1DSCONF(8) Generated Python Manual DSCONF(8)
2
3
4
6 dsconf
7
9 dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
10 [-Z] [-j] instance {backend,backup,chaining,config,directory_man‐
11 ager,monitor,plugin,pwpolicy,localpwp,replication,repl,repl-agmt,repl-
12 winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
13
14
16 dsconf backend
17 Manage database suffixes and backends
18
19 dsconf backup
20 Manage online backups
21
22 dsconf chaining
23 Manage database chaining and database links
24
25 dsconf config
26 Manage the server configuration
27
28 dsconf directory_manager
29 Manage the Directory Manager account
30
31 dsconf monitor
32 Monitor the state of the instance
33
34 dsconf plugin
35 Manage plug-ins available on the server
36
37 dsconf pwpolicy
38 Manage the global password policy settings
39
40 dsconf localpwp
41 Manage the local user and subtree password policies
42
43 dsconf replication
44 Manage replication for a suffix
45
46 dsconf repl-agmt
47 Manage replication agreements
48
49 dsconf repl-winsync-agmt
50 Manage Winsync agreements
51
52 dsconf repl-tasks
53 Manage replication tasks
54
55 dsconf sasl
56 Manage SASL mappings
57
58 dsconf security
59 Manage security settings
60
61 dsconf schema
62 Manage the directory schema
63
64 dsconf repl-conflict
65 Manage replication conflicts
66
67
69 usage: dsconf instance backend [-h]
70 {suffix,index,vlv-index,attr-en‐
71 crypt,config,monitor,import,export,create,delete,get-tree,compact-db}
72 ...
73
74
76 dsconf backend suffix
77 Manage backend suffixes
78
79 dsconf backend index
80 Manage backend indexes
81
82 dsconf backend vlv-index
83 Manage VLV searches and indexes
84
85 dsconf backend attr-encrypt
86 Manage encrypted attribute settings
87
88 dsconf backend config
89 Manage the global database configuration settings
90
91 dsconf backend monitor
92 Displays global database or suffix monitoring information
93
94 dsconf backend import
95 Online import of a suffix
96
97 dsconf backend export
98 Online export of a suffix
99
100 dsconf backend create
101 Create a backend database
102
103 dsconf backend delete
104 Delete a backend database
105
106 dsconf backend get-tree
107 Display the suffix tree
108
109 dsconf backend compact-db
110 Compact the database and the replication changelog
111
112
114 usage: dsconf instance backend suffix [-h]
115 {list,get,get-dn,get-sub-suf‐
116 fixes,set}
117 ...
118
119
121 dsconf backend suffix list
122 List active backends and suffixes
123
124 dsconf backend suffix get
125 Display the suffix entry
126
127 dsconf backend suffix get-dn
128 Display the DN of a backend
129
130 dsconf backend suffix get-sub-suffixes
131 Display sub-suffixes
132
133 dsconf backend suffix set
134 Set configuration settings for a specific backend
135
136
138 usage: dsconf instance backend suffix list [-h] [--suffix]
139 [--skip-subsuffixes]
140
141
143 --suffix
144 Displays the suffixes without backend name
145
146
147 --skip-subsuffixes
148 Displays the list of suffixes without sub-suffixes
149
150
152 usage: dsconf instance backend suffix get [-h] [selector]
153
154
155 selector
156 The backend database name to search for
157
158
160 usage: dsconf instance backend suffix get-dn [-h] [dn]
161
162
163 dn The DN to the database entry in cn=ldbm database,cn=plug‐
164 ins,cn=config
165
166
168 usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
169 be_name
170
171
172 be_name
173 The backend name or suffix
174
175
177 --suffix
178 Displays the list of suffixes without backend name
179
180
182 usage: dsconf instance backend suffix set [-h] [--enable-readonly]
183 [--disable-readonly]
184 [--enable-orphan] [--dis‐
185 able-orphan]
186 [--require-index] [--ig‐
187 nore-index]
188 [--add-referral ADD_REFERRAL]
189 [--del-referral DEL_REFERRAL]
190 [--enable] [--disable]
191 [--cache-size CACHE_SIZE]
192 [--cache-memsize CACHE_MEM‐
193 SIZE]
194 [--dncache-memsize
195 DNCACHE_MEMSIZE]
196 [--state STATE]
197 be_name
198
199
200 be_name
201 The backend name or suffix
202
203
205 --enable-readonly
206 Enables read-only mode for the backend database
207
208
209 --disable-readonly
210 Disables read-only mode for the backend database
211
212
213 --enable-orphan
214 Disconnect a subsuffix from its parent suffix.
215
216
217 --disable-orphan
218 Let the subsuffix be connected to its parent suffix.
219
220
221 --require-index
222 Allows only indexed searches
223
224
225 --ignore-index
226 Allows all searches even if they are unindexed
227
228
229 --add-referral ADD_REFERRAL
230 Adds an LDAP referral to the backend
231
232
233 --del-referral DEL_REFERRAL
234 Removes an LDAP referral from the backend
235
236
237 --enable
238 Enables the backend database
239
240
241 --disable
242 Disables the backend database
243
244
245 --cache-size CACHE_SIZE
246 Sets the maximum number of entries to keep in the entry cache
247
248
249 --cache-memsize CACHE_MEMSIZE
250 Sets the maximum size in bytes that the entry cache can grow to
251
252
253 --dncache-memsize DNCACHE_MEMSIZE
254 Sets the maximum size in bytes that the DN cache can grow to
255
256
257 --state STATE
258 Changes the backend state to: "backend", "disabled", "referral",
259 or "referral on update"
260
261
263 usage: dsconf instance backend index [-h]
264 {add,set,get,list,delete,reindex}
265 ...
266
267
269 dsconf backend index add
270 Add an index
271
272 dsconf backend index set
273 Update an index
274
275 dsconf backend index get
276 Display an index entry
277
278 dsconf backend index list
279 Display the index
280
281 dsconf backend index delete
282 Delete an index
283
284 dsconf backend index reindex
285 Re-index the database for a single index or all indexes
286
287
289 usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
290 [--matching-rule MATCH‐
291 ING_RULE]
292 [--reindex] --attr ATTR
293 be_name
294
295
296 be_name
297 The backend name or suffix
298
299
301 --index-type INDEX_TYPE
302 Sets the indexing type (eq, sub, pres, or approx)
303
304
305 --matching-rule MATCHING_RULE
306 Sets the matching rule for the index
307
308
309 --reindex
310 Re-indexes the database after adding a new index
311
312
313 --attr ATTR
314 Sets the attribute name to index
315
316
318 usage: dsconf instance backend index set [-h] --attr ATTR
319 [--add-type ADD_TYPE]
320 [--del-type DEL_TYPE]
321 [--add-mr ADD_MR] [--del-mr
322 DEL_MR]
323 [--reindex]
324 be_name
325
326
327 be_name
328 The backend name or suffix
329
330
332 --attr ATTR
333 Sets the indexed attribute to update
334
335
336 --add-type ADD_TYPE
337 Adds an index type to the index (eq, sub, pres, or approx)
338
339
340 --del-type DEL_TYPE
341 Removes an index type from the index (eq, sub, pres, or approx)
342
343
344 --add-mr ADD_MR
345 Adds a matching-rule to the index
346
347
348 --del-mr DEL_MR
349 Removes a matching-rule from the index
350
351
352 --reindex
353 Re-indexes the database after editing the index
354
355
357 usage: dsconf instance backend index get [-h] --attr ATTR be_name
358
359
360 be_name
361 The backend name or suffix
362
363
365 --attr ATTR
366 Sets the index name to display
367
368
370 usage: dsconf instance backend index list [-h] [--just-names] be_name
371
372
373 be_name
374 The backend name or suffix
375
376
378 --just-names
379 Displays only the names of indexed attributes
380
381
383 usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
384
385
386 be_name
387 The backend name or suffix
388
389
391 --attr ATTR
392 Sets the name of the attribute to delete from the index
393
394
396 usage: dsconf instance backend index reindex [-h] [--attr ATTR]
397 [--wait]
398 be_name
399
400
401 be_name
402 The backend name or suffix
403
404
406 --attr ATTR
407 Sets the name of the attribute to re-index. Omit this argument
408 to re-index all attributes
409
410
411 --wait Waits for the index task to complete and reports the status
412
413
415 usage: dsconf instance backend vlv-index [-h]
416 {list,get,add-search,edit-search,del-search,add-in‐
417 dex,del-index,reindex}
418 ...
419
420
422 dsconf backend vlv-index list
423 List VLV search and index entries
424
425 dsconf backend vlv-index get
426 Display a VLV search and indexes
427
428 dsconf backend vlv-index add-search
429 Add a VLV search entry. The search entry is the parent entry of
430 the VLV index entries, and it specifies the search parameters
431 that are used to match entries for those indexes.
432
433 dsconf backend vlv-index edit-search
434 Update a VLV search and index
435
436 dsconf backend vlv-index del-search
437 Delete VLV search & index
438
439 dsconf backend vlv-index add-index
440 Create a VLV index under a VLV search entry (parent entry). The
441 VLV index specifies the attributes to sort
442
443 dsconf backend vlv-index del-index
444 Delete a VLV index under a VLV search entry (parent entry)
445
446 dsconf backend vlv-index reindex
447 Index/re-index the VLV database index
448
449
451 usage: dsconf instance backend vlv-index list [-h] [--just-names]
452 be_name
453
454
455 be_name
456 The backend name of the VLV index
457
458
460 --just-names
461 Displays only the names of VLV search entries
462
463
465 usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
466
467
468 be_name
469 The backend name of the VLV index
470
471
473 --name NAME
474 Displays the VLV search entry and its index entries
475
476
478 usage: dsconf instance backend vlv-index add-search [-h] --name NAME
479 --search-base
480 SEARCH_BASE
481 --search-scope
482 SEARCH_SCOPE
483 --search-filter
484 SEARCH_FILTER
485 be_name
486
487
488 be_name
489 The backend name of the VLV index
490
491
493 --name NAME
494 Sets the name of the VLV search entry
495
496
497 --search-base SEARCH_BASE
498 Sets the VLV search base
499
500
501 --search-scope SEARCH_SCOPE
502 Sets the VLV search scope: 0 (base search), 1 (one-level
503 search), or 2 (subtree search)
504
505
506 --search-filter SEARCH_FILTER
507 Sets the VLV search filter
508
509
511 usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
512 [--search-base
513 SEARCH_BASE]
514 [--search-scope
515 SEARCH_SCOPE]
516 [--search-filter
517 SEARCH_FILTER]
518 [--reindex]
519 be_name
520
521
522 be_name
523 The backend name of the VLV index to update
524
525
527 --name NAME
528 Sets the name of the VLV index
529
530
531 --search-base SEARCH_BASE
532 Sets the VLV search base
533
534
535 --search-scope SEARCH_SCOPE
536 Sets the VLV search scope: 0 (base search), 1 (one-level
537 search), or 2 (subtree search)
538
539
540 --search-filter SEARCH_FILTER
541 Sets the VLV search filter
542
543
544 --reindex
545 Re-indexes all VLV database indexes
546
547
549 usage: dsconf instance backend vlv-index del-search [-h] --name NAME
550 be_name
551
552
553 be_name
554 The backend name of the VLV index
555
556
558 --name NAME
559 Sets the name of the VLV search index
560
561
563 usage: dsconf instance backend vlv-index add-index [-h] --parent-name
564 PARENT_NAME --in‐
565 dex-name
566 INDEX_NAME --sort
567 SORT
568 [--index-it]
569 be_name
570
571
572 be_name
573 The backend name of the VLV index
574
575
577 --parent-name PARENT_NAME
578 Sets the name or "cn" attribute of the parent VLV search entry
579
580
581 --index-name INDEX_NAME
582 Sets the name of the new VLV index
583
584
585 --sort SORT
586 Sets a space-separated list of attributes to sort for this VLV
587 index
588
589
590 --index-it
591 Creates the database index for this VLV index definition
592
593
595 usage: dsconf instance backend vlv-index del-index [-h] --parent-name
596 PARENT_NAME
597 [--index-name IN‐
598 DEX_NAME]
599 [--sort SORT]
600 be_name
601
602
603 be_name
604 The backend name of the VLV index
605
606
608 --parent-name PARENT_NAME
609 Sets the name or "cn" attribute value of the parent VLV search
610 entry
611
612
613 --index-name INDEX_NAME
614 Sets the name of the VLV index to delete
615
616
617 --sort SORT
618 Delete a VLV index that has this vlvsort value
619
620
622 usage: dsconf instance backend vlv-index reindex [-h]
623 [--index-name IN‐
624 DEX_NAME]
625 --parent-name PAR‐
626 ENT_NAME
627 be_name
628
629
630 be_name
631 The backend name of the VLV index
632
633
635 --index-name INDEX_NAME
636 Sets the name of the VLV index entry to re-index. If not set,
637 all indexes are re-indexed
638
639
640 --parent-name PARENT_NAME
641 Sets the name or "cn" attribute value of the parent VLV search
642 entry
643
644
646 usage: dsconf instance backend attr-encrypt [-h] [--list]
647 [--just-names]
648 [--add-attr ADD_ATTR]
649 [--del-attr DEL_ATTR]
650 be_name
651
652
653 be_name
654 The backend name or suffix
655
656
658 --list Lists all encrypted attributes in the backend
659
660
661 --just-names
662 List only the names of the encrypted attributes when used with
663 --list
664
665
666 --add-attr ADD_ATTR
667 Enables encryption for the specified attribute
668
669
670 --del-attr DEL_ATTR
671 Disables encryption for the specified attribute
672
673
675 usage: dsconf instance backend config [-h] {get,set} ...
676
677
679 dsconf backend config get
680 Display the global database configuration
681
682 dsconf backend config set
683 Set the global database configuration
684
685
687 usage: dsconf instance backend config get [-h]
688
689
691 usage: dsconf instance backend config set [-h]
692 [--lookthroughlimit LOOK‐
693 THROUGHLIMIT]
694 [--mode MODE]
695 [--idlistscanlimit
696 IDLISTSCANLIMIT]
697 [--directory DIRECTORY]
698 [--dbcachesize DBCACHESIZE]
699 [--logdirectory LOGDIRECTORY]
700 [--txn-wait TXN_WAIT]
701 [--checkpoint-interval CHECK‐
702 POINT_INTERVAL]
703 [--compactdb-interval COM‐
704 PACTDB_INTERVAL]
705 [--compactdb-time COM‐
706 PACTDB_TIME]
707 [--txn-batch-val
708 TXN_BATCH_VAL]
709 [--txn-batch-min
710 TXN_BATCH_MIN]
711 [--txn-batch-max
712 TXN_BATCH_MAX]
713 [--logbufsize LOGBUFSIZE]
714 [--locks LOCKS]
715 [--locks-monitoring-enabled
716 LOCKS_MONITORING_ENABLED]
717 [--locks-monitoring-threshold
718 LOCKS_MONITORING_THRESHOLD]
719 [--locks-monitoring-pause
720 LOCKS_MONITORING_PAUSE]
721 [--import-cache-autosize IM‐
722 PORT_CACHE_AUTOSIZE]
723 [--cache-autosize CACHE_AUTO‐
724 SIZE]
725 [--cache-autosize-split
726 CACHE_AUTOSIZE_SPLIT]
727 [--import-cachesize IM‐
728 PORT_CACHESIZE]
729 [--exclude-from-export EX‐
730 CLUDE_FROM_EXPORT]
731 [--pagedlookthroughlimit
732 PAGEDLOOKTHROUGHLIMIT]
733 [--pagedidlistscanlimit PAGE‐
734 DIDLISTSCANLIMIT]
735 [--rangelookthroughlimit
736 RANGELOOKTHROUGHLIMIT]
737 [--backend-opt-level BACK‐
738 END_OPT_LEVEL]
739 [--deadlock-policy DEAD‐
740 LOCK_POLICY]
741 [--db-home-directory
742 DB_HOME_DIRECTORY]
743 [--db-lib DB_LIB]
744 [--mdb-max-size MDB_MAX_SIZE]
745 [--mdb-max-readers
746 MDB_MAX_READERS]
747 [--mdb-max-dbs MDB_MAX_DBS]
748
749
751 --lookthroughlimit LOOKTHROUGHLIMIT
752 Specifies the maximum number of entries that the server will
753 check when examining candidate entries in response to a search
754 request
755
756
757 --mode MODE
758 Specifies the permissions used for newly created index files
759
760
761 --idlistscanlimit IDLISTSCANLIMIT
762 Specifies the number of entry IDs that are searched during a
763 search operation
764
765
766 --directory DIRECTORY
767 Specifies the absolute path to the database instance
768
769
770 --dbcachesize DBCACHESIZE
771 Specifies the database index cache size in bytes
772
773
774 --logdirectory LOGDIRECTORY
775 Specifies the path to the directory that contains the database
776 transaction logs
777
778
779 --txn-wait TXN_WAIT
780 Sets whether the server should wait if there are no db
781 locks available
782
783
784 --checkpoint-interval CHECKPOINT_INTERVAL
785 Sets the amount of time in seconds after which the server sends
786 a checkpoint entry to the database transaction log
787
788
789 --compactdb-interval COMPACTDB_INTERVAL
790 Sets the interval in seconds when the database is compacted
791
792
793 --compactdb-time COMPACTDB_TIME
794 Sets the time of day (HH:MM format) at which to compact the database
795 after the "compactdb interval" has been reached
796
797
798 --txn-batch-val TXN_BATCH_VAL
799 Specifies how many transactions will be batched before being
800 committed
801
802
803 --txn-batch-min TXN_BATCH_MIN
804 Controls when transactions should be flushed earliest, indepen‐
805 dently of the batch count. Requires that txn-batch-val is set
806
807
808 --txn-batch-max TXN_BATCH_MAX
809 Controls when transactions should be flushed latest, indepen‐
810 dently of the batch count. Requires that txn-batch-val is set
811
812
813 --logbufsize LOGBUFSIZE
814 Specifies the transaction log information buffer size
815
816
817 --locks LOCKS
818 Sets the maximum number of database locks
819
820
821 --locks-monitoring-enabled LOCKS_MONITORING_ENABLED
822 Enables or disables monitoring of DB locks when the value
823 crosses the percentage set with "--locks-monitoring-threshold"
824
825
826 --locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD
827 Sets the DB lock exhaustion threshold in percentage (valid range
828 is 70-90). When the threshold is reached, all searches are
829 aborted until the number of active locks decreases below the
830 configured threshold and/or the administrator increases the num‐
831 ber of database locks (nsslapd-db-locks). This threshold is a
832 safeguard against DB corruption which might be caused by locks
833 exhaustion.
834
835
836 --locks-monitoring-pause LOCKS_MONITORING_PAUSE
837 Sets the DB lock monitoring value in milliseconds for the amount
838 of time that the monitoring thread spends waiting between
839 checks.
840
841
842 --import-cache-autosize IMPORT_CACHE_AUTOSIZE
843 Enables or disables automatic sizing of the import cache
844 used during the import process of LDIF files
845
846
847 --cache-autosize CACHE_AUTOSIZE
848 Sets the percentage of free memory that is used in total for the
849 database and entry cache. "0" disables this feature.
850
851
852 --cache-autosize-split CACHE_AUTOSIZE_SPLIT
853 Sets the percentage of RAM that is used for the database cache.
854 The remaining percentage is used for the entry cache
855
856
857 --import-cachesize IMPORT_CACHESIZE
858 Sets the size in bytes of the database cache used in the import
859 process.
860
861
862 --exclude-from-export EXCLUDE_FROM_EXPORT
863 List of attributes to not include during database export opera‐
864 tions
865
866
867 --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
868 Specifies the maximum number of entries that the server will
869 check when examining candidate entries for a search which uses
870 the simple paged results control
871
872
873 --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
874 Specifies the number of entry IDs that are searched, specifi‐
875 cally, for a search operation using the simple paged results
876 control.
877
878
879 --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
880 Specifies the maximum number of entries that the server will
881 check when examining candidate entries in response to a range
882 search request.
883
884
885 --backend-opt-level BACKEND_OPT_LEVEL
886 Sets the backend optimization level for write performance (0, 1,
887 2, or 4). WARNING: This parameter can trigger experimental
888 code.
889
890
891 --deadlock-policy DEADLOCK_POLICY
892 Adjusts the backend database deadlock policy (Advanced setting)
893
894
895 --db-home-directory DB_HOME_DIRECTORY
896 Sets the directory for the database mmapped files (Advanced set‐
897 ting)
898
899
900 --db-lib DB_LIB
901 Sets which db lib is used. Valid values are: bdb or mdb
902
903
904 --mdb-max-size MDB_MAX_SIZE
905 Sets the lmdb database maximum size (in bytes).
906
907
908 --mdb-max-readers MDB_MAX_READERS
909 Sets the lmdb database maximum number of readers (Advanced set‐
910 ting)
911
912
913 --mdb-max-dbs MDB_MAX_DBS
914 Sets the lmdb database maximum number of sub databases (Advanced
915 setting)
916
917
919 usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
920
921
923 --suffix SUFFIX
924 Displays monitoring information only for the specified suffix
925
926
928 usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
929 [-g GEN_UNIQ_ID] [-O]
930 [-s INCLUDE_SUFFIXES [IN‐
931 CLUDE_SUFFIXES ...]]
932 [-x EXCLUDE_SUFFIXES [EX‐
933 CLUDE_SUFFIXES ...]]
934 [--timeout TIMEOUT]
935 [be_name] [ldifs ...]
936
937
938 be_name
939 The backend name or the root suffix
940
941
942 ldifs Specifies the filename of the input LDIF files. Multiple files
943 are imported in the specified order.
944
945
947 -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
948 The number of chunks to have during the import operation
949
950
951 -E, --encrypted
952 Encrypt attributes configured in the database for encryption
953
954
955 -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
956 Generate a unique id. Set "none" for no unique ID to be gener‐
957 ated and "deterministic" for the generated unique ID to be
958 name-based. By default, a time-based unique ID is generated.
959 When using the deterministic generation to have a name-based
960 unique ID, it is also possible to specify the namespace for the
961 server to use. namespaceId is a string of characters in the for‐
962 mat 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.
963
964
965 -O, --only-core
966 Creates only the core database attribute indexes
967
968
969 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
970 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
971 Specifies the suffixes or the subtrees to be included
972
973
974 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
975 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
976 Specifies the suffixes to be excluded
977
978
979 --timeout TIMEOUT
980 Set a timeout to wait for the import task. Default is 0 (no
981 timeout)
982
983
985 usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
986 [-N] [-r]
987 [-u] [-U]
988 [-s INCLUDE_SUFFIXES [IN‐
989 CLUDE_SUFFIXES ...]]
990 [-x EXCLUDE_SUFFIXES [EX‐
991 CLUDE_SUFFIXES ...]]
992 [--timeout TIMEOUT]
993 be_names [be_names ...]
994
995
996 be_names
997 The backend names or the root suffixes
998
999
1001 -l LDIF, --ldif LDIF
1002 Sets the filename of the output LDIF file. Separate multiple
1003 file names with spaces.
1004
1005
1006 -C, --use-id2entry
1007 Uses only the main database file
1008
1009
1010 -E, --encrypted
1011 Decrypts encrypted data during export, so the output LDIF file holds
1012 those values in cleartext and should be access-restricted. This option is used only if database encryption is enabled.
1013
1014
1015 -m, --min-base64
1016 Sets minimal base-64 encoding
1017
1018
1019 -N, --no-seq-num
1020 Suppresses printing the sequence numbers
1021
1022
1023 -r, --replication
1024 Exports the data with information required to initialize a
1025 replica
1026
1027
1028 -u, --no-dump-uniq-id
1029 Omits exporting the unique ID
1030
1031
1032 -U, --not-folded
1033 Disables folding the output
1034
1035
1036 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
1037 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
1038 Specifies the suffixes or the subtrees to be included
1039
1040
1041 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
1042 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
1043 Specifies the suffixes to be excluded
1044
1045
1046 --timeout TIMEOUT
1047 Set a timeout to wait for the export task. Default is 0 (no
1048 timeout)
1049
1050
1052 usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUF‐
1053 FIX]
1054 --suffix SUFFIX --be-name BE_NAME
1055 [--create-entries] [--create-suf‐
1056 fix]
1057
1058
1060 --parent-suffix PARENT_SUFFIX
1061 Sets the parent suffix only if this backend is a sub-suffix
1062
1063
1064 --suffix SUFFIX
1065 Sets the database suffix DN
1066
1067
1068 --be-name BE_NAME
1069 Sets the database backend name
1070
1071
1072 --create-entries
1073 Adds sample entries to the database
1074
1075
1076 --create-suffix
1077 Creates the suffix object entry in the database. Only suffixes
1078 using the 'dc', 'o', 'ou', or 'cn' attributes are supported
1079
1080
1082 usage: dsconf instance backend delete [-h] [--do-it] be_name
1083
1084
1085 be_name
1086 The backend name or suffix
1087
1088
1090 --do-it
1091 Remove backend and its subsuffixes
1092
1093
1095 usage: dsconf instance backend get-tree [-h]
1096
1097
1099 usage: dsconf instance backend compact-db [-h] [--only-changelog]
1100 [--timeout TIMEOUT]
1101
1102
1104 --only-changelog
1105 Compacts only the replication change log
1106
1107
1108 --timeout TIMEOUT
1109 Set a timeout to wait for the compaction task. Default is 0 (no
1110 timeout)
1111
1112
1114 usage: dsconf instance backup [-h] {create,restore} ...
1115
1116
1118 dsconf backup create
1119 Creates a backup of the database
1120
1121 dsconf backup restore
1122 Restores a database from a backup
1123
1124
1126 usage: dsconf instance backup create [-h] [-t DB_TYPE] [--timeout TIME‐
1127 OUT]
1128 [archive]
1129
1130
1131 archive
1132 Sets the directory in which to store the backup files. Format:
1133 instance_name-year_month_date_hour_minutes_seconds. Default:
1134 /var/lib/dirsrv/slapd-instance/bak/
1135
1136
1138 -t DB_TYPE, --db-type DB_TYPE
1139 Sets the database type. Default: ldbm database
1140
1141
1142 --timeout TIMEOUT
1143 Sets the task timeout. Default is 120 seconds.
1144
1145
1147 usage: dsconf instance backup restore [-h] [-t DB_TYPE] [--timeout
1148 TIMEOUT]
1149 archive
1150
1151
1152 archive
1153 Set the directory that contains the backup files
1154
1155
1157 -t DB_TYPE, --db-type DB_TYPE
1158 Sets the database type. Default: ldbm database
1159
1160
1161 --timeout TIMEOUT
1162 Sets the task timeout. Default is 120 seconds.
1163
1164
1166 usage: dsconf instance chaining [-h]
1167 {config-get,config-set,con‐
1168 fig-get-def,config-set-def,link-cre‐
1169 ate,link-get,link-set,link-delete,monitor,link-list}
1170 ...
1171
1172
1174 dsconf chaining config-get
1175 Display the chaining controls and server component lists
1176
1177 dsconf chaining config-set
1178 Set the chaining controls and server component lists
1179
1180 dsconf chaining config-get-def
1181 Display the default creation parameters for new database links
1182
1183 dsconf chaining config-set-def
1184 Set the default creation parameters for new database links
1185
1186 dsconf chaining link-create
1187 Create a database link to a remote server
1188
1189 dsconf chaining link-get
1190 Displays chaining database links
1191
1192 dsconf chaining link-set
1193 Edit a database link to a remote server
1194
1195 dsconf chaining link-delete
1196 Delete a database link
1197
1198 dsconf chaining monitor
1199 Display monitor information for a database chaining link
1200
1201 dsconf chaining link-list
1202 List database links
1203
1204
1206 usage: dsconf instance chaining config-get [-h] [--avail-controls]
1207 [--avail-comps]
1208
1209
1211 --avail-controls
1212 Lists available chaining controls
1213
1214
1215 --avail-comps
1216 Lists available chaining plugin components
1217
1218
1220 usage: dsconf instance chaining config-set [-h] [--add-control ADD_CON‐
1221 TROL]
1222 [--del-control DEL_CONTROL]
1223 [--add-comp ADD_COMP]
1224 [--del-comp DEL_COMP]
1225
1226
1228 --add-control ADD_CONTROL
1229 Adds a transmitted control OID
1230
1231
1232 --del-control DEL_CONTROL
1233 Deletes a transmitted control OID
1234
1235
1236 --add-comp ADD_COMP
1237 Adds a chaining component
1238
1239
1240 --del-comp DEL_COMP
1241 Deletes a chaining component
1242
1243
1245 usage: dsconf instance chaining config-get-def [-h]
1246
1247
1249 usage: dsconf instance chaining config-set-def [-h]
1250 [--conn-bind-limit
1251 CONN_BIND_LIMIT]
1252 [--conn-op-limit
1253 CONN_OP_LIMIT]
1254 [--abandon-check-inter‐
1255 val ABANDON_CHECK_INTERVAL]
1256 [--bind-limit
1257 BIND_LIMIT]
1258 [--op-limit OP_LIMIT]
1259 [--proxied-auth PROX‐
1260 IED_AUTH]
1261 [--conn-lifetime
1262 CONN_LIFETIME]
1263 [--bind-timeout
1264 BIND_TIMEOUT]
1265 [--return-ref RE‐
1266 TURN_REF]
1267 [--check-aci CHECK_ACI]
1268 [--bind-attempts
1269 BIND_ATTEMPTS]
1270 [--size-limit
1271 SIZE_LIMIT]
1272 [--time-limit
1273 TIME_LIMIT]
1274 [--hop-limit HOP_LIMIT]
1275 [--response-delay RE‐
1276 SPONSE_DELAY]
1277 [--test-response-delay
1278 TEST_RESPONSE_DELAY]
1279 [--use-starttls
1280 USE_STARTTLS]
1281
1282
1284 --conn-bind-limit CONN_BIND_LIMIT
1285 Sets the maximum number of BIND connections the database link
1286 establishes with the remote server
1287
1288
1289 --conn-op-limit CONN_OP_LIMIT
1290 Sets the maximum number of LDAP connections the database link
1291 establishes with the remote server
1292
1293
1294 --abandon-check-interval ABANDON_CHECK_INTERVAL
1295 Sets the number of seconds that pass before the server checks
1296 for abandoned operations
1297
1298
1299 --bind-limit BIND_LIMIT
1300 Sets the maximum number of concurrent bind operations per TCP
1301 connection
1302
1303
1304 --op-limit OP_LIMIT
1305 Sets the maximum number of concurrent operations allowed
1306
1307
1308 --proxied-auth PROXIED_AUTH
1309 Enables or disables proxied authorization. If set to "off", the
1310 server executes bind for chained operations as the user set in
1311 the nsMultiplexorBindDn attribute.
1312
1313
1314 --conn-lifetime CONN_LIFETIME
1315 Specifies connection lifetime in seconds. "0" keeps the connec‐
1316 tion open forever.
1317
1318
1319 --bind-timeout BIND_TIMEOUT
1320 Sets the amount of time in seconds before a bind attempt times
1321 out
1322
1323
1324 --return-ref RETURN_REF
1325 Enables or disables whether referrals are returned by scoped
1326 searches
1327
1328
1329 --check-aci CHECK_ACI
1330 Enables or disables whether the server evaluates ACIs on the
1331 database link as well as the remote data server
1332
1333
1334 --bind-attempts BIND_ATTEMPTS
1335 Sets the number of times the server tries to bind to the remote
1336 server
1337
1338
1339 --size-limit SIZE_LIMIT
1340 Sets the maximum number of entries to return from a search oper‐
1341 ation
1342
1343
1344 --time-limit TIME_LIMIT
1345 Sets the maximum number of seconds allowed for an operation
1346
1347
1348 --hop-limit HOP_LIMIT
1349 Sets the maximum number of times a database is allowed to chain.
1350 That is the number of times a request can be forwarded from one
1351 database link to another.
1352
1353
1354 --response-delay RESPONSE_DELAY
1355 Sets the maximum amount of time it can take a remote server to
1356 respond to an LDAP operation request made by a database link be‐
1357 fore an error is suspected
1358
1359
1360 --test-response-delay TEST_RESPONSE_DELAY
1361 Sets the duration of the test issued by the database link to
1362 check whether the remote server is responding
1363
1364
1365 --use-starttls USE_STARTTLS
1366 Configures database links to use StartTLS if set to "on"
1367
1368
1370 usage: dsconf instance chaining link-create [-h]
1371 [--conn-bind-limit
1372 CONN_BIND_LIMIT]
1373 [--conn-op-limit
1374 CONN_OP_LIMIT]
1375 [--abandon-check-interval
1376 ABANDON_CHECK_INTERVAL]
1377 [--bind-limit BIND_LIMIT]
1378 [--op-limit OP_LIMIT]
1379 [--proxied-auth PROX‐
1380 IED_AUTH]
1381 [--conn-lifetime CONN_LIFE‐
1382 TIME]
1383 [--bind-timeout BIND_TIME‐
1384 OUT]
1385 [--return-ref RETURN_REF]
1386 [--check-aci CHECK_ACI]
1387 [--bind-attempts BIND_AT‐
1388 TEMPTS]
1389 [--size-limit SIZE_LIMIT]
1390 [--time-limit TIME_LIMIT]
1391 [--hop-limit HOP_LIMIT]
1392 [--response-delay RE‐
1393 SPONSE_DELAY]
1394 [--test-response-delay
1395 TEST_RESPONSE_DELAY]
1396 [--use-starttls USE_START‐
1397 TLS]
1398 --suffix SUFFIX
1399 --server-url
1400 SERVER_URL --bind-mech
1401 BIND_MECH
1402 --bind-dn BIND_DN
1403 [--bind-pw BIND_PW]
1404 [--bind-pw-file
1405 BIND_PW_FILE]
1406 [--bind-pw-prompt]
1407 CHAIN_NAME
1408
1409
1410 CHAIN_NAME
1411 The name of the database link
1412
1413
1415 --conn-bind-limit CONN_BIND_LIMIT
1416 Sets the maximum number of BIND connections the database link
1417 establishes with the remote server
1418
1419
1420 --conn-op-limit CONN_OP_LIMIT
1421 Sets the maximum number of LDAP connections the database link
1422 establishes with the remote server
1423
1424
1425 --abandon-check-interval ABANDON_CHECK_INTERVAL
1426 Sets the number of seconds that pass before the server checks
1427 for abandoned operations
1428
1429
1430 --bind-limit BIND_LIMIT
1431 Sets the maximum number of concurrent bind operations per TCP
1432 connection
1433
1434
1435 --op-limit OP_LIMIT
1436 Sets the maximum number of concurrent operations allowed
1437
1438
1439 --proxied-auth PROXIED_AUTH
1440 Enables or disables proxied authorization. If set to "off", the
1441 server executes bind for chained operations as the user set in
1442 the nsMultiplexorBindDn attribute.
1443
1444
1445 --conn-lifetime CONN_LIFETIME
1446 Specifies connection lifetime in seconds. "0" keeps the connec‐
1447 tion open forever.
1448
1449
1450 --bind-timeout BIND_TIMEOUT
1451 Sets the amount of time in seconds before a bind attempt times
1452 out
1453
1454
1455 --return-ref RETURN_REF
1456 Enables or disables whether referrals are returned by scoped
1457 searches
1458
1459
1460 --check-aci CHECK_ACI
1461 Enables or disables whether the server evaluates ACIs on the
1462 database link as well as the remote data server
1463
1464
1465 --bind-attempts BIND_ATTEMPTS
1466 Sets the number of times the server tries to bind to the remote
1467 server
1468
1469
1470 --size-limit SIZE_LIMIT
1471 Sets the maximum number of entries to return from a search oper‐
1472 ation
1473
1474
1475 --time-limit TIME_LIMIT
1476 Sets the maximum number of seconds allowed for an operation
1477
1478
1479 --hop-limit HOP_LIMIT
1480 Sets the maximum number of times a database is allowed to chain.
1481 That is the number of times a request can be forwarded from one
1482 database link to another.
1483
1484
1485 --response-delay RESPONSE_DELAY
1486 Sets the maximum amount of time it can take a remote server to
1487 respond to an LDAP operation request made by a database link be‐
1488 fore an error is suspected
1489
1490
1491 --test-response-delay TEST_RESPONSE_DELAY
1492 Sets the duration of the test issued by the database link to
1493 check whether the remote server is responding
1494
1495
1496 --use-starttls USE_STARTTLS
1497 Configures database links to use StartTLS if set to "on"
1498
1499
1500 --suffix SUFFIX
1501 Sets the suffix managed by the database link
1502
1503
1504 --server-url SERVER_URL
1505 Sets the LDAP/LDAPS URL to the remote server
1506
1507
1508 --bind-mech BIND_MECH
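1509 Sets the authentication method to use to authenticate to the re‐
1510 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1511 GEST-MD5", or "GSSAPI". With "SIMPLE", the bind password is sent to the remote server in clear text unless the link uses LDAPS or StartTLS.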
1512
1513
1514 --bind-dn BIND_DN
1515 Sets the DN of the administrative entry used to communicate with
1516 the remote server
1517
1518
1519 --bind-pw BIND_PW
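1520 Sets the password of the administrative user. A password passed on the command line can be exposed through the process list and shell history; --bind-pw-file or --bind-pw-prompt avoid this.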
1521
1522
1523 --bind-pw-file BIND_PW_FILE
1524 File containing the password
1525
1526
1527 --bind-pw-prompt
1528 Prompt for password
1529
1530
1532 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1533
1534
1535 CHAIN_NAME
1536 The chaining link name or suffix to retrieve
1537
1538
1540 usage: dsconf instance chaining link-set [-h]
1541 [--conn-bind-limit
1542 CONN_BIND_LIMIT]
1543 [--conn-op-limit
1544 CONN_OP_LIMIT]
1545 [--abandon-check-interval
1546 ABANDON_CHECK_INTERVAL]
1547 [--bind-limit BIND_LIMIT]
1548 [--op-limit OP_LIMIT]
1549 [--proxied-auth PROXIED_AUTH]
1550 [--conn-lifetime CONN_LIFE‐
1551 TIME]
1552 [--bind-timeout BIND_TIMEOUT]
1553 [--return-ref RETURN_REF]
1554 [--check-aci CHECK_ACI]
1555 [--bind-attempts BIND_AT‐
1556 TEMPTS]
1557 [--size-limit SIZE_LIMIT]
1558 [--time-limit TIME_LIMIT]
1559 [--hop-limit HOP_LIMIT]
1560 [--response-delay RESPONSE_DE‐
1561 LAY]
1562 [--test-response-delay
1563 TEST_RESPONSE_DELAY]
1564 [--use-starttls USE_STARTTLS]
1565 [--suffix SUFFIX]
1566 [--server-url SERVER_URL]
1567 [--bind-mech BIND_MECH]
1568 [--bind-dn BIND_DN]
1569 [--bind-pw BIND_PW]
1570 [--bind-pw-file BIND_PW_FILE]
1571 [--bind-pw-prompt]
1572 CHAIN_NAME
1573
1574
1575 CHAIN_NAME
1576 The name of the database link
1577
1578
1580 --conn-bind-limit CONN_BIND_LIMIT
1581 Sets the maximum number of BIND connections the database link
1582 establishes with the remote server
1583
1584
1585 --conn-op-limit CONN_OP_LIMIT
1586 Sets the maximum number of LDAP connections the database link
1587 establishes with the remote server
1588
1589
1590 --abandon-check-interval ABANDON_CHECK_INTERVAL
1591 Sets the number of seconds that pass before the server checks
1592 for abandoned operations
1593
1594
1595 --bind-limit BIND_LIMIT
1596 Sets the maximum number of concurrent bind operations per TCP
1597 connection
1598
1599
1600 --op-limit OP_LIMIT
1601 Sets the maximum number of concurrent operations allowed
1602
1603
1604 --proxied-auth PROXIED_AUTH
1605 Enables or disables proxied authorization. If set to "off", the
1606 server executes bind for chained operations as the user set in
1607 the nsMultiplexorBindDn attribute.
1608
1609
1610 --conn-lifetime CONN_LIFETIME
1611 Specifies connection lifetime in seconds. "0" keeps the connec‐
1612 tion open forever.
1613
1614
1615 --bind-timeout BIND_TIMEOUT
1616 Sets the amount of time in seconds before a bind attempt times
1617 out
1618
1619
1620 --return-ref RETURN_REF
1621 Enables or disables whether referrals are returned by scoped
1622 searches
1623
1624
1625 --check-aci CHECK_ACI
1626 Enables or disables whether the server evaluates ACIs on the
1627 database link as well as the remote data server
1628
1629
1630 --bind-attempts BIND_ATTEMPTS
1631 Sets the number of times the server tries to bind to the remote
1632 server
1633
1634
1635 --size-limit SIZE_LIMIT
1636 Sets the maximum number of entries to return from a search oper‐
1637 ation
1638
1639
1640 --time-limit TIME_LIMIT
1641 Sets the maximum number of seconds allowed for an operation
1642
1643
1644 --hop-limit HOP_LIMIT
1645 Sets the maximum number of times a database is allowed to chain.
1646 That is the number of times a request can be forwarded from one
1647 database link to another.
1648
1649
1650 --response-delay RESPONSE_DELAY
1651 Sets the maximum amount of time it can take a remote server to
1652 respond to an LDAP operation request made by a database link be‐
1653 fore an error is suspected
1654
1655
1656 --test-response-delay TEST_RESPONSE_DELAY
1657 Sets the duration of the test issued by the database link to
1658 check whether the remote server is responding
1659
1660
1661 --use-starttls USE_STARTTLS
1662 Configures database links to use StartTLS if set to "on"
1663
1664
1665 --suffix SUFFIX
1666 Sets the suffix managed by the database link
1667
1668
1669 --server-url SERVER_URL
1670 Sets the LDAP/LDAPS URL to the remote server
1671
1672
1673 --bind-mech BIND_MECH
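1674 Sets the authentication method to use to authenticate to the re‐
1675 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1676 GEST-MD5", or "GSSAPI". With "SIMPLE", the bind password is sent to the remote server in clear text unless the link uses LDAPS or StartTLS.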
1677
1678
1679 --bind-dn BIND_DN
1680 Sets the DN of the administrative entry used to communicate with
1681 the remote server
1682
1683
1684 --bind-pw BIND_PW
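1685 Sets the password of the administrative user. A password passed on the command line can be exposed through the process list and shell history; --bind-pw-file or --bind-pw-prompt avoid this.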
1686
1687
1688 --bind-pw-file BIND_PW_FILE
1689 File containing the password
1690
1691
1692 --bind-pw-prompt
1693 Prompt for password
1694
1695
1697 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1698
1699
1700 CHAIN_NAME
1701 The name of the database link
1702
1703
1705 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1706
1707
1708 CHAIN_NAME
1709 The name of the database link
1710
1711
1713 usage: dsconf instance chaining link-list [-h]
1714
1715
1717 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1718
1719
1721 dsconf config get
1722 Get attribute value(s) from configuration
1723
1724 dsconf config add
1725 Add attribute value to configuration
1726
1727 dsconf config replace
1728 Replace attribute value in configuration
1729
1730 dsconf config delete
1731 Delete attribute value in configuration
1732
1733
1735 usage: dsconf instance config get [-h] [attrs ...]
1736
1737
1738 attrs Configuration attribute(s) to get
1739
1740
1742 usage: dsconf instance config add [-h] [attr ...]
1743
1744
1745 attr Configuration attribute to add
1746
1747
1749 usage: dsconf instance config replace [-h] [attr ...]
1750
1751
1752 attr Configuration attribute to replace
1753
1754
1756 usage: dsconf instance config delete [-h] [attr ...]
1757
1758
1759 attr Configuration attribute to delete
1760
1761
1763 usage: dsconf instance directory_manager [-h] {password_change} ...
1764
1765
1767 dsconf directory_manager password_change
1768 Changes the password of the Directory Manager account
1769
1770
1772 usage: dsconf instance directory_manager password_change [-h]
1773
1774
1776 usage: dsconf instance monitor [-h]
1777 {server,dbmon,ldbm,backend,snmp,chain‐
1778 ing,disk}
1779 ...
1780
1781
1783 dsconf monitor server
1784 Displays the server statistics, connections, and operations
1785
1786 dsconf monitor dbmon
1787 Monitor all database statistics in a single report
1788
1789 dsconf monitor ldbm
1790 Monitor the LDBM statistics, such as dbcache
1791
1792 dsconf monitor backend
1793 Monitor the behavior of a backend database
1794
1795 dsconf monitor snmp
1796 Displays the SNMP statistics
1797
1798 dsconf monitor chaining
1799 Monitor database chaining statistics
1800
1801 dsconf monitor disk
1802 Displays the disk space statistics. All values are in bytes.
1803
1804
1806 usage: dsconf instance monitor server [-h]
1807
1808
1810 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1811
1812
1814 -b BACKENDS, --backends BACKENDS
1815 Specifies a list of space-separated backends to monitor. Default
1816 is all backends.
1817
1818
1819 -x, --indexes
1820 Shows index stats for each backend
1821
1822
1824 usage: dsconf instance monitor ldbm [-h]
1825
1826
1828 usage: dsconf instance monitor backend [-h] [backend]
1829
1830
1831 backend
1832 The optional name of the backend to monitor
1833
1834
1836 usage: dsconf instance monitor snmp [-h]
1837
1838
1840 usage: dsconf instance monitor chaining [-h] [backend]
1841
1842
1843 backend
1844 The optional name of the chaining backend to monitor
1845
1846
1848 usage: dsconf instance monitor disk [-h]
1849
1850
1852 usage: dsconf instance plugin [-h]
1853 {memberof,automember,referential-integ‐
1854 rity,root-dn,usn,account-pol‐
1855 icy,attr-uniq,dna,ldap-pass-through-auth,linked-attr,managed-en‐
1856 tries,pam-pass-through-auth,retro-changelog,posix-winsync,con‐
1857 tentsync,entryuuid,list,show,set}
1858 ...
1859
1860
1862 dsconf plugin memberof
1863 Manage and configure MemberOf plugin
1864
1865 dsconf plugin automember
1866 Manage and configure Automembership plugin
1867
1868 dsconf plugin referential-integrity
1869 Manage and configure Referential Integrity Postoperation plugin
1870
1871 dsconf plugin root-dn
1872 Manage and configure RootDN Access Control plugin
1873
1874 dsconf plugin usn
1875 Manage and configure USN plugin
1876
1877 dsconf plugin account-policy
1878 Manage and configure Account Policy plugin
1879
1880 dsconf plugin attr-uniq
1881 Manage and configure Attribute Uniqueness plugin
1882
1883 dsconf plugin dna
1884 Manage and configure DNA plugin
1885
1886 dsconf plugin ldap-pass-through-auth
1887 Manage and configure LDAP Pass-Through Authentication Plugin
1888
1889 dsconf plugin linked-attr
1890 Manage and configure Linked Attributes plugin
1891
1892 dsconf plugin managed-entries
1893 Manage and configure Managed Entries Plugin
1894
1895 dsconf plugin pam-pass-through-auth
1896 Manage and configure Pass-Through Authentication plugins (LDAP
1897 URLs and PAM)
1898
1899 dsconf plugin retro-changelog
1900 Manage and configure Retro Changelog plugin
1901
1902 dsconf plugin posix-winsync
1903 Manage and configure the Posix Winsync API plugin
1904
1905 dsconf plugin contentsync
1906 Manage and configure Content Sync Plugin (aka syncrepl)
1907
1908 dsconf plugin entryuuid
1909 Manage and configure EntryUUID plugin
1910
1911 dsconf plugin list
1912 List current configured (enabled and disabled) plugins
1913
1914 dsconf plugin show
1915 Show the plugin data
1916
1917 dsconf plugin set
1918 Edit the plugin settings
1919
1920
1922 usage: dsconf instance plugin memberof [-h]
1923 {show,enable,disable,sta‐
1924 tus,set,config-entry,fixup,fixup-status}
1925 ...
1926
1927
1929 dsconf plugin memberof show
1930 Displays the plugin configuration
1931
1932 dsconf plugin memberof enable
1933 Enables the plugin
1934
1935 dsconf plugin memberof disable
1936 Disables the plugin
1937
1938 dsconf plugin memberof status
1939 Displays the plugin status
1940
1941 dsconf plugin memberof set
1942 Edit the plugin settings
1943
1944 dsconf plugin memberof config-entry
1945 Manage the config entry
1946
1947 dsconf plugin memberof fixup
1948 Run the fix-up task for memberOf plugin
1949
1950 dsconf plugin memberof fixup-status
1951 Check the status of a fix-up task
1952
1953
1955 usage: dsconf instance plugin memberof show [-h]
1956
1957
1959 usage: dsconf instance plugin memberof enable [-h]
1960
1961
1963 usage: dsconf instance plugin memberof disable [-h]
1964
1965
1967 usage: dsconf instance plugin memberof status [-h]
1968
1969
1971 usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
1972 [--groupattr GROUPATTR
1973 [GROUPATTR ...]]
1974 [--allbackends {on,off}]
1975 [--skipnested {on,off}]
1976 [--scope SCOPE [SCOPE ...]]
1977 [--exclude EXCLUDE [EXCLUDE
1978 ...]]
1979 [--autoaddoc AUTOADDOC]
1980 [--config-entry CONFIG_EN‐
1981 TRY]
1982
1983
1985 --attr ATTR
1986 Specifies the attribute in the user entry for the Directory
1987 Server to manage to reflect group membership (memberOfAttr)
1988
1989
1990 --groupattr GROUPATTR [GROUPATTR ...]
1991 Specifies the attribute in the group entry to use to identify
1992 the DNs of group members (memberOfGroupAttr)
1993
1994
1995 --allbackends {on,off}
1996 Specifies whether to search the local suffix for user entries or
1997 all available suffixes (memberOfAllBackends)
1998
1999
2000 --skipnested {on,off}
2001 Specifies whether to skip nested groups or not (memberOfSkip‐
2002 Nested)
2003
2004
2005 --scope SCOPE [SCOPE ...]
2006 Specifies backends or multiple-nested suffixes for the MemberOf
2007 plug-in to work on (memberOfEntryScope)
2008
2009
2010 --exclude EXCLUDE [EXCLUDE ...]
2011 Specifies backends or multiple-nested suffixes for the MemberOf
2012 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2013
2014
2015 --autoaddoc AUTOADDOC
2016 If an entry does not have an object class that allows the mem‐
2017 berOf attribute then the memberOf plugin will automatically add
2018 the object class listed in the memberOfAutoAddOC parameter
2019
2020
2021 --config-entry CONFIG_ENTRY
2022 The value to set as nsslapd-pluginConfigArea
2023
2024
2026 usage: dsconf instance plugin memberof config-entry [-h]
2027 {add,set,show,delete}
2028 ...
2029
2030
2032 dsconf plugin memberof config-entry add
2033 Add the config entry
2034
2035 dsconf plugin memberof config-entry set
2036 Edit the config entry
2037
2038 dsconf plugin memberof config-entry show
2039 Display the config entry
2040
2041 dsconf plugin memberof config-entry delete
2042 Delete the config entry
2043
2044
2046 usage: dsconf instance plugin memberof config-entry add [-h] [--attr
2047 ATTR]
2048 [--groupattr
2049 GROUPATTR [GROUPATTR ...]]
2050 [--allbackends
2051 {on,off}]
2052 [--skipnested
2053 {on,off}]
2054 [--scope SCOPE
2055 [SCOPE ...]]
2056 [--exclude EX‐
2057 CLUDE [EXCLUDE ...]]
2058 [--autoaddoc
2059 AUTOADDOC]
2060 DN
2061
2062
2063 DN The config entry full DN
2064
2065
2067 --attr ATTR
2068 Specifies the attribute in the user entry for the Directory
2069 Server to manage to reflect group membership (memberOfAttr)
2070
2071
2072 --groupattr GROUPATTR [GROUPATTR ...]
2073 Specifies the attribute in the group entry to use to identify
2074 the DNs of group members (memberOfGroupAttr)
2075
2076
2077 --allbackends {on,off}
2078 Specifies whether to search the local suffix for user entries or
2079 all available suffixes (memberOfAllBackends)
2080
2081
2082 --skipnested {on,off}
2083 Specifies whether to skip nested groups or not (memberOfSkip‐
2084 Nested)
2085
2086
2087 --scope SCOPE [SCOPE ...]
2088 Specifies backends or multiple-nested suffixes for the MemberOf
2089 plug-in to work on (memberOfEntryScope)
2090
2091
2092 --exclude EXCLUDE [EXCLUDE ...]
2093 Specifies backends or multiple-nested suffixes for the MemberOf
2094 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2095
2096
2097 --autoaddoc AUTOADDOC
2098 If an entry does not have an object class that allows the mem‐
2099 berOf attribute then the memberOf plugin will automatically add
2100 the object class listed in the memberOfAutoAddOC parameter
2101
2102
2104 usage: dsconf instance plugin memberof config-entry set [-h] [--attr
2105 ATTR]
2106 [--groupattr
2107 GROUPATTR [GROUPATTR ...]]
2108 [--allbackends
2109 {on,off}]
2110 [--skipnested
2111 {on,off}]
2112 [--scope SCOPE
2113 [SCOPE ...]]
2114 [--exclude EX‐
2115 CLUDE [EXCLUDE ...]]
2116 [--autoaddoc
2117 AUTOADDOC]
2118 DN
2119
2120
2121 DN The config entry full DN
2122
2123
2125 --attr ATTR
2126 Specifies the attribute in the user entry for the Directory
2127 Server to manage to reflect group membership (memberOfAttr)
2128
2129
2130 --groupattr GROUPATTR [GROUPATTR ...]
2131 Specifies the attribute in the group entry to use to identify
2132 the DNs of group members (memberOfGroupAttr)
2133
2134
2135 --allbackends {on,off}
2136 Specifies whether to search the local suffix for user entries on
2137 all available suffixes (memberOfAllBackends)
2138
2139
2140 --skipnested {on,off}
2141 Specifies whether to skip nested groups or not (memberOfSkip‐
2142 Nested)
2143
2144
2145 --scope SCOPE [SCOPE ...]
2146 Specifies backends or multiple-nested suffixes for the MemberOf
2147 plug-in to work on (memberOfEntryScope)
2148
2149
2150 --exclude EXCLUDE [EXCLUDE ...]
2151 Specifies backends or multiple-nested suffixes for the MemberOf
2152 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2153
2154
2155 --autoaddoc AUTOADDOC
2156 If an entry does not have an object class that allows the mem‐
2157 berOf attribute then the memberOf plugin will automatically add
2158 the object class listed in the memberOfAutoAddOC parameter
2159
2160
2162 usage: dsconf instance plugin memberof config-entry show [-h] DN
2163
2164
2165 DN The config entry full DN
2166
2167
2169 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2170
2171
2172 DN The config entry full DN
2173
2174
2176 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] [--wait]
2177 [--timeout TIMEOUT]
2178 DN
2179
2180
2181 DN Base DN that contains entries to fix up
2182
2183
2185 -f FILTER, --filter FILTER
2186 Filter for entries to fix up. If omitted, all entries with ob‐
2187 jectclass inetuser/inetadmin/nsmemberof under the specified base
2188 will have their memberOf attribute regenerated.
2189
2190
2191 --wait Wait for the task to finish, this could take a long time
2192
2193
2194 --timeout TIMEOUT
2195 Sets the task timeout. Default is 0 (no timeout)
2196
2197
2199 usage: dsconf instance plugin memberof fixup-status [-h] [--dn DN]
2200 [--show-log]
2201 [--watch]
2202
2203
2205 --dn DN
2206 The task entry's DN
2207
2208
2209 --show-log
2210 Display the task log
2211
2212
2213 --watch
2214 Watch the task's status and wait for it to finish
2215
2216
2218 usage: dsconf instance plugin automember [-h]
2219 {show,enable,disable,sta‐
2220 tus,list,definition,fixup,fixup-status,abort-fixup}
2221 ...
2222
2223
2225 dsconf plugin automember show
2226 Displays the plugin configuration
2227
2228 dsconf plugin automember enable
2229 Enables the plugin
2230
2231 dsconf plugin automember disable
2232 Disables the plugin
2233
2234 dsconf plugin automember status
2235 Displays the plugin status
2236
2237 dsconf plugin automember list
2238 List Automembership definitions or regex rules.
2239
2240 dsconf plugin automember definition
2241 Manage Automembership definition.
2242
2243 dsconf plugin automember fixup
2244 Run a rebuild membership task.
2245
2246 dsconf plugin automember fixup-status
2247 Check the status of a fix-up task
2248
2249 dsconf plugin automember abort-fixup
2250 Abort the rebuild membership task.
2251
2252
2254 usage: dsconf instance plugin automember show [-h]
2255
2256
2258 usage: dsconf instance plugin automember enable [-h]
2259
2260
2262 usage: dsconf instance plugin automember disable [-h]
2263
2264
2266 usage: dsconf instance plugin automember status [-h]
2267
2268
2270 usage: dsconf instance plugin automember list [-h] {defini‐
2271 tions,regexes} ...
2272
2273
2275 dsconf plugin automember list definitions
2276 Lists Automembership definitions.
2277
2278 dsconf plugin automember list regexes
2279 List Automembership regex rules.
2280
2281
2283 usage: dsconf instance plugin automember list definitions [-h]
2284
2285
2287 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2288
2289
2290 DEFNAME
2291 The definition entry CN
2292
2293
2295 usage: dsconf instance plugin automember definition [-h]
2296 DEFNAME
2297 {add,set,delete,show,regex}
2298 ...
2299
2300
2302 dsconf plugin automember definition add
2303 Creates Automembership definition.
2304
2305 dsconf plugin automember definition set
2306 Edits Automembership definition.
2307
2308 dsconf plugin automember definition delete
2309 Removes Automembership definition.
2310
2311 dsconf plugin automember definition show
2312 Displays Automembership definition.
2313
2314 dsconf plugin automember definition regex
2315 Manage Automembership regex rules.
2316
2317
2319 usage: dsconf instance plugin automember definition DEFNAME add
2320 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2321 FAULT_GROUP]
2322 --scope SCOPE --filter FILTER
2323
2324
2326 --grouping-attr GROUPING_ATTR
2327 Specifies the name of the member attribute in the group entry
2328 and the attribute in the object entry that supplies the member
2329 attribute value, in the format group_member_attr:entry_attr (au‐
2330 toMemberGroupingAttr)
2331
2332
2333 --default-group DEFAULT_GROUP
2334 Sets default or fallback group to add the entry to as a member
2335 attribute in group entry (autoMemberDefaultGroup)
2336
2337
2338 --scope SCOPE
2339 Sets the subtree DN to search for entries (autoMemberScope)
2340
2341
2342 --filter FILTER
2343 Sets a standard LDAP search filter to use to search for matching
2344 entries (autoMemberFilter)
2345
2346
2348 usage: dsconf instance plugin automember definition DEFNAME set
2349 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2350 FAULT_GROUP]
2351 --scope SCOPE --filter FILTER
2352
2353
2355 --grouping-attr GROUPING_ATTR
2356 Specifies the name of the member attribute in the group entry
2357 and the attribute in the object entry that supplies the member
2358 attribute value, in the format group_member_attr:entry_attr (au‐
2359 toMemberGroupingAttr)
2360
2361
2362 --default-group DEFAULT_GROUP
2363 Sets default or fallback group to add the entry to as a member
2364 attribute in group entry (autoMemberDefaultGroup)
2365
2366
2367 --scope SCOPE
2368 Sets the subtree DN to search for entries (autoMemberScope)
2369
2370
2371 --filter FILTER
2372 Sets a standard LDAP search filter to use to search for matching
2373 entries (autoMemberFilter)
2374
2375
2377 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2378
2379
2381 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2382
2383
2385 usage: dsconf instance plugin automember definition DEFNAME regex
2386 [-h] REGEXNAME {add,set,delete,show} ...
2387
2388
2390 dsconf plugin automember definition regex add
2391 Creates Automembership regex.
2392
2393 dsconf plugin automember definition regex set
2394 Edits Automembership regex.
2395
2396 dsconf plugin automember definition regex delete
2397 Removes Automembership regex.
2398
2399 dsconf plugin automember definition regex show
2400 Displays Automembership regex.
2401
2402
2404 usage: dsconf instance plugin automember definition DEFNAME regex
2405 REGEXNAME add
2406 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2407 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2408 GET_GROUP
2409
2410
2412 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2413 Sets a single regular expression to use to identify entries to
2414 exclude (autoMemberExclusiveRegex)
2415
2416
2417 --inclusive INCLUSIVE [INCLUSIVE ...]
2418 Sets a single regular expression to use to identify entries to
2419 include (autoMemberInclusiveRegex)
2420
2421
2422 --target-group TARGET_GROUP
2423 Sets which group to add the entry to as a member, if it meets
2424 the regular expression conditions (autoMemberTargetGroup)
2425
2426
2428 usage: dsconf instance plugin automember definition DEFNAME regex
2429 REGEXNAME set
2430 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2431 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2432 GET_GROUP
2433
2434
2436 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2437 Sets a single regular expression to use to identify entries to
2438 exclude (autoMemberExclusiveRegex)
2439
2440
2441 --inclusive INCLUSIVE [INCLUSIVE ...]
2442 Sets a single regular expression to use to identify entries to
2443 include (autoMemberInclusiveRegex)
2444
2445
2446 --target-group TARGET_GROUP
2447 Sets which group to add the entry to as a member, if it meets
2448 the regular expression conditions (autoMemberTargetGroup)
2449
2450
2452 usage: dsconf instance plugin automember definition DEFNAME regex
2453 REGEXNAME delete
2454 [-h]
2455
2456
2458 usage: dsconf instance plugin automember definition DEFNAME regex
2459 REGEXNAME show
2460 [-h]
2461
2462
2464 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2465 {sub,base,one}
2466 [--cleanup]
2467 [--wait] [--timeout
2468 TIMEOUT]
2469 DN
2470
2471
2472 DN Base DN that contains entries to fix up
2473
2474
2476 -f FILTER, --filter FILTER
2477 Sets the LDAP filter for entries to fix up
2478
2479
2480 -s {sub,base,one}, --scope {sub,base,one}
2481 Sets the LDAP search scope for entries to fix up
2482
2483
2484 --cleanup
2485 Clean up previous group memberships before rebuilding
2486
2487
2488 --wait Wait for the task to finish, this could take a long time
2489
2490
2491 --timeout TIMEOUT
2492 Set a timeout to wait for the fixup task. Default is 0 (no time‐
2493 out)
2494
2495
2497 usage: dsconf instance plugin automember fixup-status [-h] [--dn DN]
2498 [--show-log]
2499 [--watch]
2500
2501
2503 --dn DN
2504 The task entry's DN
2505
2506
2507 --show-log
2508 Display the task log
2509
2510
2511 --watch
2512 Watch the task's status and wait for it to finish
2513
2514
2516 usage: dsconf instance plugin automember abort-fixup [-h] [--timeout
2517 TIMEOUT]
2518
2519
2521 --timeout TIMEOUT
2522 Set a timeout to wait for the abort task. Default is 0 (no time‐
2523 out)
2524
2525
2527 usage: dsconf instance plugin referential-integrity [-h]
2528 {show,enable,dis‐
2529 able,status,set,config-entry}
2530 ...
2531
2532
2534 dsconf plugin referential-integrity show
2535 Displays the plugin configuration
2536
2537 dsconf plugin referential-integrity enable
2538 Enables the plugin
2539
2540 dsconf plugin referential-integrity disable
2541 Disables the plugin
2542
2543 dsconf plugin referential-integrity status
2544 Displays the plugin status
2545
2546 dsconf plugin referential-integrity set
2547 Edit the plugin settings
2548
2549 dsconf plugin referential-integrity config-entry
2550 Manage the config entry
2551
2552
2554 usage: dsconf instance plugin referential-integrity show [-h]
2555
2556
2558 usage: dsconf instance plugin referential-integrity enable [-h]
2559
2560
2562 usage: dsconf instance plugin referential-integrity disable [-h]
2563
2564
2566 usage: dsconf instance plugin referential-integrity status [-h]
2567
2568
2570 usage: dsconf instance plugin referential-integrity set [-h]
2571 [--update-delay
2572 UPDATE_DELAY]
2573 [--member‐
2574 ship-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2575 [--entry-scope
2576 ENTRY_SCOPE]
2577 [--exclude-en‐
2578 try-scope EXCLUDE_ENTRY_SCOPE]
2579 [--con‐
2580 tainer-scope CONTAINER_SCOPE]
2581 [--log-file
2582 LOG_FILE]
2583 [--config-entry
2584 CONFIG_ENTRY]
2585
2586
2588 --update-delay UPDATE_DELAY
2589 Sets the update interval. Special values: 0 - The check is per‐
2590 formed immediately, -1 - No check is performed (referint-up‐
2591 date-delay)
2592
2593
2594 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2595 Specifies attributes to check for and update (referint-member‐
2596 ship-attr)
2597
2598
2599 --entry-scope ENTRY_SCOPE
2600 Defines the subtree in which the plug-in looks for the delete or
2601 rename operations of a user entry (nsslapd-pluginEntryScope)
2602
2603
2604 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2605 Defines the subtree in which the plug-in ignores any operations
2606 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2607 tryScope)
2608
2609
2610 --container-scope CONTAINER_SCOPE
2611 Specifies which branch the plug-in searches for the groups to
2612 which the user belongs. It only updates groups that are under
2613 the specified container branch, and leaves all other groups not
2614 updated (nsslapd-pluginContainerScope)
2615
2616
2617 --log-file LOG_FILE
2618 Specifies a path to the Referential integrity logfile. For exam‐
2619 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2620
2621
2622 --config-entry CONFIG_ENTRY
2623 The value to set as nsslapd-pluginConfigArea
2624
2625
2627 usage: dsconf instance plugin referential-integrity config-entry
2628 [-h] {add,set,show,delete} ...
2629
2630
2632 dsconf plugin referential-integrity config-entry add
2633 Add the config entry
2634
2635 dsconf plugin referential-integrity config-entry set
2636 Edit the config entry
2637
2638 dsconf plugin referential-integrity config-entry show
2639 Display the config entry
2640
2641 dsconf plugin referential-integrity config-entry delete
2642 Delete the config entry
2643
2644
2646 usage: dsconf instance plugin referential-integrity config-entry add
2647 [-h] [--update-delay UPDATE_DELAY]
2648 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2649 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2650 TRY_SCOPE]
2651 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2652 DN
2653
2654
2655 DN The config entry full DN
2656
2657
2659 --update-delay UPDATE_DELAY
2660 Sets the update interval. Special values: 0 - The check is per‐
2661 formed immediately, -1 - No check is performed (referint-up‐
2662 date-delay)
2663
2664
2665 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2666 Specifies attributes to check for and update (referint-member‐
2667 ship-attr)
2668
2669
2670 --entry-scope ENTRY_SCOPE
2671 Defines the subtree in which the plug-in looks for the delete or
2672 rename operations of a user entry (nsslapd-pluginEntryScope)
2673
2674
2675 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2676 Defines the subtree in which the plug-in ignores any operations
2677 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2678 tryScope)
2679
2680
2681 --container-scope CONTAINER_SCOPE
2682 Specifies which branch the plug-in searches for the groups to
2683 which the user belongs. It only updates groups that are under
2684 the specified container branch, and leaves all other groups not
2685 updated (nsslapd-pluginContainerScope)
2686
2687
2688 --log-file LOG_FILE
2689 Specifies a path to the Referential integrity logfile. For exam‐
2690 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2691
2692
2694 usage: dsconf instance plugin referential-integrity config-entry set
2695 [-h] [--update-delay UPDATE_DELAY]
2696 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2697 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2698 TRY_SCOPE]
2699 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2700 DN
2701
2702
2703 DN The config entry full DN
2704
2705
2707 --update-delay UPDATE_DELAY
2708 Sets the update interval. Special values: 0 - The check is per‐
2709 formed immediately, -1 - No check is performed (referint-up‐
2710 date-delay)
2711
2712
2713 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2714 Specifies attributes to check for and update (referint-member‐
2715 ship-attr)
2716
2717
2718 --entry-scope ENTRY_SCOPE
2719 Defines the subtree in which the plug-in looks for the delete or
2720 rename operations of a user entry (nsslapd-pluginEntryScope)
2721
2722
2723 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2724 Defines the subtree in which the plug-in ignores any operations
2725 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2726 tryScope)
2727
2728
2729 --container-scope CONTAINER_SCOPE
2730 Specifies which branch the plug-in searches for the groups to
2731 which the user belongs. It only updates groups that are under
2732 the specified container branch, and leaves all other groups not
2733 updated (nsslapd-pluginContainerScope)
2734
2735
2736 --log-file LOG_FILE
2737 Specifies a path to the Referential integrity logfile. For exam‐
2738 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2739
2740
2742 usage: dsconf instance plugin referential-integrity config-entry show
2743 [-h] DN
2744
2745
2746 DN The config entry full DN
2747
2748
2750 usage: dsconf instance plugin referential-integrity config-entry delete
2751 [-h] DN
2752
2753
2754 DN The config entry full DN
2755
2756
2758 usage: dsconf instance plugin root-dn [-h]
2759 {show,enable,disable,status,set}
2760 ...
2761
2762
2764 dsconf plugin root-dn show
2765 Displays the plugin configuration
2766
2767 dsconf plugin root-dn enable
2768 Enables the plugin
2769
2770 dsconf plugin root-dn disable
2771 Disables the plugin
2772
2773 dsconf plugin root-dn status
2774 Displays the plugin status
2775
2776 dsconf plugin root-dn set
2777 Edit the plugin settings
2778
2779
2781 usage: dsconf instance plugin root-dn show [-h]
2782
2783
2785 usage: dsconf instance plugin root-dn enable [-h]
2786
2787
2789 usage: dsconf instance plugin root-dn disable [-h]
2790
2791
2793 usage: dsconf instance plugin root-dn status [-h]
2794
2795
2797 usage: dsconf instance plugin root-dn set [-h]
2798 [--allow-host ALLOW_HOST [AL‐
2799 LOW_HOST ...]]
2800 [--deny-host DENY_HOST
2801 [DENY_HOST ...]]
2802 [--allow-ip ALLOW_IP [AL‐
2803 LOW_IP ...]]
2804 [--deny-ip DENY_IP [DENY_IP
2805 ...]]
2806 [--open-time OPEN_TIME]
2807 [--close-time CLOSE_TIME]
2808 [--days-allowed DAYS_ALLOWED]
2809
2810
2812 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2813 Sets what hosts, by fully-qualified domain name, the root user
2814 is allowed to use to access Directory Server. Any hosts not
2815 listed are implicitly denied (rootdn-allow-host)
2816
2817
2818 --deny-host DENY_HOST [DENY_HOST ...]
2819 Sets what hosts, by fully-qualified domain name, the root user
2820 is not allowed to use to access Directory Server. Any hosts not
2821 listed are implicitly allowed (rootdn-deny-host). If a host ad‐
2822 dress is listed in both the rootdn-allow-host and
2823 rootdn-deny-host attributes, it is denied access.
2824
2825
2826 --allow-ip ALLOW_IP [ALLOW_IP ...]
2827 Sets what IP addresses, either IPv4 or IPv6, for machines the
2828 root user is allowed to use to access Directory Server. Any IP
2829 addresses not listed are implicitly denied (rootdn-allow-ip)
2830
2831
2832 --deny-ip DENY_IP [DENY_IP ...]
2833 Sets what IP addresses, either IPv4 or IPv6, for machines the
2834 root user is not allowed to use to access Directory Server. Any
2835 IP addresses not listed are implicitly allowed (rootdn-deny-ip).
2836 If an IP address is listed in both the rootdn-allow-ip and
2837 rootdn-deny-ip attributes, it is denied access.
2838
2839
2840 --open-time OPEN_TIME
2841 Sets part of a time period or range when the root user is al‐
2842 lowed to access Directory Server. This sets when the time-based
2843 access begins (rootdn-open-time)
2844
2845
2846 --close-time CLOSE_TIME
2847 Sets part of a time period or range when the root user is al‐
2848 lowed to access Directory Server. This sets when the time-based
2849 access ends (rootdn-close-time)
2850
2851
2852 --days-allowed DAYS_ALLOWED
2853 Sets a comma-separated list of what days the root user is al‐
2854 lowed to use to access Directory Server. Any days not listed are
2855 implicitly denied (rootdn-days-allowed)
2856
2857
2859 usage: dsconf instance plugin usn [-h]
2860 {show,enable,disable,sta‐
2861 tus,global,cleanup}
2862 ...
2863
2864
2866 dsconf plugin usn show
2867 Displays the plugin configuration
2868
2869 dsconf plugin usn enable
2870 Enables the plugin
2871
2872 dsconf plugin usn disable
2873 Disables the plugin
2874
2875 dsconf plugin usn status
2876 Displays the plugin status
2877
2878 dsconf plugin usn global
2879 Get or manage global USN mode (nsslapd-entryusn-global)
2880
2881 dsconf plugin usn cleanup
2882 Runs the USN tombstone cleanup task
2883
2884
2886 usage: dsconf instance plugin usn show [-h]
2887
2888
2890 usage: dsconf instance plugin usn enable [-h]
2891
2892
2894 usage: dsconf instance plugin usn disable [-h]
2895
2896
2898 usage: dsconf instance plugin usn status [-h]
2899
2900
2902 usage: dsconf instance plugin usn global [-h] {on,off} ...
2903
2904
2906 dsconf plugin usn global on
2907 Enables USN global mode
2908
2909 dsconf plugin usn global off
2910 Disables USN global mode
2911
2912
2914 usage: dsconf instance plugin usn global on [-h]
2915
2916
2918 usage: dsconf instance plugin usn global off [-h]
2919
2920
2922 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2923 [-m MAX_USN] [--timeout TIME‐
2924 OUT]
2925
2926
2928 -s SUFFIX, --suffix SUFFIX
2929 Sets the suffix or subtree in Directory Server to run the
2930 cleanup operation against. If the suffix is not specified, then
2931 the back end must be specified (suffix).
2932
2933
2934 -n BACKEND, --backend BACKEND
2935 Sets the Directory Server instance back end, or database, to run
2936 the cleanup operation against. If the back end is not specified,
2937 then the suffix must be specified. Backend instance in which USN
2938 tombstone entries are cleaned up (backend)
2939
2940
2941 -m MAX_USN, --max-usn MAX_USN
2942 Sets the highest USN value to delete when removing tombstone en‐
2943 tries (max_usn_to_delete)
2944
2945
2946 --timeout TIMEOUT
2947 Sets the cleanup task timeout. Default is 120 seconds.
2948
2949
2951 usage: dsconf instance plugin account-policy [-h]
2952 {show,enable,disable,sta‐
2953 tus,set,config-entry}
2954 ...
2955
2956
2958 dsconf plugin account-policy show
2959 Displays the plugin configuration
2960
2961 dsconf plugin account-policy enable
2962 Enables the plugin
2963
2964 dsconf plugin account-policy disable
2965 Disables the plugin
2966
2967 dsconf plugin account-policy status
2968 Displays the plugin status
2969
2970 dsconf plugin account-policy set
2971 Edit the plugin settings
2972
2973 dsconf plugin account-policy config-entry
2974 Manage the config entry
2975
2976
2978 usage: dsconf instance plugin account-policy show [-h]
2979
2980
2982 usage: dsconf instance plugin account-policy enable [-h]
2983
2984
2986 usage: dsconf instance plugin account-policy disable [-h]
2987
2988
2990 usage: dsconf instance plugin account-policy status [-h]
2991
2992
2994 usage: dsconf instance plugin account-policy set [-h]
2995 [--config-entry CON‐
2996 FIG_ENTRY]
2997
2998
3000 --config-entry CONFIG_ENTRY
3001 Sets the nsslapd-pluginConfigArea attribute
3002
3003
3005 usage: dsconf instance plugin account-policy config-entry [-h]
3006 {add,set,show,delete}
3007 ...
3008
3009
3011 dsconf plugin account-policy config-entry add
3012 Add the config entry
3013
3014 dsconf plugin account-policy config-entry set
3015 Edit the config entry
3016
3017 dsconf plugin account-policy config-entry show
3018 Display the config entry
3019
3020 dsconf plugin account-policy config-entry delete
3021 Delete the config entry
3022
3023
3025 usage: dsconf instance plugin account-policy config-entry add
3026 [-h] [--always-record-login {yes,no}] [--alt-state-attr
3027 ALT_STATE_ATTR]
3028 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
3029 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
3030 [--state-attr STATE_ATTR] [--login-history-size LOGIN_HIS‐
3031 TORY_SIZE]
3032 [--check-all-state-attrs {yes,no}]
3033 DN
3034
3035
3036 DN The full DN of the config entry
3037
3038
3040 --always-record-login {yes,no}
3041 Sets that every entry records its last login time (alwaysRecord‐
3042 Login)
3043
3044
3045 --alt-state-attr ALT_STATE_ATTR
3046 Provides a backup attribute for the server to reference to eval‐
3047 uate the expiration time (altStateAttrName)
3048
3049
3050 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
3051 Specifies the attribute in which to store the time of the last
3052 successful login in the user's directory entry (al‐
3053 waysRecordLoginAttr)
3054
3055
3056 --limit-attr LIMIT_ATTR
3057 Specifies the attribute within the policy to use for the account
3058 inactivation limit (limitAttrName)
3059
3060
3061 --spec-attr SPEC_ATTR
3062 Specifies the attribute to identify which entries are account
3063 policy configuration entries (specAttrName)
3064
3065
3066 --state-attr STATE_ATTR
3067 Specifies the primary time attribute used to evaluate an account
3068 policy (stateAttrName)
3069
3070
3071 --login-history-size LOGIN_HISTORY_SIZE
3072 Specifies the number of login timestamps to store (lastLogin‐
3073 HistSize)
3074
3075
3076 --check-all-state-attrs {yes,no}
3077 Check both state and alternate state attributes for account
3078 state
3079
3080
3082 usage: dsconf instance plugin account-policy config-entry set
3083 [-h] [--always-record-login {yes,no}] [--alt-state-attr
3084 ALT_STATE_ATTR]
3085 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
3086 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
3087 [--state-attr STATE_ATTR] [--login-history-size LOGIN_HIS‐
3088 TORY_SIZE]
3089 [--check-all-state-attrs {yes,no}]
3090 DN
3091
3092
3093 DN The full DN of the config entry
3094
3095
3097 --always-record-login {yes,no}
3098 Sets that every entry records its last login time (alwaysRecord‐
3099 Login)
3100
3101
3102 --alt-state-attr ALT_STATE_ATTR
3103 Provides a backup attribute for the server to reference to eval‐
3104 uate the expiration time (altStateAttrName)
3105
3106
3107 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
3108 Specifies the attribute in which to store the time of the last
3109 successful login in the user's directory entry (al‐
3110 waysRecordLoginAttr)
3111
3112
3113 --limit-attr LIMIT_ATTR
3114 Specifies the attribute within the policy to use for the account
3115 inactivation limit (limitAttrName)
3116
3117
3118 --spec-attr SPEC_ATTR
3119 Specifies the attribute to identify which entries are account
3120 policy configuration entries (specAttrName)
3121
3122
3123 --state-attr STATE_ATTR
3124 Specifies the primary time attribute used to evaluate an account
3125 policy (stateAttrName)
3126
3127
3128 --login-history-size LOGIN_HISTORY_SIZE
3129 Specifies the number of login timestamps to store (lastLogin‐
3130 HistSize)
3131
3132
3133 --check-all-state-attrs {yes,no}
3134 Check both state and alternate state attributes for account
3135 state
3136
3137
3139 usage: dsconf instance plugin account-policy config-entry show [-h] DN
3140
3141
3142 DN The full DN of the config entry
3143
3144
3146 usage: dsconf instance plugin account-policy config-entry delete [-h]
3147 DN
3148
3149
3150 DN The full DN of the config entry
3151
3152
3154 usage: dsconf instance plugin attr-uniq [-h]
3155 {list,add,set,show,delete,en‐
3156 able,disable,status}
3157 ...
3158
3159
3161 dsconf plugin attr-uniq list
3162 Lists available plugin configs
3163
3164 dsconf plugin attr-uniq add
3165 Add the config entry
3166
3167 dsconf plugin attr-uniq set
3168 Edit the config entry
3169
3170 dsconf plugin attr-uniq show
3171 Display the config entry
3172
3173 dsconf plugin attr-uniq delete
3174 Delete the config entry
3175
3176 dsconf plugin attr-uniq enable
3177 enable plugin
3178
3179 dsconf plugin attr-uniq disable
3180 disable plugin
3181
3182 dsconf plugin attr-uniq status
3183 display plugin status
3184
3185
3187 usage: dsconf instance plugin attr-uniq list [-h]
3188
3189
3191 usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
3192 [--attr-name ATTR_NAME
3193 [ATTR_NAME ...]]
3194 [--subtree SUBTREE [SUBTREE
3195 ...]]
3196 [--across-all-subtrees
3197 {on,off}]
3198 [--top-entry-oc TOP_EN‐
3199 TRY_OC]
3200 [--subtree-entries-oc SUB‐
3201 TREE_ENTRIES_OC]
3202 NAME
3203
3204
3205 NAME The name of the plug-in configuration record. (cn) You can use
3206 any string, but "attribute_name Attribute Uniqueness" is recom‐
3207 mended.
3208
3209
3211 --enabled {on,off}
3212 Identifies whether or not the config is enabled.
3213
3214
3215 --attr-name ATTR_NAME [ATTR_NAME ...]
3216 Sets the name of the attribute whose values must be unique. This
3217 attribute is multi-valued. (uniqueness-attribute-name)
3218
3219
3220 --subtree SUBTREE [SUBTREE ...]
3221 Sets the DN under which the plug-in checks for uniqueness of the
3222 attribute's value. This attribute is multi-valued (unique‐
3223 ness-subtrees)
3224
3225
3226 --across-all-subtrees {on,off}
3227 If enabled (on), the plug-in checks that the attribute is unique
3228 across all subtrees set. If you set the attribute to off,
3229 uniqueness is only enforced within the subtree of the updated
3230 entry (uniqueness-across-all-subtrees)
3231
3232
3233 --top-entry-oc TOP_ENTRY_OC
3234 Verifies that the value of the attribute set in uniqueness-at‐
3235 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3236
3237
3238 --subtree-entries-oc SUBTREE_ENTRIES_OC
3239 Verifies if an attribute is unique, if the entry contains the
3240 object class set in this parameter (uniqueness-subtree-en‐
3241 tries-oc)
3242
3243
3245 usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
3246 [--attr-name ATTR_NAME
3247 [ATTR_NAME ...]]
3248 [--subtree SUBTREE [SUBTREE
3249 ...]]
3250 [--across-all-subtrees
3251 {on,off}]
3252 [--top-entry-oc TOP_EN‐
3253 TRY_OC]
3254 [--subtree-entries-oc SUB‐
3255 TREE_ENTRIES_OC]
3256 NAME
3257
3258
3259 NAME The name of the plug-in configuration record. (cn) You can use
3260 any string, but "attribute_name Attribute Uniqueness" is recom‐
3261 mended.
3262
3263
3265 --enabled {on,off}
3266 Identifies whether or not the config is enabled.
3267
3268
3269 --attr-name ATTR_NAME [ATTR_NAME ...]
3270 Sets the name of the attribute whose values must be unique. This
3271 attribute is multi-valued. (uniqueness-attribute-name)
3272
3273
3274 --subtree SUBTREE [SUBTREE ...]
3275 Sets the DN under which the plug-in checks for uniqueness of the
3276 attribute's value. This attribute is multi-valued (unique‐
3277 ness-subtrees)
3278
3279
3280 --across-all-subtrees {on,off}
3281 If enabled (on), the plug-in checks that the attribute is unique
3282 across all subtrees set. If you set the attribute to off,
3283 uniqueness is only enforced within the subtree of the updated
3284 entry (uniqueness-across-all-subtrees)
3285
3286
3287 --top-entry-oc TOP_ENTRY_OC
3288 Verifies that the value of the attribute set in uniqueness-at‐
3289 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3290
3291
3292 --subtree-entries-oc SUBTREE_ENTRIES_OC
3293 Verifies if an attribute is unique, if the entry contains the
3294 object class set in this parameter (uniqueness-subtree-en‐
3295 tries-oc)
3296
3297
3299 usage: dsconf instance plugin attr-uniq show [-h] NAME
3300
3301
3302 NAME The name of the plug-in configuration record
3303
3304
3306 usage: dsconf instance plugin attr-uniq delete [-h] NAME
3307
3308
3309 NAME The name of the plug-in configuration record
3310
3311
3313 usage: dsconf instance plugin attr-uniq enable [-h] NAME
3314
3315
3316 NAME The name of the plug-in configuration record
3317
3318
3320 usage: dsconf instance plugin attr-uniq disable [-h] NAME
3321
3322
3323 NAME The name of the plug-in configuration record
3324
3325
3327 usage: dsconf instance plugin attr-uniq status [-h] NAME
3328
3329
3330 NAME The name of the plug-in configuration record
3331
3332
3334 usage: dsconf instance plugin dna [-h]
3335 {show,enable,disable,status,list,con‐
3336 fig} ...
3337
3338
3340 dsconf plugin dna show
3341 Displays the plugin configuration
3342
3343 dsconf plugin dna enable
3344 Enables the plugin
3345
3346 dsconf plugin dna disable
3347 Disables the plugin
3348
3349 dsconf plugin dna status
3350 Displays the plugin status
3351
3352 dsconf plugin dna list
3353 List available plugin configs
3354
3355 dsconf plugin dna config
3356 Manage plugin configs
3357
3358
3360 usage: dsconf instance plugin dna show [-h]
3361
3362
3364 usage: dsconf instance plugin dna enable [-h]
3365
3366
3368 usage: dsconf instance plugin dna disable [-h]
3369
3370
3372 usage: dsconf instance plugin dna status [-h]
3373
3374
3376 usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
3377 ...
3378
3379
3381 dsconf plugin dna list configs
3382 List main DNA plugin config entries
3383
3384 dsconf plugin dna list shared-configs
3385 List DNA plugin shared config entries
3386
3387
3389 usage: dsconf instance plugin dna list configs [-h]
3390
3391
3393 usage: dsconf instance plugin dna list shared-configs [-h] BASEDN
3394
3395
3396 BASEDN The search DN
3397
3398
3400 usage: dsconf instance plugin dna config [-h]
3401 NAME
3402 {add,set,show,delete,shared-con‐
3403 fig-entry}
3404 ...
3405
3406
3408 dsconf plugin dna config add
3409 Add the config entry
3410
3411 dsconf plugin dna config set
3412 Edit the config entry
3413
3414 dsconf plugin dna config show
3415 Display the config entry
3416
3417 dsconf plugin dna config delete
3418 Delete the config entry
3419
3420 dsconf plugin dna config shared-config-entry
3421 Manage the shared config entry
3422
3423
3425 usage: dsconf instance plugin dna config NAME add [-h]
3426 [--type TYPE [TYPE
3427 ...]]
3428 [--prefix PREFIX]
3429 [--next-value
3430 NEXT_VALUE]
3431 [--max-value
3432 MAX_VALUE]
3433 [--interval INTERVAL]
3434 [--magic-regen
3435 MAGIC_REGEN]
3436 [--filter FILTER]
3437 [--scope SCOPE]
3438 [--remote-bind-dn RE‐
3439 MOTE_BIND_DN]
3440 [--remote-bind-cred
3441 REMOTE_BIND_CRED]
3442 [--shared-config-en‐
3443 try SHARED_CONFIG_ENTRY]
3444 [--threshold THRESH‐
3445 OLD]
3446 [--next-range
3447 NEXT_RANGE]
3448 [--range-re‐
3449 quest-timeout RANGE_REQUEST_TIMEOUT]
3450
3451
3453 --type TYPE [TYPE ...]
3454 Sets which attributes have unique numbers being generated for
3455 them (dnaType)
3456
3457
3458 --prefix PREFIX
3459 Defines a prefix that can be prepended to the generated number
3460 values for the attribute (dnaPrefix)
3461
3462
3463 --next-value NEXT_VALUE
3464 Sets the next available number which can be assigned
3465 (dnaNextValue)
3466
3467
3468 --max-value MAX_VALUE
3469 Sets the maximum value that can be assigned for the range (dna‐
3470 MaxValue)
3471
3472
3473 --interval INTERVAL
3474 Sets an interval to use to increment through numbers in a range
3475 (dnaInterval)
3476
3477
3478 --magic-regen MAGIC_REGEN
3479 Sets a user-defined value that instructs the plug-in to assign a
3480 new value for the entry (dnaMagicRegen)
3481
3482
3483 --filter FILTER
3484 Sets an LDAP filter to use to search for and identify the en‐
3485 tries to which to apply the distributed numeric assignment range
3486 (dnaFilter)
3487
3488
3489 --scope SCOPE
3490 Sets the base DN to search for entries to which to apply the
3491 distributed numeric assignment (dnaScope)
3492
3493
3494 --remote-bind-dn REMOTE_BIND_DN
3495 Specifies the Replication Manager DN (dnaRemoteBindDN)
3496
3497
3498 --remote-bind-cred REMOTE_BIND_CRED
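3499 Specifies the Replication Manager's password (dnaRemoteBindCred). A password given as a command-line argument can be visible in the process list and in shell history.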
3500
3501
3502 --shared-config-entry SHARED_CONFIG_ENTRY
3503 Defines a shared identity that the servers can use to transfer
3504 ranges to one another (dnaSharedCfgDN)
3505
3506
3507 --threshold THRESHOLD
3508 Sets a threshold of remaining available numbers in the range.
3509 When the server hits the threshold, it sends a request for a new
3510 range (dnaThreshold)
3511
3512
3513 --next-range NEXT_RANGE
3514 Defines the next range to use when the current range is ex‐
3515 hausted (dnaNextRange)
3516
3517
3518 --range-request-timeout RANGE_REQUEST_TIMEOUT
3519 Sets a timeout period, in seconds, for range requests so that
3520 the server does not stall waiting on a new range from one server
3521 and can request a range from a new server (dnaRangeRequestTime‐
3522 out)
3523
3524
3526 usage: dsconf instance plugin dna config NAME set [-h]
3527 [--type TYPE [TYPE
3528 ...]]
3529 [--prefix PREFIX]
3530 [--next-value
3531 NEXT_VALUE]
3532 [--max-value
3533 MAX_VALUE]
3534 [--interval INTERVAL]
3535 [--magic-regen
3536 MAGIC_REGEN]
3537 [--filter FILTER]
3538 [--scope SCOPE]
3539 [--remote-bind-dn RE‐
3540 MOTE_BIND_DN]
3541 [--remote-bind-cred
3542 REMOTE_BIND_CRED]
3543 [--shared-config-en‐
3544 try SHARED_CONFIG_ENTRY]
3545 [--threshold THRESH‐
3546 OLD]
3547 [--next-range
3548 NEXT_RANGE]
3549 [--range-re‐
3550 quest-timeout RANGE_REQUEST_TIMEOUT]
3551
3552
3554 --type TYPE [TYPE ...]
3555 Sets which attributes have unique numbers being generated for
3556 them (dnaType)
3557
3558
3559 --prefix PREFIX
3560 Defines a prefix that can be prepended to the generated number
3561 values for the attribute (dnaPrefix)
3562
3563
3564 --next-value NEXT_VALUE
3565 Sets the next available number which can be assigned
3566 (dnaNextValue)
3567
3568
3569 --max-value MAX_VALUE
3570 Sets the maximum value that can be assigned for the range (dna‐
3571 MaxValue)
3572
3573
3574 --interval INTERVAL
3575 Sets an interval to use to increment through numbers in a range
3576 (dnaInterval)
3577
3578
3579 --magic-regen MAGIC_REGEN
3580 Sets a user-defined value that instructs the plug-in to assign a
3581 new value for the entry (dnaMagicRegen)
3582
3583
3584 --filter FILTER
3585 Sets an LDAP filter to use to search for and identify the en‐
3586 tries to which to apply the distributed numeric assignment range
3587 (dnaFilter)
3588
3589
3590 --scope SCOPE
3591 Sets the base DN to search for entries to which to apply the
3592 distributed numeric assignment (dnaScope)
3593
3594
3595 --remote-bind-dn REMOTE_BIND_DN
3596 Specifies the Replication Manager DN (dnaRemoteBindDN)
3597
3598
3599 --remote-bind-cred REMOTE_BIND_CRED
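3600 Specifies the Replication Manager's password (dnaRemoteBindCred). A password given as a command-line argument can be visible in the process list and in shell history.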
3601
3602
3603 --shared-config-entry SHARED_CONFIG_ENTRY
3604 Defines a shared identity that the servers can use to transfer
3605 ranges to one another (dnaSharedCfgDN)
3606
3607
3608 --threshold THRESHOLD
3609 Sets a threshold of remaining available numbers in the range.
3610 When the server hits the threshold, it sends a request for a new
3611 range (dnaThreshold)
3612
3613
3614 --next-range NEXT_RANGE
3615 Defines the next range to use when the current range is ex‐
3616 hausted (dnaNextRange)
3617
3618
3619 --range-request-timeout RANGE_REQUEST_TIMEOUT
3620 Sets a timeout period, in seconds, for range requests so that
3621 the server does not stall waiting on a new range from one server
3622 and can request a range from a new server (dnaRangeRequestTime‐
3623 out)
3624
3625
3627 usage: dsconf instance plugin dna config NAME show [-h]
3628
3629
3631 usage: dsconf instance plugin dna config NAME delete [-h]
3632
3633
3635 usage: dsconf instance plugin dna config NAME shared-config-entry
3636 [-h] SHARED_CFG {set,show,delete} ...
3637
3638
3640 dsconf plugin dna config shared-config-entry set
3641 Edit the shared config entry
3642
3643 dsconf plugin dna config shared-config-entry show
3644 Display the shared config entry
3645
3646 dsconf plugin dna config shared-config-entry delete
3647 Delete the shared config entry
3648
3649
3651 usage: dsconf instance plugin dna config NAME shared-config-entry
3652 SHARED_CFG set
3653 [-h] [--remote-bind-method REMOTE_BIND_METHOD]
3654 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3655
3656
3658 --remote-bind-method REMOTE_BIND_METHOD
3659 Specifies the remote bind method "SIMPLE", "SSL" (for SSL client
3660 auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)
3661
3662
3663 --remote-conn-protocol REMOTE_CONN_PROTOCOL
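3664 Specifies the remote connection protocol "LDAP", or "TLS"
3665 (dnaRemoteConnProtocol). With "LDAP" the connection is not encrypted, so a "SIMPLE" bind sends the bind password in clear text.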
3666
3667
3669 usage: dsconf instance plugin dna config NAME shared-config-entry
3670 SHARED_CFG show
3671 [-h]
3672
3673
3675 usage: dsconf instance plugin dna config NAME shared-config-entry
3676 SHARED_CFG delete
3677 [-h]
3678
3679
3681 usage: dsconf instance plugin ldap-pass-through-auth [-h]
3682 {show,enable,dis‐
3683 able,status,list,add,modify,delete}
3684 ...
3685
3686
3688 dsconf plugin ldap-pass-through-auth show
3689 Displays the plugin configuration
3690
3691 dsconf plugin ldap-pass-through-auth enable
3692 Enables the plugin
3693
3694 dsconf plugin ldap-pass-through-auth disable
3695 Disables the plugin
3696
3697 dsconf plugin ldap-pass-through-auth status
3698 Displays the plugin status
3699
3700 dsconf plugin ldap-pass-through-auth list
3701 Lists LDAP URLs
3702
3703 dsconf plugin ldap-pass-through-auth add
3704 Add an LDAP URL to the config entry
3705
3706 dsconf plugin ldap-pass-through-auth modify
3707 Edit the LDAP pass through config entry
3708
3709 dsconf plugin ldap-pass-through-auth delete
3710 Delete a URL from the config entry
3711
3712
3714 usage: dsconf instance plugin ldap-pass-through-auth show [-h]
3715
3716
3718 usage: dsconf instance plugin ldap-pass-through-auth enable [-h]
3719
3720
3722 usage: dsconf instance plugin ldap-pass-through-auth disable [-h]
3723
3724
3726 usage: dsconf instance plugin ldap-pass-through-auth status [-h]
3727
3728
3730 usage: dsconf instance plugin ldap-pass-through-auth list [-h]
3731
3732
3734 usage: dsconf instance plugin ldap-pass-through-auth add [-h] URL
3735
3736
3737 URL The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
3738 conns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
3739 tional parameter is specified the rest should be specified too
3740
3741
3743 usage: dsconf instance plugin ldap-pass-through-auth modify
3744 [-h] OLD_URL NEW_URL
3745
3746
3747 OLD_URL
3748 The full LDAP URL you get from the "list" command
3749
3750
3751 NEW_URL
3752 Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree
3753 maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
3754 tional parameter is specified the rest should be specified too.
3755
3756
3758 usage: dsconf instance plugin ldap-pass-through-auth delete [-h] URL
3759
3760
3761 URL The full LDAP URL you get from the "list" command
3762
3763
3765 usage: dsconf instance plugin linked-attr [-h]
3766 {show,enable,disable,sta‐
3767 tus,fixup,fixup-status,list,config}
3768 ...
3769
3770
3772 dsconf plugin linked-attr show
3773 Displays the plugin configuration
3774
3775 dsconf plugin linked-attr enable
3776 Enables the plugin
3777
3778 dsconf plugin linked-attr disable
3779 Disables the plugin
3780
3781 dsconf plugin linked-attr status
3782 Displays the plugin status
3783
3784 dsconf plugin linked-attr fixup
3785 Run the fix-up task for linked attributes plugin
3786
3787 dsconf plugin linked-attr fixup-status
3788 Check the status of a fix-up task
3789
3790 dsconf plugin linked-attr list
3791 List available plugin configs
3792
3793 dsconf plugin linked-attr config
3794 Manage plugin configs
3795
3796
3798 usage: dsconf instance plugin linked-attr show [-h]
3799
3800
3802 usage: dsconf instance plugin linked-attr enable [-h]
3803
3804
3806 usage: dsconf instance plugin linked-attr disable [-h]
3807
3808
3810 usage: dsconf instance plugin linked-attr status [-h]
3811
3812
3814 usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
3815 [--wait]
3816
3817
3819 -l LINKDN, --linkdn LINKDN
3820 Sets the base DN that contains entries to fix up
3821
3822
3823 --wait Wait for the task to finish; this could take a long time
3824
3825
3827 usage: dsconf instance plugin linked-attr fixup-status [-h] [--dn DN]
3828 [--show-log]
3829 [--watch]
3830
3831
3833 --dn DN
3834 The task entry's DN
3835
3836
3837 --show-log
3838 Display the task log
3839
3840
3841 --watch
3842 Watch the task's status and wait for it to finish
3843
3844
3846 usage: dsconf instance plugin linked-attr list [-h]
3847
3848
3850 usage: dsconf instance plugin linked-attr config [-h]
3851 NAME
3852 {add,set,show,delete}
3853 ...
3854
3855
3857 dsconf plugin linked-attr config add
3858 Add the config entry
3859
3860 dsconf plugin linked-attr config set
3861 Edit the config entry
3862
3863 dsconf plugin linked-attr config show
3864 Display the config entry
3865
3866 dsconf plugin linked-attr config delete
3867 Delete the config entry
3868
3869
3871 usage: dsconf instance plugin linked-attr config NAME add [-h]
3872 [--link-type
3873 LINK_TYPE]
3874 [--man‐
3875 aged-type MANAGED_TYPE]
3876 [--link-scope
3877 LINK_SCOPE]
3878
3879
3881 --link-type LINK_TYPE
3882 Sets the attribute that is managed manually by administrators
3883 (linkType)
3884
3885
3886 --managed-type MANAGED_TYPE
3887 Sets the attribute that is created dynamically by the plugin
3888 (managedType)
3889
3890
3891 --link-scope LINK_SCOPE
3892 Sets the scope that restricts the plugin to a specific part of
3893 the directory tree (linkScope)
3894
3895
3897 usage: dsconf instance plugin linked-attr config NAME set [-h]
3898 [--link-type
3899 LINK_TYPE]
3900 [--man‐
3901 aged-type MANAGED_TYPE]
3902 [--link-scope
3903 LINK_SCOPE]
3904
3905
3907 --link-type LINK_TYPE
3908 Sets the attribute that is managed manually by administrators
3909 (linkType)
3910
3911
3912 --managed-type MANAGED_TYPE
3913 Sets the attribute that is created dynamically by the plugin
3914 (managedType)
3915
3916
3917 --link-scope LINK_SCOPE
3918 Sets the scope that restricts the plugin to a specific part of
3919 the directory tree (linkScope)
3920
3921
3923 usage: dsconf instance plugin linked-attr config NAME show [-h]
3924
3925
3927 usage: dsconf instance plugin linked-attr config NAME delete [-h]
3928
3929
3931 usage: dsconf instance plugin managed-entries [-h]
3932 {show,enable,disable,sta‐
3933 tus,set,list,config,template}
3934 ...
3935
3936
3938 dsconf plugin managed-entries show
3939 Displays the plugin configuration
3940
3941 dsconf plugin managed-entries enable
3942 Enables the plugin
3943
3944 dsconf plugin managed-entries disable
3945 Disables the plugin
3946
3947 dsconf plugin managed-entries status
3948 Displays the plugin status
3949
3950 dsconf plugin managed-entries set
3951 Edit the plugin settings
3952
3953 dsconf plugin managed-entries list
3954 List Managed Entries Plugin configs and templates
3955
3956 dsconf plugin managed-entries config
3957 Handle Managed Entries Plugin configs
3958
3959 dsconf plugin managed-entries template
3960 Handle Managed Entries Plugin templates
3961
3962
3964 usage: dsconf instance plugin managed-entries show [-h]
3965
3966
3968 usage: dsconf instance plugin managed-entries enable [-h]
3969
3970
3972 usage: dsconf instance plugin managed-entries disable [-h]
3973
3974
3976 usage: dsconf instance plugin managed-entries status [-h]
3977
3978
3980 usage: dsconf instance plugin managed-entries set [-h]
3981 [--config-area CON‐
3982 FIG_AREA]
3983
3984
3986 --config-area CONFIG_AREA
3987 Sets the value of the nsslapd-pluginConfigArea attribute
3988
3989
3991 usage: dsconf instance plugin managed-entries list [-h]
3992 {configs,templates}
3993 ...
3994
3995
3997 dsconf plugin managed-entries list configs
3998 List Managed Entries Plugin configs (list config-area if speci‐
3999 fied in the main plugin entry)
4000
4001 dsconf plugin managed-entries list templates
4002 List Managed Entries Plugin templates in the directory
4003
4004
4006 usage: dsconf instance plugin managed-entries list configs [-h]
4007
4008
4010 usage: dsconf instance plugin managed-entries list templates [-h]
4011 [BASEDN]
4012
4013
4014 BASEDN The base DN where to search the templates
4015
4016
4018 usage: dsconf instance plugin managed-entries config [-h]
4019 NAME
4020 {add,set,show,delete}
4021 ...
4022
4023
4025 dsconf plugin managed-entries config add
4026 Add the config entry
4027
4028 dsconf plugin managed-entries config set
4029 Edit the config entry
4030
4031 dsconf plugin managed-entries config show
4032 Display the config entry
4033
4034 dsconf plugin managed-entries config delete
4035 Delete the config entry
4036
4037
4039 usage: dsconf instance plugin managed-entries config NAME add
4040 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
4041 AGED_BASE]
4042 [--managed-template MANAGED_TEMPLATE]
4043
4044
4046 --scope SCOPE
4047 Sets the scope of the search to use to see which entries the
4048 plug-in monitors (originScope)
4049
4050
4051 --filter FILTER
4052 Sets the search filter to use to search for and identify the en‐
4053 tries within the subtree which require a managed entry (origin‐
4054 Filter)
4055
4056
4057 --managed-base MANAGED_BASE
4058 Sets the subtree under which to create the managed entries (man‐
4059 agedBase)
4060
4061
4062 --managed-template MANAGED_TEMPLATE
4063 Identifies the template entry to use to create the managed entry
4064 (managedTemplate)
4065
4066
4068 usage: dsconf instance plugin managed-entries config NAME set
4069 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
4070 AGED_BASE]
4071 [--managed-template MANAGED_TEMPLATE]
4072
4073
4075 --scope SCOPE
4076 Sets the scope of the search to use to see which entries the
4077 plug-in monitors (originScope)
4078
4079
4080 --filter FILTER
4081 Sets the search filter to use to search for and identify the en‐
4082 tries within the subtree which require a managed entry (origin‐
4083 Filter)
4084
4085
4086 --managed-base MANAGED_BASE
4087 Sets the subtree under which to create the managed entries (man‐
4088 agedBase)
4089
4090
4091 --managed-template MANAGED_TEMPLATE
4092 Identifies the template entry to use to create the managed entry
4093 (managedTemplate)
4094
4095
4097 usage: dsconf instance plugin managed-entries config NAME show [-h]
4098
4099
4101 usage: dsconf instance plugin managed-entries config NAME delete [-h]
4102
4103
4105 usage: dsconf instance plugin managed-entries template [-h]
4106 DN
4107 {add,set,show,delete}
4108 ...
4109
4110
4112 dsconf plugin managed-entries template add
4113 Add the template entry
4114
4115 dsconf plugin managed-entries template set
4116 Edit the template entry
4117
4118 dsconf plugin managed-entries template show
4119 Display the template entry
4120
4121 dsconf plugin managed-entries template delete
4122 Delete the template entry
4123
4124
4126 usage: dsconf instance plugin managed-entries template DN add
4127 [-h] [--rdn-attr RDN_ATTR]
4128 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
4129 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
4130
4131
4133 --rdn-attr RDN_ATTR
4134 Sets which attribute to use as the naming attribute in the
4135 automatically-generated entry (mepRDNAttr)
4136
4137
4138 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4139 Sets an attribute with a defined value that must be added to the
4140 automatically-generated entry (mepStaticAttr)
4141
4142
4143 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4144 Sets attributes in the Managed Entries template entry which must
4145 exist in the generated entry (mepMappedAttr)
4146
4147
4149 usage: dsconf instance plugin managed-entries template DN set
4150 [-h] [--rdn-attr RDN_ATTR]
4151 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
4152 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
4153
4154
4156 --rdn-attr RDN_ATTR
4157 Sets which attribute to use as the naming attribute in the
4158 automatically-generated entry (mepRDNAttr)
4159
4160
4161 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4162 Sets an attribute with a defined value that must be added to the
4163 automatically-generated entry (mepStaticAttr)
4164
4165
4166 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4167 Sets attributes in the Managed Entries template entry which must
4168 exist in the generated entry (mepMappedAttr)
4169
4170
4172 usage: dsconf instance plugin managed-entries template DN show [-h]
4173
4174
4176 usage: dsconf instance plugin managed-entries template DN delete [-h]
4177
4178
4180 usage: dsconf instance plugin pam-pass-through-auth [-h]
4181 {show,enable,dis‐
4182 able,status,list,config}
4183 ...
4184
4185
4187 dsconf plugin pam-pass-through-auth show
4188 Displays the plugin configuration
4189
4190 dsconf plugin pam-pass-through-auth enable
4191 Enables the plugin
4192
4193 dsconf plugin pam-pass-through-auth disable
4194 Disables the plugin
4195
4196 dsconf plugin pam-pass-through-auth status
4197 Displays the plugin status
4198
4199 dsconf plugin pam-pass-through-auth list
4200 Lists PAM configurations
4201
4202 dsconf plugin pam-pass-through-auth config
4203 Manage PAM PTA configurations.
4204
4205
4207 usage: dsconf instance plugin pam-pass-through-auth show [-h]
4208
4209
4211 usage: dsconf instance plugin pam-pass-through-auth enable [-h]
4212
4213
4215 usage: dsconf instance plugin pam-pass-through-auth disable [-h]
4216
4217
4219 usage: dsconf instance plugin pam-pass-through-auth status [-h]
4220
4221
4223 usage: dsconf instance plugin pam-pass-through-auth list [-h]
4224
4225
4227 usage: dsconf instance plugin pam-pass-through-auth config [-h]
4228 NAME
4229 {add,set,show,delete}
4230 ...
4231
4232
4234 dsconf plugin pam-pass-through-auth config add
4235 Add the config entry
4236
4237 dsconf plugin pam-pass-through-auth config set
4238 Edit the config entry
4239
4240 dsconf plugin pam-pass-through-auth config show
4241 Display the config entry
4242
4243 dsconf plugin pam-pass-through-auth config delete
4244 Delete the config entry
4245
4246
4248 usage: dsconf instance plugin pam-pass-through-auth config NAME add
4249 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4250 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4251 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4252 TER]
4253 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4254 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4255 SERVICE]
4256
4257
4259 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4260 Specifies a suffix to exclude from PAM authentication (pamEx‐
4261 cludeSuffix)
4262
4263
4264 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4265 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4266 fix)
4267
4268
4269 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4270 Identifies how to handle missing include or exclude suffixes
4271 (pamMissingSuffix)
4272
4273
4274 --filter FILTER
4275 Sets an LDAP filter to use to identify specific entries within
4276 the included suffixes for which to use PAM pass-through authen‐
4277 tication (pamFilter)
4278
4279
4280 --id-attr ID_ATTR
4281 Contains the attribute name which is used to hold the PAM user
4282 ID (pamIDAttr)
4283
4284
4285 --id_map_method ID_MAP_METHOD
4286 Sets the method to use to map the LDAP bind DN to a PAM identity
4287 (pamIDMapMethod)
4288
4289
4290 --fallback {TRUE,FALSE}
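4291 Sets whether to fall back to regular LDAP authentication if PAM authentication fails (pamFallback).
4292 With TRUE, the password stored in the directory entry remains a usable credential for these binds.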
4293
4294
4295 --secure {TRUE,FALSE}
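4296 Requires secure TLS connection for PAM authentication (pamSecure).
4297 PAM pass-through needs the clear-text bind password, so with FALSE that password may be accepted over an unencrypted connection.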
4298
4299
4300 --service SERVICE
4301 Contains the service name to pass to PAM (pamService)
4302
4303
4305 usage: dsconf instance plugin pam-pass-through-auth config NAME set
4306 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4307 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4308 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4309 TER]
4310 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4311 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4312 SERVICE]
4313
4314
4316 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4317 Specifies a suffix to exclude from PAM authentication (pamEx‐
4318 cludeSuffix)
4319
4320
4321 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4322 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4323 fix)
4324
4325
4326 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4327 Identifies how to handle missing include or exclude suffixes
4328 (pamMissingSuffix)
4329
4330
4331 --filter FILTER
4332 Sets an LDAP filter to use to identify specific entries within
4333 the included suffixes for which to use PAM pass-through authen‐
4334 tication (pamFilter)
4335
4336
4337 --id-attr ID_ATTR
4338 Contains the attribute name which is used to hold the PAM user
4339 ID (pamIDAttr)
4340
4341
4342 --id_map_method ID_MAP_METHOD
4343 Sets the method to use to map the LDAP bind DN to a PAM identity
4344 (pamIDMapMethod)
4345
4346
4347 --fallback {TRUE,FALSE}
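4348 Sets whether to fall back to regular LDAP authentication if PAM authentication fails (pamFallback).
4349 With TRUE, the password stored in the directory entry remains a usable credential for these binds.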
4350
4351
4352 --secure {TRUE,FALSE}
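4353 Requires secure TLS connection for PAM authentication (pamSecure).
4354 PAM pass-through needs the clear-text bind password, so with FALSE that password may be accepted over an unencrypted connection.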
4355
4356
4357 --service SERVICE
4358 Contains the service name to pass to PAM (pamService)
4359
4360
4362 usage: dsconf instance plugin pam-pass-through-auth config NAME show
4363 [-h]
4364
4365
4367 usage: dsconf instance plugin pam-pass-through-auth config NAME delete
4368 [-h]
4369
4370
4372 usage: dsconf instance plugin retro-changelog [-h]
4373 {show,enable,disable,sta‐
4374 tus,set,add,del}
4375 ...
4376
4377
4379 dsconf plugin retro-changelog show
4380 Displays the plugin configuration
4381
4382 dsconf plugin retro-changelog enable
4383 Enables the plugin
4384
4385 dsconf plugin retro-changelog disable
4386 Disables the plugin
4387
4388 dsconf plugin retro-changelog status
4389 Displays the plugin status
4390
4391 dsconf plugin retro-changelog set
4392 Edit the plugin
4393
4394 dsconf plugin retro-changelog add
4395 Add attributes to the plugin
4396
4397 dsconf plugin retro-changelog del
4398 Delete an attribute from plugin scope
4399
4400
4402 usage: dsconf instance plugin retro-changelog show [-h]
4403
4404
4406 usage: dsconf instance plugin retro-changelog enable [-h]
4407
4408
4410 usage: dsconf instance plugin retro-changelog disable [-h]
4411
4412
4414 usage: dsconf instance plugin retro-changelog status [-h]
4415
4416
4418 usage: dsconf instance plugin retro-changelog set [-h]
4419 [--is-replicated
4420 {TRUE,FALSE}]
4421 [--attribute ATTRI‐
4422 BUTE]
4423 [--directory DIREC‐
4424 TORY]
4425 [--max-age MAX_AGE]
4426 [--trim-interval
4427 TRIM_INTERVAL]
4428 [--exclude-suffix
4429 [EXCLUDE_SUFFIX ...]]
4430 [--exclude-attrs [EX‐
4431 CLUDE_ATTRS ...]]
4432
4433
4435 --is-replicated {TRUE,FALSE}
4436 Sets a flag to indicate on a change in the changelog whether the
4437 change is newly made on that server or whether it was replicated
4438 over from another server (isReplicated)
4439
4440
4441 --attribute ATTRIBUTE
4442 Specifies another Directory Server attribute which must be in‐
4443 cluded in the retro changelog entries (nsslapd-attribute)
4444
4445
4446 --directory DIRECTORY
4447 Specifies the name of the directory in which the changelog data‐
4448 base is created the first time the plug-in is run
4449
4450
4451 --max-age MAX_AGE
4452 Specifies the maximum age of any entry in the changelog. Used to
4453 trim the changelog (nsslapd-changelogmaxage)
4454
4455
4456 --trim-interval TRIM_INTERVAL
4457
4458
4459 --exclude-suffix [EXCLUDE_SUFFIX ...]
4460 Specifies the suffix which will be excluded from the scope of
4461 the plugin (nsslapd-exclude-suffix)
4462
4463
4464 --exclude-attrs [EXCLUDE_ATTRS ...]
4465 Specifies the attributes which will be excluded from the scope
4466 of the plugin (nsslapd-exclude-attrs)
4467
4468
4470 usage: dsconf instance plugin retro-changelog add [-h]
4471 [--is-replicated
4472 {TRUE,FALSE}]
4473 [--attribute ATTRI‐
4474 BUTE]
4475 [--directory DIREC‐
4476 TORY]
4477 [--max-age MAX_AGE]
4478 [--trim-interval
4479 TRIM_INTERVAL]
4480 [--exclude-suffix
4481 [EXCLUDE_SUFFIX ...]]
4482 [--exclude-attrs [EX‐
4483 CLUDE_ATTRS ...]]
4484
4485
4487 --is-replicated {TRUE,FALSE}
4488 Sets a flag to indicate on a change in the changelog whether the
4489 change is newly made on that server or whether it was replicated
4490 over from another server (isReplicated)
4491
4492
4493 --attribute ATTRIBUTE
4494 Specifies another Directory Server attribute which must be in‐
4495 cluded in the retro changelog entries (nsslapd-attribute)
4496
4497
4498 --directory DIRECTORY
4499 Specifies the name of the directory in which the changelog data‐
4500 base is created the first time the plug-in is run
4501
4502
4503 --max-age MAX_AGE
4504 Specifies the maximum age of any entry in the changelog. Used to
4505 trim the changelog (nsslapd-changelogmaxage)
4506
4507
4508 --trim-interval TRIM_INTERVAL
4509
4510
4511 --exclude-suffix [EXCLUDE_SUFFIX ...]
4512 Specifies the suffix which will be excluded from the scope of
4513 the plugin (nsslapd-exclude-suffix)
4514
4515
4516 --exclude-attrs [EXCLUDE_ATTRS ...]
4517 Specifies the attributes which will be excluded from the scope
4518 of the plugin (nsslapd-exclude-attrs)
4519
4520
4522 usage: dsconf instance plugin retro-changelog del [-h]
4523 [--is-replicated
4524 {TRUE,FALSE}]
4525 [--attribute ATTRI‐
4526 BUTE]
4527 [--directory DIREC‐
4528 TORY]
4529 [--max-age MAX_AGE]
4530 [--trim-interval
4531 TRIM_INTERVAL]
4532 [--exclude-suffix
4533 [EXCLUDE_SUFFIX ...]]
4534 [--exclude-attrs [EX‐
4535 CLUDE_ATTRS ...]]
4536
4537
4539 --is-replicated {TRUE,FALSE}
4540 Sets a flag to indicate on a change in the changelog whether the
4541 change is newly made on that server or whether it was replicated
4542 over from another server (isReplicated)
4543
4544
4545 --attribute ATTRIBUTE
4546 Specifies another Directory Server attribute which must be in‐
4547 cluded in the retro changelog entries (nsslapd-attribute)
4548
4549
4550 --directory DIRECTORY
4551 Specifies the name of the directory in which the changelog data‐
4552 base is created the first time the plug-in is run
4553
4554
4555 --max-age MAX_AGE
4556 Specifies the maximum age of any entry in the changelog. Used to
4557 trim the changelog (nsslapd-changelogmaxage)
4558
4559
4560 --trim-interval TRIM_INTERVAL
4561
4562
4563 --exclude-suffix [EXCLUDE_SUFFIX ...]
4564 Specifies the suffix which will be excluded from the scope of
4565 the plugin (nsslapd-exclude-suffix)
4566
4567
4568 --exclude-attrs [EXCLUDE_ATTRS ...]
4569 Specifies the attributes which will be excluded from the scope
4570 of the plugin (nsslapd-exclude-attrs)
4571
4572
4574 usage: dsconf instance plugin posix-winsync [-h]
4575 {show,enable,disable,sta‐
4576 tus,set,fixup}
4577 ...
4578
4579
4581 dsconf plugin posix-winsync show
4582 Displays the plugin configuration
4583
4584 dsconf plugin posix-winsync enable
4585 Enables the plugin
4586
4587 dsconf plugin posix-winsync disable
4588 Disables the plugin
4589
4590 dsconf plugin posix-winsync status
4591 Displays the plugin status
4592
4593 dsconf plugin posix-winsync set
4594 Edit the plugin settings
4595
4596 dsconf plugin posix-winsync fixup
4597 Run the memberOf fix-up task to correct mismatched member and
4598 uniquemember values for synced users
4599
4600
4602 usage: dsconf instance plugin posix-winsync show [-h]
4603
4604
4606 usage: dsconf instance plugin posix-winsync enable [-h]
4607
4608
4610 usage: dsconf instance plugin posix-winsync disable [-h]
4611
4612
4614 usage: dsconf instance plugin posix-winsync status [-h]
4615
4616
4618 usage: dsconf instance plugin posix-winsync set [-h]
4619 [--create-memberof-task
4620 {true,false}]
4621 [--lower-case-uid
4622 {true,false}]
4623 [--map-member-uid
4624 {true,false}]
4625 [--map-nested-grouping
4626 {true,false}]
4627 [--ms-sfu-schema
4628 {true,false}]
4629
4630
4632 --create-memberof-task {true,false}
4633 Sets whether to run the memberUID fix-up task immediately after
4634 a sync run in order to update group memberships for synced users
4635 (posixWinsyncCreateMemberOfTask)
4636
4637
4638 --lower-case-uid {true,false}
4639 Sets whether to store (and, if necessary, convert) the UID value
4640 in the memberUID attribute in lower case
4641 (posixWinsyncLowerCaseUID)
4642
4643
4644 --map-member-uid {true,false}
4645 Sets whether to map the memberUID attribute in an Active Direc‐
4646 tory group to the uniqueMember attribute in a Directory Server
4647 group (posixWinsyncMapMemberUID)
4648
4649
4650 --map-nested-grouping {true,false}
4651 Sets whether nested groups are updated when memberUID attributes
4652 in an Active Directory POSIX group change
4653 (posixWinsyncMapNestedGrouping)
4654
4655
4656 --ms-sfu-schema {true,false}
4657 Sets whether to use the older Microsoft System Services for Unix 3.0
4658 (msSFU30) schema when syncing POSIX attributes from Active
4659 Directory (posixWinsyncMsSFUSchema)
4660
4661
4663 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER]
4664 [--timeout TIMEOUT]
4665 DN
4666
4667
4668 DN Set the base DN that contains entries to fix up
4669
4670
4672 -f FILTER, --filter FILTER
4673 Filter for entries to fix up. If omitted, all entries with ob‐
4674 jectclass inetuser/inetadmin/nsmemberof under the specified base
4675 will have their memberOf attribute regenerated.
4676
4677
4678 --timeout TIMEOUT
4679 Set a timeout to wait for the fixup task. Default is 120 seconds
4680
4681
4683 usage: dsconf instance plugin contentsync [-h]
4684 {show,enable,disable,sta‐
4685 tus,set,add}
4686 ...
4687
4688
4690 dsconf plugin contentsync show
4691 Displays the plugin configuration
4692
4693 dsconf plugin contentsync enable
4694 Enables the plugin
4695
4696 dsconf plugin contentsync disable
4697 Disables the plugin
4698
4699 dsconf plugin contentsync status
4700 Displays the plugin status
4701
4702 dsconf plugin contentsync set
4703 Edit the plugin settings
4704
4705 dsconf plugin contentsync add
4706 Add attributes to the plugin
4707
4708
4710 usage: dsconf instance plugin contentsync show [-h]
4711
4712
4714 usage: dsconf instance plugin contentsync enable [-h]
4715
4716
4718 usage: dsconf instance plugin contentsync disable [-h]
4719
4720
4722 usage: dsconf instance plugin contentsync status [-h]
4723
4724
4726 usage: dsconf instance plugin contentsync set [-h] [--allow-openldap
4727 {on,off}]
4728
4729
4731 --allow-openldap {on,off}
4732 Allows OpenLDAP servers to act as read-only consumers of this
4733 server via syncrepl
4734
4735
4737 usage: dsconf instance plugin contentsync add [-h] [--allow-openldap
4738 {on,off}]
4739
4740
4742 --allow-openldap {on,off}
4743 Allows OpenLDAP servers to act as read-only consumers of this
4744 server via syncrepl
4745
4746
4748 usage: dsconf instance plugin entryuuid [-h]
4749 {show,enable,disable,sta‐
4750 tus,fixup,fixup-status}
4751 ...
4752
4753
4755 dsconf plugin entryuuid show
4756 Displays the plugin configuration
4757
4758 dsconf plugin entryuuid enable
4759 Enables the plugin
4760
4761 dsconf plugin entryuuid disable
4762 Disables the plugin
4763
4764 dsconf plugin entryuuid status
4765 Displays the plugin status
4766
4767 dsconf plugin entryuuid fixup
4768 Run the fix-up task for EntryUUID plugin
4769
4770 dsconf plugin entryuuid fixup-status
4771 Check the status of a fix-up task
4772
4773
4775 usage: dsconf instance plugin entryuuid show [-h]
4776
4777
4779 usage: dsconf instance plugin entryuuid enable [-h]
4780
4781
4783 usage: dsconf instance plugin entryuuid disable [-h]
4784
4785
4787 usage: dsconf instance plugin entryuuid status [-h]
4788
4789
4791 usage: dsconf instance plugin entryuuid fixup [-h] [-f FILTER] [--wait]
4792 [--timeout TIMEOUT]
4793 DN
4794
4795
4796 DN Base DN that contains entries to fix up
4797
4798
4800 -f FILTER, --filter FILTER
4801 Filter for entries to fix up. If omitted, all entries under the base
4802 DN will have their EntryUUID attribute regenerated if not
4803 present.
4804
4805
4806 --wait Wait for the task to finish; this could take a long time
4807
4808
4809 --timeout TIMEOUT
4810 Sets the task timeout. Default is 0 (no timeout)
4811
4812
4814 usage: dsconf instance plugin entryuuid fixup-status [-h] [--dn DN]
4815 [--show-log]
4816 [--watch]
4817
4818
4820 --dn DN
4821 The task entry's DN
4822
4823
4824 --show-log
4825 Display the task log
4826
4827
4828 --watch
4829 Watch the task's status and wait for it to finish
4830
4831
4833 usage: dsconf instance plugin list [-h]
4834
4835
4837 usage: dsconf instance plugin show [-h] [selector]
4838
4839
4840 selector
4841 The plugin to search for
4842
4843
4845 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4846 {on,off}]
4847 [--path PATH] [--initfunc INITFUNC]
4848 [--id ID] [--vendor VENDOR]
4849 [--version VERSION]
4850 [--description DESCRIPTION]
4851 [--depends-on-type DEPENDS_ON_TYPE]
4852 [--depends-on-named DEPENDS_ON_NAMED]
4853 [--precedence PRECEDENCE]
4854 [selector]
4855
4856
4857 selector
4858 The plugin to edit
4859
4860
4862 --type TYPE
4863 The type of plugin.
4864
4865
4866 --enabled {on,off}
4867 Identifies whether or not the plugin is enabled.
4868
4869
4870 --path PATH
4871 The plugin library name (without the library suffix). The server loads this library into its own process.
4872
4873
4874 --initfunc INITFUNC
4875 An initialization function of the plugin.
4876
4877
4878 --id ID
4879 The plugin ID.
4880
4881
4882 --vendor VENDOR
4883 The vendor of plugin.
4884
4885
4886 --version VERSION
4887 The version of plugin.
4888
4889
4890 --description DESCRIPTION
4891 The description of the plugin.
4892
4893
4894 --depends-on-type DEPENDS_ON_TYPE
4895 All plug-ins with a type value which matches one of the values
4896 in the following valid range will be started by the server prior
4897 to this plug-in.
4898
4899
4900 --depends-on-named DEPENDS_ON_NAMED
4901 The plug-in name matching one of the following values will be
4902 started by the server prior to this plug-in
4903
4904
4905 --precedence PRECEDENCE
4906 The priority it has in the execution order of plug-ins
4907
4908
4910 usage: dsconf instance pwpolicy [-h] {get,set,list-schemes} ...
4911
4912
4914 dsconf pwpolicy get
4915 Get the global password policy entry
4916
4917 dsconf pwpolicy set
4918 Set an attribute in a global password policy
4919
4920 dsconf pwpolicy list-schemes
4921 Get a list of the current password storage schemes
4922
4923
4925 usage: dsconf instance pwpolicy get [-h]
4926
4927
4929 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4930 [--pwdchange PWDCHANGE]
4931 [--pwdmustchange PWDMUSTCHANGE]
4932 [--pwdhistory PWDHISTORY]
4933 [--pwdhistorycount PWDHISTORYCOUNT]
4934 [--pwdadmin PWDADMIN]
4935 [--pwdadminskipupdates PWDADMIN‐
4936 SKIPUPDATES]
4937 [--pwdtrack PWDTRACK]
4938 [--pwdwarning PWDWARNING]
4939 [--pwdexpire PWDEXPIRE]
4940 [--pwdmaxage PWDMAXAGE]
4941 [--pwdminage PWDMINAGE]
4942 [--pwdgracelimit PWDGRACELIMIT]
4943 [--pwdsendexpiring PWDSENDEXPIRING]
4944 [--pwdlockout PWDLOCKOUT]
4945 [--pwdunlock PWDUNLOCK]
4946 [--pwdlockoutduration PWDLOCKOUTDU‐
4947 RATION]
4948 [--pwdmaxfailures PWDMAXFAILURES]
4949 [--pwdresetfailcount PWDRESETFAIL‐
4950 COUNT]
4951 [--pwdchecksyntax PWDCHECKSYNTAX]
4952 [--pwdminlen PWDMINLEN]
4953 [--pwdmindigits PWDMINDIGITS]
4954 [--pwdminalphas PWDMINALPHAS]
4955 [--pwdminuppers PWDMINUPPERS]
4956 [--pwdminlowers PWDMINLOWERS]
4957 [--pwdminspecials PWDMINSPECIALS]
4958 [--pwdmin8bits PWDMIN8BITS]
4959 [--pwdmaxrepeats PWDMAXREPEATS]
4960 [--pwdpalindrome PWDPALINDROME]
4961 [--pwdmaxseq PWDMAXSEQ]
4962 [--pwdmaxseqsets PWDMAXSEQSETS]
4963 [--pwdmaxclasschars PWDMAXCLASS‐
4964 CHARS]
4965 [--pwdmincatagories PWDMIN‐
4966 CATAGORIES]
4967 [--pwdmintokenlen PWDMINTOKENLEN]
4968 [--pwdbadwords PWDBADWORDS]
4969 [--pwduserattrs PWDUSERATTRS]
4970 [--pwddictcheck PWDDICTCHECK]
4971 [--pwddictpath PWDDICTPATH]
4972 [--pwptprmaxuse PWPTPRMAXUSE]
4973 [--pwptprdelayexpireat PWPTPRDELAY‐
4974 EXPIREAT]
4975 [--pwptprdelayvalidfrom PWPTPRDE‐
4976 LAYVALIDFROM]
4977 [--pwdlocal PWDLOCAL]
4978 [--pwdisglobal PWDISGLOBAL]
4979 [--pwdallowhash PWDALLOWHASH]
4980 [--pwpinheritglobal PWPINHERIT‐
4981 GLOBAL]
4982
4983
4985 --pwdscheme PWDSCHEME
4986 The password storage scheme
4987
4988
4989 --pwdchange PWDCHANGE
4990 Allow users to change their passwords
4991
4992
4993 --pwdmustchange PWDMUSTCHANGE
4994 Users must change their password after it was reset by an admin‐
4995 istrator
4996
4997
4998 --pwdhistory PWDHISTORY
4999 To enable password history set this to "on", otherwise "off"
5000
5001
5002 --pwdhistorycount PWDHISTORYCOUNT
5003 The number of passwords to keep in history
5004
5005
5006 --pwdadmin PWDADMIN
5007 The DN of an entry or a group of accounts that can bypass
5008 password policy constraints
5009
5010
5011 --pwdadminskipupdates PWDADMINSKIPUPDATES
5012 Set to "on" if the Password Admin's password update should not
5013 trigger updates to the password state attributes (passwordExpi‐
5014 rationtime, passwordHistory, etc).
5015
5016
5017 --pwdtrack PWDTRACK
5018 Set to "on" to track the time the password was last changed
5019
5020
5021 --pwdwarning PWDWARNING
5022 Send an expiring warning if password expires within this time
5023 (in seconds)
5024
5025
5026 --pwdexpire PWDEXPIRE
5027 Set to "on" to enable password expiration
5028
5029
5030 --pwdmaxage PWDMAXAGE
5031 The password expiration time in seconds
5032
5033
5034 --pwdminage PWDMINAGE
5035 The number of seconds that must pass before a user can change
5036 their password
5037
5038
5039 --pwdgracelimit PWDGRACELIMIT
5040 The number of allowed logins after the password has expired
5041
5042
5043 --pwdsendexpiring PWDSENDEXPIRING
5044 Set to "on" to always send the expiring control regardless of
5045 the warning period
5046
5047
5048 --pwdlockout PWDLOCKOUT
5049 Set to "on" to enable account lockout
5050
5051
5052 --pwdunlock PWDUNLOCK
5053 Set to "on" to allow an account to become unlocked after the
5054 lockout duration
5055
5056
5057 --pwdlockoutduration PWDLOCKOUTDURATION
5058 The number of seconds an account stays locked out
5059
5060
5061 --pwdmaxfailures PWDMAXFAILURES
5062 The maximum number of allowed failed password attempts before
5063 the account gets locked
5064
5065
5066 --pwdresetfailcount PWDRESETFAILCOUNT
5067 The number of seconds to wait before reducing the failed login
5068 count on an account
5069
5070
5071 --pwdchecksyntax PWDCHECKSYNTAX
5072 Set to "on" to enable password syntax checking
5073
5074
5075 --pwdminlen PWDMINLEN
5076 The minimum number of characters required in a password
5077
5078
5079 --pwdmindigits PWDMINDIGITS
5080 The minimum number of digit/number characters in a password
5081
5082
5083 --pwdminalphas PWDMINALPHAS
5084 The minimum number of alpha characters required in a password
5085
5086
5087 --pwdminuppers PWDMINUPPERS
5088 The minimum number of uppercase characters required in a pass‐
5089 word
5090
5091
5092 --pwdminlowers PWDMINLOWERS
5093 The minimum number of lowercase characters required in a pass‐
5094 word
5095
5096
5097 --pwdminspecials PWDMINSPECIALS
5098 The minimum number of special characters required in a password
5099
5100
5101 --pwdmin8bits PWDMIN8BITS
5102 The minimum number of 8-bit characters required in a password
5103
5104
5105 --pwdmaxrepeats PWDMAXREPEATS
5106 The maximum number of times the same character can appear se‐
5107 quentially in the password
5108
5109
5110 --pwdpalindrome PWDPALINDROME
5111 Set to "on" to reject passwords that are palindromes
5112
5113
5114 --pwdmaxseq PWDMAXSEQ
5115 The maximum number of allowed monotonic character sequences in a
5116 password
5117
5118
5119 --pwdmaxseqsets PWDMAXSEQSETS
5120 The maximum number of allowed monotonic character sequences that
5121 can be duplicated in a password
5122
5123
5124 --pwdmaxclasschars PWDMAXCLASSCHARS
5125 The maximum number of sequential characters from the same char‐
5126 acter class that is allowed in a password
5127
5128
5129 --pwdmincatagories PWDMINCATAGORIES
5130 The minimum number of syntax category checks
5131
5132
5133 --pwdmintokenlen PWDMINTOKENLEN
5134 Sets the smallest attribute value length that is used for triv‐
5135 ial/user words checking. This also impacts "--pwduserattrs"
5136
5137
5138 --pwdbadwords PWDBADWORDS
5139 A space-separated list of words that can not be in a password
5140
5141
5142 --pwduserattrs PWDUSERATTRS
5143 A space-separated list of attributes whose values can not appear
5144 in the password (See "--pwdmintokenlen")
5145
5146
5147 --pwddictcheck PWDDICTCHECK
5148 Set to "on" to enforce CrackLib dictionary checking
5149
5150
5151 --pwddictpath PWDDICTPATH
5152 Filesystem path to specific/custom CrackLib dictionary files
5153
5154
5155 --pwptprmaxuse PWPTPRMAXUSE
5156 Number of times a reset password can be used for authentication
5157
5158
5159 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5160 Number of seconds after which a reset password expires
5161
5162
5163 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5164 Number of seconds to wait before a reset password can be used to
5165 authenticate
5166
5167
5168 --pwdlocal PWDLOCAL
5169 Set to "on" to enable fine-grained (subtree/user-level) password
5170 policies
5171
5172
5173 --pwdisglobal PWDISGLOBAL
5174 Set to "on" to enable password policy state attributes to be
5175 replicated
5176
5177
5178 --pwdallowhash PWDALLOWHASH
5179 Set to "on" to allow adding prehashed passwords; the server cannot apply password syntax checks to a value that arrives already hashed
5180
5181
5182 --pwpinheritglobal PWPINHERITGLOBAL
5183 Set to "on" to allow local policies to inherit the global policy
5184
5185
5187 usage: dsconf instance pwpolicy list-schemes [-h]
5188
5189
5191 usage: dsconf instance localpwp [-h]
5192 {list,get,set,remove,adduser,addsub‐
5193 tree} ...
5194
5195
5197 dsconf localpwp list
5198 List all the local password policies
5199
5200 dsconf localpwp get
5201 Get local password policy entry
5202
5203 dsconf localpwp set
5204 Set an attribute in a local password policy
5205
5206 dsconf localpwp remove
5207 Remove a local password policy
5208
5209 dsconf localpwp adduser
5210 Add new user password policy
5211
5212 dsconf localpwp addsubtree
5213 Add new subtree password policy
5214
5215
5217 usage: dsconf instance localpwp list [-h] [DN]
5218
5219
5220 DN Suffix to search for local password policies
5221
5222
5224 usage: dsconf instance localpwp get [-h] DN
5225
5226
5227 DN Get the local policy for this entry DN
5228
5229
5231 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
5232 [--pwdchange PWDCHANGE]
5233 [--pwdmustchange PWDMUSTCHANGE]
5234 [--pwdhistory PWDHISTORY]
5235 [--pwdhistorycount PWDHISTORYCOUNT]
5236 [--pwdadmin PWDADMIN]
5237 [--pwdadminskipupdates PWDADMIN‐
5238 SKIPUPDATES]
5239 [--pwdtrack PWDTRACK]
5240 [--pwdwarning PWDWARNING]
5241 [--pwdexpire PWDEXPIRE]
5242 [--pwdmaxage PWDMAXAGE]
5243 [--pwdminage PWDMINAGE]
5244 [--pwdgracelimit PWDGRACELIMIT]
5245 [--pwdsendexpiring PWDSENDEXPIRING]
5246 [--pwdlockout PWDLOCKOUT]
5247 [--pwdunlock PWDUNLOCK]
5248 [--pwdlockoutduration PWDLOCKOUTDU‐
5249 RATION]
5250 [--pwdmaxfailures PWDMAXFAILURES]
5251 [--pwdresetfailcount PWDRESETFAIL‐
5252 COUNT]
5253 [--pwdchecksyntax PWDCHECKSYNTAX]
5254 [--pwdminlen PWDMINLEN]
5255 [--pwdmindigits PWDMINDIGITS]
5256 [--pwdminalphas PWDMINALPHAS]
5257 [--pwdminuppers PWDMINUPPERS]
5258 [--pwdminlowers PWDMINLOWERS]
5259 [--pwdminspecials PWDMINSPECIALS]
5260 [--pwdmin8bits PWDMIN8BITS]
5261 [--pwdmaxrepeats PWDMAXREPEATS]
5262 [--pwdpalindrome PWDPALINDROME]
5263 [--pwdmaxseq PWDMAXSEQ]
5264 [--pwdmaxseqsets PWDMAXSEQSETS]
5265 [--pwdmaxclasschars PWDMAXCLASS‐
5266 CHARS]
5267 [--pwdmincatagories PWDMIN‐
5268 CATAGORIES]
5269 [--pwdmintokenlen PWDMINTOKENLEN]
5270 [--pwdbadwords PWDBADWORDS]
5271 [--pwduserattrs PWDUSERATTRS]
5272 [--pwddictcheck PWDDICTCHECK]
5273 [--pwddictpath PWDDICTPATH]
5274 [--pwptprmaxuse PWPTPRMAXUSE]
5275 [--pwptprdelayexpireat PWPTPRDELAY‐
5276 EXPIREAT]
5277 [--pwptprdelayvalidfrom PWPTPRDE‐
5278 LAYVALIDFROM]
5279 DN
5280
5281
5282 DN Set the local policy for this entry DN
5283
5284
5286 --pwdscheme PWDSCHEME
5287 The password storage scheme
5288
5289
5290 --pwdchange PWDCHANGE
5291 Allow users to change their passwords
5292
5293
5294 --pwdmustchange PWDMUSTCHANGE
5295 Users must change their password after it was reset by an admin‐
5296 istrator
5297
5298
5299 --pwdhistory PWDHISTORY
5300 To enable password history set this to "on", otherwise "off"
5301
5302
5303 --pwdhistorycount PWDHISTORYCOUNT
5304 The number of passwords to keep in history
5305
5306
5307 --pwdadmin PWDADMIN
5308 The DN of an entry or a group of accounts that can bypass pass‐
5309 word policy constraints
5310
5311
5312 --pwdadminskipupdates PWDADMINSKIPUPDATES
5313 Set to "on" if the Password Admin's password update should not
5314 trigger updates to the password state attributes (passwordExpi‐
5315 rationtime, passwordHistory, etc).
5316
5317
5318 --pwdtrack PWDTRACK
5319 Set to "on" to track the time the password was last changed
5320
5321
5322 --pwdwarning PWDWARNING
5323 Send an expiring warning if password expires within this time
5324 (in seconds)
5325
5326
5327 --pwdexpire PWDEXPIRE
5328 Set to "on" to enable password expiration
5329
5330
5331 --pwdmaxage PWDMAXAGE
5332 The password expiration time in seconds
5333
5334
5335 --pwdminage PWDMINAGE
5336 The number of seconds that must pass before a user can change
5337 their password
5338
5339
5340 --pwdgracelimit PWDGRACELIMIT
5341 The number of allowed logins after the password has expired
5342
5343
5344 --pwdsendexpiring PWDSENDEXPIRING
5345 Set to "on" to always send the expiring control regardless of
5346 the warning period
5347
5348
5349 --pwdlockout PWDLOCKOUT
5350 Set to "on" to enable account lockout
5351
5352
5353 --pwdunlock PWDUNLOCK
5354 Set to "on" to allow an account to become unlocked after the
5355 lockout duration
5356
5357
5358 --pwdlockoutduration PWDLOCKOUTDURATION
5359 The number of seconds an account stays locked out
5360
5361
5362 --pwdmaxfailures PWDMAXFAILURES
5363 The maximum number of allowed failed password attempts before
5364 the account gets locked
5365
5366
5367 --pwdresetfailcount PWDRESETFAILCOUNT
5368 The number of seconds to wait before reducing the failed login
5369 count on an account
5370
5371
5372 --pwdchecksyntax PWDCHECKSYNTAX
5373 Set to "on" to enable password syntax checking
5374
5375
5376 --pwdminlen PWDMINLEN
5377 The minimum number of characters required in a password
5378
5379
5380 --pwdmindigits PWDMINDIGITS
5381 The minimum number of digit/number characters in a password
5382
5383
5384 --pwdminalphas PWDMINALPHAS
5385 The minimum number of alpha characters required in a password
5386
5387
5388 --pwdminuppers PWDMINUPPERS
5389 The minimum number of uppercase characters required in a pass‐
5390 word
5391
5392
5393 --pwdminlowers PWDMINLOWERS
5394 The minimum number of lowercase characters required in a pass‐
5395 word
5396
5397
5398 --pwdminspecials PWDMINSPECIALS
5399 The minimum number of special characters required in a password
5400
5401
5402 --pwdmin8bits PWDMIN8BITS
5403 The minimum number of 8-bit characters required in a password
5404
5405
5406 --pwdmaxrepeats PWDMAXREPEATS
5407 The maximum number of times the same character can appear se‐
5408 quentially in the password
5409
5410
5411 --pwdpalindrome PWDPALINDROME
5412 Set to "on" to reject passwords that are palindromes
5413
5414
5415 --pwdmaxseq PWDMAXSEQ
5416 The maximum number of allowed monotonic character sequences in a
5417 password
5418
5419
5420 --pwdmaxseqsets PWDMAXSEQSETS
5421 The maximum number of allowed monotonic character sequences that
5422 can be duplicated in a password
5423
5424
5425 --pwdmaxclasschars PWDMAXCLASSCHARS
5426 The maximum number of sequential characters from the same char‐
5427 acter class that is allowed in a password
5428
5429
5430 --pwdmincatagories PWDMINCATAGORIES
5431 The minimum number of syntax category checks
5432
5433
5434 --pwdmintokenlen PWDMINTOKENLEN
5435 Sets the smallest attribute value length that is used for triv‐
5436 ial/user words checking. This also impacts "--pwduserattrs"
5437
5438
5439 --pwdbadwords PWDBADWORDS
5440 A space-separated list of words that can not be in a password
5441
5442
5443 --pwduserattrs PWDUSERATTRS
5444 A space-separated list of attributes whose values can not appear
5445 in the password (See "--pwdmintokenlen")
5446
5447
5448 --pwddictcheck PWDDICTCHECK
5449 Set to "on" to enforce CrackLib dictionary checking
5450
5451
5452 --pwddictpath PWDDICTPATH
5453 Filesystem path to specific/custom CrackLib dictionary files
5454
5455
5456 --pwptprmaxuse PWPTPRMAXUSE
5457 Number of times a reset password can be used for authentication
5458
5459
5460 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5461 Number of seconds after which a reset password expires
5462
5463
5464 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5465 Number of seconds to wait before using a reset password to au‐
5466 thenticate
5467
5468
5470 usage: dsconf instance localpwp remove [-h] DN
5471
5472
5473 DN Remove local policy for this entry DN
5474
5475
5477 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5478 [--pwdchange PWDCHANGE]
5479 [--pwdmustchange PWDMUSTCHANGE]
5480 [--pwdhistory PWDHISTORY]
5481 [--pwdhistorycount PWDHISTO‐
5482 RYCOUNT]
5483 [--pwdadmin PWDADMIN]
5484 [--pwdadminskipupdates PWDAD‐
5485 MINSKIPUPDATES]
5486 [--pwdtrack PWDTRACK]
5487 [--pwdwarning PWDWARNING]
5488 [--pwdexpire PWDEXPIRE]
5489 [--pwdmaxage PWDMAXAGE]
5490 [--pwdminage PWDMINAGE]
5491 [--pwdgracelimit PWDGRACELIMIT]
5492 [--pwdsendexpiring PWDSENDEX‐
5493 PIRING]
5494 [--pwdlockout PWDLOCKOUT]
5495 [--pwdunlock PWDUNLOCK]
5496 [--pwdlockoutduration PWDLOCK‐
5497 OUTDURATION]
5498 [--pwdmaxfailures PWDMAXFAIL‐
5499 URES]
5500 [--pwdresetfailcount PWDRESET‐
5501 FAILCOUNT]
5502 [--pwdchecksyntax PWDCHECKSYN‐
5503 TAX]
5504 [--pwdminlen PWDMINLEN]
5505 [--pwdmindigits PWDMINDIGITS]
5506 [--pwdminalphas PWDMINALPHAS]
5507 [--pwdminuppers PWDMINUPPERS]
5508 [--pwdminlowers PWDMINLOWERS]
5509 [--pwdminspecials PWDMINSPE‐
5510 CIALS]
5511 [--pwdmin8bits PWDMIN8BITS]
5512 [--pwdmaxrepeats PWDMAXREPEATS]
5513 [--pwdpalindrome PWDPALINDROME]
5514 [--pwdmaxseq PWDMAXSEQ]
5515 [--pwdmaxseqsets PWDMAXSEQSETS]
5516 [--pwdmaxclasschars PWDMAX‐
5517 CLASSCHARS]
5518 [--pwdmincatagories PWDMIN‐
5519 CATAGORIES]
5520 [--pwdmintokenlen PWDMINTO‐
5521 KENLEN]
5522 [--pwdbadwords PWDBADWORDS]
5523 [--pwduserattrs PWDUSERATTRS]
5524 [--pwddictcheck PWDDICTCHECK]
5525 [--pwddictpath PWDDICTPATH]
5526 [--pwptprmaxuse PWPTPRMAXUSE]
5527 [--pwptprdelayexpireat PWPT‐
5528 PRDELAYEXPIREAT]
5529 [--pwptprdelayvalidfrom PWPT‐
5530 PRDELAYVALIDFROM]
5531 DN
5532
5533
5534 DN Add/replace the local password policy for this entry DN
5535
5536
5538 --pwdscheme PWDSCHEME
5539 The password storage scheme
5540
5541
5542 --pwdchange PWDCHANGE
5543 Allow users to change their passwords
5544
5545
5546 --pwdmustchange PWDMUSTCHANGE
5547 Users must change their password after it was reset by an admin‐
5548 istrator
5549
5550
5551 --pwdhistory PWDHISTORY
5552 To enable password history set this to "on", otherwise "off"
5553
5554
5555 --pwdhistorycount PWDHISTORYCOUNT
5556 The number of passwords to keep in history
5557
5558
5559 --pwdadmin PWDADMIN
5560 The DN of an entry or a group of accounts that can bypass pass‐
5561 word policy constraints
5562
5563
5564 --pwdadminskipupdates PWDADMINSKIPUPDATES
5565 Set to "on" if the Password Admin's password update should not
5566 trigger updates to the password state attributes (passwordExpi‐
5567 rationtime, passwordHistory, etc).
5568
5569
5570 --pwdtrack PWDTRACK
5571 Set to "on" to track the time the password was last changed
5572
5573
5574 --pwdwarning PWDWARNING
5575 Send an expiring warning if password expires within this time
5576 (in seconds)
5577
5578
5579 --pwdexpire PWDEXPIRE
5580 Set to "on" to enable password expiration
5581
5582
5583 --pwdmaxage PWDMAXAGE
5584 The password expiration time in seconds
5585
5586
5587 --pwdminage PWDMINAGE
5588 The number of seconds that must pass before a user can change
5589 their password
5590
5591
5592 --pwdgracelimit PWDGRACELIMIT
5593 The number of allowed logins after the password has expired
5594
5595
5596 --pwdsendexpiring PWDSENDEXPIRING
5597 Set to "on" to always send the expiring control regardless of
5598 the warning period
5599
5600
5601 --pwdlockout PWDLOCKOUT
5602 Set to "on" to enable account lockout
5603
5604
5605 --pwdunlock PWDUNLOCK
5606 Set to "on" to allow an account to become unlocked after the
5607 lockout duration
5608
5609
5610 --pwdlockoutduration PWDLOCKOUTDURATION
5611 The number of seconds an account stays locked out
5612
5613
5614 --pwdmaxfailures PWDMAXFAILURES
5615 The maximum number of allowed failed password attempts before
5616 the account gets locked
5617
5618
5619 --pwdresetfailcount PWDRESETFAILCOUNT
5620 The number of seconds to wait before reducing the failed login
5621 count on an account
5622
5623
5624 --pwdchecksyntax PWDCHECKSYNTAX
5625 Set to "on" to enable password syntax checking
5626
5627
5628 --pwdminlen PWDMINLEN
5629 The minimum number of characters required in a password
5630
5631
5632 --pwdmindigits PWDMINDIGITS
5633 The minimum number of digit/number characters in a password
5634
5635
5636 --pwdminalphas PWDMINALPHAS
5637 The minimum number of alpha characters required in a password
5638
5639
5640 --pwdminuppers PWDMINUPPERS
5641 The minimum number of uppercase characters required in a pass‐
5642 word
5643
5644
5645 --pwdminlowers PWDMINLOWERS
5646 The minimum number of lowercase characters required in a pass‐
5647 word
5648
5649
5650 --pwdminspecials PWDMINSPECIALS
5651 The minimum number of special characters required in a password
5652
5653
5654 --pwdmin8bits PWDMIN8BITS
5655 The minimum number of 8-bit characters required in a password
5656
5657
5658 --pwdmaxrepeats PWDMAXREPEATS
5659 The maximum number of times the same character can appear se‐
5660 quentially in the password
5661
5662
5663 --pwdpalindrome PWDPALINDROME
5664 Set to "on" to reject passwords that are palindromes
5665
5666
5667 --pwdmaxseq PWDMAXSEQ
5668 The maximum number of allowed monotonic character sequences in a
5669 password
5670
5671
5672 --pwdmaxseqsets PWDMAXSEQSETS
5673 The maximum number of allowed monotonic character sequences that
5674 can be duplicated in a password
5675
5676
5677 --pwdmaxclasschars PWDMAXCLASSCHARS
5678 The maximum number of sequential characters from the same char‐
5679 acter class that is allowed in a password
5680
5681
5682 --pwdmincatagories PWDMINCATAGORIES
5683 The minimum number of syntax category checks
5684
5685
5686 --pwdmintokenlen PWDMINTOKENLEN
5687 Sets the smallest attribute value length that is used for triv‐
5688 ial/user words checking. This also impacts "--pwduserattrs"
5689
5690
5691 --pwdbadwords PWDBADWORDS
5692 A space-separated list of words that can not be in a password
5693
5694
5695 --pwduserattrs PWDUSERATTRS
5696 A space-separated list of attributes whose values can not appear
5697 in the password (See "--pwdmintokenlen")
5698
5699
5700 --pwddictcheck PWDDICTCHECK
5701 Set to "on" to enforce CrackLib dictionary checking
5702
5703
5704 --pwddictpath PWDDICTPATH
5705 Filesystem path to specific/custom CrackLib dictionary files
5706
5707
5708 --pwptprmaxuse PWPTPRMAXUSE
5709 Number of times a reset password can be used for authentication
5710
5711
5712 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5713 Number of seconds after which a reset password expires
5714
5715
5716 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5717 Number of seconds to wait before using a reset password to au‐
5718 thenticate
5719
5720
5722 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5723 [--pwdchange PWDCHANGE]
5724 [--pwdmustchange PWD‐
5725 MUSTCHANGE]
5726 [--pwdhistory PWDHISTORY]
5727 [--pwdhistorycount PWDHISTO‐
5728 RYCOUNT]
5729 [--pwdadmin PWDADMIN]
5730 [--pwdadminskipupdates PW‐
5731 DADMINSKIPUPDATES]
5732 [--pwdtrack PWDTRACK]
5733 [--pwdwarning PWDWARNING]
5734 [--pwdexpire PWDEXPIRE]
5735 [--pwdmaxage PWDMAXAGE]
5736 [--pwdminage PWDMINAGE]
5737 [--pwdgracelimit PWDGRACE‐
5738 LIMIT]
5739 [--pwdsendexpiring PWDSEND‐
5740 EXPIRING]
5741 [--pwdlockout PWDLOCKOUT]
5742 [--pwdunlock PWDUNLOCK]
5743 [--pwdlockoutduration PWD‐
5744 LOCKOUTDURATION]
5745 [--pwdmaxfailures PWDMAX‐
5746 FAILURES]
5747 [--pwdresetfailcount PW‐
5748 DRESETFAILCOUNT]
5749 [--pwdchecksyntax PWD‐
5750 CHECKSYNTAX]
5751 [--pwdminlen PWDMINLEN]
5752 [--pwdmindigits PWDMINDIG‐
5753 ITS]
5754 [--pwdminalphas PWDMINAL‐
5755 PHAS]
5756 [--pwdminuppers PWDMINUP‐
5757 PERS]
5758 [--pwdminlowers PWDMINLOW‐
5759 ERS]
5760 [--pwdminspecials PWDMINSPE‐
5761 CIALS]
5762 [--pwdmin8bits PWDMIN8BITS]
5763 [--pwdmaxrepeats PWDMAXRE‐
5764 PEATS]
5765 [--pwdpalindrome PWDPALIN‐
5766 DROME]
5767 [--pwdmaxseq PWDMAXSEQ]
5768 [--pwdmaxseqsets PWDMAXSE‐
5769 QSETS]
5770 [--pwdmaxclasschars PWDMAX‐
5771 CLASSCHARS]
5772 [--pwdmincatagories PWDMIN‐
5773 CATAGORIES]
5774 [--pwdmintokenlen PWDMINTO‐
5775 KENLEN]
5776 [--pwdbadwords PWDBADWORDS]
5777 [--pwduserattrs PWDUSERAT‐
5778 TRS]
5779 [--pwddictcheck PWD‐
5780 DICTCHECK]
5781 [--pwddictpath PWDDICTPATH]
5782 [--pwptprmaxuse PWPT‐
5783 PRMAXUSE]
5784 [--pwptprdelayexpireat PWPT‐
5785 PRDELAYEXPIREAT]
5786 [--pwptprdelayvalidfrom PW‐
5787 PTPRDELAYVALIDFROM]
5788 DN
5789
5790
5791 DN Add/replace the subtree policy for this entry DN
5792
5793
5795 --pwdscheme PWDSCHEME
5796 The password storage scheme
5797
5798
5799 --pwdchange PWDCHANGE
5800 Allow users to change their passwords
5801
5802
5803 --pwdmustchange PWDMUSTCHANGE
5804 Users must change their password after it was reset by an admin‐
5805 istrator
5806
5807
5808 --pwdhistory PWDHISTORY
5809 To enable password history set this to "on", otherwise "off"
5810
5811
5812 --pwdhistorycount PWDHISTORYCOUNT
5813 The number of passwords to keep in history
5814
5815
5816 --pwdadmin PWDADMIN
5817 The DN of an entry or a group of accounts that can bypass pass‐
5818 word policy constraints
5819
5820
5821 --pwdadminskipupdates PWDADMINSKIPUPDATES
5822 Set to "on" if the Password Admin's password update should not
5823 trigger updates to the password state attributes (passwordExpi‐
5824 rationtime, passwordHistory, etc).
5825
5826
5827 --pwdtrack PWDTRACK
5828 Set to "on" to track the time the password was last changed
5829
5830
5831 --pwdwarning PWDWARNING
5832 Send an expiring warning if password expires within this time
5833 (in seconds)
5834
5835
5836 --pwdexpire PWDEXPIRE
5837 Set to "on" to enable password expiration
5838
5839
5840 --pwdmaxage PWDMAXAGE
5841 The password expiration time in seconds
5842
5843
5844 --pwdminage PWDMINAGE
5845 The number of seconds that must pass before a user can change
5846 their password
5847
5848
5849 --pwdgracelimit PWDGRACELIMIT
5850 The number of allowed logins after the password has expired
5851
5852
5853 --pwdsendexpiring PWDSENDEXPIRING
5854 Set to "on" to always send the expiring control regardless of
5855 the warning period
5856
5857
5858 --pwdlockout PWDLOCKOUT
5859 Set to "on" to enable account lockout
5860
5861
5862 --pwdunlock PWDUNLOCK
5863 Set to "on" to allow an account to become unlocked after the
5864 lockout duration
5865
5866
5867 --pwdlockoutduration PWDLOCKOUTDURATION
5868 The number of seconds an account stays locked out
5869
5870
5871 --pwdmaxfailures PWDMAXFAILURES
5872 The maximum number of allowed failed password attempts before
5873 the account gets locked
5874
5875
5876 --pwdresetfailcount PWDRESETFAILCOUNT
5877 The number of seconds to wait before reducing the failed login
5878 count on an account
5879
5880
5881 --pwdchecksyntax PWDCHECKSYNTAX
5882 Set to "on" to enable password syntax checking
5883
5884
5885 --pwdminlen PWDMINLEN
5886 The minimum number of characters required in a password
5887
5888
5889 --pwdmindigits PWDMINDIGITS
5890 The minimum number of digit/number characters in a password
5891
5892
5893 --pwdminalphas PWDMINALPHAS
5894 The minimum number of alpha characters required in a password
5895
5896
5897 --pwdminuppers PWDMINUPPERS
5898 The minimum number of uppercase characters required in a pass‐
5899 word
5900
5901
5902 --pwdminlowers PWDMINLOWERS
5903 The minimum number of lowercase characters required in a pass‐
5904 word
5905
5906
5907 --pwdminspecials PWDMINSPECIALS
5908 The minimum number of special characters required in a password
5909
5910
5911 --pwdmin8bits PWDMIN8BITS
5912 The minimum number of 8-bit characters required in a password
5913
5914
5915 --pwdmaxrepeats PWDMAXREPEATS
5916 The maximum number of times the same character can appear se‐
5917 quentially in the password
5918
5919
5920 --pwdpalindrome PWDPALINDROME
5921 Set to "on" to reject passwords that are palindromes
5922
5923
5924 --pwdmaxseq PWDMAXSEQ
5925 The maximum number of allowed monotonic character sequences in a
5926 password
5927
5928
5929 --pwdmaxseqsets PWDMAXSEQSETS
5930 The maximum number of allowed monotonic character sequences that
5931 can be duplicated in a password
5932
5933
5934 --pwdmaxclasschars PWDMAXCLASSCHARS
5935 The maximum number of sequential characters from the same char‐
5936 acter class that is allowed in a password
5937
5938
5939 --pwdmincatagories PWDMINCATAGORIES
5940 The minimum number of syntax category checks
5941
5942
5943 --pwdmintokenlen PWDMINTOKENLEN
5944 Sets the smallest attribute value length that is used for triv‐
5945 ial/user words checking. This also impacts "--pwduserattrs"
5946
5947
5948 --pwdbadwords PWDBADWORDS
5949 A space-separated list of words that can not be in a password
5950
5951
5952 --pwduserattrs PWDUSERATTRS
5953 A space-separated list of attributes whose values can not appear
5954 in the password (See "--pwdmintokenlen")
5955
5956
5957 --pwddictcheck PWDDICTCHECK
5958 Set to "on" to enforce CrackLib dictionary checking
5959
5960
5961 --pwddictpath PWDDICTPATH
5962 Filesystem path to specific/custom CrackLib dictionary files
5963
5964
5965 --pwptprmaxuse PWPTPRMAXUSE
5966 Number of times a reset password can be used for authentication
5967
5968
5969 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5970 Number of seconds after which a reset password expires
5971
5972
5973 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5974 Number of seconds to wait before using a reset password to au‐
5975 thenticate
5976
5977
5979 usage: dsconf instance replication [-h]
5980 {enable,disable,get-ruv,list,sta‐
5981 tus,winsync-status,promote,create-manager,delete-manager,de‐
5982 mote,get,set-changelog,get-changelog,export-changelog,im‐
5983 port-changelog,set,monitor}
5984 ...
5985
5986
5988 dsconf replication enable
5989 Enable replication for a suffix
5990
5991 dsconf replication disable
5992 Disable replication for a suffix
5993
5994 dsconf replication get-ruv
5995 Display the database RUV entry for a suffix
5996
5997 dsconf replication list
5998 Lists all the replicated suffixes
5999
6000 dsconf replication status
6001 Display the current status of all the replication agreements
6002
6003 dsconf replication winsync-status
6004 Display the current status of all the replication agreements
6005
6006 dsconf replication promote
6007 Promote a replica to a hub or supplier
6008
6009 dsconf replication create-manager
6010 Create a replication manager entry
6011
6012 dsconf replication delete-manager
6013 Delete a replication manager entry
6014
6015 dsconf replication demote
6016 Demote replica to a hub or consumer
6017
6018 dsconf replication get
6019 Display the replication configuration
6020
6021 dsconf replication set-changelog
6022 Set replication changelog attributes
6023
6024 dsconf replication get-changelog
6025 Display replication changelog attributes
6026
6027 dsconf replication export-changelog
6028 Export the Directory Server replication changelog to an LDIF
6029 file
6030
6031 dsconf replication import-changelog
6032 Restore/import Directory Server replication change log from an
6033 LDIF file. This is typically used when managing changelog en‐
6034 cryption
6035
6036 dsconf replication set
6037 Set an attribute in the replication configuration
6038
6039 dsconf replication monitor
6040 Display the full replication topology report
6041
6042
6044 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
6045 ROLE
6046 [--replica-id REPLICA_ID]
6047 [--bind-group-dn
6048 BIND_GROUP_DN]
6049 [--bind-dn BIND_DN]
6050 [--bind-passwd BIND_PASSWD]
6051 [--bind-passwd-file
6052 BIND_PASSWD_FILE]
6053 [--bind-passwd-prompt]
6054
6055
6057 --suffix SUFFIX
6058 Sets the DN of the suffix to be enabled for replication
6059
6060
6061 --role ROLE
6062 Sets the replication role: "supplier", "hub", or "consumer"
6063
6064
6065 --replica-id REPLICA_ID
6066 Sets the replication identifier for a "supplier". Values range
6067 from 1 - 65534
6068
6069
6070 --bind-group-dn BIND_GROUP_DN
6071 Sets a group entry DN containing members that are "bind/sup‐
6072 plier" DNs
6073
6074
6075 --bind-dn BIND_DN
6076 Sets the bind or supplier DN that can make replication updates
6077
6078
6079 --bind-passwd BIND_PASSWD
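6080 Sets the password for replication manager (--bind-dn). This will
6081 create the manager entry if a value is set. A password given on the command line can be exposed through shell history and the process list; --bind-passwd-file or --bind-passwd-prompt avoids that.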
6082
6083
6084 --bind-passwd-file BIND_PASSWD_FILE
6085 File containing the password
6086
6087
6088 --bind-passwd-prompt
6089 Prompt for password
6090
6091
6093 usage: dsconf instance replication disable [-h] --suffix SUFFIX
6094
6095
6097 --suffix SUFFIX
6098 Sets the DN of the suffix to have replication disabled
6099
6100
6102 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
6103
6104
6106 --suffix SUFFIX
6107 Sets the DN of the replicated suffix
6108
6109
6111 usage: dsconf instance replication list [-h]
6112
6113
6115 usage: dsconf instance replication status [-h] --suffix SUFFIX
6116 [--bind-dn BIND_DN]
6117 [--bind-passwd BIND_PASSWD]
6118 [--bind-passwd-file
6119 BIND_PASSWD_FILE]
6120 [--bind-passwd-prompt]
6121
6122
6124 --suffix SUFFIX
6125 Sets the DN of the replication suffix
6126
6127
6128 --bind-dn BIND_DN
6129 Sets the DN to use to authenticate to the consumer. If not set,
6130 current instance's root DN will be used. It will be used for all
6131 agreements
6132
6133
6134 --bind-passwd BIND_PASSWD
6135 Sets the password for the bind DN. It will be used for all
6136 agreements
6137
6138
6139 --bind-passwd-file BIND_PASSWD_FILE
6140 File containing the password. It will be used for all agreements
6141
6142
6143 --bind-passwd-prompt
6144 Prompt for passwords for each agreement's instance separately
6145
6146
6148 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
6149 [--bind-dn BIND_DN]
6150 [--bind-passwd
6151 BIND_PASSWD]
6152 [--bind-passwd-file
6153 BIND_PASSWD_FILE]
6154 [--bind-passwd-prompt]
6155
6156
6158 --suffix SUFFIX
6159 Sets the DN of the replication suffix
6160
6161
6162 --bind-dn BIND_DN
6163 Sets the DN to use to authenticate to the consumer. Currently
6164 not used
6165
6166
6167 --bind-passwd BIND_PASSWD
6168 Sets the password of the bind DN. Currently not used
6169
6170
6171 --bind-passwd-file BIND_PASSWD_FILE
6172 File containing the password. Currently not used
6173
6174
6175 --bind-passwd-prompt
6176 Prompt for password. Currently not used
6177
6178
6180 usage: dsconf instance replication promote [-h] --suffix SUFFIX --new‐
6181 role
6182 NEWROLE [--replica-id
6183 REPLICA_ID]
6184 [--bind-group-dn
6185 BIND_GROUP_DN]
6186 [--bind-dn BIND_DN]
6187
6188
6190 --suffix SUFFIX
6191 Sets the DN of the replication suffix to promote
6192
6193
6194 --newrole NEWROLE
6195 Sets the new replica role to "hub" or "supplier"
6196
6197
6198 --replica-id REPLICA_ID
6199 Sets the replication identifier for a "supplier". Values range
6200 from 1 - 65534
6201
6202
6203 --bind-group-dn BIND_GROUP_DN
6204 Sets a group entry DN containing members that are "bind/sup‐
6205 plier" DNs
6206
6207
6208 --bind-dn BIND_DN
6209 Sets the bind or supplier DN that can make replication updates
6210
6211
6213 usage: dsconf instance replication create-manager [-h] [--name NAME]
6214 [--passwd PASSWD]
6215 [--passwd-file
6216 PASSWD_FILE]
6217 [--bind-passwd-file
6218 BIND_PASSWD_FILE]
6219 [--suffix SUFFIX]
6220
6221
6223 --name NAME
6224 Sets the name of the new replication manager entry. For example,
6225 if the name is "replication manager" then the new manager en‐
6226 try's DN would be "cn=replication manager,cn=config".
6227
6228
6229 --passwd PASSWD
6230 Sets the password for replication manager. If not provided, you
6231 will be prompted for the password
6232
6233
6234 --passwd-file PASSWD_FILE
6235 File containing the password (kept for backward compatibility)
6236
6237
6238 --bind-passwd-file BIND_PASSWD_FILE
6239 File containing the password
6240
6241
6242 --suffix SUFFIX
6243 The DN of the replication suffix whose replication configuration
6244 you want to add this new manager to (OPTIONAL)
6245
6246
6248 usage: dsconf instance replication delete-manager [-h] [--name NAME]
6249 [--suffix SUFFIX]
6250
6251
6253 --name NAME
6254 Sets the name of the replication manager entry under cn=config:
6255 "cn=NAME,cn=config"
6256
6257
6258 --suffix SUFFIX
6259 Sets the DN of the replication suffix whose replication configu‐
6260 ration you want to remove this manager from (OPTIONAL)
6261
6262
6264 usage: dsconf instance replication demote [-h] --suffix SUFFIX --new‐
6265 role
6266 NEWROLE
6267
6268
6270 --suffix SUFFIX
6271 Sets the DN of the replication suffix
6272
6273
6274 --newrole NEWROLE
6275 Sets the new replication role to "hub" or "consumer"
6276
6277
6279 usage: dsconf instance replication get [-h] --suffix SUFFIX
6280
6281
6283 --suffix SUFFIX
6284 Sets the suffix DN for the replication configuration to display
6285
6286
6288 usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
6289 [--max-entries MAX_EN‐
6290 TRIES]
6291 [--max-age MAX_AGE]
6292 [--trim-interval
6293 TRIM_INTERVAL]
6294 [--encrypt]
6295 [--disable-encrypt]
6296
6297
6299 --suffix SUFFIX
6300 Sets the suffix that uses the changelog
6301
6302
6303 --max-entries MAX_ENTRIES
6304 Sets the maximum number of entries to get in the replication
6305 changelog
6306
6307
6308 --max-age MAX_AGE
6309 Set the maximum age of a replication changelog entry
6310
6311
6312 --trim-interval TRIM_INTERVAL
6313 Sets the interval to check if the replication changelog can be
6314 trimmed
6315
6316
6317 --encrypt
6318 Sets the replication changelog to use encryption. You must ex‐
6319 port and import the changelog after setting this.
6320
6321
6322 --disable-encrypt
6323 Sets the replication changelog to not use encryption. You must
6324 export and import the changelog after setting this.
6325
6326
6328 usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
6329
6330
6332 --suffix SUFFIX
6333 Sets the suffix that uses the changelog
6334
6335
6337 usage: dsconf instance replication export-changelog [-h] {to-ldif,de‐
6338 fault} ...
6339
6340
6342 dsconf replication export-changelog to-ldif
6343 Sets the LDIF file name. This is typically used for setting up
6344 changelog encryption
6345
6346 dsconf replication export-changelog default
6347 Export the replication changelog to the server's default LDIF
6348 directory
6349
6350
6352 usage: dsconf instance replication export-changelog to-ldif
6353 [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r
6354 REPLICA_ROOT
6355
6356
6358 -c, --csn-only
6359 Exports and interprets the CSN only. This option can be
6360 used with or without -i option. The LDIF file that is generated
6361 can not be imported and is only used for debugging purposes.
6362
6363
6364 -d, --decode
6365 Decodes the base64 values in each changelog entry. The LDIF file
6366 that is generated can not be imported and is only used for de‐
6367 bugging purposes.
6368
6369
6370 -l, --preserve-ldif-done
6371 Preserves generated LDIF "files.done" files in changelog direc‐
6372 tory.
6373
6374
6375 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
6376 Decodes changes in an LDIF file. Use this option if you already
6377 have a changelog LDIF file, but the changes in that file are en‐
6378 coded.
6379
6380
6381 -o OUTPUT_FILE, --output-file OUTPUT_FILE
6382 Sets the path name for the final result
6383
6384
6385 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6386 Specifies the replica root whose changelog you want to export
6387
6388
6390 usage: dsconf instance replication export-changelog default
6391 [-h] -r REPLICA_ROOT
6392
6393
6395 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6396 Specifies the replica root whose changelog you want to export
6397
6398
6400 usage: dsconf instance replication import-changelog [-h]
6401 {from-ldif,default}
6402 ...
6403
6404
6406 dsconf replication import-changelog from-ldif
6407 Restore/import a specific single LDIF file
6408
6409 dsconf replication import-changelog default
6410 Import the default changelog LDIF file created by the server
6411
6412
6414 usage: dsconf instance replication import-changelog from-ldif
6415 [-h] -r REPLICA_ROOT LDIF_PATH
6416
6417
6418 LDIF_PATH
6419 The path of the changelog LDIF file
6420
6421
6423 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6424 Specifies the replica root whose changelog you want to import
6425
6426
6428 usage: dsconf instance replication import-changelog default
6429 [-h] -r REPLICA_ROOT
6430
6431
6433 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6434 Specifies the replica root whose changelog you want to import
6435
6436
6438 usage: dsconf instance replication set [-h] --suffix SUFFIX
6439 [--repl-add-bind-dn
6440 REPL_ADD_BIND_DN]
6441 [--repl-del-bind-dn
6442 REPL_DEL_BIND_DN]
6443 [--repl-add-ref REPL_ADD_REF]
6444 [--repl-del-ref REPL_DEL_REF]
6445 [--repl-purge-delay
6446 REPL_PURGE_DELAY]
6447 [--repl-tombstone-purge-interval
6448 REPL_TOMBSTONE_PURGE_INTERVAL]
6449 [--repl-fast-tombstone-purging
6450 REPL_FAST_TOMBSTONE_PURGING]
6451 [--repl-bind-group
6452 REPL_BIND_GROUP]
6453 [--repl-bind-group-interval
6454 REPL_BIND_GROUP_INTERVAL]
6455 [--repl-protocol-timeout
6456 REPL_PROTOCOL_TIMEOUT]
6457 [--repl-backoff-max REPL_BACK‐
6458 OFF_MAX]
6459 [--repl-backoff-min REPL_BACK‐
6460 OFF_MIN]
6461 [--repl-release-timeout REPL_RE‐
6462 LEASE_TIMEOUT]
6463 [--repl-keepalive-update-inter‐
6464 val REPL_KEEPALIVE_UPDATE_INTERVAL]
6465
6466
6468 --suffix SUFFIX
6469 Sets the DN of the replication suffix
6470
6471
6472 --repl-add-bind-dn REPL_ADD_BIND_DN
6473 Adds a bind (supplier) DN
6474
6475
6476 --repl-del-bind-dn REPL_DEL_BIND_DN
6477 Removes a bind (supplier) DN
6478
6479
6480 --repl-add-ref REPL_ADD_REF
6481 Adds a replication referral (for consumers only)
6482
6483
6484 --repl-del-ref REPL_DEL_REF
6485 Removes a replication referral (for consumers only)
6486
6487
6488 --repl-purge-delay REPL_PURGE_DELAY
6489 Sets the replication purge delay
6490
6491
6492 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
6493 Sets the interval in seconds to check for tombstones that can be
6494 purged
6495
6496
6497 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6498 Enables or disables improving the tombstone purging performance
6499
6500
6501 --repl-bind-group REPL_BIND_GROUP
6502 Sets a group entry DN containing members that are "bind/sup‐
6503 plier" DNs
6504
6505
6506 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6507 Sets an interval in seconds to check if the bind group has been
6508 updated
6509
6510
6511 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6512 Sets a timeout in seconds on how long to wait before stopping
6513 replication when the server is under load
6514
6515
6516 --repl-backoff-max REPL_BACKOFF_MAX
6517 The maximum time in seconds a replication agreement should stay
6518 in a backoff state while waiting to acquire the consumer. De‐
6519 fault is 300 seconds
6520
6521
6522 --repl-backoff-min REPL_BACKOFF_MIN
6523 The starting time in seconds a replication agreement should stay
6524 in a backoff state while waiting to acquire the consumer. De‐
6525 fault is 3 seconds
6526
6527
6528 --repl-release-timeout REPL_RELEASE_TIMEOUT
6529 A timeout in seconds a replication supplier should send updates
6530 before it yields its replication session
6531
6532
6533 --repl-keepalive-update-interval REPL_KEEPALIVE_UPDATE_INTERVAL
6534 Interval in seconds for how often the server will apply an in‐
6535 ternal update to keep the RUV from getting stale. The default is
6536 1 hour (3600 seconds)
6537
6538
6540 usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
6541 [-a [ALIASES ...]]
6542
6543
6545 -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
6546 Sets the connection values for monitoring other topologies that
6547 are not connected. The format: 'host:port:binddn:bindpwd'. You can use
6548 regex for host and port. You can set bindpwd to * and it will be
6549 requested at runtime, or you can include the path to the
6550 password file in square brackets - [~/pwd.txt]. A literal bindpwd on the command line can be exposed through the process list and shell history, so the * or password-file form is preferable.
6551
6552
6553 -a [ALIASES ...], --aliases [ALIASES ...]
6554 Enables displaying an alias instead of host:port, if an alias is
6555 assigned to a host:port combination. The format: alias=host:port
6556
6557
6559 usage: dsconf instance repl-agmt [-h]
6560 {list,enable,disable,init,init-sta‐
6561 tus,poke,status,delete,create,set,get}
6562 ...
6563
6564
6566 dsconf repl-agmt list
6567 List all replication agreements
6568
6569 dsconf repl-agmt enable
6570 Enable replication agreement
6571
6572 dsconf repl-agmt disable
6573 Disable replication agreement
6574
6575 dsconf repl-agmt init
6576 Initialize replication agreement
6577
6578 dsconf repl-agmt init-status
6579 Check the agreement initialization status
6580
6581 dsconf repl-agmt poke
6582 Trigger replication to send updates now
6583
6584 dsconf repl-agmt status
6585 Displays the current status of the replication agreement
6586
6587 dsconf repl-agmt delete
6588 Delete replication agreement
6589
6590 dsconf repl-agmt create
6591 Create replication agreement
6592
6593 dsconf repl-agmt set
6594 Set an attribute in the replication agreement
6595
6596 dsconf repl-agmt get
6597 Get replication configuration
6598
6599
6601 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry EN‐
6602 TRY]
6603
6604
6606 --suffix SUFFIX
6607 Sets the DN of the suffix to look up replication agreements for
6608
6609
6610 --entry ENTRY
6611 Returns the entire entry for each agreement
6612
6613
6615 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6616
6617
6618 AGMT_NAME
6619 The name of the replication agreement
6620
6621
6623 --suffix SUFFIX
6624 Sets the DN of the replication suffix
6625
6626
6628 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6629
6630
6631 AGMT_NAME
6632 The name of the replication agreement
6633
6634
6636 --suffix SUFFIX
6637 Sets the DN of the replication suffix
6638
6639
6641 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6642
6643
6644 AGMT_NAME
6645 The name of the replication agreement
6646
6647
6649 --suffix SUFFIX
6650 Sets the DN of the replication suffix
6651
6652
6654 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6655 AGMT_NAME
6656
6657
6658 AGMT_NAME
6659 The name of the replication agreement
6660
6661
6663 --suffix SUFFIX
6664 Sets the DN of the replication suffix
6665
6666
6668 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6669
6670
6671 AGMT_NAME
6672 The name of the replication agreement
6673
6674
6676 --suffix SUFFIX
6677 Sets the DN of the replication suffix
6678
6679
6681 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6682 [--bind-dn BIND_DN]
6683 [--bind-passwd BIND_PASSWD]
6684 [--bind-passwd-file
6685 BIND_PASSWD_FILE]
6686 [--bind-passwd-prompt]
6687 AGMT_NAME
6688
6689
6690 AGMT_NAME
6691 The name of the replication agreement
6692
6693
6695 --suffix SUFFIX
6696 Sets the DN of the replication suffix
6697
6698
6699 --bind-dn BIND_DN
6700 Sets the DN to use to authenticate to the consumer. If not set,
6701 current instance's root DN will be used. It will be used for all
6702 agreements
6703
6704
6705 --bind-passwd BIND_PASSWD
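6706 Sets the password for the bind DN. It will be used for all
6707 agreements. A password passed on the command line can be seen in the process list and shell history; --bind-passwd-file or --bind-passwd-prompt avoids that.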
6708
6709
6710 --bind-passwd-file BIND_PASSWD_FILE
6711 File containing the password. It will be used for all agreements
6712
6713
6714 --bind-passwd-prompt
6715 Prompt for passwords for each agreement's instance separately
6716
6717
6719 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6720
6721
6722 AGMT_NAME
6723 The name of the replication agreement
6724
6725
6727 --suffix SUFFIX
6728 Sets the DN of the replication suffix
6729
6730
6732 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host
6733 HOST
6734 --port PORT --conn-protocol
6735 CONN_PROTOCOL [--bind-dn
6736 BIND_DN]
6737 [--bind-passwd BIND_PASSWD]
6738 [--bind-passwd-file
6739 BIND_PASSWD_FILE]
6740 [--bind-passwd-prompt]
6741 --bind-method
6742 BIND_METHOD [--frac-list
6743 FRAC_LIST]
6744 [--frac-list-total
6745 FRAC_LIST_TOTAL]
6746 [--strip-list STRIP_LIST]
6747 [--schedule SCHEDULE]
6748 [--conn-timeout CONN_TIMEOUT]
6749 [--protocol-timeout PROTO‐
6750 COL_TIMEOUT]
6751 [--wait-async-results
6752 WAIT_ASYNC_RESULTS]
6753 [--busy-wait-time
6754 BUSY_WAIT_TIME]
6755 [--session-pause-time SES‐
6756 SION_PAUSE_TIME]
6757 [--flow-control-window
6758 FLOW_CONTROL_WINDOW]
6759 [--flow-control-pause FLOW_CON‐
6760 TROL_PAUSE]
6761 [--bootstrap-bind-dn BOOT‐
6762 STRAP_BIND_DN]
6763 [--bootstrap-bind-passwd BOOT‐
6764 STRAP_BIND_PASSWD]
6765 [--bootstrap-bind-passwd-file
6766 BOOTSTRAP_BIND_PASSWD_FILE]
6767 [--boot‐
6768 strap-bind-passwd-prompt]
6769 [--bootstrap-conn-protocol
6770 BOOTSTRAP_CONN_PROTOCOL]
6771 [--bootstrap-bind-method BOOT‐
6772 STRAP_BIND_METHOD]
6773 [--init]
6774 AGMT_NAME
6775
6776
6777 AGMT_NAME
6778 The name of the replication agreement
6779
6780
6782 --suffix SUFFIX
6783 Sets the DN of the replication suffix
6784
6785
6786 --host HOST
6787 Sets the hostname of the remote replica
6788
6789
6790 --port PORT
6791 Sets the port number of the remote replica
6792
6793
6794 --conn-protocol CONN_PROTOCOL
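6795 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6796 TLS. LDAP is unencrypted, so a SIMPLE bind over it sends the bind password in clear text; LDAPS or StartTLS encrypts the connection.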
6797
6798
6799 --bind-dn BIND_DN
6800 Sets the bind DN the agreement uses to authenticate to the
6801 replica
6802
6803
6804 --bind-passwd BIND_PASSWD
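6805 Sets the credentials for the bind DN. A password passed on the command line can be seen in the process list and shell history; --bind-passwd-file or --bind-passwd-prompt avoids that.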
6806
6807
6808 --bind-passwd-file BIND_PASSWD_FILE
6809 File containing the password
6810
6811
6812 --bind-passwd-prompt
6813 Prompt for password
6814
6815
6816 --bind-method BIND_METHOD
6817 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6818 or "SASL/GSSAPI"
6819
6820
6821 --frac-list FRAC_LIST
6822 Sets the list of attributes to NOT replicate to the consumer
6823 during incremental updates
6824
6825
6826 --frac-list-total FRAC_LIST_TOTAL
6827 Sets the list of attributes to NOT replicate during a total ini‐
6828 tialization
6829
6830
6831 --strip-list STRIP_LIST
6832 Sets a list of attributes that are removed from updates only if
6833 the event would otherwise be empty. Typically this is set to
6834 "modifiersname" and "modifytimestamp"
6835
6836
6837 --schedule SCHEDULE
6838 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6839 0-6 (Sunday - Saturday).
6840
6841
6842 --conn-timeout CONN_TIMEOUT
6843 Sets the timeout used for replication connections
6844
6845
6846 --protocol-timeout PROTOCOL_TIMEOUT
6847 Sets a timeout in seconds on how long to wait before stopping
6848 replication when the server is under load
6849
6850
6851 --wait-async-results WAIT_ASYNC_RESULTS
6852 Sets the amount of time in milliseconds the server waits if the
6853 consumer is not ready before resending data
6854
6855
6856 --busy-wait-time BUSY_WAIT_TIME
6857 Sets the amount of time in seconds a supplier should wait after
6858 a consumer sends back a busy response before making another at‐
6859 tempt to acquire access.
6860
6861
6862 --session-pause-time SESSION_PAUSE_TIME
6863 Sets the amount of time in seconds a supplier should wait be‐
6864 tween update sessions.
6865
6866
6867 --flow-control-window FLOW_CONTROL_WINDOW
6868 Sets the maximum number of entries and updates sent by a sup‐
6869 plier, which are not acknowledged by the consumer.
6870
6871
6872 --flow-control-pause FLOW_CONTROL_PAUSE
6873 Sets the time in milliseconds to pause after reaching the number
6874 of entries and updates set in "--flow-control-window"
6875
6876
6877 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6878 Sets an optional bind DN the agreement can use to bootstrap ini‐
6879 tialization when bind groups are being used
6880
6881
6882 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
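6883 Sets the bootstrap credentials for the bind DN. A password passed on the command line can be seen in the process list and shell history; --bootstrap-bind-passwd-file or --bootstrap-bind-passwd-prompt avoids that.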
6884
6885
6886 --bootstrap-bind-passwd-file BOOTSTRAP_BIND_PASSWD_FILE
6887 File containing the password
6888
6889
6890 --bootstrap-bind-passwd-prompt
6891 Prompt for password
6892
6893
6894 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6895 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6896 or StartTLS
6897
6898
6899 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6900 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6901
6902
6903 --init Initializes the agreement after creating it
6904
6905
6907 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6908 [--port PORT]
6909 [--conn-protocol CONN_PROTOCOL]
6910 [--bind-dn BIND_DN]
6911 [--bind-passwd BIND_PASSWD]
6912 [--bind-passwd-file
6913 BIND_PASSWD_FILE]
6914 [--bind-passwd-prompt]
6915 [--bind-method BIND_METHOD]
6916 [--frac-list FRAC_LIST]
6917 [--frac-list-total FRAC_LIST_TO‐
6918 TAL]
6919 [--strip-list STRIP_LIST]
6920 [--schedule SCHEDULE]
6921 [--conn-timeout CONN_TIMEOUT]
6922 [--protocol-timeout PROTOCOL_TIME‐
6923 OUT]
6924 [--wait-async-results
6925 WAIT_ASYNC_RESULTS]
6926 [--busy-wait-time BUSY_WAIT_TIME]
6927 [--session-pause-time SES‐
6928 SION_PAUSE_TIME]
6929 [--flow-control-window FLOW_CON‐
6930 TROL_WINDOW]
6931 [--flow-control-pause FLOW_CON‐
6932 TROL_PAUSE]
6933 [--bootstrap-bind-dn BOOT‐
6934 STRAP_BIND_DN]
6935 [--bootstrap-bind-passwd BOOT‐
6936 STRAP_BIND_PASSWD]
6937 [--bootstrap-bind-passwd-file
6938 BOOTSTRAP_BIND_PASSWD_FILE]
6939 [--bootstrap-bind-passwd-prompt]
6940 [--bootstrap-conn-protocol BOOT‐
6941 STRAP_CONN_PROTOCOL]
6942 [--bootstrap-bind-method BOOT‐
6943 STRAP_BIND_METHOD]
6944 AGMT_NAME
6945
6946
6947 AGMT_NAME
6948 The name of the replication agreement
6949
6950
6952 --suffix SUFFIX
6953 Sets the DN of the replication suffix
6954
6955
6956 --host HOST
6957 Sets the hostname of the remote replica
6958
6959
6960 --port PORT
6961 Sets the port number of the remote replica
6962
6963
6964 --conn-protocol CONN_PROTOCOL
6965 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6966 TLS
6967
6968
6969 --bind-dn BIND_DN
6970 Sets the Bind DN the agreement uses to authenticate to the
6971 replica
6972
6973
6974 --bind-passwd BIND_PASSWD
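6975 Sets the credentials for the bind DN. A password passed on the command line can be seen in the process list and shell history; --bind-passwd-file or --bind-passwd-prompt avoids that.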
6976
6977
6978 --bind-passwd-file BIND_PASSWD_FILE
6979 File containing the password
6980
6981
6982 --bind-passwd-prompt
6983 Prompt for password
6984
6985
6986 --bind-method BIND_METHOD
6987 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6988 or "SASL/GSSAPI"
6989
6990
6991 --frac-list FRAC_LIST
6992 Sets a list of attributes to NOT replicate to the consumer dur‐
6993 ing incremental updates
6994
6995
6996 --frac-list-total FRAC_LIST_TOTAL
6997 Sets a list of attributes to NOT replicate during a total ini‐
6998 tialization
6999
7000
7001 --strip-list STRIP_LIST
7002 Sets a list of attributes that are removed from updates only if
7003 the event would otherwise be empty. Typically this is set to
7004 "modifiersname" and "modifytimestamp"
7005
7006
7007 --schedule SCHEDULE
7008 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
7009 0-6 (Sunday - Saturday).
7010
7011
7012 --conn-timeout CONN_TIMEOUT
7013 Sets the timeout used for replication connections
7014
7015
7016 --protocol-timeout PROTOCOL_TIMEOUT
7017 Sets a timeout in seconds on how long to wait before stopping
7018 replication when the server is under load
7019
7020
7021 --wait-async-results WAIT_ASYNC_RESULTS
7022 Sets the amount of time in milliseconds the server waits if the
7023 consumer is not ready before resending data
7024
7025
7026 --busy-wait-time BUSY_WAIT_TIME
7027 Sets the amount of time in seconds a supplier should wait after
7028 a consumer sends back a busy response before making another at‐
7029 tempt to acquire access.
7030
7031
7032 --session-pause-time SESSION_PAUSE_TIME
7033 Sets the amount of time in seconds a supplier should wait be‐
7034 tween update sessions.
7035
7036
7037 --flow-control-window FLOW_CONTROL_WINDOW
7038 Sets the maximum number of entries and updates sent by a sup‐
7039 plier, which are not acknowledged by the consumer.
7040
7041
7042 --flow-control-pause FLOW_CONTROL_PAUSE
7043 Sets the time in milliseconds to pause after reaching the number
7044 of entries and updates set in "--flow-control-window"
7045
7046
7047 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
7048 Sets an optional bind DN the agreement can use to bootstrap ini‐
7049 tialization when bind groups are being used
7050
7051
7052 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
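7053 Sets the bootstrap credentials for the bind DN. A password passed on the command line can be seen in the process list and shell history; --bootstrap-bind-passwd-file or --bootstrap-bind-passwd-prompt avoids that.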
7054
7055
7056 --bootstrap-bind-passwd-file BOOTSTRAP_BIND_PASSWD_FILE
7057 File containing the password
7058
7059
7060 --bootstrap-bind-passwd-prompt
7061 Prompt for password
7062
7063
7064 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
7065 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
7066 or StartTLS
7067
7068
7069 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
7070 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
7071
7072
7074 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
7075
7076
7077 AGMT_NAME
7078 The name of the replication agreement
7079
7080
7082 --suffix SUFFIX
7083 Sets the DN of the replication suffix
7084
7085
7087 usage: dsconf instance repl-winsync-agmt [-h]
7088 {list,enable,dis‐
7089 able,init,init-status,poke,status,delete,create,set,get}
7090 ...
7091
7092
7094 dsconf repl-winsync-agmt list
7095 List all the replication winsync agreements
7096
7097 dsconf repl-winsync-agmt enable
7098 Enable replication winsync agreement
7099
7100 dsconf repl-winsync-agmt disable
7101 Disable replication winsync agreement
7102
7103 dsconf repl-winsync-agmt init
7104 Initialize replication winsync agreement
7105
7106 dsconf repl-winsync-agmt init-status
7107 Check the agreement initialization status
7108
7109 dsconf repl-winsync-agmt poke
7110 Trigger replication to send updates now
7111
7112 dsconf repl-winsync-agmt status
7113 Display the current status of the replication agreement
7114
7115 dsconf repl-winsync-agmt delete
7116 Delete replication winsync agreement
7117
7118 dsconf repl-winsync-agmt create
7119 Create replication winsync agreement
7120
7121 dsconf repl-winsync-agmt set
7122 Set an attribute in the replication winsync agreement
7123
7124 dsconf repl-winsync-agmt get
7125 Display replication configuration
7126
7127
7129 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
7130
7131
7133 --suffix SUFFIX
7134 Sets the DN of the suffix to look up replication winsync agree‐
7135 ments
7136
7137
7139 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
7140 AGMT_NAME
7141
7142
7143 AGMT_NAME
7144 The name of the replication winsync agreement
7145
7146
7148 --suffix SUFFIX
7149 Sets the DN of the replication winsync suffix
7150
7151
7153 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
7154 AGMT_NAME
7155
7156
7157 AGMT_NAME
7158 The name of the replication winsync agreement
7159
7160
7162 --suffix SUFFIX
7163 Sets the DN of the replication winsync suffix
7164
7165
7167 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
7168 AGMT_NAME
7169
7170
7171 AGMT_NAME
7172 The name of the replication winsync agreement
7173
7174
7176 --suffix SUFFIX
7177 Sets the DN of the replication winsync suffix
7178
7179
7181 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUF‐
7182 FIX
7183 AGMT_NAME
7184
7185
7186 AGMT_NAME
7187 The name of the replication agreement
7188
7189
7191 --suffix SUFFIX
7192 Sets the DN of the replication suffix
7193
7194
7196 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
7197 AGMT_NAME
7198
7199
7200 AGMT_NAME
7201 The name of the replication winsync agreement
7202
7203
7205 --suffix SUFFIX
7206 Sets the DN of the replication winsync suffix
7207
7208
7210 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
7211 AGMT_NAME
7212
7213
7214 AGMT_NAME
7215 The name of the replication agreement
7216
7217
7219 --suffix SUFFIX
7220 Sets the DN of the replication suffix
7221
7222
7224 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
7225 AGMT_NAME
7226
7227
7228 AGMT_NAME
7229 The name of the replication winsync agreement
7230
7231
7233 --suffix SUFFIX
7234 Sets the DN of the replication winsync suffix
7235
7236
7238 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
7239 --host
7240 HOST --port PORT
7241 --conn-protocol
7242 CONN_PROTOCOL
7243 --bind-dn BIND_DN
7244 [--bind-passwd
7245 BIND_PASSWD]
7246 [--bind-passwd-file
7247 BIND_PASSWD_FILE]
7248 [--bind-passwd-prompt]
7249 [--frac-list FRAC_LIST]
7250 [--schedule SCHEDULE]
7251 --win-subtree WIN_SUB‐
7252 TREE
7253 --ds-subtree DS_SUBTREE
7254 --win-domain WIN_DOMAIN
7255 [--sync-users
7256 SYNC_USERS]
7257 [--sync-groups
7258 SYNC_GROUPS]
7259 [--sync-interval
7260 SYNC_INTERVAL]
7261 [--one-way-sync
7262 ONE_WAY_SYNC]
7263 [--move-action MOVE_AC‐
7264 TION]
7265 [--win-filter WIN_FIL‐
7266 TER]
7267 [--ds-filter DS_FILTER]
7268 [--subtree-pair SUB‐
7269 TREE_PAIR]
7270 [--conn-timeout
7271 CONN_TIMEOUT]
7272 [--busy-wait-time
7273 BUSY_WAIT_TIME]
7274 [--session-pause-time
7275 SESSION_PAUSE_TIME]
7276 [--flatten-tree]
7277 [--init]
7278 AGMT_NAME
7279
7280
7281 AGMT_NAME
7282 The name of the replication winsync agreement
7283
7284
7286 --suffix SUFFIX
7287 Sets the DN of the replication winsync suffix
7288
7289
7290 --host HOST
7291 Sets the hostname of the AD server
7292
7293
7294 --port PORT
7295 Sets the port number of the AD server
7296
7297
7298 --conn-protocol CONN_PROTOCOL
7299 Sets the replication winsync connection protocol: LDAP, LDAPS,
7300 or StartTLS
7301
7302
7303 --bind-dn BIND_DN
7304 Sets the bind DN the agreement uses to authenticate to the AD
7305 Server
7306
7307
7308 --bind-passwd BIND_PASSWD
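7309 Sets the credentials for the Bind DN. A password passed on the command line can be seen in the process list and shell history; --bind-passwd-file or --bind-passwd-prompt avoids that.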
7310
7311
7312 --bind-passwd-file BIND_PASSWD_FILE
7313 File containing the password
7314
7315
7316 --bind-passwd-prompt
7317 Prompt for password
7318
7319
7320 --frac-list FRAC_LIST
7321 Sets a list of attributes to NOT replicate to the consumer dur‐
7322 ing incremental updates
7323
7324
7325 --schedule SCHEDULE
7326 Sets the replication update schedule
7327
7328
7329 --win-subtree WIN_SUBTREE
7330 Sets the suffix of the AD Server
7331
7332
7333 --ds-subtree DS_SUBTREE
7334 Sets the Directory Server suffix
7335
7336
7337 --win-domain WIN_DOMAIN
7338 Sets the AD Domain
7339
7340
7341 --sync-users SYNC_USERS
7342 Synchronizes users between AD and DS
7343
7344
7345 --sync-groups SYNC_GROUPS
7346 Synchronizes groups between AD and DS
7347
7348
7349 --sync-interval SYNC_INTERVAL
7350 Sets the interval that DS checks AD for changes in entries
7351
7352
7353 --one-way-sync ONE_WAY_SYNC
7354 Sets which direction to perform synchronization: "toWindows", or
7355 "fromWindows". By default sync occurs in both directions.
7356
7357
7358 --move-action MOVE_ACTION
7359 Sets instructions on how to handle moved or deleted entries:
7360 "none", "unsync", or "delete"
7361
7362
7363 --win-filter WIN_FILTER
7364 Sets a custom filter for finding users in AD Server
7365
7366
7367 --ds-filter DS_FILTER
7368 Sets a custom filter for finding AD users in DS
7369
7370
7371 --subtree-pair SUBTREE_PAIR
7372 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7373
7374
7375 --conn-timeout CONN_TIMEOUT
7376 Sets the timeout used for replication connections
7377
7378
7379 --busy-wait-time BUSY_WAIT_TIME
7380 Sets the amount of time in seconds a supplier should wait after
7381 a consumer sends back a busy response before making another at‐
7382 tempt to acquire access
7383
7384
7385 --session-pause-time SESSION_PAUSE_TIME
7386 Sets the amount of time in seconds a supplier should wait be‐
7387 tween update sessions
7388
7389
7390 --flatten-tree
7391 By default, the tree structure of AD is preserved into 389. This
7392 MAY cause replication to fail in some cases, as you may need to
7393 create missing OUs to recreate the same tree structure. When
7394 enabled, this setting removes the tree structure of AD and flat‐
7395 tens all entries into the ds-subtree. This does NOT affect or
7396 change the tree structure of the AD directory.
7397
7398
7399 --init Initializes the agreement after creating it
7400
7401
7403 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
7404 [--host HOST] [--port
7405 PORT]
7406 [--conn-protocol CONN_PRO‐
7407 TOCOL]
7408 [--bind-dn BIND_DN]
7409 [--bind-passwd
7410 BIND_PASSWD]
7411 [--bind-passwd-file
7412 BIND_PASSWD_FILE]
7413 [--bind-passwd-prompt]
7414 [--frac-list FRAC_LIST]
7415 [--schedule SCHEDULE]
7416 [--win-subtree WIN_SUB‐
7417 TREE]
7418 [--ds-subtree DS_SUBTREE]
7419 [--win-domain WIN_DOMAIN]
7420 [--sync-users SYNC_USERS]
7421 [--sync-groups
7422 SYNC_GROUPS]
7423 [--sync-interval SYNC_IN‐
7424 TERVAL]
7425 [--one-way-sync
7426 ONE_WAY_SYNC]
7427 [--move-action MOVE_AC‐
7428 TION]
7429 [--win-filter WIN_FILTER]
7430 [--ds-filter DS_FILTER]
7431 [--subtree-pair SUB‐
7432 TREE_PAIR]
7433 [--conn-timeout CONN_TIME‐
7434 OUT]
7435 [--busy-wait-time
7436 BUSY_WAIT_TIME]
7437 [--session-pause-time SES‐
7438 SION_PAUSE_TIME]
7439 AGMT_NAME
7440
7441
7442 AGMT_NAME
7443 The name of the replication winsync agreement
7444
7445
7447 --suffix SUFFIX
7448 Sets the DN of the replication winsync suffix
7449
7450
7451 --host HOST
7452 Sets the hostname of the AD server
7453
7454
7455 --port PORT
7456 Sets the port number of the AD server
7457
7458
7459 --conn-protocol CONN_PROTOCOL
7460 Sets the replication winsync connection protocol: LDAP, LDAPS,
7461 or StartTLS
7462
7463
7464 --bind-dn BIND_DN
7465 Sets the bind DN the agreement uses to authenticate to the AD
7466 Server
7467
7468
7469 --bind-passwd BIND_PASSWD
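7470 Sets the credentials for the Bind DN. A password passed on the command line can be seen in the process list and shell history; --bind-passwd-file or --bind-passwd-prompt avoids that.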
7471
7472
7473 --bind-passwd-file BIND_PASSWD_FILE
7474 File containing the password
7475
7476
7477 --bind-passwd-prompt
7478 Prompt for password
7479
7480
7481 --frac-list FRAC_LIST
7482 Sets a list of attributes to NOT replicate to the consumer dur‐
7483 ing incremental updates
7484
7485
7486 --schedule SCHEDULE
7487 Sets the replication update schedule
7488
7489
7490 --win-subtree WIN_SUBTREE
7491 Sets the suffix of the AD Server
7492
7493
7494 --ds-subtree DS_SUBTREE
7495 Sets the Directory Server suffix
7496
7497
7498 --win-domain WIN_DOMAIN
7499 Sets the AD Domain
7500
7501
7502 --sync-users SYNC_USERS
7503 Synchronizes users between AD and DS
7504
7505
7506 --sync-groups SYNC_GROUPS
7507 Synchronizes groups between AD and DS
7508
7509
7510 --sync-interval SYNC_INTERVAL
7511 Sets the interval that DS checks AD for changes in entries
7512
7513
7514 --one-way-sync ONE_WAY_SYNC
7515 Sets which direction to perform synchronization: "toWindows", or
7516 "fromWindows". By default sync occurs in both directions.
7517
7518
7519 --move-action MOVE_ACTION
7520 Sets instructions on how to handle moved or deleted entries:
7521 "none", "unsync", or "delete"
7522
7523
7524 --win-filter WIN_FILTER
7525 Sets a custom filter for finding users in AD Server
7526
7527
7528 --ds-filter DS_FILTER
7529 Sets a custom filter for finding AD users in DS
7530
7531
7532 --subtree-pair SUBTREE_PAIR
7533 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7534
7535
7536 --conn-timeout CONN_TIMEOUT
7537 Sets the timeout used for replication connections
7538
7539
7540 --busy-wait-time BUSY_WAIT_TIME
7541 Sets the amount of time in seconds a supplier should wait after
7542 a consumer sends back a busy response before making another at‐
7543 tempt to acquire access
7544
7545
7546 --session-pause-time SESSION_PAUSE_TIME
7547 Sets the amount of time in seconds a supplier should wait be‐
7548 tween update sessions
7549
7550
7552 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
7553 AGMT_NAME
7554
7555
7556 AGMT_NAME
7557 The name of the replication winsync agreement
7558
7559
7561 --suffix SUFFIX
7562 Sets the DN of the replication suffix
7563
7564
7566 usage: dsconf instance repl-tasks [-h]
7567 {cleanallruv,list-clean‐
7568 ruv-tasks,abort-cleanallruv,list-abortruv-tasks}
7569 ...
7570
7571
7573 dsconf repl-tasks cleanallruv
7574 Cleanup old/removed replica IDs
7575
7576 dsconf repl-tasks list-cleanruv-tasks
7577 List all the running CleanAllRUV tasks
7578
7579 dsconf repl-tasks abort-cleanallruv
7580 Abort cleanallruv tasks
7581
7582 dsconf repl-tasks list-abortruv-tasks
7583 List all the running CleanAllRUV abort tasks
7584
7585
7587 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
7588 --replica-id REPLICA_ID
7589 [--force-cleaning]
7590
7591
7593 --suffix SUFFIX
7594 Sets the Directory Server suffix
7595
7596
7597 --replica-id REPLICA_ID
7598 Sets the replica ID to remove/clean
7599
7600
7601 --force-cleaning
7602 Ignores errors and makes a best attempt to clean all replicas
7603
7604
7606 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
7607 SUFFIX]
7608
7609
7611 --suffix SUFFIX
7612 Lists only tasks for the specified suffix
7613
7614
7616 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUF‐
7617 FIX
7618 --replica-id
7619 REPLICA_ID
7620 [--certify]
7621
7622
7624 --suffix SUFFIX
7625 Sets the Directory Server suffix
7626
7627
7628 --replica-id REPLICA_ID
7629 Sets the replica ID of the cleaning task to abort
7630
7631
7632 --certify
7633 Enforces that the abort task completed on all replicas
7634
7635
7637 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
7638 SUFFIX]
7639
7640
7642 --suffix SUFFIX
7643 Lists only tasks for the specified suffix
7644
7645
7647 usage: dsconf instance sasl [-h]
7648 {list,get-mechs,get-avail‐
7649 able-mechs,get,create,delete}
7650 ...
7651
7652
7654 dsconf sasl list
7655 Display available SASL mappings
7656
7657 dsconf sasl get-mechs
7658 Display the SASL mechanisms that the server will accept
7659
7660 dsconf sasl get-available-mechs
7661 Display the SASL mechanisms that are available to the server
7662
7663 dsconf sasl get
7664 Displays SASL mappings
7665
7666 dsconf sasl create
7667 Create a SASL mapping
7668
7669 dsconf sasl delete
7670 Deletes the SASL object
7671
7672
7674 usage: dsconf instance sasl list [-h] [--details]
7675
7676
7678 --details
7679 Displays each SASL mapping in detail
7680
7681
7683 usage: dsconf instance sasl get-mechs [-h]
7684
7685
7687 usage: dsconf instance sasl get-available-mechs [-h]
7688
7689
7691 usage: dsconf instance sasl get [-h] [selector]
7692
7693
7694 selector
7695 The SASL mapping name to display
7696
7697
7699 usage: dsconf instance sasl create [-h] [--cn [CN]]
7700 [--nsSaslMapRegexString
7701 [NSSASLMAPREGEXSTRING]]
7702 [--nsSaslMapBaseDNTemplate
7703 [NSSASLMAPBASEDNTEMPLATE]]
7704 [--nsSaslMapFilterTemplate
7705 [NSSASLMAPFILTERTEMPLATE]]
7706 [--nsSaslMapPriority [NSSASLMAPPRI‐
7707 ORITY]]
7708
7709
7711 --cn [CN]
7712 Value of cn
7713
7714
7715 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7716 Value of nsSaslMapRegexString
7717
7718
7719 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7720 Value of nsSaslMapBaseDNTemplate
7721
7722
7723 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7724 Value of nsSaslMapFilterTemplate
7725
7726
7727 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7728 Value of nsSaslMapPriority
7729
7730
7732 usage: dsconf instance sasl delete [-h] map_name
7733
7734
7735 map_name
7736 The SASL mapping name ("cn" value)
7737
7738
7740 usage: dsconf instance security [-h]
7741 {set,get,enable,disable,dis‐
7742 able_plain_port,certificate,ca-certificate,rsa,ciphers,csr,key,ex‐
7743 port-cert}
7744 ...
7745
7746
7748 dsconf security set
7749 Set general security options
7750
7751 dsconf security get
7752 Display general security options
7753
7754 dsconf security enable
7755 Enable security
7756
7757 dsconf security disable
7758 Disable security
7759
7760 dsconf security disable_plain_port
7761 Disables the plain text LDAP port, allowing only LDAPS to func‐
7762 tion
7763
7764 dsconf security certificate
7765 Manage TLS certificates
7766
7767 dsconf security ca-certificate
7768 Manage TLS certificate authorities
7769
7770 dsconf security rsa
7771 Query and update RSA security options
7772
7773 dsconf security ciphers
7774 Manage secure ciphers
7775
7776 dsconf security csr
7777 Manage certificate signing requests
7778
7779 dsconf security key
7780 Manage keys in NSS DB
7781
7782 dsconf security export-cert
7783 Export a certificate to PEM or DER/Binary format. PEM format is
7784 the default
7785
7786
7788 usage: dsconf instance security set [-h] [--security SECURITY]
7789 [--listen-host LISTEN_HOST]
7790 [--secure-port SECURE_PORT]
7791 [--tls-client-auth TLS_CLIENT_AUTH]
7792 [--tls-client-renegotiation
7793 TLS_CLIENT_RENEGOTIATION]
7794 [--require-secure-authentication
7795 REQUIRE_SECURE_AUTHENTICATION]
7796 [--check-hostname CHECK_HOSTNAME]
7797 [--verify-cert-chain-on-startup
7798 VERIFY_CERT_CHAIN_ON_STARTUP]
7799 [--session-timeout SESSION_TIMEOUT]
7800 [--tls-protocol-min TLS_PROTO‐
7801 COL_MIN]
7802 [--tls-protocol-max TLS_PROTO‐
7803 COL_MAX]
7804 [--allow-insecure-ciphers ALLOW_IN‐
7805 SECURE_CIPHERS]
7806 [--allow-weak-dh-param AL‐
7807 LOW_WEAK_DH_PARAM]
7808 [--cipher-pref CIPHER_PREF]
7809
7810 Use this command for setting security related options located in
7811 cn=config and cn=encryption,cn=config.
7812
7813 To enable/disable security you can use enable and disable commands in‐
7814 stead.
7815
7816
7818 --security SECURITY
7819 Enables or disables security (nsslapd-security)
7820
7821
7822 --listen-host LISTEN_HOST
7823 Sets the host or IP address to listen on for LDAPS (nsslapd-se‐
7824 curelistenhost)
7825
7826
7827 --secure-port SECURE_PORT
7828 Sets the port for LDAPS to listen on (nsslapd-securePort)
7829
7830
7831 --tls-client-auth TLS_CLIENT_AUTH
7832 Configures client authentication requirement (nsSSLClientAuth)
7833
7834
7835 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7836 Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)
7837
7838
7839 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7840 Configures whether binds over LDAPS, StartTLS, or SASL are re‐
7841 quired (nsslapd-require-secure-binds)
7842
7843
7844 --check-hostname CHECK_HOSTNAME
7845 Checks the subject of the remote certificate against the hostname
7846 (nsslapd-ssl-check-hostname)
7847
7848
7849 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7850 Validates the server certificate during startup (nsslapd-vali‐
7851 date-cert)
7852
7853
7854 --session-timeout SESSION_TIMEOUT
7855 Sets the secure session timeout (nsSSLSessionTimeout)
7856
7857
7858 --tls-protocol-min TLS_PROTOCOL_MIN
7859 Sets the minimal allowed secure protocol version (sslVersionMin)
7860
7861
7862 --tls-protocol-max TLS_PROTOCOL_MAX
7863 Sets the maximal allowed secure protocol version (sslVersionMax)
7864
7865
7866 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7867 Allows weak ciphers for legacy use (allowWeakCipher). Leave this off unless a legacy client that cannot be upgraded requires it.
7868
7869
7870 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7871 Allows short DH params for legacy use (allowWeakDHParam). Leave this off unless a legacy client that cannot be upgraded requires it.
7872
7873
7874 --cipher-pref CIPHER_PREF
7875 Directly sets the nsSSL3Ciphers attribute. It is a comma-sepa‐
7876 rated list of cipher names (prefixed with + or -), optionally
7877 including +all or -all. The attribute may optionally be prefixed
7878 by keyword "default". Please refer to documentation of the at‐
7879 tribute for a more detailed description. (nsSSL3Ciphers)
7880
7881
7883 usage: dsconf instance security get [-h]
7884
7885
7887 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7888
7889 If missing, create security database, then turn on security functional‐
7890 ity. Please note this is usually not enough for TLS connections to work
7891 - proper setup of CA and server certificate is necessary.
7892
7893
7895 --cert-name CERT_NAME
7896 Sets the name of the certificate the server should use
7897
7898
7900 usage: dsconf instance security disable [-h]
7901
7902 Turn off security functionality. The rest of the configuration will be
7903 left untouched.
7904
7905
7907 usage: dsconf instance security disable_plain_port [-h]
7908
7909
7911 usage: dsconf instance security certificate [-h]
7912 {add,set-trust-flags,del,get,list}
7913 ...
7914
7915
7917 dsconf security certificate add
7918 Add a server certificate
7919
7920 dsconf security certificate set-trust-flags
7921 Set the Trust flags
7922
7923 dsconf security certificate del
7924 Delete a certificate
7925
7926 dsconf security certificate get
7927 Display a server certificate's information
7928
7929 dsconf security certificate list
7930 List the server certificates
7931
7932
7934 usage: dsconf instance security certificate add [-h] --file FILE --name
7935 NAME
7936 [--primary-cert]
7937
7938 Add a server certificate to the NSS database
7939
7940
7942 --file FILE
7943 Sets the file name of the certificate
7944
7945
7946 --name NAME
7947 Sets the name/nickname of the certificate
7948
7949
7950 --primary-cert
7951 Sets this certificate as the server's certificate
7952
7953
7955 usage: dsconf instance security certificate set-trust-flags
7956 [-h] --flags FLAGS name
7957
7958 Change the trust flags of a server certificate
7959
7960
7961 name The name/nickname of the certificate
7962
7963
7965 --flags FLAGS
7966 Sets the trust flags for the server certificate
7967
7968
7970 usage: dsconf instance security certificate del [-h] name
7971
7972 Delete a certificate from the NSS database
7973
7974
7975 name The name/nickname of the certificate
7976
7977
7979 usage: dsconf instance security certificate get [-h] name
7980
7981 Displays detailed information about a certificate, such as trust at‐
7982 tributes, expiration dates, Subject and Issuer DNs
7983
7984
7985 name The name/nickname of the certificate
7986
7987
7989 usage: dsconf instance security certificate list [-h]
7990
7991 Lists the server certificates in the NSS database
7992
7993
7995 usage: dsconf instance security ca-certificate [-h]
7996 {add,set-trust-flags,del,get,list}
7997 ...
7998
7999
8001 dsconf security ca-certificate add
8002 Add a Certificate Authority
8003
8004 dsconf security ca-certificate set-trust-flags
8005 Set the Trust flags
8006
8007 dsconf security ca-certificate del
8008 Delete a certificate
8009
8010 dsconf security ca-certificate get
8011 Displays a Certificate Authority's information
8012
8013 dsconf security ca-certificate list
8014 List the Certificate Authorities
8015
8016
8018 usage: dsconf instance security ca-certificate add [-h] --file FILE
8019 --name
8020 NAME [NAME ...]
8021
8022 Add a Certificate Authority to the NSS database
8023
8024
8026 --file FILE
8027 Sets the file name of the CA certificate
8028
8029
8030 --name NAME [NAME ...]
8031 Sets the name/nickname of the CA certificate, if adding a PEM
8032 bundle then specify multiple names one for each certificate,
8033 otherwise a number increment will be added to the previous name.
8034
8035
8037 usage: dsconf instance security ca-certificate set-trust-flags
8038 [-h] --flags FLAGS name
8039
8040 Change the trust attributes of a CA certificate. Certificate Authori‐
8041 ties typically use "CT,,"
8042
8043
8044 name The name/nickname of the CA certificate
8045
8046
8048 --flags FLAGS
8049 Sets the trust flags for the CA certificate
8050
8051
8053 usage: dsconf instance security ca-certificate del [-h] name
8054
8055 Delete a CA certificate from the NSS database
8056
8057
8058 name The name/nickname of the CA certificate
8059
8060
8062 usage: dsconf instance security ca-certificate get [-h] name
8063
8064 Get detailed information about a CA certificate, like trust attributes,
8065 expiration dates, Subject and Issuer DN
8066
8067
8068 name The name/nickname of the CA certificate
8069
8070
8072 usage: dsconf instance security ca-certificate list [-h]
8073
8074 List the CA certificates in the NSS database
8075
8076
8078 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
8079
8080
8082 dsconf security rsa set
8083 Set RSA security options
8084
8085 dsconf security rsa get
8086 Get RSA security options
8087
8088 dsconf security rsa enable
8089 Enable RSA
8090
8091 dsconf security rsa disable
8092 Disable RSA
8093
8094
8096 usage: dsconf instance security rsa set [-h]
8097 [--tls-allow-rsa-certificates
8098 TLS_ALLOW_RSA_CERTIFICATES]
8099 [--nss-cert-name NSS_CERT_NAME]
8100 [--nss-token NSS_TOKEN]
8101
8102 Use this command for setting RSA (private key) related options located
8103 in cn=RSA,cn=encryption,cn=config.
8104
8105 To enable/disable RSA you can use enable and disable commands instead.
8106
8107
8109 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
8110 Activates the use of RSA certificates (nsSSLActivation)
8111
8112
8113 --nss-cert-name NSS_CERT_NAME
8114 Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)
8115
8116
8117 --nss-token NSS_TOKEN
8118 Sets the security token name (module of NSS DB) (nsSSLToken)
8119
8120
8122 usage: dsconf instance security rsa get [-h]
8123
8124
8126 usage: dsconf instance security rsa enable [-h]
8127
8128
8130 usage: dsconf instance security rsa disable [-h]
8131
8132
8134 usage: dsconf instance security ciphers [-h] {enable,dis‐
8135 able,get,set,list} ...
8136
8137
8139 dsconf security ciphers enable
8140 Enable ciphers
8141
8142 dsconf security ciphers disable
8143 Disable ciphers
8144
8145 dsconf security ciphers get
8146 Get ciphers attribute
8147
8148 dsconf security ciphers set
8149 Set ciphers attribute
8150
8151 dsconf security ciphers list
8152 List ciphers
8153
8154
8156 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
8157
8158 Use this command to enable specific ciphers.
8159
8160
8161 cipher
8162
8163
8165 usage: dsconf instance security ciphers disable [-h] cipher [cipher
8166 ...]
8167
8168 Use this command to disable specific ciphers.
8169
8170
8171 cipher
8172
8173
8175 usage: dsconf instance security ciphers get [-h]
8176
8177 Use this command to get contents of nsSSL3Ciphers attribute.
8178
8179
8181 usage: dsconf instance security ciphers set [-h] cipher-string
8182
8183 Use this command to directly set nsSSL3Ciphers attribute. It is a comma
8184 separated list of cipher names (prefixed with + or -), optionally in‐
8185 cluding +all or -all. The attribute may optionally be set to keyword
8186 default. Please refer to documentation of the attribute for a more de‐
8187 tailed description.
8188
8189
8190 cipher-string
8191
8192
8194 usage: dsconf instance security ciphers list [-h]
8195 [--enabled | --supported |
8196 --disabled]
8197
8198 List secure ciphers. Without arguments, list ciphers as configured in
8199 nsSSL3Ciphers attribute.
8200
8201
8203 --enabled
8204 Lists only enabled ciphers
8205
8206
8207 --supported
8208 Lists only supported ciphers
8209
8210
8211 --disabled
8212 Lists only ciphers that are supported but not enabled
8213
8214
8216 usage: dsconf instance security csr [-h] {list,get,req,del} ...
8217
8218
8220 dsconf security csr list
8221 List CSRs
8222
8223 dsconf security csr get
8224 Display CSR content
8225
8226 dsconf security csr req
8227 Generate a Certificate Signing Request
8228
8229 dsconf security csr del
8230 Delete a CSR file
8231
8232
8234 usage: dsconf instance security csr list [-h] [--path PATH]
8235
8236 List all CSR files in the instance configuration directory
8237
8238
8240 --path PATH, -p PATH
8241 Directory containing the CSR file
8242
8243
8245 usage: dsconf instance security csr get [-h] name
8246
8247 Displays the contents of a CSR, which can be used for submission to a CA
8248
8249
8250 name Name of the CSR file to display
8251
8252
8254 usage: dsconf instance security csr req [-h] --subject SUBJECT --name
8255 NAME
8256 [alt_names ...]
8257
8258 Generate a CSR that can be submitted to a CA for verification
8259
8260
8261 alt_names
8262 CSR alternative names. These are auto-detected if not provided
8263
8264
8266 --subject SUBJECT, -s SUBJECT
8267 Subject field
8268
8269
8270 --name NAME, -n NAME
8271 Name
8272
8273
8275 usage: dsconf instance security csr del [-h] name
8276
8277 Delete a CSR file
8278
8279
8280 name Name of the CSR file to delete
8281
8282
8284 usage: dsconf instance security key [-h] {list,del} ...
8285
8286
8288 dsconf security key list
8289 List all keys in NSS DB
8290
8291 dsconf security key del
8292 Delete a key from NSS DB
8293
8294
8296 usage: dsconf instance security key list [-h] [--orphan]
8297
8298
8300 --orphan
8301 List orphan keys. An orphan key is a private key in the NSS DB
8302 for which there is NO cert with the corresponding public key.
8303 An orphan key is created during CSR generation; when the associ‐
8304 ated certificate is imported into the NSS DB, its orphan state
8305 is removed.
8306
8307
8309 usage: dsconf instance security key del [-h] key_id
8310
8311 Remove a key from the NSS DB. Make sure the key is not in use before
8312 you delete it
8313
8314
8315 key_id This is the key ID displayed when listing keys
8316
8317
8319 usage: dsconf instance security export-cert [-h] [--binary-format]
8320 [--output-file OUTPUT_FILE]
8321 nickname
8322
8323
8324 nickname
8325 The name of the certificate to export
8326
8327
8329 --binary-format
8330 Export certificate in DER/binary format
8331
8332
8333 --output-file OUTPUT_FILE
8334 The name for the exported certificate. Default name is the cer‐
8335 tificate nickname with an extension of ".pem" or ".crt"
8336
8337
8339 usage: dsconf instance schema [-h]
8340 {list,attributetypes,objectclasses,match‐
8341 ingrules,reload,validate-syntax,import-openldap-file}
8342 ...
8343
8344
8346 dsconf schema list
8347 List all schema objects on this system
8348
8349 dsconf schema attributetypes
8350 Work with attribute types on this system
8351
8352 dsconf schema objectclasses
8353 Work with objectClasses on this system
8354
8355 dsconf schema matchingrules
8356 Work with matching rules on this system
8357
8358 dsconf schema reload
8359 Dynamically reload schema while server is running
8360
8361 dsconf schema validate-syntax
8362 Run a task to check that all attributes in an entry have the
8363 correct syntax
8364
8365 dsconf schema import-openldap-file
8366 Import an OpenLDAP-formatted dynamic schema LDIF file. Such a file
8367 contains values like olcAttributeTypes and olcObjectClasses.
8368
8369
8371 usage: dsconf instance schema list [-h]
8372
8373
8375 usage: dsconf instance schema attributetypes [-h]
8376 {get_syn‐
8377 taxes,list,query,add,replace,remove}
8378 ...
8379
8380
8382 dsconf schema attributetypes get_syntaxes
8383 List all available attribute type syntaxes
8384
8385 dsconf schema attributetypes list
8386 List available attribute types on this system
8387
8388 dsconf schema attributetypes query
8389 Query an attribute to determine object classes that may or must
8390 take it
8391
8392 dsconf schema attributetypes add
8393 Add an attribute type to this system
8394
8395 dsconf schema attributetypes replace
8396 Replace an attribute type on this system
8397
8398 dsconf schema attributetypes remove
8399 Remove an attribute type on this system
8400
8401
8403 usage: dsconf instance schema attributetypes get_syntaxes [-h]
8404
8405
8407 usage: dsconf instance schema attributetypes list [-h]
8408
8409
8411 usage: dsconf instance schema attributetypes query [-h] [name]
8412
8413
8414 name Attribute type to query
8415
8416
8418 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
8419 [--desc DESC]
8420 [--x-origin X_ORIGIN]
8421 [--aliases ALIASES
8422 [ALIASES ...]]
8423 [--single-value]
8424 [--multi-value]
8425 [--no-user-mod]
8426 [--user-mod]
8427 [--equality EQUALITY]
8428 [--substr SUBSTR]
8429 [--ordering ORDERING]
8430 [--usage USAGE] [--sup
8431 SUP]
8432 --syntax SYNTAX
8433 name
8434
8435
8436 name NAME of the object
8437
8438
8440 --oid OID
8441 OID assigned to the object
8442
8443
8444 --desc DESC
8445 Description text(DESC) of the object
8446
8447
8448 --x-origin X_ORIGIN
8449 Provides information about where the attribute type is defined
8450
8451
8452 --aliases ALIASES [ALIASES ...]
8453 Additional NAMEs of the object.
8454
8455
8456 --single-value
8457 True if the attribute must have only one value. Only one of
8458 this flag and --multi-value should be specified
8459
8460
8461 --multi-value
8462 True if the attribute may have multiple values (default). Only
8463 one of this flag and --single-value should be specified
8464
8465
8466 --no-user-mod
8467 True if the attribute is not modifiable by a client applica‐
8468 tion. Only one of this flag and --user-mod should be specified
8469
8470
8471 --user-mod
8472 True if the attribute is modifiable by a client application (de‐
8473 fault). Only one of this flag and --no-user-mod should be
8474 specified
8475
8476
8477 --equality EQUALITY
8478 NAME or OID of the matching rule used for checking whether attri‐
8479 bute values are equal
8480
8481
8482 --substr SUBSTR
8483 NAME or OID of the matching rule used for checking whether an at‐
8484 tribute value contains another value
8485
8486
8487 --ordering ORDERING
8488 NAME or OID of the matching rule used for checking whether an at‐
8489 tribute value is less than or equal to another value
8490
8491
8492 --usage USAGE
8493 The flag indicates how the attribute type is to be used. Choose
8494 from the list: userApplications (default), directoryOperation,
8495 distributedOperation, dSAOperation
8496
8497
8498 --sup SUP
8499 The NAME or OID of attribute type this attribute type is derived
8500 from
8501
8502
8503 --syntax SYNTAX
8504 OID of the LDAP syntax assigned to the attribute
8505
8506
8508 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
8509 [--desc DESC]
8510 [--x-origin X_ORI‐
8511 GIN]
8512 [--aliases ALIASES
8513 [ALIASES ...]]
8514 [--single-value]
8515 [--multi-value]
8516 [--no-user-mod]
8517 [--user-mod]
8518 [--equality EQUAL‐
8519 ITY]
8520 [--substr SUBSTR]
8521 [--ordering ORDER‐
8522 ING]
8523 [--usage USAGE]
8524 [--sup SUP]
8525 [--syntax SYNTAX]
8526 name
8527
8528
8529 name NAME of the object
8530
8531
8533 --oid OID
8534 OID assigned to the object
8535
8536
8537 --desc DESC
8538 Description text(DESC) of the object
8539
8540
8541 --x-origin X_ORIGIN
8542 Provides information about where the attribute type is defined
8543
8544
8545 --aliases ALIASES [ALIASES ...]
8546 Additional NAMEs of the object.
8547
8548
8549 --single-value
8550 True if the attribute must have only one value. Only one of
8551 this flag and --multi-value should be specified
8552
8553
8554 --multi-value
8555 True if the attribute may have multiple values (default). Only
8556 one of this flag and --single-value should be specified
8557
8558
8559 --no-user-mod
8560 True if the attribute is not modifiable by a client applica‐
8561 tion. Only one of this flag and --user-mod should be specified
8562
8563
8564 --user-mod
8565 True if the attribute is modifiable by a client application (de‐
8566 fault). Only one of this flag and --no-user-mod should be
8567 specified
8568
8569
8570 --equality EQUALITY
8571 NAME or OID of the matching rule used for checking whether attri‐
8572 bute values are equal
8573
8574
8575 --substr SUBSTR
8576 NAME or OID of the matching rule used for checking whether an at‐
8577 tribute value contains another value
8578
8579
8580 --ordering ORDERING
8581 NAME or OID of the matching rule used for checking whether an at‐
8582 tribute value is less than or equal to another value
8583
8584
8585 --usage USAGE
8586 The flag indicates how the attribute type is to be used. Choose
8587 from the list: userApplications (default), directoryOperation,
8588 distributedOperation, dSAOperation
8589
8590
8591 --sup SUP
8592 The NAME or OID of attribute type this attribute type is derived
8593 from
8594
8595
8596 --syntax SYNTAX
8597 OID of the LDAP syntax assigned to the attribute
8598
8599
8601 usage: dsconf instance schema attributetypes remove [-h] name
8602
8603
8604 name NAME of the object
8605
8606
8608 usage: dsconf instance schema objectclasses [-h]
8609 {list,query,add,replace,re‐
8610 move}
8611 ...
8612
8613
8615 dsconf schema objectclasses list
8616 List available objectClasses on this system
8617
8618 dsconf schema objectclasses query
8619 Query an objectClass
8620
8621 dsconf schema objectclasses add
8622 Add an objectClass to this system
8623
8624 dsconf schema objectclasses replace
8625 Replace an objectClass on this system
8626
8627 dsconf schema objectclasses remove
8628 Remove an objectClass on this system
8629
8630
8632 usage: dsconf instance schema objectclasses list [-h]
8633
8634
8636 usage: dsconf instance schema objectclasses query [-h] [name]
8637
8638
8639 name ObjectClass to query
8640
8641
8643 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
8644 [--desc DESC]
8645 [--x-origin X_ORIGIN]
8646 [--must MUST [MUST
8647 ...]]
8648 [--may MAY [MAY ...]]
8649 [--kind KIND]
8650 [--sup SUP [SUP ...]]
8651 name
8652
8653
8654 name NAME of the object
8655
8656
8658 --oid OID
8659 OID assigned to the object
8660
8661
8662 --desc DESC
8663 Description text(DESC) of the object
8664
8665
8666 --x-origin X_ORIGIN
8667 Provides information about where the attribute type is defined
8668
8669
8670 --must MUST [MUST ...]
8671 NAMEs or OIDs of all attributes an entry of the object must have
8672
8673
8674 --may MAY [MAY ...]
8675 NAMEs or OIDs of additional attributes an entry of the object
8676 may have
8677
8678
8679 --kind KIND
8680 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8681
8682
8683 --sup SUP [SUP ...]
8684 NAME or OIDs of object classes this object is derived from
8685
8686
8688 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
8689 [--desc DESC]
8690 [--x-origin X_ORI‐
8691 GIN]
8692 [--must MUST [MUST
8693 ...]]
8694 [--may MAY [MAY
8695 ...]]
8696 [--kind KIND]
8697 [--sup SUP [SUP
8698 ...]]
8699 name
8700
8701
8702 name NAME of the object
8703
8704
8706 --oid OID
8707 OID assigned to the object
8708
8709
8710 --desc DESC
8711 Description text(DESC) of the object
8712
8713
8714 --x-origin X_ORIGIN
8715 Provides information about where the attribute type is defined
8716
8717
8718 --must MUST [MUST ...]
8719 NAMEs or OIDs of all attributes an entry of the object must have
8720
8721
8722 --may MAY [MAY ...]
8723 NAMEs or OIDs of additional attributes an entry of the object
8724 may have
8725
8726
8727 --kind KIND
8728 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8729
8730
8731 --sup SUP [SUP ...]
8732 NAME or OIDs of object classes this object is derived from
8733
8734
8736 usage: dsconf instance schema objectclasses remove [-h] name
8737
8738
8739 name NAME of the object
8740
8741
8743 usage: dsconf instance schema matchingrules [-h] {list,query} ...
8744
8745
8747 dsconf schema matchingrules list
8748 List available matching rules on this system
8749
8750 dsconf schema matchingrules query
8751 Query a matching rule
8752
8753
8755 usage: dsconf instance schema matchingrules list [-h]
8756
8757
8759 usage: dsconf instance schema matchingrules query [-h] [name]
8760
8761
8762 name Matching rule to query
8763
8764
8766 usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
8767 [--timeout TIMEOUT]
8768
8769
8771 -d SCHEMADIR, --schemadir SCHEMADIR
8772 directory where schema files are located
8773
8774
8775 --wait Wait for the reload task to complete
8776
8777
8778 --timeout TIMEOUT
8779 Set a timeout to wait for the reload task. Default is 120 sec‐
8780 onds
8781
8782
8784 usage: dsconf instance schema validate-syntax [-h] [-f FILTER]
8785 [--timeout TIMEOUT]
8786 DN
8787
8788
8789 DN Base DN that contains entries to validate
8790
8791
8793 -f FILTER, --filter FILTER
8794 Filter for entries to validate. If omitted, all entries with
8795 filter "(objectclass=*)" are validated
8796
8797
8798 --timeout TIMEOUT
8799 Set a timeout to wait for the validation task. Default is 120
8800 seconds
8801
8802
8804 usage: dsconf instance schema import-openldap-file [-h] [--confirm]
8805 schema_file
8806
8807
8808 schema_file
8809 Path to the openldap dynamic schema ldif to import
8810
8811
8813 --confirm
8814 Confirm that you want to apply these schema migration actions to
8815 the 389-ds instance. By default no actions are taken.
8816
8817
8819 usage: dsconf instance repl-conflict [-h]
8820 {list,compare,delete,swap,con‐
8821 vert,list-glue,delete-glue,convert-glue}
8822 ...
8823
8824
8826 dsconf repl-conflict list
8827 List conflict entries
8828
8829 dsconf repl-conflict compare
8830 Compare the conflict entry with its valid counterpart
8831
8832 dsconf repl-conflict delete
8833 Delete a conflict entry
8834
8835 dsconf repl-conflict swap
8836 Replace the valid entry with the conflict entry
8837
8838 dsconf repl-conflict convert
8839 Convert the conflict entry to a valid entry, while keeping the
8840 original valid entry counterpart. This requires that the con‐
8841 verted conflict entry have a new RDN value. For example:
8842 "cn=my_new_rdn_value".
8843
8844 dsconf repl-conflict list-glue
8845 List replication glue entries
8846
8847 dsconf repl-conflict delete-glue
8848 Delete the glue entry and its child entries
8849
8850 dsconf repl-conflict convert-glue
8851 Convert the glue entry into a regular entry
8852
8853
8855 usage: dsconf instance repl-conflict list [-h] suffix
8856
8857
8858 suffix Sets the backend name, or suffix, to look for conflict entries
8859
8860
8862 usage: dsconf instance repl-conflict compare [-h] DN
8863
8864
8865 DN The DN of the conflict entry
8866
8867
8869 usage: dsconf instance repl-conflict delete [-h] DN
8870
8871
8872 DN The DN of the conflict entry
8873
8874
8876 usage: dsconf instance repl-conflict swap [-h] DN
8877
8878
8879 DN The DN of the conflict entry
8880
8881
8883 usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
8884
8885
8886 DN The DN of the conflict entry
8887
8888
8890 --new-rdn NEW_RDN
8891 Sets the new RDN for the converted conflict entry. For example:
8892 "cn=my_new_rdn_value"
8893
8894
8896 usage: dsconf instance repl-conflict list-glue [-h] suffix
8897
8898
8899 suffix The backend name, or suffix, to look for glue entries
8900
8901
8903 usage: dsconf instance repl-conflict delete-glue [-h] DN
8904
8905
8906 DN The DN of the glue entry
8907
8908
8910 usage: dsconf instance repl-conflict convert-glue [-h] DN
8911
8912
8913 DN The DN of the glue entry
8914
8915
8917 -v, --verbose
8918 Display verbose operation tracing during command execution
8919
8920
8921 -D BINDDN, --binddn BINDDN
8922 The account to bind as for executing operations
8923
8924
8925 -w BINDPW, --bindpw BINDPW
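8926 Password for the bind DN. A password given on the command line can be visible to other local users in the process list and may be saved in shell history; -W or -y avoids that exposure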
8927
8928
8929 -W, --prompt
8930 Prompt for password of the bind DN
8931
8932
8933 -y PWDFILE, --pwdfile PWDFILE
8934 Specifies a file containing the password of the bind DN
8935
8936
8937 -b BASEDN, --basedn BASEDN
8938 Base DN (root naming context) of the instance to manage
8939
8940
8941 -Z, --starttls
8942 Connect with StartTLS
8943
8944
8945 -j, --json
8946 Return result in JSON object
8947
8948
8950 Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>
8951
8952
8954 The latest version of lib389 may be downloaded from
8955 ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
8956
8957
8958
8959lib389 2.4.4 2023-11-15 DSCONF(8)