1DSCONF(8) System Manager's Manual DSCONF(8)
2
3
4
6 dsconf
7
9 dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
10 [-Z] [-j] instance {backend,backup,chaining,config,directory_man‐
11 ager,monitor,plugin,pwpolicy,localpwp,replication,repl,repl-agmt,repl-
12 winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
13
15 dsconf backend
16 Manage database suffixes and backends
17
18 dsconf backup
19 Manage online backups
20
21 dsconf chaining
22 Manage database chaining and database links
23
24 dsconf config
25 Manage the server configuration
26
27 dsconf directory_manager
28 Manage the Directory Manager account
29
30 dsconf monitor
31 Monitor the state of the instance
32
33 dsconf plugin
34 Manage plug-ins available on the server
35
36 dsconf pwpolicy
37 Manage the global password policy settings
38
39 dsconf localpwp
40 Manage the local user and subtree password policies
41
42 dsconf replication
43 Manage replication for a suffix
44
45 dsconf repl-agmt
46 Manage replication agreements
47
48 dsconf repl-winsync-agmt
49 Manage Winsync agreements
50
51 dsconf repl-tasks
52 Manage replication tasks
53
54 dsconf sasl
55 Manage SASL mappings
56
57 dsconf security
58 Manage security settings
59
60 dsconf schema
61 Manage the directory schema
62
63 dsconf repl-conflict
64 Manage replication conflicts
65
67 usage: dsconf instance backend [-h]
68 {suffix,index,vlv-index,attr-en‐
69 crypt,config,monitor,import,export,create,delete,get-tree,compact-db}
70 ...
71
72
74 dsconf backend suffix
75 Manage backend suffixes
76
77 dsconf backend index
78 Manage backend indexes
79
80 dsconf backend vlv-index
81 Manage VLV searches and indexes
82
83 dsconf backend attr-encrypt
84 Manage encrypted attribute settings
85
86 dsconf backend config
87 Manage the global database configuration settings
88
89 dsconf backend monitor
90 Displays global database or suffix monitoring information
91
92 dsconf backend import
93 Online import of a suffix
94
95 dsconf backend export
96 Online export of a suffix
97
98 dsconf backend create
99 Create a backend database
100
101 dsconf backend delete
102 Delete a backend database
103
104 dsconf backend get-tree
105 Display the suffix tree
106
107 dsconf backend compact-db
108 Compact the database and the replication changelog
109
111 usage: dsconf instance backend suffix [-h]
112 {list,get,get-dn,get-sub-suf‐
113 fixes,set}
114 ...
115
116
118 dsconf backend suffix list
119 List active backends and suffixes
120
121 dsconf backend suffix get
122 Display the suffix entry
123
124 dsconf backend suffix get-dn
125 Display the DN of a backend
126
127 dsconf backend suffix get-sub-suffixes
128 Display sub-suffixes
129
130 dsconf backend suffix set
131 Set configuration settings for a specific backend
132
134 usage: dsconf instance backend suffix list [-h] [--suffix]
135 [--skip-subsuffixes]
136
137
139 --suffix
140 Displays the suffixes without backend name
141
142
143 --skip-subsuffixes
144 Displays the list of suffixes without sub-suffixes
145
146
148 usage: dsconf instance backend suffix get [-h] [selector]
149
150
151 selector
152 The backend database name to search for
153
154
156 usage: dsconf instance backend suffix get-dn [-h] [dn]
157
158
159 dn The DN to the database entry in cn=ldbm database,cn=plug‐
160 ins,cn=config
161
162
164 usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
165 be_name
166
167
168 be_name
169 The backend name or suffix
170
171
173 --suffix
174 Displays the list of suffixes without backend name
175
176
178 usage: dsconf instance backend suffix set [-h] [--enable-readonly]
179 [--disable-readonly]
180 [--enable-orphan] [--disable-
181 orphan]
182 [--require-index] [--ignore-
183 index]
184 [--add-referral ADD_REFERRAL]
185 [--del-referral DEL_REFERRAL]
186 [--enable] [--disable]
187 [--cache-size CACHE_SIZE]
188 [--cache-memsize CACHE_MEM‐
189 SIZE]
190 [--dncache-memsize
191 DNCACHE_MEMSIZE]
192 [--state STATE]
193 be_name
194
195
196 be_name
197 The backend name or suffix
198
199
201 --enable-readonly
202 Enables read-only mode for the backend database
203
204
205 --disable-readonly
206 Disables read-only mode for the backend database
207
208
209 --enable-orphan
210 Disconnect a subsuffix from its parent suffix.
211
212
213 --disable-orphan
214 Let the subsuffix be connected to its parent suffix.
215
216
217 --require-index
218 Allows only indexed searches
219
220
221 --ignore-index
222 Allows all searches even if they are unindexed
223
224
225 --add-referral ADD_REFERRAL
226 Adds an LDAP referral to the backend
227
228
229 --del-referral DEL_REFERRAL
230 Removes an LDAP referral from the backend
231
232
233 --enable
234 Enables the backend database
235
236
237 --disable
238 Disables the backend database
239
240
241 --cache-size CACHE_SIZE
242 Sets the maximum number of entries to keep in the entry cache
243
244
245 --cache-memsize CACHE_MEMSIZE
246 Sets the maximum size in bytes that the entry cache can grow to
247
248
249 --dncache-memsize DNCACHE_MEMSIZE
250 Sets the maximum size in bytes that the DN cache can grow to
251
252
253 --state STATE
254 Changes the backend state to: "database", "disabled", "refer‐
255 ral", or "referral on update"
256
257
259 usage: dsconf instance backend index [-h]
260 {add,set,get,list,delete,reindex}
261 ...
262
263
265 dsconf backend index add
266 Add an index
267
268 dsconf backend index set
269 Update an index
270
271 dsconf backend index get
272 Display an index entry
273
274 dsconf backend index list
275 Display the index
276
277 dsconf backend index delete
278 Delete an index
279
280 dsconf backend index reindex
281 Re-index the database for a single index or all indexes
282
284 usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
285 [--matching-rule MATCH‐
286 ING_RULE]
287 [--reindex] --attr ATTR
288 be_name
289
290
291 be_name
292 The backend name or suffix
293
294
296 --index-type INDEX_TYPE
297 Sets the indexing type (eq, sub, pres, or approx)
298
299
300 --matching-rule MATCHING_RULE
301 Sets the matching rule for the index
302
303
304 --reindex
305 Re-indexes the database after adding a new index
306
307
308 --attr ATTR
309 Sets the attribute name to index
310
311
313 usage: dsconf instance backend index set [-h] --attr ATTR
314 [--add-type ADD_TYPE]
315 [--del-type DEL_TYPE]
316 [--add-mr ADD_MR] [--del-mr
317 DEL_MR]
318 [--reindex]
319 be_name
320
321
322 be_name
323 The backend name or suffix
324
325
327 --attr ATTR
328 Sets the indexed attribute to update
329
330
331 --add-type ADD_TYPE
332 Adds an index type to the index (eq, sub, pres, or approx)
333
334
335 --del-type DEL_TYPE
336 Removes an index type from the index (eq, sub, pres, or approx)
337
338
339 --add-mr ADD_MR
340 Adds a matching-rule to the index
341
342
343 --del-mr DEL_MR
344 Removes a matching-rule from the index
345
346
347 --reindex
348 Re-indexes the database after editing the index
349
350
352 usage: dsconf instance backend index get [-h] --attr ATTR be_name
353
354
355 be_name
356 The backend name or suffix
357
358
360 --attr ATTR
361 Sets the index name to display
362
363
365 usage: dsconf instance backend index list [-h] [--just-names] be_name
366
367
368 be_name
369 The backend name or suffix
370
371
373 --just-names
374 Displays only the names of indexed attributes
375
376
378 usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
379
380
381 be_name
382 The backend name or suffix
383
384
386 --attr ATTR
387 Sets the name of the attribute to delete from the index
388
389
391 usage: dsconf instance backend index reindex [-h] [--attr ATTR]
392 [--wait]
393 be_name
394
395
396 be_name
397 The backend name or suffix
398
399
401 --attr ATTR
402 Sets the name of the attribute to re-index. Omit this argument
403 to re-index all attributes
404
405
406 --wait Waits for the index task to complete and reports the status
407
408
410 usage: dsconf instance backend vlv-index [-h]
411 {list,get,add-search,edit-
412 search,del-search,add-index,del-index,reindex}
413 ...
414
415
417 dsconf backend vlv-index list
418 List VLV search and index entries
419
420 dsconf backend vlv-index get
421 Display a VLV search and indexes
422
423 dsconf backend vlv-index add-search
424 Add a VLV search entry. The search entry is the parent entry of
425 the VLV index entries, and it specifies the search parameters
426 that are used to match entries for those indexes.
427
428 dsconf backend vlv-index edit-search
429 Update a VLV search and index
430
431 dsconf backend vlv-index del-search
432 Delete VLV search & index
433
434 dsconf backend vlv-index add-index
435 Create a VLV index under a VLV search entry (parent entry). The
436 VLV index specifies the attributes to sort
437
438 dsconf backend vlv-index del-index
439 Delete a VLV index under a VLV search entry (parent entry)
440
441 dsconf backend vlv-index reindex
442 Index/re-index the VLV database index
443
445 usage: dsconf instance backend vlv-index list [-h] [--just-names]
446 be_name
447
448
449 be_name
450 The backend name of the VLV index
451
452
454 --just-names
455 Displays only the names of VLV search entries
456
457
459 usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
460
461
462 be_name
463 The backend name of the VLV index
464
465
467 --name NAME
468 Displays the VLV search entry and its index entries
469
470
472 usage: dsconf instance backend vlv-index add-search [-h] --name NAME
473 --search-base
474 SEARCH_BASE
475 --search-scope
476 SEARCH_SCOPE
477 --search-filter
478 SEARCH_FILTER
479 be_name
480
481
482 be_name
483 The backend name of the VLV index
484
485
487 --name NAME
488 Sets the name of the VLV search entry
489
490
491 --search-base SEARCH_BASE
492 Sets the VLV search base
493
494
495 --search-scope SEARCH_SCOPE
496 Sets the VLV search scope: 0 (base search), 1 (one-level
497 search), or 2 (subtree search)
498
499
500 --search-filter SEARCH_FILTER
501 Sets the VLV search filter
502
503
505 usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
506 [--search-base
507 SEARCH_BASE]
508 [--search-scope
509 SEARCH_SCOPE]
510 [--search-filter
511 SEARCH_FILTER]
512 [--reindex]
513 be_name
514
515
516 be_name
517 The backend name of the VLV index to update
518
519
521 --name NAME
522 Sets the name of the VLV index
523
524
525 --search-base SEARCH_BASE
526 Sets the VLV search base
527
528
529 --search-scope SEARCH_SCOPE
530 Sets the VLV search scope: 0 (base search), 1 (one-level
531 search), or 2 (subtree search)
532
533
534 --search-filter SEARCH_FILTER
535 Sets the VLV search filter
536
537
538 --reindex
539 Re-indexes all VLV database indexes
540
541
543 usage: dsconf instance backend vlv-index del-search [-h] --name NAME
544 be_name
545
546
547 be_name
548 The backend name of the VLV index
549
550
552 --name NAME
553 Sets the name of the VLV search index
554
555
557 usage: dsconf instance backend vlv-index add-index [-h] --parent-name
558 PARENT_NAME --index-
559 name
560 INDEX_NAME --sort
561 SORT
562 [--index-it]
563 be_name
564
565
566 be_name
567 The backend name of the VLV index
568
569
571 --parent-name PARENT_NAME
572 Sets the name or "cn" attribute of the parent VLV search entry
573
574
575 --index-name INDEX_NAME
576 Sets the name of the new VLV index
577
578
579 --sort SORT
580 Sets a space-separated list of attributes to sort for this VLV
581 index
582
583
584 --index-it
585 Creates the database index for this VLV index definition
586
587
589 usage: dsconf instance backend vlv-index del-index [-h] --parent-name
590 PARENT_NAME
591 [--index-name IN‐
592 DEX_NAME]
593 [--sort SORT]
594 be_name
595
596
597 be_name
598 The backend name of the VLV index
599
600
602 --parent-name PARENT_NAME
603 Sets the name or "cn" attribute value of the parent VLV search
604 entry
605
606
607 --index-name INDEX_NAME
608 Sets the name of the VLV index to delete
609
610
611 --sort SORT
612 Delete a VLV index that has this vlvsort value
613
614
616 usage: dsconf instance backend vlv-index reindex [-h]
617 [--index-name IN‐
618 DEX_NAME]
619 --parent-name PAR‐
620 ENT_NAME
621 be_name
622
623
624 be_name
625 The backend name of the VLV index
626
627
629 --index-name INDEX_NAME
630 Sets the name of the VLV index entry to re-index. If not set,
631 all indexes are re-indexed
632
633
634 --parent-name PARENT_NAME
635 Sets the name or "cn" attribute value of the parent VLV search
636 entry
637
638
640 usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-
641 names]
642 [--add-attr ADD_ATTR]
643 [--del-attr DEL_ATTR]
644 be_name
645
646
647 be_name
648 The backend name or suffix
649
650
652 --list Lists all encrypted attributes in the backend
653
654
655 --just-names
656 List only the names of the encrypted attributes when used with
657 --list
658
659
660 --add-attr ADD_ATTR
661 Enables encryption for the specified attribute
662
663
664 --del-attr DEL_ATTR
665 Disables encryption for the specified attribute
666
667
669 usage: dsconf instance backend config [-h] {get,set} ...
670
671
673 dsconf backend config get
674 Display the global database configuration
675
676 dsconf backend config set
677 Set the global database configuration
678
680 usage: dsconf instance backend config get [-h]
681
682
684 usage: dsconf instance backend config set [-h]
685 [--lookthroughlimit LOOK‐
686 THROUGHLIMIT]
687 [--mode MODE]
688 [--idlistscanlimit
689 IDLISTSCANLIMIT]
690 [--directory DIRECTORY]
691 [--dbcachesize DBCACHESIZE]
692 [--logdirectory LOGDIRECTORY]
693 [--txn-wait TXN_WAIT]
694 [--checkpoint-interval CHECK‐
695 POINT_INTERVAL]
696 [--compactdb-interval COM‐
697 PACTDB_INTERVAL]
698 [--compactdb-time COM‐
699 PACTDB_TIME]
700 [--txn-batch-val
701 TXN_BATCH_VAL]
702 [--txn-batch-min
703 TXN_BATCH_MIN]
704 [--txn-batch-max
705 TXN_BATCH_MAX]
706 [--logbufsize LOGBUFSIZE]
707 [--locks LOCKS]
708 [--locks-monitoring-enabled
709 LOCKS_MONITORING_ENABLED]
710 [--locks-monitoring-threshold
711 LOCKS_MONITORING_THRESHOLD]
712 [--locks-monitoring-pause
713 LOCKS_MONITORING_PAUSE]
714 [--import-cache-autosize IM‐
715 PORT_CACHE_AUTOSIZE]
716 [--cache-autosize CACHE_AUTO‐
717 SIZE]
718 [--cache-autosize-split
719 CACHE_AUTOSIZE_SPLIT]
720 [--import-cachesize IM‐
721 PORT_CACHESIZE]
722 [--exclude-from-export EX‐
723 CLUDE_FROM_EXPORT]
724 [--pagedlookthroughlimit
725 PAGEDLOOKTHROUGHLIMIT]
726 [--pagedidlistscanlimit PAGE‐
727 DIDLISTSCANLIMIT]
728 [--rangelookthroughlimit
729 RANGELOOKTHROUGHLIMIT]
730 [--backend-opt-level BACK‐
731 END_OPT_LEVEL]
732 [--deadlock-policy DEAD‐
733 LOCK_POLICY]
734 [--db-home-directory
735 DB_HOME_DIRECTORY]
736 [--db-lib DB_LIB]
737
738
740 --lookthroughlimit LOOKTHROUGHLIMIT
741 Specifies the maximum number of entries that the server will
742 check when examining candidate entries in response to a search
743 request
744
745
746 --mode MODE
747 Specifies the permissions used for newly created index files
748
749
750 --idlistscanlimit IDLISTSCANLIMIT
751 Specifies the number of entry IDs that are searched during a
752 search operation
753
754
755 --directory DIRECTORY
756 Specifies absolute path to database instance
757
758
759 --dbcachesize DBCACHESIZE
760 Specifies the database index cache size in bytes
761
762
763 --logdirectory LOGDIRECTORY
764 Specifies the path to the directory that contains the database
765 transaction logs
766
767
768 --txn-wait TXN_WAIT
769 Sets whether the server should wait if there are no db
770 locks available
771
772
773 --checkpoint-interval CHECKPOINT_INTERVAL
774 Sets the amount of time in seconds after which the server sends
775 a checkpoint entry to the database transaction log
776
777
778 --compactdb-interval COMPACTDB_INTERVAL
779 Sets the interval in seconds when the database is compacted
780
781
782 --compactdb-time COMPACTDB_TIME
783 Sets the time (HH:MM format) of day when to compact the database
784 after the "compactdb interval" has been reached
785
786
787 --txn-batch-val TXN_BATCH_VAL
788 Specifies how many transactions will be batched before being
789 committed
790
791
792 --txn-batch-min TXN_BATCH_MIN
793 Controls when transactions should be flushed earliest, indepen‐
794 dently of the batch count. Requires that txn-batch-val is set
795
796
797 --txn-batch-max TXN_BATCH_MAX
798 Controls when transactions should be flushed latest, indepen‐
799 dently of the batch count. Requires that txn-batch-val is set
800
801
802 --logbufsize LOGBUFSIZE
803 Specifies the transaction log information buffer size
804
805
806 --locks LOCKS
807 Sets the maximum number of database locks
808
809
810 --locks-monitoring-enabled LOCKS_MONITORING_ENABLED
811 Enables or disables monitoring of DB locks when the value
812 crosses the percentage set with "--locks-monitoring-threshold"
813
814
815 --locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD
816 Sets the DB lock exhaustion threshold in percentage (valid range
817 is 70-90). When the threshold is reached, all searches are
818 aborted until the number of active locks decreases below the
819 configured threshold and/or the administrator increases the num‐
820 ber of database locks (nsslapd-db-locks). This threshold is a
821 safeguard against DB corruption which might be caused by locks
822 exhaustion.
823
824
825 --locks-monitoring-pause LOCKS_MONITORING_PAUSE
826 Sets the DB lock monitoring value in milliseconds for the amount
827 of time that the monitoring thread spends waiting between
828 checks.
829
830
831 --import-cache-autosize IMPORT_CACHE_AUTOSIZE
832 Enables or disables automatically setting the size of the import
833 cache used during the import of LDIF files
834
835
836 --cache-autosize CACHE_AUTOSIZE
837 Sets the percentage of free memory that is used in total for the
838 database and entry cache. "0" disables this feature.
839
840
841 --cache-autosize-split CACHE_AUTOSIZE_SPLIT
842 Sets the percentage of RAM that is used for the database cache.
843 The remaining percentage is used for the entry cache
844
845
846 --import-cachesize IMPORT_CACHESIZE
847 Sets the size in bytes of the database cache used in the import
848 process.
849
850
851 --exclude-from-export EXCLUDE_FROM_EXPORT
852 List of attributes to not include during database export opera‐
853 tions
854
855
856 --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
857 Specifies the maximum number of entries that the server will
858 check when examining candidate entries for a search which uses
859 the simple paged results control
860
861
862 --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
863 Specifies the number of entry IDs that are searched, specifi‐
864 cally, for a search operation using the simple paged results
865 control.
866
867
868 --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
869 Specifies the maximum number of entries that the server will
870 check when examining candidate entries in response to a range
871 search request.
872
873
874 --backend-opt-level BACKEND_OPT_LEVEL
875 Sets the backend optimization level for write performance (0, 1,
876 2, or 4). WARNING: This parameter can trigger experimental
877 code.
878
879
880 --deadlock-policy DEADLOCK_POLICY
881 Adjusts the backend database deadlock policy (Advanced setting)
882
883
884 --db-home-directory DB_HOME_DIRECTORY
885 Sets the directory for the database mmapped files (Advanced set‐
886 ting)
887
888
889 --db-lib DB_LIB
890 Sets which db lib is used. Valid values are: bdb or mdb
891
892
894 usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
895
896
898 --suffix SUFFIX
899 Displays monitoring information only for the specified suffix
900
901
903 usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
904 [-g GEN_UNIQ_ID] [-O]
905 [-s INCLUDE_SUFFIXES [IN‐
906 CLUDE_SUFFIXES ...]]
907 [-x EXCLUDE_SUFFIXES [EX‐
908 CLUDE_SUFFIXES ...]]
909 [be_name] [ldifs ...]
910
911
912 be_name
913 The backend name or the root suffix
914
915
916 ldifs Specifies the filename of the input LDIF files. Multiple files
917 are imported in the specified order.
918
919
921 -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
922 The number of chunks to have during the import operation
923
924
925 -E, --encrypted
926 Encrypt attributes configured in the database for encryption
927
928
929 -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
930 Generate a unique id. Set "none" for no unique ID to be gener‐
931 ated and "deterministic" for the generated unique ID to be
932 name-based. By default, a time-based unique ID is generated.
933 When using the deterministic generation to have a name-based
934 unique ID, it is also possible to specify the namespace for the
935 server to use. namespaceId is a string of characters in the for‐
936 mat 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.
937
938
939 -O, --only-core
940 Creates only the core database attribute indexes
941
942
943 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
944 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
945 Specifies the suffixes or the subtrees to be included
946
947
948 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
949 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
950 Specifies the suffixes to be excluded
951
952
954 usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
955 [-N] [-r]
956 [-u] [-U]
957 [-s INCLUDE_SUFFIXES [IN‐
958 CLUDE_SUFFIXES ...]]
959 [-x EXCLUDE_SUFFIXES [EX‐
960 CLUDE_SUFFIXES ...]]
961 be_names [be_names ...]
962
963
964 be_names
965 The backend names or the root suffixes
966
967
969 -l LDIF, --ldif LDIF
970 Sets the filename of the output LDIF file. Separate multiple
971 file names with spaces.
972
973
974 -C, --use-id2entry
975 Uses only the main database file
976
977
978 -E, --encrypted
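979 Decrypts encrypted data during export. This option is used only
980 if database encryption is enabled. The exported LDIF file then holds the values of encrypted attributes in plaintext, so restrict access to that file.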
981
982
983 -m, --min-base64
984 Sets minimal base-64 encoding
985
986
987 -N, --no-seq-num
988 Suppresses printing the sequence numbers
989
990
991 -r, --replication
992 Exports the data with information required to initialize a
993 replica
994
995
996 -u, --no-dump-uniq-id
997 Omits exporting the unique ID
998
999
1000 -U, --not-folded
1001 Disables folding the output
1002
1003
1004 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
1005 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
1006 Specifies the suffixes or the subtrees to be included
1007
1008
1009 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
1010 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
1011 Specifies the suffixes to be excluded
1012
1013
1015 usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUF‐
1016 FIX]
1017 --suffix SUFFIX --be-name BE_NAME
1018 [--create-entries] [--create-suf‐
1019 fix]
1020
1021
1023 --parent-suffix PARENT_SUFFIX
1024 Sets the parent suffix only if this backend is a sub-suffix
1025
1026
1027 --suffix SUFFIX
1028 Sets the database suffix DN
1029
1030
1031 --be-name BE_NAME
1032 Sets the database backend name
1033
1034
1035 --create-entries
1036 Adds sample entries to the database
1037
1038
1039 --create-suffix
1040 Creates the suffix object entry in the database. Only suffixes
1041 using the 'dc', 'o', 'ou', or 'cn' attributes are supported
1042
1043
1045 usage: dsconf instance backend delete [-h] be_name
1046
1047
1048 be_name
1049 The backend name or suffix
1050
1051
1053 usage: dsconf instance backend get-tree [-h]
1054
1055
1057 usage: dsconf instance backend compact-db [-h] [--only-changelog]
1058
1059
1061 --only-changelog
1062 Compacts only the replication change log
1063
1064
1066 usage: dsconf instance backup [-h] {create,restore} ...
1067
1068
1070 dsconf backup create
1071 Creates a backup of the database
1072
1073 dsconf backup restore
1074 Restores a database from a backup
1075
1077 usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]
1078
1079
1080 archive
1081 Sets the directory where to store the backup files. Format: in‐
1082 stance_name- year_month_date_hour_minutes_seconds. Default:
1083 /var/lib/dirsrv/slapd- instance/bak/
1084
1085
1087 -t DB_TYPE, --db-type DB_TYPE
1088 Sets the database type. Default: ldbm database
1089
1090
1092 usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive
1093
1094
1095 archive
1096 Set the directory that contains the backup files
1097
1098
1100 -t DB_TYPE, --db-type DB_TYPE
1101 Sets the database type. Default: ldbm database
1102
1103
1105 usage: dsconf instance chaining [-h]
1106 {config-get,config-set,config-get-
1107 def,config-set-def,link-create,link-get,link-set,link-delete,moni‐
1108 tor,link-list}
1109 ...
1110
1111
1113 dsconf chaining config-get
1114 Display the chaining controls and server component lists
1115
1116 dsconf chaining config-set
1117 Set the chaining controls and server component lists
1118
1119 dsconf chaining config-get-def
1120 Display the default creation parameters for new database links
1121
1122 dsconf chaining config-set-def
1123 Set the default creation parameters for new database links
1124
1125 dsconf chaining link-create
1126 Create a database link to a remote server
1127
1128 dsconf chaining link-get
1129 Displays chaining database links
1130
1131 dsconf chaining link-set
1132 Edit a database link to a remote server
1133
1134 dsconf chaining link-delete
1135 Delete a database link
1136
1137 dsconf chaining monitor
1138 Display monitor information for a database chaining link
1139
1140 dsconf chaining link-list
1141 List database links
1142
1144 usage: dsconf instance chaining config-get [-h] [--avail-controls]
1145 [--avail-comps]
1146
1147
1149 --avail-controls
1150 Lists available chaining controls
1151
1152
1153 --avail-comps
1154 Lists available chaining plugin components
1155
1156
1158 usage: dsconf instance chaining config-set [-h] [--add-control ADD_CON‐
1159 TROL]
1160 [--del-control DEL_CONTROL]
1161 [--add-comp ADD_COMP]
1162 [--del-comp DEL_COMP]
1163
1164
1166 --add-control ADD_CONTROL
1167 Adds a transmitted control OID
1168
1169
1170 --del-control DEL_CONTROL
1171 Deletes a transmitted control OID
1172
1173
1174 --add-comp ADD_COMP
1175 Adds a chaining component
1176
1177
1178 --del-comp DEL_COMP
1179 Deletes a chaining component
1180
1181
1183 usage: dsconf instance chaining config-get-def [-h]
1184
1185
1187 usage: dsconf instance chaining config-set-def [-h]
1188 [--conn-bind-limit
1189 CONN_BIND_LIMIT]
1190 [--conn-op-limit
1191 CONN_OP_LIMIT]
1192 [--abandon-check-inter‐
1193 val ABANDON_CHECK_INTERVAL]
1194 [--bind-limit
1195 BIND_LIMIT]
1196 [--op-limit OP_LIMIT]
1197 [--proxied-auth PROX‐
1198 IED_AUTH]
1199 [--conn-lifetime
1200 CONN_LIFETIME]
1201 [--bind-timeout
1202 BIND_TIMEOUT]
1203 [--return-ref RE‐
1204 TURN_REF]
1205 [--check-aci CHECK_ACI]
1206 [--bind-attempts
1207 BIND_ATTEMPTS]
1208 [--size-limit
1209 SIZE_LIMIT]
1210 [--time-limit
1211 TIME_LIMIT]
1212 [--hop-limit HOP_LIMIT]
1213 [--response-delay RE‐
1214 SPONSE_DELAY]
1215 [--test-response-delay
1216 TEST_RESPONSE_DELAY]
1217 [--use-starttls
1218 USE_STARTTLS]
1219
1220
1222 --conn-bind-limit CONN_BIND_LIMIT
1223 Sets the maximum number of BIND connections the database link
1224 establishes with the remote server
1225
1226
1227 --conn-op-limit CONN_OP_LIMIT
1228 Sets the maximum number of LDAP connections the database link
1229 establishes with the remote server
1230
1231
1232 --abandon-check-interval ABANDON_CHECK_INTERVAL
1233 Sets the number of seconds that pass before the server checks
1234 for abandoned operations
1235
1236
1237 --bind-limit BIND_LIMIT
1238 Sets the maximum number of concurrent bind operations per TCP
1239 connection
1240
1241
1242 --op-limit OP_LIMIT
1243 Sets the maximum number of concurrent operations allowed
1244
1245
1246 --proxied-auth PROXIED_AUTH
1247 Enables or disables proxied authorization. If set to "off", the
1248 server executes bind for chained operations as the user set in
1249 the nsMultiplexorBindDn attribute.
1250
1251
1252 --conn-lifetime CONN_LIFETIME
1253 Specifies connection lifetime in seconds. "0" keeps the connec‐
1254 tion open forever.
1255
1256
1257 --bind-timeout BIND_TIMEOUT
1258 Sets the amount of time in seconds before a bind attempt times
1259 out
1260
1261
1262 --return-ref RETURN_REF
1263 Enables or disables whether referrals are returned by scoped
1264 searches
1265
1266
1267 --check-aci CHECK_ACI
1268 Enables or disables whether the server evaluates ACIs on the
1269 database link as well as the remote data server
1270
1271
1272 --bind-attempts BIND_ATTEMPTS
1273 Sets the number of times the server tries to bind to the remote
1274 server
1275
1276
1277 --size-limit SIZE_LIMIT
1278 Sets the maximum number of entries to return from a search oper‐
1279 ation
1280
1281
1282 --time-limit TIME_LIMIT
1283 Sets the maximum number of seconds allowed for an operation
1284
1285
1286 --hop-limit HOP_LIMIT
1287 Sets the maximum number of times a database is allowed to chain.
1288 That is the number of times a request can be forwarded from one
1289 database link to another.
1290
1291
1292 --response-delay RESPONSE_DELAY
1293 Sets the maximum amount of time it can take a remote server to
1294 respond to an LDAP operation request made by a database link be‐
1295 fore an error is suspected
1296
1297
1298 --test-response-delay TEST_RESPONSE_DELAY
1299 Sets the duration of the test issued by the database link to
1300 check whether the remote server is responding
1301
1302
1303 --use-starttls USE_STARTTLS
1304 Configures database links to use StartTLS if set to "on"
1305
1306
1308 usage: dsconf instance chaining link-create [-h]
1309 [--conn-bind-limit
1310 CONN_BIND_LIMIT]
1311 [--conn-op-limit
1312 CONN_OP_LIMIT]
1313 [--abandon-check-interval
1314 ABANDON_CHECK_INTERVAL]
1315 [--bind-limit BIND_LIMIT]
1316 [--op-limit OP_LIMIT]
1317 [--proxied-auth PROX‐
1318 IED_AUTH]
1319 [--conn-lifetime CONN_LIFE‐
1320 TIME]
1321 [--bind-timeout BIND_TIME‐
1322 OUT]
1323 [--return-ref RETURN_REF]
1324 [--check-aci CHECK_ACI]
1325 [--bind-attempts BIND_AT‐
1326 TEMPTS]
1327 [--size-limit SIZE_LIMIT]
1328 [--time-limit TIME_LIMIT]
1329 [--hop-limit HOP_LIMIT]
1330 [--response-delay RE‐
1331 SPONSE_DELAY]
1332 [--test-response-delay
1333 TEST_RESPONSE_DELAY]
1334 [--use-starttls USE_START‐
1335 TLS]
1336 --suffix SUFFIX --server-
1337 url
1338 SERVER_URL --bind-mech
1339 BIND_MECH
1340 --bind-dn BIND_DN --bind-pw
1341 BIND_PW
1342 CHAIN_NAME
1343
1344
1345 CHAIN_NAME
1346 The name of the database link
1347
1348
1350 --conn-bind-limit CONN_BIND_LIMIT
1351 Sets the maximum number of BIND connections the database link
1352 establishes with the remote server
1353
1354
1355 --conn-op-limit CONN_OP_LIMIT
1356 Sets the maximum number of LDAP connections the database link
1357 establishes with the remote server
1358
1359
1360 --abandon-check-interval ABANDON_CHECK_INTERVAL
1361 Sets the number of seconds that pass before the server checks
1362 for abandoned operations
1363
1364
1365 --bind-limit BIND_LIMIT
1366 Sets the maximum number of concurrent bind operations per TCP
1367 connection
1368
1369
1370 --op-limit OP_LIMIT
1371 Sets the maximum number of concurrent operations allowed
1372
1373
1374 --proxied-auth PROXIED_AUTH
1375 Enables or disables proxied authorization. If set to "off", the
1376 server executes bind for chained operations as the user set in
1377 the nsMultiplexorBindDn attribute.
1378
1379
1380 --conn-lifetime CONN_LIFETIME
1381 Specifies connection lifetime in seconds. "0" keeps the connec‐
1382 tion open forever.
1383
1384
1385 --bind-timeout BIND_TIMEOUT
1386 Sets the amount of time in seconds before a bind attempt times
1387 out
1388
1389
1390 --return-ref RETURN_REF
1391 Enables or disables whether referrals are returned by scoped
1392 searches
1393
1394
1395 --check-aci CHECK_ACI
1396 Enables or disables whether the server evaluates ACIs on the
1397 database link as well as the remote data server
1398
1399
1400 --bind-attempts BIND_ATTEMPTS
1401 Sets the number of times the server tries to bind to the remote
1402 server
1403
1404
1405 --size-limit SIZE_LIMIT
1406 Sets the maximum number of entries to return from a search oper‐
1407 ation
1408
1409
1410 --time-limit TIME_LIMIT
1411 Sets the maximum number of seconds allowed for an operation
1412
1413
1414 --hop-limit HOP_LIMIT
1415 Sets the maximum number of times a database is allowed to chain.
1416 That is, the number of times a request can be forwarded from one
1417 database link to another.
1418
1419
1420 --response-delay RESPONSE_DELAY
1421 Sets the maximum amount of time it can take a remote server to
1422 respond to an LDAP operation request made by a database link be‐
1423 fore an error is suspected
1424
1425
1426 --test-response-delay TEST_RESPONSE_DELAY
1427 Sets the duration of the test issued by the database link to
1428 check whether the remote server is responding
1429
1430
1431 --use-starttls USE_STARTTLS
1432 Configures database links to use StartTLS if set to "on"
1433
1434
1435 --suffix SUFFIX
1436 Sets the suffix managed by the database link
1437
1438
1439 --server-url SERVER_URL
1440 Sets the LDAP/LDAPS URL to the remote server
1441
1442
1443 --bind-mech BIND_MECH
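1444 Sets the authentication method to use to authenticate to the re‐
1445 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1446 GEST-MD5", or "GSSAPI". With "SIMPLE", the bind password crosses
1447 the network in clear text unless the link uses LDAPS or StartTLS.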
1448
1449 --bind-dn BIND_DN
1450 Sets the DN of the administrative entry used to communicate with
1451 the remote server
1452
1453
1454 --bind-pw BIND_PW
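1455 Sets the password of the administrative user. A password given
1456 on the command line can be exposed through the shell history and the process list.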
1457
1459 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1460
1461
1462 CHAIN_NAME
1463 The chaining link name or suffix to retrieve
1464
1465
1467 usage: dsconf instance chaining link-set [-h]
1468 [--conn-bind-limit
1469 CONN_BIND_LIMIT]
1470 [--conn-op-limit
1471 CONN_OP_LIMIT]
1472 [--abandon-check-interval
1473 ABANDON_CHECK_INTERVAL]
1474 [--bind-limit BIND_LIMIT]
1475 [--op-limit OP_LIMIT]
1476 [--proxied-auth PROXIED_AUTH]
1477 [--conn-lifetime CONN_LIFE‐
1478 TIME]
1479 [--bind-timeout BIND_TIMEOUT]
1480 [--return-ref RETURN_REF]
1481 [--check-aci CHECK_ACI]
1482 [--bind-attempts BIND_AT‐
1483 TEMPTS]
1484 [--size-limit SIZE_LIMIT]
1485 [--time-limit TIME_LIMIT]
1486 [--hop-limit HOP_LIMIT]
1487 [--response-delay RESPONSE_DE‐
1488 LAY]
1489 [--test-response-delay
1490 TEST_RESPONSE_DELAY]
1491 [--use-starttls USE_STARTTLS]
1492 [--suffix SUFFIX]
1493 [--server-url SERVER_URL]
1494 [--bind-mech BIND_MECH]
1495 [--bind-dn BIND_DN]
1496 [--bind-pw BIND_PW]
1497 CHAIN_NAME
1498
1499
1500 CHAIN_NAME
1501 The name of the database link
1502
1503
1505 --conn-bind-limit CONN_BIND_LIMIT
1506 Sets the maximum number of BIND connections the database link
1507 establishes with the remote server
1508
1509
1510 --conn-op-limit CONN_OP_LIMIT
1511 Sets the maximum number of LDAP connections the database link
1512 establishes with the remote server
1513
1514
1515 --abandon-check-interval ABANDON_CHECK_INTERVAL
1516 Sets the number of seconds that pass before the server checks
1517 for abandoned operations
1518
1519
1520 --bind-limit BIND_LIMIT
1521 Sets the maximum number of concurrent bind operations per TCP
1522 connection
1523
1524
1525 --op-limit OP_LIMIT
1526 Sets the maximum number of concurrent operations allowed
1527
1528
1529 --proxied-auth PROXIED_AUTH
1530 Enables or disables proxied authorization. If set to "off", the
1531 server executes bind for chained operations as the user set in
1532 the nsMultiplexorBindDn attribute.
1533
1534
1535 --conn-lifetime CONN_LIFETIME
1536 Specifies connection lifetime in seconds. "0" keeps the connec‐
1537 tion open forever.
1538
1539
1540 --bind-timeout BIND_TIMEOUT
1541 Sets the amount of time in seconds before a bind attempt times
1542 out
1543
1544
1545 --return-ref RETURN_REF
1546 Enables or disables whether referrals are returned by scoped
1547 searches
1548
1549
1550 --check-aci CHECK_ACI
1551 Enables or disables whether the server evaluates ACIs on the
1552 database link as well as the remote data server
1553
1554
1555 --bind-attempts BIND_ATTEMPTS
1556 Sets the number of times the server tries to bind to the remote
1557 server
1558
1559
1560 --size-limit SIZE_LIMIT
1561 Sets the maximum number of entries to return from a search oper‐
1562 ation
1563
1564
1565 --time-limit TIME_LIMIT
1566 Sets the maximum number of seconds allowed for an operation
1567
1568
1569 --hop-limit HOP_LIMIT
1570 Sets the maximum number of times a database is allowed to chain.
1571 That is, the number of times a request can be forwarded from one
1572 database link to another.
1573
1574
1575 --response-delay RESPONSE_DELAY
1576 Sets the maximum amount of time it can take a remote server to
1577 respond to an LDAP operation request made by a database link be‐
1578 fore an error is suspected
1579
1580
1581 --test-response-delay TEST_RESPONSE_DELAY
1582 Sets the duration of the test issued by the database link to
1583 check whether the remote server is responding
1584
1585
1586 --use-starttls USE_STARTTLS
1587 Configures database links to use StartTLS if set to "on"
1588
1589
1590 --suffix SUFFIX
1591 Sets the suffix managed by the database link
1592
1593
1594 --server-url SERVER_URL
1595 Sets the LDAP/LDAPS URL to the remote server
1596
1597
1598 --bind-mech BIND_MECH
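1599 Sets the authentication method to use to authenticate to the re‐
1600 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1601 GEST-MD5", or "GSSAPI". With "SIMPLE", the bind password crosses
1602 the network in clear text unless the link uses LDAPS or StartTLS.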
1603
1604 --bind-dn BIND_DN
1605 Sets the DN of the administrative entry used to communicate with
1606 the remote server
1607
1608
1609 --bind-pw BIND_PW
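1610 Sets the password of the administrative user. A password given
1611 on the command line can be exposed through the shell history and the process list.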
1612
1614 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1615
1616
1617 CHAIN_NAME
1618 The name of the database link
1619
1620
1622 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1623
1624
1625 CHAIN_NAME
1626 The name of the database link
1627
1628
1630 usage: dsconf instance chaining link-list [-h]
1631
1632
1634 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1635
1636
1638 dsconf config get
1639 Get attribute value(s) from configuration
1640
1641 dsconf config add
1642 Add attribute value to configuration
1643
1644 dsconf config replace
1645 Replace attribute value in configuration
1646
1647 dsconf config delete
1648 Delete attribute value in configuration
1649
1651 usage: dsconf instance config get [-h] [attrs ...]
1652
1653
1654 attrs Configuration attribute(s) to get
1655
1656
1658 usage: dsconf instance config add [-h] [attr ...]
1659
1660
1661 attr Configuration attribute to add
1662
1663
1665 usage: dsconf instance config replace [-h] [attr ...]
1666
1667
1668 attr Configuration attribute to replace
1669
1670
1672 usage: dsconf instance config delete [-h] [attr ...]
1673
1674
1675 attr Configuration attribute to delete
1676
1677
1679 usage: dsconf instance directory_manager [-h] {password_change} ...
1680
1681
1683 dsconf directory_manager password_change
1684 Changes the password of the Directory Manager account
1685
1687 usage: dsconf instance directory_manager password_change [-h]
1688
1689
1691 usage: dsconf instance monitor [-h]
1692 {server,dbmon,ldbm,backend,snmp,chain‐
1693 ing,disk}
1694 ...
1695
1696
1698 dsconf monitor server
1699 Displays the server statistics, connections, and operations
1700
1701 dsconf monitor dbmon
1702 Monitor all database statistics in a single report
1703
1704 dsconf monitor ldbm
1705 Monitor the LDBM statistics, such as dbcache
1706
1707 dsconf monitor backend
1708 Monitor the behavior of a backend database
1709
1710 dsconf monitor snmp
1711 Displays the SNMP statistics
1712
1713 dsconf monitor chaining
1714 Monitor database chaining statistics
1715
1716 dsconf monitor disk
1717 Displays the disk space statistics. All values are in bytes.
1718
1720 usage: dsconf instance monitor server [-h]
1721
1722
1724 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1725
1726
1728 -b BACKENDS, --backends BACKENDS
1729 Specifies a list of space-separated backends to monitor. Default
1730 is all backends.
1731
1732
1733 -x, --indexes
1734 Shows index stats for each backend
1735
1736
1738 usage: dsconf instance monitor ldbm [-h]
1739
1740
1742 usage: dsconf instance monitor backend [-h] [backend]
1743
1744
1745 backend
1746 The optional name of the backend to monitor
1747
1748
1750 usage: dsconf instance monitor snmp [-h]
1751
1752
1754 usage: dsconf instance monitor chaining [-h] [backend]
1755
1756
1757 backend
1758 The optional name of the chaining backend to monitor
1759
1760
1762 usage: dsconf instance monitor disk [-h]
1763
1764
1766 usage: dsconf instance plugin [-h]
1767 {memberof,automember,referential-integ‐
1768 rity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-en‐
1769 tries,pass-through-auth,retro-changelog,posix-winsync,contentsync,en‐
1770 tryuuid,list,show,set}
1771 ...
1772
1773
1775 dsconf plugin memberof
1776 Manage and configure MemberOf plugin
1777
1778 dsconf plugin automember
1779 Manage and configure Automembership plugin
1780
1781 dsconf plugin referential-integrity
1782 Manage and configure Referential Integrity Postoperation plugin
1783
1784 dsconf plugin root-dn
1785 Manage and configure RootDN Access Control plugin
1786
1787 dsconf plugin usn
1788 Manage and configure USN plugin
1789
1790 dsconf plugin account-policy
1791 Manage and configure Account Policy plugin
1792
1793 dsconf plugin attr-uniq
1794 Manage and configure Attribute Uniqueness plugin
1795
1796 dsconf plugin dna
1797 Manage and configure DNA plugin
1798
1799 dsconf plugin linked-attr
1800 Manage and configure Linked Attributes plugin
1801
1802 dsconf plugin managed-entries
1803 Manage and configure Managed Entries Plugin
1804
1805 dsconf plugin pass-through-auth
1806 Manage and configure Pass-Through Authentication plugins (URLs
1807 and PAM)
1808
1809 dsconf plugin retro-changelog
1810 Manage and configure Retro Changelog plugin
1811
1812 dsconf plugin posix-winsync
1813 Manage and configure the Posix Winsync API plugin
1814
1815 dsconf plugin contentsync
1816 Manage and configure Content Sync Plugin (aka syncrepl)
1817
1818 dsconf plugin entryuuid
1819 Manage and configure EntryUUID plugin
1820
1821 dsconf plugin list
1822 List currently configured (enabled and disabled) plugins
1823
1824 dsconf plugin show
1825 Show the plugin data
1826
1827 dsconf plugin set
1828 Edit the plugin settings
1829
1831 usage: dsconf instance plugin memberof [-h]
1832 {show,enable,disable,sta‐
1833 tus,set,config-entry,fixup,fixup-status}
1834 ...
1835
1836
1838 dsconf plugin memberof show
1839 Displays the plugin configuration
1840
1841 dsconf plugin memberof enable
1842 Enables the plugin
1843
1844 dsconf plugin memberof disable
1845 Disables the plugin
1846
1847 dsconf plugin memberof status
1848 Displays the plugin status
1849
1850 dsconf plugin memberof set
1851 Edit the plugin settings
1852
1853 dsconf plugin memberof config-entry
1854 Manage the config entry
1855
1856 dsconf plugin memberof fixup
1857 Run the fix-up task for memberOf plugin
1858
1859 dsconf plugin memberof fixup-status
1860 Check the status of a fix-up task
1861
1863 usage: dsconf instance plugin memberof show [-h]
1864
1865
1867 usage: dsconf instance plugin memberof enable [-h]
1868
1869
1871 usage: dsconf instance plugin memberof disable [-h]
1872
1873
1875 usage: dsconf instance plugin memberof status [-h]
1876
1877
1879 usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
1880 [--groupattr GROUPATTR
1881 [GROUPATTR ...]]
1882 [--allbackends {on,off}]
1883 [--skipnested {on,off}]
1884 [--scope SCOPE [SCOPE ...]]
1885 [--exclude EXCLUDE [EXCLUDE
1886 ...]]
1887 [--autoaddoc AUTOADDOC]
1888 [--config-entry CONFIG_EN‐
1889 TRY]
1890
1891
1893 --attr ATTR
1894 Specifies the attribute in the user entry for the Directory
1895 Server to manage to reflect group membership (memberOfAttr)
1896
1897
1898 --groupattr GROUPATTR [GROUPATTR ...]
1899 Specifies the attribute in the group entry to use to identify
1900 the DNs of group members (memberOfGroupAttr)
1901
1902
1903 --allbackends {on,off}
1904 Specifies whether to search the local suffix for user entries or
1905 all available suffixes (memberOfAllBackends)
1906
1907
1908 --skipnested {on,off}
1909 Specifies whether to skip nested groups or not (memberOfSkip‐
1910 Nested)
1911
1912
1913 --scope SCOPE [SCOPE ...]
1914 Specifies backends or multiple-nested suffixes for the MemberOf
1915 plug-in to work on (memberOfEntryScope)
1916
1917
1918 --exclude EXCLUDE [EXCLUDE ...]
1919 Specifies backends or multiple-nested suffixes for the MemberOf
1920 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1921
1922
1923 --autoaddoc AUTOADDOC
1924 If an entry does not have an object class that allows the mem‐
1925 berOf attribute then the memberOf plugin will automatically add
1926 the object class listed in the memberOfAutoAddOC parameter
1927
1928
1929 --config-entry CONFIG_ENTRY
1930 The value to set as nsslapd-pluginConfigArea
1931
1932
1934 usage: dsconf instance plugin memberof config-entry [-h]
1935 {add,set,show,delete}
1936 ...
1937
1938
1940 dsconf plugin memberof config-entry add
1941 Add the config entry
1942
1943 dsconf plugin memberof config-entry set
1944 Edit the config entry
1945
1946 dsconf plugin memberof config-entry show
1947 Display the config entry
1948
1949 dsconf plugin memberof config-entry delete
1950 Delete the config entry
1951
1953 usage: dsconf instance plugin memberof config-entry add [-h] [--attr
1954 ATTR]
1955 [--groupattr
1956 GROUPATTR [GROUPATTR ...]]
1957 [--allbackends
1958 {on,off}]
1959 [--skipnested
1960 {on,off}]
1961 [--scope SCOPE
1962 [SCOPE ...]]
1963 [--exclude EX‐
1964 CLUDE [EXCLUDE ...]]
1965 [--autoaddoc
1966 AUTOADDOC]
1967 DN
1968
1969
1970 DN The config entry full DN
1971
1972
1974 --attr ATTR
1975 Specifies the attribute in the user entry for the Directory
1976 Server to manage to reflect group membership (memberOfAttr)
1977
1978
1979 --groupattr GROUPATTR [GROUPATTR ...]
1980 Specifies the attribute in the group entry to use to identify
1981 the DNs of group members (memberOfGroupAttr)
1982
1983
1984 --allbackends {on,off}
1985 Specifies whether to search the local suffix for user entries or
1986 all available suffixes (memberOfAllBackends)
1987
1988
1989 --skipnested {on,off}
1990 Specifies whether to skip nested groups or not (memberOfSkip‐
1991 Nested)
1992
1993
1994 --scope SCOPE [SCOPE ...]
1995 Specifies backends or multiple-nested suffixes for the MemberOf
1996 plug-in to work on (memberOfEntryScope)
1997
1998
1999 --exclude EXCLUDE [EXCLUDE ...]
2000 Specifies backends or multiple-nested suffixes for the MemberOf
2001 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2002
2003
2004 --autoaddoc AUTOADDOC
2005 If an entry does not have an object class that allows the mem‐
2006 berOf attribute then the memberOf plugin will automatically add
2007 the object class listed in the memberOfAutoAddOC parameter
2008
2009
2011 usage: dsconf instance plugin memberof config-entry set [-h] [--attr
2012 ATTR]
2013 [--groupattr
2014 GROUPATTR [GROUPATTR ...]]
2015 [--allbackends
2016 {on,off}]
2017 [--skipnested
2018 {on,off}]
2019 [--scope SCOPE
2020 [SCOPE ...]]
2021 [--exclude EX‐
2022 CLUDE [EXCLUDE ...]]
2023 [--autoaddoc
2024 AUTOADDOC]
2025 DN
2026
2027
2028 DN The config entry full DN
2029
2030
2032 --attr ATTR
2033 Specifies the attribute in the user entry for the Directory
2034 Server to manage to reflect group membership (memberOfAttr)
2035
2036
2037 --groupattr GROUPATTR [GROUPATTR ...]
2038 Specifies the attribute in the group entry to use to identify
2039 the DNs of group members (memberOfGroupAttr)
2040
2041
2042 --allbackends {on,off}
2043 Specifies whether to search the local suffix for user entries or
2044 all available suffixes (memberOfAllBackends)
2045
2046
2047 --skipnested {on,off}
2048 Specifies whether to skip nested groups or not (memberOfSkip‐
2049 Nested)
2050
2051
2052 --scope SCOPE [SCOPE ...]
2053 Specifies backends or multiple-nested suffixes for the MemberOf
2054 plug-in to work on (memberOfEntryScope)
2055
2056
2057 --exclude EXCLUDE [EXCLUDE ...]
2058 Specifies backends or multiple-nested suffixes for the MemberOf
2059 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2060
2061
2062 --autoaddoc AUTOADDOC
2063 If an entry does not have an object class that allows the mem‐
2064 berOf attribute then the memberOf plugin will automatically add
2065 the object class listed in the memberOfAutoAddOC parameter
2066
2067
2069 usage: dsconf instance plugin memberof config-entry show [-h] DN
2070
2071
2072 DN The config entry full DN
2073
2074
2076 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2077
2078
2079 DN The config entry full DN
2080
2081
2083 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] [--wait]
2084 DN
2085
2086
2087 DN Base DN that contains entries to fix up
2088
2089
2091 -f FILTER, --filter FILTER
2092 Filter for entries to fix up. If omitted, all entries with ob‐
2093 jectclass inetuser/inetadmin/nsmemberof under the specified base
2094 will have their memberOf attribute regenerated.
2095
2096
2097 --wait Wait for the task to finish; this could take a long time
2098
2099
2101 usage: dsconf instance plugin memberof fixup-status [-h] [--dn DN]
2102 [--show-log]
2103 [--watch]
2104
2105
2107 --dn DN
2108 The task entry's DN
2109
2110
2111 --show-log
2112 Display the task log
2113
2114
2115 --watch
2116 Watch the task's status and wait for it to finish
2117
2118
2120 usage: dsconf instance plugin automember [-h]
2121 {show,enable,disable,sta‐
2122 tus,list,definition,fixup,fixup-status,abort-fixup}
2123 ...
2124
2125
2127 dsconf plugin automember show
2128 Displays the plugin configuration
2129
2130 dsconf plugin automember enable
2131 Enables the plugin
2132
2133 dsconf plugin automember disable
2134 Disables the plugin
2135
2136 dsconf plugin automember status
2137 Displays the plugin status
2138
2139 dsconf plugin automember list
2140 List Automembership definitions or regex rules.
2141
2142 dsconf plugin automember definition
2143 Manage Automembership definition.
2144
2145 dsconf plugin automember fixup
2146 Run a rebuild membership task.
2147
2148 dsconf plugin automember fixup-status
2149 Check the status of a fix-up task
2150
2151 dsconf plugin automember abort-fixup
2152 Abort the rebuild membership task.
2153
2155 usage: dsconf instance plugin automember show [-h]
2156
2157
2159 usage: dsconf instance plugin automember enable [-h]
2160
2161
2163 usage: dsconf instance plugin automember disable [-h]
2164
2165
2167 usage: dsconf instance plugin automember status [-h]
2168
2169
2171 usage: dsconf instance plugin automember list [-h] {defini‐
2172 tions,regexes} ...
2173
2174
2176 dsconf plugin automember list definitions
2177 Lists Automembership definitions.
2178
2179 dsconf plugin automember list regexes
2180 List Automembership regex rules.
2181
2183 usage: dsconf instance plugin automember list definitions [-h]
2184
2185
2187 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2188
2189
2190 DEFNAME
2191 The definition entry CN
2192
2193
2195 usage: dsconf instance plugin automember definition [-h]
2196 DEFNAME
2197 {add,set,delete,show,regex}
2198 ...
2199
2200
2202 dsconf plugin automember definition add
2203 Creates Automembership definition.
2204
2205 dsconf plugin automember definition set
2206 Edits Automembership definition.
2207
2208 dsconf plugin automember definition delete
2209 Removes Automembership definition.
2210
2211 dsconf plugin automember definition show
2212 Displays Automembership definition.
2213
2214 dsconf plugin automember definition regex
2215 Manage Automembership regex rules.
2216
2218 usage: dsconf instance plugin automember definition DEFNAME add
2219 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2220 FAULT_GROUP]
2221 --scope SCOPE --filter FILTER
2222
2223
2225 --grouping-attr GROUPING_ATTR
2226 Specifies the name of the member attribute in the group entry
2227 and the attribute in the object entry that supplies the member
2228 attribute value, in the format group_member_attr:entry_attr (au‐
2229 toMemberGroupingAttr)
2230
2231
2232 --default-group DEFAULT_GROUP
2233 Sets default or fallback group to add the entry to as a member
2234 attribute in group entry (autoMemberDefaultGroup)
2235
2236
2237 --scope SCOPE
2238 Sets the subtree DN to search for entries (autoMemberScope)
2239
2240
2241 --filter FILTER
2242 Sets a standard LDAP search filter to use to search for matching
2243 entries (autoMemberFilter)
2244
2245
2247 usage: dsconf instance plugin automember definition DEFNAME set
2248 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2249 FAULT_GROUP]
2250 --scope SCOPE --filter FILTER
2251
2252
2254 --grouping-attr GROUPING_ATTR
2255 Specifies the name of the member attribute in the group entry
2256 and the attribute in the object entry that supplies the member
2257 attribute value, in the format group_member_attr:entry_attr (au‐
2258 toMemberGroupingAttr)
2259
2260
2261 --default-group DEFAULT_GROUP
2262 Sets default or fallback group to add the entry to as a member
2263 attribute in group entry (autoMemberDefaultGroup)
2264
2265
2266 --scope SCOPE
2267 Sets the subtree DN to search for entries (autoMemberScope)
2268
2269
2270 --filter FILTER
2271 Sets a standard LDAP search filter to use to search for matching
2272 entries (autoMemberFilter)
2273
2274
2276 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2277
2278
2280 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2281
2282
2284 usage: dsconf instance plugin automember definition DEFNAME regex
2285 [-h] REGEXNAME {add,set,delete,show} ...
2286
2287
2289 dsconf plugin automember definition regex add
2290 Creates Automembership regex.
2291
2292 dsconf plugin automember definition regex set
2293 Edits Automembership regex.
2294
2295 dsconf plugin automember definition regex delete
2296 Removes Automembership regex.
2297
2298 dsconf plugin automember definition regex show
2299 Displays Automembership regex.
2300
2302 usage: dsconf instance plugin automember definition DEFNAME regex
2303 REGEXNAME add
2304 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2305 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2306 GET_GROUP
2307
2308
2310 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2311 Sets a single regular expression to use to identify entries to
2312 exclude (autoMemberExclusiveRegex)
2313
2314
2315 --inclusive INCLUSIVE [INCLUSIVE ...]
2316 Sets a single regular expression to use to identify entries to
2317 include (autoMemberInclusiveRegex)
2318
2319
2320 --target-group TARGET_GROUP
2321 Sets which group to add the entry to as a member, if it meets
2322 the regular expression conditions (autoMemberTargetGroup)
2323
2324
2326 usage: dsconf instance plugin automember definition DEFNAME regex
2327 REGEXNAME set
2328 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2329 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2330 GET_GROUP
2331
2332
2334 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2335 Sets a single regular expression to use to identify entries to
2336 exclude (autoMemberExclusiveRegex)
2337
2338
2339 --inclusive INCLUSIVE [INCLUSIVE ...]
2340 Sets a single regular expression to use to identify entries to
2341 include (autoMemberInclusiveRegex)
2342
2343
2344 --target-group TARGET_GROUP
2345 Sets which group to add the entry to as a member, if it meets
2346 the regular expression conditions (autoMemberTargetGroup)
2347
2348
2350 usage: dsconf instance plugin automember definition DEFNAME regex
2351 REGEXNAME delete
2352 [-h]
2353
2354
2356 usage: dsconf instance plugin automember definition DEFNAME regex
2357 REGEXNAME show
2358 [-h]
2359
2360
2362 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2363 {sub,base,one} [--wait]
2364 DN
2365
2366
2367 DN Base DN that contains entries to fix up
2368
2369
2371 -f FILTER, --filter FILTER
2372 Sets the LDAP filter for entries to fix up
2373
2374
2375 -s {sub,base,one}, --scope {sub,base,one}
2376 Sets the LDAP search scope for entries to fix up
2377
2378
2379 --wait Wait for the task to finish; this could take a long time
2380
2381
2383 usage: dsconf instance plugin automember fixup-status [-h] [--dn DN]
2384 [--show-log]
2385 [--watch]
2386
2387
2389 --dn DN
2390 The task entry's DN
2391
2392
2393 --show-log
2394 Display the task log
2395
2396
2397 --watch
2398 Watch the task's status and wait for it to finish
2399
2400
2402 usage: dsconf instance plugin automember abort-fixup [-h]
2403
2404
2406 usage: dsconf instance plugin referential-integrity [-h]
2407 {show,enable,dis‐
2408 able,status,set,config-entry}
2409 ...
2410
2411
2413 dsconf plugin referential-integrity show
2414 Displays the plugin configuration
2415
2416 dsconf plugin referential-integrity enable
2417 Enables the plugin
2418
2419 dsconf plugin referential-integrity disable
2420 Disables the plugin
2421
2422 dsconf plugin referential-integrity status
2423 Displays the plugin status
2424
2425 dsconf plugin referential-integrity set
2426 Edit the plugin settings
2427
2428 dsconf plugin referential-integrity config-entry
2429 Manage the config entry
2430
2432 usage: dsconf instance plugin referential-integrity show [-h]
2433
2434
2436 usage: dsconf instance plugin referential-integrity enable [-h]
2437
2438
2440 usage: dsconf instance plugin referential-integrity disable [-h]
2441
2442
2444 usage: dsconf instance plugin referential-integrity status [-h]
2445
2446
2448 usage: dsconf instance plugin referential-integrity set [-h]
2449 [--update-delay
2450 UPDATE_DELAY]
2451 [--membership-
2452 attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2453 [--entry-scope
2454 ENTRY_SCOPE]
2455 [--exclude-en‐
2456 try-scope EXCLUDE_ENTRY_SCOPE]
2457 [--container-
2458 scope CONTAINER_SCOPE]
2459 [--log-file
2460 LOG_FILE]
2461 [--config-entry
2462 CONFIG_ENTRY]
2463
2464
2466 --update-delay UPDATE_DELAY
2467 Sets the update interval. Special values: 0 - The check is per‐
2468 formed immediately, -1 - No check is performed (referint-up‐
2469 date-delay)
2470
2471
2472 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2473 Specifies attributes to check for and update (referint-member‐
2474 ship-attr)
2475
2476
2477 --entry-scope ENTRY_SCOPE
2478 Defines the subtree in which the plug-in looks for the delete or
2479 rename operations of a user entry (nsslapd-pluginEntryScope)
2480
2481
2482 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2483 Defines the subtree in which the plug-in ignores any operations
2484 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2485 tryScope)
2486
2487
2488 --container-scope CONTAINER_SCOPE
2489 Specifies which branch the plug-in searches for the groups to
2490 which the user belongs. It only updates groups that are under
2491 the specified container branch, and leaves all other groups not
2492 updated (nsslapd-pluginContainerScope)
2493
2494
2495 --log-file LOG_FILE
2496 Specifies a path to the Referential integrity logfile. For exam‐
2497 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2498
2499
2500 --config-entry CONFIG_ENTRY
2501 The value to set as nsslapd-pluginConfigArea
2502
2503
2505 usage: dsconf instance plugin referential-integrity config-entry
2506 [-h] {add,set,show,delete} ...
2507
2508
2510 dsconf plugin referential-integrity config-entry add
2511 Add the config entry
2512
2513 dsconf plugin referential-integrity config-entry set
2514 Edit the config entry
2515
2516 dsconf plugin referential-integrity config-entry show
2517 Display the config entry
2518
2519 dsconf plugin referential-integrity config-entry delete
2520 Delete the config entry
2521
2523 usage: dsconf instance plugin referential-integrity config-entry add
2524 [-h] [--update-delay UPDATE_DELAY]
2525 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2526 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2527 TRY_SCOPE]
2528 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2529 DN
2530
2531
2532 DN The config entry full DN
2533
2534
2536 --update-delay UPDATE_DELAY
2537 Sets the update interval. Special values: 0 - The check is per‐
2538 formed immediately, -1 - No check is performed (referint-up‐
2539 date-delay)
2540
2541
2542 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2543 Specifies attributes to check for and update (referint-member‐
2544 ship-attr)
2545
2546
2547 --entry-scope ENTRY_SCOPE
2548 Defines the subtree in which the plug-in looks for the delete or
2549 rename operations of a user entry (nsslapd-pluginEntryScope)
2550
2551
2552 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2553 Defines the subtree in which the plug-in ignores any operations
2554 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2555 tryScope)
2556
2557
2558 --container-scope CONTAINER_SCOPE
2559 Specifies which branch the plug-in searches for the groups to
2560 which the user belongs. It only updates groups that are under
2561 the specified container branch, and leaves all other groups not
2562 updated (nsslapd-pluginContainerScope)
2563
2564
2565 --log-file LOG_FILE
2566 Specifies a path to the Referential integrity logfile. For exam‐
2567 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2568
2569
2571 usage: dsconf instance plugin referential-integrity config-entry set
2572 [-h] [--update-delay UPDATE_DELAY]
2573 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2574 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2575 TRY_SCOPE]
2576 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2577 DN
2578
2579
2580 DN The config entry full DN
2581
2582
2584 --update-delay UPDATE_DELAY
2585 Sets the update interval. Special values: 0 - The check is per‐
2586 formed immediately, -1 - No check is performed (referint-up‐
2587 date-delay)
2588
2589
2590 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2591 Specifies attributes to check for and update (referint-member‐
2592 ship-attr)
2593
2594
2595 --entry-scope ENTRY_SCOPE
2596 Defines the subtree in which the plug-in looks for the delete or
2597 rename operations of a user entry (nsslapd-pluginEntryScope)
2598
2599
2600 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2601 Defines the subtree in which the plug-in ignores any operations
2602 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2603 tryScope)
2604
2605
2606 --container-scope CONTAINER_SCOPE
2607 Specifies which branch the plug-in searches for the groups to
2608 which the user belongs. It only updates groups that are under
2609 the specified container branch, and leaves all other groups not
2610 updated (nsslapd-pluginContainerScope)
2611
2612
2613 --log-file LOG_FILE
2614 Specifies a path to the Referential integrity logfile. For exam‐
2615 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2616
2617
2619 usage: dsconf instance plugin referential-integrity config-entry show
2620 [-h] DN
2621
2622
2623 DN The config entry full DN
2624
2625
2627 usage: dsconf instance plugin referential-integrity config-entry delete
2628 [-h] DN
2629
2630
2631 DN The config entry full DN
2632
2633
2635 usage: dsconf instance plugin root-dn [-h]
2636 {show,enable,disable,status,set}
2637 ...
2638
2639
2641 dsconf plugin root-dn show
2642 Displays the plugin configuration
2643
2644 dsconf plugin root-dn enable
2645 Enables the plugin
2646
2647 dsconf plugin root-dn disable
2648 Disables the plugin
2649
2650 dsconf plugin root-dn status
2651 Displays the plugin status
2652
2653 dsconf plugin root-dn set
2654 Edit the plugin settings
2655
2657 usage: dsconf instance plugin root-dn show [-h]
2658
2659
2661 usage: dsconf instance plugin root-dn enable [-h]
2662
2663
2665 usage: dsconf instance plugin root-dn disable [-h]
2666
2667
2669 usage: dsconf instance plugin root-dn status [-h]
2670
2671
2673 usage: dsconf instance plugin root-dn set [-h]
2674 [--allow-host ALLOW_HOST [AL‐
2675 LOW_HOST ...]]
2676 [--deny-host DENY_HOST
2677 [DENY_HOST ...]]
2678 [--allow-ip ALLOW_IP [AL‐
2679 LOW_IP ...]]
2680 [--deny-ip DENY_IP [DENY_IP
2681 ...]]
2682 [--open-time OPEN_TIME]
2683 [--close-time CLOSE_TIME]
2684 [--days-allowed DAYS_ALLOWED]
2685
2686
2688 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2689 Sets what hosts, by fully-qualified domain name, the root user
2690 is allowed to use to access Directory Server. Any hosts not
2691 listed are implicitly denied (rootdn-allow-host)
2692
2693
2694 --deny-host DENY_HOST [DENY_HOST ...]
2695 Sets what hosts, by fully-qualified domain name, the root user
2696 is not allowed to use to access Directory Server. Any hosts not
2697 listed are implicitly allowed (rootdn-deny-host). If a host ad‐
2698 dress is listed in both the rootdn-allow-host and
2699 rootdn-deny-host attributes, it is denied access.
2700
2701
2702 --allow-ip ALLOW_IP [ALLOW_IP ...]
2703 Sets what IP addresses, either IPv4 or IPv6, for machines the
2704 root user is allowed to use to access Directory Server. Any IP
2705 addresses not listed are implicitly denied (rootdn-allow-ip)
2706
2707
2708 --deny-ip DENY_IP [DENY_IP ...]
2709 Sets what IP addresses, either IPv4 or IPv6, for machines the
2710 root user is not allowed to use to access Directory Server. Any
2711 IP addresses not listed are implicitly allowed (rootdn-deny-ip).
2712 If an IP address is listed in both the rootdn-allow-ip and
2713 rootdn-deny-ip attributes, it is denied access.
2714
2715
2716 --open-time OPEN_TIME
2717 Sets part of a time period or range when the root user is al‐
2718 lowed to access Directory Server. This sets when the time-based
2719 access begins (rootdn-open-time)
2720
2721
2722 --close-time CLOSE_TIME
2723 Sets part of a time period or range when the root user is al‐
2724 lowed to access Directory Server. This sets when the time-based
2725 access ends (rootdn-close-time)
2726
2727
2728 --days-allowed DAYS_ALLOWED
2729 Sets a comma-separated list of what days the root user is al‐
2730 lowed to use to access Directory Server. Any days not listed are
2731 implicitly denied (rootdn-days-allowed)
2732
2733
2735 usage: dsconf instance plugin usn [-h]
2736 {show,enable,disable,sta‐
2737 tus,global,cleanup}
2738 ...
2739
2740
2742 dsconf plugin usn show
2743 Displays the plugin configuration
2744
2745 dsconf plugin usn enable
2746 Enables the plugin
2747
2748 dsconf plugin usn disable
2749 Disables the plugin
2750
2751 dsconf plugin usn status
2752 Displays the plugin status
2753
2754 dsconf plugin usn global
2755 Get or manage global USN mode (nsslapd-entryusn-global)
2756
2757 dsconf plugin usn cleanup
2758 Runs the USN tombstone cleanup task
2759
2761 usage: dsconf instance plugin usn show [-h]
2762
2763
2765 usage: dsconf instance plugin usn enable [-h]
2766
2767
2769 usage: dsconf instance plugin usn disable [-h]
2770
2771
2773 usage: dsconf instance plugin usn status [-h]
2774
2775
2777 usage: dsconf instance plugin usn global [-h] {on,off} ...
2778
2779
2781 dsconf plugin usn global on
2782 Enables USN global mode
2783
2784 dsconf plugin usn global off
2785 Disables USN global mode
2786
2788 usage: dsconf instance plugin usn global on [-h]
2789
2790
2792 usage: dsconf instance plugin usn global off [-h]
2793
2794
2796 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2797 [-m MAX_USN]
2798
2799
2801 -s SUFFIX, --suffix SUFFIX
2802 Sets the suffix or subtree in Directory Server to run the
2803 cleanup operation against. If the suffix is not specified, then
2804 the back end must be specified (suffix).
2805
2806
2807 -n BACKEND, --backend BACKEND
2808 Sets the Directory Server instance back end, or database, to run
2809 the cleanup operation against. If the back end is not specified,
2810 then the suffix must be specified. This is the backend instance in
2811 which USN tombstone entries are cleaned up (backend)
2812
2813
2814 -m MAX_USN, --max-usn MAX_USN
2815 Sets the highest USN value to delete when removing tombstone en‐
2816 tries (max_usn_to_delete)
2817
2818
2820 usage: dsconf instance plugin account-policy [-h]
2821 {show,enable,disable,sta‐
2822 tus,set,config-entry}
2823 ...
2824
2825
2827 dsconf plugin account-policy show
2828 Displays the plugin configuration
2829
2830 dsconf plugin account-policy enable
2831 Enables the plugin
2832
2833 dsconf plugin account-policy disable
2834 Disables the plugin
2835
2836 dsconf plugin account-policy status
2837 Displays the plugin status
2838
2839 dsconf plugin account-policy set
2840 Edit the plugin settings
2841
2842 dsconf plugin account-policy config-entry
2843 Manage the config entry
2844
2846 usage: dsconf instance plugin account-policy show [-h]
2847
2848
2850 usage: dsconf instance plugin account-policy enable [-h]
2851
2852
2854 usage: dsconf instance plugin account-policy disable [-h]
2855
2856
2858 usage: dsconf instance plugin account-policy status [-h]
2859
2860
2862 usage: dsconf instance plugin account-policy set [-h]
2863 [--config-entry CON‐
2864 FIG_ENTRY]
2865
2866
2868 --config-entry CONFIG_ENTRY
2869 Sets the nsslapd-pluginConfigArea attribute
2870
2871
2873 usage: dsconf instance plugin account-policy config-entry [-h]
2874 {add,set,show,delete}
2875 ...
2876
2877
2879 dsconf plugin account-policy config-entry add
2880 Add the config entry
2881
2882 dsconf plugin account-policy config-entry set
2883 Edit the config entry
2884
2885 dsconf plugin account-policy config-entry show
2886 Display the config entry
2887
2888 dsconf plugin account-policy config-entry delete
2889 Delete the config entry
2890
2892 usage: dsconf instance plugin account-policy config-entry add
2893 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2894 ALT_STATE_ATTR]
2895 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2896 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2897 [--state-attr STATE_ATTR]
2898 DN
2899
2900
2901 DN The full DN of the config entry
2902
2903
2905 --always-record-login {yes,no}
2906 Sets that every entry records its last login time (alwaysRecord‐
2907 Login)
2908
2909
2910 --alt-state-attr ALT_STATE_ATTR
2911 Provides a backup attribute for the server to reference to eval‐
2912 uate the expiration time (altStateAttrName)
2913
2914
2915 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2916 Specifies the attribute in which to store the time of the last
2917 successful login in the user's directory entry (al‐
2918 waysRecordLoginAttr)
2919
2920
2921 --limit-attr LIMIT_ATTR
2922 Specifies the attribute within the policy to use for the account
2923 inactivation limit (limitAttrName)
2924
2925
2926 --spec-attr SPEC_ATTR
2927 Specifies the attribute to identify which entries are account
2928 policy configuration entries (specAttrName)
2929
2930
2931 --state-attr STATE_ATTR
2932 Specifies the primary time attribute used to evaluate an account
2933 policy (stateAttrName)
2934
2935
2937 usage: dsconf instance plugin account-policy config-entry set
2938 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2939 ALT_STATE_ATTR]
2940 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2941 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2942 [--state-attr STATE_ATTR]
2943 DN
2944
2945
2946 DN The full DN of the config entry
2947
2948
2950 --always-record-login {yes,no}
2951 Sets that every entry records its last login time (alwaysRecord‐
2952 Login)
2953
2954
2955 --alt-state-attr ALT_STATE_ATTR
2956 Provides a backup attribute for the server to reference to eval‐
2957 uate the expiration time (altStateAttrName)
2958
2959
2960 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2961 Specifies the attribute in which to store the time of the last
2962 successful login in the user's directory entry (al‐
2963 waysRecordLoginAttr)
2964
2965
2966 --limit-attr LIMIT_ATTR
2967 Specifies the attribute within the policy to use for the account
2968 inactivation limit (limitAttrName)
2969
2970
2971 --spec-attr SPEC_ATTR
2972 Specifies the attribute to identify which entries are account
2973 policy configuration entries (specAttrName)
2974
2975
2976 --state-attr STATE_ATTR
2977 Specifies the primary time attribute used to evaluate an account
2978 policy (stateAttrName)
2979
2980
2982 usage: dsconf instance plugin account-policy config-entry show [-h] DN
2983
2984
2985 DN The full DN of the config entry
2986
2987
2989 usage: dsconf instance plugin account-policy config-entry delete [-h]
2990 DN
2991
2992
2993 DN The full DN of the config entry
2994
2995
2997 usage: dsconf instance plugin attr-uniq [-h]
2998 {list,add,set,show,delete,en‐
2999 able,disable,status}
3000 ...
3001
3002
3004 dsconf plugin attr-uniq list
3005 Lists available plugin configs
3006
3007 dsconf plugin attr-uniq add
3008 Add the config entry
3009
3010 dsconf plugin attr-uniq set
3011 Edit the config entry
3012
3013 dsconf plugin attr-uniq show
3014 Display the config entry
3015
3016 dsconf plugin attr-uniq delete
3017 Delete the config entry
3018
3019 dsconf plugin attr-uniq enable
3020 enable plugin
3021
3022 dsconf plugin attr-uniq disable
3023 disable plugin
3024
3025 dsconf plugin attr-uniq status
3026 display plugin status
3027
3029 usage: dsconf instance plugin attr-uniq list [-h]
3030
3031
3033 usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
3034 [--attr-name ATTR_NAME
3035 [ATTR_NAME ...]]
3036 [--subtree SUBTREE [SUBTREE
3037 ...]]
3038 [--across-all-subtrees
3039 {on,off}]
3040 [--top-entry-oc TOP_EN‐
3041 TRY_OC]
3042 [--subtree-entries-oc SUB‐
3043 TREE_ENTRIES_OC]
3044 NAME
3045
3046
3047 NAME The name of the plug-in configuration record. (cn) You can use
3048 any string, but "attribute_name Attribute Uniqueness" is recom‐
3049 mended.
3050
3051
3053 --enabled {on,off}
3054 Identifies whether or not the config is enabled.
3055
3056
3057 --attr-name ATTR_NAME [ATTR_NAME ...]
3058 Sets the name of the attribute whose values must be unique. This
3059 attribute is multi-valued. (uniqueness-attribute-name)
3060
3061
3062 --subtree SUBTREE [SUBTREE ...]
3063 Sets the DN under which the plug-in checks for uniqueness of the
3064 attribute's value. This attribute is multi-valued (unique‐
3065 ness-subtrees)
3066
3067
3068 --across-all-subtrees {on,off}
3069 If enabled (on), the plug-in checks that the attribute is unique
3070 across all subtrees set. If you set the attribute to off,
3071 uniqueness is only enforced within the subtree of the updated
3072 entry (uniqueness-across-all-subtrees)
3073
3074
3075 --top-entry-oc TOP_ENTRY_OC
3076 Verifies that the value of the attribute set in uniqueness-at‐
3077 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3078
3079
3080 --subtree-entries-oc SUBTREE_ENTRIES_OC
3081 Verifies if an attribute is unique, if the entry contains the
3082 object class set in this parameter (uniqueness-subtree-en‐
3083 tries-oc)
3084
3085
3087 usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
3088 [--attr-name ATTR_NAME
3089 [ATTR_NAME ...]]
3090 [--subtree SUBTREE [SUBTREE
3091 ...]]
3092 [--across-all-subtrees
3093 {on,off}]
3094 [--top-entry-oc TOP_EN‐
3095 TRY_OC]
3096 [--subtree-entries-oc SUB‐
3097 TREE_ENTRIES_OC]
3098 NAME
3099
3100
3101 NAME The name of the plug-in configuration record. (cn) You can use
3102 any string, but "attribute_name Attribute Uniqueness" is recom‐
3103 mended.
3104
3105
3107 --enabled {on,off}
3108 Identifies whether or not the config is enabled.
3109
3110
3111 --attr-name ATTR_NAME [ATTR_NAME ...]
3112 Sets the name of the attribute whose values must be unique. This
3113 attribute is multi-valued. (uniqueness-attribute-name)
3114
3115
3116 --subtree SUBTREE [SUBTREE ...]
3117 Sets the DN under which the plug-in checks for uniqueness of the
3118 attribute's value. This attribute is multi-valued (unique‐
3119 ness-subtrees)
3120
3121
3122 --across-all-subtrees {on,off}
3123 If enabled (on), the plug-in checks that the attribute is unique
3124 across all subtrees set. If you set the attribute to off,
3125 uniqueness is only enforced within the subtree of the updated
3126 entry (uniqueness-across-all-subtrees)
3127
3128
3129 --top-entry-oc TOP_ENTRY_OC
3130 Verifies that the value of the attribute set in uniqueness-at‐
3131 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3132
3133
3134 --subtree-entries-oc SUBTREE_ENTRIES_OC
3135 Verifies if an attribute is unique, if the entry contains the
3136 object class set in this parameter (uniqueness-subtree-en‐
3137 tries-oc)
3138
3139
3141 usage: dsconf instance plugin attr-uniq show [-h] NAME
3142
3143
3144 NAME The name of the plug-in configuration record
3145
3146
3148 usage: dsconf instance plugin attr-uniq delete [-h] NAME
3149
3150
3151 NAME The name of the plug-in configuration record
3152
3153
3155 usage: dsconf instance plugin attr-uniq enable [-h] NAME
3156
3157
3158 NAME The name of the plug-in configuration record
3159
3160
3162 usage: dsconf instance plugin attr-uniq disable [-h] NAME
3163
3164
3165 NAME The name of the plug-in configuration record
3166
3167
3169 usage: dsconf instance plugin attr-uniq status [-h] NAME
3170
3171
3172 NAME The name of the plug-in configuration record
3173
3174
3176 usage: dsconf instance plugin dna [-h]
3177 {show,enable,disable,status,list,con‐
3178 fig} ...
3179
3180
3182 dsconf plugin dna show
3183 Displays the plugin configuration
3184
3185 dsconf plugin dna enable
3186 Enables the plugin
3187
3188 dsconf plugin dna disable
3189 Disables the plugin
3190
3191 dsconf plugin dna status
3192 Displays the plugin status
3193
3194 dsconf plugin dna list
3195 List available plugin configs
3196
3197 dsconf plugin dna config
3198 Manage plugin configs
3199
3201 usage: dsconf instance plugin dna show [-h]
3202
3203
3205 usage: dsconf instance plugin dna enable [-h]
3206
3207
3209 usage: dsconf instance plugin dna disable [-h]
3210
3211
3213 usage: dsconf instance plugin dna status [-h]
3214
3215
3217 usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
3218 ...
3219
3220
3222 dsconf plugin dna list configs
3223 List main DNA plugin config entries
3224
3225 dsconf plugin dna list shared-configs
3226 List DNA plugin shared config entries
3227
3229 usage: dsconf instance plugin dna list configs [-h]
3230
3231
3233 usage: dsconf instance plugin dna list shared-configs [-h] BASEDN
3234
3235
3236 BASEDN The search DN
3237
3238
3240 usage: dsconf instance plugin dna config [-h]
3241 NAME
3242 {add,set,show,delete,shared-
3243 config-entry}
3244 ...
3245
3246
3248 dsconf plugin dna config add
3249 Add the config entry
3250
3251 dsconf plugin dna config set
3252 Edit the config entry
3253
3254 dsconf plugin dna config show
3255 Display the config entry
3256
3257 dsconf plugin dna config delete
3258 Delete the config entry
3259
3260 dsconf plugin dna config shared-config-entry
3261 Manage the shared config entry
3262
3264 usage: dsconf instance plugin dna config NAME add [-h]
3265 [--type TYPE [TYPE
3266 ...]]
3267 [--prefix PREFIX]
3268 [--next-value
3269 NEXT_VALUE]
3270 [--max-value
3271 MAX_VALUE]
3272 [--interval INTERVAL]
3273 [--magic-regen
3274 MAGIC_REGEN]
3275 [--filter FILTER]
3276 [--scope SCOPE]
3277 [--remote-bind-dn RE‐
3278 MOTE_BIND_DN]
3279 [--remote-bind-cred
3280 REMOTE_BIND_CRED]
3281 [--shared-config-en‐
3282 try SHARED_CONFIG_ENTRY]
3283 [--threshold THRESH‐
3284 OLD]
3285 [--next-range
3286 NEXT_RANGE]
3287 [--range-request-
3288 timeout RANGE_REQUEST_TIMEOUT]
3289
3290
3292 --type TYPE [TYPE ...]
3293 Sets which attributes have unique numbers being generated for
3294 them (dnaType)
3295
3296
3297 --prefix PREFIX
3298 Defines a prefix that can be prepended to the generated number
3299 values for the attribute (dnaPrefix)
3300
3301
3302 --next-value NEXT_VALUE
3303 Sets the next available number which can be assigned
3304 (dnaNextValue)
3305
3306
3307 --max-value MAX_VALUE
3308 Sets the maximum value that can be assigned for the range (dna‐
3309 MaxValue)
3310
3311
3312 --interval INTERVAL
3313 Sets an interval to use to increment through numbers in a range
3314 (dnaInterval)
3315
3316
3317 --magic-regen MAGIC_REGEN
3318 Sets a user-defined value that instructs the plug-in to assign a
3319 new value for the entry (dnaMagicRegen)
3320
3321
3322 --filter FILTER
3323 Sets an LDAP filter to use to search for and identify the en‐
3324 tries to which to apply the distributed numeric assignment range
3325 (dnaFilter)
3326
3327
3328 --scope SCOPE
3329 Sets the base DN to search for entries to which to apply the
3330 distributed numeric assignment (dnaScope)
3331
3332
3333 --remote-bind-dn REMOTE_BIND_DN
3334 Specifies the Replication Manager DN (dnaRemoteBindDN)
3335
3336
3337 --remote-bind-cred REMOTE_BIND_CRED
3338 Specifies the Replication Manager's password (dnaRemoteBindCred)
3339
3340
3341 --shared-config-entry SHARED_CONFIG_ENTRY
3342 Defines a shared identity that the servers can use to transfer
3343 ranges to one another (dnaSharedCfgDN)
3344
3345
3346 --threshold THRESHOLD
3347 Sets a threshold of remaining available numbers in the range.
3348 When the server hits the threshold, it sends a request for a new
3349 range (dnaThreshold)
3350
3351
3352 --next-range NEXT_RANGE
3353 Defines the next range to use when the current range is ex‐
3354 hausted (dnaNextRange)
3355
3356
3357 --range-request-timeout RANGE_REQUEST_TIMEOUT
3358 Sets a timeout period, in seconds, for range requests so that
3359 the server does not stall waiting on a new range from one server
3360 and can request a range from a new server (dnaRangeRequestTime‐
3361 out)
3362
3363
3365 usage: dsconf instance plugin dna config NAME set [-h]
3366 [--type TYPE [TYPE
3367 ...]]
3368 [--prefix PREFIX]
3369 [--next-value
3370 NEXT_VALUE]
3371 [--max-value
3372 MAX_VALUE]
3373 [--interval INTERVAL]
3374 [--magic-regen
3375 MAGIC_REGEN]
3376 [--filter FILTER]
3377 [--scope SCOPE]
3378 [--remote-bind-dn RE‐
3379 MOTE_BIND_DN]
3380 [--remote-bind-cred
3381 REMOTE_BIND_CRED]
3382 [--shared-config-en‐
3383 try SHARED_CONFIG_ENTRY]
3384 [--threshold THRESH‐
3385 OLD]
3386 [--next-range
3387 NEXT_RANGE]
3388 [--range-request-
3389 timeout RANGE_REQUEST_TIMEOUT]
3390
3391
3393 --type TYPE [TYPE ...]
3394 Sets which attributes have unique numbers being generated for
3395 them (dnaType)
3396
3397
3398 --prefix PREFIX
3399 Defines a prefix that can be prepended to the generated number
3400 values for the attribute (dnaPrefix)
3401
3402
3403 --next-value NEXT_VALUE
3404 Sets the next available number which can be assigned
3405 (dnaNextValue)
3406
3407
3408 --max-value MAX_VALUE
3409 Sets the maximum value that can be assigned for the range (dna‐
3410 MaxValue)
3411
3412
3413 --interval INTERVAL
3414 Sets an interval to use to increment through numbers in a range
3415 (dnaInterval)
3416
3417
3418 --magic-regen MAGIC_REGEN
3419 Sets a user-defined value that instructs the plug-in to assign a
3420 new value for the entry (dnaMagicRegen)
3421
3422
3423 --filter FILTER
3424 Sets an LDAP filter to use to search for and identify the en‐
3425 tries to which to apply the distributed numeric assignment range
3426 (dnaFilter)
3427
3428
3429 --scope SCOPE
3430 Sets the base DN to search for entries to which to apply the
3431 distributed numeric assignment (dnaScope)
3432
3433
3434 --remote-bind-dn REMOTE_BIND_DN
3435 Specifies the Replication Manager DN (dnaRemoteBindDN)
3436
3437
3438 --remote-bind-cred REMOTE_BIND_CRED
3439 Specifies the Replication Manager's password (dnaRemoteBindCred)
3440
3441
3442 --shared-config-entry SHARED_CONFIG_ENTRY
3443 Defines a shared identity that the servers can use to transfer
3444 ranges to one another (dnaSharedCfgDN)
3445
3446
3447 --threshold THRESHOLD
3448 Sets a threshold of remaining available numbers in the range.
3449 When the server hits the threshold, it sends a request for a new
3450 range (dnaThreshold)
3451
3452
3453 --next-range NEXT_RANGE
3454 Defines the next range to use when the current range is ex‐
3455 hausted (dnaNextRange)
3456
3457
3458 --range-request-timeout RANGE_REQUEST_TIMEOUT
3459 Sets a timeout period, in seconds, for range requests so that
3460 the server does not stall waiting on a new range from one server
3461 and can request a range from a new server (dnaRangeRequestTime‐
3462 out)
3463
3464
3466 usage: dsconf instance plugin dna config NAME show [-h]
3467
3468
3470 usage: dsconf instance plugin dna config NAME delete [-h]
3471
3472
3474 usage: dsconf instance plugin dna config NAME shared-config-entry
3475 [-h] SHARED_CFG {set,show,delete} ...
3476
3477
3479 dsconf plugin dna config shared-config-entry set
3480 Edit the shared config entry
3481
3482 dsconf plugin dna config shared-config-entry show
3483 Display the shared config entry
3484
3485 dsconf plugin dna config shared-config-entry delete
3486 Delete the shared config entry
3487
3489 usage: dsconf instance plugin dna config NAME shared-config-entry
3490 SHARED_CFG set
3491 [-h] [--remote-bind-method REMOTE_BIND_METHOD]
3492 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3493
3494
3496 --remote-bind-method REMOTE_BIND_METHOD
3497 Specifies the remote bind method "SIMPLE", "SSL" (for SSL client
3498 auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)
3499
3500
3501 --remote-conn-protocol REMOTE_CONN_PROTOCOL
3502 Specifies the remote connection protocol "LDAP", or "TLS"
3503 (dnaRemoteConnProtocol)
3504
3505
3507 usage: dsconf instance plugin dna config NAME shared-config-entry
3508 SHARED_CFG show
3509 [-h]
3510
3511
3513 usage: dsconf instance plugin dna config NAME shared-config-entry
3514 SHARED_CFG delete
3515 [-h]
3516
3517
3519 usage: dsconf instance plugin linked-attr [-h]
3520 {show,enable,disable,sta‐
3521 tus,fixup,fixup-status,list,config}
3522 ...
3523
3524
3526 dsconf plugin linked-attr show
3527 Displays the plugin configuration
3528
3529 dsconf plugin linked-attr enable
3530 Enables the plugin
3531
3532 dsconf plugin linked-attr disable
3533 Disables the plugin
3534
3535 dsconf plugin linked-attr status
3536 Displays the plugin status
3537
3538 dsconf plugin linked-attr fixup
3539 Run the fix-up task for linked attributes plugin
3540
3541 dsconf plugin linked-attr fixup-status
3542 Check the status of a fix-up task
3543
3544 dsconf plugin linked-attr list
3545 List available plugin configs
3546
3547 dsconf plugin linked-attr config
3548 Manage plugin configs
3549
3551 usage: dsconf instance plugin linked-attr show [-h]
3552
3553
3555 usage: dsconf instance plugin linked-attr enable [-h]
3556
3557
3559 usage: dsconf instance plugin linked-attr disable [-h]
3560
3561
3563 usage: dsconf instance plugin linked-attr status [-h]
3564
3565
3567 usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
3568 [--wait]
3569
3570
3572 -l LINKDN, --linkdn LINKDN
3573 Sets the base DN that contains entries to fix up
3574
3575
3576 --wait Wait for the task to finish; this could take a long time
3577
3578
3580 usage: dsconf instance plugin linked-attr fixup-status [-h] [--dn DN]
3581 [--show-log]
3582 [--watch]
3583
3584
3586 --dn DN
3587 The task entry's DN
3588
3589
3590 --show-log
3591 Display the task log
3592
3593
3594 --watch
3595 Watch the task's status and wait for it to finish
3596
3597
3599 usage: dsconf instance plugin linked-attr list [-h]
3600
3601
3603 usage: dsconf instance plugin linked-attr config [-h]
3604 NAME
3605 {add,set,show,delete}
3606 ...
3607
3608
3610 dsconf plugin linked-attr config add
3611 Add the config entry
3612
3613 dsconf plugin linked-attr config set
3614 Edit the config entry
3615
3616 dsconf plugin linked-attr config show
3617 Display the config entry
3618
3619 dsconf plugin linked-attr config delete
3620 Delete the config entry
3621
3623 usage: dsconf instance plugin linked-attr config NAME add [-h]
3624 [--link-type
3625 LINK_TYPE]
3626 [--managed-
3627 type MANAGED_TYPE]
3628 [--link-scope
3629 LINK_SCOPE]
3630
3631
3633 --link-type LINK_TYPE
3634 Sets the attribute that is managed manually by administrators
3635 (linkType)
3636
3637
3638 --managed-type MANAGED_TYPE
3639 Sets the attribute that is created dynamically by the plugin
3640 (managedType)
3641
3642
3643 --link-scope LINK_SCOPE
3644 Sets the scope that restricts the plugin to a specific part of
3645 the directory tree (linkScope)
3646
3647
3649 usage: dsconf instance plugin linked-attr config NAME set [-h]
3650 [--link-type
3651 LINK_TYPE]
3652 [--managed-
3653 type MANAGED_TYPE]
3654 [--link-scope
3655 LINK_SCOPE]
3656
3657
3659 --link-type LINK_TYPE
3660 Sets the attribute that is managed manually by administrators
3661 (linkType)
3662
3663
3664 --managed-type MANAGED_TYPE
3665 Sets the attribute that is created dynamically by the plugin
3666 (managedType)
3667
3668
3669 --link-scope LINK_SCOPE
3670 Sets the scope that restricts the plugin to a specific part of
3671 the directory tree (linkScope)
3672
3673
3675 usage: dsconf instance plugin linked-attr config NAME show [-h]
3676
3677
3679 usage: dsconf instance plugin linked-attr config NAME delete [-h]
3680
3681
3683 usage: dsconf instance plugin managed-entries [-h]
3684 {show,enable,disable,sta‐
3685 tus,set,list,config,template}
3686 ...
3687
3688
3690 dsconf plugin managed-entries show
3691 Displays the plugin configuration
3692
3693 dsconf plugin managed-entries enable
3694 Enables the plugin
3695
3696 dsconf plugin managed-entries disable
3697 Disables the plugin
3698
3699 dsconf plugin managed-entries status
3700 Displays the plugin status
3701
3702 dsconf plugin managed-entries set
3703 Edit the plugin settings
3704
3705 dsconf plugin managed-entries list
3706 List Managed Entries Plugin configs and templates
3707
3708 dsconf plugin managed-entries config
3709 Handle Managed Entries Plugin configs
3710
3711 dsconf plugin managed-entries template
3712 Handle Managed Entries Plugin templates
3713
3715 usage: dsconf instance plugin managed-entries show [-h]
3716
3717
3719 usage: dsconf instance plugin managed-entries enable [-h]
3720
3721
3723 usage: dsconf instance plugin managed-entries disable [-h]
3724
3725
3727 usage: dsconf instance plugin managed-entries status [-h]
3728
3729
3731 usage: dsconf instance plugin managed-entries set [-h]
3732 [--config-area CON‐
3733 FIG_AREA]
3734
3735
3737 --config-area CONFIG_AREA
3738 Sets the value of the nsslapd-pluginConfigArea attribute
3739
3740
3742 usage: dsconf instance plugin managed-entries list [-h]
3743 {configs,templates}
3744 ...
3745
3746
3748 dsconf plugin managed-entries list configs
3749 List Managed Entries Plugin configs (list config-area if speci‐
3750 fied in the main plugin entry)
3751
3752 dsconf plugin managed-entries list templates
3753 List Managed Entries Plugin templates in the directory
3754
3756 usage: dsconf instance plugin managed-entries list configs [-h]
3757
3758
3760 usage: dsconf instance plugin managed-entries list templates [-h]
3761 [BASEDN]
3762
3763
3764 BASEDN The base DN where to search the templates
3765
3766
3768 usage: dsconf instance plugin managed-entries config [-h]
3769 NAME
3770 {add,set,show,delete}
3771 ...
3772
3773
3775 dsconf plugin managed-entries config add
3776 Add the config entry
3777
3778 dsconf plugin managed-entries config set
3779 Edit the config entry
3780
3781 dsconf plugin managed-entries config show
3782 Display the config entry
3783
3784 dsconf plugin managed-entries config delete
3785 Delete the config entry
3786
3788 usage: dsconf instance plugin managed-entries config NAME add
3789 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3790 AGED_BASE]
3791 [--managed-template MANAGED_TEMPLATE]
3792
3793
3795 --scope SCOPE
3796 Sets the scope of the search to use to see which entries the
3797 plug-in monitors (originScope)
3798
3799
3800 --filter FILTER
3801 Sets the search filter to use to search for and identify the en‐
3802 tries within the subtree which require a managed entry (origin‐
3803 Filter)
3804
3805
3806 --managed-base MANAGED_BASE
3807 Sets the subtree under which to create the managed entries (man‐
3808 agedBase)
3809
3810
3811 --managed-template MANAGED_TEMPLATE
3812 Identifies the template entry to use to create the managed entry
3813 (managedTemplate)
3814
3815
3817 usage: dsconf instance plugin managed-entries config NAME set
3818 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3819 AGED_BASE]
3820 [--managed-template MANAGED_TEMPLATE]
3821
3822
3824 --scope SCOPE
3825 Sets the scope of the search to use to see which entries the
3826 plug-in monitors (originScope)
3827
3828
3829 --filter FILTER
3830 Sets the search filter to use to search for and identify the en‐
3831 tries within the subtree which require a managed entry (origin‐
3832 Filter)
3833
3834
3835 --managed-base MANAGED_BASE
3836 Sets the subtree under which to create the managed entries (man‐
3837 agedBase)
3838
3839
3840 --managed-template MANAGED_TEMPLATE
3841 Identifies the template entry to use to create the managed entry
3842 (managedTemplate)
3843
3844
3846 usage: dsconf instance plugin managed-entries config NAME show [-h]
3847
3848
3850 usage: dsconf instance plugin managed-entries config NAME delete [-h]
3851
3852
3854 usage: dsconf instance plugin managed-entries template [-h]
3855 DN
3856 {add,set,show,delete}
3857 ...
3858
3859
3861 dsconf plugin managed-entries template add
3862 Add the template entry
3863
3864 dsconf plugin managed-entries template set
3865 Edit the template entry
3866
3867 dsconf plugin managed-entries template show
3868 Display the template entry
3869
3870 dsconf plugin managed-entries template delete
3871 Delete the template entry
3872
3874 usage: dsconf instance plugin managed-entries template DN add
3875 [-h] [--rdn-attr RDN_ATTR]
3876 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
3877 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
3878
3879
3881 --rdn-attr RDN_ATTR
3882 Sets which attribute to use as the naming attribute in the
3883 automatically-generated entry (mepRDNAttr)
3884
3885
3886 --static-attr STATIC_ATTR [STATIC_ATTR ...]
3887 Sets an attribute with a defined value that must be added to the
3888 automatically-generated entry (mepStaticAttr)
3889
3890
3891 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
3892 Sets attributes in the Managed Entries template entry which must
3893 exist in the generated entry (mepMappedAttr)
3894
3895
3897 usage: dsconf instance plugin managed-entries template DN set
3898 [-h] [--rdn-attr RDN_ATTR]
3899 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
3900 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
3901
3902
3904 --rdn-attr RDN_ATTR
3905 Sets which attribute to use as the naming attribute in the
3906 automatically-generated entry (mepRDNAttr)
3907
3908
3909 --static-attr STATIC_ATTR [STATIC_ATTR ...]
3910 Sets an attribute with a defined value that must be added to the
3911 automatically-generated entry (mepStaticAttr)
3912
3913
3914 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
3915 Sets attributes in the Managed Entries template entry which must
3916 exist in the generated entry (mepMappedAttr)
3917
3918
3920 usage: dsconf instance plugin managed-entries template DN show [-h]
3921
3922
3924 usage: dsconf instance plugin managed-entries template DN delete [-h]
3925
3926
3928 usage: dsconf instance plugin pass-through-auth [-h]
3929 {show,enable,dis‐
3930 able,status,list,url,pam-config}
3931 ...
3932
3933
3935 dsconf plugin pass-through-auth show
3936 Displays the plugin configuration
3937
3938 dsconf plugin pass-through-auth enable
3939 Enables the plugin
3940
3941 dsconf plugin pass-through-auth disable
3942 Disables the plugin
3943
3944 dsconf plugin pass-through-auth status
3945 Displays the plugin status
3946
3947 dsconf plugin pass-through-auth list
3948 List pass-through plugin URLs or PAM configurations
3949
3950 dsconf plugin pass-through-auth url
3951 Manage PTA URL configurations
3952
3953 dsconf plugin pass-through-auth pam-config
3954 Manage PAM PTA configurations.
3955
3957 usage: dsconf instance plugin pass-through-auth show [-h]
3958
3959
3961 usage: dsconf instance plugin pass-through-auth enable [-h]
3962
3963
3965 usage: dsconf instance plugin pass-through-auth disable [-h]
3966
3967
3969 usage: dsconf instance plugin pass-through-auth status [-h]
3970
3971
3973 usage: dsconf instance plugin pass-through-auth list [-h]
3974 {urls,pam-configs}
3975 ...
3976
3977
3979 dsconf plugin pass-through-auth list urls
3980 Lists URLs
3981
3982 dsconf plugin pass-through-auth list pam-configs
3983 Lists PAM configurations
3984
3986 usage: dsconf instance plugin pass-through-auth list urls [-h]
3987
3988
3990 usage: dsconf instance plugin pass-through-auth list pam-configs [-h]
3991
3992
3994 usage: dsconf instance plugin pass-through-auth url [-h]
3995 {add,modify,delete}
3996 ...
3997
3998
4000 dsconf plugin pass-through-auth url add
4001 Add the config entry
4002
4003 dsconf plugin pass-through-auth url modify
4004 Edit the config entry
4005
4006 dsconf plugin pass-through-auth url delete
4007 Delete the config entry
4008
4010 usage: dsconf instance plugin pass-through-auth url add [-h] URL
4011
4012
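4013 URL The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
4014 conns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
4015 tional parameter is specified the rest should be specified too. The bind credentials are forwarded to authDS, so use ldaps:// or enable startTLS to keep them from crossing the network in clear text.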
4016
4017
4019 usage: dsconf instance plugin pass-through-auth url modify [-h]
4020 OLD_URL
4021 NEW_URL
4022
4023
4024 OLD_URL
4025 The full LDAP URL you get from the "list" command
4026
4027
4028 NEW_URL
4029 Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree
4030 maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
4031 tional parameter is specified the rest should be specified too.
4032
4033
4035 usage: dsconf instance plugin pass-through-auth url delete [-h] URL
4036
4037
4038 URL The full LDAP URL you get from the "list" command
4039
4040
4042 usage: dsconf instance plugin pass-through-auth pam-config [-h]
4043 NAME
4044 {add,set,show,delete}
4045 ...
4046
4047
4049 dsconf plugin pass-through-auth pam-config add
4050 Add the config entry
4051
4052 dsconf plugin pass-through-auth pam-config set
4053 Edit the config entry
4054
4055 dsconf plugin pass-through-auth pam-config show
4056 Display the config entry
4057
4058 dsconf plugin pass-through-auth pam-config delete
4059 Delete the config entry
4060
4062 usage: dsconf instance plugin pass-through-auth pam-config NAME add
4063 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4064 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4065 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4066 TER]
4067 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4068 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4069 SERVICE]
4070
4071
4073 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4074 Specifies a suffix to exclude from PAM authentication (pamEx‐
4075 cludeSuffix)
4076
4077
4078 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4079 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4080 fix)
4081
4082
4083 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4084 Identifies how to handle missing include or exclude suffixes
4085 (pamMissingSuffix)
4086
4087
4088 --filter FILTER
4089 Sets an LDAP filter to use to identify specific entries within
4090 the included suffixes for which to use PAM pass-through authen‐
4091 tication (pamFilter)
4092
4093
4094 --id-attr ID_ATTR
4095 Contains the attribute name which is used to hold the PAM user
4096 ID (pamIDAttr)
4097
4098
4099 --id_map_method ID_MAP_METHOD
4100 Sets the method to use to map the LDAP bind DN to a PAM identity
4101 (pamIDMapMethod)
4102
4103
4104 --fallback {TRUE,FALSE}
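4105 Sets whether to fall back to regular LDAP authentication if PAM
4106 authentication fails (pamFallback). When TRUE, a bind that PAM does not accept is still tried against the password stored in the directory.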
4107
4108
4109 --secure {TRUE,FALSE}
4110 Requires secure TLS connection for PAM authentication (pamSe‐
4111 cure)
4112
4113
4114 --service SERVICE
4115 Contains the service name to pass to PAM (pamService)
4116
4117
4119 usage: dsconf instance plugin pass-through-auth pam-config NAME set
4120 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4121 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4122 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4123 TER]
4124 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4125 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4126 SERVICE]
4127
4128
4130 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4131 Specifies a suffix to exclude from PAM authentication (pamEx‐
4132 cludeSuffix)
4133
4134
4135 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4136 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4137 fix)
4138
4139
4140 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4141 Identifies how to handle missing include or exclude suffixes
4142 (pamMissingSuffix)
4143
4144
4145 --filter FILTER
4146 Sets an LDAP filter to use to identify specific entries within
4147 the included suffixes for which to use PAM pass-through authen‐
4148 tication (pamFilter)
4149
4150
4151 --id-attr ID_ATTR
4152 Contains the attribute name which is used to hold the PAM user
4153 ID (pamIDAttr)
4154
4155
4156 --id_map_method ID_MAP_METHOD
4157 Sets the method to use to map the LDAP bind DN to a PAM identity
4158 (pamIDMapMethod)
4159
4160
4161 --fallback {TRUE,FALSE}
4162 Sets whether to fall back to regular LDAP authentication if PAM
4163 authentication fails (pamFallback)
4164
4165
4166 --secure {TRUE,FALSE}
4167 Requires secure TLS connection for PAM authentication (pamSe‐
4168 cure)
4169
4170
4171 --service SERVICE
4172 Contains the service name to pass to PAM (pamService)
4173
4174
4176 usage: dsconf instance plugin pass-through-auth pam-config NAME show
4177 [-h]
4178
4179
4181 usage: dsconf instance plugin pass-through-auth pam-config NAME delete
4182 [-h]
4183
4184
4186 usage: dsconf instance plugin retro-changelog [-h]
4187 {show,enable,disable,sta‐
4188 tus,set,add,del}
4189 ...
4190
4191
4193 dsconf plugin retro-changelog show
4194 Displays the plugin configuration
4195
4196 dsconf plugin retro-changelog enable
4197 Enables the plugin
4198
4199 dsconf plugin retro-changelog disable
4200 Disables the plugin
4201
4202 dsconf plugin retro-changelog status
4203 Displays the plugin status
4204
4205 dsconf plugin retro-changelog set
4206 Edit the plugin
4207
4208 dsconf plugin retro-changelog add
4209 Add attributes to the plugin
4210
4211 dsconf plugin retro-changelog del
4212 Delete an attribute from plugin scope
4213
4215 usage: dsconf instance plugin retro-changelog show [-h]
4216
4217
4219 usage: dsconf instance plugin retro-changelog enable [-h]
4220
4221
4223 usage: dsconf instance plugin retro-changelog disable [-h]
4224
4225
4227 usage: dsconf instance plugin retro-changelog status [-h]
4228
4229
4231 usage: dsconf instance plugin retro-changelog set [-h]
4232 [--is-replicated
4233 {TRUE,FALSE}]
4234 [--attribute ATTRI‐
4235 BUTE]
4236 [--directory DIREC‐
4237 TORY]
4238 [--max-age MAX_AGE]
4239 [--trim-interval
4240 TRIM_INTERVAL]
4241 [--exclude-suffix
4242 [EXCLUDE_SUFFIX ...]]
4243 [--exclude-attrs [EX‐
4244 CLUDE_ATTRS ...]]
4245
4246
4248 --is-replicated {TRUE,FALSE}
4249 Sets a flag to indicate on a change in the changelog whether the
4250 change is newly made on that server or whether it was replicated
4251 over from another server (isReplicated)
4252
4253
4254 --attribute ATTRIBUTE
4255 Specifies another Directory Server attribute which must be in‐
4256 cluded in the retro changelog entries (nsslapd-attribute)
4257
4258
4259 --directory DIRECTORY
4260 Specifies the name of the directory in which the changelog data‐
4261 base is created the first time the plug-in is run
4262
4263
4264 --max-age MAX_AGE
4265 Specifies the maximum age of any entry in the changelog. Used to
4266 trim the changelog (nsslapd-changelogmaxage)
4267
4268
4269 --trim-interval TRIM_INTERVAL
4270
4271
4272 --exclude-suffix [EXCLUDE_SUFFIX ...]
4273 Specifies the suffix which will be excluded from the scope of
4274 the plugin (nsslapd-exclude-suffix)
4275
4276
4277 --exclude-attrs [EXCLUDE_ATTRS ...]
4278 Specifies the attributes which will be excluded from the scope
4279 of the plugin (nsslapd-exclude-attrs)
4280
4281
4283 usage: dsconf instance plugin retro-changelog add [-h]
4284 [--is-replicated
4285 {TRUE,FALSE}]
4286 [--attribute ATTRI‐
4287 BUTE]
4288 [--directory DIREC‐
4289 TORY]
4290 [--max-age MAX_AGE]
4291 [--trim-interval
4292 TRIM_INTERVAL]
4293 [--exclude-suffix
4294 [EXCLUDE_SUFFIX ...]]
4295 [--exclude-attrs [EX‐
4296 CLUDE_ATTRS ...]]
4297
4298
4300 --is-replicated {TRUE,FALSE}
4301 Sets a flag to indicate on a change in the changelog whether the
4302 change is newly made on that server or whether it was replicated
4303 over from another server (isReplicated)
4304
4305
4306 --attribute ATTRIBUTE
4307 Specifies another Directory Server attribute which must be in‐
4308 cluded in the retro changelog entries (nsslapd-attribute)
4309
4310
4311 --directory DIRECTORY
4312 Specifies the name of the directory in which the changelog data‐
4313 base is created the first time the plug-in is run
4314
4315
4316 --max-age MAX_AGE
4317 Specifies the maximum age of any entry in the changelog. Used to
4318 trim the changelog (nsslapd-changelogmaxage)
4319
4320
4321 --trim-interval TRIM_INTERVAL
4322
4323
4324 --exclude-suffix [EXCLUDE_SUFFIX ...]
4325 Specifies the suffix which will be excluded from the scope of
4326 the plugin (nsslapd-exclude-suffix)
4327
4328
4329 --exclude-attrs [EXCLUDE_ATTRS ...]
4330 Specifies the attributes which will be excluded from the scope
4331 of the plugin (nsslapd-exclude-attrs)
4332
4333
4335 usage: dsconf instance plugin retro-changelog del [-h]
4336 [--is-replicated
4337 {TRUE,FALSE}]
4338 [--attribute ATTRI‐
4339 BUTE]
4340 [--directory DIREC‐
4341 TORY]
4342 [--max-age MAX_AGE]
4343 [--trim-interval
4344 TRIM_INTERVAL]
4345 [--exclude-suffix
4346 [EXCLUDE_SUFFIX ...]]
4347 [--exclude-attrs [EX‐
4348 CLUDE_ATTRS ...]]
4349
4350
4352 --is-replicated {TRUE,FALSE}
4353 Sets a flag to indicate on a change in the changelog whether the
4354 change is newly made on that server or whether it was replicated
4355 over from another server (isReplicated)
4356
4357
4358 --attribute ATTRIBUTE
4359 Specifies another Directory Server attribute which must be in‐
4360 cluded in the retro changelog entries (nsslapd-attribute)
4361
4362
4363 --directory DIRECTORY
4364 Specifies the name of the directory in which the changelog data‐
4365 base is created the first time the plug-in is run
4366
4367
4368 --max-age MAX_AGE
4369 Specifies the maximum age of any entry in the changelog. Used to
4370 trim the changelog (nsslapd-changelogmaxage)
4371
4372
4373 --trim-interval TRIM_INTERVAL
4374
4375
4376 --exclude-suffix [EXCLUDE_SUFFIX ...]
4377 Specifies the suffix which will be excluded from the scope of
4378 the plugin (nsslapd-exclude-suffix)
4379
4380
4381 --exclude-attrs [EXCLUDE_ATTRS ...]
4382 Specifies the attributes which will be excluded from the scope
4383 of the plugin (nsslapd-exclude-attrs)
4384
4385
4387 usage: dsconf instance plugin posix-winsync [-h]
4388 {show,enable,disable,sta‐
4389 tus,set,fixup}
4390 ...
4391
4392
4394 dsconf plugin posix-winsync show
4395 Displays the plugin configuration
4396
4397 dsconf plugin posix-winsync enable
4398 Enables the plugin
4399
4400 dsconf plugin posix-winsync disable
4401 Disables the plugin
4402
4403 dsconf plugin posix-winsync status
4404 Displays the plugin status
4405
4406 dsconf plugin posix-winsync set
4407 Edit the plugin settings
4408
4409 dsconf plugin posix-winsync fixup
4410 Run the memberOf fix-up task to correct mismatched member and
4411 uniquemember values for synced users
4412
4414 usage: dsconf instance plugin posix-winsync show [-h]
4415
4416
4418 usage: dsconf instance plugin posix-winsync enable [-h]
4419
4420
4422 usage: dsconf instance plugin posix-winsync disable [-h]
4423
4424
4426 usage: dsconf instance plugin posix-winsync status [-h]
4427
4428
4430 usage: dsconf instance plugin posix-winsync set [-h]
4431 [--create-memberof-task
4432 {true,false}]
4433 [--lower-case-uid
4434 {true,false}]
4435 [--map-member-uid
4436 {true,false}]
4437 [--map-nested-grouping
4438 {true,false}]
4439 [--ms-sfu-schema
4440 {true,false}]
4441
4442
4444 --create-memberof-task {true,false}
4445 Sets whether to run the memberUID fix-up task immediately after
4446 a sync run in order to update group memberships for synced users
4447 (posixWinsyncCreateMemberOfTask)
4448
4449
4450 --lower-case-uid {true,false}
4451 Sets whether to store (and, if necessary, convert) the UID value
4452 in the memberUID attribute in lower case (posixWinsyncLower‐
4453 CaseUID)
4454
4455
4456 --map-member-uid {true,false}
4457 Sets whether to map the memberUID attribute in an Active Direc‐
4458 tory group to the uniqueMember attribute in a Directory Server
4459 group (posixWinsyncMapMemberUID)
4460
4461
4462 --map-nested-grouping {true,false}
4463 Sets whether nested groups are updated when memberUID attributes
4464 in an Active Directory POSIX group change (posixWinsyncMapNest‐
4465 edGrouping)
4466
4467
4468 --ms-sfu-schema {true,false}
4469 Sets whether to use the older Microsoft System Services for Unix 3.0
4470 (msSFU30) schema when syncing Posix attributes from Active Di‐
4471 rectory (posixWinsyncMsSFUSchema)
4472
4473
4475 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN
4476
4477
4478 DN Set the base DN that contains entries to fix up
4479
4480
4482 -f FILTER, --filter FILTER
4483 Filter for entries to fix up. If omitted, all entries with ob‐
4484 jectclass inetuser/inetadmin/nsmemberof under the specified base
4485 will have their memberOf attribute regenerated.
4486
4487
4489 usage: dsconf instance plugin contentsync [-h]
4490 {show,enable,disable,sta‐
4491 tus,set,add}
4492 ...
4493
4494
4496 dsconf plugin contentsync show
4497 Displays the plugin configuration
4498
4499 dsconf plugin contentsync enable
4500 Enables the plugin
4501
4502 dsconf plugin contentsync disable
4503 Disables the plugin
4504
4505 dsconf plugin contentsync status
4506 Displays the plugin status
4507
4508 dsconf plugin contentsync set
4509 Edit the plugin settings
4510
4511 dsconf plugin contentsync add
4512 Add attributes to the plugin
4513
4515 usage: dsconf instance plugin contentsync show [-h]
4516
4517
4519 usage: dsconf instance plugin contentsync enable [-h]
4520
4521
4523 usage: dsconf instance plugin contentsync disable [-h]
4524
4525
4527 usage: dsconf instance plugin contentsync status [-h]
4528
4529
4531 usage: dsconf instance plugin contentsync set [-h] [--allow-openldap
4532 {on,off}]
4533
4534
4536 --allow-openldap {on,off}
4537 Allows OpenLDAP servers to act as read-only consumers of this
4538 server via syncrepl
4539
4540
4542 usage: dsconf instance plugin contentsync add [-h] [--allow-openldap
4543 {on,off}]
4544
4545
4547 --allow-openldap {on,off}
4548 Allows OpenLDAP servers to act as read-only consumers of this
4549 server via syncrepl
4550
4551
4553 usage: dsconf instance plugin entryuuid [-h]
4554 {show,enable,disable,sta‐
4555 tus,fixup,fixup-status}
4556 ...
4557
4558
4560 dsconf plugin entryuuid show
4561 Displays the plugin configuration
4562
4563 dsconf plugin entryuuid enable
4564 Enables the plugin
4565
4566 dsconf plugin entryuuid disable
4567 Disables the plugin
4568
4569 dsconf plugin entryuuid status
4570 Displays the plugin status
4571
4572 dsconf plugin entryuuid fixup
4573 Run the fix-up task for EntryUUID plugin
4574
4575 dsconf plugin entryuuid fixup-status
4576 Check the status of a fix-up task
4577
4579 usage: dsconf instance plugin entryuuid show [-h]
4580
4581
4583 usage: dsconf instance plugin entryuuid enable [-h]
4584
4585
4587 usage: dsconf instance plugin entryuuid disable [-h]
4588
4589
4591 usage: dsconf instance plugin entryuuid status [-h]
4592
4593
4595 usage: dsconf instance plugin entryuuid fixup [-h] [-f FILTER] [--wait]
4596 DN
4597
4598
4599 DN Base DN that contains entries to fix up
4600
4601
4603 -f FILTER, --filter FILTER
4604 Filter for entries to fix up. If omitted, all entries under base
4605 DN will have their EntryUUID attribute regenerated if not
4606 present.
4607
4608
4609 --wait Wait for the task to finish, this could take a long time
4610
4611
4613 usage: dsconf instance plugin entryuuid fixup-status [-h] [--dn DN]
4614 [--show-log]
4615 [--watch]
4616
4617
4619 --dn DN
4620 The task entry's DN
4621
4622
4623 --show-log
4624 Display the task log
4625
4626
4627 --watch
4628 Watch the task's status and wait for it to finish
4629
4630
4632 usage: dsconf instance plugin list [-h]
4633
4634
4636 usage: dsconf instance plugin show [-h] [selector]
4637
4638
4639 selector
4640 The plugin to search for
4641
4642
4644 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4645 {on,off}]
4646 [--path PATH] [--initfunc INITFUNC]
4647 [--id ID] [--vendor VENDOR]
4648 [--version VERSION]
4649 [--description DESCRIPTION]
4650 [--depends-on-type DEPENDS_ON_TYPE]
4651 [--depends-on-named DEPENDS_ON_NAMED]
4652 [--precedence PRECEDENCE]
4653 [selector]
4654
4655
4656 selector
4657 The plugin to edit
4658
4659
4661 --type TYPE
4662 The type of plugin.
4663
4664
4665 --enabled {on,off}
4666 Identifies whether or not the plugin is enabled.
4667
4668
4669 --path PATH
4670 The plugin library name (without the library suffix).
4671
4672
4673 --initfunc INITFUNC
4674 An initialization function of the plugin.
4675
4676
4677 --id ID
4678 The plugin ID.
4679
4680
4681 --vendor VENDOR
4682 The vendor of plugin.
4683
4684
4685 --version VERSION
4686 The version of plugin.
4687
4688
4689 --description DESCRIPTION
4690 The description of the plugin.
4691
4692
4693 --depends-on-type DEPENDS_ON_TYPE
4694 All plug-ins with a type value which matches one of the values
4695 in the following valid range will be started by the server prior
4696 to this plug-in.
4697
4698
4699 --depends-on-named DEPENDS_ON_NAMED
4700 The plug-in name matching one of the following values will be
4701 started by the server prior to this plug-in
4702
4703
4704 --precedence PRECEDENCE
4705 The priority it has in the execution order of plug-ins
4706
4707
4709 usage: dsconf instance pwpolicy [-h] {get,set} ...
4710
4711
4713 dsconf pwpolicy get
4714 Get the global password policy entry
4715
4716 dsconf pwpolicy set
4717 Set an attribute in a global password policy
4718
4720 usage: dsconf instance pwpolicy get [-h]
4721
4722
4724 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4725 [--pwdchange PWDCHANGE]
4726 [--pwdmustchange PWDMUSTCHANGE]
4727 [--pwdhistory PWDHISTORY]
4728 [--pwdhistorycount PWDHISTORYCOUNT]
4729 [--pwdadmin PWDADMIN]
4730 [--pwdtrack PWDTRACK]
4731 [--pwdwarning PWDWARNING]
4732 [--pwdexpire PWDEXPIRE]
4733 [--pwdmaxage PWDMAXAGE]
4734 [--pwdminage PWDMINAGE]
4735 [--pwdgracelimit PWDGRACELIMIT]
4736 [--pwdsendexpiring PWDSENDEXPIRING]
4737 [--pwdlockout PWDLOCKOUT]
4738 [--pwdunlock PWDUNLOCK]
4739 [--pwdlockoutduration PWDLOCKOUTDU‐
4740 RATION]
4741 [--pwdmaxfailures PWDMAXFAILURES]
4742 [--pwdresetfailcount PWDRESETFAIL‐
4743 COUNT]
4744 [--pwdchecksyntax PWDCHECKSYNTAX]
4745 [--pwdminlen PWDMINLEN]
4746 [--pwdmindigits PWDMINDIGITS]
4747 [--pwdminalphas PWDMINALPHAS]
4748 [--pwdminuppers PWDMINUPPERS]
4749 [--pwdminlowers PWDMINLOWERS]
4750 [--pwdminspecials PWDMINSPECIALS]
4751 [--pwdmin8bits PWDMIN8BITS]
4752 [--pwdmaxrepeats PWDMAXREPEATS]
4753 [--pwdpalindrome PWDPALINDROME]
4754 [--pwdmaxseq PWDMAXSEQ]
4755 [--pwdmaxseqsets PWDMAXSEQSETS]
4756 [--pwdmaxclasschars PWDMAXCLASS‐
4757 CHARS]
4758 [--pwdmincatagories PWDMIN‐
4759 CATAGORIES]
4760 [--pwdmintokenlen PWDMINTOKENLEN]
4761 [--pwdbadwords PWDBADWORDS]
4762 [--pwduserattrs PWDUSERATTRS]
4763 [--pwddictcheck PWDDICTCHECK]
4764 [--pwddictpath PWDDICTPATH]
4765 [--pwptprmaxuse PWPTPRMAXUSE]
4766 [--pwptprdelayexpireat PWPTPRDELAY‐
4767 EXPIREAT]
4768 [--pwptprdelayvalidfrom PWPTPRDE‐
4769 LAYVALIDFROM]
4770 [--pwdlocal PWDLOCAL]
4771 [--pwdisglobal PWDISGLOBAL]
4772 [--pwdallowhash PWDALLOWHASH]
4773 [--pwpinheritglobal PWPINHERIT‐
4774 GLOBAL]
4775
4776
4778 --pwdscheme PWDSCHEME
4779 The password storage scheme
4780
4781
4782 --pwdchange PWDCHANGE
4783 Allow users to change their passwords
4784
4785
4786 --pwdmustchange PWDMUSTCHANGE
4787 Users must change their password after it was reset by an admin‐
4788 istrator
4789
4790
4791 --pwdhistory PWDHISTORY
4792 To enable password history set this to "on", otherwise "off"
4793
4794
4795 --pwdhistorycount PWDHISTORYCOUNT
4796 The number of passwords to keep in history
4797
4798
4799 --pwdadmin PWDADMIN
4800 The DN of an entry or a group of accounts that can bypass pass‐
4801 word policy constraints
4802
4803
4804 --pwdtrack PWDTRACK
4805 Set to "on" to track the time the password was last changed
4806
4807
4808 --pwdwarning PWDWARNING
4809 Send an expiring warning if password expires within this time
4810 (in seconds)
4811
4812
4813 --pwdexpire PWDEXPIRE
4814 Set to "on" to enable password expiration
4815
4816
4817 --pwdmaxage PWDMAXAGE
4818 The password expiration time in seconds
4819
4820
4821 --pwdminage PWDMINAGE
4822 The number of seconds that must pass before a user can change
4823 their password
4824
4825
4826 --pwdgracelimit PWDGRACELIMIT
4827 The number of allowed logins after the password has expired
4828
4829
4830 --pwdsendexpiring PWDSENDEXPIRING
4831 Set to "on" to always send the expiring control regardless of
4832 the warning period
4833
4834
4835 --pwdlockout PWDLOCKOUT
4836 Set to "on" to enable account lockout
4837
4838
4839 --pwdunlock PWDUNLOCK
4840 Set to "on" to allow an account to become unlocked after the
4841 lockout duration
4842
4843
4844 --pwdlockoutduration PWDLOCKOUTDURATION
4845 The number of seconds an account stays locked out
4846
4847
4848 --pwdmaxfailures PWDMAXFAILURES
4849 The maximum number of allowed failed password attempts before
4850 the account gets locked
4851
4852
4853 --pwdresetfailcount PWDRESETFAILCOUNT
4854 The number of seconds to wait before reducing the failed login
4855 count on an account
4856
4857
4858 --pwdchecksyntax PWDCHECKSYNTAX
4859 Set to "on" to enable password syntax checking
4860
4861
4862 --pwdminlen PWDMINLEN
4863 The minimum number of characters required in a password
4864
4865
4866 --pwdmindigits PWDMINDIGITS
4867 The minimum number of digit/number characters in a password
4868
4869
4870 --pwdminalphas PWDMINALPHAS
4871 The minimum number of alpha characters required in a password
4872
4873
4874 --pwdminuppers PWDMINUPPERS
4875 The minimum number of uppercase characters required in a pass‐
4876 word
4877
4878
4879 --pwdminlowers PWDMINLOWERS
4880 The minimum number of lowercase characters required in a pass‐
4881 word
4882
4883
4884 --pwdminspecials PWDMINSPECIALS
4885 The minimum number of special characters required in a password
4886
4887
4888 --pwdmin8bits PWDMIN8BITS
4889 The minimum number of 8-bit characters required in a password
4890
4891
4892 --pwdmaxrepeats PWDMAXREPEATS
4893 The maximum number of times the same character can appear se‐
4894 quentially in the password
4895
4896
4897 --pwdpalindrome PWDPALINDROME
4898 Set to "on" to reject passwords that are palindromes
4899
4900
4901 --pwdmaxseq PWDMAXSEQ
4902 The maximum number of allowed monotonic character sequences in a
4903 password
4904
4905
4906 --pwdmaxseqsets PWDMAXSEQSETS
4907 The maximum number of allowed monotonic character sequences that
4908 can be duplicated in a password
4909
4910
4911 --pwdmaxclasschars PWDMAXCLASSCHARS
4912 The maximum number of sequential characters from the same char‐
4913 acter class that is allowed in a password
4914
4915
4916 --pwdmincatagories PWDMINCATAGORIES
4917 The minimum number of syntax category checks
4918
4919
4920 --pwdmintokenlen PWDMINTOKENLEN
4921 Sets the smallest attribute value length that is used for triv‐
4922 ial/user words checking. This also impacts "--pwduserattrs"
4923
4924
4925 --pwdbadwords PWDBADWORDS
4926 A space-separated list of words that can not be in a password
4927
4928
4929 --pwduserattrs PWDUSERATTRS
4930 A space-separated list of attributes whose values can not appear
4931 in the password (See "--pwdmintokenlen")
4932
4933
4934 --pwddictcheck PWDDICTCHECK
4935 Set to "on" to enforce CrackLib dictionary checking
4936
4937
4938 --pwddictpath PWDDICTPATH
4939 Filesystem path to specific/custom CrackLib dictionary files
4940
4941
4942 --pwptprmaxuse PWPTPRMAXUSE
4943 Number of times a reset password can be used for authentication
4944
4945
4946 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
4947 Number of seconds after which a reset password expires
4948
4949
4950 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
4951 Number of seconds to wait before using a reset password to au‐
4952 thenticate
4953
4954
4955 --pwdlocal PWDLOCAL
4956 Set to "on" to enable fine-grained (subtree/user-level) password
4957 policies
4958
4959
4960 --pwdisglobal PWDISGLOBAL
4961 Set to "on" to enable password policy state attributes to be
4962 replicated
4963
4964
4965 --pwdallowhash PWDALLOWHASH
4966 Set to "on" to allow adding prehashed passwords. The server cannot apply password syntax checks to a value that arrives already hashed.
4967
4968
4969 --pwpinheritglobal PWPINHERITGLOBAL
4970 Set to "on" to allow local policies to inherit the global policy
4971
4972
4974 usage: dsconf instance localpwp [-h]
4975 {list,get,set,remove,adduser,addsub‐
4976 tree} ...
4977
4978
4980 dsconf localpwp list
4981 List all the local password policies
4982
4983 dsconf localpwp get
4984 Get local password policy entry
4985
4986 dsconf localpwp set
4987 Set an attribute in a local password policy
4988
4989 dsconf localpwp remove
4990 Remove a local password policy
4991
4992 dsconf localpwp adduser
4993 Add new user password policy
4994
4995 dsconf localpwp addsubtree
4996 Add new subtree password policy
4997
4999 usage: dsconf instance localpwp list [-h] [DN]
5000
5001
5002 DN Suffix to search for local password policies
5003
5004
5006 usage: dsconf instance localpwp get [-h] DN
5007
5008
5009 DN Get the local policy for this entry DN
5010
5011
5013 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
5014 [--pwdchange PWDCHANGE]
5015 [--pwdmustchange PWDMUSTCHANGE]
5016 [--pwdhistory PWDHISTORY]
5017 [--pwdhistorycount PWDHISTORYCOUNT]
5018 [--pwdadmin PWDADMIN]
5019 [--pwdtrack PWDTRACK]
5020 [--pwdwarning PWDWARNING]
5021 [--pwdexpire PWDEXPIRE]
5022 [--pwdmaxage PWDMAXAGE]
5023 [--pwdminage PWDMINAGE]
5024 [--pwdgracelimit PWDGRACELIMIT]
5025 [--pwdsendexpiring PWDSENDEXPIRING]
5026 [--pwdlockout PWDLOCKOUT]
5027 [--pwdunlock PWDUNLOCK]
5028 [--pwdlockoutduration PWDLOCKOUTDU‐
5029 RATION]
5030 [--pwdmaxfailures PWDMAXFAILURES]
5031 [--pwdresetfailcount PWDRESETFAIL‐
5032 COUNT]
5033 [--pwdchecksyntax PWDCHECKSYNTAX]
5034 [--pwdminlen PWDMINLEN]
5035 [--pwdmindigits PWDMINDIGITS]
5036 [--pwdminalphas PWDMINALPHAS]
5037 [--pwdminuppers PWDMINUPPERS]
5038 [--pwdminlowers PWDMINLOWERS]
5039 [--pwdminspecials PWDMINSPECIALS]
5040 [--pwdmin8bits PWDMIN8BITS]
5041 [--pwdmaxrepeats PWDMAXREPEATS]
5042 [--pwdpalindrome PWDPALINDROME]
5043 [--pwdmaxseq PWDMAXSEQ]
5044 [--pwdmaxseqsets PWDMAXSEQSETS]
5045 [--pwdmaxclasschars PWDMAXCLASS‐
5046 CHARS]
5047 [--pwdmincatagories PWDMIN‐
5048 CATAGORIES]
5049 [--pwdmintokenlen PWDMINTOKENLEN]
5050 [--pwdbadwords PWDBADWORDS]
5051 [--pwduserattrs PWDUSERATTRS]
5052 [--pwddictcheck PWDDICTCHECK]
5053 [--pwddictpath PWDDICTPATH]
5054 [--pwptprmaxuse PWPTPRMAXUSE]
5055 [--pwptprdelayexpireat PWPTPRDELAY‐
5056 EXPIREAT]
5057 [--pwptprdelayvalidfrom PWPTPRDE‐
5058 LAYVALIDFROM]
5059 DN
5060
5061
5062 DN Set the local policy for this entry DN
5063
5064
5066 --pwdscheme PWDSCHEME
5067 The password storage scheme
5068
5069
5070 --pwdchange PWDCHANGE
5071 Allow users to change their passwords
5072
5073
5074 --pwdmustchange PWDMUSTCHANGE
5075 Users must change their password after it was reset by an admin‐
5076 istrator
5077
5078
5079 --pwdhistory PWDHISTORY
5080 To enable password history set this to "on", otherwise "off"
5081
5082
5083 --pwdhistorycount PWDHISTORYCOUNT
5084 The number of passwords to keep in history
5085
5086
5087 --pwdadmin PWDADMIN
5088 The DN of an entry or a group of accounts that can bypass pass‐
5089 word policy constraints
5090
5091
5092 --pwdtrack PWDTRACK
5093 Set to "on" to track the time the password was last changed
5094
5095
5096 --pwdwarning PWDWARNING
5097 Send an expiring warning if password expires within this time
5098 (in seconds)
5099
5100
5101 --pwdexpire PWDEXPIRE
5102 Set to "on" to enable password expiration
5103
5104
5105 --pwdmaxage PWDMAXAGE
5106 The password expiration time in seconds
5107
5108
5109 --pwdminage PWDMINAGE
5110 The number of seconds that must pass before a user can change
5111 their password
5112
5113
5114 --pwdgracelimit PWDGRACELIMIT
5115 The number of allowed logins after the password has expired
5116
5117
5118 --pwdsendexpiring PWDSENDEXPIRING
5119 Set to "on" to always send the expiring control regardless of
5120 the warning period
5121
5122
5123 --pwdlockout PWDLOCKOUT
5124 Set to "on" to enable account lockout
5125
5126
5127 --pwdunlock PWDUNLOCK
5128 Set to "on" to allow an account to become unlocked after the
5129 lockout duration
5130
5131
5132 --pwdlockoutduration PWDLOCKOUTDURATION
5133 The number of seconds an account stays locked out
5134
5135
5136 --pwdmaxfailures PWDMAXFAILURES
5137 The maximum number of allowed failed password attempts before
5138 the account gets locked
5139
5140
5141 --pwdresetfailcount PWDRESETFAILCOUNT
5142 The number of seconds to wait before reducing the failed login
5143 count on an account
5144
5145
5146 --pwdchecksyntax PWDCHECKSYNTAX
5147 Set to "on" to enable password syntax checking
5148
5149
5150 --pwdminlen PWDMINLEN
5151 The minimum number of characters required in a password
5152
5153
5154 --pwdmindigits PWDMINDIGITS
5155 The minimum number of digit/number characters in a password
5156
5157
5158 --pwdminalphas PWDMINALPHAS
5159 The minimum number of alpha characters required in a password
5160
5161
5162 --pwdminuppers PWDMINUPPERS
5163 The minimum number of uppercase characters required in a pass‐
5164 word
5165
5166
5167 --pwdminlowers PWDMINLOWERS
5168 The minimum number of lowercase characters required in a pass‐
5169 word
5170
5171
5172 --pwdminspecials PWDMINSPECIALS
5173 The minimum number of special characters required in a password
5174
5175
5176 --pwdmin8bits PWDMIN8BITS
5177 The minimum number of 8-bit characters required in a password
5178
5179
5180 --pwdmaxrepeats PWDMAXREPEATS
5181 The maximum number of times the same character can appear se‐
5182 quentially in the password
5183
5184
5185 --pwdpalindrome PWDPALINDROME
5186 Set to "on" to reject passwords that are palindromes
5187
5188
5189 --pwdmaxseq PWDMAXSEQ
5190 The maximum number of allowed monotonic character sequences in a
5191 password
5192
5193
5194 --pwdmaxseqsets PWDMAXSEQSETS
5195 The maximum number of allowed monotonic character sequences that
5196 can be duplicated in a password
5197
5198
5199 --pwdmaxclasschars PWDMAXCLASSCHARS
5200 The maximum number of sequential characters from the same char‐
5201 acter class that is allowed in a password
5202
5203
5204 --pwdmincatagories PWDMINCATAGORIES
5205 The minimum number of syntax category checks
5206
5207
5208 --pwdmintokenlen PWDMINTOKENLEN
5209 Sets the smallest attribute value length that is used for triv‐
5210 ial/user words checking. This also impacts "--pwduserattrs"
5211
5212
5213 --pwdbadwords PWDBADWORDS
5214 A space-separated list of words that can not be in a password
5215
5216
5217 --pwduserattrs PWDUSERATTRS
5218 A space-separated list of attributes whose values can not appear
5219 in the password (See "--pwdmintokenlen")
5220
5221
5222 --pwddictcheck PWDDICTCHECK
5223 Set to "on" to enforce CrackLib dictionary checking
5224
5225
5226 --pwddictpath PWDDICTPATH
5227 Filesystem path to specific/custom CrackLib dictionary files
5228
5229
5230 --pwptprmaxuse PWPTPRMAXUSE
5231 Number of times a reset password can be used for authentication
5232
5233
5234 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5235 Number of seconds after which a reset password expires
5236
5237
5238 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5239 Number of seconds to wait before using a reset password to au‐
5240 thenticate
5241
5242
5244 usage: dsconf instance localpwp remove [-h] DN
5245
5246
5247 DN Remove local policy for this entry DN
5248
5249
5251 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5252 [--pwdchange PWDCHANGE]
5253 [--pwdmustchange PWDMUSTCHANGE]
5254 [--pwdhistory PWDHISTORY]
5255 [--pwdhistorycount PWDHISTO‐
5256 RYCOUNT]
5257 [--pwdadmin PWDADMIN]
5258 [--pwdtrack PWDTRACK]
5259 [--pwdwarning PWDWARNING]
5260 [--pwdexpire PWDEXPIRE]
5261 [--pwdmaxage PWDMAXAGE]
5262 [--pwdminage PWDMINAGE]
5263 [--pwdgracelimit PWDGRACELIMIT]
5264 [--pwdsendexpiring PWDSENDEX‐
5265 PIRING]
5266 [--pwdlockout PWDLOCKOUT]
5267 [--pwdunlock PWDUNLOCK]
5268 [--pwdlockoutduration PWDLOCK‐
5269 OUTDURATION]
5270 [--pwdmaxfailures PWDMAXFAIL‐
5271 URES]
5272 [--pwdresetfailcount PWDRESET‐
5273 FAILCOUNT]
5274 [--pwdchecksyntax PWDCHECKSYN‐
5275 TAX]
5276 [--pwdminlen PWDMINLEN]
5277 [--pwdmindigits PWDMINDIGITS]
5278 [--pwdminalphas PWDMINALPHAS]
5279 [--pwdminuppers PWDMINUPPERS]
5280 [--pwdminlowers PWDMINLOWERS]
5281 [--pwdminspecials PWDMINSPE‐
5282 CIALS]
5283 [--pwdmin8bits PWDMIN8BITS]
5284 [--pwdmaxrepeats PWDMAXREPEATS]
5285 [--pwdpalindrome PWDPALINDROME]
5286 [--pwdmaxseq PWDMAXSEQ]
5287 [--pwdmaxseqsets PWDMAXSEQSETS]
5288 [--pwdmaxclasschars PWDMAX‐
5289 CLASSCHARS]
5290 [--pwdmincatagories PWDMIN‐
5291 CATAGORIES]
5292 [--pwdmintokenlen PWDMINTO‐
5293 KENLEN]
5294 [--pwdbadwords PWDBADWORDS]
5295 [--pwduserattrs PWDUSERATTRS]
5296 [--pwddictcheck PWDDICTCHECK]
5297 [--pwddictpath PWDDICTPATH]
5298 [--pwptprmaxuse PWPTPRMAXUSE]
5299 [--pwptprdelayexpireat PWPT‐
5300 PRDELAYEXPIREAT]
5301 [--pwptprdelayvalidfrom PWPT‐
5302 PRDELAYVALIDFROM]
5303 DN
5304
5305
5306 DN Add/replace the local password policy for this entry DN
5307
5308
5310 --pwdscheme PWDSCHEME
5311 The password storage scheme
5312
5313
5314 --pwdchange PWDCHANGE
5315 Allow users to change their passwords
5316
5317
5318 --pwdmustchange PWDMUSTCHANGE
5319 Users must change their password after it was reset by an admin‐
5320 istrator
5321
5322
5323 --pwdhistory PWDHISTORY
5324 To enable password history set this to "on", otherwise "off"
5325
5326
5327 --pwdhistorycount PWDHISTORYCOUNT
5328 The number of passwords to keep in history
5329
5330
5331 --pwdadmin PWDADMIN
5332 The DN of an entry or a group of accounts that can bypass pass‐
5333 word policy constraints
5334
5335
5336 --pwdtrack PWDTRACK
5337 Set to "on" to track the time the password was last changed
5338
5339
5340 --pwdwarning PWDWARNING
5341 Send an expiring warning if password expires within this time
5342 (in seconds)
5343
5344
5345 --pwdexpire PWDEXPIRE
5346 Set to "on" to enable password expiration
5347
5348
5349 --pwdmaxage PWDMAXAGE
5350 The password expiration time in seconds
5351
5352
5353 --pwdminage PWDMINAGE
5354 The number of seconds that must pass before a user can change
5355 their password
5356
5357
5358 --pwdgracelimit PWDGRACELIMIT
5359 The number of allowed logins after the password has expired
5360
5361
5362 --pwdsendexpiring PWDSENDEXPIRING
5363 Set to "on" to always send the expiring control regardless of
5364 the warning period
5365
5366
5367 --pwdlockout PWDLOCKOUT
5368 Set to "on" to enable account lockout
5369
5370
5371 --pwdunlock PWDUNLOCK
5372 Set to "on" to allow an account to become unlocked after the
5373 lockout duration
5374
5375
5376 --pwdlockoutduration PWDLOCKOUTDURATION
5377 The number of seconds an account stays locked out
5378
5379
5380 --pwdmaxfailures PWDMAXFAILURES
5381 The maximum number of allowed failed password attempts before
5382 the account gets locked
5383
5384
5385 --pwdresetfailcount PWDRESETFAILCOUNT
5386 The number of seconds to wait before reducing the failed login
5387 count on an account
5388
5389
5390 --pwdchecksyntax PWDCHECKSYNTAX
5391 Set to "on" to enable password syntax checking
5392
5393
5394 --pwdminlen PWDMINLEN
5395 The minimum number of characters required in a password
5396
5397
5398 --pwdmindigits PWDMINDIGITS
5399 The minimum number of digit/number characters in a password
5400
5401
5402 --pwdminalphas PWDMINALPHAS
5403 The minimum number of alpha characters required in a password
5404
5405
5406 --pwdminuppers PWDMINUPPERS
5407 The minimum number of uppercase characters required in a pass‐
5408 word
5409
5410
5411 --pwdminlowers PWDMINLOWERS
5412 The minimum number of lowercase characters required in a pass‐
5413 word
5414
5415
5416 --pwdminspecials PWDMINSPECIALS
5417 The minimum number of special characters required in a password
5418
5419
5420 --pwdmin8bits PWDMIN8BITS
5421 The minimum number of 8-bit characters required in a password
5422
5423
5424 --pwdmaxrepeats PWDMAXREPEATS
5425 The maximum number of times the same character can appear se‐
5426 quentially in the password
5427
5428
5429 --pwdpalindrome PWDPALINDROME
5430 Set to "on" to reject passwords that are palindromes
5431
5432
5433 --pwdmaxseq PWDMAXSEQ
5434 The maximum number of allowed monotonic character sequences in a
5435 password
5436
5437
5438 --pwdmaxseqsets PWDMAXSEQSETS
5439 The maximum number of allowed monotonic character sequences that
5440 can be duplicated in a password
5441
5442
5443 --pwdmaxclasschars PWDMAXCLASSCHARS
5444 The maximum number of sequential characters from the same char‐
5445 acter class that is allowed in a password
5446
5447
5448 --pwdmincatagories PWDMINCATAGORIES
5449 The minimum number of syntax category checks
5450
5451
5452 --pwdmintokenlen PWDMINTOKENLEN
5453 Sets the smallest attribute value length that is used for triv‐
5454 ial/user words checking. This also impacts "--pwduserattrs"
5455
5456
5457 --pwdbadwords PWDBADWORDS
5458 A space-separated list of words that can not be in a password
5459
5460
5461 --pwduserattrs PWDUSERATTRS
5462 A space-separated list of attributes whose values can not appear
5463 in the password (See "--pwdmintokenlen")
5464
5465
5466 --pwddictcheck PWDDICTCHECK
5467 Set to "on" to enforce CrackLib dictionary checking
5468
5469
5470 --pwddictpath PWDDICTPATH
5471 Filesystem path to specific/custom CrackLib dictionary files
5472
5473
5474 --pwptprmaxuse PWPTPRMAXUSE
5475 Number of times a reset password can be used for authentication
5476
5477
5478 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5479 Number of seconds after which a reset password expires
5480
5481
5482 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5483 Number of seconds to wait before using a reset password to au‐
5484 thenticate
5485
5486
5488 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5489 [--pwdchange PWDCHANGE]
5490 [--pwdmustchange PWD‐
5491 MUSTCHANGE]
5492 [--pwdhistory PWDHISTORY]
5493 [--pwdhistorycount PWDHISTO‐
5494 RYCOUNT]
5495 [--pwdadmin PWDADMIN]
5496 [--pwdtrack PWDTRACK]
5497 [--pwdwarning PWDWARNING]
5498 [--pwdexpire PWDEXPIRE]
5499 [--pwdmaxage PWDMAXAGE]
5500 [--pwdminage PWDMINAGE]
5501 [--pwdgracelimit PWDGRACE‐
5502 LIMIT]
5503 [--pwdsendexpiring PWDSEND‐
5504 EXPIRING]
5505 [--pwdlockout PWDLOCKOUT]
5506 [--pwdunlock PWDUNLOCK]
5507 [--pwdlockoutduration PWD‐
5508 LOCKOUTDURATION]
5509 [--pwdmaxfailures PWDMAX‐
5510 FAILURES]
5511 [--pwdresetfailcount PW‐
5512 DRESETFAILCOUNT]
5513 [--pwdchecksyntax PWD‐
5514 CHECKSYNTAX]
5515 [--pwdminlen PWDMINLEN]
5516 [--pwdmindigits PWDMINDIG‐
5517 ITS]
5518 [--pwdminalphas PWDMINAL‐
5519 PHAS]
5520 [--pwdminuppers PWDMINUP‐
5521 PERS]
5522 [--pwdminlowers PWDMINLOW‐
5523 ERS]
5524 [--pwdminspecials PWDMINSPE‐
5525 CIALS]
5526 [--pwdmin8bits PWDMIN8BITS]
5527 [--pwdmaxrepeats PWDMAXRE‐
5528 PEATS]
5529 [--pwdpalindrome PWDPALIN‐
5530 DROME]
5531 [--pwdmaxseq PWDMAXSEQ]
5532 [--pwdmaxseqsets PWDMAXSE‐
5533 QSETS]
5534 [--pwdmaxclasschars PWDMAX‐
5535 CLASSCHARS]
5536 [--pwdmincatagories PWDMIN‐
5537 CATAGORIES]
5538 [--pwdmintokenlen PWDMINTO‐
5539 KENLEN]
5540 [--pwdbadwords PWDBADWORDS]
5541 [--pwduserattrs PWDUSERAT‐
5542 TRS]
5543 [--pwddictcheck PWD‐
5544 DICTCHECK]
5545 [--pwddictpath PWDDICTPATH]
5546 [--pwptprmaxuse PWPT‐
5547 PRMAXUSE]
5548 [--pwptprdelayexpireat PWPT‐
5549 PRDELAYEXPIREAT]
5550 [--pwptprdelayvalidfrom PW‐
5551 PTPRDELAYVALIDFROM]
5552 DN
5553
5554
5555 DN Add/replace the subtree policy for this entry DN
5556
5557
5559 --pwdscheme PWDSCHEME
5560 The password storage scheme
5561
5562
5563 --pwdchange PWDCHANGE
5564 Allow users to change their passwords
5565
5566
5567 --pwdmustchange PWDMUSTCHANGE
5568 Users must change their password after it was reset by an admin‐
5569 istrator
5570
5571
5572 --pwdhistory PWDHISTORY
5573 To enable password history set this to "on", otherwise "off"
5574
5575
5576 --pwdhistorycount PWDHISTORYCOUNT
5577 The number of passwords to keep in history
5578
5579
5580 --pwdadmin PWDADMIN
5581 The DN of an entry or a group of accounts that can bypass pass‐
5582 word policy constraints
5583
5584
5585 --pwdtrack PWDTRACK
5586 Set to "on" to track the time the password was last changed
5587
5588
5589 --pwdwarning PWDWARNING
5590 Send an expiring warning if password expires within this time
5591 (in seconds)
5592
5593
5594 --pwdexpire PWDEXPIRE
5595 Set to "on" to enable password expiration
5596
5597
5598 --pwdmaxage PWDMAXAGE
5599 The password expiration time in seconds
5600
5601
5602 --pwdminage PWDMINAGE
5603 The number of seconds that must pass before a user can change
5604 their password
5605
5606
5607 --pwdgracelimit PWDGRACELIMIT
5608 The number of allowed logins after the password has expired
5609
5610
5611 --pwdsendexpiring PWDSENDEXPIRING
5612 Set to "on" to always send the expiring control regardless of
5613 the warning period
5614
5615
5616 --pwdlockout PWDLOCKOUT
5617 Set to "on" to enable account lockout
5618
5619
5620 --pwdunlock PWDUNLOCK
5621 Set to "on" to allow an account to become unlocked after the
5622 lockout duration
5623
5624
5625 --pwdlockoutduration PWDLOCKOUTDURATION
5626 The number of seconds an account stays locked out
5627
5628
5629 --pwdmaxfailures PWDMAXFAILURES
5630 The maximum number of allowed failed password attempts before
5631 the account gets locked
5632
5633
5634 --pwdresetfailcount PWDRESETFAILCOUNT
5635 The number of seconds to wait before reducing the failed login
5636 count on an account
5637
5638
5639 --pwdchecksyntax PWDCHECKSYNTAX
5640 Set to "on" to enable password syntax checking
5641
5642
5643 --pwdminlen PWDMINLEN
5644 The minimum number of characters required in a password
5645
5646
5647 --pwdmindigits PWDMINDIGITS
5648 The minimum number of digit/number characters in a password
5649
5650
5651 --pwdminalphas PWDMINALPHAS
5652 The minimum number of alpha characters required in a password
5653
5654
5655 --pwdminuppers PWDMINUPPERS
5656 The minimum number of uppercase characters required in a pass‐
5657 word
5658
5659
5660 --pwdminlowers PWDMINLOWERS
5661 The minimum number of lowercase characters required in a pass‐
5662 word
5663
5664
5665 --pwdminspecials PWDMINSPECIALS
5666 The minimum number of special characters required in a password
5667
5668
5669 --pwdmin8bits PWDMIN8BITS
5670 The minimum number of 8-bit characters required in a password
5671
5672
5673 --pwdmaxrepeats PWDMAXREPEATS
5674 The maximum number of times the same character can appear se‐
5675 quentially in the password
5676
5677
5678 --pwdpalindrome PWDPALINDROME
5679 Set to "on" to reject passwords that are palindromes
5680
5681
5682 --pwdmaxseq PWDMAXSEQ
5683 The maximum number of allowed monotonic character sequences in a
5684 password
5685
5686
5687 --pwdmaxseqsets PWDMAXSEQSETS
5688 The maximum number of allowed monotonic character sequences that
5689 can be duplicated in a password
5690
5691
5692 --pwdmaxclasschars PWDMAXCLASSCHARS
5693 The maximum number of sequential characters from the same char‐
5694 acter class that is allowed in a password
5695
5696
5697 --pwdmincatagories PWDMINCATAGORIES
5698 The minimum number of syntax category checks
5699
5700
5701 --pwdmintokenlen PWDMINTOKENLEN
5702 Sets the smallest attribute value length that is used for triv‐
5703 ial/user words checking. This also impacts "--pwduserattrs"
5704
5705
5706 --pwdbadwords PWDBADWORDS
5707 A space-separated list of words that can not be in a password
5708
5709
5710 --pwduserattrs PWDUSERATTRS
5711 A space-separated list of attributes whose values can not appear
5712 in the password (See "--pwdmintokenlen")
5713
5714
5715 --pwddictcheck PWDDICTCHECK
5716 Set to "on" to enforce CrackLib dictionary checking
5717
5718
5719 --pwddictpath PWDDICTPATH
5720 Filesystem path to specific/custom CrackLib dictionary files
5721
5722
5723 --pwptprmaxuse PWPTPRMAXUSE
5724 Number of times a reset password can be used for authentication
5725
5726
5727 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5728 Number of seconds after which a reset password expires
5729
5730
5731 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5732 Number of seconds to wait before using a reset password to au‐
5733 thenticate
5734
5735
5737 usage: dsconf instance replication [-h]
5738 {enable,disable,get-ruv,list,sta‐
5739 tus,winsync-status,promote,create-manager,delete-manager,de‐
5740 mote,get,set-changelog,get-changelog,export-changelog,import-
5741 changelog,set,monitor}
5742 ...
5743
5744
5746 dsconf replication enable
5747 Enable replication for a suffix
5748
5749 dsconf replication disable
5750 Disable replication for a suffix
5751
5752 dsconf replication get-ruv
5753 Display the database RUV entry for a suffix
5754
5755 dsconf replication list
5756 Lists all the replicated suffixes
5757
5758 dsconf replication status
5759 Display the current status of all the replication agreements
5760
5761 dsconf replication winsync-status
5762 Display the current status of all the Winsync replication agreements
5763
5764 dsconf replication promote
5765 Promote a replica to a hub or supplier
5766
5767 dsconf replication create-manager
5768 Create a replication manager entry
5769
5770 dsconf replication delete-manager
5771 Delete a replication manager entry
5772
5773 dsconf replication demote
5774 Demote replica to a hub or consumer
5775
5776 dsconf replication get
5777 Display the replication configuration
5778
5779 dsconf replication set-changelog
5780 Set replication changelog attributes
5781
5782 dsconf replication get-changelog
5783 Display replication changelog attributes
5784
5785 dsconf replication export-changelog
5786 Export the Directory Server replication changelog to an LDIF
5787 file
5788
5789 dsconf replication import-changelog
5790 Restore/import Directory Server replication change log from an
5791 LDIF file. This is typically used when managing changelog en‐
5792 cryption
5793
5794 dsconf replication set
5795 Set an attribute in the replication configuration
5796
5797 dsconf replication monitor
5798 Display the full replication topology report
5799
5801 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
5802 ROLE
5803 [--replica-id REPLICA_ID]
5804 [--bind-group-dn
5805 BIND_GROUP_DN]
5806 [--bind-dn BIND_DN]
5807 [--bind-passwd BIND_PASSWD]
5808
5809
5811 --suffix SUFFIX
5812 Sets the DN of the suffix to be enabled for replication
5813
5814
5815 --role ROLE
5816 Sets the replication role: "supplier", "hub", or "consumer"
5817
5818
5819 --replica-id REPLICA_ID
5820 Sets the replication identifier for a "supplier". Values range
5821 from 1 - 65534
5822
5823
5824 --bind-group-dn BIND_GROUP_DN
5825 Sets a group entry DN containing members that are "bind/sup‐
5826 plier" DNs
5827
5828
5829 --bind-dn BIND_DN
5830 Sets the bind or supplier DN that can make replication updates
5831
5832
5833 --bind-passwd BIND_PASSWD
5834 Sets the password for replication manager (--bind-dn). This will
5835 create the manager entry if a value is set. A password given on the command line can appear in the process list and in shell history
5836
5837
5839 usage: dsconf instance replication disable [-h] --suffix SUFFIX
5840
5841
5843 --suffix SUFFIX
5844 Sets the DN of the suffix to have replication disabled
5845
5846
5848 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
5849
5850
5852 --suffix SUFFIX
5853 Sets the DN of the replicated suffix
5854
5855
5857 usage: dsconf instance replication list [-h]
5858
5859
5861 usage: dsconf instance replication status [-h] --suffix SUFFIX
5862 [--bind-dn BIND_DN]
5863 [--bind-passwd BIND_PASSWD]
5864
5865
5867 --suffix SUFFIX
5868 Sets the DN of the replication suffix
5869
5870
5871 --bind-dn BIND_DN
5872 Sets the DN to use to authenticate to the consumer
5873
5874
5875 --bind-passwd BIND_PASSWD
5876 Sets the password for the bind DN
5877
5878
5880 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
5881 [--bind-dn BIND_DN]
5882 [--bind-passwd
5883 BIND_PASSWD]
5884
5885
5887 --suffix SUFFIX
5888 Sets the DN of the replication suffix
5889
5890
5891 --bind-dn BIND_DN
5892 Sets the DN to use to authenticate to the consumer
5893
5894
5895 --bind-passwd BIND_PASSWD
5896 Sets the password of the bind DN
5897
5898
5900 usage: dsconf instance replication promote [-h] --suffix SUFFIX --new‐
5901 role
5902 NEWROLE [--replica-id
5903 REPLICA_ID]
5904 [--bind-group-dn
5905 BIND_GROUP_DN]
5906 [--bind-dn BIND_DN]
5907
5908
5910 --suffix SUFFIX
5911 Sets the DN of the replication suffix to promote
5912
5913
5914 --newrole NEWROLE
5915 Sets the new replica role to "hub" or "supplier"
5916
5917
5918 --replica-id REPLICA_ID
5919 Sets the replication identifier for a "supplier". Values range
5920 from 1 - 65534
5921
5922
5923 --bind-group-dn BIND_GROUP_DN
5924 Sets a group entry DN containing members that are "bind/sup‐
5925 plier" DNs
5926
5927
5928 --bind-dn BIND_DN
5929 Sets the bind or supplier DN that can make replication updates
5930
5931
5933 usage: dsconf instance replication create-manager [-h] [--name NAME]
5934 [--passwd PASSWD]
5935 [--suffix SUFFIX]
5936
5937
5939 --name NAME
5940 Sets the name of the new replication manager entry. For example,
5941 if the name is "replication manager" then the new manager en‐
5942 try's DN would be "cn=replication manager,cn=config".
5943
5944
5945 --passwd PASSWD
5946 Sets the password for replication manager. If not provided, you
5947 will be prompted for the password, which keeps it out of the process list and shell history
5948
5949
5950 --suffix SUFFIX
5951 The DN of the replication suffix whose replication configuration
5952 you want to add this new manager to (OPTIONAL)
5953
5954
5956 usage: dsconf instance replication delete-manager [-h] [--name NAME]
5957 [--suffix SUFFIX]
5958
5959
5961 --name NAME
5962 Sets the name of the replication manager entry under cn=config:
5963 "cn=NAME,cn=config"
5964
5965
5966 --suffix SUFFIX
5967 Sets the DN of the replication suffix whose replication configu‐
5968 ration you want to remove this manager from (OPTIONAL)
5969
5970
5972 usage: dsconf instance replication demote [-h] --suffix SUFFIX --new‐
5973 role
5974 NEWROLE
5975
5976
5978 --suffix SUFFIX
5979 Sets the DN of the replication suffix
5980
5981
5982 --newrole NEWROLE
5983 Sets the new replication role to "hub" or "consumer"
5984
5985
5987 usage: dsconf instance replication get [-h] --suffix SUFFIX
5988
5989
5991 --suffix SUFFIX
5992 Sets the suffix DN for the replication configuration to display
5993
5994
5996 usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
5997 [--max-entries MAX_EN‐
5998 TRIES]
5999 [--max-age MAX_AGE]
6000 [--trim-interval
6001 TRIM_INTERVAL]
6002 [--encrypt]
6003 [--disable-encrypt]
6004
6005
6007 --suffix SUFFIX
6008 Sets the suffix that uses the changelog
6009
6010
6011 --max-entries MAX_ENTRIES
6012 Sets the maximum number of entries to get in the replication
6013 changelog
6014
6015
6016 --max-age MAX_AGE
6017 Set the maximum age of a replication changelog entry
6018
6019
6020 --trim-interval TRIM_INTERVAL
6021 Sets the interval to check if the replication changelog can be
6022 trimmed
6023
6024
6025 --encrypt
6026 Sets the replication changelog to use encryption. You must ex‐
6027 port and import the changelog after setting this.
6028
6029
6030 --disable-encrypt
6031 Sets the replication changelog to not use encryption. You must
6032 export and import the changelog after setting this.
6033
6034
6036 usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
6037
6038
6040 --suffix SUFFIX
6041 Sets the suffix that uses the changelog
6042
6043
6045 usage: dsconf instance replication export-changelog [-h] {to-ldif,de‐
6046 fault} ...
6047
6048
6050 dsconf replication export-changelog to-ldif
6051 Sets the LDIF file name. This is typically used for setting up
6052 changelog encryption
6053
6054 dsconf replication export-changelog default
6055 Export the replication changelog to the server's default LDIF
6056 directory
6057
6059 usage: dsconf instance replication export-changelog to-ldif
6060 [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r
6061 REPLICA_ROOT
6062
6063
6065 -c, --csn-only
6066 Exports and interprets CSNs only. This option can be
6067 used with or without the -i option. The LDIF file that is generated
6068 can not be imported and is only used for debugging purposes.
6069
6070
6071 -d, --decode
6072 Decodes the base64 values in each changelog entry. The LDIF file
6073 that is generated can not be imported and is only used for de‐
6074 bugging purposes.
6075
6076
6077 -l, --preserve-ldif-done
6078 Preserves generated LDIF "files.done" files in changelog direc‐
6079 tory.
6080
6081
6082 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
6083 Decodes changes in an LDIF file. Use this option if you already
6084 have a changelog LDIF file, but the changes in that file are en‐
6085 coded.
6086
6087
6088 -o OUTPUT_FILE, --output-file OUTPUT_FILE
6089 Sets the path name for the final result
6090
6091
6092 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6093 Specifies the replica root whose changelog you want to export
6094
6095
6097 usage: dsconf instance replication export-changelog default
6098 [-h] -r REPLICA_ROOT
6099
6100
6102 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6103 Specifies the replica root whose changelog you want to export
6104
6105
6107 usage: dsconf instance replication import-changelog [-h]
6108 {from-ldif,default}
6109 ...
6110
6111
6113 dsconf replication import-changelog from-ldif
6114 Restore/import a specific single LDIF file
6115
6116 dsconf replication import-changelog default
6117 Import the default changelog LDIF file created by the server
6118
6120 usage: dsconf instance replication import-changelog from-ldif
6121 [-h] -r REPLICA_ROOT LDIF_PATH
6122
6123
6124 LDIF_PATH
6125 The path of the changelog LDIF file
6126
6127
6129 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6130 Specifies the replica root whose changelog you want to import
6131
6132
6134 usage: dsconf instance replication import-changelog default
6135 [-h] -r REPLICA_ROOT
6136
6137
6139 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6140 Specifies the replica root whose changelog you want to import
6141
6142
6144 usage: dsconf instance replication set [-h] --suffix SUFFIX
6145 [--repl-add-bind-dn
6146 REPL_ADD_BIND_DN]
6147 [--repl-del-bind-dn
6148 REPL_DEL_BIND_DN]
6149 [--repl-add-ref REPL_ADD_REF]
6150 [--repl-del-ref REPL_DEL_REF]
6151 [--repl-purge-delay
6152 REPL_PURGE_DELAY]
6153 [--repl-tombstone-purge-interval
6154 REPL_TOMBSTONE_PURGE_INTERVAL]
6155 [--repl-fast-tombstone-purging
6156 REPL_FAST_TOMBSTONE_PURGING]
6157 [--repl-bind-group
6158 REPL_BIND_GROUP]
6159 [--repl-bind-group-interval
6160 REPL_BIND_GROUP_INTERVAL]
6161 [--repl-protocol-timeout
6162 REPL_PROTOCOL_TIMEOUT]
6163 [--repl-backoff-max REPL_BACK‐
6164 OFF_MAX]
6165 [--repl-backoff-min REPL_BACK‐
6166 OFF_MIN]
6167 [--repl-release-timeout REPL_RE‐
6168 LEASE_TIMEOUT]
6169
6170
6172 --suffix SUFFIX
6173 Sets the DN of the replication suffix
6174
6175
6176 --repl-add-bind-dn REPL_ADD_BIND_DN
6177 Adds a bind (supplier) DN
6178
6179
6180 --repl-del-bind-dn REPL_DEL_BIND_DN
6181 Removes a bind (supplier) DN
6182
6183
6184 --repl-add-ref REPL_ADD_REF
6185 Adds a replication referral (for consumers only)
6186
6187
6188 --repl-del-ref REPL_DEL_REF
6189 Removes a replication referral (for consumers only)
6190
6191
6192 --repl-purge-delay REPL_PURGE_DELAY
6193 Sets the replication purge delay
6194
6195
6196 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
6197 Sets the interval in seconds to check for tombstones that can be
6198 purged
6199
6200
6201 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6202 Enables or disables improving the tombstone purging performance
6203
6204
6205 --repl-bind-group REPL_BIND_GROUP
6206 Sets a group entry DN containing members that are "bind/sup‐
6207 plier" DNs
6208
6209
6210 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6211 Sets an interval in seconds to check if the bind group has been
6212 updated
6213
6214
6215 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6216 Sets a timeout in seconds on how long to wait before stopping
6217 replication when the server is under load
6218
6219
6220 --repl-backoff-max REPL_BACKOFF_MAX
6221 The maximum time in seconds a replication agreement should stay
6222 in a backoff state while waiting to acquire the consumer. De‐
6223 fault is 300 seconds
6224
6225
6226 --repl-backoff-min REPL_BACKOFF_MIN
6227 The starting time in seconds a replication agreement should stay
6228 in a backoff state while waiting to acquire the consumer. De‐
6229 fault is 3 seconds
6230
6231
6232 --repl-release-timeout REPL_RELEASE_TIMEOUT
6233 A timeout in seconds a replication supplier should send updates
6234 before it yields its replication session
6235
6236
6238 usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
6239 [-a [ALIASES ...]]
6240
6241
6243 -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
6244 Sets the connection values for monitoring other topologies that are
6245 not connected. The format: 'host:port:binddn:bindpwd'. You can use
6246 regex for host and port. You can set bindpwd to * and it will be
6247 requested at runtime, or you can include the path to the
6248 password file in square brackets - [~/pwd.txt]. A literal bindpwd on the command line can appear in the process list and shell history, so prefer one of these two forms
6249
6250
6251 -a [ALIASES ...], --aliases [ALIASES ...]
6252 Enables displaying an alias instead of host:port, if an alias is
6253 assigned to a host:port combination. The format: alias=host:port
6254
6255
6257 usage: dsconf instance repl-agmt [-h]
6258 {list,enable,disable,init,init-sta‐
6259 tus,poke,status,delete,create,set,get}
6260 ...
6261
6262
6264 dsconf repl-agmt list
6265 List all replication agreements
6266
6267 dsconf repl-agmt enable
6268 Enable replication agreement
6269
6270 dsconf repl-agmt disable
6271 Disable replication agreement
6272
6273 dsconf repl-agmt init
6274 Initialize replication agreement
6275
6276 dsconf repl-agmt init-status
6277 Check the agreement initialization status
6278
6279 dsconf repl-agmt poke
6280 Trigger replication to send updates now
6281
6282 dsconf repl-agmt status
6283 Displays the current status of the replication agreement
6284
6285 dsconf repl-agmt delete
6286 Delete replication agreement
6287
6288 dsconf repl-agmt create
6289 Create a replication agreement
6290
6291 dsconf repl-agmt set
6292 Set an attribute in the replication agreement
6293
6294 dsconf repl-agmt get
6295 Get replication configuration
6296
6298 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry EN‐
6299 TRY]
6300
6301
6303 --suffix SUFFIX
6304 Sets the DN of the suffix to look up replication agreements for
6305
6306
6307 --entry ENTRY
6308 Returns the entire entry for each agreement
6309
6310
6312 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6313
6314
6315 AGMT_NAME
6316 The name of the replication agreement
6317
6318
6320 --suffix SUFFIX
6321 Sets the DN of the replication suffix
6322
6323
6325 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6326
6327
6328 AGMT_NAME
6329 The name of the replication agreement
6330
6331
6333 --suffix SUFFIX
6334 Sets the DN of the replication suffix
6335
6336
6338 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6339
6340
6341 AGMT_NAME
6342 The name of the replication agreement
6343
6344
6346 --suffix SUFFIX
6347 Sets the DN of the replication suffix
6348
6349
6351 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6352 AGMT_NAME
6353
6354
6355 AGMT_NAME
6356 The name of the replication agreement
6357
6358
6360 --suffix SUFFIX
6361 Sets the DN of the replication suffix
6362
6363
6365 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6366
6367
6368 AGMT_NAME
6369 The name of the replication agreement
6370
6371
6373 --suffix SUFFIX
6374 Sets the DN of the replication suffix
6375
6376
6378 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6379 [--bind-dn BIND_DN]
6380 [--bind-passwd BIND_PASSWD]
6381 AGMT_NAME
6382
6383
6384 AGMT_NAME
6385 The name of the replication agreement
6386
6387
6389 --suffix SUFFIX
6390 Sets the DN of the replication suffix
6391
6392
6393 --bind-dn BIND_DN
6394 Sets the DN to use to authenticate to the consumer
6395
6396
6397 --bind-passwd BIND_PASSWD
6398 Sets the password for the bind DN
6399
6400
6402 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6403
6404
6405 AGMT_NAME
6406 The name of the replication agreement
6407
6408
6410 --suffix SUFFIX
6411 Sets the DN of the replication suffix
6412
6413
6415 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host
6416 HOST
6417 --port PORT --conn-protocol
6418 CONN_PROTOCOL [--bind-dn
6419 BIND_DN]
6420 [--bind-passwd BIND_PASSWD]
6421 --bind-method BIND_METHOD
6422 [--frac-list FRAC_LIST]
6423 [--frac-list-total
6424 FRAC_LIST_TOTAL]
6425 [--strip-list STRIP_LIST]
6426 [--schedule SCHEDULE]
6427 [--conn-timeout CONN_TIMEOUT]
6428 [--protocol-timeout PROTO‐
6429 COL_TIMEOUT]
6430 [--wait-async-results
6431 WAIT_ASYNC_RESULTS]
6432 [--busy-wait-time
6433 BUSY_WAIT_TIME]
6434 [--session-pause-time SES‐
6435 SION_PAUSE_TIME]
6436 [--flow-control-window
6437 FLOW_CONTROL_WINDOW]
6438 [--flow-control-pause FLOW_CON‐
6439 TROL_PAUSE]
6440 [--bootstrap-bind-dn BOOT‐
6441 STRAP_BIND_DN]
6442 [--bootstrap-bind-passwd BOOT‐
6443 STRAP_BIND_PASSWD]
6444 [--bootstrap-conn-protocol
6445 BOOTSTRAP_CONN_PROTOCOL]
6446 [--bootstrap-bind-method BOOT‐
6447 STRAP_BIND_METHOD]
6448 [--init]
6449 AGMT_NAME
6450
6451
6452 AGMT_NAME
6453 The name of the replication agreement
6454
6455
6457 --suffix SUFFIX
6458 Sets the DN of the replication suffix
6459
6460
6461 --host HOST
6462 Sets the hostname of the remote replica
6463
6464
6465 --port PORT
6466 Sets the port number of the remote replica
6467
6468
6469 --conn-protocol CONN_PROTOCOL
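6470 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6471 TLS. Plain LDAP does not encrypt the connection, so with the "SIMPLE" bind method the bind password crosses the network in clear text; prefer LDAPS or StartTLS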
6472
6473
6474 --bind-dn BIND_DN
6475 Sets the bind DN the agreement uses to authenticate to the
6476 replica
6477
6478
6479 --bind-passwd BIND_PASSWD
6480 Sets the credentials for the bind DN
6481
6482
6483 --bind-method BIND_METHOD
6484 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6485 or "SASL/GSSAPI"
6486
6487
6488 --frac-list FRAC_LIST
6489 Sets the list of attributes to NOT replicate to the consumer
6490 during incremental updates
6491
6492
6493 --frac-list-total FRAC_LIST_TOTAL
6494 Sets the list of attributes to NOT replicate during a total ini‐
6495 tialization
6496
6497
6498 --strip-list STRIP_LIST
6499 Sets a list of attributes that are removed from updates only if
6500 the event would otherwise be empty. Typically this is set to
6501 "modifiersname" and "modifytimestamp"
6502
6503
6504 --schedule SCHEDULE
6505 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6506 0-6 (Sunday - Saturday).
6507
6508
6509 --conn-timeout CONN_TIMEOUT
6510 Sets the timeout used for replication connections
6511
6512
6513 --protocol-timeout PROTOCOL_TIMEOUT
6514 Sets a timeout in seconds on how long to wait before stopping
6515 replication when the server is under load
6516
6517
6518 --wait-async-results WAIT_ASYNC_RESULTS
6519 Sets the amount of time in milliseconds the server waits if the
6520 consumer is not ready before resending data
6521
6522
6523 --busy-wait-time BUSY_WAIT_TIME
6524 Sets the amount of time in seconds a supplier should wait after
6525 a consumer sends back a busy response before making another at‐
6526 tempt to acquire access.
6527
6528
6529 --session-pause-time SESSION_PAUSE_TIME
6530 Sets the amount of time in seconds a supplier should wait be‐
6531 tween update sessions.
6532
6533
6534 --flow-control-window FLOW_CONTROL_WINDOW
6535 Sets the maximum number of entries and updates sent by a sup‐
6536 plier, which are not acknowledged by the consumer.
6537
6538
6539 --flow-control-pause FLOW_CONTROL_PAUSE
6540 Sets the time in milliseconds to pause after reaching the number
6541 of entries and updates set in "--flow-control-window"
6542
6543
6544 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6545 Sets an optional bind DN the agreement can use to bootstrap ini‐
6546 tialization when bind groups are being used
6547
6548
6549 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6550 Sets the bootstrap credentials for the bind DN
6551
6552
6553 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6554 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6555 or StartTLS
6556
6557
6558 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6559 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6560
6561
6562 --init Initializes the agreement after creating it
6563
6564
6566 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6567 [--port PORT]
6568 [--conn-protocol CONN_PROTOCOL]
6569 [--bind-dn BIND_DN]
6570 [--bind-passwd BIND_PASSWD]
6571 [--bind-method BIND_METHOD]
6572 [--frac-list FRAC_LIST]
6573 [--frac-list-total FRAC_LIST_TO‐
6574 TAL]
6575 [--strip-list STRIP_LIST]
6576 [--schedule SCHEDULE]
6577 [--conn-timeout CONN_TIMEOUT]
6578 [--protocol-timeout PROTOCOL_TIME‐
6579 OUT]
6580 [--wait-async-results
6581 WAIT_ASYNC_RESULTS]
6582 [--busy-wait-time BUSY_WAIT_TIME]
6583 [--session-pause-time SES‐
6584 SION_PAUSE_TIME]
6585 [--flow-control-window FLOW_CON‐
6586 TROL_WINDOW]
6587 [--flow-control-pause FLOW_CON‐
6588 TROL_PAUSE]
6589 [--bootstrap-bind-dn BOOT‐
6590 STRAP_BIND_DN]
6591 [--bootstrap-bind-passwd BOOT‐
6592 STRAP_BIND_PASSWD]
6593 [--bootstrap-conn-protocol BOOT‐
6594 STRAP_CONN_PROTOCOL]
6595 [--bootstrap-bind-method BOOT‐
6596 STRAP_BIND_METHOD]
6597 AGMT_NAME
6598
6599
6600 AGMT_NAME
6601 The name of the replication agreement
6602
6603
6605 --suffix SUFFIX
6606 Sets the DN of the replication suffix
6607
6608
6609 --host HOST
6610 Sets the hostname of the remote replica
6611
6612
6613 --port PORT
6614 Sets the port number of the remote replica
6615
6616
6617 --conn-protocol CONN_PROTOCOL
6618 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6619 TLS
6620
6621
6622 --bind-dn BIND_DN
6623 Sets the Bind DN the agreement uses to authenticate to the
6624 replica
6625
6626
6627 --bind-passwd BIND_PASSWD
6628 Sets the credentials for the bind DN
6629
6630
6631 --bind-method BIND_METHOD
6632 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6633 or "SASL/GSSAPI"
6634
6635
6636 --frac-list FRAC_LIST
6637 Sets a list of attributes to NOT replicate to the consumer dur‐
6638 ing incremental updates
6639
6640
6641 --frac-list-total FRAC_LIST_TOTAL
6642 Sets a list of attributes to NOT replicate during a total ini‐
6643 tialization
6644
6645
6646 --strip-list STRIP_LIST
6647 Sets a list of attributes that are removed from updates only if
6648 the event would otherwise be empty. Typically this is set to
6649 "modifiersname" and "modifytimestamp"
6650
6651
6652 --schedule SCHEDULE
6653 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6654 0-6 (Sunday - Saturday).
6655
6656
6657 --conn-timeout CONN_TIMEOUT
6658 Sets the timeout used for replication connections
6659
6660
6661 --protocol-timeout PROTOCOL_TIMEOUT
6662 Sets a timeout in seconds on how long to wait before stopping
6663 replication when the server is under load
6664
6665
6666 --wait-async-results WAIT_ASYNC_RESULTS
6667 Sets the amount of time in milliseconds the server waits if the
6668 consumer is not ready before resending data
6669
6670
6671 --busy-wait-time BUSY_WAIT_TIME
6672 Sets the amount of time in seconds a supplier should wait after
6673 a consumer sends back a busy response before making another at‐
6674 tempt to acquire access.
6675
6676
6677 --session-pause-time SESSION_PAUSE_TIME
6678 Sets the amount of time in seconds a supplier should wait be‐
6679 tween update sessions.
6680
6681
6682 --flow-control-window FLOW_CONTROL_WINDOW
6683 Sets the maximum number of entries and updates sent by a sup‐
6684 plier, which are not acknowledged by the consumer.
6685
6686
6687 --flow-control-pause FLOW_CONTROL_PAUSE
6688 Sets the time in milliseconds to pause after reaching the number
6689 of entries and updates set in "--flow-control-window"
6690
6691
6692 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6693 Sets an optional bind DN the agreement can use to bootstrap ini‐
6694 tialization when bind groups are being used
6695
6696
6697 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6698 Sets the bootstrap credentials for the bind DN
6699
6700
6701 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6702 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6703 or StartTLS
6704
6705
6706 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6707 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6708
6709
6711 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
6712
6713
6714 AGMT_NAME
6715 The suffix DN for which to display the replication configuration
6716
6717
6719 --suffix SUFFIX
6720 Sets the DN of the replication suffix
6721
6722
6724 usage: dsconf instance repl-winsync-agmt [-h]
6725 {list,enable,dis‐
6726 able,init,init-status,poke,status,delete,create,set,get}
6727 ...
6728
6729
6731 dsconf repl-winsync-agmt list
6732 List all the replication winsync agreements
6733
6734 dsconf repl-winsync-agmt enable
6735 Enable replication winsync agreement
6736
6737 dsconf repl-winsync-agmt disable
6738 Disable replication winsync agreement
6739
6740 dsconf repl-winsync-agmt init
6741 Initialize replication winsync agreement
6742
6743 dsconf repl-winsync-agmt init-status
6744 Check the agreement initialization status
6745
6746 dsconf repl-winsync-agmt poke
6747 Trigger replication to send updates now
6748
6749 dsconf repl-winsync-agmt status
6750 Display the current status of the replication agreement
6751
6752 dsconf repl-winsync-agmt delete
6753 Delete replication winsync agreement
6754
6755 dsconf repl-winsync-agmt create
6756 Initialize replication winsync agreement
6757
6758 dsconf repl-winsync-agmt set
6759 Set an attribute in the replication winsync agreement
6760
6761 dsconf repl-winsync-agmt get
6762 Display replication configuration
6763
6765 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
6766
6767
6769 --suffix SUFFIX
6770 Sets the DN of the suffix to look up replication winsync agree‐
6771 ments
6772
6773
6775 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
6776 AGMT_NAME
6777
6778
6779 AGMT_NAME
6780 The name of the replication winsync agreement
6781
6782
6784 --suffix SUFFIX
6785 Sets the DN of the replication winsync suffix
6786
6787
6789 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
6790 AGMT_NAME
6791
6792
6793 AGMT_NAME
6794 The name of the replication winsync agreement
6795
6796
6798 --suffix SUFFIX
6799 Sets the DN of the replication winsync suffix
6800
6801
6803 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
6804 AGMT_NAME
6805
6806
6807 AGMT_NAME
6808 The name of the replication winsync agreement
6809
6810
6812 --suffix SUFFIX
6813 Sets the DN of the replication winsync suffix
6814
6815
6817 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUF‐
6818 FIX
6819 AGMT_NAME
6820
6821
6822 AGMT_NAME
6823 The name of the replication agreement
6824
6825
6827 --suffix SUFFIX
6828 Sets the DN of the replication suffix
6829
6830
6832 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
6833 AGMT_NAME
6834
6835
6836 AGMT_NAME
6837 The name of the replication winsync agreement
6838
6839
6841 --suffix SUFFIX
6842 Sets the DN of the replication winsync suffix
6843
6844
6846 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
6847 AGMT_NAME
6848
6849
6850 AGMT_NAME
6851 The name of the replication agreement
6852
6853
6855 --suffix SUFFIX
6856 Sets the DN of the replication suffix
6857
6858
6860 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
6861 AGMT_NAME
6862
6863
6864 AGMT_NAME
6865 The name of the replication winsync agreement
6866
6867
6869 --suffix SUFFIX
6870 Sets the DN of the replication winsync suffix
6871
6872
6874 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
6875 --host
6876 HOST --port PORT
6877 --conn-protocol
6878 CONN_PROTOCOL
6879 --bind-dn BIND_DN
6880 --bind-passwd
6881 BIND_PASSWD
6882 [--frac-list FRAC_LIST]
6883 [--schedule SCHEDULE]
6884 --win-subtree WIN_SUB‐
6885 TREE
6886 --ds-subtree DS_SUBTREE
6887 --win-domain WIN_DOMAIN
6888 [--sync-users
6889 SYNC_USERS]
6890 [--sync-groups
6891 SYNC_GROUPS]
6892 [--sync-interval
6893 SYNC_INTERVAL]
6894 [--one-way-sync
6895 ONE_WAY_SYNC]
6896 [--move-action MOVE_AC‐
6897 TION]
6898 [--win-filter WIN_FIL‐
6899 TER]
6900 [--ds-filter DS_FILTER]
6901 [--subtree-pair SUB‐
6902 TREE_PAIR]
6903 [--conn-timeout
6904 CONN_TIMEOUT]
6905 [--busy-wait-time
6906 BUSY_WAIT_TIME]
6907 [--session-pause-time
6908 SESSION_PAUSE_TIME]
6909 [--flatten-tree]
6910 [--init]
6911 AGMT_NAME
6912
6913
6914 AGMT_NAME
6915 The name of the replication winsync agreement
6916
6917
6919 --suffix SUFFIX
6920 Sets the DN of the replication winsync suffix
6921
6922
6923 --host HOST
6924 Sets the hostname of the AD server
6925
6926
6927 --port PORT
6928 Sets the port number of the AD server
6929
6930
6931 --conn-protocol CONN_PROTOCOL
6932 Sets the replication winsync connection protocol: LDAP, LDAPS,
6933 or StartTLS
6934
6935
6936 --bind-dn BIND_DN
6937 Sets the bind DN the agreement uses to authenticate to the AD
6938 Server
6939
6940
6941 --bind-passwd BIND_PASSWD
6942 Sets the credentials for the Bind DN. A password passed on the command line can be exposed through the process list and shell history.
6943
6944
6945 --frac-list FRAC_LIST
6946 Sets a list of attributes to NOT replicate to the consumer dur‐
6947 ing incremental updates
6948
6949
6950 --schedule SCHEDULE
6951 Sets the replication update schedule
6952
6953
6954 --win-subtree WIN_SUBTREE
6955 Sets the suffix of the AD Server
6956
6957
6958 --ds-subtree DS_SUBTREE
6959 Sets the Directory Server suffix
6960
6961
6962 --win-domain WIN_DOMAIN
6963 Sets the AD Domain
6964
6965
6966 --sync-users SYNC_USERS
6967 Synchronizes users between AD and DS
6968
6969
6970 --sync-groups SYNC_GROUPS
6971 Synchronizes groups between AD and DS
6972
6973
6974 --sync-interval SYNC_INTERVAL
6975 Sets the interval that DS checks AD for changes in entries
6976
6977
6978 --one-way-sync ONE_WAY_SYNC
6979 Sets which direction to perform synchronization: "toWindows", or
6980 "fromWindows". By default sync occurs in both directions.
6981
6982
6983 --move-action MOVE_ACTION
6984 Sets instructions on how to handle moved or deleted entries:
6985 "none", "unsync", or "delete"
6986
6987
6988 --win-filter WIN_FILTER
6989 Sets a custom filter for finding users in AD Server
6990
6991
6992 --ds-filter DS_FILTER
6993 Sets a custom filter for finding AD users in DS
6994
6995
6996 --subtree-pair SUBTREE_PAIR
6997 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
6998
6999
7000 --conn-timeout CONN_TIMEOUT
7001 Sets the timeout used for replication connections
7002
7003
7004 --busy-wait-time BUSY_WAIT_TIME
7005 Sets the amount of time in seconds a supplier should wait after
7006 a consumer sends back a busy response before making another at‐
7007 tempt to acquire access
7008
7009
7010 --session-pause-time SESSION_PAUSE_TIME
7011 Sets the amount of time in seconds a supplier should wait be‐
7012 tween update sessions
7013
7014
7015 --flatten-tree
7016 By default, the tree structure of AD is preserved into 389. This
7017 MAY cause replication to fail in some cases, as you may need to
7018 create missing OUs to recreate the same tree structure. When
7019 enabled, this setting removes the tree structure of AD and flat‐
7020 tens all entries into the ds-subtree. This does NOT affect or
7021 change the tree structure of the AD directory.
7022
7023
7024 --init Initializes the agreement after creating it
7025
7026
7028 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
7029 [--host HOST] [--port
7030 PORT]
7031 [--conn-protocol CONN_PRO‐
7032 TOCOL]
7033 [--bind-dn BIND_DN]
7034 [--bind-passwd
7035 BIND_PASSWD]
7036 [--frac-list FRAC_LIST]
7037 [--schedule SCHEDULE]
7038 [--win-subtree WIN_SUB‐
7039 TREE]
7040 [--ds-subtree DS_SUBTREE]
7041 [--win-domain WIN_DOMAIN]
7042 [--sync-users SYNC_USERS]
7043 [--sync-groups
7044 SYNC_GROUPS]
7045 [--sync-interval SYNC_IN‐
7046 TERVAL]
7047 [--one-way-sync
7048 ONE_WAY_SYNC]
7049 [--move-action MOVE_AC‐
7050 TION]
7051 [--win-filter WIN_FILTER]
7052 [--ds-filter DS_FILTER]
7053 [--subtree-pair SUB‐
7054 TREE_PAIR]
7055 [--conn-timeout CONN_TIME‐
7056 OUT]
7057 [--busy-wait-time
7058 BUSY_WAIT_TIME]
7059 [--session-pause-time SES‐
7060 SION_PAUSE_TIME]
7061 AGMT_NAME
7062
7063
7064 AGMT_NAME
7065 The name of the replication winsync agreement
7066
7067
7069 --suffix SUFFIX
7070 Sets the DN of the replication winsync suffix
7071
7072
7073 --host HOST
7074 Sets the hostname of the AD server
7075
7076
7077 --port PORT
7078 Sets the port number of the AD server
7079
7080
7081 --conn-protocol CONN_PROTOCOL
7082 Sets the replication winsync connection protocol: LDAP, LDAPS,
7083 or StartTLS
7084
7085
7086 --bind-dn BIND_DN
7087 Sets the bind DN the agreement uses to authenticate to the AD
7088 Server
7089
7090
7091 --bind-passwd BIND_PASSWD
7092 Sets the credentials for the Bind DN
7093
7094
7095 --frac-list FRAC_LIST
7096 Sets a list of attributes to NOT replicate to the consumer dur‐
7097 ing incremental updates
7098
7099
7100 --schedule SCHEDULE
7101 Sets the replication update schedule
7102
7103
7104 --win-subtree WIN_SUBTREE
7105 Sets the suffix of the AD Server
7106
7107
7108 --ds-subtree DS_SUBTREE
7109 Sets the Directory Server suffix
7110
7111
7112 --win-domain WIN_DOMAIN
7113 Sets the AD Domain
7114
7115
7116 --sync-users SYNC_USERS
7117 Synchronizes users between AD and DS
7118
7119
7120 --sync-groups SYNC_GROUPS
7121 Synchronizes groups between AD and DS
7122
7123
7124 --sync-interval SYNC_INTERVAL
7125 Sets the interval that DS checks AD for changes in entries
7126
7127
7128 --one-way-sync ONE_WAY_SYNC
7129 Sets which direction to perform synchronization: "toWindows", or
7130 "fromWindows". By default sync occurs in both directions.
7131
7132
7133 --move-action MOVE_ACTION
7134 Sets instructions on how to handle moved or deleted entries:
7135 "none", "unsync", or "delete"
7136
7137
7138 --win-filter WIN_FILTER
7139 Sets a custom filter for finding users in AD Server
7140
7141
7142 --ds-filter DS_FILTER
7143 Sets a custom filter for finding AD users in DS
7144
7145
7146 --subtree-pair SUBTREE_PAIR
7147 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7148
7149
7150 --conn-timeout CONN_TIMEOUT
7151 Sets the timeout used for replication connections
7152
7153
7154 --busy-wait-time BUSY_WAIT_TIME
7155 Sets the amount of time in seconds a supplier should wait after
7156 a consumer sends back a busy response before making another at‐
7157 tempt to acquire access
7158
7159
7160 --session-pause-time SESSION_PAUSE_TIME
7161 Sets the amount of time in seconds a supplier should wait be‐
7162 tween update sessions
7163
7164
7166 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
7167 AGMT_NAME
7168
7169
7170 AGMT_NAME
7171 The suffix DN for the replication configuration to display
7172
7173
7175 --suffix SUFFIX
7176 Sets the DN of the replication suffix
7177
7178
7180 usage: dsconf instance repl-tasks [-h]
7181 {cleanallruv,list-cleanruv-
7182 tasks,abort-cleanallruv,list-abortruv-tasks}
7183 ...
7184
7185
7187 dsconf repl-tasks cleanallruv
7188 Cleanup old/removed replica IDs
7189
7190 dsconf repl-tasks list-cleanruv-tasks
7191 List all the running CleanAllRUV tasks
7192
7193 dsconf repl-tasks abort-cleanallruv
7194 Abort cleanallruv tasks
7195
7196 dsconf repl-tasks list-abortruv-tasks
7197 List all the running CleanAllRUV abort tasks
7198
7200 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
7201 --replica-id REPLICA_ID
7202 [--force-cleaning]
7203
7204
7206 --suffix SUFFIX
7207 Sets the Directory Server suffix
7208
7209
7210 --replica-id REPLICA_ID
7211 Sets the replica ID to remove/clean
7212
7213
7214 --force-cleaning
7215 Ignores errors and makes a best attempt to clean all replicas
7216
7217
7219 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
7220 SUFFIX]
7221
7222
7224 --suffix SUFFIX
7225 Lists only tasks for the specified suffix
7226
7227
7229 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUF‐
7230 FIX
7231 --replica-id
7232 REPLICA_ID
7233 [--certify]
7234
7235
7237 --suffix SUFFIX
7238 Sets the Directory Server suffix
7239
7240
7241 --replica-id REPLICA_ID
7242 Sets the replica ID of the cleaning task to abort
7243
7244
7245 --certify
7246 Enforces that the abort task completed on all replicas
7247
7248
7250 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
7251 SUFFIX]
7252
7253
7255 --suffix SUFFIX
7256 Lists only tasks for the specified suffix
7257
7258
7260 usage: dsconf instance sasl [-h]
7261 {list,get-mechs,get-available-
7262 mechs,get,create,delete}
7263 ...
7264
7265
7267 dsconf sasl list
7268 Display available SASL mappings
7269
7270 dsconf sasl get-mechs
7271 Display the SASL mechanisms that the server will accept
7272
7273 dsconf sasl get-available-mechs
7274 Display the SASL mechanisms that are available to the server
7275
7276 dsconf sasl get
7277 Displays SASL mappings
7278
7279 dsconf sasl create
7280 Create a SASL mapping
7281
7282 dsconf sasl delete
7283 Deletes the SASL object
7284
7286 usage: dsconf instance sasl list [-h] [--details]
7287
7288
7290 --details
7291 Displays each SASL mapping in detail
7292
7293
7295 usage: dsconf instance sasl get-mechs [-h]
7296
7297
7299 usage: dsconf instance sasl get-available-mechs [-h]
7300
7301
7303 usage: dsconf instance sasl get [-h] [selector]
7304
7305
7306 selector
7307 The SASL mapping name to display
7308
7309
7311 usage: dsconf instance sasl create [-h] [--cn [CN]]
7312 [--nsSaslMapRegexString
7313 [NSSASLMAPREGEXSTRING]]
7314 [--nsSaslMapBaseDNTemplate
7315 [NSSASLMAPBASEDNTEMPLATE]]
7316 [--nsSaslMapFilterTemplate
7317 [NSSASLMAPFILTERTEMPLATE]]
7318 [--nsSaslMapPriority [NSSASLMAPPRI‐
7319 ORITY]]
7320
7321
7323 --cn [CN]
7324 Value of cn
7325
7326
7327 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7328 Value of nsSaslMapRegexString
7329
7330
7331 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7332 Value of nsSaslMapBaseDNTemplate
7333
7334
7335 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7336 Value of nsSaslMapFilterTemplate
7337
7338
7339 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7340 Value of nsSaslMapPriority
7341
7342
7344 usage: dsconf instance sasl delete [-h] map_name
7345
7346
7347 map_name
7348 The SASL mapping name ("cn" value)
7349
7350
7352 usage: dsconf instance security [-h]
7353 {set,get,enable,disable,dis‐
7354 able_plain_port,certificate,ca-certificate,rsa,ciphers}
7355 ...
7356
7357
7359 dsconf security set
7360 Set general security options
7361
7362 dsconf security get
7363 Display general security options
7364
7365 dsconf security enable
7366 Enable security
7367
7368 dsconf security disable
7369 Disable security
7370
7371 dsconf security disable_plain_port
7372 Disables the plain text LDAP port, allowing only LDAPS to func‐
7373 tion
7374
7375 dsconf security certificate
7376 Manage TLS certificates
7377
7378 dsconf security ca-certificate
7379 Manage TLS certificate authorities
7380
7381 dsconf security rsa
7382 Query and update RSA security options
7383
7384 dsconf security ciphers
7385 Manage secure ciphers
7386
7388 usage: dsconf instance security set [-h] [--security SECURITY]
7389 [--listen-host LISTEN_HOST]
7390 [--secure-port SECURE_PORT]
7391 [--tls-client-auth TLS_CLIENT_AUTH]
7392 [--tls-client-renegotiation
7393 TLS_CLIENT_RENEGOTIATION]
7394 [--require-secure-authentication
7395 REQUIRE_SECURE_AUTHENTICATION]
7396 [--check-hostname CHECK_HOSTNAME]
7397 [--verify-cert-chain-on-startup
7398 VERIFY_CERT_CHAIN_ON_STARTUP]
7399 [--session-timeout SESSION_TIMEOUT]
7400 [--tls-protocol-min TLS_PROTO‐
7401 COL_MIN]
7402 [--tls-protocol-max TLS_PROTO‐
7403 COL_MAX]
7404 [--allow-insecure-ciphers ALLOW_IN‐
7405 SECURE_CIPHERS]
7406 [--allow-weak-dh-param AL‐
7407 LOW_WEAK_DH_PARAM]
7408 [--cipher-pref CIPHER_PREF]
7409
7410 Use this command for setting security related options located in
7411 cn=config and cn=encryption,cn=config.
7412
7413 To enable/disable security you can use enable and disable commands in‐
7414 stead.
7415
7416
7418 --security SECURITY
7419 Enables or disables security (nsslapd-security)
7420
7421
7422 --listen-host LISTEN_HOST
7423 Sets the host or IP address to listen on for LDAPS (nsslapd-se‐
7424 curelistenhost)
7425
7426
7427 --secure-port SECURE_PORT
7428 Sets the port for LDAPS to listen on (nsslapd-securePort)
7429
7430
7431 --tls-client-auth TLS_CLIENT_AUTH
7432 Configures client authentication requirement (nsSSLClientAuth)
7433
7434
7435 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7436 Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)
7437
7438
7439 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7440 Configures whether binds over LDAPS, StartTLS, or SASL are re‐
7441 quired (nsslapd-require-secure-binds)
7442
7443
7444 --check-hostname CHECK_HOSTNAME
7445 Checks the subject of remote certificate against the hostname
7446 (nsslapd-ssl-check-hostname)
7447
7448
7449 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7450 Validates the server certificate during startup (nsslapd-vali‐
7451 date-cert)
7452
7453
7454 --session-timeout SESSION_TIMEOUT
7455 Sets the secure session timeout (nsSSLSessionTimeout)
7456
7457
7458 --tls-protocol-min TLS_PROTOCOL_MIN
7459 Sets the minimal allowed secure protocol version (sslVersionMin)
7460
7461
7462 --tls-protocol-max TLS_PROTOCOL_MAX
7463 Sets the maximal allowed secure protocol version (sslVersionMax)
7464
7465
7466 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7467 Allows weak ciphers for legacy use (allowWeakCipher)
7468
7469
7470 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7471 Allows short DH params for legacy use (allowWeakDHParam)
7472
7473
7474 --cipher-pref CIPHER_PREF
7475 Directly sets the nsSSL3Ciphers attribute. It is a comma-sepa‐
7476 rated list of cipher names (prefixed with + or -), optionally
7477 including +all or -all. The attribute may optionally be prefixed
7478 by keyword "default". Please refer to documentation of the at‐
7479 tribute for a more detailed description. (nsSSL3Ciphers)
7480
7481
7483 usage: dsconf instance security get [-h]
7484
7485
7487 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7488
7489 If missing, create security database, then turn on security functional‐
7490 ity. Please note this is usually not enough for TLS connections to work
7491 - proper setup of CA and server certificate is necessary.
7492
7493
7495 --cert-name CERT_NAME
7496 Sets the name of the certificate the server should use
7497
7498
7500 usage: dsconf instance security disable [-h]
7501
7502 Turn off security functionality. The rest of the configuration will be
7503 left untouched.
7504
7505
7507 usage: dsconf instance security disable_plain_port [-h]
7508
7509
7511 usage: dsconf instance security certificate [-h]
7512 {add,set-trust-
7513 flags,del,get,list}
7514 ...
7515
7516
7518 dsconf security certificate add
7519 Add a server certificate
7520
7521 dsconf security certificate set-trust-flags
7522 Set the Trust flags
7523
7524 dsconf security certificate del
7525 Delete a certificate
7526
7527 dsconf security certificate get
7528 Display a server certificate's information
7529
7530 dsconf security certificate list
7531 List the server certificates
7532
7534 usage: dsconf instance security certificate add [-h] --file FILE --name
7535 NAME
7536 [--primary-cert]
7537
7538 Add a server certificate to the NSS database
7539
7540
7542 --file FILE
7543 Sets the file name of the certificate
7544
7545
7546 --name NAME
7547 Sets the name/nickname of the certificate
7548
7549
7550 --primary-cert
7551 Sets this certificate as the server's certificate
7552
7553
7555 usage: dsconf instance security certificate set-trust-flags
7556 [-h] --flags FLAGS name
7557
7558 Change the trust flags of a server certificate
7559
7560
7561 name The name/nickname of the certificate
7562
7563
7565 --flags FLAGS
7566 Sets the trust flags for the server certificate
7567
7568
7570 usage: dsconf instance security certificate del [-h] name
7571
7572 Delete a certificate from the NSS database
7573
7574
7575 name The name/nickname of the certificate
7576
7577
7579 usage: dsconf instance security certificate get [-h] name
7580
7581 Displays detailed information about a certificate, such as trust at‐
7582 tributes, expiration dates, Subject and Issuer DNs
7583
7584
7585 name Set the name/nickname of the certificate
7586
7587
7589 usage: dsconf instance security certificate list [-h]
7590
7591 Lists the server certificates in the NSS database
7592
7593
7595 usage: dsconf instance security ca-certificate [-h]
7596 {add,set-trust-
7597 flags,del,get,list}
7598 ...
7599
7600
7602 dsconf security ca-certificate add
7603 Add a Certificate Authority
7604
7605 dsconf security ca-certificate set-trust-flags
7606 Set the Trust flags
7607
7608 dsconf security ca-certificate del
7609 Delete a certificate
7610
7611 dsconf security ca-certificate get
7612 Displays a Certificate Authority's information
7613
7614 dsconf security ca-certificate list
7615 List the Certificate Authorities
7616
7618 usage: dsconf instance security ca-certificate add [-h] --file FILE
7619 --name
7620 NAME
7621
7622 Add a Certificate Authority to the NSS database
7623
7624
7626 --file FILE
7627 Sets the file name of the CA certificate
7628
7629
7630 --name NAME
7631 Sets the name/nickname of the CA certificate
7632
7633
7635 usage: dsconf instance security ca-certificate set-trust-flags
7636 [-h] --flags FLAGS name
7637
7638 Change the trust attributes of a CA certificate. Certificate Authori‐
7639 ties typically use "CT,,"
7640
7641
7642 name The name/nickname of the CA certificate
7643
7644
7646 --flags FLAGS
7647 Sets the trust flags for the CA certificate
7648
7649
7651 usage: dsconf instance security ca-certificate del [-h] name
7652
7653 Delete a CA certificate from the NSS database
7654
7655
7656 name The name/nickname of the CA certificate
7657
7658
7660 usage: dsconf instance security ca-certificate get [-h] name
7661
7662 Get detailed information about a CA certificate, like trust attributes,
7663 expiration dates, Subject and Issuer DN
7664
7665
7666 name The name/nickname of the CA certificate
7667
7668
7670 usage: dsconf instance security ca-certificate list [-h]
7671
7672 List the CA certificates in the NSS database
7673
7674
7676 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
7677
7678
7680 dsconf security rsa set
7681 Set RSA security options
7682
7683 dsconf security rsa get
7684 Get RSA security options
7685
7686 dsconf security rsa enable
7687 Enable RSA
7688
7689 dsconf security rsa disable
7690 Disable RSA
7691
7693 usage: dsconf instance security rsa set [-h]
7694 [--tls-allow-rsa-certificates
7695 TLS_ALLOW_RSA_CERTIFICATES]
7696 [--nss-cert-name NSS_CERT_NAME]
7697 [--nss-token NSS_TOKEN]
7698
7699 Use this command for setting RSA (private key) related options located
7700 in cn=RSA,cn=encryption,cn=config.
7701
7702 To enable/disable RSA you can use enable and disable commands instead.
7703
7704
7706 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
7707 Activates the use of RSA certificates (nsSSLActivation)
7708
7709
7710 --nss-cert-name NSS_CERT_NAME
7711 Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)
7712
7713
7714 --nss-token NSS_TOKEN
7715 Sets the security token name (module of NSS DB) (nsSSLToken)
7716
7717
7719 usage: dsconf instance security rsa get [-h]
7720
7721
7723 usage: dsconf instance security rsa enable [-h]
7724
7725
7727 usage: dsconf instance security rsa disable [-h]
7728
7729
7731 usage: dsconf instance security ciphers [-h] {enable,dis‐
7732 able,get,set,list} ...
7733
7734
7736 dsconf security ciphers enable
7737 Enable ciphers
7738
7739 dsconf security ciphers disable
7740 Disable ciphers
7741
7742 dsconf security ciphers get
7743 Get ciphers attribute
7744
7745 dsconf security ciphers set
7746 Set ciphers attribute
7747
7748 dsconf security ciphers list
7749 List ciphers
7750
7752 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
7753
7754 Use this command to enable specific ciphers.
7755
7756
7757 cipher
7758
7760 usage: dsconf instance security ciphers disable [-h] cipher [cipher
7761 ...]
7762
7763 Use this command to disable specific ciphers.
7764
7765
7766 cipher
7767
7769 usage: dsconf instance security ciphers get [-h]
7770
7771 Use this command to get contents of nsSSL3Ciphers attribute.
7772
7773
7775 usage: dsconf instance security ciphers set [-h] cipher-string
7776
7777 Use this command to directly set nsSSL3Ciphers attribute. It is a comma
7778 separated list of cipher names (prefixed with + or -), optionally in‐
7779 cluding +all or -all. The attribute may optionally be set to keyword
7780 default. Please refer to documentation of the attribute for a more de‐
7781 tailed description.
7782
7783
7784 cipher-string
7785
7787 usage: dsconf instance security ciphers list [-h]
7788 [--enabled | --supported |
7789 --disabled]
7790
7791 List secure ciphers. Without arguments, list ciphers as configured in
7792 nsSSL3Ciphers attribute.
7793
7794
7796 --enabled
7797 Lists only enabled ciphers
7798
7799
7800 --supported
7801 Lists only supported ciphers
7802
7803
7804 --disabled
7805 Lists only ciphers that are supported but not enabled
7806
7807
7809 usage: dsconf instance schema [-h]
7810 {list,attributetypes,objectclasses,match‐
7811 ingrules,reload,validate-syntax,import-openldap-file}
7812 ...
7813
7814
7816 dsconf schema list
7817 List all schema objects on this system
7818
7819 dsconf schema attributetypes
7820 Work with attribute types on this system
7821
7822 dsconf schema objectclasses
7823 Work with objectClasses on this system
7824
7825 dsconf schema matchingrules
7826 Work with matching rules on this system
7827
7828 dsconf schema reload
7829 Dynamically reload schema while server is running
7830
7831 dsconf schema validate-syntax
7832 Run a task to check every modification to attributes to make
7833 sure that the new value has the required syntax for that attri‐
7834 bute type
7835
7836 dsconf schema import-openldap-file
7837 Import OpenLDAP-formatted dynamic schema LDIF files. These will
7838 contain values like olcAttributeTypes and olcObjectClasses.
7839
7841 usage: dsconf instance schema list [-h]
7842
7843
7845 usage: dsconf instance schema attributetypes [-h]
7846 {get_syn‐
7847 taxes,list,query,add,replace,remove}
7848 ...
7849
7850
7852 dsconf schema attributetypes get_syntaxes
7853 List all available attribute type syntaxes
7854
7855 dsconf schema attributetypes list
7856 List available attribute types on this system
7857
7858 dsconf schema attributetypes query
7859 Query an attribute to determine object classes that may or must
7860 take it
7861
7862 dsconf schema attributetypes add
7863 Add an attribute type to this system
7864
7865 dsconf schema attributetypes replace
7866 Replace an attribute type on this system
7867
7868 dsconf schema attributetypes remove
7869 Remove an attribute type on this system
7870
7872 usage: dsconf instance schema attributetypes get_syntaxes [-h]
7873
7874
7876 usage: dsconf instance schema attributetypes list [-h]
7877
7878
7880 usage: dsconf instance schema attributetypes query [-h] [name]
7881
7882
7883 name Attribute type to query
7884
7885
7887 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
7888 [--desc DESC]
7889 [--x-origin X_ORIGIN]
7890 [--aliases ALIASES
7891 [ALIASES ...]]
7892 [--single-value]
7893 [--multi-value]
7894 [--no-user-mod]
7895 [--user-mod]
7896 [--equality EQUALITY
7897 [EQUALITY ...]]
7898 [--substr SUBSTR [SUB‐
7899 STR ...]]
7900 [--ordering ORDERING
7901 [ORDERING ...]]
7902 [--usage USAGE] [--sup
7903 SUP]
7904 --syntax SYNTAX
7905 name
7906
7907
7908 name NAME of the object
7909
7910
7912 --oid OID
7913 OID assigned to the object
7914
7915
7916 --desc DESC
7917 Description text(DESC) of the object
7918
7919
7920 --x-origin X_ORIGIN
7921 Provides information about where the attribute type is defined
7922
7923
7924 --aliases ALIASES [ALIASES ...]
7925 Additional NAMEs of the object.
7926
7927
7928 --single-value
7929 True if the matching rule must have only one value. Only one of
7930 this flag or --multi-value should be specified.
7931
7932
7933 --multi-value
7934 True if the matching rule may have multiple values (default). Only
7935 one of this flag or --single-value should be specified.
7936
7937
7938 --no-user-mod
7939 True if the attribute is not modifiable by a client application.
7940 Only one of this flag or --user-mod should be specified.
7941
7942
7943 --user-mod
7944 True if the attribute is modifiable by a client application (default).
7945 Only one of this flag or --no-user-mod should be
7946 specified.
7947
7948
7949 --equality EQUALITY [EQUALITY ...]
7950 NAME or OID of the matching rules used for checking whether
7951 attribute values are equal
7952
7953
7954 --substr SUBSTR [SUBSTR ...]
7955 NAME or OID of the matching rules used for checking whether an
7956 attribute value contains another value
7957
7958
7959 --ordering ORDERING [ORDERING ...]
7960 NAME or OID of the matching rules used for checking whether an
7961 attribute value is less than or equal to another value
7962
7963
7964 --usage USAGE
7965 The flag indicates how the attribute type is to be used. Choose
7966 from the list: userApplications (default), directoryOperation,
7967 distributedOperation, dSAOperation
7968
7969
7970 --sup SUP
7971 The NAME or OID of attribute type this attribute type is derived
7972 from
7973
7974
7975 --syntax SYNTAX
7976 OID of the LDAP syntax assigned to the attribute
7977
7978
7980 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
7981 [--desc DESC]
7982 [--x-origin X_ORI‐
7983 GIN]
7984 [--aliases ALIASES
7985 [ALIASES ...]]
7986 [--single-value]
7987 [--multi-value]
7988 [--no-user-mod]
7989 [--user-mod]
7990 [--equality EQUAL‐
7991 ITY [EQUALITY ...]]
7992 [--substr SUBSTR
7993 [SUBSTR ...]]
7994 [--ordering ORDER‐
7995 ING [ORDERING ...]]
7996 [--usage USAGE]
7997 [--sup SUP]
7998 [--syntax SYNTAX]
7999 name
8000
8001
8002 name NAME of the object
8003
8004
8006 --oid OID
8007 OID assigned to the object
8008
8009
8010 --desc DESC
8011 Description text(DESC) of the object
8012
8013
8014 --x-origin X_ORIGIN
8015 Provides information about where the attribute type is defined
8016
8017
8018 --aliases ALIASES [ALIASES ...]
8019 Additional NAMEs of the object.
8020
8021
8022 --single-value
8023 True if the matching rule must have only one value. Only one of
8024 this flag or --multi-value should be specified.
8025
8026
8027 --multi-value
8028 True if the matching rule may have multiple values (default). Only
8029 one of this flag or --single-value should be specified.
8030
8031
8032 --no-user-mod
8033 True if the attribute is not modifiable by a client application.
8034 Only one of this flag or --user-mod should be specified.
8035
8036
8037 --user-mod
8038 True if the attribute is modifiable by a client application (default).
8039 Only one of this flag or --no-user-mod should be
8040 specified.
8041
8042
8043 --equality EQUALITY [EQUALITY ...]
8044 NAME or OID of the matching rules used for checking whether
8045 attribute values are equal
8046
8047
8048 --substr SUBSTR [SUBSTR ...]
8049 NAME or OID of the matching rules used for checking whether an
8050 attribute value contains another value
8051
8052
8053 --ordering ORDERING [ORDERING ...]
8054 NAME or OID of the matching rules used for checking whether an
8055 attribute value is less than or equal to another value
8056
8057
8058 --usage USAGE
8059 The flag indicates how the attribute type is to be used. Choose
8060 from the list: userApplications (default), directoryOperation,
8061 distributedOperation, dSAOperation
8062
8063
8064 --sup SUP
8065 The NAME or OID of attribute type this attribute type is derived
8066 from
8067
8068
8069 --syntax SYNTAX
8070 OID of the LDAP syntax assigned to the attribute
8071
8072
8074 usage: dsconf instance schema attributetypes remove [-h] name
8075
8076
8077 name NAME of the object
8078
8079
8081 usage: dsconf instance schema objectclasses [-h]
8082 {list,query,add,replace,re‐
8083 move}
8084 ...
8085
8086
8088 dsconf schema objectclasses list
8089 List available objectClasses on this system
8090
8091 dsconf schema objectclasses query
8092 Query an objectClass
8093
8094 dsconf schema objectclasses add
8095 Add an objectClass to this system
8096
8097 dsconf schema objectclasses replace
8098 Replace an objectClass on this system
8099
8100 dsconf schema objectclasses remove
8101 Remove an objectClass on this system
8102
8104 usage: dsconf instance schema objectclasses list [-h]
8105
8106
8108 usage: dsconf instance schema objectclasses query [-h] [name]
8109
8110
8111 name ObjectClass to query
8112
8113
8115 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
8116 [--desc DESC]
8117 [--x-origin X_ORIGIN]
8118 [--must MUST [MUST
8119 ...]]
8120 [--may MAY [MAY ...]]
8121 [--kind KIND]
8122 [--sup SUP [SUP ...]]
8123 name
8124
8125
8126 name NAME of the object
8127
8128
8130 --oid OID
8131 OID assigned to the object
8132
8133
8134 --desc DESC
8135 Description text(DESC) of the object
8136
8137
8138 --x-origin X_ORIGIN
8139 Provides information about where the attribute type is defined
8140
8141
8142 --must MUST [MUST ...]
8143 NAMEs or OIDs of all attributes an entry of the object must have
8144
8145
8146 --may MAY [MAY ...]
8147 NAMEs or OIDs of additional attributes an entry of the object
8148 may have
8149
8150
8151 --kind KIND
8152 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8153
8154
8155 --sup SUP [SUP ...]
8156 NAMEs or OIDs of object classes this object is derived from
8157
8158
8160 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
8161 [--desc DESC]
8162 [--x-origin X_ORI‐
8163 GIN]
8164 [--must MUST [MUST
8165 ...]]
8166 [--may MAY [MAY
8167 ...]]
8168 [--kind KIND]
8169 [--sup SUP [SUP
8170 ...]]
8171 name
8172
8173
8174 name NAME of the object
8175
8176
8178 --oid OID
8179 OID assigned to the object
8180
8181
8182 --desc DESC
8183 Description text(DESC) of the object
8184
8185
8186 --x-origin X_ORIGIN
8187 Provides information about where the attribute type is defined
8188
8189
8190 --must MUST [MUST ...]
8191 NAMEs or OIDs of all attributes an entry of the object must have
8192
8193
8194 --may MAY [MAY ...]
8195 NAMEs or OIDs of additional attributes an entry of the object
8196 may have
8197
8198
8199 --kind KIND
8200 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8201
8202
8203 --sup SUP [SUP ...]
8204 NAMEs or OIDs of object classes this object is derived from
8205
8206
8208 usage: dsconf instance schema objectclasses remove [-h] name
8209
8210
8211 name NAME of the object
8212
8213
8215 usage: dsconf instance schema matchingrules [-h] {list,query} ...
8216
8217
8219 dsconf schema matchingrules list
8220 List available matching rules on this system
8221
8222 dsconf schema matchingrules query
8223 Query a matching rule
8224
8226 usage: dsconf instance schema matchingrules list [-h]
8227
8228
8230 usage: dsconf instance schema matchingrules query [-h] [name]
8231
8232
8233 name Matching rule to query
8234
8235
8237 usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
8238
8239
8241 -d SCHEMADIR, --schemadir SCHEMADIR
8242 directory where schema files are located
8243
8244
8245 --wait Wait for the reload task to complete
8246
8247
8249 usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN
8250
8251
8252 DN Base DN that contains entries to validate
8253
8254
8256 -f FILTER, --filter FILTER
8257 Filter for entries to validate. If omitted, all entries with
8258 filter "(objectclass=*)" are validated
8259
8260
8262 usage: dsconf instance schema import-openldap-file [-h] [--confirm]
8263 schema_file
8264
8265
8266 schema_file
8267 Path to the openldap dynamic schema ldif to import
8268
8269
8271 --confirm
8272 Confirm that you want to apply these schema migration actions to
8273 the 389-ds instance. By default no actions are taken.
8274
8275
8277 usage: dsconf instance repl-conflict [-h]
8278 {list,compare,delete,swap,con‐
8279 vert,list-glue,delete-glue,convert-glue}
8280 ...
8281
8282
8284 dsconf repl-conflict list
8285 List conflict entries
8286
8287 dsconf repl-conflict compare
8288 Compare the conflict entry with its valid counterpart
8289
8290 dsconf repl-conflict delete
8291 Delete a conflict entry
8292
8293 dsconf repl-conflict swap
8294 Replace the valid entry with the conflict entry
8295
8296 dsconf repl-conflict convert
8297 Convert the conflict entry to a valid entry, while keeping the
8298 original valid entry counterpart. This requires that the con‐
8299 verted conflict entry have a new RDN value. For example:
8300 "cn=my_new_rdn_value".
8301
8302 dsconf repl-conflict list-glue
8303 List replication glue entries
8304
8305 dsconf repl-conflict delete-glue
8306 Delete the glue entry and its child entries
8307
8308 dsconf repl-conflict convert-glue
8309 Convert the glue entry into a regular entry
8310
8312 usage: dsconf instance repl-conflict list [-h] suffix
8313
8314
8315 suffix Sets the backend name, or suffix, to look for conflict entries
8316
8317
8319 usage: dsconf instance repl-conflict compare [-h] DN
8320
8321
8322 DN The DN of the conflict entry
8323
8324
8326 usage: dsconf instance repl-conflict delete [-h] DN
8327
8328
8329 DN The DN of the conflict entry
8330
8331
8333 usage: dsconf instance repl-conflict swap [-h] DN
8334
8335
8336 DN The DN of the conflict entry
8337
8338
8340 usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
8341
8342
8343 DN The DN of the conflict entry
8344
8345
8347 --new-rdn NEW_RDN
8348 Sets the new RDN for the converted conflict entry. For example:
8349 "cn=my_new_rdn_value"
8350
8351
8353 usage: dsconf instance repl-conflict list-glue [-h] suffix
8354
8355
8356 suffix The backend name, or suffix, to look for glue entries
8357
8358
8360 usage: dsconf instance repl-conflict delete-glue [-h] DN
8361
8362
8363 DN The DN of the glue entry
8364
8365
8367 usage: dsconf instance repl-conflict convert-glue [-h] DN
8368
8369
8370 DN The DN of the glue entry
8371
8372
8374 -v, --verbose
8375 Display verbose operation tracing during command execution
8376
8377
8378 -D BINDDN, --binddn BINDDN
8379 The account to bind as for executing operations
8380
8381
8382 -w BINDPW, --bindpw BINDPW
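8383 Password for the bind DN. A password passed on the command line can be exposed through the process list and shell history; prefer -W or -y.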
8384
8385
8386 -W, --prompt
8387 Prompt for password of the bind DN
8388
8389
8390 -y PWDFILE, --pwdfile PWDFILE
8391 Specifies a file containing the password of the bind DN. Restrict the file's permissions so that only the invoking user can read it.
8392
8393
8394 -b BASEDN, --basedn BASEDN
8395 Base DN (root naming context) of the instance to manage
8396
8397
8398 -Z, --starttls
8399 Connect with StartTLS
8400
8401
8402 -j, --json
8403 Return result in JSON object
8404
8405
8407 Red Hat Inc., and William Brown <389-devel@lists.fedoraproject.org>
8408
8409
8411 The latest version of lib389 may be downloaded from
8412 ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
8413
8414
8415
8416 Manual DSCONF(8)