dsconf(8)                 System Manager's Manual                 dsconf(8)

dsconf

dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
        [-Z] [-j] instance
        {backend,backup,chaining,config,directory_manager,monitor,plugin,
        pwpolicy,localpwp,replication,repl-agmt,repl-winsync-agmt,
        repl-tasks,sasl,security,schema,repl-conflict} ...

instance
    The instance name OR the LDAP URL to connect to, e.g. localhost or
    ldap://mai.example.com:389

Sub-commands
dsconf backend
    Manage database suffixes and backends

dsconf backup
    Manage online backups

dsconf chaining
    Manage database chaining/database links

dsconf config
    Manage server configuration

dsconf directory_manager
    Manage the directory manager account

dsconf monitor
    Monitor the state of the instance

dsconf plugin
    Manage plugins available on the server

dsconf pwpolicy
    Get and set the global password policy settings

dsconf localpwp
    Manage local (user/subtree) password policies

dsconf replication
    Configure replication for a suffix

dsconf repl-agmt
    Manage replication agreements

dsconf repl-winsync-agmt
    Manage Winsync Agreements

dsconf repl-tasks
    Manage replication tasks

dsconf sasl
    Query and manipulate SASL mappings

dsconf security
    Query and manipulate security options

dsconf schema
    Query and manipulate schema

dsconf repl-conflict
    Manage replication conflicts

usage: dsconf instance backend [-h]
        {suffix,index,vlv-index,attr-encrypt,config,monitor,import,
        export,create,delete,get-tree} ...

Sub-commands
dsconf backend suffix
    Manage a backend suffix

dsconf backend index
    Manage backend indexes

dsconf backend vlv-index
    Manage VLV searches and indexes

dsconf backend attr-encrypt
    Encrypted attribute options

dsconf backend config
    Manage the global database configuration settings

dsconf backend monitor
    Get the global database monitor information

dsconf backend import
    Do an online import of the suffix

dsconf backend export
    Do an online export of the suffix

dsconf backend create
    Create a backend database

dsconf backend delete
    Delete a backend database

dsconf backend get-tree
    Get a representation of the suffix tree

usage: dsconf instance backend suffix [-h]
        {list,get,get-dn,get-sub-suffixes,set} ...

Sub-commands
dsconf backend suffix list
    List current active backends and suffixes

dsconf backend suffix get
    Get the suffix entry

dsconf backend suffix get-dn
    get_dn

dsconf backend suffix get-sub-suffixes
    Get the sub-suffixes of this backend

dsconf backend suffix set
    Set configuration settings for a single backend

usage: dsconf instance backend suffix list [-h] [--suffix]
        [--skip-subsuffixes]

--suffix
    Just display the suffix, and not the backend name

--skip-subsuffixes
    Skip over sub-suffixes

usage: dsconf instance backend suffix get [-h] [selector]

selector
    The backend to search for

usage: dsconf instance backend suffix get-dn [-h] [dn]

dn
    The backend dn to get

usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
        be_name

be_name
    The backend name or suffix to search for sub-suffixes

--suffix
    Just display the suffix, and not the backend name

usage: dsconf instance backend suffix set [-h] [--enable-readonly]
        [--disable-readonly] [--require-index] [--ignore-index]
        [--add-referral ADD_REFERRAL] [--del-referral DEL_REFERRAL]
        [--enable] [--disable] [--cache-size CACHE_SIZE]
        [--cache-memsize CACHE_MEMSIZE]
        [--dncache-memsize DNCACHE_MEMSIZE]
        be_name

be_name
    The backend name or suffix to delete

--enable-readonly
    Set backend database to be read-only

--disable-readonly
    Disable read-only mode for backend database

--require-index
    Only allow indexed searches

--ignore-index
    Allow all searches even if they are unindexed

--add-referral ADD_REFERRAL
    Add an LDAP referral to the backend

--del-referral DEL_REFERRAL
    Remove an LDAP referral to the backend

--enable
    Enable the backend database

--disable
    Disable the backend database

--cache-size CACHE_SIZE
    The maximum number of entries to keep in the entry cache

--cache-memsize CACHE_MEMSIZE
    The maximum size in bytes that the entry cache can grow to

--dncache-memsize DNCACHE_MEMSIZE
    The maximum size in bytes that the DN cache can grow to

usage: dsconf instance backend index [-h]
        {add,set,get,list,delete,reindex} ...

Sub-commands
dsconf backend index add
    Set configuration settings for a single backend

dsconf backend index set
    Edit an index entry

dsconf backend index get
    Get an index entry

dsconf backend index list
    Set configuration settings for a single backend

dsconf backend index delete
    Set configuration settings for a single backend

dsconf backend index reindex
    Reindex the database (for a single index or all indexes)

usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
        [--matching-rule MATCHING_RULE] [--reindex] --attr ATTR
        be_name

be_name
    The backend name or suffix to delete

--index-type INDEX_TYPE
    An indexing type: eq, sub, pres, or approximate

--matching-rule MATCHING_RULE
    Matching rule for the index

--reindex
    After adding new index, reindex the database

--attr ATTR
    The index attribute's name

usage: dsconf instance backend index set [-h] --attr ATTR
        [--add-type ADD_TYPE] [--del-type DEL_TYPE]
        [--add-mr ADD_MR] [--del-mr DEL_MR] [--reindex]
        be_name

be_name
    The backend name or suffix to edit an index from

--attr ATTR
    The index name to edit

--add-type ADD_TYPE
    An index type to add to the index: eq, sub, pres, or approx

--del-type DEL_TYPE
    An index type to remove from the index: eq, sub, pres, or approx

--add-mr ADD_MR
    A matching-rule to add to the index

--del-mr DEL_MR
    A matching-rule to remove from the index

--reindex
    After editing index, reindex the database

usage: dsconf instance backend index get [-h] --attr ATTR be_name

be_name
    The backend name or suffix to get the index from

--attr ATTR
    The index name to get

usage: dsconf instance backend index list [-h] [--just-names] be_name

be_name
    The backend name or suffix to list indexes from

--just-names
    Return a list of just the attribute names for a backend

usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name

be_name
    The backend name or suffix to delete

--attr ATTR
    The index attribute's name

usage: dsconf instance backend index reindex [-h] [--attr ATTR]
        [--wait] be_name

be_name
    The backend name or suffix to reindex

--attr ATTR
    The index attribute's name to reindex. Skip this argument to
    reindex all attributes

--wait
    Wait for the index task to complete and report the status

usage: dsconf instance backend vlv-index [-h]
        {list,get,add-search,edit-search,del-search,add-index,
        del-index,reindex} ...

Sub-commands
dsconf backend vlv-index list
    List VLV search and index entries

dsconf backend vlv-index get
    Get a VLV search & index

dsconf backend vlv-index add-search
    Add a VLV search entry. The search entry is the parent entry of
    the VLV index entries, and it specifies the search params that
    are used to match entries for those indexes.

dsconf backend vlv-index edit-search
    Edit a VLV search & index

dsconf backend vlv-index del-search
    Delete VLV search & index

dsconf backend vlv-index add-index
    Create a VLV index under a VLV search entry (parent entry). The
    VLV index just specifies the attributes to sort

dsconf backend vlv-index del-index
    Delete a VLV index under a VLV search entry (parent entry).

dsconf backend vlv-index reindex
    Index/reindex the VLV database index

usage: dsconf instance backend vlv-index list [-h] [--just-names]
        be_name

be_name
    The backend name of the VLV index

--just-names
    List just the names of the VLV search entries

usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name

be_name
    The backend name of the VLV index

--name NAME
    Get the VLV search entry and its index entries

usage: dsconf instance backend vlv-index add-search [-h] --name NAME
        --search-base SEARCH_BASE --search-scope SEARCH_SCOPE
        --search-filter SEARCH_FILTER
        be_name

be_name
    The backend name of the VLV index

--name NAME
    Name of the VLV search entry

--search-base SEARCH_BASE
    The VLV search base

--search-scope SEARCH_SCOPE
    The VLV search scope: 0 (base search), 1 (one-level search), or
    2 (subtree search)

--search-filter SEARCH_FILTER
    The VLV search filter

usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
        [--search-base SEARCH_BASE] [--search-scope SEARCH_SCOPE]
        [--search-filter SEARCH_FILTER] [--reindex]
        be_name

be_name
    The backend name of the VLV index

--name NAME
    Name of the VLV index

--search-base SEARCH_BASE
    The VLV search base

--search-scope SEARCH_SCOPE
    The VLV search scope: 0 (base search), 1 (one-level search), or
    2 (subtree search)

--search-filter SEARCH_FILTER
    The VLV search filter

--reindex
    Reindex all the VLV database indexes

usage: dsconf instance backend vlv-index del-search [-h] --name NAME
        be_name

be_name
    The backend name of the VLV index

--name NAME
    Name of the VLV search index

usage: dsconf instance backend vlv-index add-index [-h]
        --parent-name PARENT_NAME --index-name INDEX_NAME --sort SORT
        [--index-it]
        be_name

be_name
    The backend name of the VLV index

--parent-name PARENT_NAME
    Name, or "cn" attribute value, of the parent VLV search entry

--index-name INDEX_NAME
    Name of the new VLV index

--sort SORT
    A space-separated list of attributes to sort for this VLV index

--index-it
    Create the database index for this VLV index definition

usage: dsconf instance backend vlv-index del-index [-h]
        --parent-name PARENT_NAME [--index-name INDEX_NAME]
        [--sort SORT]
        be_name

be_name
    The backend name of the VLV index

--parent-name PARENT_NAME
    Name, or "cn" attribute value, of the parent VLV search entry

--index-name INDEX_NAME
    Name of the VLV index to delete

--sort SORT
    Delete a VLV index that has this vlvsort value

usage: dsconf instance backend vlv-index reindex [-h]
        [--index-name INDEX_NAME] --parent-name PARENT_NAME
        be_name

be_name
    The backend name of the VLV index

--index-name INDEX_NAME
    Name of the VLV Index entry to reindex. If not set, all indexes
    are reindexed

--parent-name PARENT_NAME
    Name, or "cn" attribute value, of the parent VLV search entry

usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-names]
        [--add-attr ADD_ATTR] [--del-attr DEL_ATTR]
        be_name

be_name
    The backend name or suffix to reindex

--list
    List all the encrypted attributes for this backend

--just-names
    List just the names of the encrypted attributes (used with
    --list)

--add-attr ADD_ATTR
    Add an attribute to be encrypted

--del-attr DEL_ATTR
    Remove an attribute from being encrypted

usage: dsconf instance backend config [-h] {get,set} ...

Sub-commands
dsconf backend config get
    Get the global database configuration

dsconf backend config set
    Set the global database configuration

usage: dsconf instance backend config get [-h]

usage: dsconf instance backend config set [-h]
        [--lookthroughlimit LOOKTHROUGHLIMIT] [--mode MODE]
        [--idlistscanlimit IDLISTSCANLIMIT] [--directory DIRECTORY]
        [--dbcachesize DBCACHESIZE] [--logdirectory LOGDIRECTORY]
        [--durable-txn DURABLE_TXN] [--txn-wait TXN_WAIT]
        [--checkpoint-interval CHECKPOINT_INTERVAL]
        [--compactdb-interval COMPACTDB_INTERVAL]
        [--txn-batch-val TXN_BATCH_VAL]
        [--txn-batch-min TXN_BATCH_MIN]
        [--txn-batch-max TXN_BATCH_MAX]
        [--logbufsize LOGBUFSIZE] [--locks LOCKS]
        [--import-cache-autosize IMPORT_CACHE_AUTOSIZE]
        [--cache-autosize CACHE_AUTOSIZE]
        [--cache-autosize-split CACHE_AUTOSIZE_SPLIT]
        [--import-cachesize IMPORT_CACHESIZE]
        [--exclude-from-export EXCLUDE_FROM_EXPORT]
        [--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT]
        [--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT]
        [--rangelookthroughlimit RANGELOOKTHROUGHLIMIT]
        [--backend-opt-level BACKEND_OPT_LEVEL]
        [--deadlock-policy DEADLOCK_POLICY]
        [--db-home-directory DB_HOME_DIRECTORY]

--lookthroughlimit LOOKTHROUGHLIMIT
    Specifies the maximum number of entries that the Directory
    Server will check when examining candidate entries in response
    to a search request

--mode MODE
    Specifies the permissions used for newly created index files

--idlistscanlimit IDLISTSCANLIMIT
    Specifies the number of entry IDs that are searched during a
    search operation

--directory DIRECTORY
    Specifies absolute path to database instance

--dbcachesize DBCACHESIZE
    Specifies the database index cache size, in bytes.

--logdirectory LOGDIRECTORY
    Specifies the path to the directory that contains the database
    transaction logs

--durable-txn DURABLE_TXN
    Sets whether database transaction log entries are immediately
    written to the disk.

--txn-wait TXN_WAIT
    Sets whether the server should wait if there are no db locks
    available

--checkpoint-interval CHECKPOINT_INTERVAL
    Sets the amount of time in seconds after which the Directory
    Server sends a checkpoint entry to the database transaction log

--compactdb-interval COMPACTDB_INTERVAL
    Sets the interval in seconds when the database is compacted

--txn-batch-val TXN_BATCH_VAL
    Specifies how many transactions will be batched before being
    committed

--txn-batch-min TXN_BATCH_MIN
    Controls when transactions should be flushed earliest,
    independently of the batch count (only works when txn-batch-val
    is set)

--txn-batch-max TXN_BATCH_MAX
    Controls when transactions should be flushed latest,
    independently of the batch count (only works when txn-batch-val
    is set)

--logbufsize LOGBUFSIZE
    Specifies the transaction log information buffer size

--locks LOCKS
    Sets the maximum number of database locks

--import-cache-autosize IMPORT_CACHE_AUTOSIZE
    Set to "on" or "off" to automatically set the size of the import
    cache to be used during the import process of LDIF files

--cache-autosize CACHE_AUTOSIZE
    Sets the percentage of free memory that is used in total for the
    database and entry cache. Set to "0" to disable this feature.

--cache-autosize-split CACHE_AUTOSIZE_SPLIT
    Sets the percentage of RAM that is used for the database cache.
    The remaining percentage is used for the entry cache

--import-cachesize IMPORT_CACHESIZE
    Sets the size, in bytes, of the database cache used in the
    import process.

--exclude-from-export EXCLUDE_FROM_EXPORT
    List of attributes to not include during database export
    operations

--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
    Specifies the maximum number of entries that the Directory
    Server will check when examining candidate entries for a search
    which uses the simple paged results control

--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
    Specifies the number of entry IDs that are searched,
    specifically, for a search operation using the simple paged
    results control.

--rangelookthroughlimit RANGELOOKTHROUGHLIMIT
    Specifies the maximum number of entries that the Directory
    Server will check when examining candidate entries in response
    to a range search request.

--backend-opt-level BACKEND_OPT_LEVEL
    WARNING: this parameter can trigger experimental code to improve
    write performance. Valid values are: 0, 1, 2, or 4

--deadlock-policy DEADLOCK_POLICY
    Adjusts the backend database deadlock policy (Advanced setting)

--db-home-directory DB_HOME_DIRECTORY
    Sets the directory for the database mmapped files (Advanced
    setting)

usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]

--suffix SUFFIX
    Get just the suffix monitor entry

usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
        [-g GEN_UNIQ_ID] [-O]
        [-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
        [-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
        [be_name] [ldifs ...]

be_name
    The backend name or the root suffix where to import

ldifs
    Specifies the filename of the input LDIF files. When multiple
    files are imported, they are imported in the order they are
    specified on the command line.

-c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
    The number of chunks to have during the import operation.

-E, --encrypted
    Decrypts encrypted data during export. This option is used only
    if database encryption is enabled.

-g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
    Generate a unique id. Type none for no unique ID to be generated
    and deterministic for the generated unique ID to be name-based.
    By default, a time-based unique ID is generated. When using the
    deterministic generation to have a name-based unique ID, it is
    also possible to specify the namespace for the server to use.
    namespaceId is a string of characters in the format
    00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.

-O, --only-core
    Requests that only the core database is created without
    attribute indexes.

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
    Specifies the suffixes or the subtrees to be included.

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
    Specifies the suffixes to be excluded.

usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
        [-N] [-r] [-u] [-U]
        [-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
        [-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
        be_names [be_names ...]

be_names
    The backend names or the root suffixes from where to export.

-l LDIF, --ldif LDIF
    Gives the filename of the output LDIF file. If more than one are
    specified, use a space as a separator

-C, --use-id2entry
    Uses only the main database file.

-E, --encrypted
    Decrypts encrypted data during export. This option is used only
    if database encryption is enabled.

-m, --min-base64
    Sets minimal base-64 encoding.

-N, --no-seq-num
    Enables you to suppress printing the sequence number.

-r, --replication
    Exports the information required to initialize a replica when
    the LDIF is imported

-u, --no-dump-uniq-id
    Requests that the unique ID is not exported.

-U, --not-folded
    Requests that the output LDIF is not folded.

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
    Specifies the suffixes or the subtrees to be included.

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
    Specifies the suffixes to be excluded.

usage: dsconf instance backend create [-h]
        [--parent-suffix PARENT_SUFFIX]
        --suffix SUFFIX --be-name BE_NAME
        [--create-entries] [--create-suffix]

--parent-suffix PARENT_SUFFIX
    Sets the parent suffix only if this backend is a sub-suffix

--suffix SUFFIX
    The database suffix DN, for example "dc=example,dc=com"

--be-name BE_NAME
    The database backend name, for example "userroot"

--create-entries
    Create sample entries in the database

--create-suffix
    Create the suffix object entry in the database. Only suffixes
    using the attributes 'dc', 'o', 'ou', or 'cn' are supported in
    this feature

usage: dsconf instance backend delete [-h] be_name

be_name
    The backend name or suffix to delete

usage: dsconf instance backend get-tree [-h]

usage: dsconf instance backup [-h] {create,restore} ...

Sub-commands
dsconf backup create
    Creates a backup of the database

dsconf backup restore
    Restores a database from a backup

usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]

archive
    The directory where the backup files will be stored. The
    /var/lib/dirsrv/slapd-instance/bak directory is used by
    default. The backup file is named according to the
    year-month-day-hour format.

-t DB_TYPE, --db-type DB_TYPE
    Database type (default: ldbm database).

usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive

archive
    The directory of the backup files.

-t DB_TYPE, --db-type DB_TYPE
    Database type (default: ldbm database).

usage: dsconf instance chaining [-h]
        {config-get,config-set,config-get-def,config-set-def,
        link-create,link-get,link-set,link-delete,monitor,link-list}
        ...

Sub-commands
dsconf chaining config-get
    Get the chaining controls and server component lists

dsconf chaining config-set
    Set the chaining controls and server component lists

dsconf chaining config-get-def
    Get the default creation parameters for new database links

dsconf chaining config-set-def
    Set the default creation parameters for new database links

dsconf chaining link-create
    Create a database link to a remote server

dsconf chaining link-get
    Get chaining database link

dsconf chaining link-set
    Edit a database link to a remote server

dsconf chaining link-delete
    Delete a database link

dsconf chaining monitor
    Get the monitor information for a database chaining link

dsconf chaining link-list
    List database links

usage: dsconf instance chaining config-get [-h] [--avail-controls]
        [--avail-comps]

--avail-controls
    List available controls for chaining

--avail-comps
    List available plugin components for chaining

usage: dsconf instance chaining config-set [-h]
        [--add-control ADD_CONTROL] [--del-control DEL_CONTROL]
        [--add-comp ADD_COMP] [--del-comp DEL_COMP]

--add-control ADD_CONTROL
    Add a transmitted control OID

--del-control DEL_CONTROL
    Delete a transmitted control OID

--add-comp ADD_COMP
    Add a chaining component

--del-comp DEL_COMP
    Delete a chaining component

usage: dsconf instance chaining config-get-def [-h]

usage: dsconf instance chaining config-set-def [-h]
        [--conn-bind-limit CONN_BIND_LIMIT]
        [--conn-op-limit CONN_OP_LIMIT]
        [--abandon-check-interval ABANDON_CHECK_INTERVAL]
        [--bind-limit BIND_LIMIT] [--op-limit OP_LIMIT]
        [--proxied-auth PROXIED_AUTH]
        [--conn-lifetime CONN_LIFETIME]
        [--bind-timeout BIND_TIMEOUT] [--return-ref RETURN_REF]
        [--check-aci CHECK_ACI] [--bind-attempts BIND_ATTEMPTS]
        [--size-limit SIZE_LIMIT] [--time-limit TIME_LIMIT]
        [--hop-limit HOP_LIMIT] [--response-delay RESPONSE_DELAY]
        [--test-response-delay TEST_RESPONSE_DELAY]
        [--use-starttls USE_STARTTLS]

--conn-bind-limit CONN_BIND_LIMIT
    The maximum number of BIND connections the database link
    establishes with the remote server.

--conn-op-limit CONN_OP_LIMIT
    The maximum number of LDAP connections the database link
    establishes with the remote server.

--abandon-check-interval ABANDON_CHECK_INTERVAL
    The number of seconds that pass before the server checks for
    abandoned operations.

--bind-limit BIND_LIMIT
    The maximum number of concurrent bind operations per TCP
    connection.

--op-limit OP_LIMIT
    The maximum number of concurrent operations allowed.

--proxied-auth PROXIED_AUTH
    Set to "off" to disable proxied authorization; binds for
    chained operations are then executed as the user set in the
    nsMultiplexorBindDn attribute (on/off).

--conn-lifetime CONN_LIFETIME
    Specifies connection lifetime in seconds. 0 keeps connection
    open forever.

--bind-timeout BIND_TIMEOUT
    The amount of time in seconds before a bind attempt times out.

--return-ref RETURN_REF
    Sets whether referrals are returned by scoped searches (on/off).

--check-aci CHECK_ACI
    Set whether ACIs are evaluated on the database link as well as
    the remote data server (on/off).

--bind-attempts BIND_ATTEMPTS
    Sets the number of times the server tries to bind with the
    remote server.

--size-limit SIZE_LIMIT
    Sets the maximum number of entries to return from a search
    operation.

--time-limit TIME_LIMIT
    Sets the maximum number of seconds allowed for an operation.

--hop-limit HOP_LIMIT
    Sets the maximum number of times a database is allowed to chain;
    that is, the number of times a request can be forwarded from one
    database link to another.

--response-delay RESPONSE_DELAY
    The maximum amount of time it can take a remote server to
    respond to an LDAP operation request made by a database link
    before an error is suspected.

--test-response-delay TEST_RESPONSE_DELAY
    Sets the duration of the test issued by the database link to
    check whether the remote server is responding.

--use-starttls USE_STARTTLS
    Set to "on" to specify that the database links should use
    StartTLS for their secure connections.

usage: dsconf instance chaining link-create [-h]
        [--conn-bind-limit CONN_BIND_LIMIT]
        [--conn-op-limit CONN_OP_LIMIT]
        [--abandon-check-interval ABANDON_CHECK_INTERVAL]
        [--bind-limit BIND_LIMIT] [--op-limit OP_LIMIT]
        [--proxied-auth PROXIED_AUTH]
        [--conn-lifetime CONN_LIFETIME]
        [--bind-timeout BIND_TIMEOUT] [--return-ref RETURN_REF]
        [--check-aci CHECK_ACI] [--bind-attempts BIND_ATTEMPTS]
        [--size-limit SIZE_LIMIT] [--time-limit TIME_LIMIT]
        [--hop-limit HOP_LIMIT] [--response-delay RESPONSE_DELAY]
        [--test-response-delay TEST_RESPONSE_DELAY]
        [--use-starttls USE_STARTTLS]
        --suffix SUFFIX --server-url SERVER_URL
        --bind-mech BIND_MECH --bind-dn BIND_DN --bind-pw BIND_PW
        CHAIN_NAME

CHAIN_NAME
    The name of the database link

--conn-bind-limit CONN_BIND_LIMIT
    The maximum number of BIND connections the database link
    establishes with the remote server.

--conn-op-limit CONN_OP_LIMIT
    The maximum number of LDAP connections the database link
    establishes with the remote server.

--abandon-check-interval ABANDON_CHECK_INTERVAL
    The number of seconds that pass before the server checks for
    abandoned operations.

--bind-limit BIND_LIMIT
    The maximum number of concurrent bind operations per TCP
    connection.

--op-limit OP_LIMIT
    The maximum number of concurrent operations allowed.

--proxied-auth PROXIED_AUTH
    Set to "off" to disable proxied authorization; binds for
    chained operations are then executed as the user set in the
    nsMultiplexorBindDn attribute (on/off).

--conn-lifetime CONN_LIFETIME
    Specifies connection lifetime in seconds. 0 keeps connection
    open forever.

--bind-timeout BIND_TIMEOUT
    The amount of time in seconds before a bind attempt times out.

--return-ref RETURN_REF
    Sets whether referrals are returned by scoped searches (on/off).

--check-aci CHECK_ACI
    Set whether ACIs are evaluated on the database link as well as
    the remote data server (on/off).

--bind-attempts BIND_ATTEMPTS
    Sets the number of times the server tries to bind with the
    remote server.

--size-limit SIZE_LIMIT
    Sets the maximum number of entries to return from a search
    operation.

--time-limit TIME_LIMIT
    Sets the maximum number of seconds allowed for an operation.

--hop-limit HOP_LIMIT
    Sets the maximum number of times a database is allowed to chain;
    that is, the number of times a request can be forwarded from one
    database link to another.

--response-delay RESPONSE_DELAY
    The maximum amount of time it can take a remote server to
    respond to an LDAP operation request made by a database link
    before an error is suspected.

--test-response-delay TEST_RESPONSE_DELAY
    Sets the duration of the test issued by the database link to
    check whether the remote server is responding.

--use-starttls USE_STARTTLS
    Set to "on" to specify that the database links should use
    StartTLS for their secure connections.

--suffix SUFFIX
    The suffix managed by the database link.

--server-url SERVER_URL
    Gives the LDAP/LDAPS URL of the remote server.

--bind-mech BIND_MECH
    Sets the authentication method to use to authenticate to the
    remote server: SIMPLE, EXTERNAL, DIGEST-MD5, or GSSAPI. Default
    if unset is SIMPLE.

--bind-dn BIND_DN
    DN of the administrative entry used to communicate with the
    remote server

--bind-pw BIND_PW
    Password for the administrative user.

1395 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1396
1397
1398 CHAIN_NAME
1399 The chaining link name, or suffix, to retrieve
1400
1401
1402
1404 usage: dsconf instance chaining link-set [-h]
1405 [--conn-bind-limit
1406 CONN_BIND_LIMIT]
1407 [--conn-op-limit
1408 CONN_OP_LIMIT]
1409 [--abandon-check-interval
1410 ABANDON_CHECK_INTERVAL]
1411 [--bind-limit BIND_LIMIT]
1412 [--op-limit OP_LIMIT]
1413 [--proxied-auth PROXIED_AUTH]
1414 [--conn-lifetime CONN_LIFE‐
1415 TIME]
1416 [--bind-timeout BIND_TIMEOUT]
1417 [--return-ref RETURN_REF]
1418 [--check-aci CHECK_ACI]
1419 [--bind-attempts
1420 BIND_ATTEMPTS]
1421 [--size-limit SIZE_LIMIT]
1422 [--time-limit TIME_LIMIT]
1423 [--hop-limit HOP_LIMIT]
1424 [--response-delay
1425 RESPONSE_DELAY]
1426 [--test-response-delay
1427 TEST_RESPONSE_DELAY]
1428 [--use-starttls USE_STARTTLS]
1429 [--suffix SUFFIX]
1430 [--server-url SERVER_URL]
1431 [--bind-mech BIND_MECH]
1432 [--bind-dn BIND_DN]
1433 [--bind-pw BIND_PW]
1434 CHAIN_NAME
1435
1436
1437 CHAIN_NAME
1438 The name of the database link
1439
1440
1441 --conn-bind-limit CONN_BIND_LIMIT
1442 The maximum number of BIND connections the database link estab‐
1443 lishes with the remote server.
1444
1445
1446 --conn-op-limit CONN_OP_LIMIT
1447 The maximum number of LDAP connections the database link estab‐
1448 lishes with the remote server.
1449
1450
1451 --abandon-check-interval ABANDON_CHECK_INTERVAL
1452 The number of seconds that pass before the server checks for
1453 abandoned operations.
1454
1455
1456 --bind-limit BIND_LIMIT
1457 The maximum number of concurrent bind operations per TCP connec‐
1458 tion.
1459
1460
1461 --op-limit OP_LIMIT
1462 The maximum number of concurrent operations allowed.
1463
1464
1465 --proxied-auth PROXIED_AUTH
1466 Set to "off" to disable proxied authorization; binds for
1467 chained operations are then executed as the user set in the
1468 nsMultiplexorBindDn attribute (on/off).
1469
1470
1471 --conn-lifetime CONN_LIFETIME
1472 Specifies connection lifetime in seconds. 0 keeps connection
1473 open forever.
1474
1475
1476 --bind-timeout BIND_TIMEOUT
1477 The amount of time in seconds before a bind attempt times out.
1478
1479
1480 --return-ref RETURN_REF
1481 Sets whether referrals are returned by scoped searches (on/off).
1482
1483
1484 --check-aci CHECK_ACI
1485 Set whether ACIs are evaluated on the database link as well as
1486 the remote data server (on/off).
1487
1488
1489 --bind-attempts BIND_ATTEMPTS
1490 Sets the number of times the server tries to bind with the
1491 remote server.
1492
1493
1494 --size-limit SIZE_LIMIT
1495 Sets the maximum number of entries to return from a search oper‐
1496 ation.
1497
1498
1499 --time-limit TIME_LIMIT
1500 Sets the maximum number of seconds allowed for an operation.
1501
1502
1503 --hop-limit HOP_LIMIT
1504 Sets the maximum number of times a database is allowed to chain;
1505 that is, the number of times a request can be forwarded from one
1506 database link to another.
1507
1508
1509 --response-delay RESPONSE_DELAY
1510 The maximum amount of time it can take a remote server to
1511 respond to an LDAP operation request made by a database link
1512 before an error is suspected.
1513
1514
1515 --test-response-delay TEST_RESPONSE_DELAY
1516 Sets the duration of the test issued by the database link to
1517 check whether the remote server is responding.
1518
1519
1520 --use-starttls USE_STARTTLS
1521 Set to "on" to specify that the database link should use
1522 StartTLS for its secure connections.
1523
1524
1525 --suffix SUFFIX
1526 The suffix managed by the database link.
1527
1528
1529 --server-url SERVER_URL
1530 Gives the LDAP/LDAPS URL of the remote server.
1531
1532
1533 --bind-mech BIND_MECH
1534 Sets the authentication method to use to authenticate to the
1535 remote server: SIMPLE, EXTERNAL, DIGEST-MD5, or GSSAPI. Default
1536 if unset is SIMPLE.
1537
1538
1539 --bind-dn BIND_DN
1540 DN of the administrative entry used to communicate with the
1541 remote server
1542
1543
1544 --bind-pw BIND_PW
1545 Password for the administrative user.
1546
1547
1549 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1550
1551
1552 CHAIN_NAME
1553 The name of the database link
1554
1555
1556
1558 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1559
1560
1561 CHAIN_NAME
1562 The name of the database link
1563
1564
1565
1567 usage: dsconf instance chaining link-list [-h]
1568
1569
1570
1571
1572
1574 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1575
1576
1577 Sub-commands
1578 dsconf config get
1579 get
1580
1581 dsconf config add
1582 Add attribute value to configuration
1583
1584 dsconf config replace
1585 Replace attribute value in configuration
1586
1587 dsconf config delete
1588 Delete attribute value in configuration
1589
1591 usage: dsconf instance config get [-h] [attrs ...]
1592
1593
1594 attrs Configuration attribute(s) to get
1595
1596
1597
1599 usage: dsconf instance config add [-h] [attr ...]
1600
1601
1602 attr Configuration attribute to add
1603
1604
1605
1607 usage: dsconf instance config replace [-h] [attr ...]
1608
1609
1610 attr Configuration attribute to replace
1611
1612
1613
1615 usage: dsconf instance config delete [-h] [attr ...]
1616
1617
1618 attr Configuration attribute to delete
1619
1620
1621
1622
1624 usage: dsconf instance directory_manager [-h] {password_change} ...
1625
1626
1627 Sub-commands
1628 dsconf directory_manager password_change
1629 Change the directory manager password
1630
1632 usage: dsconf instance directory_manager password_change [-h]
1633
1634
1635
1636
1637
1639 usage: dsconf instance monitor [-h]
1640 {server,dbmon,ldbm,backend,snmp,chain‐
1641 ing,disk}
1642 ...
1643
1644
1645 Sub-commands
1646 dsconf monitor server
1647 Monitor the server statistics, connections and operations
1648
1649 dsconf monitor dbmon
1650 Monitor all the database statistics in a single report
1651
1652 dsconf monitor ldbm
1653 Monitor the ldbm statistics, such as dbcache
1654
1655 dsconf monitor backend
1656 Monitor the behavior of a backend database
1657
1658 dsconf monitor snmp
1659 Monitor the SNMP statistics
1660
1661 dsconf monitor chaining
1662 Monitor database chaining statistics
1663
1664 dsconf monitor disk
1665 Disk space statistics. All values are in bytes
1666
1668 usage: dsconf instance monitor server [-h]
1669
1670
1671
1672
1674 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1675
1676
1677
1678 -b BACKENDS, --backends BACKENDS
1679 List of space separated backends to monitor. Default is all
1680 backends.
1681
1682
1683 -x, --indexes
1684 Show index stats for each backend
1685
1686
1688 usage: dsconf instance monitor ldbm [-h]
1689
1690
1691
1692
1694 usage: dsconf instance monitor backend [-h] [backend]
1695
1696
1697 backend
1698 Optional name of the backend to monitor
1699
1700
1701
1703 usage: dsconf instance monitor snmp [-h]
1704
1705
1706
1707
1709 usage: dsconf instance monitor chaining [-h] [backend]
1710
1711
1712 backend
1713 Optional name of the chaining backend to monitor
1714
1715
1716
1718 usage: dsconf instance monitor disk [-h]
1719
1720
1721
1722
1723
1725 usage: dsconf instance plugin [-h]
1726 {memberof,automember,referential-
1727 integrity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-
1728 entries,pass-through-auth,retro-changelog,posix-winsync,con‐
1729 tentsync,list,show,set}
1730 ...
1731
1732
1733 Sub-commands
1734 dsconf plugin memberof
1735 Manage and configure MemberOf plugin
1736
1737 dsconf plugin automember
1738 Manage and configure Automembership plugin
1739
1740 dsconf plugin referential-integrity
1741 Manage and configure Referential Integrity Postoperation plugin
1742
1743 dsconf plugin root-dn
1744 Manage and configure RootDN Access Control plugin
1745
1746 dsconf plugin usn
1747 Manage and configure USN plugin
1748
1749 dsconf plugin account-policy
1750 Manage and configure Account Policy plugin
1751
1752 dsconf plugin attr-uniq
1753 Manage and configure Attribute Uniqueness plugin
1754
1755 dsconf plugin dna
1756 Manage and configure DNA plugin
1757
1758 dsconf plugin linked-attr
1759 Manage and configure Linked Attributes plugin
1760
1761 dsconf plugin managed-entries
1762 Manage and configure Managed Entries Plugin
1763
1764 dsconf plugin pass-through-auth
1765 Manage and configure Pass-Through Authentication plugins (URLs
1766 and PAM)
1767
1768 dsconf plugin retro-changelog
1769 Manage and configure Retro Changelog plugin
1770
1771 dsconf plugin posix-winsync
1772 Manage and configure the Posix Winsync API plugin
1773
1774 dsconf plugin contentsync
1775 Manage and configure Content Sync Plugin (aka syncrepl)
1776
1777 dsconf plugin list
1778 List current configured (enabled and disabled) plugins
1779
1780 dsconf plugin show
1781 Show the plugin data
1782
1783 dsconf plugin set
1784 Edit the plugin
1785
1787 usage: dsconf instance plugin memberof [-h]
1788 {show,enable,disable,sta‐
1789 tus,set,config-entry,fixup}
1790 ...
1791
1792
1793 Sub-commands
1794 dsconf plugin memberof show
1795 display plugin configuration
1796
1797 dsconf plugin memberof enable
1798 enable plugin
1799
1800 dsconf plugin memberof disable
1801 disable plugin
1802
1803 dsconf plugin memberof status
1804 display plugin status
1805
1806 dsconf plugin memberof set
1807 Edit the plugin
1808
1809 dsconf plugin memberof config-entry
1810 Manage the config entry
1811
1812 dsconf plugin memberof fixup
1813 Run the fix-up task for memberOf plugin
1814
1816 usage: dsconf instance plugin memberof show [-h]
1817
1818
1819
1820
1822 usage: dsconf instance plugin memberof enable [-h]
1823
1824
1825
1826
1828 usage: dsconf instance plugin memberof disable [-h]
1829
1830
1831
1832
1834 usage: dsconf instance plugin memberof status [-h]
1835
1836
1837
1838
1840 usage: dsconf instance plugin memberof set [-h] [--attr ATTR [ATTR
1841 ...]]
1842 [--groupattr GROUPATTR
1843 [GROUPATTR ...]]
1844 [--allbackends {on,off}]
1845 [--skipnested {on,off}]
1846 [--scope SCOPE] [--exclude
1847 EXCLUDE]
1848 [--autoaddoc AUTOADDOC]
1849 [--config-entry CON‐
1850 FIG_ENTRY]
1851
1852
1853
1854 --attr ATTR [ATTR ...]
1855 Specifies the attribute in the user entry for the Directory
1856 Server to manage to reflect group membership (memberOfAttr)
1857
1858
1859 --groupattr GROUPATTR [GROUPATTR ...]
1860 Specifies the attribute in the group entry to use to identify
1861 the DNs of group members (memberOfGroupAttr)
1862
1863
1864 --allbackends {on,off}
1865 Specifies whether to search the local suffix for user entries on
1866 all available suffixes (memberOfAllBackends)
1867
1868
1869 --skipnested {on,off}
1870 Specifies whether to skip nested groups or not
1871 (memberOfSkipNested)
1872
1873
1874 --scope SCOPE
1875 Specifies backends or multiple-nested suffixes for the MemberOf
1876 plug-in to work on (memberOfEntryScope)
1877
1878
1879 --exclude EXCLUDE
1880 Specifies backends or multiple-nested suffixes for the MemberOf
1881 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1882
1883
1884 --autoaddoc AUTOADDOC
1885 If an entry does not have an object class that allows the mem‐
1886 berOf attribute then the memberOf plugin will automatically add
1887 the object class listed in the memberOfAutoAddOC parameter
1888
1889
1890 --config-entry CONFIG_ENTRY
1891 The value to set as nsslapd-pluginConfigArea
1892
1893
1895 usage: dsconf instance plugin memberof config-entry [-h]
1896 {add,set,show,delete}
1897 ...
1898
1899
1900 Sub-commands
1901 dsconf plugin memberof config-entry add
1902 Add the config entry
1903
1904 dsconf plugin memberof config-entry set
1905 Edit the config entry
1906
1907 dsconf plugin memberof config-entry show
1908 Display the config entry
1909
1910 dsconf plugin memberof config-entry delete
1911 Delete the config entry
1912
1914 usage: dsconf instance plugin memberof config-entry add [-h]
1915 [--attr ATTR
1916 [ATTR ...]]
1917 [--groupattr
1918 GROUPATTR [GROUPATTR ...]]
1919 [--allbackends
1920 {on,off}]
1921 [--skipnested
1922 {on,off}]
1923 [--scope SCOPE]
1924 [--exclude
1925 EXCLUDE]
1926 [--autoaddoc
1927 AUTOADDOC]
1928 DN
1929
1930
1931 DN The config entry full DN
1932
1933
1934 --attr ATTR [ATTR ...]
1935 Specifies the attribute in the user entry for the Directory
1936 Server to manage to reflect group membership (memberOfAttr)
1937
1938
1939 --groupattr GROUPATTR [GROUPATTR ...]
1940 Specifies the attribute in the group entry to use to identify
1941 the DNs of group members (memberOfGroupAttr)
1942
1943
1944 --allbackends {on,off}
1945 Specifies whether to search the local suffix for user entries on
1946 all available suffixes (memberOfAllBackends)
1947
1948
1949 --skipnested {on,off}
1950 Specifies whether to skip nested groups or not
1951 (memberOfSkipNested)
1952
1953
1954 --scope SCOPE
1955 Specifies backends or multiple-nested suffixes for the MemberOf
1956 plug-in to work on (memberOfEntryScope)
1957
1958
1959 --exclude EXCLUDE
1960 Specifies backends or multiple-nested suffixes for the MemberOf
1961 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1962
1963
1964 --autoaddoc AUTOADDOC
1965 If an entry does not have an object class that allows the mem‐
1966 berOf attribute then the memberOf plugin will automatically add
1967 the object class listed in the memberOfAutoAddOC parameter
1968
1969
1971 usage: dsconf instance plugin memberof config-entry set [-h]
1972 [--attr ATTR
1973 [ATTR ...]]
1974 [--groupattr
1975 GROUPATTR [GROUPATTR ...]]
1976 [--allbackends
1977 {on,off}]
1978 [--skipnested
1979 {on,off}]
1980 [--scope SCOPE]
1981 [--exclude
1982 EXCLUDE]
1983 [--autoaddoc
1984 AUTOADDOC]
1985 DN
1986
1987
1988 DN The config entry full DN
1989
1990
1991 --attr ATTR [ATTR ...]
1992 Specifies the attribute in the user entry for the Directory
1993 Server to manage to reflect group membership (memberOfAttr)
1994
1995
1996 --groupattr GROUPATTR [GROUPATTR ...]
1997 Specifies the attribute in the group entry to use to identify
1998 the DNs of group members (memberOfGroupAttr)
1999
2000
2001 --allbackends {on,off}
2002 Specifies whether to search the local suffix for user entries on
2003 all available suffixes (memberOfAllBackends)
2004
2005
2006 --skipnested {on,off}
2007 Specifies whether to skip nested groups or not
2008 (memberOfSkipNested)
2009
2010
2011 --scope SCOPE
2012 Specifies backends or multiple-nested suffixes for the MemberOf
2013 plug-in to work on (memberOfEntryScope)
2014
2015
2016 --exclude EXCLUDE
2017 Specifies backends or multiple-nested suffixes for the MemberOf
2018 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2019
2020
2021 --autoaddoc AUTOADDOC
2022 If an entry does not have an object class that allows the mem‐
2023 berOf attribute then the memberOf plugin will automatically add
2024 the object class listed in the memberOfAutoAddOC parameter
2025
2026
2028 usage: dsconf instance plugin memberof config-entry show [-h] DN
2029
2030
2031 DN The config entry full DN
2032
2033
2034
2036 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2037
2038
2039 DN The config entry full DN
2040
2041
2042
2043
2045 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] DN
2046
2047
2048 DN Base DN that contains entries to fix up
2049
2050
2051 -f FILTER, --filter FILTER
2052 Filter for entries to fix up. If omitted, all entries with
2053 objectclass inetuser/inetadmin/nsmemberof under the specified
2054 base will have their memberOf attribute regenerated.
2055
2056
2057
2059 usage: dsconf instance plugin automember [-h]
2060 {show,enable,disable,sta‐
2061 tus,list,definition,fixup}
2062 ...
2063
2064
2065 Sub-commands
2066 dsconf plugin automember show
2067 display plugin configuration
2068
2069 dsconf plugin automember enable
2070 enable plugin
2071
2072 dsconf plugin automember disable
2073 disable plugin
2074
2075 dsconf plugin automember status
2076 display plugin status
2077
2078 dsconf plugin automember list
2079 List Automembership definitions or regex rules.
2080
2081 dsconf plugin automember definition
2082 Manage Automembership definition.
2083
2084 dsconf plugin automember fixup
2085 Run a rebuild membership task.
2086
2088 usage: dsconf instance plugin automember show [-h]
2089
2090
2091
2092
2094 usage: dsconf instance plugin automember enable [-h]
2095
2096
2097
2098
2100 usage: dsconf instance plugin automember disable [-h]
2101
2102
2103
2104
2106 usage: dsconf instance plugin automember status [-h]
2107
2108
2109
2110
2112 usage: dsconf instance plugin automember list [-h] {defini‐
2113 tions,regexes} ...
2114
2115
2116 Sub-commands
2117 dsconf plugin automember list definitions
2118 List Automembership definitions.
2119
2120 dsconf plugin automember list regexes
2121 List Automembership regex rules.
2122
2124 usage: dsconf instance plugin automember list definitions [-h]
2125
2126
2127
2128
2130 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2131
2132
2133 DEFNAME
2134 The definition entry CN.
2135
2136
2137
2138
2140 usage: dsconf instance plugin automember definition [-h]
2141 DEFNAME
2142 {add,set,delete,show,regex}
2143 ...
2144
2145
2146 DEFNAME
2147 The definition entry CN.
2148
2149
2150 Sub-commands
2151 dsconf plugin automember definition add
2152 Create Automembership definition.
2153
2154 dsconf plugin automember definition set
2155 Edit Automembership definition.
2156
2157 dsconf plugin automember definition delete
2158 Remove Automembership definition.
2159
2160 dsconf plugin automember definition show
2161 Display Automembership definition.
2162
2163 dsconf plugin automember definition regex
2164 Manage Automembership regex rules.
2165
2167 usage: dsconf instance plugin automember definition DEFNAME add
2168 [-h] --grouping-attr GROUPING_ATTR [--default-group
2169 DEFAULT_GROUP]
2170 --scope SCOPE --filter FILTER
2171
2172
2173
2174 --grouping-attr GROUPING_ATTR
2175 Specifies the name of the member attribute in the group entry
2176 and the attribute in the object entry that supplies the member
2177 attribute value, in the format group_member_attr:entry_attr
2178 (autoMemberGroupingAttr)
2179
2180
2181 --default-group DEFAULT_GROUP
2182 Sets default or fallback group to add the entry to as a member
2183 attribute in group entry (autoMemberDefaultGroup)
2184
2185
2186 --scope SCOPE
2187 Sets the subtree DN to search for entries (autoMemberScope)
2188
2189
2190 --filter FILTER
2191 Sets a standard LDAP search filter to use to search for matching
2192 entries (autoMemberFilter)
2193
2194
2196 usage: dsconf instance plugin automember definition DEFNAME set
2197 [-h] --grouping-attr GROUPING_ATTR [--default-group
2198 DEFAULT_GROUP]
2199 --scope SCOPE --filter FILTER
2200
2201
2202
2203 --grouping-attr GROUPING_ATTR
2204 Specifies the name of the member attribute in the group entry
2205 and the attribute in the object entry that supplies the member
2206 attribute value, in the format group_member_attr:entry_attr
2207 (autoMemberGroupingAttr)
2208
2209
2210 --default-group DEFAULT_GROUP
2211 Sets default or fallback group to add the entry to as a member
2212 attribute in group entry (autoMemberDefaultGroup)
2213
2214
2215 --scope SCOPE
2216 Sets the subtree DN to search for entries (autoMemberScope)
2217
2218
2219 --filter FILTER
2220 Sets a standard LDAP search filter to use to search for matching
2221 entries (autoMemberFilter)
2222
2223
2225 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2226
2227
2228
2229
2231 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2232
2233
2234
2235
2237 usage: dsconf instance plugin automember definition DEFNAME regex
2238 [-h] REGEXNAME {add,set,delete,show} ...
2239
2240
2241 REGEXNAME
2242 The regex entry CN.
2243
2244
2245 Sub-commands
2246 dsconf plugin automember definition regex add
2247 Create Automembership regex.
2248
2249 dsconf plugin automember definition regex set
2250 Edit Automembership regex.
2251
2252 dsconf plugin automember definition regex delete
2253 Remove Automembership regex.
2254
2255 dsconf plugin automember definition regex show
2256 Display Automembership regex.
2257
2259 usage: dsconf instance plugin automember definition DEFNAME regex
2260 REGEXNAME add
2261 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2262 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2263 GET_GROUP
2264
2265
2266
2267 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2268 Sets a single regular expression to use to identify entries to
2269 exclude (autoMemberExclusiveRegex)
2270
2271
2272 --inclusive INCLUSIVE [INCLUSIVE ...]
2273 Sets a single regular expression to use to identify entries to
2274 include (autoMemberInclusiveRegex)
2275
2276
2277 --target-group TARGET_GROUP
2278 Sets which group to add the entry to as a member, if it meets
2279 the regular expression conditions (autoMemberTargetGroup)
2280
2281
2283 usage: dsconf instance plugin automember definition DEFNAME regex
2284 REGEXNAME set
2285 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2286 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2287 GET_GROUP
2288
2289
2290
2291 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2292 Sets a single regular expression to use to identify entries to
2293 exclude (autoMemberExclusiveRegex)
2294
2295
2296 --inclusive INCLUSIVE [INCLUSIVE ...]
2297 Sets a single regular expression to use to identify entries to
2298 include (autoMemberInclusiveRegex)
2299
2300
2301 --target-group TARGET_GROUP
2302 Sets which group to add the entry to as a member, if it meets
2303 the regular expression conditions (autoMemberTargetGroup)
2304
2305
2307 usage: dsconf instance plugin automember definition DEFNAME regex
2308 REGEXNAME delete
2309 [-h]
2310
2311
2312
2313
2315 usage: dsconf instance plugin automember definition DEFNAME regex
2316 REGEXNAME show
2317 [-h]
2318
2319
2320
2321
2322
2323
2325 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2326 {sub,base,one}
2327 DN
2328
2329
2330 DN Base DN that contains entries to fix up
2331
2332
2333 -f FILTER, --filter FILTER
2334 LDAP filter for entries to fix up.
2335
2336
2337 -s {sub,base,one}, --scope {sub,base,one}
2338 LDAP search scope for entries to fix up
2339
2340
2341
2343 usage: dsconf instance plugin referential-integrity [-h]
2344 {show,enable,dis‐
2345 able,status,set,config-entry}
2346 ...
2347
2348
2349 Sub-commands
2350 dsconf plugin referential-integrity show
2351 display plugin configuration
2352
2353 dsconf plugin referential-integrity enable
2354 enable plugin
2355
2356 dsconf plugin referential-integrity disable
2357 disable plugin
2358
2359 dsconf plugin referential-integrity status
2360 display plugin status
2361
2362 dsconf plugin referential-integrity set
2363 Edit the plugin
2364
2365 dsconf plugin referential-integrity config-entry
2366 Manage the config entry
2367
2369 usage: dsconf instance plugin referential-integrity show [-h]
2370
2371
2372
2373
2375 usage: dsconf instance plugin referential-integrity enable [-h]
2376
2377
2378
2379
2381 usage: dsconf instance plugin referential-integrity disable [-h]
2382
2383
2384
2385
2387 usage: dsconf instance plugin referential-integrity status [-h]
2388
2389
2390
2391
2393 usage: dsconf instance plugin referential-integrity set [-h]
2394 [--update-delay
2395 UPDATE_DELAY]
2396 [--membership-
2397 attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2398 [--entry-scope
2399 ENTRY_SCOPE]
2400 [--exclude-
2401 entry-scope EXCLUDE_ENTRY_SCOPE]
2402 [--container-
2403 scope CONTAINER_SCOPE]
2404 [--log-file
2405 LOG_FILE]
2406 [--config-entry
2407 CONFIG_ENTRY]
2408
2409
2410
2411 --update-delay UPDATE_DELAY
2412 Sets the update interval. Special values: 0 - The check is per‐
2413 formed immediately, -1 - No check is performed
2414 (referint-update-delay)
2415
2416
2417 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2418 Specifies attributes to check for and update (referint-member‐
2419 ship-attr)
2420
2421
2422 --entry-scope ENTRY_SCOPE
2423 Defines the subtree in which the plug-in looks for the delete or
2424 rename operations of a user entry (nsslapd-pluginEntryScope)
2425
2426
2427 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2428 Defines the subtree in which the plug-in ignores any operations
2429 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2430 tryScope)
2431
2432
2433 --container-scope CONTAINER_SCOPE
2434 Specifies which branch the plug-in searches for the groups to
2435 which the user belongs. It only updates groups that are under
2436 the specified container branch, and leaves all other groups not
2437 updated (nsslapd-pluginContainerScope)
2438
2439
2440 --log-file LOG_FILE
2441 Specifies a path to the Referential integrity logfile. For
2442 example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2443
2444
2445 --config-entry CONFIG_ENTRY
2446 The value to set as nsslapd-pluginConfigArea
2447
2448
2450 usage: dsconf instance plugin referential-integrity config-entry
2451 [-h] {add,set,show,delete} ...
2452
2453
2454 Sub-commands
2455 dsconf plugin referential-integrity config-entry add
2456 Add the config entry
2457
2458 dsconf plugin referential-integrity config-entry set
2459 Edit the config entry
2460
2461 dsconf plugin referential-integrity config-entry show
2462 Display the config entry
2463
2464 dsconf plugin referential-integrity config-entry delete
2465 Delete the config entry
2466
2468 usage: dsconf instance plugin referential-integrity config-entry add
2469 [-h] [--update-delay UPDATE_DELAY]
2470 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2471 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope
2472 EXCLUDE_ENTRY_SCOPE]
2473 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2474 DN
2475
2476
2477 DN The config entry full DN
2478
2479
2480 --update-delay UPDATE_DELAY
2481 Sets the update interval. Special values: 0 - The check is per‐
2482 formed immediately, -1 - No check is performed
2483 (referint-update-delay)
2484
2485
2486 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2487 Specifies attributes to check for and update (referint-member‐
2488 ship-attr)
2489
2490
2491 --entry-scope ENTRY_SCOPE
2492 Defines the subtree in which the plug-in looks for the delete or
2493 rename operations of a user entry (nsslapd-pluginEntryScope)
2494
2495
2496 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2497 Defines the subtree in which the plug-in ignores any operations
2498 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2499 tryScope)
2500
2501
2502 --container-scope CONTAINER_SCOPE
2503 Specifies which branch the plug-in searches for the groups to
2504 which the user belongs. It only updates groups that are under
2505 the specified container branch, and leaves all other groups not
2506 updated (nsslapd-pluginContainerScope)
2507
2508
2509 --log-file LOG_FILE
2510 Specifies a path to the Referential integrity logfile. For
2511 example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2512
2513
2515 usage: dsconf instance plugin referential-integrity config-entry set
2516 [-h] [--update-delay UPDATE_DELAY]
2517 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2518 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope
2519 EXCLUDE_ENTRY_SCOPE]
2520 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2521 DN
2522
2523
2524 DN The config entry full DN
2525
2526
2527 --update-delay UPDATE_DELAY
2528 Sets the update interval. Special values: 0 - The check is per‐
2529 formed immediately, -1 - No check is performed
2530 (referint-update-delay)
2531
2532
2533 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2534 Specifies attributes to check for and update (referint-member‐
2535 ship-attr)
2536
2537
2538 --entry-scope ENTRY_SCOPE
2539 Defines the subtree in which the plug-in looks for the delete or
2540 rename operations of a user entry (nsslapd-pluginEntryScope)
2541
2542
2543 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2544 Defines the subtree in which the plug-in ignores any operations
2545 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2546 tryScope)
2547
2548
2549 --container-scope CONTAINER_SCOPE
2550 Specifies which branch the plug-in searches for the groups to
2551 which the user belongs. It only updates groups that are under
2552 the specified container branch, and leaves all other groups not
2553 updated (nsslapd-pluginContainerScope)
2554
2555
2556 --log-file LOG_FILE
2557 Specifies a path to the Referential integrity logfile. For
2558 example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2559
2560
2562 usage: dsconf instance plugin referential-integrity config-entry show
2563 [-h] DN
2564
2565
2566 DN The config entry full DN
2567
2568
2569
2571 usage: dsconf instance plugin referential-integrity config-entry delete
2572 [-h] DN
2573
2574
2575 DN The config entry full DN
2576
2577
2578
2579
2580
2582 usage: dsconf instance plugin root-dn [-h]
2583 {show,enable,disable,status,set}
2584 ...
2585
2586
2587 Sub-commands
2588 dsconf plugin root-dn show
2589 display plugin configuration
2590
2591 dsconf plugin root-dn enable
2592 enable plugin
2593
2594 dsconf plugin root-dn disable
2595 disable plugin
2596
2597 dsconf plugin root-dn status
2598 display plugin status
2599
2600 dsconf plugin root-dn set
2601 Edit the plugin
2602
2604 usage: dsconf instance plugin root-dn show [-h]
2605
2606
2607
2608
2610 usage: dsconf instance plugin root-dn enable [-h]
2611
2612
2613
2614
2616 usage: dsconf instance plugin root-dn disable [-h]
2617
2618
2619
2620
2622 usage: dsconf instance plugin root-dn status [-h]
2623
2624
2625
2626
2628 usage: dsconf instance plugin root-dn set [-h]
2629 [--allow-host ALLOW_HOST
2630 [ALLOW_HOST ...]]
2631 [--deny-host DENY_HOST
2632 [DENY_HOST ...]]
2633 [--allow-ip ALLOW_IP
2634 [ALLOW_IP ...]]
2635 [--deny-ip DENY_IP [DENY_IP
2636 ...]]
2637 [--open-time OPEN_TIME]
2638 [--close-time CLOSE_TIME]
2639 [--days-allowed DAYS_ALLOWED]
2640
2641
2642
2643 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2644 Sets what hosts, by fully-qualified domain name, the root user
2645 is allowed to use to access the Directory Server. Any hosts not
2646 listed are implicitly denied (rootdn-allow-host)
2647
2648
2649 --deny-host DENY_HOST [DENY_HOST ...]
2650 Sets what hosts, by fully-qualified domain name, the root user
2651 is not allowed to use to access the Directory Server. Any hosts
2652 not listed are implicitly allowed (rootdn-deny-host). If a host
2653 address is listed in both the rootdn-allow-host and
2654 rootdn-deny-host attributes, it is denied access.
2655
2656
2657 --allow-ip ALLOW_IP [ALLOW_IP ...]
2658 Sets what IP addresses, either IPv4 or IPv6, for machines the
2659 root user is allowed to use to access the Directory Server. Any
2660 IP addresses not listed are implicitly denied (rootdn-allow-ip)
2661
2662
2663 --deny-ip DENY_IP [DENY_IP ...]
2664 Sets what IP addresses, either IPv4 or IPv6, for machines the
2665 root user is not allowed to use to access the Directory Server.
2666 Any IP addresses not listed are implicitly allowed
2667 (rootdn-deny-ip). If an IP address is listed in both the
2668 rootdn-allow-ip and rootdn-deny-ip attributes, it is denied
2669 access.
2670
2671
2672 --open-time OPEN_TIME
2673 Sets part of a time period or range when the root user is
2674 allowed to access the Directory Server. This sets when the
2675 time-based access begins (rootdn-open-time)
2676
2677
2678 --close-time CLOSE_TIME
2679 Sets part of a time period or range when the root user is
2680 allowed to access the Directory Server. This sets when the
2681 time-based access ends (rootdn-close-time)
2682
2683
2684 --days-allowed DAYS_ALLOWED
2685 Gives a comma-separated list of what days the root user is
2686 allowed to use to access the Directory Server. Any days not listed
2687 are implicitly denied (rootdn-days-allowed)
2688
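A model of how the root-dn restrictions described above combine, as an added example that is not the plugin's own code. It assumes exact matching of hosts and addresses, HHMM values for the open and close times, three-letter day names, and that every configured restriction must pass; the page states none of these formats.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional, Tuple

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]  # assumed day names


@dataclass
class RootDNPolicy:
    """One field per option of `dsconf instance plugin root-dn set`."""
    allow_host: List[str] = field(default_factory=list)
    deny_host: List[str] = field(default_factory=list)
    allow_ip: List[str] = field(default_factory=list)
    deny_ip: List[str] = field(default_factory=list)
    open_time: Optional[str] = None      # assumed format: HHMM, 24-hour
    close_time: Optional[str] = None     # assumed format: HHMM, 24-hour
    days_allowed: Optional[str] = None   # comma-separated, e.g. "Mon, Tue"


def _minutes(hhmm: str) -> int:
    """Convert an HHMM string to minutes since midnight, rejecting bad input."""
    if len(hhmm) != 4 or not hhmm.isdigit():
        raise ValueError(f"time must be four digits (HHMM): {hhmm!r}")
    hours, minutes = int(hhmm[:2]), int(hhmm[2:])
    if hours > 23 or minutes > 59:
        raise ValueError(f"time out of range: {hhmm!r}")
    return hours * 60 + minutes


def _check(kind, value, allow, deny, norm) -> Optional[str]:
    """Return a denial reason, or None when the allow/deny pair lets value in."""
    current = norm(value) if value is not None else None
    if current is not None and current in {norm(d) for d in deny}:
        return f"{kind} {value} is in the deny list"   # deny wins over allow
    if allow and current not in {norm(a) for a in allow}:
        return f"{kind} {value} is not in the allow list"  # implicit deny
    return None


def evaluate(policy: RootDNPolicy, client_ip: str, client_host: Optional[str],
             when: datetime) -> Tuple[bool, str]:
    """Decide whether a root DN bind from this client at `when` passes."""
    if policy.days_allowed:
        days = {d.strip().lower() for d in policy.days_allowed.split(",")}
        if DAYS[when.weekday()] not in days:
            return False, "day of week is not in days-allowed"
    if (policy.open_time is None) != (policy.close_time is None):
        raise ValueError("open-time and close-time only make sense as a pair")
    if policy.open_time is not None:
        start, end = _minutes(policy.open_time), _minutes(policy.close_time)
        if start >= end:
            raise ValueError("this model needs open-time earlier than close-time")
        if not start <= when.hour * 60 + when.minute <= end:
            return False, "outside the open-time/close-time window"
    reason = _check("host", client_host, policy.allow_host, policy.deny_host,
                    lambda h: h.rstrip(".").lower())
    if reason is None:
        # ip_address() normalises text forms, so equivalent IPv6 spellings match.
        reason = _check("IP address", client_ip, policy.allow_ip, policy.deny_ip,
                        ipaddress.ip_address)
    return (reason is None), (reason or "allowed")


# Constructed sample policy and bind attempts (documentation address ranges).
SAMPLE = RootDNPolicy(
    allow_host=["admin.example.com"],
    allow_ip=["192.0.2.10", "2001:db8::1"],
    deny_ip=["192.0.2.10"],              # listed in both lists: denied
    open_time="0800", close_time="1800",
    days_allowed="Mon, Tue, Wed, Thu, Fri",
)

if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 9, 30)
    for ip in ("192.0.2.10", "2001:0db8:0:0:0:0:0:1", "198.51.100.7"):
        print(ip, evaluate(SAMPLE, ip, "admin.example.com", monday))
    saturday = datetime(2024, 1, 13, 9, 30)
    print("Saturday", evaluate(SAMPLE, "2001:db8::1", "admin.example.com", saturday))
```

Running the same check over a planned policy before applying it with `root-dn set` shows whether the administrative host would lock itself out.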
2689
2690
2692 usage: dsconf instance plugin usn [-h]
2693 {show,enable,disable,sta‐
2694 tus,global,cleanup}
2695 ...
2696
2697
2698 Sub-commands
2699 dsconf plugin usn show
2700 display plugin configuration
2701
2702 dsconf plugin usn enable
2703 enable plugin
2704
2705 dsconf plugin usn disable
2706 disable plugin
2707
2708 dsconf plugin usn status
2709 display plugin status
2710
2711 dsconf plugin usn global
2712 Get or manage global usn mode (nsslapd-entryusn-global)
2713
2714 dsconf plugin usn cleanup
2715 Run the USN tombstone cleanup task
2716
2718 usage: dsconf instance plugin usn show [-h]
2719
2720
2721
2722
2724 usage: dsconf instance plugin usn enable [-h]
2725
2726
2727
2728
2730 usage: dsconf instance plugin usn disable [-h]
2731
2732
2733
2734
2736 usage: dsconf instance plugin usn status [-h]
2737
2738
2739
2740
2742 usage: dsconf instance plugin usn global [-h] {on,off} ...
2743
2744
2745 Sub-commands
2746 dsconf plugin usn global on
2747 Enable usn global mode
2748
2749 dsconf plugin usn global off
2750 Disable usn global mode
2751
2753 usage: dsconf instance plugin usn global on [-h]
2754
2755
2756
2757
2759 usage: dsconf instance plugin usn global off [-h]
2760
2761
2762
2763
2764
2766 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2767 [-m MAX_USN]
2768
2769
2770
2771 -s SUFFIX, --suffix SUFFIX
2772 Gives the suffix or subtree in the Directory Server to run the
2773 cleanup operation against. If the suffix is not specified, then
2774 the back end must be given (suffix)
2775
2776
2777 -n BACKEND, --backend BACKEND
2778 Gives the Directory Server instance back end, or database, to
2779 run the cleanup operation against. If the back end is not speci‐
2780 fied, then the suffix must be specified. Backend instance in
2781 which USN tombstone entries (backend)
2782
2783
2784 -m MAX_USN, --max-usn MAX_USN
2785 Gives the highest USN value to delete when removing tombstone
2786 entries (max_usn_to_delete)

usage: dsconf instance plugin account-policy [-h]
{show,enable,disable,status,set,config-entry}
...

Sub-commands
dsconf plugin account-policy show
display plugin configuration

dsconf plugin account-policy enable
enable plugin

dsconf plugin account-policy disable
disable plugin

dsconf plugin account-policy status
display plugin status

dsconf plugin account-policy set
Edit the plugin

dsconf plugin account-policy config-entry
Manage the config entry

usage: dsconf instance plugin account-policy show [-h]

usage: dsconf instance plugin account-policy enable [-h]

usage: dsconf instance plugin account-policy disable [-h]

usage: dsconf instance plugin account-policy status [-h]

usage: dsconf instance plugin account-policy set [-h]
[--config-entry CONFIG_ENTRY]

--config-entry CONFIG_ENTRY
The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin account-policy config-entry [-h]
{add,set,show,delete}
...

Sub-commands
dsconf plugin account-policy config-entry add
Add the config entry

dsconf plugin account-policy config-entry set
Edit the config entry

dsconf plugin account-policy config-entry show
Display the config entry

dsconf plugin account-policy config-entry delete
Delete the config entry

usage: dsconf instance plugin account-policy config-entry add
[-h] [--always-record-login {yes,no}]
[--alt-state-attr ALT_STATE_ATTR]
[--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
[--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
[--state-attr STATE_ATTR]
DN

DN The config entry full DN

--always-record-login {yes,no}
Sets that every entry records its last login time
(alwaysRecordLogin)

--alt-state-attr ALT_STATE_ATTR
Provides a backup attribute for the server to reference to
evaluate the expiration time (altStateAttrName)

--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
Specifies the attribute to store the time of the last successful
login in the user's directory entry (alwaysRecordLoginAttr)

--limit-attr LIMIT_ATTR
Specifies the attribute within the policy to use for the account
inactivation limit (limitAttrName)

--spec-attr SPEC_ATTR
Specifies the attribute to identify which entries are account
policy configuration entries (specAttrName)

--state-attr STATE_ATTR
Specifies the primary time attribute used to evaluate an account
policy (stateAttrName)

usage: dsconf instance plugin account-policy config-entry set
[-h] [--always-record-login {yes,no}]
[--alt-state-attr ALT_STATE_ATTR]
[--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
[--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
[--state-attr STATE_ATTR]
DN

DN The config entry full DN

--always-record-login {yes,no}
Sets that every entry records its last login time
(alwaysRecordLogin)

--alt-state-attr ALT_STATE_ATTR
Provides a backup attribute for the server to reference to
evaluate the expiration time (altStateAttrName)

--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
Specifies the attribute to store the time of the last successful
login in the user's directory entry (alwaysRecordLoginAttr)

--limit-attr LIMIT_ATTR
Specifies the attribute within the policy to use for the account
inactivation limit (limitAttrName)

--spec-attr SPEC_ATTR
Specifies the attribute to identify which entries are account
policy configuration entries (specAttrName)

--state-attr STATE_ATTR
Specifies the primary time attribute used to evaluate an account
policy (stateAttrName)

usage: dsconf instance plugin account-policy config-entry show [-h] DN

DN The config entry full DN

usage: dsconf instance plugin account-policy config-entry delete [-h]
DN

DN The config entry full DN

usage: dsconf instance plugin attr-uniq [-h]
{list,add,set,show,delete,enable,disable,status}
...

Sub-commands
dsconf plugin attr-uniq list
List available plugin configs

dsconf plugin attr-uniq add
Add the config entry

dsconf plugin attr-uniq set
Edit the config entry

dsconf plugin attr-uniq show
Display the config entry

dsconf plugin attr-uniq delete
Delete the config entry

dsconf plugin attr-uniq enable
enable plugin

dsconf plugin attr-uniq disable
disable plugin

dsconf plugin attr-uniq status
display plugin status

usage: dsconf instance plugin attr-uniq list [-h]

usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
[--attr-name ATTR_NAME [ATTR_NAME ...]]
[--subtree SUBTREE [SUBTREE ...]]
[--across-all-subtrees {on,off}]
[--top-entry-oc TOP_ENTRY_OC]
[--subtree-entries-oc SUBTREE_ENTRIES_OC]
NAME

NAME Sets the name of the plug-in configuration record. (cn) You can
use any string, but "attribute_name Attribute Uniqueness" is
recommended.

--enabled {on,off}
Identifies whether or not the config is enabled.

--attr-name ATTR_NAME [ATTR_NAME ...]
Sets the name of the attribute whose values must be unique. This
attribute is multi-valued. (uniqueness-attribute-name)

--subtree SUBTREE [SUBTREE ...]
Sets the DN under which the plug-in checks for uniqueness of the
attribute's value. This attribute is multi-valued
(uniqueness-subtrees)

--across-all-subtrees {on,off}
If enabled (on), the plug-in checks that the attribute is unique
across all subtrees set. If you set the attribute to off,
uniqueness is only enforced within the subtree of the updated
entry (uniqueness-across-all-subtrees)

--top-entry-oc TOP_ENTRY_OC
Verifies that the value of the attribute set in
uniqueness-attribute-name is unique in this subtree
(uniqueness-top-entry-oc)

--subtree-entries-oc SUBTREE_ENTRIES_OC
Verifies if an attribute is unique, if the entry contains the
object class set in this parameter
(uniqueness-subtree-entries-oc)

usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
[--attr-name ATTR_NAME [ATTR_NAME ...]]
[--subtree SUBTREE [SUBTREE ...]]
[--across-all-subtrees {on,off}]
[--top-entry-oc TOP_ENTRY_OC]
[--subtree-entries-oc SUBTREE_ENTRIES_OC]
NAME

NAME Sets the name of the plug-in configuration record. (cn) You can
use any string, but "attribute_name Attribute Uniqueness" is
recommended.

--enabled {on,off}
Identifies whether or not the config is enabled.

--attr-name ATTR_NAME [ATTR_NAME ...]
Sets the name of the attribute whose values must be unique. This
attribute is multi-valued. (uniqueness-attribute-name)

--subtree SUBTREE [SUBTREE ...]
Sets the DN under which the plug-in checks for uniqueness of the
attribute's value. This attribute is multi-valued
(uniqueness-subtrees)

--across-all-subtrees {on,off}
If enabled (on), the plug-in checks that the attribute is unique
across all subtrees set. If you set the attribute to off,
uniqueness is only enforced within the subtree of the updated
entry (uniqueness-across-all-subtrees)

--top-entry-oc TOP_ENTRY_OC
Verifies that the value of the attribute set in
uniqueness-attribute-name is unique in this subtree
(uniqueness-top-entry-oc)

--subtree-entries-oc SUBTREE_ENTRIES_OC
Verifies if an attribute is unique, if the entry contains the
object class set in this parameter
(uniqueness-subtree-entries-oc)

usage: dsconf instance plugin attr-uniq show [-h] NAME

NAME The name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq delete [-h] NAME

NAME Sets the name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq enable [-h] NAME

NAME Sets the name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq disable [-h] NAME

NAME Sets the name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq status [-h] NAME

NAME Sets the name of the plug-in configuration record

usage: dsconf instance plugin dna [-h]
{show,enable,disable,status,list,config} ...

Sub-commands
dsconf plugin dna show
display plugin configuration

dsconf plugin dna enable
enable plugin

dsconf plugin dna disable
disable plugin

dsconf plugin dna status
display plugin status

dsconf plugin dna list
List available plugin configs

dsconf plugin dna config
Manage plugin configs

usage: dsconf instance plugin dna show [-h]

usage: dsconf instance plugin dna enable [-h]

usage: dsconf instance plugin dna disable [-h]

usage: dsconf instance plugin dna status [-h]

usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
...

Sub-commands
dsconf plugin dna list configs
List main DNA plugin config entries

dsconf plugin dna list shared-configs
List DNA plugin shared config entries

usage: dsconf instance plugin dna list configs [-h]

usage: dsconf instance plugin dna list shared-configs [-h] BASEDN

BASEDN The search DN

usage: dsconf instance plugin dna config [-h]
NAME
{add,set,show,delete,shared-config-entry}
...

NAME The DNA configuration name

Sub-commands
dsconf plugin dna config add
Add the config entry

dsconf plugin dna config set
Edit the config entry

dsconf plugin dna config show
Display the config entry

dsconf plugin dna config delete
Delete the config entry

dsconf plugin dna config shared-config-entry
Manage the shared config entry

usage: dsconf instance plugin dna config NAME add [-h]
[--type TYPE [TYPE ...]]
[--prefix PREFIX]
[--next-value NEXT_VALUE]
[--max-value MAX_VALUE]
[--interval INTERVAL]
[--magic-regen MAGIC_REGEN]
[--filter FILTER]
[--scope SCOPE]
[--remote-bind-dn REMOTE_BIND_DN]
[--remote-bind-cred REMOTE_BIND_CRED]
[--shared-config-entry SHARED_CONFIG_ENTRY]
[--threshold THRESHOLD]
[--next-range NEXT_RANGE]
[--range-request-timeout RANGE_REQUEST_TIMEOUT]

--type TYPE [TYPE ...]
Sets which attributes have unique numbers being generated for
them (dnaType)

--prefix PREFIX
Defines a prefix that can be prepended to the generated number
values for the attribute (dnaPrefix)

--next-value NEXT_VALUE
Gives the next available number which can be assigned
(dnaNextValue)

--max-value MAX_VALUE
Sets the maximum value that can be assigned for the range
(dnaMaxValue)

--interval INTERVAL
Sets an interval to use to increment through numbers in a range
(dnaInterval)

--magic-regen MAGIC_REGEN
Sets a user-defined value that instructs the plug-in to assign a
new value for the entry (dnaMagicRegen)

--filter FILTER
Sets an LDAP filter to use to search for and identify the
entries to which to apply the distributed numeric assignment
range (dnaFilter)

--scope SCOPE
Sets the base DN to search for entries to which to apply the
distributed numeric assignment (dnaScope)

--remote-bind-dn REMOTE_BIND_DN
Specifies the Replication Manager DN (dnaRemoteBindDN)

--remote-bind-cred REMOTE_BIND_CRED
Specifies the Replication Manager's password (dnaRemoteBindCred)

--shared-config-entry SHARED_CONFIG_ENTRY
Defines a shared identity that the servers can use to transfer
ranges to one another (dnaSharedCfgDN)

--threshold THRESHOLD
Sets a threshold of remaining available numbers in the range.
When the server hits the threshold, it sends a request for a new
range (dnaThreshold)

--next-range NEXT_RANGE
Defines the next range to use when the current range is
exhausted (dnaNextRange)

--range-request-timeout RANGE_REQUEST_TIMEOUT
Sets a timeout period, in seconds, for range requests so that
the server does not stall waiting on a new range from one server
and can request a range from a new server
(dnaRangeRequestTimeout)

usage: dsconf instance plugin dna config NAME set [-h]
[--type TYPE [TYPE ...]]
[--prefix PREFIX]
[--next-value NEXT_VALUE]
[--max-value MAX_VALUE]
[--interval INTERVAL]
[--magic-regen MAGIC_REGEN]
[--filter FILTER]
[--scope SCOPE]
[--remote-bind-dn REMOTE_BIND_DN]
[--remote-bind-cred REMOTE_BIND_CRED]
[--shared-config-entry SHARED_CONFIG_ENTRY]
[--threshold THRESHOLD]
[--next-range NEXT_RANGE]
[--range-request-timeout RANGE_REQUEST_TIMEOUT]

--type TYPE [TYPE ...]
Sets which attributes have unique numbers being generated for
them (dnaType)

--prefix PREFIX
Defines a prefix that can be prepended to the generated number
values for the attribute (dnaPrefix)

--next-value NEXT_VALUE
Gives the next available number which can be assigned
(dnaNextValue)

--max-value MAX_VALUE
Sets the maximum value that can be assigned for the range
(dnaMaxValue)

--interval INTERVAL
Sets an interval to use to increment through numbers in a range
(dnaInterval)

--magic-regen MAGIC_REGEN
Sets a user-defined value that instructs the plug-in to assign a
new value for the entry (dnaMagicRegen)

--filter FILTER
Sets an LDAP filter to use to search for and identify the
entries to which to apply the distributed numeric assignment
range (dnaFilter)

--scope SCOPE
Sets the base DN to search for entries to which to apply the
distributed numeric assignment (dnaScope)

--remote-bind-dn REMOTE_BIND_DN
Specifies the Replication Manager DN (dnaRemoteBindDN)

--remote-bind-cred REMOTE_BIND_CRED
Specifies the Replication Manager's password (dnaRemoteBindCred)

--shared-config-entry SHARED_CONFIG_ENTRY
Defines a shared identity that the servers can use to transfer
ranges to one another (dnaSharedCfgDN)

--threshold THRESHOLD
Sets a threshold of remaining available numbers in the range.
When the server hits the threshold, it sends a request for a new
range (dnaThreshold)

--next-range NEXT_RANGE
Defines the next range to use when the current range is
exhausted (dnaNextRange)

--range-request-timeout RANGE_REQUEST_TIMEOUT
Sets a timeout period, in seconds, for range requests so that
the server does not stall waiting on a new range from one server
and can request a range from a new server
(dnaRangeRequestTimeout)

usage: dsconf instance plugin dna config NAME show [-h]

usage: dsconf instance plugin dna config NAME delete [-h]

usage: dsconf instance plugin dna config NAME shared-config-entry
[-h] SHARED_CFG {set,show,delete} ...

SHARED_CFG
Use HOSTNAME:PORT for this argument to identify the host name
and port of a server in a shared range, as part of the DNA range
configuration for that specific host in multi-supplier
replication. (dnaHostname+dnaPortNum)

Sub-commands
dsconf plugin dna config shared-config-entry set
Edit the shared config entry

dsconf plugin dna config shared-config-entry show
Display the shared config entry

dsconf plugin dna config shared-config-entry delete
Delete the shared config entry

usage: dsconf instance plugin dna config NAME shared-config-entry
SHARED_CFG set
[-h] [--remote-bind-method REMOTE_BIND_METHOD]
[--remote-conn-protocol REMOTE_CONN_PROTOCOL]

--remote-bind-method REMOTE_BIND_METHOD
Specifies the remote bind method "SIMPLE", "SSL" (for SSL client
auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)

--remote-conn-protocol REMOTE_CONN_PROTOCOL
Specifies the remote connection protocol "LDAP", or "TLS"
(dnaRemoteConnProtocol)

usage: dsconf instance plugin dna config NAME shared-config-entry
SHARED_CFG show
[-h]

usage: dsconf instance plugin dna config NAME shared-config-entry
SHARED_CFG delete
[-h]

usage: dsconf instance plugin linked-attr [-h]
{show,enable,disable,status,fixup,list,config}
...

Sub-commands
dsconf plugin linked-attr show
display plugin configuration

dsconf plugin linked-attr enable
enable plugin

dsconf plugin linked-attr disable
disable plugin

dsconf plugin linked-attr status
display plugin status

dsconf plugin linked-attr fixup
Run the fix-up task for linked attributes plugin

dsconf plugin linked-attr list
List available plugin configs

dsconf plugin linked-attr config
Manage plugin configs

usage: dsconf instance plugin linked-attr show [-h]

usage: dsconf instance plugin linked-attr enable [-h]

usage: dsconf instance plugin linked-attr disable [-h]

usage: dsconf instance plugin linked-attr status [-h]

usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]

-l LINKDN, --linkdn LINKDN
Base DN that contains entries to fix up

usage: dsconf instance plugin linked-attr list [-h]

usage: dsconf instance plugin linked-attr config [-h]
NAME
{add,set,show,delete}
...

NAME The Linked Attributes configuration name

Sub-commands
dsconf plugin linked-attr config add
Add the config entry

dsconf plugin linked-attr config set
Edit the config entry

dsconf plugin linked-attr config show
Display the config entry

dsconf plugin linked-attr config delete
Delete the config entry

usage: dsconf instance plugin linked-attr config NAME add [-h]
[--link-type LINK_TYPE]
[--managed-type MANAGED_TYPE]
[--link-scope LINK_SCOPE]

--link-type LINK_TYPE
Sets the attribute that is managed manually by administrators
(linkType)

--managed-type MANAGED_TYPE
Sets the attribute that is created dynamically by the plugin
(managedType)

--link-scope LINK_SCOPE
Sets the scope that restricts the plugin to a specific part of
the directory tree (linkScope)

usage: dsconf instance plugin linked-attr config NAME set [-h]
[--link-type LINK_TYPE]
[--managed-type MANAGED_TYPE]
[--link-scope LINK_SCOPE]

--link-type LINK_TYPE
Sets the attribute that is managed manually by administrators
(linkType)

--managed-type MANAGED_TYPE
Sets the attribute that is created dynamically by the plugin
(managedType)

--link-scope LINK_SCOPE
Sets the scope that restricts the plugin to a specific part of
the directory tree (linkScope)

usage: dsconf instance plugin linked-attr config NAME show [-h]

usage: dsconf instance plugin linked-attr config NAME delete [-h]

usage: dsconf instance plugin managed-entries [-h]
{show,enable,disable,status,set,list,config,template}
...

Sub-commands
dsconf plugin managed-entries show
display plugin configuration

dsconf plugin managed-entries enable
enable plugin

dsconf plugin managed-entries disable
disable plugin

dsconf plugin managed-entries status
display plugin status

dsconf plugin managed-entries set
Edit the plugin

dsconf plugin managed-entries list
List Managed Entries Plugin configs and templates

dsconf plugin managed-entries config
Handle Managed Entries Plugin configs

dsconf plugin managed-entries template
Handle Managed Entries Plugin templates

usage: dsconf instance plugin managed-entries show [-h]

usage: dsconf instance plugin managed-entries enable [-h]

usage: dsconf instance plugin managed-entries disable [-h]

usage: dsconf instance plugin managed-entries status [-h]

usage: dsconf instance plugin managed-entries set [-h]
[--config-area CONFIG_AREA]

--config-area CONFIG_AREA
The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin managed-entries list [-h]
{configs,templates}
...

Sub-commands
dsconf plugin managed-entries list configs
List Managed Entries Plugin configs (list config-area if
specified in the main plugin entry)

dsconf plugin managed-entries list templates
List Managed Entries Plugin templates in the directory

usage: dsconf instance plugin managed-entries list configs [-h]

usage: dsconf instance plugin managed-entries list templates [-h]
BASEDN

BASEDN The base DN where to search the templates.

usage: dsconf instance plugin managed-entries config [-h]
NAME
{add,set,show,delete}
...

NAME The config entry CN.

Sub-commands
dsconf plugin managed-entries config add
Add the config entry

dsconf plugin managed-entries config set
Edit the config entry

dsconf plugin managed-entries config show
Display the config entry

dsconf plugin managed-entries config delete
Delete the config entry

usage: dsconf instance plugin managed-entries config NAME add
[-h] [--scope SCOPE] [--filter FILTER]
[--managed-base MANAGED_BASE]
[--managed-template MANAGED_TEMPLATE]

--scope SCOPE
Sets the scope of the search to use to see which entries the
plug-in monitors (originScope)

--filter FILTER
Sets the search filter to use to search for and identify the
entries within the subtree which require a managed entry
(originFilter)

--managed-base MANAGED_BASE
Sets the subtree under which to create the managed entries
(managedBase)

--managed-template MANAGED_TEMPLATE
Identifies the template entry to use to create the managed entry
(managedTemplate)

usage: dsconf instance plugin managed-entries config NAME set
[-h] [--scope SCOPE] [--filter FILTER]
[--managed-base MANAGED_BASE]
[--managed-template MANAGED_TEMPLATE]

--scope SCOPE
Sets the scope of the search to use to see which entries the
plug-in monitors (originScope)

--filter FILTER
Sets the search filter to use to search for and identify the
entries within the subtree which require a managed entry
(originFilter)

--managed-base MANAGED_BASE
Sets the subtree under which to create the managed entries
(managedBase)

--managed-template MANAGED_TEMPLATE
Identifies the template entry to use to create the managed entry
(managedTemplate)

usage: dsconf instance plugin managed-entries config NAME show [-h]

usage: dsconf instance plugin managed-entries config NAME delete [-h]

usage: dsconf instance plugin managed-entries template [-h]
DN
{add,set,show,delete}
...

DN The template entry DN.

Sub-commands
dsconf plugin managed-entries template add
Add the template entry

dsconf plugin managed-entries template set
Edit the template entry

dsconf plugin managed-entries template show
Display the template entry

dsconf plugin managed-entries template delete
Delete the template entry

usage: dsconf instance plugin managed-entries template DN add
[-h] [--rdn-attr RDN_ATTR] [--static-attr STATIC_ATTR]
[--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

--rdn-attr RDN_ATTR
Sets which attribute to use as the naming attribute in the
automatically-generated entry (mepRDNAttr)

--static-attr STATIC_ATTR
Sets an attribute with a defined value that must be added to the
automatically-generated entry (mepStaticAttr)

--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
Sets attributes in the Managed Entries template entry which must
exist in the generated entry (mepMappedAttr)

usage: dsconf instance plugin managed-entries template DN set
[-h] [--rdn-attr RDN_ATTR] [--static-attr STATIC_ATTR]
[--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

--rdn-attr RDN_ATTR
Sets which attribute to use as the naming attribute in the
automatically-generated entry (mepRDNAttr)

--static-attr STATIC_ATTR
Sets an attribute with a defined value that must be added to the
automatically-generated entry (mepStaticAttr)

--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
Sets attributes in the Managed Entries template entry which must
exist in the generated entry (mepMappedAttr)

usage: dsconf instance plugin managed-entries template DN show [-h]

usage: dsconf instance plugin managed-entries template DN delete [-h]

usage: dsconf instance plugin pass-through-auth [-h]
{show,enable,disable,status,list,url,pam-config}
...

Sub-commands
dsconf plugin pass-through-auth show
display plugin configuration

dsconf plugin pass-through-auth enable
enable plugin

dsconf plugin pass-through-auth disable
disable plugin

dsconf plugin pass-through-auth status
display plugin status

dsconf plugin pass-through-auth list
List pass-through plugin URLs or PAM configurations.

dsconf plugin pass-through-auth url
Manage PTA URL configurations.

dsconf plugin pass-through-auth pam-config
Manage PAM PTA configurations.

usage: dsconf instance plugin pass-through-auth show [-h]

usage: dsconf instance plugin pass-through-auth enable [-h]

usage: dsconf instance plugin pass-through-auth disable [-h]

usage: dsconf instance plugin pass-through-auth status [-h]

usage: dsconf instance plugin pass-through-auth list [-h]
{urls,pam-configs}
...

Sub-commands
dsconf plugin pass-through-auth list urls
List URLs.

dsconf plugin pass-through-auth list pam-configs
List PAM configurations.

usage: dsconf instance plugin pass-through-auth list urls [-h]

usage: dsconf instance plugin pass-through-auth list pam-configs [-h]

usage: dsconf instance plugin pass-through-auth url [-h]
{add,modify,delete}
...

Sub-commands
dsconf plugin pass-through-auth url add
Add the config entry

dsconf plugin pass-through-auth url modify
Edit the config entry

dsconf plugin pass-through-auth url delete
Delete the config entry

usage: dsconf instance plugin pass-through-auth url add [-h] URL

URL The full LDAP URL in format "ldap|ldaps://authDS/subtree
maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one
optional parameter is specified the rest should be specified too.

usage: dsconf instance plugin pass-through-auth url modify [-h]
OLD_URL
NEW_URL

OLD_URL
The full LDAP URL you get from the "list" command

NEW_URL
The full LDAP URL in format "ldap|ldaps://authDS/subtree
maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one
optional parameter is specified the rest should be specified too.
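The URL format used by `url add` and `url modify`, checked before it is handed to dsconf, as an added example (not code from dsconf or the Directory Server). The pass-through plug-in forwards bind requests to authDS, so the check also reports a URL that would carry credentials without TLS. Assumptions: the function name and the constructed sample values are hypothetical, the optional parameters are integers, and a startTLS value of 1 means StartTLS is on.

```python
import re
from urllib.parse import urlsplit, unquote

# Order of the optional parameters as given in the URL format on this page.
PARAM_NAMES = ("maxconns", "maxops", "timeout", "ldver", "connlifetime", "startTLS")

# A trailing run of comma-separated integers is taken as the optional block,
# so a subtree DN that itself contains spaces is left intact.
_TAIL = re.compile(r"^(?P<url>.*\S)\s+(?P<params>\d+(?:,\d+)*)$")

# Constructed sample values, one per case the check distinguishes.
SAMPLES = [
    "ldaps://authds.example.com:636/o=Example Corp",
    "ldap://authds.example.com/ou=people,dc=example,dc=com 3,5,300,3,300,1",
    "ldap://authds.example.com/ou=people,dc=example,dc=com 3,5,300,3,300,0",
    "ldap://authds.example.com/ou=people,dc=example,dc=com 3,5",
]


def check_pta_url(value):
    """Split a PTA URL value into its parts and list configuration findings."""
    value = value.strip()
    m = _TAIL.match(value)
    url, raw = (m.group("url"), m.group("params")) if m else (value, None)

    parts = urlsplit(url)
    subtree = unquote(parts.path.lstrip("/"))
    findings = []
    if parts.scheme not in ("ldap", "ldaps"):
        findings.append("scheme must be ldap or ldaps")
    if not parts.hostname:
        findings.append("authDS host is missing")
    if not subtree:
        findings.append("subtree is missing")

    params = {}
    if raw is not None:
        fields = raw.split(",")
        if len(fields) == len(PARAM_NAMES):
            params = dict(zip(PARAM_NAMES, (int(f) for f in fields)))
        else:
            # The page asks for all optional parameters or none of them.
            findings.append(
                f"{len(fields)} of {len(PARAM_NAMES)} optional parameters given; "
                "give all or none"
            )

    # Assumption: startTLS=1 turns StartTLS on; any other value leaves it off.
    encrypted = parts.scheme == "ldaps" or params.get("startTLS") == 1
    if parts.scheme == "ldap" and not encrypted:
        findings.append("bind credentials are forwarded to authDS without TLS")

    return {
        "scheme": parts.scheme,
        "host": parts.hostname,
        "subtree": subtree,
        "params": params,
        "encrypted": encrypted,
        "findings": findings,
    }


if __name__ == "__main__":
    for sample in SAMPLES:
        result = check_pta_url(sample)
        print(sample, "->", result["findings"] or "ok")
```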
4088
4089
4090
4092 usage: dsconf instance plugin pass-through-auth url delete [-h] URL
4093
4094
4095 URL The full LDAP URL you get from the "list" command
4096
4097
4098
4099
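Added example (not part of the dsconf man page or the 389 Directory Server code base): a Python parser for the PTA URL format quoted above that enforces the all-or-nothing rule for the optional parameters and reports transport problems before the value is passed to "url add" or "url modify". The names parse_pta_url and PtaUrl, the finding codes, the sample URLs, the 0/1 encoding of startTLS and the treatment of an omitted startTLS as off are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# The six optional parameters, in the order the man page lists them.
OPTIONAL_FIELDS = ("maxconns", "maxops", "timeout", "ldver",
                   "connlifetime", "startTLS")

_URL_RE = re.compile(
    r"^(?P<scheme>[A-Za-z]+)://(?P<authds>[^/]+)/(?P<rest>.+)$")


@dataclass
class PtaUrl:
    scheme: str
    auth_ds: str
    subtree: str
    params: dict = field(default_factory=dict)
    findings: list = field(default_factory=list)


def parse_pta_url(value):
    """Parse 'ldap|ldaps://authDS/subtree [six optional parameters]'."""
    match = _URL_RE.match(value.strip())
    if not match:
        raise ValueError("expected ldap|ldaps://authDS/subtree")
    scheme = match.group("scheme").lower()
    if scheme not in ("ldap", "ldaps"):
        raise ValueError("scheme must be ldap or ldaps, got %r" % scheme)

    # The optional block is the last space-separated token, and only when it
    # is made of digits and commas; a DN containing spaces is left intact.
    rest = match.group("rest")
    head, sep, tail = rest.rpartition(" ")
    params = {}
    if sep and re.fullmatch(r"[0-9,]+", tail):
        values = tail.split(",")
        if len(values) != len(OPTIONAL_FIELDS) or "" in values:
            raise ValueError(
                "optional parameters are all-or-nothing: expected %s"
                % ",".join(OPTIONAL_FIELDS))
        params = dict(zip(OPTIONAL_FIELDS, (int(v) for v in values)))
        subtree = head.strip()
    else:
        subtree = rest.strip()
    if not subtree:
        raise ValueError("missing subtree DN")

    url = PtaUrl(scheme, match.group("authds"), subtree, params)
    # Assumption: startTLS is 1 when requested, and off when omitted.
    start_tls = params.get("startTLS", 0) == 1
    if scheme == "ldap" and not start_tls:
        # Pass-through authentication forwards the client's bind, so the
        # password crosses the network to authDS unencrypted.
        url.findings.append("cleartext-bind")
    if scheme == "ldaps" and start_tls:
        # The connection is already TLS; StartTLS on top of it is a conflict.
        url.findings.append("starttls-on-ldaps")
    if start_tls and params.get("ldver") == 2:
        # StartTLS is an LDAPv3 extended operation.
        url.findings.append("starttls-needs-ldapv3")
    return url


# Constructed sample values, not taken from any real deployment.
SAMPLE_PLAIN = "ldap://auth.example.com:389/ou=People,dc=example,dc=com 3,5,300,3,300,0"
SAMPLE_STARTTLS = "ldap://auth.example.com/dc=example,dc=com 3,5,300,3,300,1"
SAMPLE_LDAPS = "ldaps://auth.example.com:636/o=Example Corp"

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_STARTTLS, SAMPLE_LDAPS):
        parsed = parse_pta_url(sample)
        print(parsed.auth_ds, parsed.subtree, parsed.findings or "ok")
```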
4101 usage: dsconf instance plugin pass-through-auth pam-config [-h]
4102 NAME
4103 {add,set,show,delete}
4104 ...
4105
4106
4107 NAME The PAM PTA configuration name
4108
4109
4110 Sub-commands
4111 dsconf plugin pass-through-auth pam-config add
4112 Add the config entry
4113
4114 dsconf plugin pass-through-auth pam-config set
4115 Edit the config entry
4116
4117 dsconf plugin pass-through-auth pam-config show
4118 Display the config entry
4119
4120 dsconf plugin pass-through-auth pam-config delete
4121 Delete the config entry
4122
4124 usage: dsconf instance plugin pass-through-auth pam-config NAME add
4125 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4126 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4127 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}]
4128 [--filter FILTER]
4129 [--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method
4130 ID_MAP_METHOD]
4131 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4132 SERVICE]
4133
4134
4135
4136 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4137 Specifies a suffix to exclude from PAM authentication
4138 (pamExcludeSuffix)
4139
4140
4141 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4142 Sets a suffix to include for PAM authentication
4143 (pamIncludeSuffix)
4144
4145
4146 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4147 Identifies how to handle missing include or exclude suffixes
4148 (pamMissingSuffix)
4149
4150
4151 --filter FILTER
4152 Sets an LDAP filter to use to identify specific entries within
4153 the included suffixes for which to use PAM pass-through
4154 authentication (pamFilter)
4155
4156
4157 --id-attr ID_ATTR [ID_ATTR ...]
4158 Contains the attribute name which is used to hold the PAM user
4159 ID (pamIDAttr)
4160
4161
4162 --id_map_method ID_MAP_METHOD
4163 Gives the method to use to map the LDAP bind DN to a PAM
4164 identity (pamIDMapMethod)
4165
4166
4167 --fallback {TRUE,FALSE}
4168 Sets whether to fall back to regular LDAP authentication if PAM
4169 authentication fails (pamFallback)
4170
4171
4172 --secure {TRUE,FALSE}
4173 Requires a secure TLS connection for PAM authentication
4174 (pamSecure)
4175
4176
4177 --service SERVICE
4178 Contains the service name to pass to PAM (pamService)
4179
4180
4182 usage: dsconf instance plugin pass-through-auth pam-config NAME set
4183 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4184 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4185 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}]
4186 [--filter FILTER]
4187 [--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method
4188 ID_MAP_METHOD]
4189 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4190 SERVICE]
4191
4192
4193
4194 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4195 Specifies a suffix to exclude from PAM authentication
4196 (pamExcludeSuffix)
4197
4198
4199 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4200 Sets a suffix to include for PAM authentication
4201 (pamIncludeSuffix)
4202
4203
4204 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4205 Identifies how to handle missing include or exclude suffixes
4206 (pamMissingSuffix)
4207
4208
4209 --filter FILTER
4210 Sets an LDAP filter to use to identify specific entries within
4211 the included suffixes for which to use PAM pass-through
4212 authentication (pamFilter)
4213
4214
4215 --id-attr ID_ATTR [ID_ATTR ...]
4216 Contains the attribute name which is used to hold the PAM user
4217 ID (pamIDAttr)
4218
4219
4220 --id_map_method ID_MAP_METHOD
4221 Gives the method to use to map the LDAP bind DN to a PAM
4222 identity (pamIDMapMethod)
4223
4224
4225 --fallback {TRUE,FALSE}
4226 Sets whether to fall back to regular LDAP authentication if PAM
4227 authentication fails (pamFallback)
4228
4229
4230 --secure {TRUE,FALSE}
4231 Requires a secure TLS connection for PAM authentication
4232 (pamSecure)
4233
4234
4235 --service SERVICE
4236 Contains the service name to pass to PAM (pamService)
4237
4238
4240 usage: dsconf instance plugin pass-through-auth pam-config NAME show
4241 [-h]
4242
4243
4244
4245
4247 usage: dsconf instance plugin pass-through-auth pam-config NAME delete
4248 [-h]
4249
4250
4251
4252
4253
4254
4256 usage: dsconf instance plugin retro-changelog [-h]
4257 {show,enable,disable,
4258 status,set,add}
4259 ...
4260
4261
4262 Sub-commands
4263 dsconf plugin retro-changelog show
4264 display plugin configuration
4265
4266 dsconf plugin retro-changelog enable
4267 enable plugin
4268
4269 dsconf plugin retro-changelog disable
4270 disable plugin
4271
4272 dsconf plugin retro-changelog status
4273 display plugin status
4274
4275 dsconf plugin retro-changelog set
4276 Edit the plugin
4277
4278 dsconf plugin retro-changelog add
4279 Add attributes to the plugin
4280
4282 usage: dsconf instance plugin retro-changelog show [-h]
4283
4284
4285
4286
4288 usage: dsconf instance plugin retro-changelog enable [-h]
4289
4290
4291
4292
4294 usage: dsconf instance plugin retro-changelog disable [-h]
4295
4296
4297
4298
4300 usage: dsconf instance plugin retro-changelog status [-h]
4301
4302
4303
4304
4306 usage: dsconf instance plugin retro-changelog set [-h]
4307 [--is-replicated
4308 {TRUE,FALSE}]
4309 [--attribute
4310 ATTRIBUTE]
4311 [--directory
4312 DIRECTORY]
4313 [--max-age MAX_AGE]
4314 [--exclude-suffix
4315 EXCLUDE_SUFFIX]
4316
4317
4318
4319 --is-replicated {TRUE,FALSE}
4320 Sets a flag to indicate on a change in the changelog whether the
4321 change is newly made on that server or whether it was replicated
4322 over from another server (isReplicated)
4323
4324
4325 --attribute ATTRIBUTE
4326 Specifies another Directory Server attribute which must be
4327 included in the retro changelog entries (nsslapd-attribute)
4328
4329
4330 --directory DIRECTORY
4331 Specifies the name of the directory in which the changelog
4332 database is created the first time the plug-in is run
4333
4334
4335 --max-age MAX_AGE
4336 This attribute specifies the maximum age of any entry in the
4337 changelog (nsslapd-changelogmaxage)
4338
4339
4340 --exclude-suffix EXCLUDE_SUFFIX
4341 This attribute specifies the suffix which will be excluded from
4342 the scope of the plugin (nsslapd-exclude-suffix)
4343
4344
4346 usage: dsconf instance plugin retro-changelog add [-h]
4347 [--is-replicated
4348 {TRUE,FALSE}]
4349 [--attribute
4350 ATTRIBUTE]
4351 [--directory
4352 DIRECTORY]
4353 [--max-age MAX_AGE]
4354 [--exclude-suffix
4355 EXCLUDE_SUFFIX]
4356
4357
4358
4359 --is-replicated {TRUE,FALSE}
4360 Sets a flag to indicate on a change in the changelog whether the
4361 change is newly made on that server or whether it was replicated
4362 over from another server (isReplicated)
4363
4364
4365 --attribute ATTRIBUTE
4366 Specifies another Directory Server attribute which must be
4367 included in the retro changelog entries (nsslapd-attribute)
4368
4369
4370 --directory DIRECTORY
4371 Specifies the name of the directory in which the changelog
4372 database is created the first time the plug-in is run
4373
4374
4375 --max-age MAX_AGE
4376 This attribute specifies the maximum age of any entry in the
4377 changelog (nsslapd-changelogmaxage)
4378
4379
4380 --exclude-suffix EXCLUDE_SUFFIX
4381 This attribute specifies the suffix which will be excluded from
4382 the scope of the plugin (nsslapd-exclude-suffix)
4383
4384
4385
4387 usage: dsconf instance plugin posix-winsync [-h]
4388 {show,enable,disable,
4389 status,set,fixup}
4390 ...
4391
4392
4393 Sub-commands
4394 dsconf plugin posix-winsync show
4395 display plugin configuration
4396
4397 dsconf plugin posix-winsync enable
4398 enable plugin
4399
4400 dsconf plugin posix-winsync disable
4401 disable plugin
4402
4403 dsconf plugin posix-winsync status
4404 display plugin status
4405
4406 dsconf plugin posix-winsync set
4407 Edit the plugin
4408
4409 dsconf plugin posix-winsync fixup
4410 Run the memberOf fix-up task to correct mismatched member and
4411 uniquemember values for synced users
4412
4414 usage: dsconf instance plugin posix-winsync show [-h]
4415
4416
4417
4418
4420 usage: dsconf instance plugin posix-winsync enable [-h]
4421
4422
4423
4424
4426 usage: dsconf instance plugin posix-winsync disable [-h]
4427
4428
4429
4430
4432 usage: dsconf instance plugin posix-winsync status [-h]
4433
4434
4435
4436
4438 usage: dsconf instance plugin posix-winsync set [-h]
4439 [--create-memberof-task
4440 {true,false}]
4441 [--lower-case-uid
4442 {true,false}]
4443 [--map-member-uid
4444 {true,false}]
4445 [--map-nested-grouping
4446 {true,false}]
4447 [--ms-sfu-schema
4448 {true,false}]
4449
4450
4451
4452 --create-memberof-task {true,false}
4453 Sets whether to run the memberUID fix-up task immediately after
4454 a sync run in order to update group memberships for synced users
4455 (posixWinsyncCreateMemberOfTask)
4456
4457
4458 --lower-case-uid {true,false}
4459 Sets whether to store (and, if necessary, convert) the UID value
4460 in the memberUID attribute in lower case
4461 (posixWinsyncLowerCaseUID)
4462
4463
4464 --map-member-uid {true,false}
4465 Sets whether to map the memberUID attribute in an Active
4466 Directory group to the uniqueMember attribute in a Directory Server
4467 group (posixWinsyncMapMemberUID)
4468
4469
4470 --map-nested-grouping {true,false}
4471 Manages if nested groups are updated when memberUID attributes
4472 in an Active Directory POSIX group change
4473 (posixWinsyncMapNestedGrouping)
4474
4475
4476 --ms-sfu-schema {true,false}
4477 Sets whether to use the older Microsoft System Services for Unix 3.0
4478 (msSFU30) schema when syncing Posix attributes from Active
4479 Directory (posixWinsyncMsSFUSchema)
4480
4481
4483 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN
4484
4485
4486 DN Base DN that contains entries to fix up
4487
4488
4489 -f FILTER, --filter FILTER
4490 Filter for entries to fix up. If omitted, all entries with
4491 objectclass inetuser/inetadmin/nsmemberof under the specified
4492 base will have their memberOf attribute regenerated.
4493
4494
4495
4497 usage: dsconf instance plugin contentsync [-h]
4498 {show,enable,disable,
4499 status,set,add}
4500 ...
4501
4502
4503 Sub-commands
4504 dsconf plugin contentsync show
4505 display plugin configuration
4506
4507 dsconf plugin contentsync enable
4508 enable plugin
4509
4510 dsconf plugin contentsync disable
4511 disable plugin
4512
4513 dsconf plugin contentsync status
4514 display plugin status
4515
4516 dsconf plugin contentsync set
4517 Edit the plugin
4518
4519 dsconf plugin contentsync add
4520 Add attributes to the plugin
4521
4523 usage: dsconf instance plugin contentsync show [-h]
4524
4525
4526
4527
4529 usage: dsconf instance plugin contentsync enable [-h]
4530
4531
4532
4533
4535 usage: dsconf instance plugin contentsync disable [-h]
4536
4537
4538
4539
4541 usage: dsconf instance plugin contentsync status [-h]
4542
4543
4544
4545
4547 usage: dsconf instance plugin contentsync set [-h] [--allow-openldap
4548 {on,off}]
4549
4550
4551
4552 --allow-openldap {on,off}
4553 Allows openldap servers to act as read only consumers of this
4554 server via syncrepl
4555
4556
4558 usage: dsconf instance plugin contentsync add [-h] [--allow-openldap
4559 {on,off}]
4560
4561
4562
4563 --allow-openldap {on,off}
4564 Allows openldap servers to act as read only consumers of this
4565 server via syncrepl
4566
4567
4568
4570 usage: dsconf instance plugin list [-h]
4571
4572
4573
4574
4576 usage: dsconf instance plugin show [-h] [selector]
4577
4578
4579 selector
4580 The plugin to search for
4581
4582
4583
4585 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4586 {on,off}]
4587 [--path PATH] [--initfunc INITFUNC]
4588 [--id ID] [--vendor VENDOR]
4589 [--version VERSION]
4590 [--description DESCRIPTION]
4591 [--depends-on-type DEPENDS_ON_TYPE]
4592 [--depends-on-named DEPENDS_ON_NAMED]
4593 [--precedence PRECEDENCE]
4594 [selector]
4595
4596
4597 selector
4598 The plugin to edit
4599
4600
4601 --type TYPE
4602 The type of plugin.
4603
4604
4605 --enabled {on,off}
4606 Identifies whether or not the plugin is enabled.
4607
4608
4609 --path PATH
4610 The plugin library name (without the library suffix).
4611
4612
4613 --initfunc INITFUNC
4614 An initialization function of the plugin.
4615
4616
4617 --id ID
4618 The plugin ID.
4619
4620
4621 --vendor VENDOR
4622 The vendor of plugin.
4623
4624
4625 --version VERSION
4626 The version of plugin.
4627
4628
4629 --description DESCRIPTION
4630 The description of the plugin.
4631
4632
4633 --depends-on-type DEPENDS_ON_TYPE
4634 All plug-ins with a type value which matches one of the values
4635 in the following valid range will be started by the server prior
4636 to this plug-in.
4637
4638
4639 --depends-on-named DEPENDS_ON_NAMED
4640 The plug-in name matching one of the following values will be
4641 started by the server prior to this plug-in
4642
4643
4644 --precedence PRECEDENCE
4645 The priority it has in the execution order of plug-ins
4646
4647
4648
4650 usage: dsconf instance pwpolicy [-h] {get,set} ...
4651
4652
4653 Sub-commands
4654 dsconf pwpolicy get
4655 Get the global password policy entry
4656
4657 dsconf pwpolicy set
4658 Set an attribute in a global password policy
4659
4661 usage: dsconf instance pwpolicy get [-h]
4662
4663
4664
4665
4667 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4668 [--pwdchange PWDCHANGE]
4669 [--pwdmustchange PWDMUSTCHANGE]
4670 [--pwdhistory PWDHISTORY]
4671 [--pwdhistorycount PWDHISTORYCOUNT]
4672 [--pwdadmin PWDADMIN]
4673 [--pwdtrack PWDTRACK]
4674 [--pwdwarning PWDWARNING]
4675 [--pwdexpire PWDEXPIRE]
4676 [--pwdmaxage PWDMAXAGE]
4677 [--pwdminage PWDMINAGE]
4678 [--pwdgracelimit PWDGRACELIMIT]
4679 [--pwdsendexpiring PWDSENDEXPIRING]
4680 [--pwdlockout PWDLOCKOUT]
4681 [--pwdunlock PWDUNLOCK]
4682 [--pwdlockoutduration
4683 PWDLOCKOUTDURATION]
4684 [--pwdmaxfailures PWDMAXFAILURES]
4685 [--pwdresetfailcount
4686 PWDRESETFAILCOUNT]
4687 [--pwdchecksyntax PWDCHECKSYNTAX]
4688 [--pwdminlen PWDMINLEN]
4689 [--pwdmindigits PWDMINDIGITS]
4690 [--pwdminalphas PWDMINALPHAS]
4691 [--pwdminuppers PWDMINUPPERS]
4692 [--pwdminlowers PWDMINLOWERS]
4693 [--pwdminspecials PWDMINSPECIALS]
4694 [--pwdmin8bits PWDMIN8BITS]
4695 [--pwdmaxrepeats PWDMAXREPEATS]
4696 [--pwdpalindrome PWDPALINDROME]
4697 [--pwdmaxseq PWDMAXSEQ]
4698 [--pwdmaxseqsets PWDMAXSEQSETS]
4699 [--pwdmaxclasschars
4700 PWDMAXCLASSCHARS]
4701 [--pwdmincatagories
4702 PWDMINCATAGORIES]
4703 [--pwdmintokenlen PWDMINTOKENLEN]
4704 [--pwdbadwords PWDBADWORDS]
4705 [--pwduserattrs PWDUSERATTRS]
4706 [--pwpinheritglobal
4707 PWPINHERITGLOBAL]
4708 [--pwddictcheck PWDDICTCHECK]
4709 [--pwddictpath PWDDICTPATH]
4710 [--pwdlocal PWDLOCAL]
4711 [--pwdisglobal PWDISGLOBAL]
4712 [--pwdallowhash PWDALLOWHASH]
4713
4714
4715
4716 --pwdscheme PWDSCHEME
4717 The password storage scheme
4718
4719
4720 --pwdchange PWDCHANGE
4721 Allow users to change their passwords
4722
4723
4724 --pwdmustchange PWDMUSTCHANGE
4725 User must change their password after it is reset by an
4726 Administrator
4727
4728
4729 --pwdhistory PWDHISTORY
4730 To enable password history set this to "on", otherwise "off"
4731
4732
4733 --pwdhistorycount PWDHISTORYCOUNT
4734 The number of passwords to keep in history
4735
4736
4737 --pwdadmin PWDADMIN
4738 The DN of an entry or a group of accounts that can bypass
4739 password policy constraints
4740
4741
4742 --pwdtrack PWDTRACK
4743 Set to "on" to track the time the password was last changed
4744
4745
4746 --pwdwarning PWDWARNING
4747 Send an expiring warning if password expires within this time
4748 (in seconds)
4749
4750
4751 --pwdexpire PWDEXPIRE
4752 Set to "on" to enable password expiration
4753
4754
4755 --pwdmaxage PWDMAXAGE
4756 The password expiration time in seconds
4757
4758
4759 --pwdminage PWDMINAGE
4760 The number of seconds that must pass before a user can change
4761 their password
4762
4763
4764 --pwdgracelimit PWDGRACELIMIT
4765 The number of allowed logins after the password has expired
4766
4767
4768 --pwdsendexpiring PWDSENDEXPIRING
4769 Set to "on" to always send the expiring control regardless of
4770 the warning period
4771
4772
4773 --pwdlockout PWDLOCKOUT
4774 Set to "on" to enable account lockout
4775
4776
4777 --pwdunlock PWDUNLOCK
4778 Set to "on" to allow an account to become unlocked after the
4779 lockout duration
4780
4781
4782 --pwdlockoutduration PWDLOCKOUTDURATION
4783 The number of seconds an account stays locked out
4784
4785
4786 --pwdmaxfailures PWDMAXFAILURES
4787 The maximum number of allowed failed password attempts before
4788 the account gets locked
4789
4790
4791 --pwdresetfailcount PWDRESETFAILCOUNT
4792 The number of seconds to wait before reducing the failed login
4793 count on an account
4794
4795
4796 --pwdchecksyntax PWDCHECKSYNTAX
4797 Set to "on" to enable password syntax checking
4798
4799
4800 --pwdminlen PWDMINLEN
4801 The minimum number of characters required in a password
4802
4803
4804 --pwdmindigits PWDMINDIGITS
4805 The minimum number of digit/number characters in a password
4806
4807
4808 --pwdminalphas PWDMINALPHAS
4809 The minimum number of alpha characters required in a password
4810
4811
4812 --pwdminuppers PWDMINUPPERS
4813 The minimum number of uppercase characters required in a
4814 password
4815
4816
4817 --pwdminlowers PWDMINLOWERS
4818 The minimum number of lowercase characters required in a
4819 password
4820
4821
4822 --pwdminspecials PWDMINSPECIALS
4823 The minimum number of special characters required in a password
4824
4825
4826 --pwdmin8bits PWDMIN8BITS
4827 The minimum number of 8-bit characters required in a password
4828
4829
4830 --pwdmaxrepeats PWDMAXREPEATS
4831 The maximum number of times the same character can appear
4832 sequentially in the password
4833
4834
4835 --pwdpalindrome PWDPALINDROME
4836 Set to "on" to reject passwords that are palindromes
4837
4838
4839 --pwdmaxseq PWDMAXSEQ
4840 The maximum number of allowed monotonic character sequences in a
4841 password
4842
4843
4844 --pwdmaxseqsets PWDMAXSEQSETS
4845 The maximum number of allowed monotonic character sequences that
4846 can be duplicated in a password
4847
4848
4849 --pwdmaxclasschars PWDMAXCLASSCHARS
4850 The maximum number of sequential characters from the same
4851 character class that is allowed in a password
4852
4853
4854 --pwdmincatagories PWDMINCATAGORIES
4855 The minimum number of syntax category checks
4856
4857
4858 --pwdmintokenlen PWDMINTOKENLEN
4859 Sets the smallest attribute value length that is used for
4860 trivial/user words checking. This also impacts "--pwduserattrs"
4861
4862
4863 --pwdbadwords PWDBADWORDS
4864 A space-separated list of words that can not be in a password
4865
4866
4867 --pwduserattrs PWDUSERATTRS
4868 A space-separated list of attributes whose values can not appear
4869 in the password (See "--pwdmintokenlen")
4870
4871
4872 --pwpinheritglobal PWPINHERITGLOBAL
4873 Set to "on" to allow local policies to inherit the global policy
4874
4875
4876 --pwddictcheck PWDDICTCHECK
4877 Set to "on" to enforce CrackLib dictionary checking
4878
4879
4880 --pwddictpath PWDDICTPATH
4881 Filesystem path to specific/custom CrackLib dictionary files
4882
4883
4884 --pwdlocal PWDLOCAL
4885 Set to "on" to enable fine-grained (subtree/user-level) password
4886 policies
4887
4888
4889 --pwdisglobal PWDISGLOBAL
4890 Set to "on" to enable password policy state attributes to be
4891 replicated
4892
4893
4894 --pwdallowhash PWDALLOWHASH
4895 Set to "on" to allow adding prehashed passwords
4896
4897
4898
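Added example (not part of the dsconf man page or of 389 Directory Server): a Python check over a set of global password policy values, keyed by the option names listed above without the leading dashes, that reports settings which have no effect or contradict each other. The function audit_policy, the grouping of options under their on/off switches, and the two sample policies are assumptions of this example.

```python
# On/off switches and the options that only matter while the switch is "on".
# The grouping is an assumption of this example, read off the option
# descriptions above; it is not output of dsconf.
DEPENDENTS = {
    "pwdchecksyntax": (
        "pwdminlen", "pwdmindigits", "pwdminalphas", "pwdminuppers",
        "pwdminlowers", "pwdminspecials", "pwdmin8bits", "pwdmaxrepeats",
        "pwdpalindrome", "pwdmaxseq", "pwdmaxseqsets", "pwdmaxclasschars",
        "pwdmincatagories", "pwdmintokenlen", "pwdbadwords", "pwduserattrs",
        "pwddictcheck"),
    "pwdhistory": ("pwdhistorycount",),
    "pwdexpire": ("pwdmaxage", "pwdwarning", "pwdgracelimit"),
    "pwdlockout": ("pwdmaxfailures", "pwdlockoutduration",
                   "pwdresetfailcount"),
}


def is_on(policy, option):
    """True when the option is present and set to "on"."""
    return str(policy.get(option, "off")).strip().lower() == "on"


def audit_policy(policy):
    """Return a list of (option, message) findings for a policy dict."""
    findings = []

    # 1. Values configured under a switch that is not enabled are inert.
    for switch, options in DEPENDENTS.items():
        inert = sorted(o for o in options if o in policy)
        if inert and not is_on(policy, switch):
            findings.append((switch, "%s is not on, so these have no effect: %s"
                             % (switch, ", ".join(inert))))

    # 2. Time values are all in seconds and must fit inside the maximum age.
    if is_on(policy, "pwdexpire") and "pwdmaxage" in policy:
        max_age = int(policy["pwdmaxage"])
        for option in ("pwdminage", "pwdwarning"):
            if option in policy and int(policy[option]) >= max_age:
                findings.append((option, "%s (%ss) is not smaller than "
                                 "pwdmaxage (%ss)"
                                 % (option, policy[option], max_age)))

    # 3. A lockout duration only releases accounts when pwdunlock is on.
    if (is_on(policy, "pwdlockout") and "pwdlockoutduration" in policy
            and not is_on(policy, "pwdunlock")):
        findings.append(("pwdlockoutduration",
                         "pwdunlock is not on, so locked accounts are not "
                         "released after the lockout duration"))

    # 4. A prehashed value cannot be inspected by the syntax checks.
    if is_on(policy, "pwdallowhash"):
        findings.append(("pwdallowhash",
                         "prehashed passwords are accepted; syntax checks "
                         "cannot be applied to them"))
    return findings


# Constructed sample policies (values are illustrative, not recommendations).
WEAK_POLICY = {
    "pwdchecksyntax": "off", "pwdminlen": "12",
    "pwdexpire": "on", "pwdmaxage": "7776000",
    "pwdminage": "8640000", "pwdwarning": "604800",
    "pwdlockout": "on", "pwdmaxfailures": "5",
    "pwdunlock": "off", "pwdlockoutduration": "3600",
    "pwdallowhash": "on",
}
CONSISTENT_POLICY = {
    "pwdchecksyntax": "on", "pwdminlen": "12",
    "pwdexpire": "on", "pwdmaxage": "7776000",
    "pwdminage": "86400", "pwdwarning": "604800",
    "pwdlockout": "on", "pwdmaxfailures": "5",
    "pwdunlock": "on", "pwdlockoutduration": "3600",
}

if __name__ == "__main__":
    for option, message in audit_policy(WEAK_POLICY):
        print("%-20s %s" % (option, message))
```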
4900 usage: dsconf instance localpwp [-h]
4901 {list,get,set,remove,adduser,
4902 addsubtree} ...
4903
4904
4905 Sub-commands
4906 dsconf localpwp list
4907 List all the local password policies
4908
4909 dsconf localpwp get
4910 Get local password policy entry
4911
4912 dsconf localpwp set
4913 Set an attribute in a local password policy
4914
4915 dsconf localpwp remove
4916 Remove a local password policy
4917
4918 dsconf localpwp adduser
4919 Add new user password policy
4920
4921 dsconf localpwp addsubtree
4922 Add new subtree password policy
4923
4925 usage: dsconf instance localpwp list [-h] [DN]
4926
4927
4928 DN Suffix to search for local password policies
4929
4930
4931
4933 usage: dsconf instance localpwp get [-h] DN
4934
4935
4936 DN Get the local policy for this entry DN
4937
4938
4939
4941 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
4942 [--pwdchange PWDCHANGE]
4943 [--pwdmustchange PWDMUSTCHANGE]
4944 [--pwdhistory PWDHISTORY]
4945 [--pwdhistorycount PWDHISTORYCOUNT]
4946 [--pwdadmin PWDADMIN]
4947 [--pwdtrack PWDTRACK]
4948 [--pwdwarning PWDWARNING]
4949 [--pwdexpire PWDEXPIRE]
4950 [--pwdmaxage PWDMAXAGE]
4951 [--pwdminage PWDMINAGE]
4952 [--pwdgracelimit PWDGRACELIMIT]
4953 [--pwdsendexpiring PWDSENDEXPIRING]
4954 [--pwdlockout PWDLOCKOUT]
4955 [--pwdunlock PWDUNLOCK]
4956 [--pwdlockoutduration
4957 PWDLOCKOUTDURATION]
4958 [--pwdmaxfailures PWDMAXFAILURES]
4959 [--pwdresetfailcount
4960 PWDRESETFAILCOUNT]
4961 [--pwdchecksyntax PWDCHECKSYNTAX]
4962 [--pwdminlen PWDMINLEN]
4963 [--pwdmindigits PWDMINDIGITS]
4964 [--pwdminalphas PWDMINALPHAS]
4965 [--pwdminuppers PWDMINUPPERS]
4966 [--pwdminlowers PWDMINLOWERS]
4967 [--pwdminspecials PWDMINSPECIALS]
4968 [--pwdmin8bits PWDMIN8BITS]
4969 [--pwdmaxrepeats PWDMAXREPEATS]
4970 [--pwdpalindrome PWDPALINDROME]
4971 [--pwdmaxseq PWDMAXSEQ]
4972 [--pwdmaxseqsets PWDMAXSEQSETS]
4973 [--pwdmaxclasschars
4974 PWDMAXCLASSCHARS]
4975 [--pwdmincatagories
4976 PWDMINCATAGORIES]
4977 [--pwdmintokenlen PWDMINTOKENLEN]
4978 [--pwdbadwords PWDBADWORDS]
4979 [--pwduserattrs PWDUSERATTRS]
4980 [--pwpinheritglobal
4981 PWPINHERITGLOBAL]
4982 [--pwddictcheck PWDDICTCHECK]
4983 [--pwddictpath PWDDICTPATH]
4984 DN
4985
4986
4987 DN Set the local policy for this entry DN
4988
4989
4990 --pwdscheme PWDSCHEME
4991 The password storage scheme
4992
4993
4994 --pwdchange PWDCHANGE
4995 Allow users to change their passwords
4996
4997
4998 --pwdmustchange PWDMUSTCHANGE
4999 User must change their password after it is reset by an
5000 Administrator
5001
5002
5003 --pwdhistory PWDHISTORY
5004 To enable password history set this to "on", otherwise "off"
5005
5006
5007 --pwdhistorycount PWDHISTORYCOUNT
5008 The number of passwords to keep in history
5009
5010
5011 --pwdadmin PWDADMIN
5012 The DN of an entry or a group of accounts that can bypass
5013 password policy constraints
5014
5015
5016 --pwdtrack PWDTRACK
5017 Set to "on" to track the time the password was last changed
5018
5019
5020 --pwdwarning PWDWARNING
5021 Send an expiring warning if password expires within this time
5022 (in seconds)
5023
5024
5025 --pwdexpire PWDEXPIRE
5026 Set to "on" to enable password expiration
5027
5028
5029 --pwdmaxage PWDMAXAGE
5030 The password expiration time in seconds
5031
5032
5033 --pwdminage PWDMINAGE
5034 The number of seconds that must pass before a user can change
5035 their password
5036
5037
5038 --pwdgracelimit PWDGRACELIMIT
5039 The number of allowed logins after the password has expired
5040
5041
5042 --pwdsendexpiring PWDSENDEXPIRING
5043 Set to "on" to always send the expiring control regardless of
5044 the warning period
5045
5046
5047 --pwdlockout PWDLOCKOUT
5048 Set to "on" to enable account lockout
5049
5050
5051 --pwdunlock PWDUNLOCK
5052 Set to "on" to allow an account to become unlocked after the
5053 lockout duration
5054
5055
5056 --pwdlockoutduration PWDLOCKOUTDURATION
5057 The number of seconds an account stays locked out
5058
5059
5060 --pwdmaxfailures PWDMAXFAILURES
5061 The maximum number of allowed failed password attempts before
5062 the account gets locked
5063
5064
5065 --pwdresetfailcount PWDRESETFAILCOUNT
5066 The number of seconds to wait before reducing the failed login
5067 count on an account
5068
5069
5070 --pwdchecksyntax PWDCHECKSYNTAX
5071 Set to "on" to enable password syntax checking
5072
5073
5074 --pwdminlen PWDMINLEN
5075 The minimum number of characters required in a password
5076
5077
5078 --pwdmindigits PWDMINDIGITS
5079 The minimum number of digit/number characters in a password
5080
5081
5082 --pwdminalphas PWDMINALPHAS
5083 The minimum number of alpha characters required in a password
5084
5085
5086 --pwdminuppers PWDMINUPPERS
5087 The minimum number of uppercase characters required in a
5088 password
5089
5090
5091 --pwdminlowers PWDMINLOWERS
5092 The minimum number of lowercase characters required in a
5093 password
5094
5095
5096 --pwdminspecials PWDMINSPECIALS
5097 The minimum number of special characters required in a password
5098
5099
5100 --pwdmin8bits PWDMIN8BITS
5101 The minimum number of 8-bit characters required in a password
5102
5103
5104 --pwdmaxrepeats PWDMAXREPEATS
5105 The maximum number of times the same character can appear
5106 sequentially in the password
5107
5108
5109 --pwdpalindrome PWDPALINDROME
5110 Set to "on" to reject passwords that are palindromes
5111
5112
5113 --pwdmaxseq PWDMAXSEQ
5114 The maximum number of allowed monotonic character sequences in a
5115 password
5116
5117
5118 --pwdmaxseqsets PWDMAXSEQSETS
5119 The maximum number of allowed monotonic character sequences that
5120 can be duplicated in a password
5121
5122
5123 --pwdmaxclasschars PWDMAXCLASSCHARS
5124 The maximum number of sequential characters from the same
5125 character class that is allowed in a password
5126
5127
5128 --pwdmincatagories PWDMINCATAGORIES
5129 The minimum number of syntax category checks
5130
5131
5132 --pwdmintokenlen PWDMINTOKENLEN
5133 Sets the smallest attribute value length that is used for
5134 trivial/user words checking. This also impacts "--pwduserattrs"
5135
5136
5137 --pwdbadwords PWDBADWORDS
5138 A space-separated list of words that can not be in a password
5139
5140
5141 --pwduserattrs PWDUSERATTRS
5142 A space-separated list of attributes whose values can not appear
5143 in the password (See "--pwdmintokenlen")
5144
5145
5146 --pwpinheritglobal PWPINHERITGLOBAL
5147 Set to "on" to allow local policies to inherit the global policy
5148
5149
5150 --pwddictcheck PWDDICTCHECK
5151 Set to "on" to enforce CrackLib dictionary checking
5152
5153
5154 --pwddictpath PWDDICTPATH
5155 Filesystem path to specific/custom CrackLib dictionary files
5156
5157
5159 usage: dsconf instance localpwp remove [-h] DN
5160
5161
5162 DN Remove local policy for this entry DN
5163
5164
5165
5167 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5168 [--pwdchange PWDCHANGE]
5169 [--pwdmustchange PWDMUSTCHANGE]
5170 [--pwdhistory PWDHISTORY]
5171 [--pwdhistorycount
5172 PWDHISTORYCOUNT]
5173 [--pwdadmin PWDADMIN]
5174 [--pwdtrack PWDTRACK]
5175 [--pwdwarning PWDWARNING]
5176 [--pwdexpire PWDEXPIRE]
5177 [--pwdmaxage PWDMAXAGE]
5178 [--pwdminage PWDMINAGE]
5179 [--pwdgracelimit PWDGRACELIMIT]
5180 [--pwdsendexpiring
5181 PWDSENDEXPIRING]
5182 [--pwdlockout PWDLOCKOUT]
5183 [--pwdunlock PWDUNLOCK]
5184 [--pwdlockoutduration
5185 PWDLOCKOUTDURATION]
5186 [--pwdmaxfailures
5187 PWDMAXFAILURES]
5188 [--pwdresetfailcount
5189 PWDRESETFAILCOUNT]
5190 [--pwdchecksyntax
5191 PWDCHECKSYNTAX]
5192 [--pwdminlen PWDMINLEN]
5193 [--pwdmindigits PWDMINDIGITS]
5194 [--pwdminalphas PWDMINALPHAS]
5195 [--pwdminuppers PWDMINUPPERS]
5196 [--pwdminlowers PWDMINLOWERS]
5197 [--pwdminspecials
5198 PWDMINSPECIALS]
5199 [--pwdmin8bits PWDMIN8BITS]
5200 [--pwdmaxrepeats PWDMAXREPEATS]
5201 [--pwdpalindrome PWDPALINDROME]
5202 [--pwdmaxseq PWDMAXSEQ]
5203 [--pwdmaxseqsets PWDMAXSEQSETS]
5204 [--pwdmaxclasschars
5205 PWDMAXCLASSCHARS]
5206 [--pwdmincatagories
5207 PWDMINCATAGORIES]
5208 [--pwdmintokenlen
5209 PWDMINTOKENLEN]
5210 [--pwdbadwords PWDBADWORDS]
5211 [--pwduserattrs PWDUSERATTRS]
5212 [--pwpinheritglobal
5213 PWPINHERITGLOBAL]
5214 [--pwddictcheck PWDDICTCHECK]
5215 [--pwddictpath PWDDICTPATH]
5216 DN
5217
5218
5219 DN Add/replace the local password policy for this entry DN
5220
5221
5222 --pwdscheme PWDSCHEME
5223 The password storage scheme
5224
5225
5226 --pwdchange PWDCHANGE
5227 Allow users to change their passwords
5228
5229
5230 --pwdmustchange PWDMUSTCHANGE
5231 User must change their password after it is reset by an
5232 Administrator
5233
5234
5235 --pwdhistory PWDHISTORY
5236 To enable password history set this to "on", otherwise "off"
5237
5238
5239 --pwdhistorycount PWDHISTORYCOUNT
5240 The number of passwords to keep in history
5241
5242
5243 --pwdadmin PWDADMIN
5244 The DN of an entry or a group of accounts that can bypass
5245 password policy constraints
5246
5247
5248 --pwdtrack PWDTRACK
5249 Set to "on" to track the time the password was last changed
5250
5251
5252 --pwdwarning PWDWARNING
5253 Send an expiring warning if password expires within this time
5254 (in seconds)
5255
5256
5257 --pwdexpire PWDEXPIRE
5258 Set to "on" to enable password expiration
5259
5260
5261 --pwdmaxage PWDMAXAGE
5262 The password expiration time in seconds
5263
5264
5265 --pwdminage PWDMINAGE
5266 The number of seconds that must pass before a user can change
5267 their password
5268
5269
5270 --pwdgracelimit PWDGRACELIMIT
5271 The number of allowed logins after the password has expired
5272
5273
5274 --pwdsendexpiring PWDSENDEXPIRING
5275 Set to "on" to always send the expiring control regardless of
5276 the warning period
5277
5278
5279 --pwdlockout PWDLOCKOUT
5280 Set to "on" to enable account lockout
5281
5282
5283 --pwdunlock PWDUNLOCK
5284 Set to "on" to allow an account to become unlocked after the
5285 lockout duration
5286
5287
5288 --pwdlockoutduration PWDLOCKOUTDURATION
5289 The number of seconds an account stays locked out
5290
5291
5292 --pwdmaxfailures PWDMAXFAILURES
5293 The maximum number of allowed failed password attempts before
5294 the account gets locked
5295
5296
5297 --pwdresetfailcount PWDRESETFAILCOUNT
5298 The number of seconds to wait before reducing the failed login
5299 count on an account
5300
5301
5302 --pwdchecksyntax PWDCHECKSYNTAX
5303 Set to "on" to enable password syntax checking
5304
5305
5306 --pwdminlen PWDMINLEN
5307 The minimum number of characters required in a password
5308
5309
5310 --pwdmindigits PWDMINDIGITS
5311 The minimum number of digit/number characters in a password
5312
5313
5314 --pwdminalphas PWDMINALPHAS
5315 The minimum number of alpha characters required in a password
5316
5317
5318 --pwdminuppers PWDMINUPPERS
5319 The minimum number of uppercase characters required in a
5320 password
5321
5322
5323 --pwdminlowers PWDMINLOWERS
5324 The minimum number of lowercase characters required in a
5325 password
5326
5327
5328 --pwdminspecials PWDMINSPECIALS
5329 The minimum number of special characters required in a password
5330
5331
5332 --pwdmin8bits PWDMIN8BITS
5333 The minimum number of 8-bit characters required in a password
5334
5335
5336 --pwdmaxrepeats PWDMAXREPEATS
5337 The maximum number of times the same character can appear
5338 sequentially in the password
5339
5340
5341 --pwdpalindrome PWDPALINDROME
5342 Set to "on" to reject passwords that are palindromes
5343
5344
5345 --pwdmaxseq PWDMAXSEQ
5346 The maximum number of allowed monotonic character sequences in a
5347 password
5348
5349
5350 --pwdmaxseqsets PWDMAXSEQSETS
5351 The maximum number of allowed monotonic character sequences that
5352 can be duplicated in a password
5353
5354
5355 --pwdmaxclasschars PWDMAXCLASSCHARS
5356 The maximum number of sequential characters from the same
5357 character class that is allowed in a password
5358
5359
5360 --pwdmincatagories PWDMINCATAGORIES
5361 The minimum number of syntax category checks
5362
5363
5364 --pwdmintokenlen PWDMINTOKENLEN
5365 Sets the smallest attribute value length that is used for
5366 trivial/user words checking. This also impacts "--pwduserattrs"
5367
5368
5369 --pwdbadwords PWDBADWORDS
5370 A space-separated list of words that can not be in a password
5371
5372
5373 --pwduserattrs PWDUSERATTRS
5374 A space-separated list of attributes whose values can not appear
5375 in the password (See "--pwdmintokenlen")
5376
5377
5378 --pwpinheritglobal PWPINHERITGLOBAL
5379 Set to "on" to allow local policies to inherit the global policy
5380
5381
5382 --pwddictcheck PWDDICTCHECK
5383 Set to "on" to enforce CrackLib dictionary checking
5384
5385
5386 --pwddictpath PWDDICTPATH
5387 Filesystem path to specific/custom CrackLib dictionary files
5388
5389
5391 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5392 [--pwdchange PWDCHANGE]
5393 [--pwdmustchange PWDMUSTCHANGE]
5395 [--pwdhistory PWDHISTORY]
5396 [--pwdhistorycount PWDHISTORYCOUNT]
5398 [--pwdadmin PWDADMIN]
5399 [--pwdtrack PWDTRACK]
5400 [--pwdwarning PWDWARNING]
5401 [--pwdexpire PWDEXPIRE]
5402 [--pwdmaxage PWDMAXAGE]
5403 [--pwdminage PWDMINAGE]
5404 [--pwdgracelimit PWDGRACELIMIT]
5406 [--pwdsendexpiring PWDSENDEXPIRING]
5408 [--pwdlockout PWDLOCKOUT]
5409 [--pwdunlock PWDUNLOCK]
5410 [--pwdlockoutduration PWDLOCKOUTDURATION]
5412 [--pwdmaxfailures PWDMAXFAILURES]
5414 [--pwdresetfailcount PWDRESETFAILCOUNT]
5416 [--pwdchecksyntax PWDCHECKSYNTAX]
5418 [--pwdminlen PWDMINLEN]
5419 [--pwdmindigits PWDMINDIGITS]
5421 [--pwdminalphas PWDMINALPHAS]
5423 [--pwdminuppers PWDMINUPPERS]
5425 [--pwdminlowers PWDMINLOWERS]
5427 [--pwdminspecials PWDMINSPECIALS]
5429 [--pwdmin8bits PWDMIN8BITS]
5430 [--pwdmaxrepeats PWDMAXREPEATS]
5432 [--pwdpalindrome PWDPALINDROME]
5434 [--pwdmaxseq PWDMAXSEQ]
5435 [--pwdmaxseqsets PWDMAXSEQSETS]
5437 [--pwdmaxclasschars PWDMAXCLASSCHARS]
5439 [--pwdmincatagories PWDMINCATAGORIES]
5441 [--pwdmintokenlen PWDMINTOKENLEN]
5443 [--pwdbadwords PWDBADWORDS]
5444 [--pwduserattrs PWDUSERATTRS]
5446 [--pwpinheritglobal PWPINHERITGLOBAL]
5448 [--pwddictcheck PWDDICTCHECK]
5450 [--pwddictpath PWDDICTPATH]
5451 DN
5452
5453
5454 DN Add/replace the subtree policy for this entry DN
5455
5456
5457 --pwdscheme PWDSCHEME
5458 The password storage scheme
5459
5460
5461 --pwdchange PWDCHANGE
5462 Allow users to change their passwords
5463
5464
5465 --pwdmustchange PWDMUSTCHANGE
5466 User must change their password after it is reset by an
5467 Administrator
5468
5469
5470 --pwdhistory PWDHISTORY
5471 To enable password history set this to "on", otherwise "off"
5472
5473
5474 --pwdhistorycount PWDHISTORYCOUNT
5475 The number of passwords to keep in history
5476
5477
5478 --pwdadmin PWDADMIN
5479 The DN of an entry or a group of accounts that can bypass
5480 password policy constraints
5481
5482
5483 --pwdtrack PWDTRACK
5484 Set to "on" to track the time the password was last changed
5485
5486
5487 --pwdwarning PWDWARNING
5488 Send an expiring warning if password expires within this time
5489 (in seconds)
5490
5491
5492 --pwdexpire PWDEXPIRE
5493 Set to "on" to enable password expiration
5494
5495
5496 --pwdmaxage PWDMAXAGE
5497 The password expiration time in seconds
5498
5499
5500 --pwdminage PWDMINAGE
5501 The number of seconds that must pass before a user can change
5502 their password
5503
5504
5505 --pwdgracelimit PWDGRACELIMIT
5506 The number of allowed logins after the password has expired
5507
5508
5509 --pwdsendexpiring PWDSENDEXPIRING
5510 Set to "on" to always send the expiring control regardless of
5511 the warning period
5512
5513
5514 --pwdlockout PWDLOCKOUT
5515 Set to "on" to enable account lockout
5516
5517
5518 --pwdunlock PWDUNLOCK
5519 Set to "on" to allow an account to become unlocked after the
5520 lockout duration
5521
5522
5523 --pwdlockoutduration PWDLOCKOUTDURATION
5524 The number of seconds an account stays locked out
5525
5526
5527 --pwdmaxfailures PWDMAXFAILURES
5528 The maximum number of allowed failed password attempts before
5529 the account gets locked
5530
5531
5532 --pwdresetfailcount PWDRESETFAILCOUNT
5533 The number of seconds to wait before reducing the failed login
5534 count on an account
5535
5536
5537 --pwdchecksyntax PWDCHECKSYNTAX
5538 Set to "on" to enable password syntax checking
5539
5540
5541 --pwdminlen PWDMINLEN
5542 The minimum number of characters required in a password
5543
5544
5545 --pwdmindigits PWDMINDIGITS
5546 The minimum number of digit/number characters in a password
5547
5548
5549 --pwdminalphas PWDMINALPHAS
5550 The minimum number of alpha characters required in a password
5551
5552
5553 --pwdminuppers PWDMINUPPERS
5554 The minimum number of uppercase characters required in a
5555 password
5556
5557
5558 --pwdminlowers PWDMINLOWERS
5559 The minimum number of lowercase characters required in a
5560 password
5561
5562
5563 --pwdminspecials PWDMINSPECIALS
5564 The minimum number of special characters required in a password
5565
5566
5567 --pwdmin8bits PWDMIN8BITS
5568 The minimum number of 8-bit characters required in a password
5569
5570
5571 --pwdmaxrepeats PWDMAXREPEATS
5572 The maximum number of times the same character can appear
5573 sequentially in the password
5574
5575
5576 --pwdpalindrome PWDPALINDROME
5577 Set to "on" to reject passwords that are palindromes
5578
5579
5580 --pwdmaxseq PWDMAXSEQ
5581 The maximum number of allowed monotonic character sequences in a
5582 password
5583
5584
5585 --pwdmaxseqsets PWDMAXSEQSETS
5586 The maximum number of allowed monotonic character sequences that
5587 can be duplicated in a password
5588
5589
5590 --pwdmaxclasschars PWDMAXCLASSCHARS
5591 The maximum number of sequential characters from the same
5592 character class that is allowed in a password
5593
5594
5595 --pwdmincatagories PWDMINCATAGORIES
5596 The minimum number of syntax category checks
5597
5598
5599 --pwdmintokenlen PWDMINTOKENLEN
5600 Sets the smallest attribute value length that is used for
5601 trivial/user words checking. This also impacts "--pwduserattrs"
5602
5603
5604 --pwdbadwords PWDBADWORDS
5605 A space-separated list of words that can not be in a password
5606
5607
5608 --pwduserattrs PWDUSERATTRS
5609 A space-separated list of attributes whose values can not appear
5610 in the password (See "--pwdmintokenlen")
5611
5612
5613 --pwpinheritglobal PWPINHERITGLOBAL
5614 Set to "on" to allow local policies to inherit the global policy
5615
5616
5617 --pwddictcheck PWDDICTCHECK
5618 Set to "on" to enforce CrackLib dictionary checking
5619
5620
5621 --pwddictpath PWDDICTPATH
5622 Filesystem path to specific/custom CrackLib dictionary files
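
Several of the options above only take effect when an enabling switch ("--pwdhistory", "--pwdexpire", "--pwdlockout", "--pwdchecksyntax", "--pwddictcheck") is "on". The following is an added example, not part of dsconf or the original page: it reads a `localpwp` command line and reports dependent options given without their switch. The grouping of options under each switch is inferred from the option descriptions and is an assumption, and the sample command is constructed.

```python
import shlex

# Enabling switch -> options that are only meaningful when the switch is "on".
# Assumption: grouping inferred from the option descriptions on this page,
# not taken from the server's code.
SWITCH_DEPENDENTS = {
    "--pwdhistory": ["--pwdhistorycount"],
    "--pwdexpire": ["--pwdmaxage", "--pwdwarning", "--pwdgracelimit",
                    "--pwdsendexpiring"],
    "--pwdlockout": ["--pwdunlock", "--pwdlockoutduration",
                     "--pwdmaxfailures", "--pwdresetfailcount"],
    "--pwdchecksyntax": ["--pwdminlen", "--pwdmindigits", "--pwdminalphas",
                         "--pwdminuppers", "--pwdminlowers",
                         "--pwdminspecials", "--pwdmin8bits",
                         "--pwdmaxrepeats", "--pwdmincatagories"],
    "--pwddictcheck": ["--pwddictpath"],
}


def parse_localpwp(command):
    """Split a 'dsconf ... localpwp <subcommand> ...' line into options and DN."""
    tokens = shlex.split(command)
    if "localpwp" not in tokens:
        raise ValueError("not a localpwp command")
    rest = tokens[tokens.index("localpwp") + 2:]  # skip the sub-command name
    options, positionals = {}, []
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("--"):
            name, sep, value = tok.partition("=")
            if not sep:  # "--opt value" form: the value is the next token
                if i + 1 >= len(rest):
                    raise ValueError(f"{name} has no value")
                i += 1
                value = rest[i]
            options[name] = value
        else:
            positionals.append(tok)
        i += 1
    return options, positionals


def audit_policy(command):
    """Return (switch, state, dependents) for every switch that is not "on"
    in this command while options depending on it are set."""
    options, _ = parse_localpwp(command)
    findings = []
    for switch, dependents in SWITCH_DEPENDENTS.items():
        state = options.get(switch)
        label = "unset" if state is None else state.lower()
        used = [d for d in dependents if d in options]
        if used and label != "on":
            findings.append((switch, label, used))
    return findings


# Constructed sample: lockout thresholds are given but lockout is "off",
# and syntax limits are given without "--pwdchecksyntax on".
SAMPLE = (
    'dsconf localhost localpwp addsubtree --pwdlockout off '
    '--pwdmaxfailures 5 --pwdlockoutduration 900 --pwdminlen 14 '
    '--pwdmindigits 1 --pwdhistory on --pwdhistorycount 12 '
    '"ou=people,dc=example,dc=com"'
)
# The same policy with the two switches turned on.
FIXED = SAMPLE.replace("--pwdlockout off", "--pwdlockout on --pwdchecksyntax on")

if __name__ == "__main__":
    for switch, state, used in audit_policy(SAMPLE):
        print(f"{switch} is {state}, but these were set: {', '.join(used)}")
```

A switch reported as "unset" may still be enabled by a policy that already exists on the server; the check only covers what the command itself sets.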
5623
5624
5625
5627 usage: dsconf instance replication [-h]
5628 {enable,disable,get-ruv,list,status,winsync-status,promote,
5629 create-manager,delete-manager,demote,get,set-changelog,
5630 get-changelog,export-changelog,import-changelog,set,monitor}
5632 ...
5633
5634
5635 Sub-commands
5636 dsconf replication enable
5637 Enable replication for a suffix
5638
5639 dsconf replication disable
5640 Disable replication for a suffix
5641
5642 dsconf replication get-ruv
5643 Get the database RUV entry for this suffix
5644
5645 dsconf replication list
5646 List all the replicated suffixes
5647
5648 dsconf replication status
5649 Get the current status of all the replication agreements
5650
5651 dsconf replication winsync-status
5652 Get the current status of all the replication agreements
5653
5654 dsconf replication promote
5655 Promote replica to a Hub or Supplier
5656
5657 dsconf replication create-manager
5658 Create a replication manager entry
5659
5660 dsconf replication delete-manager
5661 Delete a replication manager entry
5662
5663 dsconf replication demote
5664 Demote replica to a Hub or Consumer
5665
5666 dsconf replication get
5667 Get replication configuration
5668
5669 dsconf replication set-changelog
5670 Set replication changelog attributes.
5671
5672 dsconf replication get-changelog
5673 Display replication changelog attributes.
5674
5675 dsconf replication export-changelog
5676 Export the Directory Server replication changelog to an LDIF
5677
5678 dsconf replication import-changelog
5679 Restore/Import Directory Server replication change log from an
5680 LDIF file. This is typically used when managing changelog
5681 encryption
5682
5683 dsconf replication set
5684 Set an attribute in the replication configuration
5685
5686 dsconf replication monitor
5687 Get the full replication topology report
5688
5690 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
5691 ROLE
5692 [--replica-id REPLICA_ID]
5693 [--bind-group-dn
5694 BIND_GROUP_DN]
5695 [--bind-dn BIND_DN]
5696 [--bind-passwd BIND_PASSWD]
5697
5698
5699
5700 --suffix SUFFIX
5701 The DN of the suffix to be enabled for replication
5702
5703
5704 --role ROLE
5705 The Replication role: "supplier", "hub", or "consumer"
5706
5707
5708 --replica-id REPLICA_ID
5709 The replication identifier for a "supplier". Values range from 1
5710 - 65534
5711
5712
5713 --bind-group-dn BIND_GROUP_DN
5714 A group entry DN containing members that are "bind/supplier" DNs
5715
5716
5717 --bind-dn BIND_DN
5718 The Bind or Supplier DN that can make replication updates
5719
5720
5721 --bind-passwd BIND_PASSWD
5722 Password for replication manager(--bind-dn). This will create
5723 the manager entry if a value is set
5724
5725
5727 usage: dsconf instance replication disable [-h] --suffix SUFFIX
5728
5729
5730
5731 --suffix SUFFIX
5732 The DN of the suffix to have replication disabled
5733
5734
5736 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
5737
5738
5739
5740 --suffix SUFFIX
5741 The DN of the replicated suffix
5742
5743
5745 usage: dsconf instance replication list [-h]
5746
5747
5748
5749
5751 usage: dsconf instance replication status [-h] --suffix SUFFIX
5752 [--bind-dn BIND_DN]
5753 [--bind-passwd BIND_PASSWD]
5754
5755
5756
5757 --suffix SUFFIX
5758 The DN of the replication suffix
5759
5760
5761 --bind-dn BIND_DN
5762 The DN to use to authenticate to the consumer
5763
5764
5765 --bind-passwd BIND_PASSWD
5766 The password for the bind DN
5767
5768
5770 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
5771 [--bind-dn BIND_DN]
5772 [--bind-passwd
5773 BIND_PASSWD]
5774
5775
5776
5777 --suffix SUFFIX
5778 The DN of the replication suffix
5779
5780
5781 --bind-dn BIND_DN
5782 The DN to use to authenticate to the consumer
5783
5784
5785 --bind-passwd BIND_PASSWD
5786 The password for the bind DN
5787
5788
5790 usage: dsconf instance replication promote [-h] --suffix SUFFIX
5791 --newrole NEWROLE
5792 [--replica-id REPLICA_ID]
5794 [--bind-group-dn BIND_GROUP_DN]
5796 [--bind-dn BIND_DN]
5797
5798
5799
5800 --suffix SUFFIX
5801 The DN of the replication suffix to promote
5802
5803
5804 --newrole NEWROLE
5805 Promote this replica to a "hub" or "supplier"
5806
5807
5808 --replica-id REPLICA_ID
5809 The replication identifier for a "supplier". Values range from 1
5810 - 65534
5811
5812
5813 --bind-group-dn BIND_GROUP_DN
5814 A group entry DN containing members that are "bind/supplier" DNs
5815
5816
5817 --bind-dn BIND_DN
5818 The Bind or Supplier DN that can make replication updates
5819
5820
5822 usage: dsconf instance replication create-manager [-h] [--name NAME]
5823 [--passwd PASSWD]
5824 [--suffix SUFFIX]
5825
5826
5827
5828 --name NAME
5829 The NAME of the new replication manager entry. For example, if
5830 the NAME is "replication manager" then the new manager entry's
5831 DN would be "cn=replication manager,cn=config".
5832
5833
5834 --passwd PASSWD
5835 Password for replication manager. If not provided, you will be
5836 prompted for the password
5837
5838
5839 --suffix SUFFIX
5840 The DN of the replication suffix whose replication configuration
5841 you want to add this new manager to (OPTIONAL)
5842
5843
5845 usage: dsconf instance replication delete-manager [-h] [--name NAME]
5846 [--suffix SUFFIX]
5847
5848
5849
5850 --name NAME
5851 The NAME of the replication manager entry under cn=config:
5852 "cn=NAME,cn=config"
5853
5854
5855 --suffix SUFFIX
5856 The DN of the replication suffix whose replication configuration
5857 you want to remove this manager from (OPTIONAL)
5858
5859
5861 usage: dsconf instance replication demote [-h] --suffix SUFFIX
5862 --newrole NEWROLE
5864
5865
5866
5867 --suffix SUFFIX
5868 Promote this replica to a "hub" or "consumer"
5869
5870
5871 --newrole NEWROLE
5872 The Replication role: "hub", or "consumer"
5873
5874
5876 usage: dsconf instance replication get [-h] --suffix SUFFIX
5877
5878
5879
5880 --suffix SUFFIX
5881 Get the replication configuration for this suffix DN
5882
5883
5885 usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
5886 [--max-entries
5887 MAX_ENTRIES]
5888 [--max-age MAX_AGE]
5889 [--trim-interval
5890 TRIM_INTERVAL]
5891 [--encrypt]
5892 [--disable-encrypt]
5893
5894
5895
5896 --suffix SUFFIX
5897 The suffix that uses the changelog
5898
5899
5900 --max-entries MAX_ENTRIES
5901 The maximum number of entries to get in the replication
5902 changelog
5903
5904
5905 --max-age MAX_AGE
5906 The maximum age of a replication changelog entry
5907
5908
5909 --trim-interval TRIM_INTERVAL
5910 The interval to check if the replication changelog can be
5911 trimmed
5912
5913
5914 --encrypt
5915 Set the replication changelog to use encryption. You must export
5916 & import the changelog after setting this.
5917
5918
5919 --disable-encrypt
5920 Set the replication changelog to not use encryption. You must
5921 export & import the changelog after setting this.
5922
5923
5925 usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
5926
5927
5928
5929 --suffix SUFFIX
5930 The suffix that uses the changelog
5931
5932
5934 usage: dsconf instance replication export-changelog [-h]
5935 {to-ldif,default} ...
5936
5937
5938 Sub-commands
5939 dsconf replication export-changelog to-ldif
5940 Export to a specific single LDIF file. This is typically used
5941 for setting up changelog encryption
5942
5943 dsconf replication export-changelog default
5944 Export the replication changelog to the server's default LDIF
5945 directory.
5946
5948 usage: dsconf instance replication export-changelog to-ldif
5949 [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r
5950 REPLICA_ROOT
5951
5952
5953
5954 -c, --csn-only
5955 Export and interpret CSN only. This option can be used with or
5956 without the -i option. The LDIF file that is generated can not be
5957 imported and is only used for debugging purposes
5958
5959
5960 -d, --decode
5961 Decode the base64 values in each changelog entry. The LDIF file
5962 that is generated can not be imported and is only used for
5963 debugging purposes
5964
5965
5966 -l, --preserve-ldif-done
5967 Preserve generated ldif.done files in changelog directory.
5968
5969
5970 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
5971 If you already have a changelog LDIF file, but the changes in
5972 that file are encoded, you may use this option to decode the
5973 changes in that LDIF file.
5974
5975
5976 -o OUTPUT_FILE, --output-file OUTPUT_FILE
5977 Path name for the final result.
5978
5979
5980 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
5981 Specify replica root whose changelog you want to export.
5982
5983
5985 usage: dsconf instance replication export-changelog default
5986 [-h] -r REPLICA_ROOT
5987
5988
5989
5990 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
5991 Specify replica root whose changelog you want to export.
5992
5993
5994
5996 usage: dsconf instance replication import-changelog [-h]
5997 {from-ldif,default}
5998 ...
5999
6000
6001 Sub-commands
6002 dsconf replication import-changelog from-ldif
6003 Restore/Import a specific single LDIF file.
6004
6005 dsconf replication import-changelog default
6006 Import the default changelog LDIF file created by the server.
6007
6009 usage: dsconf instance replication import-changelog from-ldif
6010 [-h] -r REPLICA_ROOT LDIF_PATH
6011
6012
6013 LDIF_PATH
6014 The path of the changelog LDIF file.
6015
6016
6017 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6018 Specify the replica root whose changelog you want to import.
6019
6020
6022 usage: dsconf instance replication import-changelog default
6023 [-h] -r REPLICA_ROOT
6024
6025
6026
6027 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6028 Specify the replica root whose changelog you want to import.
6029
6030
6031
6033 usage: dsconf instance replication set [-h] --suffix SUFFIX
6034 [--repl-add-bind-dn
6035 REPL_ADD_BIND_DN]
6036 [--repl-del-bind-dn
6037 REPL_DEL_BIND_DN]
6038 [--repl-add-ref REPL_ADD_REF]
6039 [--repl-del-ref REPL_DEL_REF]
6040 [--repl-purge-delay
6041 REPL_PURGE_DELAY]
6042 [--repl-tombstone-purge-interval
6043 REPL_TOMBSTONE_PURGE_INTERVAL]
6044 [--repl-fast-tombstone-purging
6045 REPL_FAST_TOMBSTONE_PURGING]
6046 [--repl-bind-group
6047 REPL_BIND_GROUP]
6048 [--repl-bind-group-interval
6049 REPL_BIND_GROUP_INTERVAL]
6050 [--repl-protocol-timeout
6051 REPL_PROTOCOL_TIMEOUT]
6052 [--repl-backoff-max REPL_BACKOFF_MAX]
6054 [--repl-backoff-min REPL_BACKOFF_MIN]
6056 [--repl-release-timeout
6057 REPL_RELEASE_TIMEOUT]
6058
6059
6060
6061 --suffix SUFFIX
6062 The DN of the replication suffix
6063
6064
6065 --repl-add-bind-dn REPL_ADD_BIND_DN
6066 Add a bind (supplier) DN
6067
6068
6069 --repl-del-bind-dn REPL_DEL_BIND_DN
6070 Remove a bind (supplier) DN
6071
6072
6073 --repl-add-ref REPL_ADD_REF
6074 Add a replication referral (for consumers only)
6075
6076
6077 --repl-del-ref REPL_DEL_REF
6078 Remove a replication referral (for consumers only)
6079
6080
6081 --repl-purge-delay REPL_PURGE_DELAY
6082 The replication purge delay
6083
6084
6085 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
6086 The interval in seconds to check for tombstones that can be
6087 purged
6088
6089
6090 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6091 Set to "on" to improve tombstone purging performance
6092
6093
6094 --repl-bind-group REPL_BIND_GROUP
6095 A group entry DN containing members that are "bind/supplier" DNs
6096
6097
6098 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6099 An interval in seconds to check if the bind group has been
6100 updated
6101
6102
6103 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6104 A timeout in seconds on how long to wait before stopping
6105 replication when the server is under load
6106
6107
6108 --repl-backoff-max REPL_BACKOFF_MAX
6109 The maximum time in seconds a replication agreement should stay
6110 in a backoff state while waiting to acquire the consumer.
6111 Default is 300 seconds
6112
6113
6114 --repl-backoff-min REPL_BACKOFF_MIN
6115 The starting time in seconds a replication agreement should stay
6116 in a backoff state while waiting to acquire the consumer.
6117 Default is 3 seconds
6118
6119
6120 --repl-release-timeout REPL_RELEASE_TIMEOUT
6121 A timeout in seconds a replication supplier should send updates
6122 before it yields its replication session
6123
6124
6126 usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
6127 [-a [ALIASES ...]]
6128
6129
6130
6131 -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
6132 The connection values for monitoring other topologies that are
6133 not connected. The format: 'host:port:binddn:bindpwd'. You can use regex
6134 for host and port. You can set bindpwd to * and it will be
6135 requested at runtime, or you can include the path to the
6136 password file in square brackets - [~/pwd.txt]
6137
6138
6139 -a [ALIASES ...], --aliases [ALIASES ...]
6140 If a host:port is assigned an alias, then the alias instead of
6141 host:port will be displayed in the output. The format:
6142 alias=host:port
6143
6144
6145
6147 usage: dsconf instance repl-agmt [-h]
6148 {list,enable,disable,init,init-status,poke,status,delete,create,set,get}
6150 ...
6151
6152
6153 Sub-commands
6154 dsconf repl-agmt list
6155 List all the replication agreements
6156
6157 dsconf repl-agmt enable
6158 Enable replication agreement
6159
6160 dsconf repl-agmt disable
6161 Disable replication agreement
6162
6163 dsconf repl-agmt init
6164 Initialize replication agreement
6165
6166 dsconf repl-agmt init-status
6167 Check the agreement initialization status
6168
6169 dsconf repl-agmt poke
6170 Trigger replication to send updates now
6171
6172 dsconf repl-agmt status
6173 Get the current status of the replication agreement
6174
6175 dsconf repl-agmt delete
6176 Delete replication agreement
6177
6178 dsconf repl-agmt create
6179 Initialize replication agreement
6180
6181 dsconf repl-agmt set
6182 Set an attribute in the replication agreement
6183
6184 dsconf repl-agmt get
6185 Get replication configuration
6186
6188 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry
6189 ENTRY]
6190
6191
6192
6193 --suffix SUFFIX
6194 The DN of the suffix to look up replication agreements
6195
6196
6197 --entry ENTRY
6198 Return the entire entry for each agreement
6199
6200
6202 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6203
6204
6205 AGMT_NAME
6206 The name of the replication agreement
6207
6208
6209 --suffix SUFFIX
6210 The DN of the replication suffix
6211
6212
6214 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6215
6216
6217 AGMT_NAME
6218 The name of the replication agreement
6219
6220
6221 --suffix SUFFIX
6222 The DN of the replication suffix
6223
6224
6226 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6227
6228
6229 AGMT_NAME
6230 The name of the replication agreement
6231
6232
6233 --suffix SUFFIX
6234 The DN of the replication suffix
6235
6236
6238 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6239 AGMT_NAME
6240
6241
6242 AGMT_NAME
6243 The name of the replication agreement
6244
6245
6246 --suffix SUFFIX
6247 The DN of the replication suffix
6248
6249
6251 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6252
6253
6254 AGMT_NAME
6255 The name of the replication agreement
6256
6257
6258 --suffix SUFFIX
6259 The DN of the replication suffix
6260
6261
6263 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6264 [--bind-dn BIND_DN]
6265 [--bind-passwd BIND_PASSWD]
6266 AGMT_NAME
6267
6268
6269 AGMT_NAME
6270 The name of the replication agreement
6271
6272
6273 --suffix SUFFIX
6274 The DN of the replication suffix
6275
6276
6277 --bind-dn BIND_DN
6278 The DN to use to authenticate to the consumer
6279
6280
6281 --bind-passwd BIND_PASSWD
6282 The password for the bind DN
6283
6284
6286 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6287
6288
6289 AGMT_NAME
6290 The name of the replication agreement
6291
6292
6293 --suffix SUFFIX
6294 The DN of the replication suffix
6295
6296
6298 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host HOST
6300 --port PORT --conn-protocol CONN_PROTOCOL
6301 [--bind-dn BIND_DN]
6303 [--bind-passwd BIND_PASSWD]
6304 --bind-method BIND_METHOD
6305 [--frac-list FRAC_LIST]
6306 [--frac-list-total FRAC_LIST_TOTAL]
6308 [--strip-list STRIP_LIST]
6309 [--schedule SCHEDULE]
6310 [--conn-timeout CONN_TIMEOUT]
6311 [--protocol-timeout PROTOCOL_TIMEOUT]
6313 [--wait-async-results WAIT_ASYNC_RESULTS]
6315 [--busy-wait-time BUSY_WAIT_TIME]
6317 [--session-pause-time SESSION_PAUSE_TIME]
6319 [--flow-control-window FLOW_CONTROL_WINDOW]
6321 [--flow-control-pause FLOW_CONTROL_PAUSE]
6323 [--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
6325 [--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
6327 [--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
6329 [--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
6331 [--init]
6332 AGMT_NAME
6333
6334
6335 AGMT_NAME
6336 The name of the replication agreement
6337
6338
6339 --suffix SUFFIX
6340 The DN of the replication suffix
6341
6342
6343 --host HOST
6344 The hostname of the remote replica
6345
6346
6347 --port PORT
6348 The port number of the remote replica
6349
6350
6351 --conn-protocol CONN_PROTOCOL
6352 The replication connection protocol: LDAP, LDAPS, or StartTLS
6353
6354
6355 --bind-dn BIND_DN
6356 The Bind DN the agreement uses to authenticate to the replica
6357
6358
6359 --bind-passwd BIND_PASSWD
6360 The credentials for the Bind DN
6361
6362
6363 --bind-method BIND_METHOD
6364 The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or
6365 "SASL/GSSAPI"
6366
6367
6368 --frac-list FRAC_LIST
6369 List of attributes to NOT replicate to the consumer during
6370 incremental updates
6371
6372
6373 --frac-list-total FRAC_LIST_TOTAL
6374 List of attributes to NOT replicate during a total
6375 initialization
6376
6377
6378 --strip-list STRIP_LIST
6379 A list of attributes that are removed from updates only if the
6380 event would otherwise be empty. Typically this is set to
6381 "modifiersname" and "modifytimestamp"
6382
6383
6384 --schedule SCHEDULE
6385 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6386 0-6 (Sunday - Saturday).
6387
6388
6389 --conn-timeout CONN_TIMEOUT
6390 The timeout used for replication connections
6391
6392
6393 --protocol-timeout PROTOCOL_TIMEOUT
6394 A timeout in seconds on how long to wait before stopping
6395 replication when the server is under load
6396
6397
6398 --wait-async-results WAIT_ASYNC_RESULTS
6399 The amount of time in milliseconds the server waits if the
6400 consumer is not ready before resending data
6401
6402
6403 --busy-wait-time BUSY_WAIT_TIME
6404 The amount of time in seconds a supplier should wait after a
6405 consumer sends back a busy response before making another
6406 attempt to acquire access.
6407
6408
6409 --session-pause-time SESSION_PAUSE_TIME
6410 The amount of time in seconds a supplier should wait between
6411 update sessions.
6412
6413
6414 --flow-control-window FLOW_CONTROL_WINDOW
6415 Sets the maximum number of entries and updates sent by a
6416 supplier, which are not acknowledged by the consumer.
6417
6418
6419 --flow-control-pause FLOW_CONTROL_PAUSE
6420 The time in milliseconds to pause after reaching the number of
6421 entries and updates set in "--flow-control-window"
6422
6423
6424 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6425 An optional Bind DN the agreement can use to bootstrap
6426 initialization when bind groups are being used
6427
6428
6429 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6430 The bootstrap credentials for the Bind DN
6431
6432
6433 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6434 The replication bootstrap connection protocol: LDAP, LDAPS, or
6435 StartTLS
6436
6437
6438 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6439 The bind method: "SIMPLE", or "SSLCLIENTAUTH"
6440
6441
6442 --init Initialize the agreement after creating it.
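
The `repl-agmt create` options above decide whether the replication bind credentials and the replicated data are protected in transit. The following is an added example, not part of dsconf or the original page: it checks a `repl-agmt create` command line for a SIMPLE bind over plain LDAP, certificate authentication without TLS, passwords passed as arguments, and a malformed "--schedule". Host names and values in the two sample commands are constructed, and the 00-23/00-59 bounds on the schedule are an assumption.

```python
import argparse
import re
import shlex

# Accepted values, copied from the option descriptions on this page.
CONN_PROTOCOLS = {"LDAP", "LDAPS", "STARTTLS"}
BIND_METHODS = {"SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", "SASL/GSSAPI"}
BOOTSTRAP_BIND_METHODS = {"SIMPLE", "SSLCLIENTAUTH"}
VALUE_FLAGS = (
    "--suffix", "--host", "--port", "--conn-protocol", "--bind-dn",
    "--bind-passwd", "--bind-method", "--frac-list", "--frac-list-total",
    "--strip-list", "--schedule", "--conn-timeout", "--protocol-timeout",
    "--wait-async-results", "--busy-wait-time", "--session-pause-time",
    "--flow-control-window", "--flow-control-pause", "--bootstrap-bind-dn",
    "--bootstrap-bind-passwd", "--bootstrap-conn-protocol",
    "--bootstrap-bind-method",
)
# 'HHMM-HHMM DDDDDDD' with D = 0-6, as given on this page.
SCHEDULE_RE = re.compile(r"(\d\d)(\d\d)-(\d\d)(\d\d) ([0-6]{1,7})")


class _Parser(argparse.ArgumentParser):
    def error(self, message):  # raise instead of exiting the interpreter
        raise ValueError(message)


def parse_create(command):
    """Parse the options that follow 'repl-agmt create' in a command line."""
    tokens = shlex.split(command)
    if "repl-agmt" not in tokens:
        raise ValueError("not a repl-agmt command")
    start = tokens.index("repl-agmt")
    if tokens[start + 1:start + 2] != ["create"]:
        raise ValueError("only 'repl-agmt create' is handled")
    parser = _Parser(add_help=False, allow_abbrev=False)
    for flag in VALUE_FLAGS:
        parser.add_argument(flag)
    parser.add_argument("--init", action="store_true")
    parser.add_argument("agmt_name")
    return parser.parse_args(tokens[start + 2:])


def schedule_ok(value):
    """True if value matches 'HHMM-HHMM DDDDDDD' (assumed 00-23 / 00-59)."""
    m = SCHEDULE_RE.fullmatch(value)
    if not m:
        return False
    h1, m1, h2, m2 = (int(g) for g in m.groups()[:4])
    return h1 <= 23 and h2 <= 23 and m1 <= 59 and m2 <= 59


def lint_create(command):
    """Return a list of (code, detail) findings for the command line."""
    a = parse_create(command)
    findings = []
    channels = (
        ("agreement", a.conn_protocol, a.bind_method, a.bind_passwd,
         BIND_METHODS),
        ("bootstrap", a.bootstrap_conn_protocol, a.bootstrap_bind_method,
         a.bootstrap_bind_passwd, BOOTSTRAP_BIND_METHODS),
    )
    for name, proto, method, passwd, methods in channels:
        proto, method = (proto or "").upper(), (method or "").upper()
        if proto and proto not in CONN_PROTOCOLS:
            findings.append(("BAD_VALUE", f"{name}: protocol {proto}"))
        if method and method not in methods:
            findings.append(("BAD_VALUE", f"{name}: bind method {method}"))
        if proto == "LDAP" and method == "SIMPLE":
            findings.append(("CLEARTEXT_BIND",
                             f"{name}: bind password crosses the network unencrypted"))
        elif proto == "LDAP" and method == "SSLCLIENTAUTH":
            findings.append(("CERT_AUTH_WITHOUT_TLS",
                             f"{name}: certificate bind needs LDAPS or StartTLS"))
        elif proto == "LDAP":
            findings.append(("NO_TLS", f"{name}: connection is not TLS protected"))
        if passwd is not None:
            findings.append(("PASSWORD_ON_ARGV",
                             f"{name}: password visible in shell history and process list"))
    if a.schedule is not None and not schedule_ok(a.schedule):
        findings.append(("BAD_SCHEDULE", a.schedule))
    return findings


# Constructed sample command lines (weak setting beside the corrected one).
WEAK = (
    'dsconf -D "cn=Directory Manager" ldap://supplier1.example.com repl-agmt '
    'create --suffix "dc=example,dc=com" --host consumer1.example.com '
    '--port 389 --conn-protocol LDAP --bind-dn "cn=replication manager,cn=config" '
    '--bind-passwd "constructed-secret" --bind-method SIMPLE '
    '--schedule "2300-2500 0123456" agmt-to-consumer1'
)
HARDENED = (
    'dsconf ldaps://supplier1.example.com repl-agmt create '
    '--suffix "dc=example,dc=com" --host consumer1.example.com --port 636 '
    '--conn-protocol LDAPS --bind-method SSLCLIENTAUTH '
    '--schedule "0100-0500 0123456" agmt-to-consumer1'
)

if __name__ == "__main__":
    for code, detail in lint_create(WEAK):
        print(code, "-", detail)
```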
6443
6444
6446 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6447 [--port PORT]
6448 [--conn-protocol CONN_PROTOCOL]
6449 [--bind-dn BIND_DN]
6450 [--bind-passwd BIND_PASSWD]
6451 [--bind-method BIND_METHOD]
6452 [--frac-list FRAC_LIST]
6453 [--frac-list-total
6454 FRAC_LIST_TOTAL]
6455 [--strip-list STRIP_LIST]
6456 [--schedule SCHEDULE]
6457 [--conn-timeout CONN_TIMEOUT]
6458 [--protocol-timeout PROTOCOL_TIMEOUT]
6460 [--wait-async-results WAIT_ASYNC_RESULTS]
6462 [--busy-wait-time BUSY_WAIT_TIME]
6463 [--session-pause-time SESSION_PAUSE_TIME]
6465 [--flow-control-window FLOW_CONTROL_WINDOW]
6467 [--flow-control-pause FLOW_CONTROL_PAUSE]
6469 [--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
6471 [--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
6473 [--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
6475 [--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
6477 AGMT_NAME
6478
6479
6480 AGMT_NAME
6481 The name of the replication agreement
6482
6483
6484 --suffix SUFFIX
6485 The DN of the replication suffix
6486
6487
6488 --host HOST
6489 The hostname of the remote replica
6490
6491
6492 --port PORT
6493 The port number of the remote replica
6494
6495
6496 --conn-protocol CONN_PROTOCOL
6497 The replication connection protocol: LDAP, LDAPS, or StartTLS
6498
6499
6500 --bind-dn BIND_DN
6501 The Bind DN the agreement uses to authenticate to the replica
6502
6503
6504 --bind-passwd BIND_PASSWD
6505 The credentials for the Bind DN
6506
6507
6508 --bind-method BIND_METHOD
6509 The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or
6510 "SASL/GSSAPI"
6511
6512
6513 --frac-list FRAC_LIST
6514 List of attributes to NOT replicate to the consumer during
6515 incremental updates
6516
6517
6518 --frac-list-total FRAC_LIST_TOTAL
6519 List of attributes to NOT replicate during a total
6520 initialization
6521
6522
6523 --strip-list STRIP_LIST
6524 A list of attributes that are removed from updates only if the
6525 event would otherwise be empty. Typically this is set to
6526 "modifiersname" and "modifytimestamp"
6527
6528
6529 --schedule SCHEDULE
6530 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6531 0-6 (Sunday - Saturday).
6532
6533
6534 --conn-timeout CONN_TIMEOUT
6535 The timeout used for replication connections
6536
6537
6538 --protocol-timeout PROTOCOL_TIMEOUT
6539 A timeout in seconds on how long to wait before stopping
6540 replication when the server is under load
6541
6542
6543 --wait-async-results WAIT_ASYNC_RESULTS
6544 The amount of time in milliseconds the server waits if the
6545 consumer is not ready before resending data
6546
6547
6548 --busy-wait-time BUSY_WAIT_TIME
6549 The amount of time in seconds a supplier should wait after a
6550 consumer sends back a busy response before making another
6551 attempt to acquire access.
6552
6553
6554 --session-pause-time SESSION_PAUSE_TIME
6555 The amount of time in seconds a supplier should wait between
6556 update sessions.
6557
6558
6559 --flow-control-window FLOW_CONTROL_WINDOW
6560 Sets the maximum number of entries and updates sent by a
6561 supplier, which are not acknowledged by the consumer.
6562
6563
6564 --flow-control-pause FLOW_CONTROL_PAUSE
6565 The time in milliseconds to pause after reaching the number of
6566 entries and updates set in "--flow-control-window"
6567
6568
6569 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6570 An optional Bind DN the agreement can use to bootstrap
6571 initialization when bind groups are being used
6572
6573
6574 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6575 The bootstrap credentials for the Bind DN
6576
6577
6578 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6579 The replication bootstrap connection protocol: LDAP, LDAPS, or
6580 StartTLS
6581
6582
6583 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6584 The bind method: "SIMPLE", or "SSLCLIENTAUTH"
6585
6586
6588 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
6589
6590
6591 AGMT_NAME
6592 Get the replication configuration for this suffix DN
6593
6594
6595 --suffix SUFFIX
6596 The DN of the replication suffix
6597
6598
6599
6601 usage: dsconf instance repl-winsync-agmt [-h]
6602 {list,enable,disable,init,init-status,poke,status,delete,create,set,get}
6604 ...
6605
6606
6607 Sub-commands
6608 dsconf repl-winsync-agmt list
6609 List all the replication winsync agreements
6610
6611 dsconf repl-winsync-agmt enable
6612 Enable replication winsync agreement
6613
6614 dsconf repl-winsync-agmt disable
6615 Disable replication winsync agreement
6616
6617 dsconf repl-winsync-agmt init
6618 Initialize replication winsync agreement
6619
6620 dsconf repl-winsync-agmt init-status
6621 Check the agreement initialization status
6622
6623 dsconf repl-winsync-agmt poke
6624 Trigger replication to send updates now
6625
6626 dsconf repl-winsync-agmt status
6627 Get the current status of the replication agreement
6628
6629 dsconf repl-winsync-agmt delete
6630 Delete replication winsync agreement
6631
6632 dsconf repl-winsync-agmt create
6633 Initialize replication winsync agreement
6634
6635 dsconf repl-winsync-agmt set
6636 Set an attribute in the replication winsync agreement
6637
6638 dsconf repl-winsync-agmt get
6639 Get replication configuration
6640
6642 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
6643
6644
6645
6646 --suffix SUFFIX
6647 The DN of the suffix to look up replication winsync agreements
6648
6649
6651 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
6652 AGMT_NAME
6653
6654
6655 AGMT_NAME
6656 The name of the replication winsync agreement
6657
6658
6659 --suffix SUFFIX
6660 The DN of the replication winsync suffix
6661
6662
6664 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
6665 AGMT_NAME
6666
6667
6668 AGMT_NAME
6669 The name of the replication winsync agreement
6670
6671
6672 --suffix SUFFIX
6673 The DN of the replication winsync suffix
6674
6675
6677 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
6678 AGMT_NAME
6679
6680
6681 AGMT_NAME
6682 The name of the replication winsync agreement
6683
6684
6685 --suffix SUFFIX
6686 The DN of the replication winsync suffix
6687
6688
6690 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUFFIX
6692 AGMT_NAME
6693
6694
6695 AGMT_NAME
6696 The name of the replication agreement
6697
6698
6699 --suffix SUFFIX
6700 The DN of the replication suffix
6701
6702
6704 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
6705 AGMT_NAME
6706
6707
6708 AGMT_NAME
6709 The name of the replication winsync agreement
6710
6711
6712 --suffix SUFFIX
6713 The DN of the replication winsync suffix
6714
6715
6717 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
6718 AGMT_NAME
6719
6720
6721 AGMT_NAME
6722 The name of the replication agreement
6723
6724
6725 --suffix SUFFIX
6726 The DN of the replication suffix
6727
6728
6730 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
6731 AGMT_NAME
6732
6733
6734 AGMT_NAME
6735 The name of the replication winsync agreement
6736
6737
6738 --suffix SUFFIX
6739 The DN of the replication winsync suffix
6740
6741
6743 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
6744 --host
6745 HOST --port PORT
6746 --conn-protocol
6747 CONN_PROTOCOL
6748 --bind-dn BIND_DN
6749 --bind-passwd
6750 BIND_PASSWD
6751 [--frac-list FRAC_LIST]
6752 [--schedule SCHEDULE]
6753 --win-subtree WIN_SUBTREE
6755 --ds-subtree DS_SUBTREE
6756 --win-domain WIN_DOMAIN
6757 [--sync-users
6758 SYNC_USERS]
6759 [--sync-groups
6760 SYNC_GROUPS]
6761 [--sync-interval
6762 SYNC_INTERVAL]
6763 [--one-way-sync
6764 ONE_WAY_SYNC]
6765 [--move-action
6766 MOVE_ACTION]
6767 [--win-filter WIN_FILTER]
6769 [--ds-filter DS_FILTER]
6770 [--subtree-pair SUBTREE_PAIR]
6772 [--conn-timeout
6773 CONN_TIMEOUT]
6774 [--busy-wait-time
6775 BUSY_WAIT_TIME]
6776 [--session-pause-time
6777 SESSION_PAUSE_TIME]
6778 [--init]
6779 AGMT_NAME
6780
6781
6782 AGMT_NAME
6783 The name of the replication winsync agreement
6784
6785
6786 --suffix SUFFIX
6787 The DN of the replication winsync suffix
6788
6789
6790 --host HOST
6791 The hostname of the AD server
6792
6793
6794 --port PORT
6795 The port number of the AD server
6796
6797
6798 --conn-protocol CONN_PROTOCOL
6799 The replication winsync connection protocol: LDAP, LDAPS, or
6800 StartTLS
6801
6802
6803 --bind-dn BIND_DN
6804 The Bind DN the agreement uses to authenticate to the AD Server
6805
6806
6807 --bind-passwd BIND_PASSWD
6808 The credentials for the Bind DN
6809
6810
6811 --frac-list FRAC_LIST
6812 List of attributes to NOT replicate to the consumer during
6813 incremental updates
6814
6815
6816 --schedule SCHEDULE
6817 Sets the replication update schedule
6818
6819
6820 --win-subtree WIN_SUBTREE
6821 The suffix of the AD Server
6822
6823
6824 --ds-subtree DS_SUBTREE
6825 The Directory Server suffix
6826
6827
6828 --win-domain WIN_DOMAIN
6829 The AD Domain
6830
6831
6832 --sync-users SYNC_USERS
6833 Synchronize Users between AD and DS
6834
6835
6836 --sync-groups SYNC_GROUPS
6837 Synchronize Groups between AD and DS
6838
6839
6840 --sync-interval SYNC_INTERVAL
6841 The interval that DS checks AD for changes in entries
6842
6843
6844 --one-way-sync ONE_WAY_SYNC
6845 Sets which direction to perform synchronization: "toWindows",
6846 "fromWindows", "both"
6847
6848
6849 --move-action MOVE_ACTION
6850 Sets instructions on how to handle moved or deleted entries:
6851 "none", "unsync", or "delete"
6852
6853
6854 --win-filter WIN_FILTER
6855 Custom filter for finding users in AD Server
6856
6857
6858 --ds-filter DS_FILTER
6859 Custom filter for finding AD users in DS Server
6860
6861
6862 --subtree-pair SUBTREE_PAIR
6863 Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
6864
6865
6866 --conn-timeout CONN_TIMEOUT
6867 The timeout used for replication connections
6868
6869
6870 --busy-wait-time BUSY_WAIT_TIME
6871 The amount of time in seconds a supplier should wait after a
6872 consumer sends back a busy response before making another
6873 attempt to acquire access.
6874
6875
6876 --session-pause-time SESSION_PAUSE_TIME
6877 The amount of time in seconds a supplier should wait between
6878 update sessions.
6879
6880
6881 --init Initialize the agreement after creating it.
6882
6883
6885 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
6886 [--host HOST] [--port
6887 PORT]
6888 [--conn-protocol CONN_PROTOCOL]
6890 [--bind-dn BIND_DN]
6891 [--bind-passwd
6892 BIND_PASSWD]
6893 [--frac-list FRAC_LIST]
6894 [--schedule SCHEDULE]
6895 [--win-subtree WIN_SUBTREE]
6897 [--ds-subtree DS_SUBTREE]
6898 [--win-domain WIN_DOMAIN]
6899 [--sync-users SYNC_USERS]
6900 [--sync-groups
6901 SYNC_GROUPS]
6902 [--sync-interval
6903 SYNC_INTERVAL]
6904 [--one-way-sync
6905 ONE_WAY_SYNC]
6906 [--move-action
6907 MOVE_ACTION]
6908 [--win-filter WIN_FILTER]
6909 [--ds-filter DS_FILTER]
6910 [--subtree-pair SUBTREE_PAIR]
6912 [--conn-timeout CONN_TIMEOUT]
6914 [--busy-wait-time
6915 BUSY_WAIT_TIME]
6916 [--session-pause-time SESSION_PAUSE_TIME]
6918 AGMT_NAME
6919
6920
6921 AGMT_NAME
6922 The name of the replication winsync agreement
6923
6924
6925 --suffix SUFFIX
6926 The DN of the replication winsync suffix
6927
6928
6929 --host HOST
6930 The hostname of the AD server
6931
6932
6933 --port PORT
6934 The port number of the AD server
6935
6936
6937 --conn-protocol CONN_PROTOCOL
6938 The replication winsync connection protocol: LDAP, LDAPS, or
6939 StartTLS
6940
6941
6942 --bind-dn BIND_DN
6943 The Bind DN the agreement uses to authenticate to the AD Server
6944
6945
6946 --bind-passwd BIND_PASSWD
6947 The credentials for the Bind DN
6948
6949
6950 --frac-list FRAC_LIST
6951 List of attributes to NOT replicate to the consumer during
6952 incremental updates
6953
6954
6955 --schedule SCHEDULE
6956 Sets the replication update schedule
6957
6958
6959 --win-subtree WIN_SUBTREE
6960 The suffix of the AD Server
6961
6962
6963 --ds-subtree DS_SUBTREE
6964 The Directory Server suffix
6965
6966
6967 --win-domain WIN_DOMAIN
6968 The AD Domain
6969
6970
6971 --sync-users SYNC_USERS
6972 Synchronize Users between AD and DS
6973
6974
6975 --sync-groups SYNC_GROUPS
6976 Synchronize Groups between AD and DS
6977
6978
6979 --sync-interval SYNC_INTERVAL
6980 The interval that DS checks AD for changes in entries
6981
6982
6983 --one-way-sync ONE_WAY_SYNC
6984 Sets which direction to perform synchronization: "toWindows",
6985 "fromWindows", "both"
6986
6987
6988 --move-action MOVE_ACTION
6989 Sets instructions on how to handle moved or deleted entries:
6990 "none", "unsync", or "delete"
6991
6992
6993 --win-filter WIN_FILTER
6994 Custom filter for finding users in AD Server
6995
6996
6997 --ds-filter DS_FILTER
6998 Custom filter for finding AD users in DS Server
6999
7000
7001 --subtree-pair SUBTREE_PAIR
7002 Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7003
7004
7005 --conn-timeout CONN_TIMEOUT
7006 The timeout used for replication connections
7007
7008
7009 --busy-wait-time BUSY_WAIT_TIME
7010 The amount of time in seconds a supplier should wait after a
7011 consumer sends back a busy response before making another
7012 attempt to acquire access.
7013
7014
7015 --session-pause-time SESSION_PAUSE_TIME
7016 The amount of time in seconds a supplier should wait between
7017 update sessions.
7018
7019
7021 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
7022 AGMT_NAME
7023
7024
7025 AGMT_NAME
7026 Get the replication configuration for this suffix DN
7027
7028
7029 --suffix SUFFIX
7030 The DN of the replication suffix
7031
7032
7033
7035 usage: dsconf instance repl-tasks [-h]
7036 {cleanallruv,list-cleanruv-
7037 tasks,abort-cleanallruv,list-abortruv-tasks}
7038 ...
7039
7040
7041 Sub-commands
7042 dsconf repl-tasks cleanallruv
7043 Cleanup old/removed replica IDs
7044
7045 dsconf repl-tasks list-cleanruv-tasks
7046 List all the running CleanAllRUV tasks
7047
7048 dsconf repl-tasks abort-cleanallruv
7049 Abort cleanallruv tasks
7050
7051 dsconf repl-tasks list-abortruv-tasks
7052 List all the running CleanAllRUV abort Tasks
7053
7055 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
7056 --replica-id REPLICA_ID
7057 [--force-cleaning]
7058
7059
7060
7061 --suffix SUFFIX
7062 The Directory Server suffix
7063
7064
7065 --replica-id REPLICA_ID
7066 The replica ID to remove/clean
7067
7068
7069 --force-cleaning
7070 Ignore errors and do a best attempt to clean all the replicas
7071
7072
7074 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
7075 SUFFIX]
7076
7077
7078
7079 --suffix SUFFIX
7080 List only tasks for this suffix
7081
7082
7084 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUFFIX
7086 --replica-id
7087 REPLICA_ID
7088 [--certify]
7089
7090
7091
7092 --suffix SUFFIX
7093 The Directory Server suffix
7094
7095
7096 --replica-id REPLICA_ID
7097 The replica ID of the cleaning task to abort
7098
7099
7100 --certify
7101 Enforce that the abort task completed on all replicas
7102
7103
7105 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
7106 SUFFIX]
7107
7108
7109
7110 --suffix SUFFIX
7111 List only tasks for this suffix
7112
7113
7114
7116 usage: dsconf instance sasl [-h] {list,get-mechs,get,create,delete} ...
7117
7118
7119 Sub-commands
7120 dsconf sasl list
7121 List available SASL mappings
7122
7123 dsconf sasl get-mechs
7124 List available SASL mechanisms
7125
7126 dsconf sasl get
7127 get
7128
7129 dsconf sasl create
7130 create
7131
7132 dsconf sasl delete
7133 deletes the object
7134
7136 usage: dsconf instance sasl list [-h] [--details]
7137
7138
7139
7140 --details
7141 Get each SASL Mapping in detail.
7142
7143
7145 usage: dsconf instance sasl get-mechs [-h]
7146
7147
7148
7149
7151 usage: dsconf instance sasl get [-h] [selector]
7152
7153
7154 selector
7155 SASL mapping name to get
7156
7157
7158
7160 usage: dsconf instance sasl create [-h] [--cn [CN]]
7161 [--nsSaslMapRegexString
7162 [NSSASLMAPREGEXSTRING]]
7163 [--nsSaslMapBaseDNTemplate
7164 [NSSASLMAPBASEDNTEMPLATE]]
7165 [--nsSaslMapFilterTemplate
7166 [NSSASLMAPFILTERTEMPLATE]]
7167 [--nsSaslMapPriority [NSSASLMAPPRIORITY]]
7169
7170
7171
7172 --cn [CN]
7173 Value of cn
7174
7175
7176 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7177 Value of nsSaslMapRegexString
7178
7179
7180 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7181 Value of nsSaslMapBaseDNTemplate
7182
7183
7184 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7185 Value of nsSaslMapFilterTemplate
7186
7187
7188 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7189 Value of nsSaslMapPriority
7190
7191
7193 usage: dsconf instance sasl delete [-h] map_name
7194
7195
7196 map_name
7197 The SASL Mapping name ("cn" value)
7198
7199
7200
7201
7203 usage: dsconf instance security [-h]
7204 {set,get,enable,disable,disable_plain_port,certificate,ca-certificate,rsa,ciphers}
7206 ...
7207
7208
7209 Sub-commands
7210 dsconf security set
7211 Set general security options
7212
7213 dsconf security get
7214 Get general security options
7215
7216 dsconf security enable
7217 Enable security
7218
7219 dsconf security disable
7220 Disable security
7221
7222 dsconf security disable_plain_port
7223 Disables the plain text LDAP port, allowing only LDAPS to
7224 function
7225
7226 dsconf security certificate
7227 Manage TLS certificates
7228
7229 dsconf security ca-certificate
7230 Manage TLS Certificate Authorities
7231
7232 dsconf security rsa
7233 Query and manipulate RSA security options
7234
7235 dsconf security ciphers
7236 Manage secure ciphers
7237
7239 usage: dsconf instance security set [-h] [--security SECURITY]
7240 [--listen-host LISTEN_HOST]
7241 [--secure-port SECURE_PORT]
7242 [--tls-client-auth TLS_CLIENT_AUTH]
7243 [--tls-client-renegotiation
7244 TLS_CLIENT_RENEGOTIATION]
7245 [--require-secure-authentication
7246 REQUIRE_SECURE_AUTHENTICATION]
7247 [--check-hostname CHECK_HOSTNAME]
7248 [--verify-cert-chain-on-startup
7249 VERIFY_CERT_CHAIN_ON_STARTUP]
7250 [--session-timeout SESSION_TIMEOUT]
7251 [--tls-protocol-min TLS_PROTOCOL_MIN]
7253 [--tls-protocol-max TLS_PROTOCOL_MAX]
7255 [--allow-insecure-ciphers
7256 ALLOW_INSECURE_CIPHERS]
7257 [--allow-weak-dh-param
7258 ALLOW_WEAK_DH_PARAM]
7259 [--cipher-pref CIPHER_PREF]
7260
7261 Use this command for setting security related options located in
7262 cn=config and cn=encryption,cn=config.
7263
7264 To enable/disable security you can use enable and disable commands
7265 instead.
7266
7267
7268
7269 --security SECURITY
7270 Enable or disable security (nsslapd-security)
7271
7272
7273 --listen-host LISTEN_HOST
7274 Host/address to listen on for LDAPS (nsslapd-securelistenhost)
7275
7276
7277 --secure-port SECURE_PORT
7278 Port for LDAPS to listen on (nsslapd-securePort)
7279
7280
7281 --tls-client-auth TLS_CLIENT_AUTH
7282 Client authentication requirement (nsSSLClientAuth)
7283
7284
7285 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7286 Allow client TLS renegotiation (nsTLSAllowClientRenegotiation)
7287
7288
7289 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7290 Require binds over LDAPS, StartTLS, or SASL
7291 (nsslapd-require-secure-binds)
7292
7293
7294 --check-hostname CHECK_HOSTNAME
7295 Check Subject of remote certificate against the hostname
7296 (nsslapd-ssl-check-hostname)
7297
7298
7299 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7300 Validate server certificate during startup
7301 (nsslapd-validate-cert)
7302
7303
7304 --session-timeout SESSION_TIMEOUT
7305 Secure session timeout (nsSSLSessionTimeout)
7306
7307
7308 --tls-protocol-min TLS_PROTOCOL_MIN
7309 Secure protocol minimal allowed version (sslVersionMin)
7310
7311
7312 --tls-protocol-max TLS_PROTOCOL_MAX
7313 Secure protocol maximal allowed version (sslVersionMax)
7314
7315
7316 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7317 Allow weak ciphers for legacy use (allowWeakCipher)
7318
7319
7320 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7321 Allow short DH params for legacy use (allowWeakDHParam)
7322
7323
7324 --cipher-pref CIPHER_PREF
7325 Directly sets the nsSSL3Ciphers attribute. It is a comma-separated
7326 list of cipher names (prefixed with + or -), optionally including
7327 +all or -all. The attribute may optionally be prefixed by the
7328 keyword default. Please refer to the documentation of the attribute
7329 for a more detailed description.
7330 (nsSSL3Ciphers)
7331
7332
7334 usage: dsconf instance security get [-h]
7335
7336
7337
7338
7340 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7341
7342 If missing, create security database, then turn on security
7343 functionality. Please note this is usually not enough for TLS connections
7344 to work - proper setup of CA and server certificate is necessary.
7345
7346
7347
7348 --cert-name CERT_NAME
7349 The name of the certificate the server should use
7350
7351
7353 usage: dsconf instance security disable [-h]
7354
7355 Turn off security functionality. The rest of the configuration will be
7356 left untouched.
7357
7358
7359
7360
7362 usage: dsconf instance security disable_plain_port [-h]
7363
7364
7365
7366
7368 usage: dsconf instance security certificate [-h]
7369 {add,set-trust-flags,del,get,list}
7371 ...
7372
7373
7374 Sub-commands
7375 dsconf security certificate add
7376 Add a server certificate
7377
7378 dsconf security certificate set-trust-flags
7379 Set the Trust flags
7380
7381 dsconf security certificate del
7382 Delete a certificate
7383
7384 dsconf security certificate get
7385 Get a server certificate's information
7386
7387 dsconf security certificate list
7388 List the server certificates
7389
7391 usage: dsconf instance security certificate add [-h] --file FILE --name
7392 NAME
7393 [--primary-cert]
7394
7395 Add a server certificate to the NSS database
7396
7397
7398
7399 --file FILE
7400 The file name of the certificate
7401
7402
7403 --name NAME
7404 The name/nickname of the certificate
7405
7406
7407 --primary-cert
7408 Set this certificate as the server's certificate
7409
7410
7412 usage: dsconf instance security certificate set-trust-flags
7413 [-h] --flags FLAGS name
7414
7415 Change the trust flags of a server certificate
7416
7417
7418 name The name/nickname of the certificate
7419
7420
7421 --flags FLAGS
7422 The trust flags for the server certificate
7423
7424
7426 usage: dsconf instance security certificate del [-h] name
7427
7428 Delete a certificate from the NSS database
7429
7430
7431 name The name/nickname of the certificate
7432
7433
7434
7436 usage: dsconf instance security certificate get [-h] name
7437
7438 Get detailed information about a certificate, like trust attributes,
7439 expiration dates, Subject and Issuer DNs
7440
7441
7442 name The name/nickname of the certificate
7443
7444
7445
7447 usage: dsconf instance security certificate list [-h]
7448
7449 List the server certificates in the NSS database
7450
7451
7452
7453
7454
7456 usage: dsconf instance security ca-certificate [-h]
7457 {add,set-trust-flags,del,get,list}
7459 ...
7460
7461
7462 Sub-commands
7463 dsconf security ca-certificate add
7464 Add a Certificate Authority
7465
7466 dsconf security ca-certificate set-trust-flags
7467 Set the Trust flags
7468
7469 dsconf security ca-certificate del
7470 Delete a certificate
7471
7472 dsconf security ca-certificate get
7473 Get a Certificate Authority's information
7474
7475 dsconf security ca-certificate list
7476 List the Certificate Authorities
7477
7479 usage: dsconf instance security ca-certificate add [-h] --file FILE
7480 --name
7481 NAME
7482
7483 Add a Certificate Authority to the NSS database
7484
7485
7486
7487 --file FILE
7488 The file name of the CA certificate
7489
7490
7491 --name NAME
7492 The name/nickname of the CA certificate
7493
7494
7496 usage: dsconf instance security ca-certificate set-trust-flags
7497 [-h] --flags FLAGS name
7498
7499 Change the trust attributes of a CA certificate. Certificate
7500 Authorities typically use "CT,,"
7501
7502
7503 name The name/nickname of the CA certificate
7504
7505
7506 --flags FLAGS
7507 The trust flags for the CA certificate
7508
7509
7511 usage: dsconf instance security ca-certificate del [-h] name
7512
7513 Delete a CA certificate from the NSS database
7514
7515
7516 name The name/nickname of the CA certificate
7517
7518
7519
7521 usage: dsconf instance security ca-certificate get [-h] name
7522
7523 Get detailed information about a CA certificate, like trust attributes,
7524 expiration dates, Subject and Issuer DN
7525
7526
7527 name The name/nickname of the CA certificate
7528
7529
7530
7532 usage: dsconf instance security ca-certificate list [-h]
7533
7534 List the CA certificates in the NSS database
7535
7536
7537
7538
7539
7541 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
7542
7543
7544 Sub-commands
7545 dsconf security rsa set
7546 Set RSA security options
7547
7548 dsconf security rsa get
7549 Get RSA security options
7550
7551 dsconf security rsa enable
7552 Enable RSA
7553
7554 dsconf security rsa disable
7555 Disable RSA
7556
7558 usage: dsconf instance security rsa set [-h]
7559 [--tls-allow-rsa-certificates
7560 TLS_ALLOW_RSA_CERTIFICATES]
7561 [--nss-cert-name NSS_CERT_NAME]
7562 [--nss-token NSS_TOKEN]
7563
7564 Use this command for setting RSA (private key) related options located
7565 in cn=RSA,cn=encryption,cn=config.
7566
7567 To enable/disable RSA you can use enable and disable commands instead.
7568
7569
7570
7571 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
7572 Activate use of RSA certificates (nsSSLActivation)
7573
7574
7575 --nss-cert-name NSS_CERT_NAME
7576 Server certificate name in NSS DB (nsSSLPersonalitySSL)
7577
7578
7579 --nss-token NSS_TOKEN
7580 Security token name (module of NSS DB) (nsSSLToken)
7581
7582
7584 usage: dsconf instance security rsa get [-h]
7585
7586
7587
7588
7590 usage: dsconf instance security rsa enable [-h]
7591
7592
7593
7594
7596 usage: dsconf instance security rsa disable [-h]
7597
7598
7599
7600
7601
7603 usage: dsconf instance security ciphers [-h] {enable,disable,get,set,list} ...
7605
7606
7607 Sub-commands
7608 dsconf security ciphers enable
7609 Enable ciphers
7610
7611 dsconf security ciphers disable
7612 Disable ciphers
7613
7614 dsconf security ciphers get
7615 Get ciphers attribute
7616
7617 dsconf security ciphers set
7618 Set ciphers attribute
7619
7620 dsconf security ciphers list
7621 List ciphers
7622
7624 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
7625
7626 Use this command to enable specific ciphers.
7627
7628
7629 cipher
7630
7631
7633 usage: dsconf instance security ciphers disable [-h] cipher [cipher
7634 ...]
7635
7636 Use this command to disable specific ciphers.
7637
7638
7639 cipher
7640
7641
7643 usage: dsconf instance security ciphers get [-h]
7644
7645 Use this command to get contents of nsSSL3Ciphers attribute.
7646
7647
7648
7649
7651 usage: dsconf instance security ciphers set [-h] cipher-string
7652
7653 Use this command to directly set the nsSSL3Ciphers attribute. It is a
7654 comma-separated list of cipher names (prefixed with + or -), optionally
7655 including +all or -all. The attribute may optionally be prefixed by the
7656 keyword default. Please refer to the documentation of the attribute for a
7657 more detailed description.
7658
7659
7660 cipher-string
7661
7662
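An added example (not part of the dsconf manual or the 389-ds code base): a Python parser for the nsSSL3Ciphers value format described under --cipher-pref and "security ciphers set", reporting malformed elements and explicitly enabled suites whose names carry a weak-algorithm marker. The marker list, the function names and the sample strings in the comments are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Name fragments that mark a suite as weak by general cryptographic consensus.
# This list is an assumption of the example; it is not taken from 389-ds.
WEAK_MARKERS = ("NULL", "EXPORT", "ANON", "RC4", "RC2", "_DES_", "3DES", "MD5")
NAME_RE = re.compile(r"^[A-Za-z0-9_]+$")


@dataclass
class CipherPref:
    uses_default: bool = False
    all_directive: Optional[str] = None          # "+all", "-all" or None
    enabled: List[str] = field(default_factory=list)
    disabled: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def weak_marker(name: str) -> Optional[str]:
    """Return the first weak-algorithm fragment found in a cipher name."""
    upper = name.upper()
    for marker in WEAK_MARKERS:
        if marker in upper:
            return marker
    return None


def parse_cipher_pref(value: str) -> CipherPref:
    """Parse 'default,+all,-NAME,+NAME' style strings and collect findings."""
    pref = CipherPref()
    for pos, raw in enumerate(value.split(",")):
        tok = raw.strip()
        if not tok:
            pref.findings.append(f"element {pos}: empty")
            continue
        if tok.lower() == "default":
            pref.uses_default = True
            if pos != 0:
                pref.findings.append(f"element {pos}: 'default' must come first")
            continue
        sign, name = tok[0], tok[1:]
        if sign not in "+-":
            pref.findings.append(f"element {pos}: '{tok}' lacks a + or - prefix")
            continue
        if not NAME_RE.match(name):
            pref.findings.append(f"element {pos}: '{name}' is not a cipher name")
            continue
        if name.lower() == "all":
            pref.all_directive = sign + "all"
            if sign == "+":
                pref.findings.append(
                    f"element {pos}: '+all' enables ciphers in bulk; review "
                    "with 'dsconf instance security ciphers list --enabled'")
            continue
        target, other = ((pref.enabled, pref.disabled) if sign == "+"
                         else (pref.disabled, pref.enabled))
        if name in other:
            pref.findings.append(f"element {pos}: '{name}' both enabled and disabled")
        if name not in target:
            target.append(name)
        marker = weak_marker(name) if sign == "+" else None
        if marker:
            pref.findings.append(f"element {pos}: '{name}' enabled but contains {marker}")
    return pref


def hardened_value(pref: CipherPref) -> str:
    """Re-serialise the preference with weak enabled suites moved to '-'."""
    weak = [n for n in pref.enabled if weak_marker(n)]
    parts = ["default"] if pref.uses_default else []
    if pref.all_directive:
        parts.append(pref.all_directive)
    parts += ["+" + n for n in pref.enabled if n not in weak]
    parts += ["-" + n for n in dict.fromkeys(pref.disabled + weak)]
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed sample value, not taken from a real server.
    sample = ("default,+TLS_RSA_WITH_RC4_128_MD5,-TLS_RSA_WITH_AES_128_CBC_SHA,"
              " TLS_AES_256_GCM_SHA384,+all")
    result = parse_cipher_pref(sample)
    for finding in result.findings:
        print("FINDING:", finding)
    print("candidate:", hardened_value(result))
```

The string returned by hardened_value() is a candidate to review before passing it to "dsconf instance security ciphers set"; it does not remove a '+all' directive.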
7664 usage: dsconf instance security ciphers list [-h]
7665 [--enabled | --supported |
7666 --disabled]
7667
7668 List secure ciphers. Without arguments, list ciphers as configured in
7669 nsSSL3Ciphers attribute.
7670
7671
7672
7673 --enabled
7674 Only enabled ciphers
7675
7676
7677 --supported
7678 Only supported ciphers
7679
7680
7681 --disabled
7682 Only supported ciphers without enabled ciphers
7683
7684
7685
7686
7688 usage: dsconf instance schema [-h]
7689 {list,attributetypes,objectclasses,matchingrules,reload,validate-syntax,import-openldap-file}
7691 ...
7692
7693
7694 Sub-commands
7695 dsconf schema list
7696 List all schema objects on this system
7697
7698 dsconf schema attributetypes
7699 Work with attribute types on this system
7700
7701 dsconf schema objectclasses
7702 Work with objectClasses on this system
7703
7704 dsconf schema matchingrules
7705 Work with matching rules on this system
7706
7707 dsconf schema reload
7708 Dynamically reload schema while server is running
7709
7710 dsconf schema validate-syntax
7711 Run a task to check every modification to attributes to make
7712 sure that the new value has the required syntax for that
7713 attribute type
7714
7715 dsconf schema import-openldap-file
7716 Import OpenLDAP-formatted dynamic schema LDIFs. These will
7717 contain values like olcAttributeTypes and olcObjectClasses.
7718
7720 usage: dsconf instance schema list [-h]
7721
7722
7723
7724
7726 usage: dsconf instance schema attributetypes [-h]
7727 {get_syntaxes,list,query,add,replace,remove}
7729 ...
7730
7731
7732 Sub-commands
7733 dsconf schema attributetypes get_syntaxes
7734 List all available attribute type syntaxes
7735
7736 dsconf schema attributetypes list
7737 List available attribute types on this system
7738
7739 dsconf schema attributetypes query
7740 Query an attribute to determine object classes that may or must
7741 take it
7742
7743 dsconf schema attributetypes add
7744 Add an attribute type to this system
7745
7746 dsconf schema attributetypes replace
7747 Replace an attribute type on this system
7748
7749 dsconf schema attributetypes remove
7750 Remove an attribute type on this system
7751
7753 usage: dsconf instance schema attributetypes get_syntaxes [-h]
7754
7755
7756
7757
7759 usage: dsconf instance schema attributetypes list [-h]
7760
7761
7762
7763
7765 usage: dsconf instance schema attributetypes query [-h] [name]
7766
7767
7768 name Attribute type to query
7769
7770
7771
7773 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
7774 [--desc DESC]
7775 [--x-origin X_ORIGIN]
7776 [--aliases ALIASES
7777 [ALIASES ...]]
7778 [--single-value]
7779 [--multi-value]
7780 [--no-user-mod]
7781 [--user-mod]
7782 [--equality EQUALITY]
7783 [--substr SUBSTR]
7784 [--ordering ORDERING]
7785 [--usage USAGE]
7786 [--sup SUP [SUP ...]]
7787 --syntax SYNTAX
7788 name
7789
7790
7791 name NAME of the object
7792
7793
7794 --oid OID
7795 OID assigned to the object
7796
7797
7798 --desc DESC
7799 Description text (DESC) of the object
7800
7801
7802 --x-origin X_ORIGIN
7803 Provides information about where the attribute type is defined
7804
7805
7806 --aliases ALIASES [ALIASES ...]
7807 Additional NAMEs of the object.
7808
7809
7810 --single-value
7811 True if the matching rule must have only one value. Only one of
7812 this flag or --multi-value should be specified
7813
7814
7815 --multi-value
7816 True if the matching rule may have multiple values (default). Only
7817 one of this flag or --single-value should be specified
7818
7819
7820 --no-user-mod
7821 True if the attribute is not modifiable by a client application.
7822 Only one of this flag or --user-mod should be specified
7823
7824
7825 --user-mod
7826 True if the attribute is modifiable by a client application
7827 (default). Only one of this flag or --no-user-mod should be
7828 specified
7829
7830
7831 --equality EQUALITY
7832 NAME or OID of the matching rule used for checking whether
7833 attribute values are equal
7834
7835
7836 --substr SUBSTR
7837 NAME or OID of the matching rule used for checking whether an
7838 attribute value contains another value
7839
7840
7841 --ordering ORDERING
7842 NAME or OID of the matching rule used for checking whether
7843 attribute values are less than or equal to another value
7844
7845
7846 --usage USAGE
7847 The flag indicates how the attribute type is to be used. Choose
7848 from the list: userApplications (default), directoryOperation,
7849 distributedOperation, dSAOperation
7850
7851
7852 --sup SUP [SUP ...]
7853 The list of NAMEs or OIDs of attribute types this attribute type
7854 is derived from
7855
7856
7857 --syntax SYNTAX
7858 OID of the LDAP syntax assigned to the attribute
7859
7860
7862 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
7863 [--desc DESC]
7864 [--x-origin X_ORIGIN]
7866 [--aliases ALIASES
7867 [ALIASES ...]]
7868 [--single-value]
7869 [--multi-value]
7870 [--no-user-mod]
7871 [--user-mod]
7872 [--equality EQUALITY]
7874 [--substr SUBSTR]
7875 [--ordering ORDERING]
7877 [--usage USAGE]
7878 [--sup SUP [SUP
7879 ...]]
7880 [--syntax SYNTAX]
7881 name
7882
7883
7884 name NAME of the object
7885
7886
7887 --oid OID
7888 OID assigned to the object
7889
7890
7891 --desc DESC
7892 Description text (DESC) of the object
7893
7894
7895 --x-origin X_ORIGIN
7896 Provides information about where the attribute type is defined
7897
7898
7899 --aliases ALIASES [ALIASES ...]
7900 Additional NAMEs of the object.
7901
7902
7903 --single-value
7904 True if the matching rule must have only one value. Only one of
7905 this flag or --multi-value should be specified
7906
7907
7908 --multi-value
7909 True if the matching rule may have multiple values (default). Only
7910 one of this flag or --single-value should be specified
7911
7912
7913 --no-user-mod
7914 True if the attribute is not modifiable by a client application.
7915 Only one of this flag or --user-mod should be specified
7916
7917
7918 --user-mod
7919 True if the attribute is modifiable by a client application
7920 (default). Only one of this flag or --no-user-mod should be
7921 specified
7922
7923
7924 --equality EQUALITY
7925 NAME or OID of the matching rule used for checking whether
7926 attribute values are equal
7927
7928
7929 --substr SUBSTR
7930 NAME or OID of the matching rule used for checking whether an
7931 attribute value contains another value
7932
7933
7934 --ordering ORDERING
7935 NAME or OID of the matching rule used for checking whether
7936 attribute values are less than or equal to another value
7937
7938
7939 --usage USAGE
7940 The flag indicates how the attribute type is to be used. Choose
7941 from the list: userApplications (default), directoryOperation,
7942 distributedOperation, dSAOperation
7943
7944
7945 --sup SUP [SUP ...]
7946 The list of NAMEs or OIDs of attribute types this attribute type
7947 is derived from
7948
7949
7950 --syntax SYNTAX
7951 OID of the LDAP syntax assigned to the attribute
7952
7953
7955 usage: dsconf instance schema attributetypes remove [-h] name
7956
7957
7958 name NAME of the object
7959
7960
7961
7962
7964 usage: dsconf instance schema objectclasses [-h]
7965 {list,query,add,replace,remove}
7966 ...
7967
7968
7969 Sub-commands
7970 dsconf schema objectclasses list
7971 List available objectClasses on this system
7972
7973 dsconf schema objectclasses query
7974 Query an objectClass
7975
7976 dsconf schema objectclasses add
7977 Add an objectClass to this system
7978
7979 dsconf schema objectclasses replace
7980 Replace an objectClass on this system
7981
7982 dsconf schema objectclasses remove
7983 Remove an objectClass on this system
7984
7986 usage: dsconf instance schema objectclasses list [-h]
7987
7988
7989
7990
7992 usage: dsconf instance schema objectclasses query [-h] [name]
7993
7994
7995 name ObjectClass to query
7996
7997
7998
8000 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
8001 [--desc DESC]
8002 [--x-origin X_ORIGIN]
8003 [--must MUST [MUST
8004 ...]]
8005 [--may MAY [MAY ...]]
8006 [--kind KIND]
8007 [--sup SUP [SUP ...]]
8008 name
8009
8010
8011 name NAME of the object
8012
8013
8014 --oid OID
8015 OID assigned to the object
8016
8017
8018 --desc DESC
8019 Description text (DESC) of the object
8020
8021
8022 --x-origin X_ORIGIN
8023 Provides information about where the attribute type is defined
8024
8025
8026 --must MUST [MUST ...]
8027 NAMEs or OIDs of all attributes an entry of the object must have
8028
8029
8030 --may MAY [MAY ...]
8031 NAMEs or OIDs of additional attributes an entry of the object
8032 may have
8033
8034
8035 --kind KIND
8036 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8037
8038
8039 --sup SUP [SUP ...]
8040 NAMEs or OIDs of object classes this object is derived from
8041
8042
8044 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
8045 [--desc DESC]
8046 [--x-origin X_ORIGIN]
8048 [--must MUST [MUST
8049 ...]]
8050 [--may MAY [MAY
8051 ...]]
8052 [--kind KIND]
8053 [--sup SUP [SUP
8054 ...]]
8055 name
8056
8057
8058 name NAME of the object
8059
8060
8061 --oid OID
8062 OID assigned to the object
8063
8064
8065 --desc DESC
8066 Description text (DESC) of the object
8067
8068
8069 --x-origin X_ORIGIN
8070 Provides information about where the attribute type is defined
8071
8072
8073 --must MUST [MUST ...]
8074 NAMEs or OIDs of all attributes an entry of the object must have
8075
8076
8077 --may MAY [MAY ...]
8078 NAMEs or OIDs of additional attributes an entry of the object
8079 may have
8080
8081
8082 --kind KIND
8083 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8084
8085
8086 --sup SUP [SUP ...]
8087 NAMEs or OIDs of object classes this object is derived from
8088
8089
usage: dsconf instance schema objectclasses remove [-h] name

name NAME of the object

usage: dsconf instance schema matchingrules [-h] {list,query} ...

Sub-commands
dsconf schema matchingrules list
List available matching rules on this system

dsconf schema matchingrules query
Query a matching rule

usage: dsconf instance schema matchingrules list [-h]

usage: dsconf instance schema matchingrules query [-h] [name]

name Matching rule to query

usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]

-d SCHEMADIR, --schemadir SCHEMADIR
Directory where schema files are located

--wait Wait for the reload task to complete

usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN

DN Base DN that contains entries to validate

-f FILTER, --filter FILTER
Filter for entries to validate. If omitted, all entries matching the
filter "(objectclass=*)" are validated.

usage: dsconf instance schema import-openldap-file [-h] [--confirm]
       schema_file

schema_file
Path to the OpenLDAP dynamic schema LDIF to import

--confirm
Confirm that you want to apply these schema migration actions to
the 389-ds instance. By default no actions are taken.

usage: dsconf instance repl-conflict [-h]
       {list,compare,delete,swap,convert,list-glue,delete-glue,convert-glue}
       ...

Sub-commands
dsconf repl-conflict list
List conflict entries

dsconf repl-conflict compare
Compare the conflict entry with its valid counterpart

dsconf repl-conflict delete
Delete a conflict entry

dsconf repl-conflict swap
Replace the valid entry with the conflict entry

dsconf repl-conflict convert
Convert the conflict entry to a valid entry, while keeping the
original valid entry counterpart. This requires that the converted
conflict entry have a new RDN value. For example:
"cn=my_new_rdn_value".

dsconf repl-conflict list-glue
List replication glue entries

dsconf repl-conflict delete-glue
Delete the glue entry and its child entries

dsconf repl-conflict convert-glue
Convert the glue entry into a regular entry

usage: dsconf instance repl-conflict list [-h] suffix

suffix The backend name, or suffix, to look for conflict entries

usage: dsconf instance repl-conflict compare [-h] DN

DN The DN of the conflict entry

usage: dsconf instance repl-conflict delete [-h] DN

DN The DN of the conflict entry

usage: dsconf instance repl-conflict swap [-h] DN

DN The DN of the conflict entry

usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN

DN The DN of the conflict entry

--new-rdn NEW_RDN
The new RDN for the converted conflict entry. For example:
"cn=my_new_rdn_value"

usage: dsconf instance repl-conflict list-glue [-h] suffix

suffix The backend name, or suffix, to look for glue entries

usage: dsconf instance repl-conflict delete-glue [-h] DN

DN The DN of the glue entry

usage: dsconf instance repl-conflict convert-glue [-h] DN

DN The DN of the glue entry

-v, --verbose
Display verbose operation tracing during command execution

-D BINDDN, --binddn BINDDN
The account to bind as for executing operations

-w BINDPW, --bindpw BINDPW
Password for the bind DN

-W, --prompt
Prompt for the password for the bind DN

-y PWDFILE, --pwdfile PWDFILE
Specifies a file containing the password for the bind DN

-b BASEDN, --basedn BASEDN
Base DN (root naming context) of the instance to manage

-Z, --starttls
Connect with StartTLS

-j, --json
Return the result as a JSON object

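Added example, not part of the lib389 manual: a POSIX shell wrapper that binds with -y PWDFILE instead of -w BINDPW, because a password given with -w appears in the process argument list, and that adds -Z when the instance is an ldap:// URL. The names dsconf_private, pwdfile_is_private and DSCONF_DRY_RUN, and the sample values in the usage comment, are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of lib389. Hypothetical names: dsconf_private,
# pwdfile_is_private, DSCONF_DRY_RUN.

# Succeed only if $1 is a regular file with no group/other permission bits.
pwdfile_is_private() {
    [ -f "$1" ] || return 1
    # "ls -ld" prints a mode string such as "-rw-------";
    # characters 5-10 are the group and other bits.
    perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# dsconf_private INSTANCE BINDDN PWDFILE SUBCOMMAND [ARGS...]
# Returns 2 on bad usage, 3 if PWDFILE is accessible to group or others.
dsconf_private() {
    if [ "$#" -lt 4 ]; then
        echo "usage: dsconf_private INSTANCE BINDDN PWDFILE SUBCOMMAND..." >&2
        return 2
    fi
    inst=$1 binddn=$2 pwdfile=$3
    shift 3
    if ! pwdfile_is_private "$pwdfile"; then
        echo "refusing: $pwdfile must be a regular file, mode 0600 or stricter" >&2
        return 3
    fi
    case $inst in
        ldap://*) set -- -Z "$inst" "$@" ;;  # plain LDAP URL: add StartTLS
        *)        set -- "$inst" "$@" ;;     # other instance forms unchanged
    esac
    # Global options go before the instance, as in the synopsis.
    set -- -D "$binddn" -y "$pwdfile" "$@"
    if [ -n "${DSCONF_DRY_RUN:-}" ]; then
        printf 'dsconf %s\n' "$*"            # show the command, do not run it
        return 0
    fi
    dsconf "$@"
}

# Usage (constructed values):
#   dsconf_private ldap://mai.example.com:389 "cn=Directory Manager" \
#       /root/.dsconf.pw repl-conflict list dc=example,dc=com
```

Setting DSCONF_DRY_RUN to any non-empty value prints the assembled command line without contacting the server.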
lib389 was written by Red Hat Inc., and William Brown
<389-devel@lists.fedoraproject.org>.

The latest version of lib389 may be downloaded from
⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩