuring a Standard Index
- Ordering, Ordering Index
- Presence, Presence Index
- Rebuilding, Rebuilding Indexes
- Substring, Substring Index
- Verifying, Verifying Indexes
- Virtual list view (browsing), Virtual List View (Browsing) Index, Configuring a Virtual List View Index
- Installed files, File Layout
L
- Language subtypes, Directory Support For Locales and Language Subtypes
- Languages, OpenDJ Languages
- LDAP controls
- Account usability, LDAP Controls
- Assertion, LDAP Controls
- Authorization identity, LDAP Controls
- Entry change notification, LDAP Controls
- Get effective rights, LDAP Controls
- Manage DSAIT, LDAP Controls
- Matched values, LDAP Controls
- No-op, LDAP Controls
- Password expired, LDAP Controls
- Password expiring, LDAP Controls
- Password policy, LDAP Controls
- Permissive modify, LDAP Controls
- Persistent search, LDAP Controls
- Post-read, LDAP Controls
- Pre-read, LDAP Controls
- Proxied authorization, LDAP Controls
- Public changelog exchange, LDAP Controls
- Server side sort, LDAP Controls
- Simple paged results, LDAP Controls
- Subentries, LDAP Controls
- Subtree delete, LDAP Controls
- Virtual list view (browsing), LDAP Controls
- LDAP extended operations
- Cancel, LDAP Extended Operations
- Get Connection ID, LDAP Extended Operations
- Password modify, LDAP Extended Operations
- Password policy state, LDAP Extended Operations
- StartTLS, LDAP Extended Operations
- What am I?, LDAP Extended Operations
- LDIF
- Examples, Updating the Directory
- Export, Importing & Exporting LDIF Data
- File as backend, LDIF File Access
- Import, Importing & Exporting LDIF Data
- Specification, Standards, RFCs, & Internet-Drafts
- Tools, Other Tools For Working With LDIF Data
- Locales, Directory Support For Locales and Language Subtypes
- Lockdown mode, Preventing Access While You Fix Issues
- Logs, Server Logs
- Filtering, Log Filtering
M
- Monitoring, Monitoring Servers
- Moving servers, Moving Servers
P
- Pass through authentication, Configuring Pass Through Authentication
- Password policy, Configuring Password Policy
- Behera Internet-Draft, Subentry Based Password Policies
- Default, Configuring Password Policies
- Passwords
- Changing, Changing Passwords
- Performance tuning, Tuning Servers For Performance
- Ports
- 161, Ports Used
- 162, Ports Used
- 1689, Ports Used
- 389 (1389), Ports Used
- 4444, Ports Used
- 636 (1636), Ports Used
- 8989, Ports Used
- Configuring, Configuring Servers For Client Application Access
- Settings for tools, Configuring Default Settings
- Privileges, About Privileges
- Provisioning, Importing & Exporting LDIF Data
- Proxied authorization, Configuring Proxied Authorization
R
- Referrals, Working With Referrals
- Replication
- Assured, Assured Replication
- Change notification, Change Notification For Your Applications
- Configuring, Configuring Replication
- Crash recovery, Server Recovery
- Data access, Configuring Access Control
- Dedicated servers, Stand-alone Replication Servers
- Fractional, Fractional Replication
- Grouping servers, Replication Groups
- Log, Server Logs
- Moving servers, Moving Servers
- Not for virtual attributes, Virtual Attributes
- Overview, About Replication
- Password policy, Subentry Based Password Policies
- Quick setup, Replication Quick Setup
- Read-only servers, Read-Only Replicas
- Restoring from backup, Restoring Directory Data From Backup
- Schema definitions, Updating Directory Schema
- Stopping, Stopping Replication
- Subtree, Subtree Replication
- Troubleshooting, Troubleshooting Replication
- Unique attributes, Implementing Attribute Value Uniqueness
- Write throughput, Service-Level Agreements
- Resource limits, Setting Resource Limits
- Restart server, Restarting a Server
- Restoring
- From backup, Restoring Directory Data From Backup
- From LDIF, Importing & Exporting LDIF Data
S
- Samba, Samba Password Synchronization
- Schema, Managing Schema
- Bundled definitions, Standard Schema Included With OpenDJ
- Legacy data, Relaxing Schema Checking to Import Legacy Data
- Searching data, Searching the Directory
- SNMP, SNMP-Based Monitoring
- SSL, LDAP Client Access Over SSL
- Start server, Starting a Server
- StartTLS, LDAP Client Access With Transport Layer Security
- Stop server, Stopping a Server
- Supported standards
- DSMLv2, Standards, RFCs, & Internet-Drafts
- FIPS 180-1, Standards, RFCs, & Internet-Drafts
- FIPS 180-2, Standards, RFCs, & Internet-Drafts
- RFC 1274, Standards, RFCs, & Internet-Drafts
- RFC 1321, Standards, RFCs, & Internet-Drafts
- RFC 1777, Standards, RFCs, & Internet-Drafts
- RFC 1778, Standards, RFCs, & Internet-Drafts
- RFC 1779, Standards, RFCs, & Internet-Drafts
- RFC 2079, Standards, RFCs, & Internet-Drafts
- RFC 2222, Standards, RFCs, & Internet-Drafts
- RFC 2246, Standards, RFCs, & Internet-Drafts
- RFC 2247, Standards, RFCs, & Internet-Drafts
- RFC 2251, Standards, RFCs, & Internet-Drafts
- RFC 2252, Standards, RFCs, & Internet-Drafts
- RFC 2253, Standards, RFCs, & Internet-Drafts
- RFC 2254, Standards, RFCs, & Internet-Drafts
- RFC 2255, Standards, RFCs, & Internet-Drafts
- RFC 2256, Standards, RFCs, & Internet-Drafts
- RFC 2307, Standards, RFCs, & Internet-Drafts
- RFC 2377, Standards, RFCs, & Internet-Drafts
- RFC 2696, Standards, RFCs, & Internet-Drafts
- RFC 2713, Standards, RFCs, & Internet-Drafts
- RFC 2714, Standards, RFCs, & Internet-Drafts
- RFC 2739, Standards, RFCs, & Internet-Drafts
- RFC 2798, Standards, RFCs, & Internet-Drafts
- RFC 2829, Standards, RFCs, & Internet-Drafts
- RFC 2830, Standards, RFCs, & Internet-Drafts
- RFC 2849, Standards, RFCs, & Internet-Drafts
- RFC 2926, Standards, RFCs, & Internet-Drafts
- RFC 3045, Standards, RFCs, & Internet-Drafts
- RFC 3062, Standards, RFCs, & Internet-Drafts
- RFC 3112, Standards, RFCs, & Internet-Drafts
- RFC 3377, Standards, RFCs, & Internet-Drafts
- RFC 3383, Standards, RFCs, & Internet-Drafts
- RFC 3546, Standards, RFCs, & Internet-Drafts
- RFC 3671, Standards, RFCs, & Internet-Drafts
- RFC 3672, Standards, RFCs, & Internet-Drafts
- RFC 3673, Standards, RFCs, & Internet-Drafts
- RFC 3674, Standards, RFCs, & Internet-Drafts
- RFC 3771, Standards, RFCs, & Internet-Drafts
- RFC 3829, Standards, RFCs, & Internet-Drafts
- RFC 3876, Standards, RFCs, & Internet-Drafts
- RFC 3909, Standards, RFCs, & Internet-Drafts
- RFC 4346, Standards, RFCs, & Internet-Drafts
- RFC 4370, Standards, RFCs, & Internet-Drafts
- RFC 4403, Standards, RFCs, & Internet-Drafts
- RFC 4422, Standards, RFCs, & Internet-Drafts
- RFC 4505, Standards, RFCs, & Internet-Drafts
- RFC 4510, Standards, RFCs, & Internet-Drafts
- RFC 4511, Standards, RFCs, & Internet-Drafts
- RFC 4512, Standards, RFCs, & Internet-Drafts
- RFC 4513, Standards, RFCs, & Internet-Drafts
- RFC 4514, Standards, RFCs, & Internet-Drafts
- RFC 4515, Standards, RFCs, & Internet-Drafts
- RFC 4516, Standards, RFCs, & Internet-Drafts
- RFC 4517, Standards, RFCs, & Internet-Drafts
- RFC 4518, Standards, RFCs, & Internet-Drafts
- RFC 4519, Standards, RFCs, & Internet-Drafts
- RFC 4524, Standards, RFCs, & Internet-Drafts
- RFC 4525, Standards, RFCs, & Internet-Drafts
- RFC 4526, Standards, RFCs, & Internet-Drafts
- RFC 4527, Standards, RFCs, & Internet-Drafts
- RFC 4528, Standards, RFCs, & Internet-Drafts
- RFC 4529, Standards, RFCs, & Internet-Drafts
- RFC 4530, Standards, RFCs, & Internet-Drafts
- RFC 4532, Standards, RFCs, & Internet-Drafts
- RFC 4616, Standards, RFCs, & Internet-Drafts
- RFC 4634, Standards, RFCs, & Internet-Drafts
- RFC 4752, Standards, RFCs, & Internet-Drafts
- RFC 4876, Standards, RFCs, & Internet-Drafts
- RFC 5020, Standards, RFCs, & Internet-Drafts
T
- Troubleshooting, Troubleshooting Server Problems
U
- Unique attribute values, Implementing Attribute Value Uniqueness
- Updating data, Updating the Directory
- Filtering, Filtering Add & Modify Operations
V
- Virtual attributes, Virtual Attributes