dsctl(8)                System Manager's Manual                dsctl(8)

dsctl

dsctl [-h] [-v] [-j] [-l] [--remove-all [REMOVE_ALL]] [instance]
      {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate} ...

instance
    The name of the instance to act upon

Sub-commands

dsctl restart
    Restart an instance of Directory Server if it is running; otherwise
    start it.

dsctl start
    Start an instance of Directory Server, if it is not currently running.

dsctl stop
    Stop an instance of Directory Server, if it is currently running.

dsctl status
    Check the running status of an instance of Directory Server.

dsctl remove
    Destroy an instance of Directory Server, and remove all data.

dsctl db2index
    Initialise a reindex of the server database. The server must be
    stopped for this to proceed.

dsctl db2bak
    Initialise a BDB backup of the database. The server must be stopped
    for this to proceed.

dsctl db2ldif
    Initialise an LDIF dump of the database. The server must be stopped
    for this to proceed.

dsctl dbverify
    Perform a db verification. You should only do this at the direction
    of support.

dsctl bak2db
    Restore a BDB backup of the database. The server must be stopped
    for this to proceed.

dsctl ldif2db
    Restore an LDIF dump of the database. The server must be stopped
    for this to proceed.

dsctl backups
    List backups found in the server's default backup directory.

dsctl ldifs
    List all the LDIF files located in the server's LDIF directory.

dsctl tls
    Manage TLS certificates.

dsctl healthcheck
    Run a healthcheck report on a local Directory Server instance.
    This is a safe and read-only operation. Do not attempt to run
    this on a remote Directory Server as this tool needs access to
    local resources, otherwise the report may be inaccurate.

dsctl get-nsstate
    Get the replication nsState in a human readable format.

    Replica DN:           The DN of the replication configuration entry
    Replica Suffix:       The replicated suffix
    Replica ID:           The Replica identifier
    Gen Time:             The time the CSN generator was created
    Gen Time String:      The time string of generator
    Gen as CSN:           The generation CSN
    Local Offset:         The offset due to the local clock being set back
    Local Offset String:  The offset in a nice human format
    Remote Offset:        The offset due to clock difference with remote systems
    Remote Offset String: The offset in a nice human format
    Time Skew:            The time skew between this server and its replicas
    Time Skew String:     The time skew in a nice human format
    Seq Num:              The number of multiple csns within a second
    System Time:          The local system time
    Diff in Seconds:      The time difference in seconds from the CSN generator creation to now
    Diff in days/secs:    The time difference broken up into days and seconds
    Endian:               Little/Big Endian

usage: dsctl [instance] restart [-h]

usage: dsctl [instance] start [-h]

usage: dsctl [instance] stop [-h]

usage: dsctl [instance] status [-h]

usage: dsctl [instance] remove [-h] [--do-it]

--do-it
    By default we do a dry run. This actually initiates the removal of
    the instance.

usage: dsctl [instance] db2index [-h] backend

backend
    The backend to reindex, e.g. userRoot

usage: dsctl [instance] db2bak [-h] [archive]

archive
    The destination for the archive. This will be created during the
    db2bak process.

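An offline backup chains stop, db2bak and start from this page. The wrapper below is an added example, not part of lib389 or the original manual; the `DSCTL` override, the archive naming scheme and the assumption that dsctl exits non-zero on failure are assumptions.

```shell
#!/bin/sh
# Added example, not part of the dsctl distribution.
# Assumptions: dsctl exits non-zero on failure; BACKUP_ROOT already exists and
# is writable by the account the server runs as; the archive name is made up.
DSCTL="${DSCTL:-dsctl}"   # overridable so the wrapper can be tested with a stub

# offline_backup INSTANCE BACKUP_ROOT -> prints the archive path on success
offline_backup() {
    instance="$1"
    root="$2"
    if [ -z "$instance" ] || [ ! -d "$root" ]; then
        echo "usage: offline_backup INSTANCE EXISTING_BACKUP_ROOT" >&2
        return 2
    fi

    # db2bak creates the archive itself, so only choose a path that is unused.
    archive="$root/$instance-$(date +%Y%m%dT%H%M%S)"
    if [ -e "$archive" ]; then
        echo "refusing to reuse existing path: $archive" >&2
        return 1
    fi

    rc=0
    # db2bak requires a stopped server.
    if "$DSCTL" "$instance" stop >&2; then
        # The archive is a full copy of the database, stored credentials
        # included, so what db2bak creates is owner-only.
        old_umask=$(umask)
        umask 077
        "$DSCTL" "$instance" db2bak "$archive" >&2 || rc=1
        umask "$old_umask"
    else
        rc=1
    fi
    # Start again whether or not the backup worked; per the page, start only
    # acts if the instance is not currently running.
    "$DSCTL" "$instance" start >&2 || rc=1

    [ "$rc" -eq 0 ] && echo "$archive"
    return "$rc"
}
```

Note that an instance that was deliberately stopped before the call will be running afterwards.
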
usage: dsctl [instance] db2ldif [-h] [--replication] [--encrypted]
       backend [ldif]

backend
    The backend to output as an LDIF, e.g. userRoot

ldif
    The path to the ldif output location.

--replication
    Export replication information, suitable for importing on a new
    consumer or backups.

--encrypted
    Export encrypted attributes

usage: dsctl [instance] dbverify [-h] backend

backend
    The backend to verify, e.g. userRoot

usage: dsctl [instance] bak2db [-h] archive

archive
    The archive to restore. This will erase all current server
    databases.

usage: dsctl [instance] ldif2db [-h] [--encrypted] backend ldif

backend
    The backend to restore from an LDIF, e.g. userRoot

ldif
    The path to the ldif to import

--encrypted
    Import encrypted attributes

usage: dsctl [instance] backups [-h] [--delete DELETE]

--delete DELETE
    Delete backup directory

usage: dsctl [instance] ldifs [-h] [--delete DELETE]

--delete DELETE
    Delete LDIF file

usage: dsctl [instance] tls [-h]
       {list-ca,list-client-ca,show-server-cert,show-cert,generate-server-cert-csr,import-client-ca,import-ca,import-server-cert,import-server-key-cert,remove-cert}
       ...

Sub-commands

dsctl tls list-ca
    List server certificate authorities including intermediates.

dsctl tls list-client-ca
    List client certificate authorities including intermediates.

dsctl tls show-server-cert
    Show the active server certificate that clients will see and
    verify.

dsctl tls show-cert
    Show a certificate's details referenced by its nickname. This
    is analogous to certutil -L -d <path> -n <nickname>

dsctl tls generate-server-cert-csr
    Generate a Server-Cert certificate signing request (CSR). The CSR
    is then submitted to a CA for verification, and when signed you
    import it with import-ca and import-server-cert.

dsctl tls import-client-ca
    Import a CA trusted to issue user (client) certificates. This is
    part of how client certificate authentication functions.

dsctl tls import-ca
    Import a CA or intermediate CA for signing this server's
    certificates (aka Server-Cert). You should import all the CAs in
    the chain as required.

dsctl tls import-server-cert
    Import a new Server-Cert after the CSR has been signed by a CA.

dsctl tls import-server-key-cert
    Import a new key and Server-Cert after having been signed by a
    CA. This is used if you have an external CSR tool or a service
    like Let's Encrypt that generates PEM keys externally.

dsctl tls remove-cert
    Delete a certificate from this database. This will remove it
    from acting as a CA, a client CA or the Server-Cert role.

usage: dsctl [instance] tls list-ca [-h]

usage: dsctl [instance] tls list-client-ca [-h]

usage: dsctl [instance] tls show-server-cert [-h]

usage: dsctl [instance] tls show-cert [-h] nickname

nickname
    The nickname (friendly name) of the certificate to display

usage: dsctl [instance] tls generate-server-cert-csr [-h] [--subject SUBJECT]
       [alt_names [alt_names ...]]

alt_names
    Certificate requests subject alternative names. These are
    auto-detected if not provided

--subject SUBJECT, -s SUBJECT
    Certificate Subject field to use

usage: dsctl [instance] tls import-client-ca [-h] cert_path nickname

cert_path
    The path to the x509 cert to import as a client trust root

nickname
    The name of the certificate once imported

usage: dsctl [instance] tls import-ca [-h] cert_path nickname

cert_path
    The path to the x509 cert to import as a server CA

nickname
    The name of the certificate once imported

usage: dsctl [instance] tls import-server-cert [-h] cert_path

cert_path
    The path to the x509 cert to import as Server-Cert

usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

cert_path
    The path to the x509 cert to import as Server-Cert

key_path
    The path to the x509 key to import associated to Server-Cert

usage: dsctl [instance] tls remove-cert [-h] nickname

nickname
    The name of the certificate to delete

usage: dsctl [instance] healthcheck [-h]

usage: dsctl [instance] get-nsstate [-h] [--suffix SUFFIX] [--flip FLIP]

--suffix SUFFIX
    The DN of the replication suffix to read the state from

--flip FLIP
    Flip between Little/Big Endian, this might be required for certain
    architectures

-v, --verbose
    Display verbose operation tracing during command execution

-j, --json
    Return result in JSON object

-l, --list
    List available Directory Server instances

--remove-all [REMOVE_ALL]
    Remove all instances of Directory Server (you can also provide an
    optional directory prefix for this argument)

lib389 was written by Red Hat Inc. <389-devel@lists.fedoraproject.org>.

The latest version of lib389 may be downloaded from
⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩