1DSCONF(8) Generated Python Manual DSCONF(8)
2
6 dsconf
7
9 dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
10 [-Z] [-j] instance {backend,backup,chaining,config,directory_man‐
11 ager,monitor,plugin,pwpolicy,localpwp,replication,repl,repl-agmt,repl-
12 winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
13
16 dsconf backend
17 Manage database suffixes and backends
18 dsconf backup
20 Manage online backups
21 dsconf chaining
23 Manage database chaining and database links
24 dsconf config
26 Manage the server configuration
27 dsconf directory_manager
29 Manage the Directory Manager account
30 dsconf monitor
32 Monitor the state of the instance
33 dsconf plugin
35 Manage plug-ins available on the server
36 dsconf pwpolicy
38 Manage the global password policy settings
39 dsconf localpwp
41 Manage the local user and subtree password policies
42 dsconf replication
44 Manage replication for a suffix
45 dsconf repl-agmt
47 Manage replication agreements
48 dsconf repl-winsync-agmt
50 Manage Winsync agreements
51 dsconf repl-tasks
53 Manage replication tasks
54 dsconf sasl
56 Manage SASL mappings
57 dsconf security
59 Manage security settings
60 dsconf schema
62 Manage the directory schema
63 dsconf repl-conflict
65 Manage replication conflicts
66
69 usage: dsconf instance backend [-h]
70 {suffix,index,vlv-index,attr-en‐
71 crypt,config,monitor,import,export,create,delete,get-tree,compact-db}
72 ...
73
76 dsconf backend suffix
77 Manage backend suffixes
78 dsconf backend index
80 Manage backend indexes
81 dsconf backend vlv-index
83 Manage VLV searches and indexes
84 dsconf backend attr-encrypt
86 Manage encrypted attribute settings
87 dsconf backend config
89 Manage the global database configuration settings
90 dsconf backend monitor
92 Displays global database or suffix monitoring information
93 dsconf backend import
95 Online import of a suffix
96 dsconf backend export
98 Online export of a suffix
99 dsconf backend create
101 Create a backend database
102 dsconf backend delete
104 Delete a backend database
105 dsconf backend get-tree
107 Display the suffix tree
108 dsconf backend compact-db
110 Compact the database and the replication changelog
111
114 usage: dsconf instance backend suffix [-h]
115 {list,get,get-dn,get-sub-suf‐
116 fixes,set}
117 ...
118
121 dsconf backend suffix list
122 List active backends and suffixes
123 dsconf backend suffix get
125 Display the suffix entry
126 dsconf backend suffix get-dn
128 Display the DN of a backend
129 dsconf backend suffix get-sub-suffixes
131 Display sub-suffixes
132 dsconf backend suffix set
134 Set configuration settings for a specific backend
135
138 usage: dsconf instance backend suffix list [-h] [--suffix]
139 [--skip-subsuffixes]
140
143 --suffix
144 Displays the suffixes without backend name
145 --skip-subsuffixes
148 Displays the list of suffixes without sub-suffixes
149
152 usage: dsconf instance backend suffix get [-h] [selector]
153 selector
156 The backend database name to search for
157
160 usage: dsconf instance backend suffix get-dn [-h] [dn]
161 dn The DN to the database entry in cn=ldbm database,cn=plug‐
164 ins,cn=config
165
168 usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
169 be_name
170 be_name
173 The backend name or suffix
174
177 --suffix
178 Displays the list of suffixes without backend name
179
182 usage: dsconf instance backend suffix set [-h] [--enable-readonly]
183 [--disable-readonly]
184 [--enable-orphan] [--dis‐
185 able-orphan]
186 [--require-index] [--ig‐
187 nore-index]
188 [--add-referral ADD_REFERRAL]
189 [--del-referral DEL_REFERRAL]
190 [--enable] [--disable]
191 [--cache-size CACHE_SIZE]
192 [--cache-memsize CACHE_MEM‐
193 SIZE]
194 [--dncache-memsize
195 DNCACHE_MEMSIZE]
196 [--state STATE]
197 be_name
198 be_name
201 The backend name or suffix
202
205 --enable-readonly
206 Enables read-only mode for the backend database
207 --disable-readonly
210 Disables read-only mode for the backend database
211 --enable-orphan
214 Disconnect a subsuffix from its parent suffix.
215 --disable-orphan
218 Let the subsuffix be connected to its parent suffix.
219 --require-index
222 Allows only indexed searches
223 --ignore-index
226 Allows all searches even if they are unindexed
227 --add-referral ADD_REFERRAL
230 Adds an LDAP referral to the backend
231 --del-referral DEL_REFERRAL
234 Removes an LDAP referral from the backend
235 --enable
238 Enables the backend database
239 --disable
242 Disables the backend database
243 --cache-size CACHE_SIZE
246 Sets the maximum number of entries to keep in the entry cache
247 --cache-memsize CACHE_MEMSIZE
250 Sets the maximum size in bytes that the entry cache can grow to
251 --dncache-memsize DNCACHE_MEMSIZE
254 Sets the maximum size in bytes that the DN cache can grow to
255 --state STATE
258 Changes the backend state to: "backend", "disabled", "referral",
259 or "referral on update"
260
263 usage: dsconf instance backend index [-h]
264 {add,set,get,list,delete,reindex}
265 ...
266
269 dsconf backend index add
270 Add an index
271 dsconf backend index set
273 Update an index
274 dsconf backend index get
276 Display an index entry
277 dsconf backend index list
279 Display the index
280 dsconf backend index delete
282 Delete an index
283 dsconf backend index reindex
285 Re-index the database for a single index or all indexes
286
289 usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
290 [--matching-rule MATCH‐
291 ING_RULE]
292 [--reindex] --attr ATTR
293 be_name
294 be_name
297 The backend name or suffix
298
301 --index-type INDEX_TYPE
302 Sets the indexing type (eq, sub, pres, or approx)
303 --matching-rule MATCHING_RULE
306 Sets the matching rule for the index
307 --reindex
310 Re-indexes the database after adding a new index
311 --attr ATTR
314 Sets the attribute name to index
315
318 usage: dsconf instance backend index set [-h] --attr ATTR
319 [--add-type ADD_TYPE]
320 [--del-type DEL_TYPE]
321 [--add-mr ADD_MR] [--del-mr
322 DEL_MR]
323 [--reindex]
324 be_name
325 be_name
328 The backend name or suffix
329
332 --attr ATTR
333 Sets the indexed attribute to update
334 --add-type ADD_TYPE
337 Adds an index type to the index (eq, sub, pres, or approx)
338 --del-type DEL_TYPE
341 Removes an index type from the index: (eq, sub, pres, or approx)
342 --add-mr ADD_MR
345 Adds a matching-rule to the index
346 --del-mr DEL_MR
349 Removes a matching-rule from the index
350 --reindex
353 Re-indexes the database after editing the index
354
357 usage: dsconf instance backend index get [-h] --attr ATTR be_name
358 be_name
361 The backend name or suffix
362
365 --attr ATTR
366 Sets the index name to display
367
370 usage: dsconf instance backend index list [-h] [--just-names] be_name
371 be_name
374 The backend name or suffix
375
378 --just-names
379 Displays only the names of indexed attributes
380
383 usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
384 be_name
387 The backend name or suffix
388
391 --attr ATTR
392 Sets the name of the attribute to delete from the index
393
396 usage: dsconf instance backend index reindex [-h] [--attr ATTR]
397 [--wait]
398 be_name
399 be_name
402 The backend name or suffix
403
406 --attr ATTR
407 Sets the name of the attribute to re-index. Omit this argument
408 to re-index all attributes
409 --wait Waits for the index task to complete and reports the status
412
415 usage: dsconf instance backend vlv-index [-h]
416 {list,get,add-search,edit-search,del-search,add-in‐
417 dex,del-index,reindex}
418 ...
419
422 dsconf backend vlv-index list
423 List VLV search and index entries
424 dsconf backend vlv-index get
426 Display a VLV search and indexes
427 dsconf backend vlv-index add-search
429 Add a VLV search entry. The search entry is the parent entry of
430 the VLV index entries, and it specifies the search parameters
431 that are used to match entries for those indexes.
432 dsconf backend vlv-index edit-search
434 Update a VLV search and index
435 dsconf backend vlv-index del-search
437 Delete VLV search & index
438 dsconf backend vlv-index add-index
440 Create a VLV index under a VLV search entry (parent entry). The
441 VLV index specifies the attributes to sort
442 dsconf backend vlv-index del-index
444 Delete a VLV index under a VLV search entry (parent entry)
445 dsconf backend vlv-index reindex
447 Index/re-index the VLV database index
448
451 usage: dsconf instance backend vlv-index list [-h] [--just-names]
452 be_name
453 be_name
456 The backend name of the VLV index
457
460 --just-names
461 Displays only the names of VLV search entries
462
465 usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
466 be_name
469 The backend name of the VLV index
470
473 --name NAME
474 Displays the VLV search entry and its index entries
475
478 usage: dsconf instance backend vlv-index add-search [-h] --name NAME
479 --search-base
480 SEARCH_BASE
481 --search-scope
482 SEARCH_SCOPE
483 --search-filter
484 SEARCH_FILTER
485 be_name
486 be_name
489 The backend name of the VLV index
490
493 --name NAME
494 Sets the name of the VLV search entry
495 --search-base SEARCH_BASE
498 Sets the VLV search base
499 --search-scope SEARCH_SCOPE
502 Sets the VLV search scope: 0 (base search), 1 (one-level
503 search), or 2 (subtree search)
504 --search-filter SEARCH_FILTER
507 Sets the VLV search filter
508
511 usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
512 [--search-base
513 SEARCH_BASE]
514 [--search-scope
515 SEARCH_SCOPE]
516 [--search-filter
517 SEARCH_FILTER]
518 [--reindex]
519 be_name
520 be_name
523 The backend name of the VLV index to update
524
527 --name NAME
528 Sets the name of the VLV index
529 --search-base SEARCH_BASE
532 Sets the VLV search base
533 --search-scope SEARCH_SCOPE
536 Sets the VLV search scope: 0 (base search), 1 (one-level
537 search), or 2 (subtree search)
538 --search-filter SEARCH_FILTER
541 Sets the VLV search filter
542 --reindex
545 Re-indexes all VLV database indexes
546
549 usage: dsconf instance backend vlv-index del-search [-h] --name NAME
550 be_name
551 be_name
554 The backend name of the VLV index
555
558 --name NAME
559 Sets the name of the VLV search index
560
563 usage: dsconf instance backend vlv-index add-index [-h] --parent-name
564 PARENT_NAME --in‐
565 dex-name
566 INDEX_NAME --sort
567 SORT
568 [--index-it]
569 be_name
570 be_name
573 The backend name of the VLV index
574
577 --parent-name PARENT_NAME
578 Sets the name or "cn" attribute of the parent VLV search entry
579 --index-name INDEX_NAME
582 Sets the name of the new VLV index
583 --sort SORT
586 Sets a space-separated list of attributes to sort for this VLV
587 index
588 --index-it
591 Creates the database index for this VLV index definition
592
595 usage: dsconf instance backend vlv-index del-index [-h] --parent-name
596 PARENT_NAME
597 [--index-name IN‐
598 DEX_NAME]
599 [--sort SORT]
600 be_name
601 be_name
604 The backend name of the VLV index
605
608 --parent-name PARENT_NAME
609 Sets the name or "cn" attribute value of the parent VLV search
610 entry
611 --index-name INDEX_NAME
614 Sets the name of the VLV index to delete
615 --sort SORT
618 Delete a VLV index that has this vlvsort value
619
622 usage: dsconf instance backend vlv-index reindex [-h]
623 [--index-name IN‐
624 DEX_NAME]
625 --parent-name PAR‐
626 ENT_NAME
627 be_name
628 be_name
631 The backend name of the VLV index
632
635 --index-name INDEX_NAME
636 Sets the name of the VLV index entry to re-index. If not set,
637 all indexes are re-indexed
638 --parent-name PARENT_NAME
641 Sets the name or "cn" attribute value of the parent VLV search
642 entry
643
646 usage: dsconf instance backend attr-encrypt [-h] [--list]
647 [--just-names]
648 [--add-attr ADD_ATTR]
649 [--del-attr DEL_ATTR]
650 be_name
651 be_name
654 The backend name or suffix
655
658 --list Lists all encrypted attributes in the backend
659 --just-names
662 List only the names of the encrypted attributes when used with
663 --list
664 --add-attr ADD_ATTR
667 Enables encryption for the specified attribute
668 --del-attr DEL_ATTR
671 Disables encryption for the specified attribute
672
675 usage: dsconf instance backend config [-h] {get,set} ...
676
679 dsconf backend config get
680 Display the global database configuration
681 dsconf backend config set
683 Set the global database configuration
684
687 usage: dsconf instance backend config get [-h]
688
691 usage: dsconf instance backend config set [-h]
692 [--lookthroughlimit LOOK‐
693 THROUGHLIMIT]
694 [--mode MODE]
695 [--idlistscanlimit
696 IDLISTSCANLIMIT]
697 [--directory DIRECTORY]
698 [--dbcachesize DBCACHESIZE]
699 [--logdirectory LOGDIRECTORY]
700 [--txn-wait TXN_WAIT]
701 [--checkpoint-interval CHECK‐
702 POINT_INTERVAL]
703 [--compactdb-interval COM‐
704 PACTDB_INTERVAL]
705 [--compactdb-time COM‐
706 PACTDB_TIME]
707 [--txn-batch-val
708 TXN_BATCH_VAL]
709 [--txn-batch-min
710 TXN_BATCH_MIN]
711 [--txn-batch-max
712 TXN_BATCH_MAX]
713 [--logbufsize LOGBUFSIZE]
714 [--locks LOCKS]
715 [--locks-monitoring-enabled
716 LOCKS_MONITORING_ENABLED]
717 [--locks-monitoring-threshold
718 LOCKS_MONITORING_THRESHOLD]
719 [--locks-monitoring-pause
720 LOCKS_MONITORING_PAUSE]
721 [--import-cache-autosize IM‐
722 PORT_CACHE_AUTOSIZE]
723 [--cache-autosize CACHE_AUTO‐
724 SIZE]
725 [--cache-autosize-split
726 CACHE_AUTOSIZE_SPLIT]
727 [--import-cachesize IM‐
728 PORT_CACHESIZE]
729 [--exclude-from-export EX‐
730 CLUDE_FROM_EXPORT]
731 [--pagedlookthroughlimit
732 PAGEDLOOKTHROUGHLIMIT]
733 [--pagedidlistscanlimit PAGE‐
734 DIDLISTSCANLIMIT]
735 [--rangelookthroughlimit
736 RANGELOOKTHROUGHLIMIT]
737 [--backend-opt-level BACK‐
738 END_OPT_LEVEL]
739 [--deadlock-policy DEAD‐
740 LOCK_POLICY]
741 [--db-home-directory
742 DB_HOME_DIRECTORY]
743 [--db-lib DB_LIB]
744 [--mdb-max-size MDB_MAX_SIZE]
745 [--mdb-max-readers
746 MDB_MAX_READERS]
747 [--mdb-max-dbs MDB_MAX_DBS]
748
751 --lookthroughlimit LOOKTHROUGHLIMIT
752 Specifies the maximum number of entries that the server will
753 check when examining candidate entries in response to a search
754 request
755 --mode MODE
758 Specifies the permissions used for newly created index files
759 --idlistscanlimit IDLISTSCANLIMIT
762 Specifies the number of entry IDs that are searched during a
763 search operation
764 --directory DIRECTORY
767 Specifies absolute path to database instance
768 --dbcachesize DBCACHESIZE
771 Specifies the database index cache size in bytes
772 --logdirectory LOGDIRECTORY
775 Specifies the path to the directory that contains the database
776 transaction logs
777 --txn-wait TXN_WAIT
780 Sets whether the server should should wait if there are no db
781 locks available
782 --checkpoint-interval CHECKPOINT_INTERVAL
785 Sets the amount of time in seconds after which the server sends
786 a checkpoint entry to the database transaction log
787 --compactdb-interval COMPACTDB_INTERVAL
790 Sets the interval in seconds when the database is compacted
791 --compactdb-time COMPACTDB_TIME
794 Sets the time (HH:MM format) of day when to compact the database
795 after the "compactdb interval" has been reached
796 --txn-batch-val TXN_BATCH_VAL
799 Specifies how many transactions will be batched before being
800 committed
801 --txn-batch-min TXN_BATCH_MIN
804 Controls when transactions should be flushed earliest, indepen‐
805 dently of the batch count. Requires that txn-batch-val is set
806 --txn-batch-max TXN_BATCH_MAX
809 Controls when transactions should be flushed latest, indepen‐
810 dently of the batch count. Requires that txn-batch-val is set)
811 --logbufsize LOGBUFSIZE
814 Specifies the transaction log information buffer size
815 --locks LOCKS
818 Sets the maximum number of database locks
819 --locks-monitoring-enabled LOCKS_MONITORING_ENABLED
822 Enables or disables monitoring of DB locks when the value
823 crosses the percentage set with "--locks-monitoring-threshold"
824 --locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD
827 Sets the DB lock exhaustion threshold in percentage (valid range
828 is 70-90). When the threshold is reached, all searches are
829 aborted until the number of active locks decreases below the
830 configured threshold and/or the administrator increases the num‐
831 ber of database locks (nsslapd-db-locks). This threshold is a
832 safeguard against DB corruption which might be caused by locks
833 exhaustion.
834 --locks-monitoring-pause LOCKS_MONITORING_PAUSE
837 Sets the DB lock monitoring value in milliseconds for the amount
838 of time that the monitoring thread spends waiting between
839 checks.
840 --import-cache-autosize IMPORT_CACHE_AUTOSIZE
843 Enables or disables to automatically set the size of the import
844 cache to be used during the import process of LDIF files
845 --cache-autosize CACHE_AUTOSIZE
848 Sets the percentage of free memory that is used in total for the
849 database and entry cache. "0" disables this feature.
850 --cache-autosize-split CACHE_AUTOSIZE_SPLIT
853 Sets the percentage of RAM that is used for the database cache.
854 The remaining percentage is used for the entry cache
855 --import-cachesize IMPORT_CACHESIZE
858 Sets the size in bytes of the database cache used in the import
859 process.
860 --exclude-from-export EXCLUDE_FROM_EXPORT
863 List of attributes to not include during database export opera‐
864 tions
865 --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
868 Specifies the maximum number of entries that the server will
869 check when examining candidate entries for a search which uses
870 the simple paged results control
871 --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
874 Specifies the number of entry IDs that are searched, specifi‐
875 cally, for a search operation using the simple paged results
876 control.
877 --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
880 Specifies the maximum number of entries that the server will
881 check when examining candidate entries in response to a range
882 search request.
883 --backend-opt-level BACKEND_OPT_LEVEL
886 Sets the backend optimization level for write performance (0, 1,
887 2, or 4). WARNING: This parameter can trigger experimental
888 code.
889 --deadlock-policy DEADLOCK_POLICY
892 Adjusts the backend database deadlock policy (Advanced setting)
893 --db-home-directory DB_HOME_DIRECTORY
896 Sets the directory for the database mmapped files (Advanced set‐
897 ting)
898 --db-lib DB_LIB
901 Sets which db lib is used. Valid values are: bdb or mdb
902 --mdb-max-size MDB_MAX_SIZE
905 Sets the lmdb database maximum size (in bytes).
906 --mdb-max-readers MDB_MAX_READERS
909 Sets the lmdb database maximum number of readers (Advanced set‐
910 ting)
911 --mdb-max-dbs MDB_MAX_DBS
914 Sets the lmdb database maximum number of sub databases (Advanced
915 setting)
916
919 usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
920
923 --suffix SUFFIX
924 Displays monitoring information only for the specified suffix
925
928 usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
929 [-g GEN_UNIQ_ID] [-O]
930 [-s INCLUDE_SUFFIXES [IN‐
931 CLUDE_SUFFIXES ...]]
932 [-x EXCLUDE_SUFFIXES [EX‐
933 CLUDE_SUFFIXES ...]]
934 [--timeout TIMEOUT]
935 [be_name] [ldifs ...]
936 be_name
939 The backend name or the root suffix
940 ldifs Specifies the filename of the input LDIF files. Multiple files
943 are imported in the specified order.
944
947 -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
948 The number of chunks to have during the import operation
949 -E, --encrypted
952 Encrypt attributes configured in the database for encryption
953 -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
956 Generate a unique id. Set "none" for no unique ID to be gener‐
957 ated and "deterministic" for the generated unique ID to be
958 name-based. By default, a time-based unique ID is generated.
959 When using the deterministic generation to have a name-based
960 unique ID, it is also possible to specify the namespace for the
961 server to use. namespaceId is a string of characters in the for‐
962 mat 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.
963 -O, --only-core
966 Creates only the core database attribute indexes
967 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
970 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
971 Specifies the suffixes or the subtrees to be included
972 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
975 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
976 Specifies the suffixes to be excluded
977 --timeout TIMEOUT
980 Set a timeout to wait for the export task. Default is 0 (no
981 timeout)
982
985 usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
986 [-N] [-r]
987 [-u] [-U]
988 [-s INCLUDE_SUFFIXES [IN‐
989 CLUDE_SUFFIXES ...]]
990 [-x EXCLUDE_SUFFIXES [EX‐
991 CLUDE_SUFFIXES ...]]
992 [--timeout TIMEOUT]
993 be_names [be_names ...]
994 be_names
997 The backend names or the root suffixes
998
1001 -l LDIF, --ldif LDIF
1002 Sets the filename of the output LDIF file. Separate multiple
1003 file names with spaces.
1004 -C, --use-id2entry
1007 Uses only the main database file
1008 -E, --encrypted
1011 Decrypts encrypted data during export. This option is used only
1012 if database encryption is enabled.
1013 -m, --min-base64
1016 Sets minimal base-64 encoding
1017 -N, --no-seq-num
1020 Suppresses printing the sequence numbers
1021 -r, --replication
1024 Exports the data with information required to initialize a
1025 replica
1026 -u, --no-dump-uniq-id
1029 Omits exporting the unique ID
1030 -U, --not-folded
1033 Disables folding the output
1034 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
1037 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
1038 Specifies the suffixes or the subtrees to be included
1039 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
1042 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
1043 Specifies the suffixes to be excluded
1044 --timeout TIMEOUT
1047 Set a timeout to wait for the export task. Default is 0 (no
1048 timeout)
1049
1052 usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUF‐
1053 FIX]
1054 --suffix SUFFIX --be-name BE_NAME
1055 [--create-entries] [--create-suf‐
1056 fix]
1057
1060 --parent-suffix PARENT_SUFFIX
1061 Sets the parent suffix only if this backend is a sub-suffix
1062 --suffix SUFFIX
1065 Sets the database suffix DN
1066 --be-name BE_NAME
1069 Sets the database backend name"
1070 --create-entries
1073 Adds sample entries to the database
1074 --create-suffix
1077 Creates the suffix object entry in the database. Only suffixes
1078 using the 'dc',
1079
1082 usage: dsconf instance backend delete [-h] [--do-it] be_name
1083 be_name
1086 The backend name or suffix
1087
1090 --do-it
1091 Remove backend and its subsuffixes
1092
1095 usage: dsconf instance backend get-tree [-h]
1096
1099 usage: dsconf instance backend compact-db [-h] [--only-changelog]
1100 [--timeout TIMEOUT]
1101
1104 --only-changelog
1105 Compacts only the replication change log
1106 --timeout TIMEOUT
1109 Set a timeout to wait for the compaction task. Default is 0 (no
1110 timeout)
1111
1114 usage: dsconf instance backup [-h] {create,restore} ...
1115
1118 dsconf backup create
1119 Creates a backup of the database
1120 dsconf backup restore
1122 Restores a database from a backup
1123
1126 usage: dsconf instance backup create [-h] [-t DB_TYPE] [--timeout TIME‐
1127 OUT]
1128 [archive]
1129 archive
1132 Sets the directory where to store the backup files. Format: in‐
1133 stance_name- year_month_date_hour_minutes_seconds. Default:
1134 /var/lib/dirsrv/slapd- instance/bak/
1135
1138 -t DB_TYPE, --db-type DB_TYPE
1139 Sets the database type. Default: ldbm database
1140 --timeout TIMEOUT
1143 Sets the task timeout. Default is 120 seconds,
1144
1147 usage: dsconf instance backup restore [-h] [-t DB_TYPE] [--timeout
1148 TIMEOUT]
1149 archive
1150 archive
1153 Set the directory that contains the backup files
1154
1157 -t DB_TYPE, --db-type DB_TYPE
1158 Sets the database type. Default: ldbm database
1159 --timeout TIMEOUT
1162 Sets the task timeout. Default is 120 seconds.
1163
1166 usage: dsconf instance chaining [-h]
1167 {config-get,config-set,con‐
1168 fig-get-def,config-set-def,link-cre‐
1169 ate,link-get,link-set,link-delete,monitor,link-list}
1170 ...
1171
1174 dsconf chaining config-get
1175 Display the chaining controls and server component lists
1176 dsconf chaining config-set
1178 Set the chaining controls and server component lists
1179 dsconf chaining config-get-def
1181 Display the default creation parameters for new database links
1182 dsconf chaining config-set-def
1184 Set the default creation parameters for new database links
1185 dsconf chaining link-create
1187 Create a database link to a remote server
1188 dsconf chaining link-get
1190 Displays chaining database links
1191 dsconf chaining link-set
1193 Edit a database link to a remote server
1194 dsconf chaining link-delete
1196 Delete a database link
1197 dsconf chaining monitor
1199 Display monitor information for a database chaining link
1200 dsconf chaining link-list
1202 List database links
1203
1206 usage: dsconf instance chaining config-get [-h] [--avail-controls]
1207 [--avail-comps]
1208
1211 --avail-controls
1212 Lists available chaining controls
1213 --avail-comps
1216 Lists available chaining plugin components
1217
1220 usage: dsconf instance chaining config-set [-h] [--add-control ADD_CON‐
1221 TROL]
1222 [--del-control DEL_CONTROL]
1223 [--add-comp ADD_COMP]
1224 [--del-comp DEL_COMP]
1225
1228 --add-control ADD_CONTROL
1229 Adds a transmitted control OID
1230 --del-control DEL_CONTROL
1233 Deletes a transmitted control OID
1234 --add-comp ADD_COMP
1237 Adds a chaining component
1238 --del-comp DEL_COMP
1241 Deletes a chaining component
1242
1245 usage: dsconf instance chaining config-get-def [-h]
1246
1249 usage: dsconf instance chaining config-set-def [-h]
1250 [--conn-bind-limit
1251 CONN_BIND_LIMIT]
1252 [--conn-op-limit
1253 CONN_OP_LIMIT]
1254 [--abandon-check-inter‐
1255 val ABANDON_CHECK_INTERVAL]
1256 [--bind-limit
1257 BIND_LIMIT]
1258 [--op-limit OP_LIMIT]
1259 [--proxied-auth PROX‐
1260 IED_AUTH]
1261 [--conn-lifetime
1262 CONN_LIFETIME]
1263 [--bind-timeout
1264 BIND_TIMEOUT]
1265 [--return-ref RE‐
1266 TURN_REF]
1267 [--check-aci CHECK_ACI]
1268 [--bind-attempts
1269 BIND_ATTEMPTS]
1270 [--size-limit
1271 SIZE_LIMIT]
1272 [--time-limit
1273 TIME_LIMIT]
1274 [--hop-limit HOP_LIMIT]
1275 [--response-delay RE‐
1276 SPONSE_DELAY]
1277 [--test-response-delay
1278 TEST_RESPONSE_DELAY]
1279 [--use-starttls
1280 USE_STARTTLS]
1281
1284 --conn-bind-limit CONN_BIND_LIMIT
1285 Sets the maximum number of BIND connections the database link
1286 establishes with the remote server
1287 --conn-op-limit CONN_OP_LIMIT
1290 Sets the maximum number of LDAP connections the database link
1291 establishes with the remote server
1292 --abandon-check-interval ABANDON_CHECK_INTERVAL
1295 Sets the number of seconds that pass before the server checks
1296 for abandoned operations
1297 --bind-limit BIND_LIMIT
1300 Sets the maximum number of concurrent bind operations per TCP
1301 connection
1302 --op-limit OP_LIMIT
1305 Sets the maximum number of concurrent operations allowed
1306 --proxied-auth PROXIED_AUTH
1309 Enables or disables proxied authorization. If set to "off", the
1310 server executes bind for chained operations as the user set in
1311 the nsMultiplexorBindDn attribute.
1312 --conn-lifetime CONN_LIFETIME
1315 Specifies connection lifetime in seconds. "0" keeps the connec‐
1316 tion open forever.
1317 --bind-timeout BIND_TIMEOUT
1320 Sets the amount of time in seconds before a bind attempt times
1321 out
1322 --return-ref RETURN_REF
1325 Enables or disables whether referrals are returned by scoped
1326 searches
1327 --check-aci CHECK_ACI
1330 Enables or disables whether the server evaluates ACIs on the
1331 database link as well as the remote data server
1332 --bind-attempts BIND_ATTEMPTS
1335 Sets the number of times the server tries to bind to the remote
1336 server
1337 --size-limit SIZE_LIMIT
1340 Sets the maximum number of entries to return from a search oper‐
1341 ation
1342 --time-limit TIME_LIMIT
1345 Sets the maximum number of seconds allowed for an operation
1346 --hop-limit HOP_LIMIT
1349 Sets the maximum number of times a database is allowed to chain.
1350 That is the number of times a request can be forwarded from one
1351 database link to another.
1352 --response-delay RESPONSE_DELAY
1355 Sets the maximum amount of time it can take a remote server to
1356 respond to an LDAP operation request made by a database link be‐
1357 fore an error is suspected
1358 --test-response-delay TEST_RESPONSE_DELAY
1361 Sets the duration of the test issued by the database link to
1362 check whether the remote server is responding
1363 --use-starttls USE_STARTTLS
1366 Configured that database links use StartTLS if set to "on"
1367
1370 usage: dsconf instance chaining link-create [-h]
1371 [--conn-bind-limit
1372 CONN_BIND_LIMIT]
1373 [--conn-op-limit
1374 CONN_OP_LIMIT]
1375 [--abandon-check-interval
1376 ABANDON_CHECK_INTERVAL]
1377 [--bind-limit BIND_LIMIT]
1378 [--op-limit OP_LIMIT]
1379 [--proxied-auth PROX‐
1380 IED_AUTH]
1381 [--conn-lifetime CONN_LIFE‐
1382 TIME]
1383 [--bind-timeout BIND_TIME‐
1384 OUT]
1385 [--return-ref RETURN_REF]
1386 [--check-aci CHECK_ACI]
1387 [--bind-attempts BIND_AT‐
1388 TEMPTS]
1389 [--size-limit SIZE_LIMIT]
1390 [--time-limit TIME_LIMIT]
1391 [--hop-limit HOP_LIMIT]
1392 [--response-delay RE‐
1393 SPONSE_DELAY]
1394 [--test-response-delay
1395 TEST_RESPONSE_DELAY]
1396 [--use-starttls USE_START‐
1397 TLS]
1398 --suffix SUFFIX
1399 --server-url
1400 SERVER_URL --bind-mech
1401 BIND_MECH
1402 --bind-dn BIND_DN
1403 [--bind-pw BIND_PW]
1404 [--bind-pw-file
1405 BIND_PW_FILE]
1406 [--bind-pw-prompt]
1407 CHAIN_NAME
1408 CHAIN_NAME
1411 The name of the database link
1412
1415 --conn-bind-limit CONN_BIND_LIMIT
1416 Sets the maximum number of BIND connections the database link
1417 establishes with the remote server
1418 --conn-op-limit CONN_OP_LIMIT
1421 Sets the maximum number of LDAP connections the database link
1422 establishes with the remote server
1423 --abandon-check-interval ABANDON_CHECK_INTERVAL
1426 Sets the number of seconds that pass before the server checks
1427 for abandoned operations
1428 --bind-limit BIND_LIMIT
1431 Sets the maximum number of concurrent bind operations per TCP
1432 connection
1433 --op-limit OP_LIMIT
1436 Sets the maximum number of concurrent operations allowed
1437 --proxied-auth PROXIED_AUTH
1440 Enables or disables proxied authorization. If set to "off", the
1441 server executes bind for chained operations as the user set in
1442 the nsMultiplexorBindDn attribute.
1443 --conn-lifetime CONN_LIFETIME
1446 Specifies connection lifetime in seconds. "0" keeps the connec‐
1447 tion open forever.
1448 --bind-timeout BIND_TIMEOUT
1451 Sets the amount of time in seconds before a bind attempt times
1452 out
1453 --return-ref RETURN_REF
1456 Enables or disables whether referrals are returned by scoped
1457 searches
1458 --check-aci CHECK_ACI
1461 Enables or disables whether the server evaluates ACIs on the
1462 database link as well as the remote data server
1463 --bind-attempts BIND_ATTEMPTS
1466 Sets the number of times the server tries to bind to the remote
1467 server
1468 --size-limit SIZE_LIMIT
1471 Sets the maximum number of entries to return from a search oper‐
1472 ation
1473 --time-limit TIME_LIMIT
1476 Sets the maximum number of seconds allowed for an operation
1477 --hop-limit HOP_LIMIT
1480 Sets the maximum number of times a database is allowed to chain.
1481 That is the number of times a request can be forwarded from one
1482 database link to another.
1483 --response-delay RESPONSE_DELAY
1486 Sets the maximum amount of time it can take a remote server to
1487 respond to an LDAP operation request made by a database link be‐
1488 fore an error is suspected
1489 --test-response-delay TEST_RESPONSE_DELAY
1492 Sets the duration of the test issued by the database link to
1493 check whether the remote server is responding
1494 --use-starttls USE_STARTTLS
1497 Configured that database links use StartTLS if set to "on"
1498 --suffix SUFFIX
1501 Sets the suffix managed by the database link
1502 --server-url SERVER_URL
1505 Sets the LDAP/LDAPS URL to the remote server
1506 --bind-mech BIND_MECH
1509 Sets the authentication method to use to authenticate to the re‐
1510 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1511 GEST-MD5", or "GSSAPI"
1512 --bind-dn BIND_DN
1515 Sets the DN of the administrative entry used to communicate with
1516 the remote server
1517 --bind-pw BIND_PW
1520 Sets the password of the administrative user
1521 --bind-pw-file BIND_PW_FILE
1524 File containing the password
1525 --bind-pw-prompt
1528 Prompt for password
1529
1532 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1533 CHAIN_NAME
1536 The chaining link name or suffix to retrieve
1537
1540 usage: dsconf instance chaining link-set [-h]
1541 [--conn-bind-limit
1542 CONN_BIND_LIMIT]
1543 [--conn-op-limit
1544 CONN_OP_LIMIT]
1545 [--abandon-check-interval
1546 ABANDON_CHECK_INTERVAL]
1547 [--bind-limit BIND_LIMIT]
1548 [--op-limit OP_LIMIT]
1549 [--proxied-auth PROXIED_AUTH]
1550 [--conn-lifetime CONN_LIFE‐
1551 TIME]
1552 [--bind-timeout BIND_TIMEOUT]
1553 [--return-ref RETURN_REF]
1554 [--check-aci CHECK_ACI]
1555 [--bind-attempts BIND_AT‐
1556 TEMPTS]
1557 [--size-limit SIZE_LIMIT]
1558 [--time-limit TIME_LIMIT]
1559 [--hop-limit HOP_LIMIT]
1560 [--response-delay RESPONSE_DE‐
1561 LAY]
1562 [--test-response-delay
1563 TEST_RESPONSE_DELAY]
1564 [--use-starttls USE_STARTTLS]
1565 [--suffix SUFFIX]
1566 [--server-url SERVER_URL]
1567 [--bind-mech BIND_MECH]
1568 [--bind-dn BIND_DN]
1569 [--bind-pw BIND_PW]
1570 [--bind-pw-file BIND_PW_FILE]
1571 [--bind-pw-prompt]
1572 CHAIN_NAME
1573 CHAIN_NAME
1576 The name of the database link
1577
1580 --conn-bind-limit CONN_BIND_LIMIT
1581 Sets the maximum number of BIND connections the database link
1582 establishes with the remote server
1583 --conn-op-limit CONN_OP_LIMIT
1586 Sets the maximum number of LDAP connections the database link
1587 establishes with the remote server
1588 --abandon-check-interval ABANDON_CHECK_INTERVAL
1591 Sets the number of seconds that pass before the server checks
1592 for abandoned operations
1593 --bind-limit BIND_LIMIT
1596 Sets the maximum number of concurrent bind operations per TCP
1597 connection
1598 --op-limit OP_LIMIT
1601 Sets the maximum number of concurrent operations allowed
1602 --proxied-auth PROXIED_AUTH
1605 Enables or disables proxied authorization. If set to "off", the
1606 server executes bind for chained operations as the user set in
1607 the nsMultiplexorBindDn attribute.
1608 --conn-lifetime CONN_LIFETIME
1611 Specifies connection lifetime in seconds. "0" keeps the connec‐
1612 tion open forever.
1613 --bind-timeout BIND_TIMEOUT
1616 Sets the amount of time in seconds before a bind attempt times
1617 out
1618 --return-ref RETURN_REF
1621 Enables or disables whether referrals are returned by scoped
1622 searches
1623 --check-aci CHECK_ACI
1626 Enables or disables whether the server evaluates ACIs on the
1627 database link as well as the remote data server
1628 --bind-attempts BIND_ATTEMPTS
1631 Sets the number of times the server tries to bind to the remote
1632 server
1633 --size-limit SIZE_LIMIT
1636 Sets the maximum number of entries to return from a search oper‐
1637 ation
1638 --time-limit TIME_LIMIT
1641 Sets the maximum number of seconds allowed for an operation
1642 --hop-limit HOP_LIMIT
1645 Sets the maximum number of times a database is allowed to chain.
1646 That is the number of times a request can be forwarded from one
1647 database link to another.
1648 --response-delay RESPONSE_DELAY
1651 Sets the maximum amount of time it can take a remote server to
1652 respond to an LDAP operation request made by a database link be‐
1653 fore an error is suspected
1654 --test-response-delay TEST_RESPONSE_DELAY
1657 Sets the duration of the test issued by the database link to
1658 check whether the remote server is responding
1659 --use-starttls USE_STARTTLS
1662 Configured that database links use StartTLS if set to "on"
1663 --suffix SUFFIX
1666 Sets the suffix managed by the database link
1667 --server-url SERVER_URL
1670 Sets the LDAP/LDAPS URL to the remote server
1671 --bind-mech BIND_MECH
1674 Sets the authentication method to use to authenticate to the re‐
1675 mote server: Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1676 GEST-MD5", or "GSSAPI"
1677 --bind-dn BIND_DN
1680 Sets the DN of the administrative entry used to communicate with
1681 the remote server
1682 --bind-pw BIND_PW
1685 Sets the password of the administrative user
1686 --bind-pw-file BIND_PW_FILE
1689 File containing the password
1690 --bind-pw-prompt
1693 Prompt for password
1694
1697 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1698 CHAIN_NAME
1701 The name of the database link
1702
1705 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1706 CHAIN_NAME
1709 The name of the database link
1710
1713 usage: dsconf instance chaining link-list [-h]
1714
1717 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1718
1721 dsconf config get
1722 get
1723 dsconf config add
1725 Add attribute value to configuration
1726 dsconf config replace
1728 Replace attribute value in configuration
1729 dsconf config delete
1731 Delete attribute value in configuration
1732
1735 usage: dsconf instance config get [-h] [attrs ...]
1736 attrs Configuration attribute(s) to get
1739
1742 usage: dsconf instance config add [-h] [attr ...]
1743 attr Configuration attribute to add
1746
1749 usage: dsconf instance config replace [-h] [attr ...]
1750 attr Configuration attribute to replace
1753
1756 usage: dsconf instance config delete [-h] [attr ...]
1757 attr Configuration attribute to delete
1760
1763 usage: dsconf instance directory_manager [-h] {password_change} ...
1764
1767 dsconf directory_manager password_change
1768 Changes the password of the Directory Manager account
1769
1772 usage: dsconf instance directory_manager password_change [-h]
1773
1776 usage: dsconf instance monitor [-h]
1777 {server,dbmon,ldbm,backend,snmp,chain‐
1778 ing,disk}
1779 ...
1780
1783 dsconf monitor server
1784 Displays the server statistics, connections, and operations
1785 dsconf monitor dbmon
1787 Monitor all database statistics in a single report
1788 dsconf monitor ldbm
1790 Monitor the LDBM statistics, such as dbcache
1791 dsconf monitor backend
1793 Monitor the behavior of a backend database
1794 dsconf monitor snmp
1796 Displays the SNMP statistics
1797 dsconf monitor chaining
1799 Monitor database chaining statistics
1800 dsconf monitor disk
1802 Displays the disk space statistics. All values are in bytes.
1803
1806 usage: dsconf instance monitor server [-h]
1807
1810 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1811
1814 -b BACKENDS, --backends BACKENDS
1815 Specifies a list of space-separated backends to monitor. Default
1816 is all backends.
1817 -x, --indexes
1820 Shows index stats for each backend
1821
1824 usage: dsconf instance monitor ldbm [-h]
1825
1828 usage: dsconf instance monitor backend [-h] [backend]
1829 backend
1832 The optional name of the backend to monitor
1833
1836 usage: dsconf instance monitor snmp [-h]
1837
1840 usage: dsconf instance monitor chaining [-h] [backend]
1841 backend
1844 The optional name of the chaining backend to monitor
1845
1848 usage: dsconf instance monitor disk [-h]
1849
1852 usage: dsconf instance plugin [-h]
1853 {memberof,automember,referential-integ‐
1854 rity,root-dn,usn,account-pol‐
1855 icy,attr-uniq,dna,ldap-pass-through-auth,linked-attr,managed-en‐
1856 tries,pam-pass-through-auth,retro-changelog,posix-winsync,con‐
1857 tentsync,entryuuid,list,show,set}
1858 ...
1859
1862 dsconf plugin memberof
1863 Manage and configure MemberOf plugin
1864 dsconf plugin automember
1866 Manage and configure Automembership plugin
1867 dsconf plugin referential-integrity
1869 Manage and configure Referential Integrity Postoperation plugin
1870 dsconf plugin root-dn
1872 Manage and configure RootDN Access Control plugin
1873 dsconf plugin usn
1875 Manage and configure USN plugin
1876 dsconf plugin account-policy
1878 Manage and configure Account Policy plugin
1879 dsconf plugin attr-uniq
1881 Manage and configure Attribute Uniqueness plugin
1882 dsconf plugin dna
1884 Manage and configure DNA plugin
1885 dsconf plugin ldap-pass-through-auth
1887 Manage and configure LDAP Pass-Through Authentication Plugin
1888 dsconf plugin linked-attr
1890 Manage and configure Linked Attributes plugin
1891 dsconf plugin managed-entries
1893 Manage and configure Managed Entries Plugin
1894 dsconf plugin pam-pass-through-auth
1896 Manage and configure Pass-Through Authentication plugins (LDAP
1897 URLs and PAM)
1898 dsconf plugin retro-changelog
1900 Manage and configure Retro Changelog plugin
1901 dsconf plugin posix-winsync
1903 Manage and configure the Posix Winsync API plugin
1904 dsconf plugin contentsync
1906 Manage and configure Content Sync Plugin (aka syncrepl)
1907 dsconf plugin entryuuid
1909 Manage and configure EntryUUID plugin
1910 dsconf plugin list
1912 List current configured (enabled and disabled) plugins
1913 dsconf plugin show
1915 Show the plugin data
1916 dsconf plugin set
1918 Edit the plugin settings
1919
1922 usage: dsconf instance plugin memberof [-h]
1923 {show,enable,disable,sta‐
1924 tus,set,config-entry,fixup,fixup-status}
1925 ...
1926
1929 dsconf plugin memberof show
1930 Displays the plugin configuration
1931 dsconf plugin memberof enable
1933 Enables the plugin
1934 dsconf plugin memberof disable
1936 Disables the plugin
1937 dsconf plugin memberof status
1939 Displays the plugin status
1940 dsconf plugin memberof set
1942 Edit the plugin settings
1943 dsconf plugin memberof config-entry
1945 Manage the config entry
1946 dsconf plugin memberof fixup
1948 Run the fix-up task for memberOf plugin
1949 dsconf plugin memberof fixup-status
1951 Check the status of a fix-up task
1952
1955 usage: dsconf instance plugin memberof show [-h]
1956
1959 usage: dsconf instance plugin memberof enable [-h]
1960
1963 usage: dsconf instance plugin memberof disable [-h]
1964
1967 usage: dsconf instance plugin memberof status [-h]
1968
1971 usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
1972 [--groupattr GROUPATTR
1973 [GROUPATTR ...]]
1974 [--allbackends {on,off}]
1975 [--skipnested {on,off}]
1976 [--scope SCOPE [SCOPE ...]]
1977 [--exclude EXCLUDE [EXCLUDE
1978 ...]]
1979 [--autoaddoc AUTOADDOC]
1980 [--config-entry CONFIG_EN‐
1981 TRY]
1982
1985 --attr ATTR
1986 Specifies the attribute in the user entry for the Directory
1987 Server to manage to reflect group membership (memberOfAttr)
1988 --groupattr GROUPATTR [GROUPATTR ...]
1991 Specifies the attribute in the group entry to use to identify
1992 the DNs of group members (memberOfGroupAttr)
1993 --allbackends {on,off}
1996 Specifies whether to search the local suffix for user entries on
1997 all available suffixes (memberOfAllBackends)
1998 --skipnested {on,off}
2001 Specifies whether to skip nested groups or not (memberOfSkip‐
2002 Nested)
2003 --scope SCOPE [SCOPE ...]
2006 Specifies backends or multiple-nested suffixes for the MemberOf
2007 plug-in to work on (memberOfEntryScope)
2008 --exclude EXCLUDE [EXCLUDE ...]
2011 Specifies backends or multiple-nested suffixes for the MemberOf
2012 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2013 --autoaddoc AUTOADDOC
2016 If an entry does not have an object class that allows the mem‐
2017 berOf attribute then the memberOf plugin will automatically add
2018 the object class listed in the memberOfAutoAddOC parameter
2019 --config-entry CONFIG_ENTRY
2022 The value to set as nsslapd-pluginConfigArea
2023
2026 usage: dsconf instance plugin memberof config-entry [-h]
2027 {add,set,show,delete}
2028 ...
2029
2032 dsconf plugin memberof config-entry add
2033 Add the config entry
2034 dsconf plugin memberof config-entry set
2036 Edit the config entry
2037 dsconf plugin memberof config-entry show
2039 Display the config entry
2040 dsconf plugin memberof config-entry delete
2042 Delete the config entry
2043
2046 usage: dsconf instance plugin memberof config-entry add [-h] [--attr
2047 ATTR]
2048 [--groupattr
2049 GROUPATTR [GROUPATTR ...]]
2050 [--allbackends
2051 {on,off}]
2052 [--skipnested
2053 {on,off}]
2054 [--scope SCOPE
2055 [SCOPE ...]]
2056 [--exclude EX‐
2057 CLUDE [EXCLUDE ...]]
2058 [--autoaddoc
2059 AUTOADDOC]
2060 DN
2061 DN The config entry full DN
2064
2067 --attr ATTR
2068 Specifies the attribute in the user entry for the Directory
2069 Server to manage to reflect group membership (memberOfAttr)
2070 --groupattr GROUPATTR [GROUPATTR ...]
2073 Specifies the attribute in the group entry to use to identify
2074 the DNs of group members (memberOfGroupAttr)
2075 --allbackends {on,off}
2078 Specifies whether to search the local suffix for user entries on
2079 all available suffixes (memberOfAllBackends)
2080 --skipnested {on,off}
2083 Specifies whether to skip nested groups or not (memberOfSkip‐
2084 Nested)
2085 --scope SCOPE [SCOPE ...]
2088 Specifies backends or multiple-nested suffixes for the MemberOf
2089 plug-in to work on (memberOfEntryScope)
2090 --exclude EXCLUDE [EXCLUDE ...]
2093 Specifies backends or multiple-nested suffixes for the MemberOf
2094 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2095 --autoaddoc AUTOADDOC
2098 If an entry does not have an object class that allows the mem‐
2099 berOf attribute then the memberOf plugin will automatically add
2100 the object class listed in the memberOfAutoAddOC parameter
2101
2104 usage: dsconf instance plugin memberof config-entry set [-h] [--attr
2105 ATTR]
2106 [--groupattr
2107 GROUPATTR [GROUPATTR ...]]
2108 [--allbackends
2109 {on,off}]
2110 [--skipnested
2111 {on,off}]
2112 [--scope SCOPE
2113 [SCOPE ...]]
2114 [--exclude EX‐
2115 CLUDE [EXCLUDE ...]]
2116 [--autoaddoc
2117 AUTOADDOC]
2118 DN
2119 DN The config entry full DN
2122
2125 --attr ATTR
2126 Specifies the attribute in the user entry for the Directory
2127 Server to manage to reflect group membership (memberOfAttr)
2128 --groupattr GROUPATTR [GROUPATTR ...]
2131 Specifies the attribute in the group entry to use to identify
2132 the DNs of group members (memberOfGroupAttr)
2133 --allbackends {on,off}
2136 Specifies whether to search the local suffix for user entries on
2137 all available suffixes (memberOfAllBackends)
2138 --skipnested {on,off}
2141 Specifies whether to skip nested groups or not (memberOfSkip‐
2142 Nested)
2143 --scope SCOPE [SCOPE ...]
2146 Specifies backends or multiple-nested suffixes for the MemberOf
2147 plug-in to work on (memberOfEntryScope)
2148 --exclude EXCLUDE [EXCLUDE ...]
2151 Specifies backends or multiple-nested suffixes for the MemberOf
2152 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2153 --autoaddoc AUTOADDOC
2156 If an entry does not have an object class that allows the mem‐
2157 berOf attribute then the memberOf plugin will automatically add
2158 the object class listed in the memberOfAutoAddOC parameter
2159
2162 usage: dsconf instance plugin memberof config-entry show [-h] DN
2163 DN The config entry full DN
2166
2169 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2170 DN The config entry full DN
2173
2176 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] [--wait]
2177 [--timeout TIMEOUT]
2178 DN
2179 DN Base DN that contains entries to fix up
2182
2185 -f FILTER, --filter FILTER
2186 Filter for entries to fix up. If omitted, all entries with ob‐
2187 jectclass inetuser/inetadmin/nsmemberof under the specified base
2188 will have their memberOf attribute regenerated.
2189 --wait Wait for the task to finish, this could take a long time
2192 --timeout TIMEOUT
2195 Sets the task timeout. ,Default is 0 (no timeout)
2196
2199 usage: dsconf instance plugin memberof fixup-status [-h] [--dn DN]
2200 [--show-log]
2201 [--watch]
2202
2205 --dn DN
2206 The task entry's DN
2207 --show-log
2210 Display the task log
2211 --watch
2214 Watch the task's status and wait for it to finish
2215
2218 usage: dsconf instance plugin automember [-h]
2219 {show,enable,disable,sta‐
2220 tus,list,definition,fixup,fixup-status,abort-fixup}
2221 ...
2222
2225 dsconf plugin automember show
2226 Displays the plugin configuration
2227 dsconf plugin automember enable
2229 Enables the plugin
2230 dsconf plugin automember disable
2232 Disables the plugin
2233 dsconf plugin automember status
2235 Displays the plugin status
2236 dsconf plugin automember list
2238 List Automembership definitions or regex rules.
2239 dsconf plugin automember definition
2241 Manage Automembership definition.
2242 dsconf plugin automember fixup
2244 Run a rebuild membership task.
2245 dsconf plugin automember fixup-status
2247 Check the status of a fix-up task
2248 dsconf plugin automember abort-fixup
2250 Abort the rebuild membership task.
2251
2254 usage: dsconf instance plugin automember show [-h]
2255
2258 usage: dsconf instance plugin automember enable [-h]
2259
2262 usage: dsconf instance plugin automember disable [-h]
2263
2266 usage: dsconf instance plugin automember status [-h]
2267
2270 usage: dsconf instance plugin automember list [-h] {defini‐
2271 tions,regexes} ...
2272
2275 dsconf plugin automember list definitions
2276 Lists Automembership definitions.
2277 dsconf plugin automember list regexes
2279 List Automembership regex rules.
2280
2283 usage: dsconf instance plugin automember list definitions [-h]
2284
2287 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2288 DEFNAME
2291 The definition entry CN
2292
2295 usage: dsconf instance plugin automember definition [-h]
2296 DEFNAME
2297 {add,set,delete,show,regex}
2298 ...
2299
2302 dsconf plugin automember definition add
2303 Creates Automembership definition.
2304 dsconf plugin automember definition set
2306 Edits Automembership definition.
2307 dsconf plugin automember definition delete
2309 Removes Automembership definition.
2310 dsconf plugin automember definition show
2312 Displays Automembership definition.
2313 dsconf plugin automember definition regex
2315 Manage Automembership regex rules.
2316
2319 usage: dsconf instance plugin automember definition DEFNAME add
2320 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2321 FAULT_GROUP]
2322 --scope SCOPE --filter FILTER
2323
2326 --grouping-attr GROUPING_ATTR
2327 Specifies the name of the member attribute in the group entry
2328 and the attribute in the object entry that supplies the member
2329 attribute value, in the format group_member_attr:entry_attr (au‐
2330 toMemberGroupingAttr)
2331 --default-group DEFAULT_GROUP
2334 Sets default or fallback group to add the entry to as a member
2335 attribute in group entry (autoMemberDefaultGroup)
2336 --scope SCOPE
2339 Sets the subtree DN to search for entries (autoMemberScope)
2340 --filter FILTER
2343 Sets a standard LDAP search filter to use to search for matching
2344 entries (autoMemberFilter)
2345
2348 usage: dsconf instance plugin automember definition DEFNAME set
2349 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2350 FAULT_GROUP]
2351 --scope SCOPE --filter FILTER
2352
2355 --grouping-attr GROUPING_ATTR
2356 Specifies the name of the member attribute in the group entry
2357 and the attribute in the object entry that supplies the member
2358 attribute value, in the format group_member_attr:entry_attr (au‐
2359 toMemberGroupingAttr)
2360 --default-group DEFAULT_GROUP
2363 Sets default or fallback group to add the entry to as a member
2364 attribute in group entry (autoMemberDefaultGroup)
2365 --scope SCOPE
2368 Sets the subtree DN to search for entries (autoMemberScope)
2369 --filter FILTER
2372 Sets a standard LDAP search filter to use to search for matching
2373 entries (autoMemberFilter)
2374
2377 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2378
2381 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2382
2385 usage: dsconf instance plugin automember definition DEFNAME regex
2386 [-h] REGEXNAME {add,set,delete,show} ...
2387
2390 dsconf plugin automember definition regex add
2391 Creates Automembership regex.
2392 dsconf plugin automember definition regex set
2394 Edits Automembership regex.
2395 dsconf plugin automember definition regex delete
2397 Removes Automembership regex.
2398 dsconf plugin automember definition regex show
2400 Displays Automembership regex.
2401
2404 usage: dsconf instance plugin automember definition DEFNAME regex
2405 REGEXNAME add
2406 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2407 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2408 GET_GROUP
2409
2412 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2413 Sets a single regular expression to use to identify entries to
2414 exclude (autoMemberExclusiveRegex)
2415 --inclusive INCLUSIVE [INCLUSIVE ...]
2418 Sets a single regular expression to use to identify entries to
2419 include (autoMemberInclusiveRegex)
2420 --target-group TARGET_GROUP
2423 Sets which group to add the entry to as a member, if it meets
2424 the regular expression conditions (autoMemberTargetGroup)
2425
2428 usage: dsconf instance plugin automember definition DEFNAME regex
2429 REGEXNAME set
2430 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2431 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2432 GET_GROUP
2433
2436 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2437 Sets a single regular expression to use to identify entries to
2438 exclude (autoMemberExclusiveRegex)
2439 --inclusive INCLUSIVE [INCLUSIVE ...]
2442 Sets a single regular expression to use to identify entries to
2443 include (autoMemberInclusiveRegex)
2444 --target-group TARGET_GROUP
2447 Sets which group to add the entry to as a member, if it meets
2448 the regular expression conditions (autoMemberTargetGroup)
2449
2452 usage: dsconf instance plugin automember definition DEFNAME regex
2453 REGEXNAME delete
2454 [-h]
2455
2458 usage: dsconf instance plugin automember definition DEFNAME regex
2459 REGEXNAME show
2460 [-h]
2461
2464 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2465 {sub,base,one}
2466 [--cleanup]
2467 [--wait] [--timeout
2468 TIMEOUT]
2469 DN
2470 DN Base DN that contains entries to fix up
2473
2476 -f FILTER, --filter FILTER
2477 Sets the LDAP filter for entries to fix up
2478 -s {sub,base,one}, --scope {sub,base,one}
2481 Sets the LDAP search scope for entries to fix up
2482 --cleanup
2485 Clean up previous group memberships before rebuilding
2486 --wait Wait for the task to finish, this could take a long time
2489 --timeout TIMEOUT
2492 Set a timeout to wait for the fixup task. Default is 0 (no time‐
2493 out)
2494
2497 usage: dsconf instance plugin automember fixup-status [-h] [--dn DN]
2498 [--show-log]
2499 [--watch]
2500
2503 --dn DN
2504 The task entry's DN
2505 --show-log
2508 Display the task log
2509 --watch
2512 Watch the task's status and wait for it to finish
2513
2516 usage: dsconf instance plugin automember abort-fixup [-h] [--timeout
2517 TIMEOUT]
2518
2521 --timeout TIMEOUT
2522 Set a timeout to wait for the abort task. Default is 0 (no time‐
2523 out)
2524
2527 usage: dsconf instance plugin referential-integrity [-h]
2528 {show,enable,dis‐
2529 able,status,set,config-entry}
2530 ...
2531
2534 dsconf plugin referential-integrity show
2535 Displays the plugin configuration
2536 dsconf plugin referential-integrity enable
2538 Enables the plugin
2539 dsconf plugin referential-integrity disable
2541 Disables the plugin
2542 dsconf plugin referential-integrity status
2544 Displays the plugin status
2545 dsconf plugin referential-integrity set
2547 Edit the plugin settings
2548 dsconf plugin referential-integrity config-entry
2550 Manage the config entry
2551
2554 usage: dsconf instance plugin referential-integrity show [-h]
2555
2558 usage: dsconf instance plugin referential-integrity enable [-h]
2559
2562 usage: dsconf instance plugin referential-integrity disable [-h]
2563
2566 usage: dsconf instance plugin referential-integrity status [-h]
2567
2570 usage: dsconf instance plugin referential-integrity set [-h]
2571 [--update-delay
2572 UPDATE_DELAY]
2573 [--member‐
2574 ship-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2575 [--entry-scope
2576 ENTRY_SCOPE]
2577 [--exclude-en‐
2578 try-scope EXCLUDE_ENTRY_SCOPE]
2579 [--con‐
2580 tainer-scope CONTAINER_SCOPE]
2581 [--log-file
2582 LOG_FILE]
2583 [--config-entry
2584 CONFIG_ENTRY]
2585
2588 --update-delay UPDATE_DELAY
2589 Sets the update interval. Special values: 0 - The check is per‐
2590 formed immediately, -1 - No check is performed (referint-up‐
2591 date-delay)
2592 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2595 Specifies attributes to check for and update (referint-member‐
2596 ship-attr)
2597 --entry-scope ENTRY_SCOPE
2600 Defines the subtree in which the plug-in looks for the delete or
2601 rename operations of a user entry (nsslapd-pluginEntryScope)
2602 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2605 Defines the subtree in which the plug-in ignores any operations
2606 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2607 tryScope)
2608 --container-scope CONTAINER_SCOPE
2611 Specifies which branch the plug-in searches for the groups to
2612 which the user belongs. It only updates groups that are under
2613 the specified container branch, and leaves all other groups not
2614 updated (nsslapd-pluginContainerScope)
2615 --log-file LOG_FILE
2618 Specifies a path to the Referential integrity logfile.For exam‐
2619 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2620 --config-entry CONFIG_ENTRY
2623 The value to set as nsslapd-pluginConfigArea
2624
2627 usage: dsconf instance plugin referential-integrity config-entry
2628 [-h] {add,set,show,delete} ...
2629
2632 dsconf plugin referential-integrity config-entry add
2633 Add the config entry
2634 dsconf plugin referential-integrity config-entry set
2636 Edit the config entry
2637 dsconf plugin referential-integrity config-entry show
2639 Display the config entry
2640 dsconf plugin referential-integrity config-entry delete
2642 Delete the config entry
2643
2646 usage: dsconf instance plugin referential-integrity config-entry add
2647 [-h] [--update-delay UPDATE_DELAY]
2648 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2649 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2650 TRY_SCOPE]
2651 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2652 DN
2653 DN The config entry full DN
2656
2659 --update-delay UPDATE_DELAY
2660 Sets the update interval. Special values: 0 - The check is per‐
2661 formed immediately, -1 - No check is performed (referint-up‐
2662 date-delay)
2663 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2666 Specifies attributes to check for and update (referint-member‐
2667 ship-attr)
2668 --entry-scope ENTRY_SCOPE
2671 Defines the subtree in which the plug-in looks for the delete or
2672 rename operations of a user entry (nsslapd-pluginEntryScope)
2673 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2676 Defines the subtree in which the plug-in ignores any operations
2677 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2678 tryScope)
2679 --container-scope CONTAINER_SCOPE
2682 Specifies which branch the plug-in searches for the groups to
2683 which the user belongs. It only updates groups that are under
2684 the specified container branch, and leaves all other groups not
2685 updated (nsslapd-pluginContainerScope)
2686 --log-file LOG_FILE
2689 Specifies a path to the Referential integrity logfile.For exam‐
2690 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2691
2694 usage: dsconf instance plugin referential-integrity config-entry set
2695 [-h] [--update-delay UPDATE_DELAY]
2696 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2697 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2698 TRY_SCOPE]
2699 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2700 DN
2701 DN The config entry full DN
2704
2707 --update-delay UPDATE_DELAY
2708 Sets the update interval. Special values: 0 - The check is per‐
2709 formed immediately, -1 - No check is performed (referint-up‐
2710 date-delay)
2711 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2714 Specifies attributes to check for and update (referint-member‐
2715 ship-attr)
2716 --entry-scope ENTRY_SCOPE
2719 Defines the subtree in which the plug-in looks for the delete or
2720 rename operations of a user entry (nsslapd-pluginEntryScope)
2721 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2724 Defines the subtree in which the plug-in ignores any operations
2725 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2726 tryScope)
2727 --container-scope CONTAINER_SCOPE
2730 Specifies which branch the plug-in searches for the groups to
2731 which the user belongs. It only updates groups that are under
2732 the specified container branch, and leaves all other groups not
2733 updated (nsslapd-pluginContainerScope)
2734 --log-file LOG_FILE
2737 Specifies a path to the Referential integrity logfile.For exam‐
2738 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2739
2742 usage: dsconf instance plugin referential-integrity config-entry show
2743 [-h] DN
2744 DN The config entry full DN
2747
2750 usage: dsconf instance plugin referential-integrity config-entry delete
2751 [-h] DN
2752 DN The config entry full DN
2755
2758 usage: dsconf instance plugin root-dn [-h]
2759 {show,enable,disable,status,set}
2760 ...
2761
2764 dsconf plugin root-dn show
2765 Displays the plugin configuration
2766 dsconf plugin root-dn enable
2768 Enables the plugin
2769 dsconf plugin root-dn disable
2771 Disables the plugin
2772 dsconf plugin root-dn status
2774 Displays the plugin status
2775 dsconf plugin root-dn set
2777 Edit the plugin settings
2778
2781 usage: dsconf instance plugin root-dn show [-h]
2782
2785 usage: dsconf instance plugin root-dn enable [-h]
2786
2789 usage: dsconf instance plugin root-dn disable [-h]
2790
2793 usage: dsconf instance plugin root-dn status [-h]
2794
2797 usage: dsconf instance plugin root-dn set [-h]
2798 [--allow-host ALLOW_HOST [AL‐
2799 LOW_HOST ...]]
2800 [--deny-host DENY_HOST
2801 [DENY_HOST ...]]
2802 [--allow-ip ALLOW_IP [AL‐
2803 LOW_IP ...]]
2804 [--deny-ip DENY_IP [DENY_IP
2805 ...]]
2806 [--open-time OPEN_TIME]
2807 [--close-time CLOSE_TIME]
2808 [--days-allowed DAYS_ALLOWED]
2809
2812 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2813 Sets what hosts, by fully-qualified domain name, the root user
2814 is allowed to use to access Directory Server. Any hosts not
2815 listed are implicitly denied (rootdn-allow-host)
2816 --deny-host DENY_HOST [DENY_HOST ...]
2819 Sets what hosts, by fully-qualified domain name, the root user
2820 is not allowed to use to access Directory Server. Any hosts not
2821 listed are implicitly allowed (rootdn-deny-host). If a host ad‐
2822 dress is listed in both the rootdn-allow-host and
2823 rootdn-deny-host attributes, it is denied access.
2824 --allow-ip ALLOW_IP [ALLOW_IP ...]
2827 Sets what IP addresses, either IPv4 or IPv6, for machines the
2828 root user is allowed to use to access Directory Server. Any IP
2829 addresses not listed are implicitly denied (rootdn-allow-ip)
2830 --deny-ip DENY_IP [DENY_IP ...]
2833 Sets what IP addresses, either IPv4 or IPv6, for machines the
2834 root user is not allowed to use to access Directory Server. Any
2835 IP addresses not listed are implicitly allowed (rootdn-deny-ip).
2836 If an IP address is listed in both the rootdn-allow-ip and
2837 rootdn-deny-ip attributes, it is denied access.
2838 --open-time OPEN_TIME
2841 Sets part of a time period or range when the root user is al‐
2842 lowed to access Directory Server. This sets when the time-based
2843 access begins (rootdn-open- time)
2844 --close-time CLOSE_TIME
2847 Sets part of a time period or range when the root user is al‐
2848 lowed to access Directory Server. This sets when the time-based
2849 access ends (rootdn-close- time)
2850 --days-allowed DAYS_ALLOWED
2853 Sets a comma-separated list of what days the root user is al‐
2854 lowed to use to access Directory Server. Any days listed are im‐
2855 plicitly denied (rootdn-days- allowed)
2856
2859 usage: dsconf instance plugin usn [-h]
2860 {show,enable,disable,sta‐
2861 tus,global,cleanup}
2862 ...
2863
2866 dsconf plugin usn show
2867 Displays the plugin configuration
2868 dsconf plugin usn enable
2870 Enables the plugin
2871 dsconf plugin usn disable
2873 Disables the plugin
2874 dsconf plugin usn status
2876 Displays the plugin status
2877 dsconf plugin usn global
2879 Get or manage global USN mode (nsslapd-entryusn-global)
2880 dsconf plugin usn cleanup
2882 Runs the USN tombstone cleanup task
2883
2886 usage: dsconf instance plugin usn show [-h]
2887
2890 usage: dsconf instance plugin usn enable [-h]
2891
2894 usage: dsconf instance plugin usn disable [-h]
2895
2898 usage: dsconf instance plugin usn status [-h]
2899
2902 usage: dsconf instance plugin usn global [-h] {on,off} ...
2903
2906 dsconf plugin usn global on
2907 Enables USN global mode
2908 dsconf plugin usn global off
2910 Disables USN global mode
2911
2914 usage: dsconf instance plugin usn global on [-h]
2915
2918 usage: dsconf instance plugin usn global off [-h]
2919
2922 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2923 [-m MAX_USN] [--timeout TIME‐
2924 OUT]
2925
2928 -s SUFFIX, --suffix SUFFIX
2929 Sets the suffix or subtree in Directory Server to run the
2930 cleanup operation against. If the suffix is not specified, then
2931 the back end must be specified (suffix).
2932 -n BACKEND, --backend BACKEND
2935 Sets the Directory Server instance back end, or database, to run
2936 the cleanup operation against. If the back end is not specified,
2937 then the suffix must be specified. Backend instance in which USN
2938 tombstone entries (backend)
2939 -m MAX_USN, --max-usn MAX_USN
2942 Sets the highest USN value to delete when removing tombstone en‐
2943 tries (max_usn_to_delete)
2944 --timeout TIMEOUT
2947 Sets the cleanup task timeout. Default is 120 seconds,
2948
2951 usage: dsconf instance plugin account-policy [-h]
2952 {show,enable,disable,sta‐
2953 tus,set,config-entry}
2954 ...
2955
2958 dsconf plugin account-policy show
2959 Displays the plugin configuration
2960 dsconf plugin account-policy enable
2962 Enables the plugin
2963 dsconf plugin account-policy disable
2965 Disables the plugin
2966 dsconf plugin account-policy status
2968 Displays the plugin status
2969 dsconf plugin account-policy set
2971 Edit the plugin settings
2972 dsconf plugin account-policy config-entry
2974 Manage the config entry
2975
2978 usage: dsconf instance plugin account-policy show [-h]
2979
2982 usage: dsconf instance plugin account-policy enable [-h]
2983
2986 usage: dsconf instance plugin account-policy disable [-h]
2987
2990 usage: dsconf instance plugin account-policy status [-h]
2991
2994 usage: dsconf instance plugin account-policy set [-h]
2995 [--config-entry CON‐
2996 FIG_ENTRY]
2997
3000 --config-entry CONFIG_ENTRY
3001 Sets the nsslapd-pluginConfigArea attribute
3002
3005 usage: dsconf instance plugin account-policy config-entry [-h]
3006 {add,set,show,delete}
3007 ...
3008
3011 dsconf plugin account-policy config-entry add
3012 Add the config entry
3013 dsconf plugin account-policy config-entry set
3015 Edit the config entry
3016 dsconf plugin account-policy config-entry show
3018 Display the config entry
3019 dsconf plugin account-policy config-entry delete
3021 Delete the config entry
3022
3025 usage: dsconf instance plugin account-policy config-entry add
3026 [-h] [--always-record-login {yes,no}] [--alt-state-attr
3027 ALT_STATE_ATTR]
3028 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
3029 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
3030 [--state-attr STATE_ATTR] [--login-history-size LOGIN_HIS‐
3031 TORY_SIZE]
3032 [--check-all-state-attrs {yes,no}]
3033 DN
3034 DN The full DN of the config entry
3037
3040 --always-record-login {yes,no}
3041 Sets that every entry records its last login time (alwaysRecord‐
3042 Login)
3043 --alt-state-attr ALT_STATE_ATTR
3046 Provides a backup attribute for the server to reference to eval‐
3047 uate the expiration time (altStateAttrName)
3048 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
3051 Specifies the attribute to store the time of the last successful
3052 login in this attribute in the users directory entry (al‐
3053 waysRecordLoginAttr)
3054 --limit-attr LIMIT_ATTR
3057 Specifies the attribute within the policy to use for the account
3058 inactivation limit (limitAttrName)
3059 --spec-attr SPEC_ATTR
3062 Specifies the attribute to identify which entries are account
3063 policy configuration entries (specAttrName)
3064 --state-attr STATE_ATTR
3067 Specifies the primary time attribute used to evaluate an account
3068 policy (stateAttrName)
3069 --login-history-size LOGIN_HISTORY_SIZE
3072 Specifies the number of login timestamps to store (lastLogin‐
3073 HistSize) )
3074 --check-all-state-attrs {yes,no}
3077 Check both state and alternate state attributes for account
3078 state
3079
3082 usage: dsconf instance plugin account-policy config-entry set
3083 [-h] [--always-record-login {yes,no}] [--alt-state-attr
3084 ALT_STATE_ATTR]
3085 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
3086 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
3087 [--state-attr STATE_ATTR] [--login-history-size LOGIN_HIS‐
3088 TORY_SIZE]
3089 [--check-all-state-attrs {yes,no}]
3090 DN
3091 DN The full DN of the config entry
3094
3097 --always-record-login {yes,no}
3098 Sets that every entry records its last login time (alwaysRecord‐
3099 Login)
3100 --alt-state-attr ALT_STATE_ATTR
3103 Provides a backup attribute for the server to reference to eval‐
3104 uate the expiration time (altStateAttrName)
3105 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
3108 Specifies the attribute to store the time of the last successful
3109 login in this attribute in the users directory entry (al‐
3110 waysRecordLoginAttr)
3111 --limit-attr LIMIT_ATTR
3114 Specifies the attribute within the policy to use for the account
3115 inactivation limit (limitAttrName)
3116 --spec-attr SPEC_ATTR
3119 Specifies the attribute to identify which entries are account
3120 policy configuration entries (specAttrName)
3121 --state-attr STATE_ATTR
3124 Specifies the primary time attribute used to evaluate an account
3125 policy (stateAttrName)
3126 --login-history-size LOGIN_HISTORY_SIZE
3129 Specifies the number of login timestamps to store (lastLogin‐
3130 HistSize) )
3131 --check-all-state-attrs {yes,no}
3134 Check both state and alternate state attributes for account
3135 state
3136
3139 usage: dsconf instance plugin account-policy config-entry show [-h] DN
3140 DN The full DN of the config entry
3143
3146 usage: dsconf instance plugin account-policy config-entry delete [-h]
3147 DN
3148 DN The full DN of the config entry
3151
3154 usage: dsconf instance plugin attr-uniq [-h]
3155 {list,add,set,show,delete,en‐
3156 able,disable,status}
3157 ...
3158
3161 dsconf plugin attr-uniq list
3162 Lists available plugin configs
3163 dsconf plugin attr-uniq add
3165 Add the config entry
3166 dsconf plugin attr-uniq set
3168 Edit the config entry
3169 dsconf plugin attr-uniq show
3171 Display the config entry
3172 dsconf plugin attr-uniq delete
3174 Delete the config entry
3175 dsconf plugin attr-uniq enable
3177 enable plugin
3178 dsconf plugin attr-uniq disable
3180 disable plugin
3181 dsconf plugin attr-uniq status
3183 display plugin status
3184
3187 usage: dsconf instance plugin attr-uniq list [-h]
3188
3191 usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
3192 [--attr-name ATTR_NAME
3193 [ATTR_NAME ...]]
3194 [--subtree SUBTREE [SUBTREE
3195 ...]]
3196 [--across-all-subtrees
3197 {on,off}]
3198 [--top-entry-oc TOP_EN‐
3199 TRY_OC]
3200 [--subtree-entries-oc SUB‐
3201 TREE_ENTRIES_OC]
3202 NAME
3203 NAME The name of the plug-in configuration record. (cn) You can use
3206 any string, but "attribute_name Attribute Uniqueness" is recom‐
3207 mended.
3208
3211 --enabled {on,off}
3212 Identifies whether or not the config is enabled.
3213 --attr-name ATTR_NAME [ATTR_NAME ...]
3216 Sets the name of the attribute whose values must be unique. This
3217 attribute is multi-valued. (uniqueness-attribute-name)
3218 --subtree SUBTREE [SUBTREE ...]
3221 Sets the DN under which the plug-in checks for uniqueness of the
3222 attributes value. This attribute is multi-valued (unique‐
3223 ness-subtrees)
3224 --across-all-subtrees {on,off}
3227 If enabled (on), the plug-in checks that the attribute is unique
3228 across all subtrees set. If you set the attribute to off,
3229 uniqueness is only enforced within the subtree of the updated
3230 entry (uniqueness-across-all-subtrees)
3231 --top-entry-oc TOP_ENTRY_OC
3234 Verifies that the value of the attribute set in uniqueness-at‐
3235 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3236 --subtree-entries-oc SUBTREE_ENTRIES_OC
3239 Verifies if an attribute is unique, if the entry contains the
3240 object class set in this parameter (uniqueness-subtree-en‐
3241 tries-oc)
3242
3245 usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
3246 [--attr-name ATTR_NAME
3247 [ATTR_NAME ...]]
3248 [--subtree SUBTREE [SUBTREE
3249 ...]]
3250 [--across-all-subtrees
3251 {on,off}]
3252 [--top-entry-oc TOP_EN‐
3253 TRY_OC]
3254 [--subtree-entries-oc SUB‐
3255 TREE_ENTRIES_OC]
3256 NAME
3257 NAME The name of the plug-in configuration record. (cn) You can use
3260 any string, but "attribute_name Attribute Uniqueness" is recom‐
3261 mended.
3262
3265 --enabled {on,off}
3266 Identifies whether or not the config is enabled.
3267 --attr-name ATTR_NAME [ATTR_NAME ...]
3270 Sets the name of the attribute whose values must be unique. This
3271 attribute is multi-valued. (uniqueness-attribute-name)
3272 --subtree SUBTREE [SUBTREE ...]
3275 Sets the DN under which the plug-in checks for uniqueness of the
3276 attributes value. This attribute is multi-valued (unique‐
3277 ness-subtrees)
3278 --across-all-subtrees {on,off}
3281 If enabled (on), the plug-in checks that the attribute is unique
3282 across all subtrees set. If you set the attribute to off,
3283 uniqueness is only enforced within the subtree of the updated
3284 entry (uniqueness-across-all-subtrees)
3285 --top-entry-oc TOP_ENTRY_OC
3288 Verifies that the value of the attribute set in uniqueness-at‐
3289 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3290 --subtree-entries-oc SUBTREE_ENTRIES_OC
3293 Verifies if an attribute is unique, if the entry contains the
3294 object class set in this parameter (uniqueness-subtree-en‐
3295 tries-oc)
3296
3299 usage: dsconf instance plugin attr-uniq show [-h] NAME
3300 NAME The name of the plug-in configuration record
3303
3306 usage: dsconf instance plugin attr-uniq delete [-h] NAME
3307 NAME The name of the plug-in configuration record
3310
3313 usage: dsconf instance plugin attr-uniq enable [-h] NAME
3314 NAME The name of the plug-in configuration record
3317
3320 usage: dsconf instance plugin attr-uniq disable [-h] NAME
3321 NAME The name of the plug-in configuration record
3324
3327 usage: dsconf instance plugin attr-uniq status [-h] NAME
3328 NAME The name of the plug-in configuration record
3331
3334 usage: dsconf instance plugin dna [-h]
3335 {show,enable,disable,status,list,con‐
3336 fig} ...
3337
3340 dsconf plugin dna show
3341 Displays the plugin configuration
3342 dsconf plugin dna enable
3344 Enables the plugin
3345 dsconf plugin dna disable
3347 Disables the plugin
3348 dsconf plugin dna status
3350 Displays the plugin status
3351 dsconf plugin dna list
3353 List available plugin configs
3354 dsconf plugin dna config
3356 Manage plugin configs
3357
3360 usage: dsconf instance plugin dna show [-h]
3361
3364 usage: dsconf instance plugin dna enable [-h]
3365
3368 usage: dsconf instance plugin dna disable [-h]
3369
3372 usage: dsconf instance plugin dna status [-h]
3373
3376 usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
3377 ...
3378
3381 dsconf plugin dna list configs
3382 List main DNA plugin config entries
3383 dsconf plugin dna list shared-configs
3385 List DNA plugin shared config entries
3386
3389 usage: dsconf instance plugin dna list configs [-h]
3390
3393 usage: dsconf instance plugin dna list shared-configs [-h] BASEDN
3394 BASEDN The search DN
3397
3400 usage: dsconf instance plugin dna config [-h]
3401 NAME
3402 {add,set,show,delete,shared-con‐
3403 fig-entry}
3404 ...
3405
3408 dsconf plugin dna config add
3409 Add the config entry
3410 dsconf plugin dna config set
3412 Edit the config entry
3413 dsconf plugin dna config show
3415 Display the config entry
3416 dsconf plugin dna config delete
3418 Delete the config entry
3419 dsconf plugin dna config shared-config-entry
3421 Manage the shared config entry
3422
3425 usage: dsconf instance plugin dna config NAME add [-h]
3426 [--type TYPE [TYPE
3427 ...]]
3428 [--prefix PREFIX]
3429 [--next-value
3430 NEXT_VALUE]
3431 [--max-value
3432 MAX_VALUE]
3433 [--interval INTERVAL]
3434 [--magic-regen
3435 MAGIC_REGEN]
3436 [--filter FILTER]
3437 [--scope SCOPE]
3438 [--remote-bind-dn RE‐
3439 MOTE_BIND_DN]
3440 [--remote-bind-cred
3441 REMOTE_BIND_CRED]
3442 [--shared-config-en‐
3443 try SHARED_CONFIG_ENTRY]
3444 [--threshold THRESH‐
3445 OLD]
3446 [--next-range
3447 NEXT_RANGE]
3448 [--range-re‐
3449 quest-timeout RANGE_REQUEST_TIMEOUT]
3450
3453 --type TYPE [TYPE ...]
3454 Sets which attributes have unique numbers being generated for
3455 them (dnaType)
3456 --prefix PREFIX
3459 Defines a prefix that can be prepended to the generated number
3460 values for the attribute (dnaPrefix)
3461 --next-value NEXT_VALUE
3464 Sets the next available number which can be assigned
3465 (dnaNextValue)
3466 --max-value MAX_VALUE
3469 Sets the maximum value that can be assigned for the range (dna‐
3470 MaxValue)
3471 --interval INTERVAL
3474 Sets an interval to use to increment through numbers in a range
3475 (dnaInterval)
3476 --magic-regen MAGIC_REGEN
3479 Sets a user-defined value that instructs the plug-in to assign a
3480 new value for the entry (dnaMagicRegen)
3481 --filter FILTER
3484 Sets an LDAP filter to use to search for and identify the en‐
3485 tries to which to apply the distributed numeric assignment range
3486 (dnaFilter)
3487 --scope SCOPE
3490 Sets the base DN to search for entries to which to apply the
3491 distributed numeric assignment (dnaScope)
3492 --remote-bind-dn REMOTE_BIND_DN
3495 Specifies the Replication Manager DN (dnaRemoteBindDN)
3496 --remote-bind-cred REMOTE_BIND_CRED
3499 Specifies the Replication Manager's password (dnaRemoteBindCred)
3500 --shared-config-entry SHARED_CONFIG_ENTRY
3503 Defines a shared identity that the servers can use to transfer
3504 ranges to one another (dnaSharedCfgDN)
3505 --threshold THRESHOLD
3508 Sets a threshold of remaining available numbers in the range.
3509 When the server hits the threshold, it sends a request for a new
3510 range (dnaThreshold)
3511 --next-range NEXT_RANGE
3514 Defines the next range to use when the current range is ex‐
3515 hausted (dnaNextRange)
3516 --range-request-timeout RANGE_REQUEST_TIMEOUT
3519 Sets a timeout period, in seconds, for range requests so that
3520 the server does not stall waiting on a new range from one server
3521 and can request a range from a new server (dnaRangeRequestTime‐
3522 out)
3523
3526 usage: dsconf instance plugin dna config NAME set [-h]
3527 [--type TYPE [TYPE
3528 ...]]
3529 [--prefix PREFIX]
3530 [--next-value
3531 NEXT_VALUE]
3532 [--max-value
3533 MAX_VALUE]
3534 [--interval INTERVAL]
3535 [--magic-regen
3536 MAGIC_REGEN]
3537 [--filter FILTER]
3538 [--scope SCOPE]
3539 [--remote-bind-dn RE‐
3540 MOTE_BIND_DN]
3541 [--remote-bind-cred
3542 REMOTE_BIND_CRED]
3543 [--shared-config-en‐
3544 try SHARED_CONFIG_ENTRY]
3545 [--threshold THRESH‐
3546 OLD]
3547 [--next-range
3548 NEXT_RANGE]
3549 [--range-re‐
3550 quest-timeout RANGE_REQUEST_TIMEOUT]
3551
3554 --type TYPE [TYPE ...]
3555 Sets which attributes have unique numbers being generated for
3556 them (dnaType)
3557 --prefix PREFIX
3560 Defines a prefix that can be prepended to the generated number
3561 values for the attribute (dnaPrefix)
3562 --next-value NEXT_VALUE
3565 Sets the next available number which can be assigned
3566 (dnaNextValue)
3567 --max-value MAX_VALUE
3570 Sets the maximum value that can be assigned for the range (dna‐
3571 MaxValue)
3572 --interval INTERVAL
3575 Sets an interval to use to increment through numbers in a range
3576 (dnaInterval)
3577 --magic-regen MAGIC_REGEN
3580 Sets a user-defined value that instructs the plug-in to assign a
3581 new value for the entry (dnaMagicRegen)
3582 --filter FILTER
3585 Sets an LDAP filter to use to search for and identify the en‐
3586 tries to which to apply the distributed numeric assignment range
3587 (dnaFilter)
3588 --scope SCOPE
3591 Sets the base DN to search for entries to which to apply the
3592 distributed numeric assignment (dnaScope)
3593 --remote-bind-dn REMOTE_BIND_DN
3596 Specifies the Replication Manager DN (dnaRemoteBindDN)
3597 --remote-bind-cred REMOTE_BIND_CRED
3600 Specifies the Replication Manager's password (dnaRemoteBindCred)
3601 --shared-config-entry SHARED_CONFIG_ENTRY
3604 Defines a shared identity that the servers can use to transfer
3605 ranges to one another (dnaSharedCfgDN)
3606 --threshold THRESHOLD
3609 Sets a threshold of remaining available numbers in the range.
3610 When the server hits the threshold, it sends a request for a new
3611 range (dnaThreshold)
3612 --next-range NEXT_RANGE
3615 Defines the next range to use when the current range is ex‐
3616 hausted (dnaNextRange)
3617 --range-request-timeout RANGE_REQUEST_TIMEOUT
3620 Sets a timeout period, in seconds, for range requests so that
3621 the server does not stall waiting on a new range from one server
3622 and can request a range from a new server (dnaRangeRequestTime‐
3623 out)
3624
3627 usage: dsconf instance plugin dna config NAME show [-h]
3628
3631 usage: dsconf instance plugin dna config NAME delete [-h]
3632
3635 usage: dsconf instance plugin dna config NAME shared-config-entry
3636 [-h] SHARED_CFG {set,show,delete} ...
3637
3640 dsconf plugin dna config shared-config-entry set
3641 Edit the shared config entry
3642 dsconf plugin dna config shared-config-entry show
3644 Display the shared config entry
3645 dsconf plugin dna config shared-config-entry delete
3647 Delete the shared config entry
3648
3651 usage: dsconf instance plugin dna config NAME shared-config-entry
3652 SHARED_CFG set
3653 [-h] [--remote-bind-method REMOTE_BIND_METHOD]
3654 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3655
3658 --remote-bind-method REMOTE_BIND_METHOD
3659 Specifies the remote bind method "SIMPLE", "SSL" (for SSL client
3660 auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)
3661 --remote-conn-protocol REMOTE_CONN_PROTOCOL
3664 Specifies the remote connection protocol "LDAP", or "TLS"
3665 (dnaRemoteConnProtocol)
3666
3669 usage: dsconf instance plugin dna config NAME shared-config-entry
3670 SHARED_CFG show
3671 [-h]
3672
3675 usage: dsconf instance plugin dna config NAME shared-config-entry
3676 SHARED_CFG delete
3677 [-h]
3678
3681 usage: dsconf instance plugin ldap-pass-through-auth [-h]
3682 {show,enable,dis‐
3683 able,status,list,add,modify,delete}
3684 ...
3685
3688 dsconf plugin ldap-pass-through-auth show
3689 Displays the plugin configuration
3690 dsconf plugin ldap-pass-through-auth enable
3692 Enables the plugin
3693 dsconf plugin ldap-pass-through-auth disable
3695 Disables the plugin
3696 dsconf plugin ldap-pass-through-auth status
3698 Displays the plugin status
3699 dsconf plugin ldap-pass-through-auth list
3701 Lists LDAP URLs
3702 dsconf plugin ldap-pass-through-auth add
3704 Add an LDAP url to the config entry
3705 dsconf plugin ldap-pass-through-auth modify
3707 Edit the LDAP pass through config entry
3708 dsconf plugin ldap-pass-through-auth delete
3710 Delete a URL from the config entry
3711
3714 usage: dsconf instance plugin ldap-pass-through-auth show [-h]
3715
3718 usage: dsconf instance plugin ldap-pass-through-auth enable [-h]
3719
3722 usage: dsconf instance plugin ldap-pass-through-auth disable [-h]
3723
3726 usage: dsconf instance plugin ldap-pass-through-auth status [-h]
3727
3730 usage: dsconf instance plugin ldap-pass-through-auth list [-h]
3731
3734 usage: dsconf instance plugin ldap-pass-through-auth add [-h] URL
3735 URL The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
3738 conns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
3739 tional parameter is specified the rest should be specified too
3740
3743 usage: dsconf instance plugin ldap-pass-through-auth modify
3744 [-h] OLD_URL NEW_URL
3745 OLD_URL
3748 The full LDAP URL you get from the "list" command
3749 NEW_URL
3752 Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree
3753 maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
3754 tional parameter is specified the rest should be specified too.
3755
3758 usage: dsconf instance plugin ldap-pass-through-auth delete [-h] URL
3759 URL The full LDAP URL you get from the "list" command
3762
3765 usage: dsconf instance plugin linked-attr [-h]
3766 {show,enable,disable,sta‐
3767 tus,fixup,fixup-status,list,config}
3768 ...
3769
3772 dsconf plugin linked-attr show
3773 Displays the plugin configuration
3774 dsconf plugin linked-attr enable
3776 Enables the plugin
3777 dsconf plugin linked-attr disable
3779 Disables the plugin
3780 dsconf plugin linked-attr status
3782 Displays the plugin status
3783 dsconf plugin linked-attr fixup
3785 Run the fix-up task for linked attributes plugin
3786 dsconf plugin linked-attr fixup-status
3788 Check the status of a fix-up task
3789 dsconf plugin linked-attr list
3791 List available plugin configs
3792 dsconf plugin linked-attr config
3794 Manage plugin configs
3795
3798 usage: dsconf instance plugin linked-attr show [-h]
3799
3802 usage: dsconf instance plugin linked-attr enable [-h]
3803
3806 usage: dsconf instance plugin linked-attr disable [-h]
3807
3810 usage: dsconf instance plugin linked-attr status [-h]
3811
3814 usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
3815 [--wait]
3816
3819 -l LINKDN, --linkdn LINKDN
3820 Sets the base DN that contains entries to fix up
3821 --wait Wait for the task to finish, this could take a long time
3824
3827 usage: dsconf instance plugin linked-attr fixup-status [-h] [--dn DN]
3828 [--show-log]
3829 [--watch]
3830
3833 --dn DN
3834 The task entry's DN
3835 --show-log
3838 Display the task log
3839 --watch
3842 Watch the task's status and wait for it to finish
3843
3846 usage: dsconf instance plugin linked-attr list [-h]
3847
3850 usage: dsconf instance plugin linked-attr config [-h]
3851 NAME
3852 {add,set,show,delete}
3853 ...
3854
3857 dsconf plugin linked-attr config add
3858 Add the config entry
3859 dsconf plugin linked-attr config set
3861 Edit the config entry
3862 dsconf plugin linked-attr config show
3864 Display the config entry
3865 dsconf plugin linked-attr config delete
3867 Delete the config entry
3868
3871 usage: dsconf instance plugin linked-attr config NAME add [-h]
3872 [--link-type
3873 LINK_TYPE]
3874 [--man‐
3875 aged-type MANAGED_TYPE]
3876 [--link-scope
3877 LINK_SCOPE]
3878
3881 --link-type LINK_TYPE
3882 Sets the attribute that is managed manually by administrators
3883 (linkType)
3884 --managed-type MANAGED_TYPE
3887 Sets the attribute that is created dynamically by the plugin
3888 (managedType)
3889 --link-scope LINK_SCOPE
3892 Sets the scope that restricts the plugin to a specific part of
3893 the directory tree (linkScope)
3894
3897 usage: dsconf instance plugin linked-attr config NAME set [-h]
3898 [--link-type
3899 LINK_TYPE]
3900 [--man‐
3901 aged-type MANAGED_TYPE]
3902 [--link-scope
3903 LINK_SCOPE]
3904
3907 --link-type LINK_TYPE
3908 Sets the attribute that is managed manually by administrators
3909 (linkType)
3910 --managed-type MANAGED_TYPE
3913 Sets the attribute that is created dynamically by the plugin
3914 (managedType)
3915 --link-scope LINK_SCOPE
3918 Sets the scope that restricts the plugin to a specific part of
3919 the directory tree (linkScope)
3920
3923 usage: dsconf instance plugin linked-attr config NAME show [-h]
3924
3927 usage: dsconf instance plugin linked-attr config NAME delete [-h]
3928
3931 usage: dsconf instance plugin managed-entries [-h]
3932 {show,enable,disable,sta‐
3933 tus,set,list,config,template}
3934 ...
3935
3938 dsconf plugin managed-entries show
3939 Displays the plugin configuration
3940 dsconf plugin managed-entries enable
3942 Enables the plugin
3943 dsconf plugin managed-entries disable
3945 Disables the plugin
3946 dsconf plugin managed-entries status
3948 Displays the plugin status
3949 dsconf plugin managed-entries set
3951 Edit the plugin settings
3952 dsconf plugin managed-entries list
3954 List Managed Entries Plugin configs and templates
3955 dsconf plugin managed-entries config
3957 Handle Managed Entries Plugin configs
3958 dsconf plugin managed-entries template
3960 Handle Managed Entries Plugin templates
3961
3964 usage: dsconf instance plugin managed-entries show [-h]
3965
3968 usage: dsconf instance plugin managed-entries enable [-h]
3969
3972 usage: dsconf instance plugin managed-entries disable [-h]
3973
3976 usage: dsconf instance plugin managed-entries status [-h]
3977
3980 usage: dsconf instance plugin managed-entries set [-h]
3981 [--config-area CON‐
3982 FIG_AREA]
3983
3986 --config-area CONFIG_AREA
3987 Sets the value of the nsslapd-pluginConfigArea attribute
3988
3991 usage: dsconf instance plugin managed-entries list [-h]
3992 {configs,templates}
3993 ...
3994
3997 dsconf plugin managed-entries list configs
3998 List Managed Entries Plugin configs (list config-area if speci‐
3999 fied in the main plugin entry)
4000 dsconf plugin managed-entries list templates
4002 List Managed Entries Plugin templates in the directory
4003
4006 usage: dsconf instance plugin managed-entries list configs [-h]
4007
4010 usage: dsconf instance plugin managed-entries list templates [-h]
4011 [BASEDN]
4012 BASEDN The base DN where to search the templates
4015
4018 usage: dsconf instance plugin managed-entries config [-h]
4019 NAME
4020 {add,set,show,delete}
4021 ...
4022
4025 dsconf plugin managed-entries config add
4026 Add the config entry
4027 dsconf plugin managed-entries config set
4029 Edit the config entry
4030 dsconf plugin managed-entries config show
4032 Display the config entry
4033 dsconf plugin managed-entries config delete
4035 Delete the config entry
4036
4039 usage: dsconf instance plugin managed-entries config NAME add
4040 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
4041 AGED_BASE]
4042 [--managed-template MANAGED_TEMPLATE]
4043
4046 --scope SCOPE
4047 Sets the scope of the search to use to see which entries the
4048 plug-in monitors (originScope)
4049 --filter FILTER
4052 Sets the search filter to use to search for and identify the en‐
4053 tries within the subtree which require a managed entry (origin‐
4054 Filter)
4055 --managed-base MANAGED_BASE
4058 Sets the subtree under which to create the managed entries (man‐
4059 agedBase)
4060 --managed-template MANAGED_TEMPLATE
4063 Identifies the template entry to use to create the managed entry
4064 (managedTemplate)
4065
4068 usage: dsconf instance plugin managed-entries config NAME set
4069 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
4070 AGED_BASE]
4071 [--managed-template MANAGED_TEMPLATE]
4072
4075 --scope SCOPE
4076 Sets the scope of the search to use to see which entries the
4077 plug-in monitors (originScope)
4078 --filter FILTER
4081 Sets the search filter to use to search for and identify the en‐
4082 tries within the subtree which require a managed entry (origin‐
4083 Filter)
4084 --managed-base MANAGED_BASE
4087 Sets the subtree under which to create the managed entries (man‐
4088 agedBase)
4089 --managed-template MANAGED_TEMPLATE
4092 Identifies the template entry to use to create the managed entry
4093 (managedTemplate)
4094
4097 usage: dsconf instance plugin managed-entries config NAME show [-h]
4098
4101 usage: dsconf instance plugin managed-entries config NAME delete [-h]
4102
4105 usage: dsconf instance plugin managed-entries template [-h]
4106 DN
4107 {add,set,show,delete}
4108 ...
4109
4112 dsconf plugin managed-entries template add
4113 Add the template entry
4114 dsconf plugin managed-entries template set
4116 Edit the template entry
4117 dsconf plugin managed-entries template show
4119 Display the template entry
4120 dsconf plugin managed-entries template delete
4122 Delete the template entry
4123
4126 usage: dsconf instance plugin managed-entries template DN add
4127 [-h] [--rdn-attr RDN_ATTR]
4128 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
4129 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
4130
4133 --rdn-attr RDN_ATTR
4134 Sets which attribute to use as the naming attribute in the auto‐
4135 matically- generated entry (mepRDNAttr)
4136 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4139 Sets an attribute with a defined value that must be added to the
4140 automatically-generated entry (mepStaticAttr)
4141 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4144 Sets attributes in the Managed Entries template entry which must
4145 exist in the generated entry (mepMappedAttr)
4146
4149 usage: dsconf instance plugin managed-entries template DN set
4150 [-h] [--rdn-attr RDN_ATTR]
4151 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
4152 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
4153
4156 --rdn-attr RDN_ATTR
4157 Sets which attribute to use as the naming attribute in the auto‐
4158 matically- generated entry (mepRDNAttr)
4159 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4162 Sets an attribute with a defined value that must be added to the
4163 automatically-generated entry (mepStaticAttr)
4164 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4167 Sets attributes in the Managed Entries template entry which must
4168 exist in the generated entry (mepMappedAttr)
4169
4172 usage: dsconf instance plugin managed-entries template DN show [-h]
4173
4176 usage: dsconf instance plugin managed-entries template DN delete [-h]
4177
4180 usage: dsconf instance plugin pam-pass-through-auth [-h]
4181 {show,enable,dis‐
4182 able,status,list,config}
4183 ...
4184
4187 dsconf plugin pam-pass-through-auth show
4188 Displays the plugin configuration
4189 dsconf plugin pam-pass-through-auth enable
4191 Enables the plugin
4192 dsconf plugin pam-pass-through-auth disable
4194 Disables the plugin
4195 dsconf plugin pam-pass-through-auth status
4197 Displays the plugin status
4198 dsconf plugin pam-pass-through-auth list
4200 Lists PAM configurations
4201 dsconf plugin pam-pass-through-auth config
4203 Manage PAM PTA configurations.
4204
4207 usage: dsconf instance plugin pam-pass-through-auth show [-h]
4208
4211 usage: dsconf instance plugin pam-pass-through-auth enable [-h]
4212
4215 usage: dsconf instance plugin pam-pass-through-auth disable [-h]
4216
4219 usage: dsconf instance plugin pam-pass-through-auth status [-h]
4220
4223 usage: dsconf instance plugin pam-pass-through-auth list [-h]
4224
4227 usage: dsconf instance plugin pam-pass-through-auth config [-h]
4228 NAME
4229 {add,set,show,delete}
4230 ...
4231
4234 dsconf plugin pam-pass-through-auth config add
4235 Add the config entry
4236 dsconf plugin pam-pass-through-auth config set
4238 Edit the config entry
4239 dsconf plugin pam-pass-through-auth config show
4241 Display the config entry
4242 dsconf plugin pam-pass-through-auth config delete
4244 Delete the config entry
4245
4248 usage: dsconf instance plugin pam-pass-through-auth config NAME add
4249 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4250 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4251 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4252 TER]
4253 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4254 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4255 SERVICE]
4256
4259 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4260 Specifies a suffix to exclude from PAM authentication (pamEx‐
4261 cludeSuffix)
4262 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4265 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4266 fix)
4267 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4270 Identifies how to handle missing include or exclude suffixes
4271 (pamMissingSuffix)
4272 --filter FILTER
4275 Sets an LDAP filter to use to identify specific entries within
4276 the included suffixes for which to use PAM pass-through authen‐
4277 tication (pamFilter)
4278 --id-attr ID_ATTR
4281 Contains the attribute name which is used to hold the PAM user
4282 ID (pamIDAttr)
4283 --id_map_method ID_MAP_METHOD
4286 Sets the method to use to map the LDAP bind DN to a PAM identity
4287 (pamIDMapMethod)
4288 --fallback {TRUE,FALSE}
4291 Sets whether to fallback to regular LDAP authentication if PAM
4292 authentication fails (pamFallback)
4293 --secure {TRUE,FALSE}
4296 Requires secure TLS connection for PAM authentication (pamSe‐
4297 cure)
4298 --service SERVICE
4301 Contains the service name to pass to PAM (pamService)
4302
4305 usage: dsconf instance plugin pam-pass-through-auth config NAME set
4306 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4307 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4308 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4309 TER]
4310 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4311 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4312 SERVICE]
4313
4316 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4317 Specifies a suffix to exclude from PAM authentication (pamEx‐
4318 cludeSuffix)
4319 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4322 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4323 fix)
4324 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4327 Identifies how to handle missing include or exclude suffixes
4328 (pamMissingSuffix)
4329 --filter FILTER
4332 Sets an LDAP filter to use to identify specific entries within
4333 the included suffixes for which to use PAM pass-through authen‐
4334 tication (pamFilter)
4335 --id-attr ID_ATTR
4338 Contains the attribute name which is used to hold the PAM user
4339 ID (pamIDAttr)
4340 --id_map_method ID_MAP_METHOD
4343 Sets the method to use to map the LDAP bind DN to a PAM identity
4344 (pamIDMapMethod)
4345 --fallback {TRUE,FALSE}
4348 Sets whether to fallback to regular LDAP authentication if PAM
4349 authentication fails (pamFallback)
4350 --secure {TRUE,FALSE}
4353 Requires secure TLS connection for PAM authentication (pamSe‐
4354 cure)
4355 --service SERVICE
4358 Contains the service name to pass to PAM (pamService)
4359
4362 usage: dsconf instance plugin pam-pass-through-auth config NAME show
4363 [-h]
4364
4367 usage: dsconf instance plugin pam-pass-through-auth config NAME delete
4368 [-h]
4369
4372 usage: dsconf instance plugin retro-changelog [-h]
4373 {show,enable,disable,sta‐
4374 tus,set,add,del}
4375 ...
4376
4379 dsconf plugin retro-changelog show
4380 Displays the plugin configuration
4381 dsconf plugin retro-changelog enable
4383 Enables the plugin
4384 dsconf plugin retro-changelog disable
4386 Disables the plugin
4387 dsconf plugin retro-changelog status
4389 Displays the plugin status
4390 dsconf plugin retro-changelog set
4392 Edit the plugin
4393 dsconf plugin retro-changelog add
4395 Add attributes to the plugin
4396 dsconf plugin retro-changelog del
4398 Delete an attribute from plugin scope
4399
4402 usage: dsconf instance plugin retro-changelog show [-h]
4403
4406 usage: dsconf instance plugin retro-changelog enable [-h]
4407
4410 usage: dsconf instance plugin retro-changelog disable [-h]
4411
4414 usage: dsconf instance plugin retro-changelog status [-h]
4415
4418 usage: dsconf instance plugin retro-changelog set [-h]
4419 [--is-replicated
4420 {TRUE,FALSE}]
4421 [--attribute ATTRI‐
4422 BUTE]
4423 [--directory DIREC‐
4424 TORY]
4425 [--max-age MAX_AGE]
4426 [--trim-interval
4427 TRIM_INTERVAL]
4428 [--exclude-suffix
4429 [EXCLUDE_SUFFIX ...]]
4430 [--exclude-attrs [EX‐
4431 CLUDE_ATTRS ...]]
4432
4435 --is-replicated {TRUE,FALSE}
4436 Sets a flag to indicate on a change in the changelog whether the
4437 change is newly made on that server or whether it was replicated
4438 over from another server (isReplicated)
4439 --attribute ATTRIBUTE
4442 Specifies another Directory Server attribute which must be in‐
4443 cluded in the retro changelog entries (nsslapd-attribute)
4444 --directory DIRECTORY
4447 Specifies the name of the directory in which the changelog data‐
4448 base is created the first time the plug-in is run
4449 --max-age MAX_AGE
4452 Specifies the maximum age of any entry in the changelog. Used to
4453 trim the changelog (nsslapd-changelogmaxage)
4454 --trim-interval TRIM_INTERVAL
4457 --exclude-suffix [EXCLUDE_SUFFIX ...]
4460 Specifies the suffix which will be excluded from the scope of
4461 the plugin (nsslapd-exclude-suffix)
4462 --exclude-attrs [EXCLUDE_ATTRS ...]
4465 Specifies the attributes which will be excluded from the scope
4466 of the plugin (nsslapd-exclude-attrs)
4467
4470 usage: dsconf instance plugin retro-changelog add [-h]
4471 [--is-replicated
4472 {TRUE,FALSE}]
4473 [--attribute ATTRI‐
4474 BUTE]
4475 [--directory DIREC‐
4476 TORY]
4477 [--max-age MAX_AGE]
4478 [--trim-interval
4479 TRIM_INTERVAL]
4480 [--exclude-suffix
4481 [EXCLUDE_SUFFIX ...]]
4482 [--exclude-attrs [EX‐
4483 CLUDE_ATTRS ...]]
4484
4487 --is-replicated {TRUE,FALSE}
4488 Sets a flag to indicate on a change in the changelog whether the
4489 change is newly made on that server or whether it was replicated
4490 over from another server (isReplicated)
4491 --attribute ATTRIBUTE
4494 Specifies another Directory Server attribute which must be in‐
4495 cluded in the retro changelog entries (nsslapd-attribute)
4496 --directory DIRECTORY
4499 Specifies the name of the directory in which the changelog data‐
4500 base is created the first time the plug-in is run
4501 --max-age MAX_AGE
4504 Specifies the maximum age of any entry in the changelog. Used to
4505 trim the changelog (nsslapd-changelogmaxage)
4506 --trim-interval TRIM_INTERVAL
4509 --exclude-suffix [EXCLUDE_SUFFIX ...]
4512 Specifies the suffix which will be excluded from the scope of
4513 the plugin (nsslapd-exclude-suffix)
4514 --exclude-attrs [EXCLUDE_ATTRS ...]
4517 Specifies the attributes which will be excluded from the scope
4518 of the plugin (nsslapd-exclude-attrs)
4519
4522 usage: dsconf instance plugin retro-changelog del [-h]
4523 [--is-replicated
4524 {TRUE,FALSE}]
4525 [--attribute ATTRI‐
4526 BUTE]
4527 [--directory DIREC‐
4528 TORY]
4529 [--max-age MAX_AGE]
4530 [--trim-interval
4531 TRIM_INTERVAL]
4532 [--exclude-suffix
4533 [EXCLUDE_SUFFIX ...]]
4534 [--exclude-attrs [EX‐
4535 CLUDE_ATTRS ...]]
4536
4539 --is-replicated {TRUE,FALSE}
4540 Sets a flag to indicate on a change in the changelog whether the
4541 change is newly made on that server or whether it was replicated
4542 over from another server (isReplicated)
4543 --attribute ATTRIBUTE
4546 Specifies another Directory Server attribute which must be in‐
4547 cluded in the retro changelog entries (nsslapd-attribute)
4548 --directory DIRECTORY
4551 Specifies the name of the directory in which the changelog data‐
4552 base is created the first time the plug-in is run
4553 --max-age MAX_AGE
4556 Specifies the maximum age of any entry in the changelog. Used to
4557 trim the changelog (nsslapd-changelogmaxage)
4558 --trim-interval TRIM_INTERVAL
4561 --exclude-suffix [EXCLUDE_SUFFIX ...]
4564 Specifies the suffix which will be excluded from the scope of
4565 the plugin (nsslapd-exclude-suffix)
4566 --exclude-attrs [EXCLUDE_ATTRS ...]
4569 Specifies the attributes which will be excluded from the scope
4570 of the plugin (nsslapd-exclude-attrs)
4571
4574 usage: dsconf instance plugin posix-winsync [-h]
4575 {show,enable,disable,sta‐
4576 tus,set,fixup}
4577 ...
4578
4581 dsconf plugin posix-winsync show
4582 Displays the plugin configuration
4583 dsconf plugin posix-winsync enable
4585 Enables the plugin
4586 dsconf plugin posix-winsync disable
4588 Disables the plugin
4589 dsconf plugin posix-winsync status
4591 Displays the plugin status
4592 dsconf plugin posix-winsync set
4594 Edit the plugin settings
4595 dsconf plugin posix-winsync fixup
4597 Run the memberOf fix-up task to correct mismatched member and
4598 uniquemember values for synced users
4599
4602 usage: dsconf instance plugin posix-winsync show [-h]
4603
4606 usage: dsconf instance plugin posix-winsync enable [-h]
4607
4610 usage: dsconf instance plugin posix-winsync disable [-h]
4611
4614 usage: dsconf instance plugin posix-winsync status [-h]
4615
4618 usage: dsconf instance plugin posix-winsync set [-h]
4619 [--create-memberof-task
4620 {true,false}]
4621 [--lower-case-uid
4622 {true,false}]
4623 [--map-member-uid
4624 {true,false}]
4625 [--map-nested-grouping
4626 {true,false}]
4627 [--ms-sfu-schema
4628 {true,false}]
4629
4632 --create-memberof-task {true,false}
4633 Sets whether to run the memberUID fix-up task immediately after
4634 a sync run in order to update group memberships for synced users
4635 (posixWinsyncCreateMemberOfTask)
4636 --lower-case-uid {true,false}
4639 Sets whether to store (and, if necessary, convert) the UID value
4640 in the memberUID attribute in lower case.(posixWinsyncLower‐
4641 CaseUID)
4642 --map-member-uid {true,false}
4645 Sets whether to map the memberUID attribute in an Active Direc‐
4646 tory group to the uniqueMember attribute in a Directory Server
4647 group (posixWinsyncMapMemberUID)
4648 --map-nested-grouping {true,false}
4651 Manages if nested groups are updated when memberUID attributes
4652 in an Active Directory POSIX group change (posixWinsyncMapNest‐
4653 edGrouping)
4654 --ms-sfu-schema {true,false}
4657 Sets whether to the older Microsoft System Services for Unix 3.0
4658 (msSFU30) schema when syncing Posix attributes from Active Di‐
4659 rectory (posixWinsyncMsSFUSchema)
4660
4663 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER]
4664 [--timeout TIMEOUT]
4665 DN
4666 DN Set the base DN that contains entries to fix up
4669
4672 -f FILTER, --filter FILTER
4673 Filter for entries to fix up. If omitted, all entries with ob‐
4674 jectclass inetuser/inetadmin/nsmemberof under the specified base
4675 will have their memberOf attribute regenerated.
4676 --timeout TIMEOUT
4679 Set a timeout to wait for the fixup task. Default is 120 seconds
4680
4683 usage: dsconf instance plugin contentsync [-h]
4684 {show,enable,disable,sta‐
4685 tus,set,add}
4686 ...
4687
4690 dsconf plugin contentsync show
4691 Displays the plugin configuration
4692 dsconf plugin contentsync enable
4694 Enables the plugin
4695 dsconf plugin contentsync disable
4697 Disables the plugin
4698 dsconf plugin contentsync status
4700 Displays the plugin status
4701 dsconf plugin contentsync set
4703 Edit the plugin settings
4704 dsconf plugin contentsync add
4706 Add attributes to the plugin
4707
4710 usage: dsconf instance plugin contentsync show [-h]
4711
4714 usage: dsconf instance plugin contentsync enable [-h]
4715
4718 usage: dsconf instance plugin contentsync disable [-h]
4719
4722 usage: dsconf instance plugin contentsync status [-h]
4723
4726 usage: dsconf instance plugin contentsync set [-h] [--allow-openldap
4727 {on,off}]
4728
4731 --allow-openldap {on,off}
4732 Allows openldap servers to act as read only consumers of this
4733 server via syncrepl
4734
4737 usage: dsconf instance plugin contentsync add [-h] [--allow-openldap
4738 {on,off}]
4739
4742 --allow-openldap {on,off}
4743 Allows openldap servers to act as read only consumers of this
4744 server via syncrepl
4745
4748 usage: dsconf instance plugin entryuuid [-h]
4749 {show,enable,disable,sta‐
4750 tus,fixup,fixup-status}
4751 ...
4752
4755 dsconf plugin entryuuid show
4756 Displays the plugin configuration
4757 dsconf plugin entryuuid enable
4759 Enables the plugin
4760 dsconf plugin entryuuid disable
4762 Disables the plugin
4763 dsconf plugin entryuuid status
4765 Displays the plugin status
4766 dsconf plugin entryuuid fixup
4768 Run the fix-up task for EntryUUID plugin
4769 dsconf plugin entryuuid fixup-status
4771 Check the status of a fix-up task
4772
4775 usage: dsconf instance plugin entryuuid show [-h]
4776
4779 usage: dsconf instance plugin entryuuid enable [-h]
4780
4783 usage: dsconf instance plugin entryuuid disable [-h]
4784
4787 usage: dsconf instance plugin entryuuid status [-h]
4788
4791 usage: dsconf instance plugin entryuuid fixup [-h] [-f FILTER] [--wait]
4792 [--timeout TIMEOUT]
4793 DN
4794 DN Base DN that contains entries to fix up
4797
4800 -f FILTER, --filter FILTER
4801 Filter for entries to fix up. If omitted, all entries under base
4802 DNwill have their EntryUUID attribute regenerated if not
4803 present.
4804 --wait Wait for the task to finish, this could take a long time
4807 --timeout TIMEOUT
4810 Sets the task timeout. Default is 0 (no timeout)
4811
4814 usage: dsconf instance plugin entryuuid fixup-status [-h] [--dn DN]
4815 [--show-log]
4816 [--watch]
4817
4820 --dn DN
4821 The task entry's DN
4822 --show-log
4825 Display the task log
4826 --watch
4829 Watch the task's status and wait for it to finish
4830
4833 usage: dsconf instance plugin list [-h]
4834
4837 usage: dsconf instance plugin show [-h] [selector]
4838 selector
4841 The plugin to search for
4842
4845 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4846 {on,off}]
4847 [--path PATH] [--initfunc INITFUNC]
4848 [--id ID] [--vendor VENDOR]
4849 [--version VERSION]
4850 [--description DESCRIPTION]
4851 [--depends-on-type DEPENDS_ON_TYPE]
4852 [--depends-on-named DEPENDS_ON_NAMED]
4853 [--precedence PRECEDENCE]
4854 [selector]
4855 selector
4858 The plugin to edit
4859
4862 --type TYPE
4863 The type of plugin.
4864 --enabled {on,off}
4867 Identifies whether or not the plugin is enabled.
4868 --path PATH
4871 The plugin library name (without the library suffix).
4872 --initfunc INITFUNC
4875 An initialization function of the plugin.
4876 --id ID
4879 The plugin ID.
4880 --vendor VENDOR
4883 The vendor of plugin.
4884 --version VERSION
4887 The version of plugin.
4888 --description DESCRIPTION
4891 The description of the plugin.
4892 --depends-on-type DEPENDS_ON_TYPE
4895 All plug-ins with a type value which matches one of the values
4896 in the following valid range will be started by the server prior
4897 to this plug-in.
4898 --depends-on-named DEPENDS_ON_NAMED
4901 The plug-in name matching one of the following values will be
4902 started by the server prior to this plug-in
4903 --precedence PRECEDENCE
4906 The priority it has in the execution order of plug-ins
4907
4910 usage: dsconf instance pwpolicy [-h] {get,set,list-schemes} ...
4911
4914 dsconf pwpolicy get
4915 Get the global password policy entry
4916 dsconf pwpolicy set
4918 Set an attribute in a global password policy
4919 dsconf pwpolicy list-schemes
4921 Get a list of the current password storage schemes
4922
4925 usage: dsconf instance pwpolicy get [-h]
4926
4929 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4930 [--pwdchange PWDCHANGE]
4931 [--pwdmustchange PWDMUSTCHANGE]
4932 [--pwdhistory PWDHISTORY]
4933 [--pwdhistorycount PWDHISTORYCOUNT]
4934 [--pwdadmin PWDADMIN]
4935 [--pwdadminskipupdates PWDADMIN‐
4936 SKIPUPDATES]
4937 [--pwdtrack PWDTRACK]
4938 [--pwdwarning PWDWARNING]
4939 [--pwdexpire PWDEXPIRE]
4940 [--pwdmaxage PWDMAXAGE]
4941 [--pwdminage PWDMINAGE]
4942 [--pwdgracelimit PWDGRACELIMIT]
4943 [--pwdsendexpiring PWDSENDEXPIRING]
4944 [--pwdlockout PWDLOCKOUT]
4945 [--pwdunlock PWDUNLOCK]
4946 [--pwdlockoutduration PWDLOCKOUTDU‐
4947 RATION]
4948 [--pwdmaxfailures PWDMAXFAILURES]
4949 [--pwdresetfailcount PWDRESETFAIL‐
4950 COUNT]
4951 [--pwdchecksyntax PWDCHECKSYNTAX]
4952 [--pwdminlen PWDMINLEN]
4953 [--pwdmindigits PWDMINDIGITS]
4954 [--pwdminalphas PWDMINALPHAS]
4955 [--pwdminuppers PWDMINUPPERS]
4956 [--pwdminlowers PWDMINLOWERS]
4957 [--pwdminspecials PWDMINSPECIALS]
4958 [--pwdmin8bits PWDMIN8BITS]
4959 [--pwdmaxrepeats PWDMAXREPEATS]
4960 [--pwdpalindrome PWDPALINDROME]
4961 [--pwdmaxseq PWDMAXSEQ]
4962 [--pwdmaxseqsets PWDMAXSEQSETS]
4963 [--pwdmaxclasschars PWDMAXCLASS‐
4964 CHARS]
4965 [--pwdmincatagories PWDMIN‐
4966 CATAGORIES]
4967 [--pwdmintokenlen PWDMINTOKENLEN]
4968 [--pwdbadwords PWDBADWORDS]
4969 [--pwduserattrs PWDUSERATTRS]
4970 [--pwddictcheck PWDDICTCHECK]
4971 [--pwddictpath PWDDICTPATH]
4972 [--pwptprmaxuse PWPTPRMAXUSE]
4973 [--pwptprdelayexpireat PWPTPRDELAY‐
4974 EXPIREAT]
4975 [--pwptprdelayvalidfrom PWPTPRDE‐
4976 LAYVALIDFROM]
4977 [--pwdlocal PWDLOCAL]
4978 [--pwdisglobal PWDISGLOBAL]
4979 [--pwdallowhash PWDALLOWHASH]
4980 [--pwpinheritglobal PWPINHERIT‐
4981 GLOBAL]
4982
4985 --pwdscheme PWDSCHEME
4986 The password storage scheme
4987 --pwdchange PWDCHANGE
4990 Allow users to change their passwords
4991 --pwdmustchange PWDMUSTCHANGE
4994 Users must change their password after it was reset by an admin‐
4995 istrator
4996 --pwdhistory PWDHISTORY
4999 To enable password history set this to "on", otherwise "off"
5000 --pwdhistorycount PWDHISTORYCOUNT
5003 The number of passwords to keep in history
5004 --pwdadmin PWDADMIN
5007 The DN of an entry or a group of account that can bypass pass‐
5008 word policy constraints
5009 --pwdadminskipupdates PWDADMINSKIPUPDATES
5012 Set to "on" if the Password Admin's password update should not
5013 trigger updates to the password state attributes (passwordExpi‐
5014 rationtime, passwordHistory, etc).
5015 --pwdtrack PWDTRACK
5018 Set to "on" to track the time the password was last changed
5019 --pwdwarning PWDWARNING
5022 Send an expiring warning if password expires within this time
5023 (in seconds)
5024 --pwdexpire PWDEXPIRE
5027 Set to "on" to enable password expiration
5028 --pwdmaxage PWDMAXAGE
5031 The password expiration time in seconds
5032 --pwdminage PWDMINAGE
5035 The number of seconds that must pass before a user can change
5036 their password
5037 --pwdgracelimit PWDGRACELIMIT
5040 The number of allowed logins after the password has expired
5041 --pwdsendexpiring PWDSENDEXPIRING
5044 Set to "on" to always send the expiring control regardless of
5045 the warning period
5046 --pwdlockout PWDLOCKOUT
5049 Set to "on" to enable account lockout
5050 --pwdunlock PWDUNLOCK
5053 Set to "on" to allow an account to become unlocked after the
5054 lockout duration
5055 --pwdlockoutduration PWDLOCKOUTDURATION
5058 The number of seconds an account stays locked out
5059 --pwdmaxfailures PWDMAXFAILURES
5062 The maximum number of allowed failed password attempts before
5063 the account gets locked
5064 --pwdresetfailcount PWDRESETFAILCOUNT
5067 The number of seconds to wait before reducing the failed login
5068 count on an account
5069 --pwdchecksyntax PWDCHECKSYNTAX
5072 Set to "on" to enable password syntax checking
5073 --pwdminlen PWDMINLEN
5076 The minimum number of characters required in a password
5077 --pwdmindigits PWDMINDIGITS
5080 The minimum number of digit/number characters in a password
5081 --pwdminalphas PWDMINALPHAS
5084 The minimum number of alpha characters required in a password
5085 --pwdminuppers PWDMINUPPERS
5088 The minimum number of uppercase characters required in a pass‐
5089 word
5090 --pwdminlowers PWDMINLOWERS
5093 The minimum number of lowercase characters required in a pass‐
5094 word
5095 --pwdminspecials PWDMINSPECIALS
5098 The minimum number of special characters required in a password
5099 --pwdmin8bits PWDMIN8BITS
5102 The minimum number of 8-bit characters required in a password
5103 --pwdmaxrepeats PWDMAXREPEATS
5106 The maximum number of times the same character can appear se‐
5107 quentially in the password
5108 --pwdpalindrome PWDPALINDROME
5111 Set to "on" to reject passwords that are palindromes
5112 --pwdmaxseq PWDMAXSEQ
5115 The maximum number of allowed monotonic character sequences in a
5116 password
5117 --pwdmaxseqsets PWDMAXSEQSETS
5120 The maximum number of allowed monotonic character sequences that
5121 can be duplicated in a password
5122 --pwdmaxclasschars PWDMAXCLASSCHARS
5125 The maximum number of sequential characters from the same char‐
5126 acter class that is allowed in a password
5127 --pwdmincatagories PWDMINCATAGORIES
5130 The minimum number of syntax category checks
5131 --pwdmintokenlen PWDMINTOKENLEN
5134 Sets the smallest attribute value length that is used for triv‐
5135 ial/user words checking. This also impacts "--pwduserattrs"
5136 --pwdbadwords PWDBADWORDS
5139 A space-separated list of words that can not be in a password
5140 --pwduserattrs PWDUSERATTRS
5143 A space-separated list of attributes whose values can not appear
5144 in the password (See "--pwdmintokenlen")
5145 --pwddictcheck PWDDICTCHECK
5148 Set to "on" to enforce CrackLib dictionary checking
5149 --pwddictpath PWDDICTPATH
5152 Filesystem path to specific/custom CrackLib dictionary files
5153 --pwptprmaxuse PWPTPRMAXUSE
5156 Number of times a reset password can be used for authentication
5157 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5160 Number of seconds after which a reset password expires
5161 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5164 Number of seconds to wait before using a reset password to au‐
5165 thenticated
5166 --pwdlocal PWDLOCAL
5169 Set to "on" to enable fine-grained (subtree/user-level) password
5170 policies
5171 --pwdisglobal PWDISGLOBAL
5174 Set to "on" to enable password policy state attributes to be
5175 replicated
5176 --pwdallowhash PWDALLOWHASH
5179 Set to "on" to allow adding prehashed passwords
5180 --pwpinheritglobal PWPINHERITGLOBAL
5183 Set to "on" to allow local policies to inherit the global policy
5184
5187 usage: dsconf instance pwpolicy list-schemes [-h]
5188
5191 usage: dsconf instance localpwp [-h]
5192 {list,get,set,remove,adduser,addsub‐
5193 tree} ...
5194
5197 dsconf localpwp list
5198 List all the local password policies
5199 dsconf localpwp get
5201 Get local password policy entry
5202 dsconf localpwp set
5204 Set an attribute in a local password policy
5205 dsconf localpwp remove
5207 Remove a local password policy
5208 dsconf localpwp adduser
5210 Add new user password policy
5211 dsconf localpwp addsubtree
5213 Add new subtree password policy
5214
5217 usage: dsconf instance localpwp list [-h] [DN]
5218 DN Suffix to search for local password policies
5221
5224 usage: dsconf instance localpwp get [-h] DN
5225 DN Get the local policy for this entry DN
5228
5231 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
5232 [--pwdchange PWDCHANGE]
5233 [--pwdmustchange PWDMUSTCHANGE]
5234 [--pwdhistory PWDHISTORY]
5235 [--pwdhistorycount PWDHISTORYCOUNT]
5236 [--pwdadmin PWDADMIN]
5237 [--pwdadminskipupdates PWDADMIN‐
5238 SKIPUPDATES]
5239 [--pwdtrack PWDTRACK]
5240 [--pwdwarning PWDWARNING]
5241 [--pwdexpire PWDEXPIRE]
5242 [--pwdmaxage PWDMAXAGE]
5243 [--pwdminage PWDMINAGE]
5244 [--pwdgracelimit PWDGRACELIMIT]
5245 [--pwdsendexpiring PWDSENDEXPIRING]
5246 [--pwdlockout PWDLOCKOUT]
5247 [--pwdunlock PWDUNLOCK]
5248 [--pwdlockoutduration PWDLOCKOUTDU‐
5249 RATION]
5250 [--pwdmaxfailures PWDMAXFAILURES]
5251 [--pwdresetfailcount PWDRESETFAIL‐
5252 COUNT]
5253 [--pwdchecksyntax PWDCHECKSYNTAX]
5254 [--pwdminlen PWDMINLEN]
5255 [--pwdmindigits PWDMINDIGITS]
5256 [--pwdminalphas PWDMINALPHAS]
5257 [--pwdminuppers PWDMINUPPERS]
5258 [--pwdminlowers PWDMINLOWERS]
5259 [--pwdminspecials PWDMINSPECIALS]
5260 [--pwdmin8bits PWDMIN8BITS]
5261 [--pwdmaxrepeats PWDMAXREPEATS]
5262 [--pwdpalindrome PWDPALINDROME]
5263 [--pwdmaxseq PWDMAXSEQ]
5264 [--pwdmaxseqsets PWDMAXSEQSETS]
5265 [--pwdmaxclasschars PWDMAXCLASS‐
5266 CHARS]
5267 [--pwdmincatagories PWDMIN‐
5268 CATAGORIES]
5269 [--pwdmintokenlen PWDMINTOKENLEN]
5270 [--pwdbadwords PWDBADWORDS]
5271 [--pwduserattrs PWDUSERATTRS]
5272 [--pwddictcheck PWDDICTCHECK]
5273 [--pwddictpath PWDDICTPATH]
5274 [--pwptprmaxuse PWPTPRMAXUSE]
5275 [--pwptprdelayexpireat PWPTPRDELAY‐
5276 EXPIREAT]
5277 [--pwptprdelayvalidfrom PWPTPRDE‐
5278 LAYVALIDFROM]
5279 DN
5280 DN Set the local policy for this entry DN
5283
5286 --pwdscheme PWDSCHEME
5287 The password storage scheme
5288 --pwdchange PWDCHANGE
5291 Allow users to change their passwords
5292 --pwdmustchange PWDMUSTCHANGE
5295 Users must change their password after it was reset by an admin‐
5296 istrator
5297 --pwdhistory PWDHISTORY
5300 To enable password history set this to "on", otherwise "off"
5301 --pwdhistorycount PWDHISTORYCOUNT
5304 The number of passwords to keep in history
5305 --pwdadmin PWDADMIN
5308 The DN of an entry or a group of account that can bypass pass‐
5309 word policy constraints
5310 --pwdadminskipupdates PWDADMINSKIPUPDATES
5313 Set to "on" if the Password Admin's password update should not
5314 trigger updates to the password state attributes (passwordExpi‐
5315 rationtime, passwordHistory, etc).
5316 --pwdtrack PWDTRACK
5319 Set to "on" to track the time the password was last changed
5320 --pwdwarning PWDWARNING
5323 Send an expiring warning if password expires within this time
5324 (in seconds)
5325 --pwdexpire PWDEXPIRE
5328 Set to "on" to enable password expiration
5329 --pwdmaxage PWDMAXAGE
5332 The password expiration time in seconds
5333 --pwdminage PWDMINAGE
5336 The number of seconds that must pass before a user can change
5337 their password
5338 --pwdgracelimit PWDGRACELIMIT
5341 The number of allowed logins after the password has expired
5342 --pwdsendexpiring PWDSENDEXPIRING
5345 Set to "on" to always send the expiring control regardless of
5346 the warning period
5347 --pwdlockout PWDLOCKOUT
5350 Set to "on" to enable account lockout
5351 --pwdunlock PWDUNLOCK
5354 Set to "on" to allow an account to become unlocked after the
5355 lockout duration
5356 --pwdlockoutduration PWDLOCKOUTDURATION
5359 The number of seconds an account stays locked out
5360 --pwdmaxfailures PWDMAXFAILURES
5363 The maximum number of allowed failed password attempts before
5364 the account gets locked
5365 --pwdresetfailcount PWDRESETFAILCOUNT
5368 The number of seconds to wait before reducing the failed login
5369 count on an account
5370 --pwdchecksyntax PWDCHECKSYNTAX
5373 Set to "on" to enable password syntax checking
5374 --pwdminlen PWDMINLEN
5377 The minimum number of characters required in a password
5378 --pwdmindigits PWDMINDIGITS
5381 The minimum number of digit/number characters in a password
5382 --pwdminalphas PWDMINALPHAS
5385 The minimum number of alpha characters required in a password
5386 --pwdminuppers PWDMINUPPERS
5389 The minimum number of uppercase characters required in a pass‐
5390 word
5391 --pwdminlowers PWDMINLOWERS
5394 The minimum number of lowercase characters required in a pass‐
5395 word
5396 --pwdminspecials PWDMINSPECIALS
5399 The minimum number of special characters required in a password
5400 --pwdmin8bits PWDMIN8BITS
5403 The minimum number of 8-bit characters required in a password
5404 --pwdmaxrepeats PWDMAXREPEATS
5407 The maximum number of times the same character can appear se‐
5408 quentially in the password
5409 --pwdpalindrome PWDPALINDROME
5412 Set to "on" to reject passwords that are palindromes
5413 --pwdmaxseq PWDMAXSEQ
5416 The maximum number of allowed monotonic character sequences in a
5417 password
5418 --pwdmaxseqsets PWDMAXSEQSETS
5421 The maximum number of allowed monotonic character sequences that
5422 can be duplicated in a password
5423 --pwdmaxclasschars PWDMAXCLASSCHARS
5426 The maximum number of sequential characters from the same char‐
5427 acter class that is allowed in a password
5428 --pwdmincatagories PWDMINCATAGORIES
5431 The minimum number of syntax category checks
5432 --pwdmintokenlen PWDMINTOKENLEN
5435 Sets the smallest attribute value length that is used for triv‐
5436 ial/user words checking. This also impacts "--pwduserattrs"
5437 --pwdbadwords PWDBADWORDS
5440 A space-separated list of words that can not be in a password
5441 --pwduserattrs PWDUSERATTRS
5444 A space-separated list of attributes whose values can not appear
5445 in the password (See "--pwdmintokenlen")
5446 --pwddictcheck PWDDICTCHECK
5449 Set to "on" to enforce CrackLib dictionary checking
5450 --pwddictpath PWDDICTPATH
5453 Filesystem path to specific/custom CrackLib dictionary files
5454 --pwptprmaxuse PWPTPRMAXUSE
5457 Number of times a reset password can be used for authentication
5458 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5461 Number of seconds after which a reset password expires
5462 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5465 Number of seconds to wait before using a reset password to au‐
5466 thenticated
5467
5470 usage: dsconf instance localpwp remove [-h] DN
5471 DN Remove local policy for this entry DN
5474
5477 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5478 [--pwdchange PWDCHANGE]
5479 [--pwdmustchange PWDMUSTCHANGE]
5480 [--pwdhistory PWDHISTORY]
5481 [--pwdhistorycount PWDHISTO‐
5482 RYCOUNT]
5483 [--pwdadmin PWDADMIN]
5484 [--pwdadminskipupdates PWDAD‐
5485 MINSKIPUPDATES]
5486 [--pwdtrack PWDTRACK]
5487 [--pwdwarning PWDWARNING]
5488 [--pwdexpire PWDEXPIRE]
5489 [--pwdmaxage PWDMAXAGE]
5490 [--pwdminage PWDMINAGE]
5491 [--pwdgracelimit PWDGRACELIMIT]
5492 [--pwdsendexpiring PWDSENDEX‐
5493 PIRING]
5494 [--pwdlockout PWDLOCKOUT]
5495 [--pwdunlock PWDUNLOCK]
5496 [--pwdlockoutduration PWDLOCK‐
5497 OUTDURATION]
5498 [--pwdmaxfailures PWDMAXFAIL‐
5499 URES]
5500 [--pwdresetfailcount PWDRESET‐
5501 FAILCOUNT]
5502 [--pwdchecksyntax PWDCHECKSYN‐
5503 TAX]
5504 [--pwdminlen PWDMINLEN]
5505 [--pwdmindigits PWDMINDIGITS]
5506 [--pwdminalphas PWDMINALPHAS]
5507 [--pwdminuppers PWDMINUPPERS]
5508 [--pwdminlowers PWDMINLOWERS]
5509 [--pwdminspecials PWDMINSPE‐
5510 CIALS]
5511 [--pwdmin8bits PWDMIN8BITS]
5512 [--pwdmaxrepeats PWDMAXREPEATS]
5513 [--pwdpalindrome PWDPALINDROME]
5514 [--pwdmaxseq PWDMAXSEQ]
5515 [--pwdmaxseqsets PWDMAXSEQSETS]
5516 [--pwdmaxclasschars PWDMAX‐
5517 CLASSCHARS]
5518 [--pwdmincatagories PWDMIN‐
5519 CATAGORIES]
5520 [--pwdmintokenlen PWDMINTO‐
5521 KENLEN]
5522 [--pwdbadwords PWDBADWORDS]
5523 [--pwduserattrs PWDUSERATTRS]
5524 [--pwddictcheck PWDDICTCHECK]
5525 [--pwddictpath PWDDICTPATH]
5526 [--pwptprmaxuse PWPTPRMAXUSE]
5527 [--pwptprdelayexpireat PWPT‐
5528 PRDELAYEXPIREAT]
5529 [--pwptprdelayvalidfrom PWPT‐
5530 PRDELAYVALIDFROM]
5531 DN
5532 DN Add/replace the local password policy for this entry DN
5535
5538 --pwdscheme PWDSCHEME
5539 The password storage scheme
5540 --pwdchange PWDCHANGE
5543 Allow users to change their passwords
5544 --pwdmustchange PWDMUSTCHANGE
5547 Users must change their password after it was reset by an admin‐
5548 istrator
5549 --pwdhistory PWDHISTORY
5552 To enable password history set this to "on", otherwise "off"
5553 --pwdhistorycount PWDHISTORYCOUNT
5556 The number of passwords to keep in history
5557 --pwdadmin PWDADMIN
5560 The DN of an entry or a group of account that can bypass pass‐
5561 word policy constraints
5562 --pwdadminskipupdates PWDADMINSKIPUPDATES
5565 Set to "on" if the Password Admin's password update should not
5566 trigger updates to the password state attributes (passwordExpi‐
5567 rationtime, passwordHistory, etc).
5568 --pwdtrack PWDTRACK
5571 Set to "on" to track the time the password was last changed
5572 --pwdwarning PWDWARNING
5575 Send an expiring warning if password expires within this time
5576 (in seconds)
5577 --pwdexpire PWDEXPIRE
5580 Set to "on" to enable password expiration
5581 --pwdmaxage PWDMAXAGE
5584 The password expiration time in seconds
5585 --pwdminage PWDMINAGE
5588 The number of seconds that must pass before a user can change
5589 their password
5590 --pwdgracelimit PWDGRACELIMIT
5593 The number of allowed logins after the password has expired
5594 --pwdsendexpiring PWDSENDEXPIRING
5597 Set to "on" to always send the expiring control regardless of
5598 the warning period
5599 --pwdlockout PWDLOCKOUT
5602 Set to "on" to enable account lockout
5603 --pwdunlock PWDUNLOCK
5606 Set to "on" to allow an account to become unlocked after the
5607 lockout duration
5608 --pwdlockoutduration PWDLOCKOUTDURATION
5611 The number of seconds an account stays locked out
5612 --pwdmaxfailures PWDMAXFAILURES
5615 The maximum number of allowed failed password attempts before
5616 the account gets locked
5617 --pwdresetfailcount PWDRESETFAILCOUNT
5620 The number of seconds to wait before reducing the failed login
5621 count on an account
5622 --pwdchecksyntax PWDCHECKSYNTAX
5625 Set to "on" to enable password syntax checking
5626 --pwdminlen PWDMINLEN
5629 The minimum number of characters required in a password
5630 --pwdmindigits PWDMINDIGITS
5633 The minimum number of digit/number characters in a password
5634 --pwdminalphas PWDMINALPHAS
5637 The minimum number of alpha characters required in a password
5638 --pwdminuppers PWDMINUPPERS
5641 The minimum number of uppercase characters required in a pass‐
5642 word
5643 --pwdminlowers PWDMINLOWERS
5646 The minimum number of lowercase characters required in a pass‐
5647 word
5648 --pwdminspecials PWDMINSPECIALS
5651 The minimum number of special characters required in a password
5652 --pwdmin8bits PWDMIN8BITS
5655 The minimum number of 8-bit characters required in a password
5656 --pwdmaxrepeats PWDMAXREPEATS
5659 The maximum number of times the same character can appear se‐
5660 quentially in the password
5661 --pwdpalindrome PWDPALINDROME
5664 Set to "on" to reject passwords that are palindromes
5665 --pwdmaxseq PWDMAXSEQ
5668 The maximum number of allowed monotonic character sequences in a
5669 password
5670 --pwdmaxseqsets PWDMAXSEQSETS
5673 The maximum number of allowed monotonic character sequences that
5674 can be duplicated in a password
5675 --pwdmaxclasschars PWDMAXCLASSCHARS
5678 The maximum number of sequential characters from the same char‐
5679 acter class that is allowed in a password
5680 --pwdmincatagories PWDMINCATAGORIES
5683 The minimum number of syntax category checks
5684 --pwdmintokenlen PWDMINTOKENLEN
5687 Sets the smallest attribute value length that is used for triv‐
5688 ial/user words checking. This also impacts "--pwduserattrs"
5689 --pwdbadwords PWDBADWORDS
5692 A space-separated list of words that can not be in a password
5693 --pwduserattrs PWDUSERATTRS
5696 A space-separated list of attributes whose values can not appear
5697 in the password (See "--pwdmintokenlen")
5698 --pwddictcheck PWDDICTCHECK
5701 Set to "on" to enforce CrackLib dictionary checking
5702 --pwddictpath PWDDICTPATH
5705 Filesystem path to specific/custom CrackLib dictionary files
5706 --pwptprmaxuse PWPTPRMAXUSE
5709 Number of times a reset password can be used for authentication
5710 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5713 Number of seconds after which a reset password expires
5714 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5717 Number of seconds to wait before using a reset password to au‐
5718 thenticated
5719
5722 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5723 [--pwdchange PWDCHANGE]
5724 [--pwdmustchange PWD‐
5725 MUSTCHANGE]
5726 [--pwdhistory PWDHISTORY]
5727 [--pwdhistorycount PWDHISTO‐
5728 RYCOUNT]
5729 [--pwdadmin PWDADMIN]
5730 [--pwdadminskipupdates PW‐
5731 DADMINSKIPUPDATES]
5732 [--pwdtrack PWDTRACK]
5733 [--pwdwarning PWDWARNING]
5734 [--pwdexpire PWDEXPIRE]
5735 [--pwdmaxage PWDMAXAGE]
5736 [--pwdminage PWDMINAGE]
5737 [--pwdgracelimit PWDGRACE‐
5738 LIMIT]
5739 [--pwdsendexpiring PWDSEND‐
5740 EXPIRING]
5741 [--pwdlockout PWDLOCKOUT]
5742 [--pwdunlock PWDUNLOCK]
5743 [--pwdlockoutduration PWD‐
5744 LOCKOUTDURATION]
5745 [--pwdmaxfailures PWDMAX‐
5746 FAILURES]
5747 [--pwdresetfailcount PW‐
5748 DRESETFAILCOUNT]
5749 [--pwdchecksyntax PWD‐
5750 CHECKSYNTAX]
5751 [--pwdminlen PWDMINLEN]
5752 [--pwdmindigits PWDMINDIG‐
5753 ITS]
5754 [--pwdminalphas PWDMINAL‐
5755 PHAS]
5756 [--pwdminuppers PWDMINUP‐
5757 PERS]
5758 [--pwdminlowers PWDMINLOW‐
5759 ERS]
5760 [--pwdminspecials PWDMINSPE‐
5761 CIALS]
5762 [--pwdmin8bits PWDMIN8BITS]
5763 [--pwdmaxrepeats PWDMAXRE‐
5764 PEATS]
5765 [--pwdpalindrome PWDPALIN‐
5766 DROME]
5767 [--pwdmaxseq PWDMAXSEQ]
5768 [--pwdmaxseqsets PWDMAXSE‐
5769 QSETS]
5770 [--pwdmaxclasschars PWDMAX‐
5771 CLASSCHARS]
5772 [--pwdmincatagories PWDMIN‐
5773 CATAGORIES]
5774 [--pwdmintokenlen PWDMINTO‐
5775 KENLEN]
5776 [--pwdbadwords PWDBADWORDS]
5777 [--pwduserattrs PWDUSERAT‐
5778 TRS]
5779 [--pwddictcheck PWD‐
5780 DICTCHECK]
5781 [--pwddictpath PWDDICTPATH]
5782 [--pwptprmaxuse PWPT‐
5783 PRMAXUSE]
5784 [--pwptprdelayexpireat PWPT‐
5785 PRDELAYEXPIREAT]
5786 [--pwptprdelayvalidfrom PW‐
5787 PTPRDELAYVALIDFROM]
5788 DN
5789 DN Add/replace the subtree policy for this entry DN
5792
5795 --pwdscheme PWDSCHEME
5796 The password storage scheme
5797 --pwdchange PWDCHANGE
5800 Allow users to change their passwords
5801 --pwdmustchange PWDMUSTCHANGE
5804 Users must change their password after it was reset by an admin‐
5805 istrator
5806 --pwdhistory PWDHISTORY
5809 To enable password history set this to "on", otherwise "off"
5810 --pwdhistorycount PWDHISTORYCOUNT
5813 The number of passwords to keep in history
5814 --pwdadmin PWDADMIN
5817 The DN of an entry or a group of account that can bypass pass‐
5818 word policy constraints
5819 --pwdadminskipupdates PWDADMINSKIPUPDATES
5822 Set to "on" if the Password Admin's password update should not
5823 trigger updates to the password state attributes (passwordExpi‐
5824 rationtime, passwordHistory, etc).
5825 --pwdtrack PWDTRACK
5828 Set to "on" to track the time the password was last changed
5829 --pwdwarning PWDWARNING
5832 Send an expiring warning if password expires within this time
5833 (in seconds)
5834 --pwdexpire PWDEXPIRE
5837 Set to "on" to enable password expiration
5838 --pwdmaxage PWDMAXAGE
5841 The password expiration time in seconds
5842 --pwdminage PWDMINAGE
5845 The number of seconds that must pass before a user can change
5846 their password
5847 --pwdgracelimit PWDGRACELIMIT
5850 The number of allowed logins after the password has expired
5851 --pwdsendexpiring PWDSENDEXPIRING
5854 Set to "on" to always send the expiring control regardless of
5855 the warning period
5856 --pwdlockout PWDLOCKOUT
5859 Set to "on" to enable account lockout
5860 --pwdunlock PWDUNLOCK
5863 Set to "on" to allow an account to become unlocked after the
5864 lockout duration
5865 --pwdlockoutduration PWDLOCKOUTDURATION
5868 The number of seconds an account stays locked out
5869 --pwdmaxfailures PWDMAXFAILURES
5872 The maximum number of allowed failed password attempts before
5873 the account gets locked
5874 --pwdresetfailcount PWDRESETFAILCOUNT
5877 The number of seconds to wait before reducing the failed login
5878 count on an account
5879 --pwdchecksyntax PWDCHECKSYNTAX
5882 Set to "on" to enable password syntax checking
5883 --pwdminlen PWDMINLEN
5886 The minimum number of characters required in a password
5887 --pwdmindigits PWDMINDIGITS
5890 The minimum number of digit/number characters in a password
5891 --pwdminalphas PWDMINALPHAS
5894 The minimum number of alpha characters required in a password
5895 --pwdminuppers PWDMINUPPERS
5898 The minimum number of uppercase characters required in a pass‐
5899 word
5900 --pwdminlowers PWDMINLOWERS
5903 The minimum number of lowercase characters required in a pass‐
5904 word
5905 --pwdminspecials PWDMINSPECIALS
5908 The minimum number of special characters required in a password
5909 --pwdmin8bits PWDMIN8BITS
5912 The minimum number of 8-bit characters required in a password
5913 --pwdmaxrepeats PWDMAXREPEATS
5916 The maximum number of times the same character can appear se‐
5917 quentially in the password
5918 --pwdpalindrome PWDPALINDROME
5921 Set to "on" to reject passwords that are palindromes
5922 --pwdmaxseq PWDMAXSEQ
5925 The maximum number of allowed monotonic character sequences in a
5926 password
5927 --pwdmaxseqsets PWDMAXSEQSETS
5930 The maximum number of allowed monotonic character sequences that
5931 can be duplicated in a password
5932 --pwdmaxclasschars PWDMAXCLASSCHARS
5935 The maximum number of sequential characters from the same char‐
5936 acter class that is allowed in a password
5937 --pwdmincatagories PWDMINCATAGORIES
5940 The minimum number of syntax category checks
5941 --pwdmintokenlen PWDMINTOKENLEN
5944 Sets the smallest attribute value length that is used for triv‐
5945 ial/user words checking. This also impacts "--pwduserattrs"
5946 --pwdbadwords PWDBADWORDS
5949 A space-separated list of words that can not be in a password
5950 --pwduserattrs PWDUSERATTRS
5953 A space-separated list of attributes whose values can not appear
5954 in the password (See "--pwdmintokenlen")
5955 --pwddictcheck PWDDICTCHECK
5958 Set to "on" to enforce CrackLib dictionary checking
5959 --pwddictpath PWDDICTPATH
5962 Filesystem path to specific/custom CrackLib dictionary files
5963 --pwptprmaxuse PWPTPRMAXUSE
5966 Number of times a reset password can be used for authentication
5967 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5970 Number of seconds after which a reset password expires
5971 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5974 Number of seconds to wait before using a reset password to au‐
5975 thenticated
5976
5979 usage: dsconf instance replication [-h]
5980 {enable,disable,get-ruv,list,sta‐
5981 tus,winsync-status,promote,create-manager,delete-manager,de‐
5982 mote,get,set-changelog,get-changelog,export-changelog,im‐
5983 port-changelog,set,monitor}
5984 ...
5985
5988 dsconf replication enable
5989 Enable replication for a suffix
5990 dsconf replication disable
5992 Disable replication for a suffix
5993 dsconf replication get-ruv
5995 Display the database RUV entry for a suffix
5996 dsconf replication list
5998 Lists all the replicated suffixes
5999 dsconf replication status
6001 Display the current status of all the replication agreements
6002 dsconf replication winsync-status
6004 Display the current status of all the replication agreements
6005 dsconf replication promote
6007 Promote a replica to a hub or supplier
6008 dsconf replication create-manager
6010 Create a replication manager entry
6011 dsconf replication delete-manager
6013 Delete a replication manager entry
6014 dsconf replication demote
6016 Demote replica to a hub or consumer
6017 dsconf replication get
6019 Display the replication configuration
6020 dsconf replication set-changelog
6022 Set replication changelog attributes
6023 dsconf replication get-changelog
6025 Display replication changelog attributes
6026 dsconf replication export-changelog
6028 Export the Directory Server replication changelog to an LDIF
6029 file
6030 dsconf replication import-changelog
6032 Restore/import Directory Server replication change log from an
6033 LDIF file. This is typically used when managing changelog en‐
6034 cryption
6035 dsconf replication set
6037 Set an attribute in the replication configuration
6038 dsconf replication monitor
6040 Display the full replication topology report
6041
6044 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
6045 ROLE
6046 [--replica-id REPLICA_ID]
6047 [--bind-group-dn
6048 BIND_GROUP_DN]
6049 [--bind-dn BIND_DN]
6050 [--bind-passwd BIND_PASSWD]
6051 [--bind-passwd-file
6052 BIND_PASSWD_FILE]
6053 [--bind-passwd-prompt]
6054
6057 --suffix SUFFIX
6058 Sets the DN of the suffix to be enabled for replication
6059 --role ROLE
6062 Sets the replication role: "supplier", "hub", or "consumer"
6063 --replica-id REPLICA_ID
6066 Sets the replication identifier for a "supplier". Values range
6067 from 1 - 65534
6068 --bind-group-dn BIND_GROUP_DN
6071 Sets a group entry DN containing members that are "bind/sup‐
6072 plier" DNs
6073 --bind-dn BIND_DN
6076 Sets the bind or supplier DN that can make replication updates
6077 --bind-passwd BIND_PASSWD
6080 Sets the password for replication manager (--bind-dn). This will
6081 create the manager entry if a value is set
6082 --bind-passwd-file BIND_PASSWD_FILE
6085 File containing the password
6086 --bind-passwd-prompt
6089 Prompt for password
6090
6093 usage: dsconf instance replication disable [-h] --suffix SUFFIX
6094
6097 --suffix SUFFIX
6098 Sets the DN of the suffix to have replication disabled
6099
6102 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
6103
6106 --suffix SUFFIX
6107 Sets the DN of the replicated suffix
6108
6111 usage: dsconf instance replication list [-h]
6112
6115 usage: dsconf instance replication status [-h] --suffix SUFFIX
6116 [--bind-dn BIND_DN]
6117 [--bind-passwd BIND_PASSWD]
6118 [--bind-passwd-file
6119 BIND_PASSWD_FILE]
6120 [--bind-passwd-prompt]
6121
6124 --suffix SUFFIX
6125 Sets the DN of the replication suffix
6126 --bind-dn BIND_DN
6129 Sets the DN to use to authenticate to the consumer. If not set,
6130 current instance's root DN will be used. It will be used for all
6131 agreements
6132 --bind-passwd BIND_PASSWD
6135 Sets the password for the bind DN. It will be used for all
6136 agreements
6137 --bind-passwd-file BIND_PASSWD_FILE
6140 File containing the password. It will be used for all agreements
6141 --bind-passwd-prompt
6144 Prompt for passwords for each agreement's instance separately
6145
6148 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
6149 [--bind-dn BIND_DN]
6150 [--bind-passwd
6151 BIND_PASSWD]
6152 [--bind-passwd-file
6153 BIND_PASSWD_FILE]
6154 [--bind-passwd-prompt]
6155
6158 --suffix SUFFIX
6159 Sets the DN of the replication suffix
6160 --bind-dn BIND_DN
6163 Sets the DN to use to authenticate to the consumer. Currectly
6164 not used
6165 --bind-passwd BIND_PASSWD
6168 Sets the password of the bind DN. Currectly not used
6169 --bind-passwd-file BIND_PASSWD_FILE
6172 File containing the password. Currectly not used
6173 --bind-passwd-prompt
6176 Prompt for password. Currectly not used
6177
6180 usage: dsconf instance replication promote [-h] --suffix SUFFIX --new‐
6181 role
6182 NEWROLE [--replica-id
6183 REPLICA_ID]
6184 [--bind-group-dn
6185 BIND_GROUP_DN]
6186 [--bind-dn BIND_DN]
6187
6190 --suffix SUFFIX
6191 Sets the DN of the replication suffix to promote
6192 --newrole NEWROLE
6195 Sets the new replica role to "hub" or "supplier"
6196 --replica-id REPLICA_ID
6199 Sets the replication identifier for a "supplier". Values range
6200 from 1 - 65534
6201 --bind-group-dn BIND_GROUP_DN
6204 Sets a group entry DN containing members that are "bind/sup‐
6205 plier" DNs
6206 --bind-dn BIND_DN
6209 Sets the bind or supplier DN that can make replication updates
6210
6213 usage: dsconf instance replication create-manager [-h] [--name NAME]
6214 [--passwd PASSWD]
6215 [--passwd-file
6216 PASSWD_FILE]
6217 [--bind-passwd-file
6218 BIND_PASSWD_FILE]
6219 [--suffix SUFFIX]
6220
6223 --name NAME
6224 Sets the name of the new replication manager entry.For example,
6225 if the name is "replication manager" then the new manager en‐
6226 try's DN would be "cn=replication manager,cn=config".
6227 --passwd PASSWD
6230 Sets the password for replication manager. If not provided, you
6231 will be prompted for the password
6232 --passwd-file PASSWD_FILE
6235 File containing the password for back compatibility
6236 --bind-passwd-file BIND_PASSWD_FILE
6239 File containing the password
6240 --suffix SUFFIX
6243 The DN of the replication suffix whose replication configuration
6244 you want to add this new manager to (OPTIONAL)
6245
6248 usage: dsconf instance replication delete-manager [-h] [--name NAME]
6249 [--suffix SUFFIX]
6250
6253 --name NAME
6254 Sets the name of the replication manager entry under cn=config:
6255 "cn=NAME,cn=config"
6256 --suffix SUFFIX
6259 Sets the DN of the replication suffix whose replication configu‐
6260 ration you want to remove this manager from (OPTIONAL)
6261
6264 usage: dsconf instance replication demote [-h] --suffix SUFFIX --new‐
6265 role
6266 NEWROLE
6267
6270 --suffix SUFFIX
6271 Sets the DN of the replication suffix
6272 --newrole NEWROLE
6275 Sets the new replication role to "hub", or "consumer"
6276
6279 usage: dsconf instance replication get [-h] --suffix SUFFIX
6280
6283 --suffix SUFFIX
6284 Sets the suffix DN for the replication configuration to display
6285
6288 usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
6289 [--max-entries MAX_EN‐
6290 TRIES]
6291 [--max-age MAX_AGE]
6292 [--trim-interval
6293 TRIM_INTERVAL]
6294 [--encrypt]
6295 [--disable-encrypt]
6296
6299 --suffix SUFFIX
6300 Sets the suffix that uses the changelog
6301 --max-entries MAX_ENTRIES
6304 Sets the maximum number of entries to get in the replication
6305 changelog
6306 --max-age MAX_AGE
6309 Set the maximum age of a replication changelog entry
6310 --trim-interval TRIM_INTERVAL
6313 Sets the interval to check if the replication changelog can be
6314 trimmed
6315 --encrypt
6318 Sets the replication changelog to use encryption. You must ex‐
6319 port and import the changelog after setting this.
6320 --disable-encrypt
6323 Sets the replication changelog to not use encryption. You must
6324 export and import the changelog after setting this.
6325
6328 usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
6329
6332 --suffix SUFFIX
6333 Sets the suffix that uses the changelog
6334
6337 usage: dsconf instance replication export-changelog [-h] {to-ldif,de‐
6338 fault} ...
6339
6342 dsconf replication export-changelog to-ldif
6343 Sets the LDIF file name. This is typically used for setting up
6344 changelog encryption
6345 dsconf replication export-changelog default
6347 Export the replication changelog to the server's default LDIF
6348 directory
6349
6352 usage: dsconf instance replication export-changelog to-ldif
6353 [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r
6354 REPLICA_ROOT
6355
6358 -c, --csn-only
6359 Enables to export and interpret CSN only. This option can be
6360 used with or without -i option. The LDIF file that is generated
6361 can not be imported and is only used for debugging purposes.
6362 -d, --decode
6365 Decodes the base64 values in each changelog entry. The LDIF file
6366 that is generated can not be imported and is only used for de‐
6367 bugging purposes.
6368 -l, --preserve-ldif-done
6371 Preserves generated LDIF "files.done" files in changelog direc‐
6372 tory.
6373 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
6376 Decodes changes in an LDIF file. Use this option if you already
6377 have a changelog LDIF file, but the changes in that file are en‐
6378 coded.
6379 -o OUTPUT_FILE, --output-file OUTPUT_FILE
6382 Sets the path name for the final result
6383 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6386 Specifies the replica root whose changelog you want to export
6387
6390 usage: dsconf instance replication export-changelog default
6391 [-h] -r REPLICA_ROOT
6392
6395 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6396 Specifies the replica root whose changelog you want to export
6397
6400 usage: dsconf instance replication import-changelog [-h]
6401 {from-ldif,default}
6402 ...
6403
6406 dsconf replication import-changelog from-ldif
6407 Restore/import a specific single LDIF file
6408 dsconf replication import-changelog default
6410 Import the default changelog LDIF file created by the server
6411
6414 usage: dsconf instance replication import-changelog from-ldif
6415 [-h] -r REPLICA_ROOT LDIF_PATH
6416 LDIF_PATH
6419 The path of the changelog LDIF file
6420
6423 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6424 Specifies the replica root whose changelog you want to import
6425
6428 usage: dsconf instance replication import-changelog default
6429 [-h] -r REPLICA_ROOT
6430
6433 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6434 Specifies the replica root whose changelog you want to import
6435
6438 usage: dsconf instance replication set [-h] --suffix SUFFIX
6439 [--repl-add-bind-dn
6440 REPL_ADD_BIND_DN]
6441 [--repl-del-bind-dn
6442 REPL_DEL_BIND_DN]
6443 [--repl-add-ref REPL_ADD_REF]
6444 [--repl-del-ref REPL_DEL_REF]
6445 [--repl-purge-delay
6446 REPL_PURGE_DELAY]
6447 [--repl-tombstone-purge-interval
6448 REPL_TOMBSTONE_PURGE_INTERVAL]
6449 [--repl-fast-tombstone-purging
6450 REPL_FAST_TOMBSTONE_PURGING]
6451 [--repl-bind-group
6452 REPL_BIND_GROUP]
6453 [--repl-bind-group-interval
6454 REPL_BIND_GROUP_INTERVAL]
6455 [--repl-protocol-timeout
6456 REPL_PROTOCOL_TIMEOUT]
6457 [--repl-backoff-max REPL_BACK‐
6458 OFF_MAX]
6459 [--repl-backoff-min REPL_BACK‐
6460 OFF_MIN]
6461 [--repl-release-timeout REPL_RE‐
6462 LEASE_TIMEOUT]
6463 [--repl-keepalive-update-inter‐
6464 val REPL_KEEPALIVE_UPDATE_INTERVAL]
6465
6468 --suffix SUFFIX
6469 Sets the DN of the replication suffix
6470 --repl-add-bind-dn REPL_ADD_BIND_DN
6473 Adds a bind (supplier) DN
6474 --repl-del-bind-dn REPL_DEL_BIND_DN
6477 Removes a bind (supplier) DN
6478 --repl-add-ref REPL_ADD_REF
6481 Adds a replication referral (for consumers only)
6482 --repl-del-ref REPL_DEL_REF
6485 Removes a replication referral (for conusmers only)
6486 --repl-purge-delay REPL_PURGE_DELAY
6489 Sets the replication purge delay
6490 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
6493 Sets the interval in seconds to check for tombstones that can be
6494 purged
6495 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6498 Enables or disables improving the tombstone purging performance
6499 --repl-bind-group REPL_BIND_GROUP
6502 Sets a group entry DN containing members that are "bind/sup‐
6503 plier" DNs
6504 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6507 Sets an interval in seconds to check if the bind group has been
6508 updated
6509 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6512 Sets a timeout in seconds on how long to wait before stopping
6513 replication when the server is under load
6514 --repl-backoff-max REPL_BACKOFF_MAX
6517 The maximum time in seconds a replication agreement should stay
6518 in a backoff state while waiting to acquire the consumer. De‐
6519 fault is 300 seconds
6520 --repl-backoff-min REPL_BACKOFF_MIN
6523 The starting time in seconds a replication agreement should stay
6524 in a backoff state while waiting to acquire the consumer. De‐
6525 fault is 3 seconds
6526 --repl-release-timeout REPL_RELEASE_TIMEOUT
6529 A timeout in seconds a replication supplier should send updates
6530 before it yields its replication session
6531 --repl-keepalive-update-interval REPL_KEEPALIVE_UPDATE_INTERVAL
6534 Interval in seconds for how often the server will apply an in‐
6535 ternal update to keep the RUV from getting stale. The default is
6536 1 hour (3600 seconds)
6537
6540 usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
6541 [-a [ALIASES ...]]
6542
6545 -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
6546 Sets the connection values for monitoring other not connected
6547 topologies. The format: 'host:port:binddn:bindpwd'. You can use
6548 regex for host and port. You can set bindpwd to * and it will be
6549 requested at the runtime or you can include the path to the
6550 password file in square brackets - [~/pwd.txt]
6551 -a [ALIASES ...], --aliases [ALIASES ...]
6554 Enables displaying an alias instead of host:port, if an alias is
6555 assigned to a host:port combination. The format: alias=host:port
6556
6559 usage: dsconf instance repl-agmt [-h]
6560 {list,enable,disable,init,init-sta‐
6561 tus,poke,status,delete,create,set,get}
6562 ...
6563
6566 dsconf repl-agmt list
6567 List all replication agreements
6568 dsconf repl-agmt enable
6570 Enable replication agreement
6571 dsconf repl-agmt disable
6573 Disable replication agreement
6574 dsconf repl-agmt init
6576 Initialize replication agreement
6577 dsconf repl-agmt init-status
6579 Check the agreement initialization status
6580 dsconf repl-agmt poke
6582 Trigger replication to send updates now
6583 dsconf repl-agmt status
6585 Displays the current status of the replication agreement
6586 dsconf repl-agmt delete
6588 Delete replication agreement
6589 dsconf repl-agmt create
6591 Initialize replication agreement
6592 dsconf repl-agmt set
6594 Set an attribute in the replication agreement
6595 dsconf repl-agmt get
6597 Get replication configuration
6598
6601 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry EN‐
6602 TRY]
6603
6606 --suffix SUFFIX
6607 Sets the DN of the suffix to look up replication agreements for
6608 --entry ENTRY
6611 Returns the entire entry for each agreement
6612
6615 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6616 AGMT_NAME
6619 The name of the replication agreement
6620
6623 --suffix SUFFIX
6624 Sets the DN of the replication suffix
6625
6628 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6629 AGMT_NAME
6632 The name of the replication agreement
6633
6636 --suffix SUFFIX
6637 Sets the DN of the replication suffix
6638
6641 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6642 AGMT_NAME
6645 The name of the replication agreement
6646
6649 --suffix SUFFIX
6650 Sets the DN of the replication suffix
6651
6654 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6655 AGMT_NAME
6656 AGMT_NAME
6659 The name of the replication agreement
6660
6663 --suffix SUFFIX
6664 Sets the DN of the replication suffix
6665
6668 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6669 AGMT_NAME
6672 The name of the replication agreement
6673
6676 --suffix SUFFIX
6677 Sets the DN of the replication suffix
6678
6681 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6682 [--bind-dn BIND_DN]
6683 [--bind-passwd BIND_PASSWD]
6684 [--bind-passwd-file
6685 BIND_PASSWD_FILE]
6686 [--bind-passwd-prompt]
6687 AGMT_NAME
6688 AGMT_NAME
6691 The name of the replication agreement
6692
6695 --suffix SUFFIX
6696 Sets the DN of the replication suffix
6697 --bind-dn BIND_DN
6700 Sets the DN to use to authenticate to the consumer. If not set,
6701 current instance's root DN will be used. It will be used for all
6702 agreements
6703 --bind-passwd BIND_PASSWD
6706 Sets the password for the bind DN. It will be used for all
6707 agreements
6708 --bind-passwd-file BIND_PASSWD_FILE
6711 File containing the password. It will be used for all agreements
6712 --bind-passwd-prompt
6715 Prompt for passwords for each agreement's instance separately
6716
6719 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6720 AGMT_NAME
6723 The name of the replication agreement
6724
6727 --suffix SUFFIX
6728 Sets the DN of the replication suffix
6729
6732 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host
6733 HOST
6734 --port PORT --conn-protocol
6735 CONN_PROTOCOL [--bind-dn
6736 BIND_DN]
6737 [--bind-passwd BIND_PASSWD]
6738 [--bind-passwd-file
6739 BIND_PASSWD_FILE]
6740 [--bind-passwd-prompt]
6741 --bind-method
6742 BIND_METHOD [--frac-list
6743 FRAC_LIST]
6744 [--frac-list-total
6745 FRAC_LIST_TOTAL]
6746 [--strip-list STRIP_LIST]
6747 [--schedule SCHEDULE]
6748 [--conn-timeout CONN_TIMEOUT]
6749 [--protocol-timeout PROTO‐
6750 COL_TIMEOUT]
6751 [--wait-async-results
6752 WAIT_ASYNC_RESULTS]
6753 [--busy-wait-time
6754 BUSY_WAIT_TIME]
6755 [--session-pause-time SES‐
6756 SION_PAUSE_TIME]
6757 [--flow-control-window
6758 FLOW_CONTROL_WINDOW]
6759 [--flow-control-pause FLOW_CON‐
6760 TROL_PAUSE]
6761 [--bootstrap-bind-dn BOOT‐
6762 STRAP_BIND_DN]
6763 [--bootstrap-bind-passwd BOOT‐
6764 STRAP_BIND_PASSWD]
6765 [--bootstrap-bind-passwd-file
6766 BOOTSTRAP_BIND_PASSWD_FILE]
6767 [--boot‐
6768 strap-bind-passwd-prompt]
6769 [--bootstrap-conn-protocol
6770 BOOTSTRAP_CONN_PROTOCOL]
6771 [--bootstrap-bind-method BOOT‐
6772 STRAP_BIND_METHOD]
6773 [--init]
6774 AGMT_NAME
6775 AGMT_NAME
6778 The name of the replication agreement
6779
6782 --suffix SUFFIX
6783 Sets the DN of the replication suffix
6784 --host HOST
6787 Sets the hostname of the remote replica
6788 --port PORT
6791 Sets the port number of the remote replica
6792 --conn-protocol CONN_PROTOCOL
6795 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6796 TLS
6797 --bind-dn BIND_DN
6800 Sets the bind DN the agreement uses to authenticate to the
6801 replica
6802 --bind-passwd BIND_PASSWD
6805 Sets the credentials for the bind DN
6806 --bind-passwd-file BIND_PASSWD_FILE
6809 File containing the password
6810 --bind-passwd-prompt
6813 Prompt for password
6814 --bind-method BIND_METHOD
6817 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6818 or "SASL/GSSAPI"
6819 --frac-list FRAC_LIST
6822 Sets the list of attributes to NOT replicate to the consumer
6823 during incremental updates
6824 --frac-list-total FRAC_LIST_TOTAL
6827 Sets the list of attributes to NOT replicate during a total ini‐
6828 tialization
6829 --strip-list STRIP_LIST
6832 Sets a list of attributes that are removed from updates only if
6833 the event would otherwise be empty. Typically this is set to
6834 "modifiersname" and "modifytimestmap"
6835 --schedule SCHEDULE
6838 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6839 0-6 (Sunday - Saturday).
6840 --conn-timeout CONN_TIMEOUT
6843 Sets the timeout used for replication connections
6844 --protocol-timeout PROTOCOL_TIMEOUT
6847 Sets a timeout in seconds on how long to wait before stopping
6848 replication when the server is under load
6849 --wait-async-results WAIT_ASYNC_RESULTS
6852 Sets the amount of time in milliseconds the server waits if the
6853 consumer is not ready before resending data
6854 --busy-wait-time BUSY_WAIT_TIME
6857 Sets the amount of time in seconds a supplier should wait after
6858 a consumer sends back a busy response before making another at‐
6859 tempt to acquire access.
6860 --session-pause-time SESSION_PAUSE_TIME
6863 Sets the amount of time in seconds a supplier should wait be‐
6864 tween update sessions.
6865 --flow-control-window FLOW_CONTROL_WINDOW
6868 Sets the maximum number of entries and updates sent by a sup‐
6869 plier, which are not acknowledged by the consumer.
6870 --flow-control-pause FLOW_CONTROL_PAUSE
6873 Sets the time in milliseconds to pause after reaching the number
6874 of entries and updates set in "--flow-control-window"
6875 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6878 Sets an optional bind DN the agreement can use to bootstrap ini‐
6879 tialization when bind groups are being used
6880 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6883 Sets the bootstrap credentials for the bind DN
6884 --bootstrap-bind-passwd-file BOOTSTRAP_BIND_PASSWD_FILE
6887 File containing the password
6888 --bootstrap-bind-passwd-prompt
6891 File containing the password
6892 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6895 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6896 or StartTLS
6897 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6900 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6901 --init Initializes the agreement after creating it
6904
6907 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6908 [--port PORT]
6909 [--conn-protocol CONN_PROTOCOL]
6910 [--bind-dn BIND_DN]
6911 [--bind-passwd BIND_PASSWD]
6912 [--bind-passwd-file
6913 BIND_PASSWD_FILE]
6914 [--bind-passwd-prompt]
6915 [--bind-method BIND_METHOD]
6916 [--frac-list FRAC_LIST]
6917 [--frac-list-total FRAC_LIST_TO‐
6918 TAL]
6919 [--strip-list STRIP_LIST]
6920 [--schedule SCHEDULE]
6921 [--conn-timeout CONN_TIMEOUT]
6922 [--protocol-timeout PROTOCOL_TIME‐
6923 OUT]
6924 [--wait-async-results
6925 WAIT_ASYNC_RESULTS]
6926 [--busy-wait-time BUSY_WAIT_TIME]
6927 [--session-pause-time SES‐
6928 SION_PAUSE_TIME]
6929 [--flow-control-window FLOW_CON‐
6930 TROL_WINDOW]
6931 [--flow-control-pause FLOW_CON‐
6932 TROL_PAUSE]
6933 [--bootstrap-bind-dn BOOT‐
6934 STRAP_BIND_DN]
6935 [--bootstrap-bind-passwd BOOT‐
6936 STRAP_BIND_PASSWD]
6937 [--bootstrap-bind-passwd-file
6938 BOOTSTRAP_BIND_PASSWD_FILE]
6939 [--bootstrap-bind-passwd-prompt]
6940 [--bootstrap-conn-protocol BOOT‐
6941 STRAP_CONN_PROTOCOL]
6942 [--bootstrap-bind-method BOOT‐
6943 STRAP_BIND_METHOD]
6944 AGMT_NAME
6945 AGMT_NAME
6948 The name of the replication agreement
6949
6952 --suffix SUFFIX
6953 Sets the DN of the replication suffix
6954 --host HOST
6957 Sets the hostname of the remote replica
6958 --port PORT
6961 Sets the port number of the remote replica
6962 --conn-protocol CONN_PROTOCOL
6965 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6966 TLS
6967 --bind-dn BIND_DN
6970 Sets the Bind DN the agreement uses to authenticate to the
6971 replica
6972 --bind-passwd BIND_PASSWD
6975 Sets the credentials for the bind DN
6976 --bind-passwd-file BIND_PASSWD_FILE
6979 File containing the password
6980 --bind-passwd-prompt
6983 Prompt for password
6984 --bind-method BIND_METHOD
6987 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6988 or "SASL/GSSAPI"
6989 --frac-list FRAC_LIST
6992 Sets a list of attributes to NOT replicate to the consumer dur‐
6993 ing incremental updates
6994 --frac-list-total FRAC_LIST_TOTAL
6997 Sets a list of attributes to NOT replicate during a total ini‐
6998 tialization
6999 --strip-list STRIP_LIST
7002 Sets a list of attributes that are removed from updates only if
7003 the event would otherwise be empty. Typically this is set to
7004 "modifiersname" and "modifytimestmap"
7005 --schedule SCHEDULE
7008 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
7009 0-6 (Sunday - Saturday).
7010 --conn-timeout CONN_TIMEOUT
7013 Sets the timeout used for replication connections
7014 --protocol-timeout PROTOCOL_TIMEOUT
7017 Sets a timeout in seconds on how long to wait before stopping
7018 replication when the server is under load
7019 --wait-async-results WAIT_ASYNC_RESULTS
7022 Sets the amount of time in milliseconds the server waits if the
7023 consumer is not ready before resending data
7024 --busy-wait-time BUSY_WAIT_TIME
7027 Sets the amount of time in seconds a supplier should wait after
7028 a consumer sends back a busy response before making another at‐
7029 tempt to acquire access.
7030 --session-pause-time SESSION_PAUSE_TIME
7033 Sets the amount of time in seconds a supplier should wait be‐
7034 tween update sessions.
7035 --flow-control-window FLOW_CONTROL_WINDOW
7038 Sets the maximum number of entries and updates sent by a sup‐
7039 plier, which are not acknowledged by the consumer.
7040 --flow-control-pause FLOW_CONTROL_PAUSE
7043 Sets the time in milliseconds to pause after reaching the number
7044 of entries and updates set in "--flow-control-window"
7045 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
7048 Sets an optional bind DN the agreement can use to bootstrap ini‐
7049 tialization when bind groups are being used
7050 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
7053 sets the bootstrap credentials for the bind DN
7054 --bootstrap-bind-passwd-file BOOTSTRAP_BIND_PASSWD_FILE
7057 File containing the password
7058 --bootstrap-bind-passwd-prompt
7061 Prompt for password
7062 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
7065 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
7066 or StartTLS
7067 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
7070 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
7071
7074 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
7075 AGMT_NAME
7078 The suffix DN for which to display the replication configuration
7079
7082 --suffix SUFFIX
7083 Sets the DN of the replication suffix
7084
7087 usage: dsconf instance repl-winsync-agmt [-h]
7088 {list,enable,dis‐
7089 able,init,init-status,poke,status,delete,create,set,get}
7090 ...
7091
7094 dsconf repl-winsync-agmt list
7095 List all the replication winsync agreements
7096 dsconf repl-winsync-agmt enable
7098 Enable replication winsync agreement
7099 dsconf repl-winsync-agmt disable
7101 Disable replication winsync agreement
7102 dsconf repl-winsync-agmt init
7104 Initialize replication winsync agreement
7105 dsconf repl-winsync-agmt init-status
7107 Check the agreement initialization status
7108 dsconf repl-winsync-agmt poke
7110 Trigger replication to send updates now
7111 dsconf repl-winsync-agmt status
7113 Display the current status of the replication agreement
7114 dsconf repl-winsync-agmt delete
7116 Delete replication winsync agreement
7117 dsconf repl-winsync-agmt create
7119 Initialize replication winsync agreement
7120 dsconf repl-winsync-agmt set
7122 Set an attribute in the replication winsync agreement
7123 dsconf repl-winsync-agmt get
7125 Display replication configuration
7126
7129 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
7130
7133 --suffix SUFFIX
7134 Sets the DN of the suffix to look up replication winsync agree‐
7135 ments
7136
7139 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
7140 AGMT_NAME
7141 AGMT_NAME
7144 The name of the replication winsync agreement
7145
7148 --suffix SUFFIX
7149 Sets the DN of the replication winsync suffix
7150
7153 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
7154 AGMT_NAME
7155 AGMT_NAME
7158 The name of the replication winsync agreement
7159
7162 --suffix SUFFIX
7163 Sets the DN of the replication winsync suffix
7164
7167 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
7168 AGMT_NAME
7169 AGMT_NAME
7172 The name of the replication winsync agreement
7173
7176 --suffix SUFFIX
7177 Sets the DN of the replication winsync suffix
7178
7181 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUF‐
7182 FIX
7183 AGMT_NAME
7184 AGMT_NAME
7187 The name of the replication agreement
7188
7191 --suffix SUFFIX
7192 Sets the DN of the replication suffix
7193
7196 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
7197 AGMT_NAME
7198 AGMT_NAME
7201 The name of the replication winsync agreement
7202
7205 --suffix SUFFIX
7206 Sets the DN of the replication winsync suffix
7207
7210 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
7211 AGMT_NAME
7212 AGMT_NAME
7215 The name of the replication agreement
7216
7219 --suffix SUFFIX
7220 Sets the DN of the replication suffix
7221
7224 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
7225 AGMT_NAME
7226 AGMT_NAME
7229 The name of the replication winsync agreement
7230
7233 --suffix SUFFIX
7234 Sets the DN of the replication winsync suffix
7235
7238 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
7239 --host
7240 HOST --port PORT
7241 --conn-protocol
7242 CONN_PROTOCOL
7243 --bind-dn BIND_DN
7244 [--bind-passwd
7245 BIND_PASSWD]
7246 [--bind-passwd-file
7247 BIND_PASSWD_FILE]
7248 [--bind-passwd-prompt]
7249 [--frac-list FRAC_LIST]
7250 [--schedule SCHEDULE]
7251 --win-subtree WIN_SUB‐
7252 TREE
7253 --ds-subtree DS_SUBTREE
7254 --win-domain WIN_DOMAIN
7255 [--sync-users
7256 SYNC_USERS]
7257 [--sync-groups
7258 SYNC_GROUPS]
7259 [--sync-interval
7260 SYNC_INTERVAL]
7261 [--one-way-sync
7262 ONE_WAY_SYNC]
7263 [--move-action MOVE_AC‐
7264 TION]
7265 [--win-filter WIN_FIL‐
7266 TER]
7267 [--ds-filter DS_FILTER]
7268 [--subtree-pair SUB‐
7269 TREE_PAIR]
7270 [--conn-timeout
7271 CONN_TIMEOUT]
7272 [--busy-wait-time
7273 BUSY_WAIT_TIME]
7274 [--session-pause-time
7275 SESSION_PAUSE_TIME]
7276 [--flatten-tree]
7277 [--init]
7278 AGMT_NAME
7279 AGMT_NAME
7282 The name of the replication winsync agreement
7283
7286 --suffix SUFFIX
7287 Sets the DN of the replication winsync suffix
7288 --host HOST
7291 Sets the hostname of the AD server
7292 --port PORT
7295 Sets the port number of the AD server
7296 --conn-protocol CONN_PROTOCOL
7299 Sets the replication winsync connection protocol: LDAP, LDAPS,
7300 or StartTLS
7301 --bind-dn BIND_DN
7304 Sets the bind DN the agreement uses to authenticate to the AD
7305 Server
7306 --bind-passwd BIND_PASSWD
7309 Sets the credentials for the Bind DN
7310 --bind-passwd-file BIND_PASSWD_FILE
7313 File containing the password
7314 --bind-passwd-prompt
7317 Prompt for password
7318 --frac-list FRAC_LIST
7321 Sets a list of attributes to NOT replicate to the consumer dur‐
7322 ing incremental updates
7323 --schedule SCHEDULE
7326 Sets the replication update schedule
7327 --win-subtree WIN_SUBTREE
7330 Sets the suffix of the AD Server
7331 --ds-subtree DS_SUBTREE
7334 Sets the Directory Server suffix
7335 --win-domain WIN_DOMAIN
7338 Sets the AD Domain
7339 --sync-users SYNC_USERS
7342 Synchronizes users between AD and DS
7343 --sync-groups SYNC_GROUPS
7346 Synchronizes groups between AD and DS
7347 --sync-interval SYNC_INTERVAL
7350 Sets the interval that DS checks AD for changes in entries
7351 --one-way-sync ONE_WAY_SYNC
7354 Sets which direction to perform synchronization: "toWindows", or
7355 "fromWindows". By default sync occurs in both directions.
7356 --move-action MOVE_ACTION
7359 Sets instructions on how to handle moved or deleted entries:
7360 "none", "unsync", or "delete"
7361 --win-filter WIN_FILTER
7364 Sets a custom filter for finding users in AD Server
7365 --ds-filter DS_FILTER
7368 Sets a custom filter for finding AD users in DS
7369 --subtree-pair SUBTREE_PAIR
7372 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7373 --conn-timeout CONN_TIMEOUT
7376 Sets the timeout used for replicaton connections
7377 --busy-wait-time BUSY_WAIT_TIME
7380 Sets the amount of time in seconds a supplier should wait after
7381 a consumer sends back a busy response before making another at‐
7382 tempt to acquire access
7383 --session-pause-time SESSION_PAUSE_TIME
7386 Sets the amount of time in seconds a supplier should wait be‐
7387 tween update sessions
7388 --flatten-tree
7391 By default, the tree structure of AD is preserved into 389. This
7392 MAY cause replication to fail in some cases, as you may need to
7393 create missing OU's to recreate the same treestructure. This
7394 setting when enabled, removes the tree structure of AD and flat‐
7395 tens all entries into the ds-subtree. This does NOT affect or
7396 change the tree structure of the AD directory.
7397 --init Initializes the agreement after creating it
7400
7403 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
7404 [--host HOST] [--port
7405 PORT]
7406 [--conn-protocol CONN_PRO‐
7407 TOCOL]
7408 [--bind-dn BIND_DN]
7409 [--bind-passwd
7410 BIND_PASSWD]
7411 [--bind-passwd-file
7412 BIND_PASSWD_FILE]
7413 [--bind-passwd-prompt]
7414 [--frac-list FRAC_LIST]
7415 [--schedule SCHEDULE]
7416 [--win-subtree WIN_SUB‐
7417 TREE]
7418 [--ds-subtree DS_SUBTREE]
7419 [--win-domain WIN_DOMAIN]
7420 [--sync-users SYNC_USERS]
7421 [--sync-groups
7422 SYNC_GROUPS]
7423 [--sync-interval SYNC_IN‐
7424 TERVAL]
7425 [--one-way-sync
7426 ONE_WAY_SYNC]
7427 [--move-action MOVE_AC‐
7428 TION]
7429 [--win-filter WIN_FILTER]
7430 [--ds-filter DS_FILTER]
7431 [--subtree-pair SUB‐
7432 TREE_PAIR]
7433 [--conn-timeout CONN_TIME‐
7434 OUT]
7435 [--busy-wait-time
7436 BUSY_WAIT_TIME]
7437 [--session-pause-time SES‐
7438 SION_PAUSE_TIME]
7439 AGMT_NAME
7440 AGMT_NAME
7443 The name of the replication winsync agreement
7444
7447 --suffix SUFFIX
7448 Sets the DN of the replication winsync suffix
7449 --host HOST
7452 Sets the hostname of the AD server
7453 --port PORT
7456 Sets the port number of the AD server
7457 --conn-protocol CONN_PROTOCOL
7460 Sets the replication winsync connection protocol: LDAP, LDAPS,
7461 or StartTLS
7462 --bind-dn BIND_DN
7465 Sets the bind DN the agreement uses to authenticate to the AD
7466 Server
7467 --bind-passwd BIND_PASSWD
7470 Sets the credentials for the Bind DN
7471 --bind-passwd-file BIND_PASSWD_FILE
7474 File containing the password
7475 --bind-passwd-prompt
7478 Prompt for password
7479 --frac-list FRAC_LIST
7482 Sets a list of attributes to NOT replicate to the consumer dur‐
7483 ing incremental updates
7484 --schedule SCHEDULE
7487 Sets the replication update schedule
7488 --win-subtree WIN_SUBTREE
7491 Sets the suffix of the AD Server
7492 --ds-subtree DS_SUBTREE
7495 Sets the Directory Server suffix
7496 --win-domain WIN_DOMAIN
7499 Sets the AD Domain
7500 --sync-users SYNC_USERS
7503 Synchronizes users between AD and DS
7504 --sync-groups SYNC_GROUPS
7507 Synchronizes groups between AD and DS
7508 --sync-interval SYNC_INTERVAL
7511 Sets the interval that DS checks AD for changes in entries
7512 --one-way-sync ONE_WAY_SYNC
7515 Sets which direction to perform synchronization: "toWindows", or
7516 "fromWindows". By default sync occurs in both directions.
7517 --move-action MOVE_ACTION
7520 Sets instructions on how to handle moved or deleted entries:
7521 "none", "unsync", or "delete"
7522 --win-filter WIN_FILTER
7525 Sets a custom filter for finding users in AD Server
7526 --ds-filter DS_FILTER
7529 Sets a custom filter for finding AD users in DS
7530 --subtree-pair SUBTREE_PAIR
7533 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7534 --conn-timeout CONN_TIMEOUT
7537 Sets the timeout used for replicaton connections
7538 --busy-wait-time BUSY_WAIT_TIME
7541 Sets the amount of time in seconds a supplier should wait after
7542 a consumer sends back a busy response before making another at‐
7543 tempt to acquire access
7544 --session-pause-time SESSION_PAUSE_TIME
7547 Sets the amount of time in seconds a supplier should wait be‐
7548 tween update sessions
7549
7552 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
7553 AGMT_NAME
7554 AGMT_NAME
7557 The suffix DN for the replication configuration to display
7558
7561 --suffix SUFFIX
7562 Sets the DN of the replication suffix
7563
7566 usage: dsconf instance repl-tasks [-h]
7567 {cleanallruv,list-clean‐
7568 ruv-tasks,abort-cleanallruv,list-abortruv-tasks}
7569 ...
7570
7573 dsconf repl-tasks cleanallruv
7574 Cleanup old/removed replica IDs
7575 dsconf repl-tasks list-cleanruv-tasks
7577 List all the running CleanAllRUV tasks
7578 dsconf repl-tasks abort-cleanallruv
7580 Abort cleanallruv tasks
7581 dsconf repl-tasks list-abortruv-tasks
7583 List all the running CleanAllRUV abort tasks
7584
7587 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
7588 --replica-id REPLICA_ID
7589 [--force-cleaning]
7590
7593 --suffix SUFFIX
7594 Sets the Directory Server suffix
7595 --replica-id REPLICA_ID
7598 Sets the replica ID to remove/clean
7599 --force-cleaning
7602 Ignores errors and make a best attempt to clean all replicas
7603
7606 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
7607 SUFFIX]
7608
7611 --suffix SUFFIX
7612 Lists only tasks for the specified suffix
7613
7616 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUF‐
7617 FIX
7618 --replica-id
7619 REPLICA_ID
7620 [--certify]
7621
7624 --suffix SUFFIX
7625 Sets the Directory Server suffix
7626 --replica-id REPLICA_ID
7629 Sets the replica ID of the cleaning task to abort
7630 --certify
7633 Enforces that the abort task completed on all replicas
7634
7637 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
7638 SUFFIX]
7639
7642 --suffix SUFFIX
7643 Lists only tasks for the specified suffix
7644
7647 usage: dsconf instance sasl [-h]
7648 {list,get-mechs,get-avail‐
7649 able-mechs,get,create,delete}
7650 ...
7651
7654 dsconf sasl list
7655 Display available SASL mappings
7656 dsconf sasl get-mechs
7658 Display the SASL mechanisms that the server will accept
7659 dsconf sasl get-available-mechs
7661 Display the SASL mechanisms that are available to the server
7662 dsconf sasl get
7664 Displays SASL mappings
7665 dsconf sasl create
7667 Create a SASL mapping
7668 dsconf sasl delete
7670 Deletes the SASL object
7671
7674 usage: dsconf instance sasl list [-h] [--details]
7675
7678 --details
7679 Displays each SASL mapping in detail
7680
7683 usage: dsconf instance sasl get-mechs [-h]
7684
7687 usage: dsconf instance sasl get-available-mechs [-h]
7688
7691 usage: dsconf instance sasl get [-h] [selector]
7692 selector
7695 The SASL mapping name to display
7696
7699 usage: dsconf instance sasl create [-h] [--cn [CN]]
7700 [--nsSaslMapRegexString
7701 [NSSASLMAPREGEXSTRING]]
7702 [--nsSaslMapBaseDNTemplate
7703 [NSSASLMAPBASEDNTEMPLATE]]
7704 [--nsSaslMapFilterTemplate
7705 [NSSASLMAPFILTERTEMPLATE]]
7706 [--nsSaslMapPriority [NSSASLMAPPRI‐
7707 ORITY]]
7708
7711 --cn [CN]
7712 Value of cn
7713 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7716 Value of nsSaslMapRegexString
7717 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7720 Value of nsSaslMapBaseDNTemplate
7721 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7724 Value of nsSaslMapFilterTemplate
7725 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7728 Value of nsSaslMapPriority
7729
7732 usage: dsconf instance sasl delete [-h] map_name
7733 map_name
7736 The SASL mapping name ("cn" value)
7737
7740 usage: dsconf instance security [-h]
7741 {set,get,enable,disable,dis‐
7742 able_plain_port,certificate,ca-certificate,rsa,ciphers,csr,key,ex‐
7743 port-cert}
7744 ...
7745
7748 dsconf security set
7749 Set general security options
7750 dsconf security get
7752 Display general security options
7753 dsconf security enable
7755 Enable security
7756 dsconf security disable
7758 Disable security
7759 dsconf security disable_plain_port
7761 Disables the plain text LDAP port, allowing only LDAPS to func‐
7762 tion
7763 dsconf security certificate
7765 Manage TLS certificates
7766 dsconf security ca-certificate
7768 Manage TLS certificate authorities
7769 dsconf security rsa
7771 Query and update RSA security options
7772 dsconf security ciphers
7774 Manage secure ciphers
7775 dsconf security csr
7777 Manage certificate signing requests
7778 dsconf security key
7780 Manage keys in NSS DB
7781 dsconf security export-cert
7783 Export a certificate to PEM or DER/Binary format. PEM format is
7784 the default
7785
7788 usage: dsconf instance security set [-h] [--security SECURITY]
7789 [--listen-host LISTEN_HOST]
7790 [--secure-port SECURE_PORT]
7791 [--tls-client-auth TLS_CLIENT_AUTH]
7792 [--tls-client-renegotiation
7793 TLS_CLIENT_RENEGOTIATION]
7794 [--require-secure-authentication
7795 REQUIRE_SECURE_AUTHENTICATION]
7796 [--check-hostname CHECK_HOSTNAME]
7797 [--verify-cert-chain-on-startup
7798 VERIFY_CERT_CHAIN_ON_STARTUP]
7799 [--session-timeout SESSION_TIMEOUT]
7800 [--tls-protocol-min TLS_PROTO‐
7801 COL_MIN]
7802 [--tls-protocol-max TLS_PROTO‐
7803 COL_MAX]
7804 [--allow-insecure-ciphers ALLOW_IN‐
7805 SECURE_CIPHERS]
7806 [--allow-weak-dh-param AL‐
7807 LOW_WEAK_DH_PARAM]
7808 [--cipher-pref CIPHER_PREF]
7809 Use this command for setting security related options located in
7811 cn=config and cn=encryption,cn=config.
7812 To enable/disable security you can use enable and disable commands in‐
7814 stead.
7815
7818 --security SECURITY
7819 Enables or disables security (nsslapd-security)
7820 --listen-host LISTEN_HOST
7823 Sets the host or IP address to listen on for LDAPS (nsslapd-se‐
7824 curelistenhost)
7825 --secure-port SECURE_PORT
7828 Sets the port for LDAPS to listen on (nsslapd-securePort)
7829 --tls-client-auth TLS_CLIENT_AUTH
7832 Configures client authentication requirement (nsSSLClientAuth)
7833 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7836 Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)
7837 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7840 Configures whether binds over LDAPS, StartTLS, or SASL are re‐
7841 quired (nsslapd- require-secure-binds)
7842 --check-hostname CHECK_HOSTNAME
7845 Checks the subject of remote certificate against the hostname
7846 (nsslapd-ssl- check-hostname)
7847 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7850 Validates the server certificate during startup (nsslapd-vali‐
7851 date-cert)
7852 --session-timeout SESSION_TIMEOUT
7855 Sets the secure session timeout (nsSSLSessionTimeout)
7856 --tls-protocol-min TLS_PROTOCOL_MIN
7859 Sets the minimal allowed secure protocol version (sslVersionMin)
7860 --tls-protocol-max TLS_PROTOCOL_MAX
7863 Sets the maximal allowed secure protocol version (sslVersionMax)
7864 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7867 Allows weak ciphers for legacy use (allowWeakCipher)
7868 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7871 Allows short DH params for legacy use (allowWeakDHParam)
7872 --cipher-pref CIPHER_PREF
7875 Directly sets the nsSSL3Ciphers attribute. It is a comma-sepa‐
7876 rated list of cipher names (prefixed with + or -), optionally
7877 including +all or -all. The attribute may optionally be prefixed
7878 by keyword "default". Please refer to documentation of the at‐
7879 tribute for a more detailed description. (nsSSL3Ciphers)
7880
7883 usage: dsconf instance security get [-h]
7884
7887 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7888 If missing, create security database, then turn on security functional‐
7890 ity. Please note this is usually not enough for TLS connections to work
7891 - proper setup of CA and server certificate is necessary.
7892
7895 --cert-name CERT_NAME
7896 Sets the name of the certificate the server should use
7897
7900 usage: dsconf instance security disable [-h]
7901 Turn off security functionality. The rest of the configuration will be
7903 left untouched.
7904
7907 usage: dsconf instance security disable_plain_port [-h]
7908
7911 usage: dsconf instance security certificate [-h]
7912 {add,set-trust-flags,del,get,list}
7913 ...
7914
7917 dsconf security certificate add
7918 Add a server certificate
7919 dsconf security certificate set-trust-flags
7921 Set the Trust flags
7922 dsconf security certificate del
7924 Delete a certificate
7925 dsconf security certificate get
7927 Display a server certificate's information
7928 dsconf security certificate list
7930 List the server certificates
7931
7934 usage: dsconf instance security certificate add [-h] --file FILE --name
7935 NAME
7936 [--primary-cert]
7937 Add a server certificate to the NSS database
7939
7942 --file FILE
7943 Sets the file name of the certificate
7944 --name NAME
7947 Sets the name/nickname of the certificate
7948 --primary-cert
7951 Sets this certificate as the server's certificate
7952
7955 usage: dsconf instance security certificate set-trust-flags
7956 [-h] --flags FLAGS name
7957 Change the trust flags of a server certificate
7959 name The name/nickname of the certificate
7962
7965 --flags FLAGS
7966 Sets the trust flags for the server certificate
7967
7970 usage: dsconf instance security certificate del [-h] name
7971 Delete a certificate from the NSS database
7973 name The name/nickname of the certificate
7976
7979 usage: dsconf instance security certificate get [-h] name
7980 Displays detailed information about a certificate, such as trust at‐
7982 tributes, expiration dates, Subject and Issuer DNs
7983 name Set the name/nickname of the certificate
7986
7989 usage: dsconf instance security certificate list [-h]
7990 Lists the server certificates in the NSS database
7992
7995 usage: dsconf instance security ca-certificate [-h]
7996 {add,set-trust-flags,del,get,list}
7997 ...
7998
8001 dsconf security ca-certificate add
8002 Add a Certificate Authority
8003 dsconf security ca-certificate set-trust-flags
8005 Set the Trust flags
8006 dsconf security ca-certificate del
8008 Delete a certificate
8009 dsconf security ca-certificate get
8011 Displays a Certificate Authority's information
8012 dsconf security ca-certificate list
8014 List the Certificate Authorities
8015
8018 usage: dsconf instance security ca-certificate add [-h] --file FILE
8019 --name
8020 NAME [NAME ...]
8021 Add a Certificate Authority to the NSS database
8023
8026 --file FILE
8027 Sets the file name of the CA certificate
8028 --name NAME [NAME ...]
8031 Sets the name/nickname of the CA certificate, if adding a PEM
8032 bundle then specify multiple names one for each certificate,
8033 otherwise a number increment will be added to the previous name.
8034
8037 usage: dsconf instance security ca-certificate set-trust-flags
8038 [-h] --flags FLAGS name
8039 Change the trust attributes of a CA certificate. Certificate Authori‐
8041 ties typically use "CT,,"
8042 name The name/nickname of the CA certificate
8045
8048 --flags FLAGS
8049 Sets the trust flags for the CA certificate
8050
8053 usage: dsconf instance security ca-certificate del [-h] name
8054 Delete a CA certificate from the NSS database
8056 name The name/nickname of the CA certificate
8059
8062 usage: dsconf instance security ca-certificate get [-h] name
8063 Get detailed information about a CA certificate, like trust attributes,
8065 expiration dates, Subject and Issuer DN
8066 name The name/nickname of the CA certificate
8069
8072 usage: dsconf instance security ca-certificate list [-h]
8073 List the CA certificates in the NSS database
8075
8078 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
8079
8082 dsconf security rsa set
8083 Set RSA security options
8084 dsconf security rsa get
8086 Get RSA security options
8087 dsconf security rsa enable
8089 Enable RSA
8090 dsconf security rsa disable
8092 Disable RSA
8093
8096 usage: dsconf instance security rsa set [-h]
8097 [--tls-allow-rsa-certificates
8098 TLS_ALLOW_RSA_CERTIFICATES]
8099 [--nss-cert-name NSS_CERT_NAME]
8100 [--nss-token NSS_TOKEN]
8101 Use this command for setting RSA (private key) related options located
8103 in cn=RSA,cn=encryption,cn=config.
8104 To enable/disable RSA you can use enable and disable commands instead.
8106
8109 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
8110 Activates the use of RSA certificates (nsSSLActivation)
8111 --nss-cert-name NSS_CERT_NAME
8114 Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)
8115 --nss-token NSS_TOKEN
8118 Sets the security token name (module of NSS DB) (nsSSLToken)
8119
8122 usage: dsconf instance security rsa get [-h]
8123
8126 usage: dsconf instance security rsa enable [-h]
8127
8130 usage: dsconf instance security rsa disable [-h]
8131
8134 usage: dsconf instance security ciphers [-h] {enable,dis‐
8135 able,get,set,list} ...
8136
8139 dsconf security ciphers enable
8140 Enable ciphers
8141 dsconf security ciphers disable
8143 Disable ciphers
8144 dsconf security ciphers get
8146 Get ciphers attribute
8147 dsconf security ciphers set
8149 Set ciphers attribute
8150 dsconf security ciphers list
8152 List ciphers
8153
8156 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
8157 Use this command to enable specific ciphers.
8159 cipher
8162
8165 usage: dsconf instance security ciphers disable [-h] cipher [cipher
8166 ...]
8167 Use this command to disable specific ciphers.
8169 cipher
8172
8175 usage: dsconf instance security ciphers get [-h]
8176 Use this command to get contents of nsSSL3Ciphers attribute.
8178
8181 usage: dsconf instance security ciphers set [-h] cipher-string
8182 Use this command to directly set nsSSL3Ciphers attribute. It is a comma
8184 separated list of cipher names (prefixed with + or -), optionally in‐
8185 cluding +all or -all. The attribute may optionally be set to keyword
8186 default. Please refer to documentation of the attribute for a more de‐
8187 tailed description.
8188 cipher-string
8191
8194 usage: dsconf instance security ciphers list [-h]
8195 [--enabled | --supported |
8196 --disabled]
8197 List secure ciphers. Without arguments, list ciphers as configured in
8199 nsSSL3Ciphers attribute.
8200
8203 --enabled
8204 Lists only enabled ciphers
8205 --supported
8208 Lists only supported ciphers
8209 --disabled
8212 Lists only supported ciphers but without enabled ciphers
8213
8216 usage: dsconf instance security csr [-h] {list,get,req,del} ...
8217
8220 dsconf security csr list
8221 List CSRs
8222 dsconf security csr get
8224 Display CSR content
8225 dsconf security csr req
8227 Generate a Certificate Signing Request
8228 dsconf security csr del
8230 Delete a CSR file
8231
8234 usage: dsconf instance security csr list [-h] [--path PATH]
8235 List all CSR files in instance configuration directiory
8237
8240 --path PATH, -p PATH
8241 Directory contanining CSR file
8242
8245 usage: dsconf instance security csr get [-h] name
8246 Displays the contents of a CSR, which can be used for submittal to CA
8248 name Name of the CSR file to display
8251
8254 usage: dsconf instance security csr req [-h] --subject SUBJECT --name
8255 NAME
8256 [alt_names ...]
8257 Generate a CSR that can be submitted to a CA for verification
8259 alt_names
8262 CSR alternative names. These are auto-detected if not provided
8263
8266 --subject SUBJECT, -s SUBJECT
8267 Subject field
8268 --name NAME, -n NAME
8271 Name
8272
8275 usage: dsconf instance security csr del [-h] name
8276 Delete a CSR file
8278 name Name of the CSR file to delete
8281
8284 usage: dsconf instance security key [-h] {list,del} ...
8285
8288 dsconf security key list
8289 List all keys in NSS DB
8290 dsconf security key del
8292 Delete a key from NSS DB
8293
8296 usage: dsconf instance security key list [-h] [--orphan]
8297
8300 --orphan
8301 List orphan keys (An orphan key is a private key in the NSS DB
8302 for which there is NO cert with the corresponding public key).
8303 An orphan key is created during CSR generation, when the associ‐
8304 ated certificate is imported into the NSS DB, its orphan state
8305 will be removed.
8306
8309 usage: dsconf instance security key del [-h] key_id
8310 Remove a key from the NSS DB. Make sure the key is not in use before
8312 you delete
8313 key_id This is the key ID displayed when listing keys
8316
8319 usage: dsconf instance security export-cert [-h] [--binary-format]
8320 [--output-file OUTPUT_FILE]
8321 nickname
8322 nickname
8325 The name of the certificate to export
8326
8329 --binary-format
8330 Export certificate in DER/binary format
8331 --output-file OUTPUT_FILE
8334 The name for the exported certificate. Default name is the cer‐
8335 tificate nickname with an extension of ".pem" or ".crt"
8336
8339 usage: dsconf instance schema [-h]
8340 {list,attributetypes,objectclasses,match‐
8341 ingrules,reload,validate-syntax,import-openldap-file}
8342 ...
8343
8346 dsconf schema list
8347 List all schema objects on this system
8348 dsconf schema attributetypes
8350 Work with attribute types on this system
8351 dsconf schema objectclasses
8353 Work with objectClasses on this system
8354 dsconf schema matchingrules
8356 Work with matching rules on this system
8357 dsconf schema reload
8359 Dynamically reload schema while server is running
8360 dsconf schema validate-syntax
8362 Run a task to check that all attributes in an entry have the
8363 correct syntax
8364 dsconf schema import-openldap-file
8366 Import an openldap formatted dynamic schema ldifs. These will
8367 contain values like olcAttributeTypes and olcObjectClasses.
8368
8371 usage: dsconf instance schema list [-h]
8372
8375 usage: dsconf instance schema attributetypes [-h]
8376 {get_syn‐
8377 taxes,list,query,add,replace,remove}
8378 ...
8379
8382 dsconf schema attributetypes get_syntaxes
8383 List all available attribute type syntaxes
8384 dsconf schema attributetypes list
8386 List available attribute types on this system
8387 dsconf schema attributetypes query
8389 Query an attribute to determine object classes that may or must
8390 take it
8391 dsconf schema attributetypes add
8393 Add an attribute type to this system
8394 dsconf schema attributetypes replace
8396 Replace an attribute type on this system
8397 dsconf schema attributetypes remove
8399 Remove an attribute type on this system
8400
8403 usage: dsconf instance schema attributetypes get_syntaxes [-h]
8404
8407 usage: dsconf instance schema attributetypes list [-h]
8408
8411 usage: dsconf instance schema attributetypes query [-h] [name]
8412 name Attribute type to query
8415
8418 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
8419 [--desc DESC]
8420 [--x-origin X_ORIGIN]
8421 [--aliases ALIASES
8422 [ALIASES ...]]
8423 [--single-value]
8424 [--multi-value]
8425 [--no-user-mod]
8426 [--user-mod]
8427 [--equality EQUALITY]
8428 [--substr SUBSTR]
8429 [--ordering ORDERING]
8430 [--usage USAGE] [--sup
8431 SUP]
8432 --syntax SYNTAX
8433 name
8434 name NAME of the object
8437
8440 --oid OID
8441 OID assigned to the object
8442 --desc DESC
8445 Description text(DESC) of the object
8446 --x-origin X_ORIGIN
8449 Provides information about where the attribute type is defined
8450 --aliases ALIASES [ALIASES ...]
8453 Additional NAMEs of the object.
8454 --single-value
8457 True if the matching rule must have only one valueOnly one of
8458 the flags this or --multi-value should be specified
8459 --multi-value
8462 True if the matching rule may have multiple values (default)Only
8463 one of the flags this or --single-value should be specified
8464 --no-user-mod
8467 True if the attribute is not modifiable by a client applica‐
8468 tionOnly one of the flags this or --user-mod should be specified
8469 --user-mod
8472 True if the attribute is modifiable by a client application (de‐
8473 fault)Only one of the flags this or --no-user-mode should be
8474 specified
8475 --equality EQUALITY
8478 NAME or OID of the matching rule used for checkingwhether attri‐
8479 bute values are equal
8480 --substr SUBSTR
8483 NAME or OID of the matching rule used for checkingwhether an at‐
8484 tribute value contains another value
8485 --ordering ORDERING
8488 NAME or OID of the matching rule used for checkingwhether attri‐
8489 bute values are lesser - equal than
8490 --usage USAGE
8493 The flag indicates how the attribute type is to be used. Choose
8494 from the list: userApplications (default), directoryOperation,
8495 distributedOperation, dSAOperation
8496 --sup SUP
8499 The NAME or OID of attribute type this attribute type is derived
8500 from
8501 --syntax SYNTAX
8504 OID of the LDAP syntax assigned to the attribute
8505
8508 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
8509 [--desc DESC]
8510 [--x-origin X_ORI‐
8511 GIN]
8512 [--aliases ALIASES
8513 [ALIASES ...]]
8514 [--single-value]
8515 [--multi-value]
8516 [--no-user-mod]
8517 [--user-mod]
8518 [--equality EQUAL‐
8519 ITY]
8520 [--substr SUBSTR]
8521 [--ordering ORDER‐
8522 ING]
8523 [--usage USAGE]
8524 [--sup SUP]
8525 [--syntax SYNTAX]
8526 name
8527 name NAME of the object
8530
8533 --oid OID
8534 OID assigned to the object
8535 --desc DESC
8538 Description text(DESC) of the object
8539 --x-origin X_ORIGIN
8542 Provides information about where the attribute type is defined
8543 --aliases ALIASES [ALIASES ...]
8546 Additional NAMEs of the object.
8547 --single-value
8550 True if the matching rule must have only one valueOnly one of
8551 the flags this or --multi-value should be specified
8552 --multi-value
8555 True if the matching rule may have multiple values (default)Only
8556 one of the flags this or --single-value should be specified
8557 --no-user-mod
8560 True if the attribute is not modifiable by a client applica‐
8561 tionOnly one of the flags this or --user-mod should be specified
8562 --user-mod
8565 True if the attribute is modifiable by a client application (de‐
8566 fault)Only one of the flags this or --no-user-mode should be
8567 specified
8568 --equality EQUALITY
8571 NAME or OID of the matching rule used for checkingwhether attri‐
8572 bute values are equal
8573 --substr SUBSTR
8576 NAME or OID of the matching rule used for checkingwhether an at‐
8577 tribute value contains another value
8578 --ordering ORDERING
8581 NAME or OID of the matching rule used for checkingwhether attri‐
8582 bute values are lesser - equal than
8583 --usage USAGE
8586 The flag indicates how the attribute type is to be used. Choose
8587 from the list: userApplications (default), directoryOperation,
8588 distributedOperation, dSAOperation
8589 --sup SUP
8592 The NAME or OID of attribute type this attribute type is derived
8593 from
8594 --syntax SYNTAX
8597 OID of the LDAP syntax assigned to the attribute
8598
8601 usage: dsconf instance schema attributetypes remove [-h] name
8602 name NAME of the object
8605
8608 usage: dsconf instance schema objectclasses [-h]
8609 {list,query,add,replace,re‐
8610 move}
8611 ...
8612
8615 dsconf schema objectclasses list
8616 List available objectClasses on this system
8617 dsconf schema objectclasses query
8619 Query an objectClass
8620 dsconf schema objectclasses add
8622 Add an objectClass to this system
8623 dsconf schema objectclasses replace
8625 Replace an objectClass on this system
8626 dsconf schema objectclasses remove
8628 Remove an objectClass on this system
8629
8632 usage: dsconf instance schema objectclasses list [-h]
8633
8636 usage: dsconf instance schema objectclasses query [-h] [name]
8637 name ObjectClass to query
8640
8643 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
8644 [--desc DESC]
8645 [--x-origin X_ORIGIN]
8646 [--must MUST [MUST
8647 ...]]
8648 [--may MAY [MAY ...]]
8649 [--kind KIND]
8650 [--sup SUP [SUP ...]]
8651 name
8652 name NAME of the object
8655
8658 --oid OID
8659 OID assigned to the object
8660 --desc DESC
8663 Description text(DESC) of the object
8664 --x-origin X_ORIGIN
8667 Provides information about where the attribute type is defined
8668 --must MUST [MUST ...]
8671 NAMEs or OIDs of all attributes an entry of the object must have
8672 --may MAY [MAY ...]
8675 NAMEs or OIDs of additional attributes an entry of the object
8676 may have
8677 --kind KIND
8680 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8681 --sup SUP [SUP ...]
8684 NAME or OIDs of object classes this object is derived from
8685
8688 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
8689 [--desc DESC]
8690 [--x-origin X_ORI‐
8691 GIN]
8692 [--must MUST [MUST
8693 ...]]
8694 [--may MAY [MAY
8695 ...]]
8696 [--kind KIND]
8697 [--sup SUP [SUP
8698 ...]]
8699 name
8700 name NAME of the object
8703
8706 --oid OID
8707 OID assigned to the object
8708 --desc DESC
8711 Description text(DESC) of the object
8712 --x-origin X_ORIGIN
8715 Provides information about where the attribute type is defined
8716 --must MUST [MUST ...]
8719 NAMEs or OIDs of all attributes an entry of the object must have
8720 --may MAY [MAY ...]
8723 NAMEs or OIDs of additional attributes an entry of the object
8724 may have
8725 --kind KIND
8728 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8729 --sup SUP [SUP ...]
8732 NAME or OIDs of object classes this object is derived from
8733
8736 usage: dsconf instance schema objectclasses remove [-h] name
8737 name NAME of the object
8740
8743 usage: dsconf instance schema matchingrules [-h] {list,query} ...
8744
8747 dsconf schema matchingrules list
8748 List available matching rules on this system
8749 dsconf schema matchingrules query
8751 Query a matching rule
8752
8755 usage: dsconf instance schema matchingrules list [-h]
8756
8759 usage: dsconf instance schema matchingrules query [-h] [name]
8760 name Matching rule to query
8763
8766 usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
8767 [--timeout TIMEOUT]
8768
8771 -d SCHEMADIR, --schemadir SCHEMADIR
8772 directory where schema files are located
8773 --wait Wait for the reload task to complete
8776 --timeout TIMEOUT
8779 Set a timeout to wait for the reload task. Default is 120 sec‐
8780 onds
8781
8784 usage: dsconf instance schema validate-syntax [-h] [-f FILTER]
8785 [--timeout TIMEOUT]
8786 DN
8787 DN Base DN that contains entries to validate
8790
8793 -f FILTER, --filter FILTER
8794 Filter for entries to validate. If omitted, all entries with
8795 filter "(objectclass=*)" are validated
8796 --timeout TIMEOUT
8799 Set a timeout to wait for the validation task. Default is 120
8800 seconds
8801
8804 usage: dsconf instance schema import-openldap-file [-h] [--confirm]
8805 schema_file
8806 schema_file
8809 Path to the openldap dynamic schema ldif to import
8810
8813 --confirm
8814 Confirm that you want to apply these schema migration actions to
8815 the 389-ds instance. By default no actions are taken.
8816
8819 usage: dsconf instance repl-conflict [-h]
8820 {list,compare,delete,swap,con‐
8821 vert,list-glue,delete-glue,convert-glue}
8822 ...
8823
8826 dsconf repl-conflict list
8827 List conflict entries
8828 dsconf repl-conflict compare
8830 Compare the conflict entry with its valid counterpart
8831 dsconf repl-conflict delete
8833 Delete a conflict entry
8834 dsconf repl-conflict swap
8836 Replace the valid entry with the conflict entry
8837 dsconf repl-conflict convert
8839 Convert the conflict entry to a valid entry, while keeping the
8840 original valid entry counterpart. This requires that the con‐
8841 verted conflict entry have a new RDN value. For example:
8842 "cn=my_new_rdn_value".
8843 dsconf repl-conflict list-glue
8845 List replication glue entries
8846 dsconf repl-conflict delete-glue
8848 Delete the glue entry and its child entries
8849 dsconf repl-conflict convert-glue
8851 Convert the glue entry into a regular entry
8852
8855 usage: dsconf instance repl-conflict list [-h] suffix
8856 suffix Sets the backend name, or suffix, to look for conflict entries
8859
8862 usage: dsconf instance repl-conflict compare [-h] DN
8863 DN The DN of the conflict entry
8866
8869 usage: dsconf instance repl-conflict delete [-h] DN
8870 DN The DN of the conflict entry
8873
8876 usage: dsconf instance repl-conflict swap [-h] DN
8877 DN The DN of the conflict entry
8880
8883 usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
8884 DN The DN of the conflict entry
8887
8890 --new-rdn NEW_RDN
8891 Sets the new RDN for the converted conflict entry. For example:
8892 "cn=my_new_rdn_value"
8893
8896 usage: dsconf instance repl-conflict list-glue [-h] suffix
8897 suffix The backend name, or suffix, to look for glue entries
8900
8903 usage: dsconf instance repl-conflict delete-glue [-h] DN
8904 DN The DN of the glue entry
8907
8910 usage: dsconf instance repl-conflict convert-glue [-h] DN
8911 DN The DN of the glue entry
8914
8917 -v, --verbose
8918 Display verbose operation tracing during command execution
8919 -D BINDDN, --binddn BINDDN
8922 The account to bind as for executing operations
8923 -w BINDPW, --bindpw BINDPW
8926 Password for the bind DN
8927 -W, --prompt
8930 Prompt for password of the bind DN
8931 -y PWDFILE, --pwdfile PWDFILE
8934 Specifies a file containing the password of the bind DN
8935 -b BASEDN, --basedn BASEDN
8938 Base DN (root naming context) of the instance to manage
8939 -Z, --starttls
8942 Connect with StartTLS
8943 -j, --json
8946 Return result in JSON object
8947
8950 Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>
8951
8954 The latest version of lib389 may be downloaded from
8955 ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
8956lib389 2.4.4 2023-11-15 DSCONF(8)