1dsconf(8) System Manager's Manual dsconf(8)
2
6 dsconf
7
9 dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
10 [-Z] [-j] instance {backend,backup,chaining,config,directory_man‐
11 ager,monitor,plugin,pwpolicy,localpwp,replication,repl-agmt,repl-win‐
12 sync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
13
15 instance
16 The instance name OR the LDAP url to connect to, IE localhost,
17 ldap://mai.example.com:389
18 Sub-commands
21 dsconf backend
22 Manage database suffixes and backends
23 dsconf backup
25 Manage online backups
26 dsconf chaining
28 Manage database chaining/database links
29 dsconf config
31 Manage server configuration
32 dsconf directory_manager
34 Manage the directory manager account
35 dsconf monitor
37 Monitor the state of the instance
38 dsconf plugin
40 Manage plugins available on the server
41 dsconf pwpolicy
43 Get and set the global password policy settings
44 dsconf localpwp
46 Manage local (user/subtree) password policies
47 dsconf replication
49 Configure replication for a suffix
50 dsconf repl-agmt
52 Manage replication agreements
53 dsconf repl-winsync-agmt
55 Manage Winsync Agreements
56 dsconf repl-tasks
58 Manage replication tasks
59 dsconf sasl
61 Query and manipulate SASL mappings
62 dsconf security
64 Query and manipulate security options
65 dsconf schema
67 Query and manipulate schema
68 dsconf repl-conflict
70 Manage replication conflicts
71
73 usage: dsconf instance backend [-h]
74 {suffix,index,vlv-index,attr-
75 encrypt,config,monitor,import,export,create,delete,get-tree}
76 ...
77 Sub-commands
80 dsconf backend suffix
81 Manage a backend suffix
82 dsconf backend index
84 Manage backend indexes
85 dsconf backend vlv-index
87 Manage VLV searches and indexes
88 dsconf backend attr-encrypt
90 Encrypted attribute options
91 dsconf backend config
93 Manage the global database configuration settings
94 dsconf backend monitor
96 Get the global database monitor information
97 dsconf backend import
99 Do an online import of the suffix
100 dsconf backend export
102 Do an online export of the suffix
103 dsconf backend create
105 Create a backend database
106 dsconf backend delete
108 Delete a backend database
109 dsconf backend get-tree
111 Get a representation of the suffix tree
112
114 usage: dsconf instance backend suffix [-h]
115 {list,get,get-dn,get-sub-suf‐
116 fixes,set}
117 ...
118 Sub-commands
121 dsconf backend suffix list
122 List current active backends and suffixes
123 dsconf backend suffix get
125 Get the suffix entry
126 dsconf backend suffix get-dn
128 get_dn
129 dsconf backend suffix get-sub-suffixes
131 Get the sub-suffixes of this backend
132 dsconf backend suffix set
134 Set configuration settings for a single backend
135
137 usage: dsconf instance backend suffix list [-h] [--suffix]
138 [--skip-subsuffixes]
139 --suffix
143 Just display the suffix, and not the backend name
144 --skip-subsuffixes
147 Skip over sub-suffixes
148
151 usage: dsconf instance backend suffix get [-h] [selector]
152 selector
155 The backend to search for
156
160 usage: dsconf instance backend suffix get-dn [-h] [dn]
161 dn The backend dn to get
164
168 usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
169 be_name
170 be_name
173 The backend name or suffix to search for sub-suffixes
174 --suffix
177 Just display the suffix, and not the backend name
178
181 usage: dsconf instance backend suffix set [-h] [--enable-readonly]
182 [--disable-readonly]
183 [--require-index] [--ignore-
184 index]
185 [--add-referral ADD_REFERRAL]
186 [--del-referral DEL_REFERRAL]
187 [--enable] [--disable]
188 [--cache-size CACHE_SIZE]
189 [--cache-memsize CACHE_MEM‐
190 SIZE]
191 [--dncache-memsize
192 DNCACHE_MEMSIZE]
193 be_name
194 be_name
197 The backend name or suffix to delete
198 --enable-readonly
201 Set backend database to be read-only
202 --disable-readonly
205 Disable read-only mode for backend database
206 --require-index
209 Only allow indexed searches
210 --ignore-index
213 Allow all searches even if they are unindexed
214 --add-referral ADD_REFERRAL
217 Add a LDAP referral to the backend
218 --del-referral DEL_REFERRAL
221 Remove a LDAP referral to the backend
222 --enable
225 Enable the backend database
226 --disable
229 Disable the backend database
230 --cache-size CACHE_SIZE
233 The maximum number of entries to keep in the entry cache
234 --cache-memsize CACHE_MEMSIZE
237 The maximum size in bytes that the entry cache can grow to
238 --dncache-memsize DNCACHE_MEMSIZE
241 The maximum size in bytes that the DN cache can grow to
242
246 usage: dsconf instance backend index [-h]
247 {add,set,get,list,delete,reindex}
248 ...
249 Sub-commands
252 dsconf backend index add
253 Set configuration settings for a single backend
254 dsconf backend index set
256 Edit an index entry
257 dsconf backend index get
259 Get an index entry
260 dsconf backend index list
262 Set configuration settings for a single backend
263 dsconf backend index delete
265 Set configuration settings for a single backend
266 dsconf backend index reindex
268 Reindex the database (for a single index or all indexes
269
271 usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
272 [--matching-rule MATCH‐
273 ING_RULE]
274 [--reindex] --attr ATTR
275 be_name
276 be_name
279 The backend name or suffix to delete
280 --index-type INDEX_TYPE
283 An indexing type: eq, sub, pres, or approximate
284 --matching-rule MATCHING_RULE
287 Matching rule for the index
288 --reindex
291 After adding new index, reindex the database
292 --attr ATTR
295 The index attribute's name
296
299 usage: dsconf instance backend index set [-h] --attr ATTR
300 [--add-type ADD_TYPE]
301 [--del-type DEL_TYPE]
302 [--add-mr ADD_MR] [--del-mr
303 DEL_MR]
304 [--reindex]
305 be_name
306 be_name
309 The backend name or suffix to edit an index from
310 --attr ATTR
313 The index name to edit
314 --add-type ADD_TYPE
317 An index type to add to the index: eq, sub, pres, or approx
318 --del-type DEL_TYPE
321 An index type to remove from the index: eq, sub, pres, or approx
322 --add-mr ADD_MR
325 A matching-rule to add to the index
326 --del-mr DEL_MR
329 A matching-rule to remove from the index
330 --reindex
333 After editing index, reindex the database
334
337 usage: dsconf instance backend index get [-h] --attr ATTR be_name
338 be_name
341 The backend name or suffix to get the index from
342 --attr ATTR
345 The index name to get
346
349 usage: dsconf instance backend index list [-h] [--just-names] be_name
350 be_name
353 The backend name or suffix to list indexes from
354 --just-names
357 Return a list of just the attribute names for a backend
358
361 usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
362 be_name
365 The backend name or suffix to delete
366 --attr ATTR
369 The index attribute's name
370
373 usage: dsconf instance backend index reindex [-h] [--attr ATTR]
374 [--wait]
375 be_name
376 be_name
379 The backend name or suffix to reindex
380 --attr ATTR
383 The index attribute's name to reindex. Skip this argument to
384 reindex all attributes
385 --wait Wait for the index task to complete and report the status
388
392 usage: dsconf instance backend vlv-index [-h]
393 {list,get,add-search,edit-
394 search,del-search,add-index,del-index,reindex}
395 ...
396 Sub-commands
399 dsconf backend vlv-index list
400 List VLV search and index entries
401 dsconf backend vlv-index get
403 Get a VLV search & index
404 dsconf backend vlv-index add-search
406 Add a VLV search entry. The search entry is the parent entry of
407 the VLV index entries, and it specifies the search params that
408 are used to match entries for those indexes.
409 dsconf backend vlv-index edit-search
411 Edit a VLV search & index
412 dsconf backend vlv-index del-search
414 Delete VLV search & index
415 dsconf backend vlv-index add-index
417 Create a VLV index under a VLV search entry(parent entry). The
418 VLV index just specifies the attributes to sort
419 dsconf backend vlv-index del-index
421 Delete a VLV index under a VLV search entry(parent entry).
422 dsconf backend vlv-index reindex
424 Index/reindex the VLV database index
425
427 usage: dsconf instance backend vlv-index list [-h] [--just-names]
428 be_name
429 be_name
432 The backend name of the VLV index
433 --just-names
436 List just the names of the VLV search entries
437
440 usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
441 be_name
444 The backend name of the VLV index
445 --name NAME
448 Get the VLV search entry and its index entries
449
452 usage: dsconf instance backend vlv-index add-search [-h] --name NAME
453 --search-base
454 SEARCH_BASE
455 --search-scope
456 SEARCH_SCOPE
457 --search-filter
458 SEARCH_FILTER
459 be_name
460 be_name
463 The backend name of the VLV index
464 --name NAME
467 Name of the VLV search entry
468 --search-base SEARCH_BASE
471 The VLV search base
472 --search-scope SEARCH_SCOPE
475 The VLV search scope: 0 (base search), 1 (one-level search), or
476 2 (subtree search)
477 --search-filter SEARCH_FILTER
480 The VLV search filter
481
484 usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
485 [--search-base
486 SEARCH_BASE]
487 [--search-scope
488 SEARCH_SCOPE]
489 [--search-filter
490 SEARCH_FILTER]
491 [--reindex]
492 be_name
493 be_name
496 The backend name of the VLV index
497 --name NAME
500 Name of the VLV index
501 --search-base SEARCH_BASE
504 The VLV search base
505 --search-scope SEARCH_SCOPE
508 The VLV search scope: 0 (base search), 1 (one-level search), or
509 2 (subtree search)
510 --search-filter SEARCH_FILTER
513 The VLV search filter
514 --reindex
517 Reindex all the VLV database indexes
518
521 usage: dsconf instance backend vlv-index del-search [-h] --name NAME
522 be_name
523 be_name
526 The backend name of the VLV index
527 --name NAME
530 Name of the VLV search index
531
534 usage: dsconf instance backend vlv-index add-index [-h] --parent-name
535 PARENT_NAME --index-
536 name
537 INDEX_NAME --sort
538 SORT
539 [--index-it]
540 be_name
541 be_name
544 The backend name of the VLV index
545 --parent-name PARENT_NAME
548 Name, or "cn" attribute value, of the parent VLV search entry
549 --index-name INDEX_NAME
552 Name of the new VLV index
553 --sort SORT
556 A space separated list of attributes to sort for this VLV index
557 --index-it
560 Create the database index for this VLV index definition
561
564 usage: dsconf instance backend vlv-index del-index [-h] --parent-name
565 PARENT_NAME
566 [--index-name
567 INDEX_NAME]
568 [--sort SORT]
569 be_name
570 be_name
573 The backend name of the VLV index
574 --parent-name PARENT_NAME
577 Name, or "cn" attribute value, of the parent VLV search entry
578 --index-name INDEX_NAME
581 Name of the VLV index to delete
582 --sort SORT
585 Delete a VLV index that has this vlvsort value
586
589 usage: dsconf instance backend vlv-index reindex [-h]
590 [--index-name
591 INDEX_NAME]
592 --parent-name PAR‐
593 ENT_NAME
594 be_name
595 be_name
598 The backend name of the VLV index
599 --index-name INDEX_NAME
602 Name of the VLV Index entry to reindex. If not set, all indexes
603 are reindexed
604 --parent-name PARENT_NAME
607 Name, or "cn" attribute value, of the parent VLV search entry
608
612 usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-
613 names]
614 [--add-attr ADD_ATTR]
615 [--del-attr DEL_ATTR]
616 be_name
617 be_name
620 The backend name or suffix to to reindex
621 --list List all the encrypted attributes for this backend
624 --just-names
627 List just the names of the encrypted attributes (used with
628 --list)
629 --add-attr ADD_ATTR
632 Add an attribute to be encrypted
633 --del-attr DEL_ATTR
636 Remove an attribute from being encrypted
637
640 usage: dsconf instance backend config [-h] {get,set} ...
641 Sub-commands
644 dsconf backend config get
645 Get the global database configuration
646 dsconf backend config set
648 Set the global database configuration
649
651 usage: dsconf instance backend config get [-h]
652
657 usage: dsconf instance backend config set [-h]
658 [--lookthroughlimit LOOK‐
659 THROUGHLIMIT]
660 [--mode MODE]
661 [--idlistscanlimit
662 IDLISTSCANLIMIT]
663 [--directory DIRECTORY]
664 [--dbcachesize DBCACHESIZE]
665 [--logdirectory LOGDIRECTORY]
666 [--durable-txn DURABLE_TXN]
667 [--txn-wait TXN_WAIT]
668 [--checkpoint-interval CHECK‐
669 POINT_INTERVAL]
670 [--compactdb-interval COM‐
671 PACTDB_INTERVAL]
672 [--txn-batch-val
673 TXN_BATCH_VAL]
674 [--txn-batch-min
675 TXN_BATCH_MIN]
676 [--txn-batch-max
677 TXN_BATCH_MAX]
678 [--logbufsize LOGBUFSIZE]
679 [--locks LOCKS]
680 [--import-cache-autosize
681 IMPORT_CACHE_AUTOSIZE]
682 [--cache-autosize CACHE_AUTO‐
683 SIZE]
684 [--cache-autosize-split
685 CACHE_AUTOSIZE_SPLIT]
686 [--import-cachesize
687 IMPORT_CACHESIZE]
688 [--exclude-from-export
689 EXCLUDE_FROM_EXPORT]
690 [--pagedlookthroughlimit
691 PAGEDLOOKTHROUGHLIMIT]
692 [--pagedidlistscanlimit PAGE‐
693 DIDLISTSCANLIMIT]
694 [--rangelookthroughlimit
695 RANGELOOKTHROUGHLIMIT]
696 [--backend-opt-level BACK‐
697 END_OPT_LEVEL]
698 [--deadlock-policy DEAD‐
699 LOCK_POLICY]
700 [--db-home-directory
701 DB_HOME_DIRECTORY]
702 --lookthroughlimit LOOKTHROUGHLIMIT
706 specifies the maximum number of entries that the Directory
707 Server will check when examining candidate entries in response
708 to a search request
709 --mode MODE
712 Specifies the permissions used for newly created index files
713 --idlistscanlimit IDLISTSCANLIMIT
716 Specifies the number of entry IDs that are searched during a
717 search operation
718 --directory DIRECTORY
721 Specifies absolute path to database instance
722 --dbcachesize DBCACHESIZE
725 Specifies the database index cache size, in bytes.
726 --logdirectory LOGDIRECTORY
729 Specifies the path to the directory that contains the database
730 transaction logs
731 --durable-txn DURABLE_TXN
734 Sets whether database transaction log entries are immediately
735 written to the disk.
736 --txn-wait TXN_WAIT
739 Sets whether the server should should wait if there are no db
740 locks available
741 --checkpoint-interval CHECKPOINT_INTERVAL
744 Sets the amount of time in seconds after which the Directory
745 Server sends a checkpoint entry to the database transaction log
746 --compactdb-interval COMPACTDB_INTERVAL
749 Sets the interval in seconds when the database is compacted
750 --txn-batch-val TXN_BATCH_VAL
753 Specifies how many transactions will be batched before being
754 committed
755 --txn-batch-min TXN_BATCH_MIN
758 Controls when transactions should be flushed earliest, indepen‐
759 dently of the batch count (only works when txn-batch-val is set)
760 --txn-batch-max TXN_BATCH_MAX
763 Controls when transactions should be flushed latest, indepen‐
764 dently of the batch count (only works when txn-batch-val is set)
765 --logbufsize LOGBUFSIZE
768 Specifies the transaction log information buffer size
769 --locks LOCKS
772 Sets the maximum number of database locks
773 --import-cache-autosize IMPORT_CACHE_AUTOSIZE
776 Set to "on" or "off" to automatically set the size of the import
777 cache to be used during the the import process of LDIF files
778 --cache-autosize CACHE_AUTOSIZE
781 Sets the percentage of free memory that is used in total for the
782 database and entry cache. Set to "0" to disable this feature.
783 --cache-autosize-split CACHE_AUTOSIZE_SPLIT
786 Sets the percentage of RAM that is used for the database cache.
787 The remaining percentage is used for the entry cache
788 --import-cachesize IMPORT_CACHESIZE
791 Sets the size, in bytes, of the database cache used in the
792 import process.
793 --exclude-from-export EXCLUDE_FROM_EXPORT
796 List of attributes to not include during database export opera‐
797 tions
798 --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
801 Specifies the maximum number of entries that the Directory
802 Server will check when examining candidate entries for a search
803 which uses the simple paged results control
804 --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
807 Specifies the number of entry IDs that are searched, specifi‐
808 cally, for a search operation using the simple paged results
809 control.
810 --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
813 Specifies the maximum number of entries that the Directory
814 Server will check when examining candidate entries in response
815 to a range search request.
816 --backend-opt-level BACKEND_OPT_LEVEL
819 WARNING this parameter can trigger experimental code to improve
820 write performance. Valid values are: 0, 1, 2, or 4
821 --deadlock-policy DEADLOCK_POLICY
824 Adjusts the backend database deadlock policy (Advanced setting)
825 --db-home-directory DB_HOME_DIRECTORY
828 Sets the directory for the database mmapped files (Advanced set‐
829 ting)
830
834 usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
835 --suffix SUFFIX
839 Get just the suffix monitor entry
840
843 usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
844 [-g GEN_UNIQ_ID] [-O]
845 [-s INCLUDE_SUFFIXES
846 [INCLUDE_SUFFIXES ...]]
847 [-x EXCLUDE_SUFFIXES
848 [EXCLUDE_SUFFIXES ...]]
849 [be_name] [ldifs [ldifs ...]]
850 be_name
853 The backend name or the root suffix where to import
854 ldifs Specifies the filename of the input LDIF files.When multiple
857 files are imported, they are imported in the orderthey are spec‐
858 ified on the command line.
859 -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
862 The number of chunks to have during the import operation.
863 -E, --encrypted
866 Decrypts encrypted data during export. This option is used
867 onlyif database encryption is enabled.
868 -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
871 Generate a unique id. Type none for no unique ID to be gener‐
872 atedand deterministic for the generated unique ID to be
873 name-based.By default, a time- based unique ID is generated.When
874 using the deterministic generation to have a name-based unique
875 ID,it is also possible to specify the namespace for the server
876 to use.namespaceId is a string of charactersin the format
877 00-xxxxxxxx- xxxxxxxx-xxxxxxxx-xxxxxxxx.
878 -O, --only-core
881 Requests that only the core database is created without
882 attribute indexes.
883 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes
886 INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
887 Specifies the suffixes or the subtrees to be included.
888 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes
891 EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
892 Specifies the suffixes to be excluded.
893
896 usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
897 [-N] [-r]
898 [-u] [-U]
899 [-s INCLUDE_SUFFIXES
900 [INCLUDE_SUFFIXES ...]]
901 [-x EXCLUDE_SUFFIXES
902 [EXCLUDE_SUFFIXES ...]]
903 be_names [be_names ...]
904 be_names
907 The backend names or the root suffixes from where to export.
908 -l LDIF, --ldif LDIF
911 Gives the filename of the output LDIF file.If more than one are
912 specified, use a space as a separator
913 -C, --use-id2entry
916 Uses only the main database file.
917 -E, --encrypted
920 Decrypts encrypted data during export. This option is used only
921 if database encryption is enabled.
922 -m, --min-base64
925 Sets minimal base-64 encoding.
926 -N, --no-seq-num
929 Enables you to suppress printing the sequence number.
930 -r, --replication
933 Exports the information required to initialize a replica when
934 the LDIF is imported
935 -u, --no-dump-uniq-id
938 Requests that the unique ID is not exported.
939 -U, --not-folded
942 Requests that the output LDIF is not folded.
943 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes
946 INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
947 Specifies the suffixes or the subtrees to be included.
948 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes
951 EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
952 Specifies the suffixes to be excluded.
953
956 usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUF‐
957 FIX]
958 --suffix SUFFIX --be-name BE_NAME
959 [--create-entries] [--create-suf‐
960 fix]
961 --parent-suffix PARENT_SUFFIX
965 Sets the parent suffix only if this backend is a sub-suffix
966 --suffix SUFFIX
969 The database suffix DN, for example "dc=example,dc=com"
970 --be-name BE_NAME
973 The database backend name, for example "userroot"
974 --create-entries
977 Create sample entries in the database
978 --create-suffix
981 Create the suffix object entry in the database. Only suffixes
982 using the attributes 'dc', 'o', 'ou', or 'cn' are supported in
983 this feature
984
987 usage: dsconf instance backend delete [-h] be_name
988 be_name
991 The backend name or suffix to delete
992
996 usage: dsconf instance backend get-tree [-h]
997
1003 usage: dsconf instance backup [-h] {create,restore} ...
1004 Sub-commands
1007 dsconf backup create
1008 Creates a backup of the database
1009 dsconf backup restore
1011 Restores a database from a backup
1012
1014 usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]
1015 archive
1018 The directory where the backup files will be stored.The
1019 /var/lib/dirsrv/slapd- instance/bak directory is used by
1020 default.The backup file is named according to the
1021 year-month-day-hour format.
1022 -t DB_TYPE, --db-type DB_TYPE
1025 Database type (default: ldbm database).
1026
1029 usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive
1030 archive
1033 The directory of the backup files.
1034 -t DB_TYPE, --db-type DB_TYPE
1037 Database type (default: ldbm database).
1038
1042 usage: dsconf instance chaining [-h]
1043 {config-get,config-set,config-get-
1044 def,config-set-def,link-create,link-get,link-set,link-delete,moni‐
1045 tor,link-list}
1046 ...
1047 Sub-commands
1050 dsconf chaining config-get
1051 Get the chaining controls and server component lists
1052 dsconf chaining config-set
1054 Set the chaining controls and server component lists
1055 dsconf chaining config-get-def
1057 Get the default creation parameters for new database links
1058 dsconf chaining config-set-def
1060 Set the default creation parameters for new database links
1061 dsconf chaining link-create
1063 Create a database link to a remote server
1064 dsconf chaining link-get
1066 get chaining database link
1067 dsconf chaining link-set
1069 Edit a database link to a remote server
1070 dsconf chaining link-delete
1072 Delete a database link
1073 dsconf chaining monitor
1075 Get the monitor information for a database chaining link
1076 dsconf chaining link-list
1078 List database links
1079
1081 usage: dsconf instance chaining config-get [-h] [--avail-controls]
1082 [--avail-comps]
1083 --avail-controls
1087 List available controls for chaining
1088 --avail-comps
1091 List available plugin components for chaining
1092
1095 usage: dsconf instance chaining config-set [-h] [--add-control ADD_CON‐
1096 TROL]
1097 [--del-control DEL_CONTROL]
1098 [--add-comp ADD_COMP]
1099 [--del-comp DEL_COMP]
1100 --add-control ADD_CONTROL
1104 Add a transmitted control OID
1105 --del-control DEL_CONTROL
1108 Delete a transmitted control OID
1109 --add-comp ADD_COMP
1112 Add a chaining component
1113 --del-comp DEL_COMP
1116 Delete a chaining component
1117
1120 usage: dsconf instance chaining config-get-def [-h]
1121
1126 usage: dsconf instance chaining config-set-def [-h]
1127 [--conn-bind-limit
1128 CONN_BIND_LIMIT]
1129 [--conn-op-limit
1130 CONN_OP_LIMIT]
1131 [--abandon-check-inter‐
1132 val ABANDON_CHECK_INTERVAL]
1133 [--bind-limit
1134 BIND_LIMIT]
1135 [--op-limit OP_LIMIT]
1136 [--proxied-auth PROX‐
1137 IED_AUTH]
1138 [--conn-lifetime
1139 CONN_LIFETIME]
1140 [--bind-timeout
1141 BIND_TIMEOUT]
1142 [--return-ref
1143 RETURN_REF]
1144 [--check-aci CHECK_ACI]
1145 [--bind-attempts
1146 BIND_ATTEMPTS]
1147 [--size-limit
1148 SIZE_LIMIT]
1149 [--time-limit
1150 TIME_LIMIT]
1151 [--hop-limit HOP_LIMIT]
1152 [--response-delay
1153 RESPONSE_DELAY]
1154 [--test-response-delay
1155 TEST_RESPONSE_DELAY]
1156 [--use-starttls
1157 USE_STARTTLS]
1158 --conn-bind-limit CONN_BIND_LIMIT
1162 The maximum number of BIND connections the database link estab‐
1163 lishes with the remote server.
1164 --conn-op-limit CONN_OP_LIMIT
1167 The maximum number of LDAP connections the database link estab‐
1168 lishes with the remote server.
1169 --abandon-check-interval ABANDON_CHECK_INTERVAL
1172 The number of seconds that pass before the server checks for
1173 abandoned operations.
1174 --bind-limit BIND_LIMIT
1177 The maximum number of concurrent bind operations per TCP connec‐
1178 tion.
1179 --op-limit OP_LIMIT
1182 The maximum number of concurrent operations allowed.
1183 --proxied-auth PROXIED_AUTH
1186 Set to "off" to disable proxied authorization, then binds for
1187 chained operations are executed as the user set in the nsMulti‐
1188 plexorBindDn attribute (on/off).
1189 --conn-lifetime CONN_LIFETIME
1192 Specifies connection lifetime in seconds. 0 keeps connection
1193 open forever.
1194 --bind-timeout BIND_TIMEOUT
1197 The amount of time in seconds before a bind attempt times out.
1198 --return-ref RETURN_REF
1201 Sets whether referrals are returned by scoped searches (on/off).
1202 --check-aci CHECK_ACI
1205 Set whether ACIs are evaluated on the database link as well as
1206 the remote data server (on/off).
1207 --bind-attempts BIND_ATTEMPTS
1210 Sets the number of times the server tries to bind with the
1211 remote server.
1212 --size-limit SIZE_LIMIT
1215 Sets the maximum number of entries to return from a search oper‐
1216 ation.
1217 --time-limit TIME_LIMIT
1220 Sets the maximum number of seconds allowed for an operation.
1221 --hop-limit HOP_LIMIT
1224 Sets the maximum number of times a database is allowed to chain;
1225 that is, the number of times a request can be forwarded from one
1226 database link to another.
1227 --response-delay RESPONSE_DELAY
1230 The maximum amount of time it can take a remote server to
1231 respond to an LDAP operation request made by a database link
1232 before an error is suspected.
1233 --test-response-delay TEST_RESPONSE_DELAY
1236 Sets the duration of the test issued by the database link to
1237 check whether the remote server is responding.
1238 --use-starttls USE_STARTTLS
1241 Set to "on" specifies that the database links should use Start‐
1242 TLS for its secure connections.
1243
1246 usage: dsconf instance chaining link-create [-h]
1247 [--conn-bind-limit
1248 CONN_BIND_LIMIT]
1249 [--conn-op-limit
1250 CONN_OP_LIMIT]
1251 [--abandon-check-interval
1252 ABANDON_CHECK_INTERVAL]
1253 [--bind-limit BIND_LIMIT]
1254 [--op-limit OP_LIMIT]
1255 [--proxied-auth PROX‐
1256 IED_AUTH]
1257 [--conn-lifetime CONN_LIFE‐
1258 TIME]
1259 [--bind-timeout BIND_TIME‐
1260 OUT]
1261 [--return-ref RETURN_REF]
1262 [--check-aci CHECK_ACI]
1263 [--bind-attempts
1264 BIND_ATTEMPTS]
1265 [--size-limit SIZE_LIMIT]
1266 [--time-limit TIME_LIMIT]
1267 [--hop-limit HOP_LIMIT]
1268 [--response-delay
1269 RESPONSE_DELAY]
1270 [--test-response-delay
1271 TEST_RESPONSE_DELAY]
1272 [--use-starttls USE_START‐
1273 TLS]
1274 --suffix SUFFIX --server-
1275 url
1276 SERVER_URL --bind-mech
1277 BIND_MECH
1278 --bind-dn BIND_DN --bind-pw
1279 BIND_PW
1280 CHAIN_NAME
1281 CHAIN_NAME
1284 The name of the database link
1285 --conn-bind-limit CONN_BIND_LIMIT
1288 The maximum number of BIND connections the database link estab‐
1289 lishes with the remote server.
1290 --conn-op-limit CONN_OP_LIMIT
1293 The maximum number of LDAP connections the database link estab‐
1294 lishes with the remote server.
1295 --abandon-check-interval ABANDON_CHECK_INTERVAL
1298 The number of seconds that pass before the server checks for
1299 abandoned operations.
1300 --bind-limit BIND_LIMIT
1303 The maximum number of concurrent bind operations per TCP connec‐
1304 tion.
1305 --op-limit OP_LIMIT
1308 The maximum number of concurrent operations allowed.
1309 --proxied-auth PROXIED_AUTH
1312 Set to "off" to disable proxied authorization, then binds for
1313 chained operations are executed as the user set in the nsMulti‐
1314 plexorBindDn attribute (on/off).
1315 --conn-lifetime CONN_LIFETIME
1318 Specifies connection lifetime in seconds. 0 keeps connection
1319 open forever.
1320 --bind-timeout BIND_TIMEOUT
1323 The amount of time in seconds before a bind attempt times out.
1324 --return-ref RETURN_REF
1327 Sets whether referrals are returned by scoped searches (on/off).
1328 --check-aci CHECK_ACI
1331 Set whether ACIs are evaluated on the database link as well as
1332 the remote data server (on/off).
1333 --bind-attempts BIND_ATTEMPTS
1336 Sets the number of times the server tries to bind with the
1337 remote server.
1338 --size-limit SIZE_LIMIT
1341 Sets the maximum number of entries to return from a search oper‐
1342 ation.
1343 --time-limit TIME_LIMIT
1346 Sets the maximum number of seconds allowed for an operation.
1347 --hop-limit HOP_LIMIT
1350 Sets the maximum number of times a database is allowed to chain;
1351 that is, the number of times a request can be forwarded from one
1352 database link to another.
1353 --response-delay RESPONSE_DELAY
1356 The maximum amount of time it can take a remote server to
1357 respond to an LDAP operation request made by a database link
1358 before an error is suspected.
1359 --test-response-delay TEST_RESPONSE_DELAY
1362 Sets the duration of the test issued by the database link to
1363 check whether the remote server is responding.
1364 --use-starttls USE_STARTTLS
1367 Set to "on" specifies that the database links should use Start‐
1368 TLS for its secure connections.
1369 --suffix SUFFIX
1372 The suffix managed by the database link.
1373 --server-url SERVER_URL
1376 Gives the LDAP/LDAPS URL of the remote server.
1377 --bind-mech BIND_MECH
1380 Sets the authentication method to use to authenticate to the
1381 remote server: <leave empty for LDAP/LDAPS>, EXTERNAL,
1382 DIGEST-MD5, or GSSAPI
1383 --bind-dn BIND_DN
1386 DN of the administrative entry used to communicate with the
1387 remote server
1388 --bind-pw BIND_PW
1391 Password for the administrative user.
1392
1395 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1396 CHAIN_NAME
1399 The chaining link name, or suffix, to retrieve
1400
1404 usage: dsconf instance chaining link-set [-h]
1405 [--conn-bind-limit
1406 CONN_BIND_LIMIT]
1407 [--conn-op-limit
1408 CONN_OP_LIMIT]
1409 [--abandon-check-interval
1410 ABANDON_CHECK_INTERVAL]
1411 [--bind-limit BIND_LIMIT]
1412 [--op-limit OP_LIMIT]
1413 [--proxied-auth PROXIED_AUTH]
1414 [--conn-lifetime CONN_LIFE‐
1415 TIME]
1416 [--bind-timeout BIND_TIMEOUT]
1417 [--return-ref RETURN_REF]
1418 [--check-aci CHECK_ACI]
1419 [--bind-attempts
1420 BIND_ATTEMPTS]
1421 [--size-limit SIZE_LIMIT]
1422 [--time-limit TIME_LIMIT]
1423 [--hop-limit HOP_LIMIT]
1424 [--response-delay
1425 RESPONSE_DELAY]
1426 [--test-response-delay
1427 TEST_RESPONSE_DELAY]
1428 [--use-starttls USE_STARTTLS]
1429 [--suffix SUFFIX]
1430 [--server-url SERVER_URL]
1431 [--bind-mech BIND_MECH]
1432 [--bind-dn BIND_DN]
1433 [--bind-pw BIND_PW]
1434 CHAIN_NAME
1435 CHAIN_NAME
1438 The name of the database link
1439 --conn-bind-limit CONN_BIND_LIMIT
1442 The maximum number of BIND connections the database link estab‐
1443 lishes with the remote server.
1444 --conn-op-limit CONN_OP_LIMIT
1447 The maximum number of LDAP connections the database link estab‐
1448 lishes with the remote server.
1449 --abandon-check-interval ABANDON_CHECK_INTERVAL
1452 The number of seconds that pass before the server checks for
1453 abandoned operations.
1454 --bind-limit BIND_LIMIT
1457 The maximum number of concurrent bind operations per TCP connec‐
1458 tion.
1459 --op-limit OP_LIMIT
1462 The maximum number of concurrent operations allowed.
1463 --proxied-auth PROXIED_AUTH
1466 Set to "off" to disable proxied authorization, then binds for
1467 chained operations are executed as the user set in the nsMulti‐
1468 plexorBindDn attribute (on/off).
1469 --conn-lifetime CONN_LIFETIME
1472 Specifies connection lifetime in seconds. 0 keeps connection
1473 open forever.
1474 --bind-timeout BIND_TIMEOUT
1477 The amount of time in seconds before a bind attempt times out.
1478 --return-ref RETURN_REF
1481 Sets whether referrals are returned by scoped searches (on/off).
1482 --check-aci CHECK_ACI
1485 Set whether ACIs are evaluated on the database link as well as
1486 the remote data server (on/off).
1487 --bind-attempts BIND_ATTEMPTS
1490 Sets the number of times the server tries to bind with the
1491 remote server.
1492 --size-limit SIZE_LIMIT
1495 Sets the maximum number of entries to return from a search oper‐
1496 ation.
1497 --time-limit TIME_LIMIT
1500 Sets the maximum number of seconds allowed for an operation.
1501 --hop-limit HOP_LIMIT
1504 Sets the maximum number of times a database is allowed to chain;
1505 that is, the number of times a request can be forwarded from one
1506 database link to another.
1507 --response-delay RESPONSE_DELAY
1510 The maximum amount of time it can take a remote server to
1511 respond to an LDAP operation request made by a database link
1512 before an error is suspected.
1513 --test-response-delay TEST_RESPONSE_DELAY
1516 Sets the duration of the test issued by the database link to
1517 check whether the remote server is responding.
1518 --use-starttls USE_STARTTLS
1521 Set to "on" specifies that the database links should use Start‐
1522 TLS for its secure connections.
1523 --suffix SUFFIX
1526 The suffix managed by the database link.
1527 --server-url SERVER_URL
1530 Gives the LDAP/LDAPS URL of the remote server.
1531 --bind-mech BIND_MECH
1534 Sets the authentication method to use to authenticate to the
1535 remote server: <leave empty for LDAP/LDAPS>, EXTERNAL,
1536 DIGEST-MD5, or GSSAPI
1537 --bind-dn BIND_DN
1540 DN of the administrative entry used to communicate with the
1541 remote server
1542 --bind-pw BIND_PW
1545 Password for the administrative user.
1546
1549 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1550 CHAIN_NAME
1553 The name of the database link
1554
1558 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1559 CHAIN_NAME
1562 The name of the database link
1563
1567 usage: dsconf instance chaining link-list [-h]
1568
1574 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1575 Sub-commands
1578 dsconf config get
1579 get
1580 dsconf config add
1582 Add attribute value to configuration
1583 dsconf config replace
1585 Replace attribute value in configuration
1586 dsconf config delete
1588 Delete attribute value in configuration
1589
1591 usage: dsconf instance config get [-h] [attrs [attrs ...]]
1592 attrs Configuration attribute(s) to get
1595
1599 usage: dsconf instance config add [-h] [attr [attr ...]]
1600 attr Configuration attribute to add
1603
1607 usage: dsconf instance config replace [-h] [attr [attr ...]]
1608 attr Configuration attribute to replace
1611
1615 usage: dsconf instance config delete [-h] [attr [attr ...]]
1616 attr Configuration attribute to delete
1619
1624 usage: dsconf instance directory_manager [-h] {password_change} ...
1625 Sub-commands
1628 dsconf directory_manager password_change
1629 Change the directory manager password
1630
1632 usage: dsconf instance directory_manager password_change [-h]
1633
1639 usage: dsconf instance monitor [-h]
1640 {server,dbmon,ldbm,backend,snmp,chain‐
1641 ing,disk}
1642 ...
1643 Sub-commands
1646 dsconf monitor server
1647 Monitor the server statistics, connections and operations
1648 dsconf monitor dbmon
1650 Monitor the all the database statistics in a single report
1651 dsconf monitor ldbm
1653 Monitor the ldbm statistics, such as dbcache
1654 dsconf monitor backend
1656 Monitor the behavior of a backend database
1657 dsconf monitor snmp
1659 Monitor the SNMP statistics
1660 dsconf monitor chaining
1662 Monitor database chaining statistics
1663 dsconf monitor disk
1665 Disk space statistics. All values are in bytes
1666
1668 usage: dsconf instance monitor server [-h]
1669
1674 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1675 -b BACKENDS, --backends BACKENDS
1679 List of space separated backends to monitor. Default is all
1680 backends.
1681 -x, --indexes
1684 Show index stats for each backend
1685
1688 usage: dsconf instance monitor ldbm [-h]
1689
1694 usage: dsconf instance monitor backend [-h] [backend]
1695 backend
1698 Optional name of the backend to monitor
1699
1703 usage: dsconf instance monitor snmp [-h]
1704
1709 usage: dsconf instance monitor chaining [-h] [backend]
1710 backend
1713 Optional name of the chaining backend to monitor
1714
1718 usage: dsconf instance monitor disk [-h]
1719
1725 usage: dsconf instance plugin [-h]
1726 {memberof,automember,referential-
1727 integrity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-
1728 entries,pass-through-auth,retro-changelog,posix-winsync,list,show,set}
1729 ...
1730 Sub-commands
1733 dsconf plugin memberof
1734 Manage and configure MemberOf plugin
1735 dsconf plugin automember
1737 Manage and configure Automembership plugin
1738 dsconf plugin referential-integrity
1740 Manage and configure Referential Integrity Postoperation plugin
1741 dsconf plugin root-dn
1743 Manage and configure RootDN Access Control plugin
1744 dsconf plugin usn
1746 Manage and configure USN plugin
1747 dsconf plugin account-policy
1749 Manage and configure Account Policy plugin
1750 dsconf plugin attr-uniq
1752 Manage and configure Attribute Uniqueness plugin
1753 dsconf plugin dna
1755 Manage and configure DNA plugin
1756 dsconf plugin linked-attr
1758 Manage and configure Linked Attributes plugin
1759 dsconf plugin managed-entries
1761 Manage and configure Managed Entries Plugin
1762 dsconf plugin pass-through-auth
1764 Manage and configure Pass-Through Authentication plugins (URLs
1765 and PAM)
1766 dsconf plugin retro-changelog
1768 Manage and configure Retro Changelog plugin
1769 dsconf plugin posix-winsync
1771 Manage and configure The Posix Winsync API plugin
1772 dsconf plugin list
1774 List current configured (enabled and disabled) plugins
1775 dsconf plugin show
1777 Show the plugin data
1778 dsconf plugin set
1780 Edit the plugin
1781
1783 usage: dsconf instance plugin memberof [-h]
1784 {show,enable,disable,sta‐
1785 tus,set,config-entry,fixup}
1786 ...
1787 Sub-commands
1790 dsconf plugin memberof show
1791 display plugin configuration
1792 dsconf plugin memberof enable
1794 enable plugin
1795 dsconf plugin memberof disable
1797 disable plugin
1798 dsconf plugin memberof status
1800 display plugin status
1801 dsconf plugin memberof set
1803 Edit the plugin
1804 dsconf plugin memberof config-entry
1806 Manage the config entry
1807 dsconf plugin memberof fixup
1809 Run the fix-up task for memberOf plugin
1810
1812 usage: dsconf instance plugin memberof show [-h]
1813
1818 usage: dsconf instance plugin memberof enable [-h]
1819
1824 usage: dsconf instance plugin memberof disable [-h]
1825
1830 usage: dsconf instance plugin memberof status [-h]
1831
1836 usage: dsconf instance plugin memberof set [-h] [--attr ATTR [ATTR
1837 ...]]
1838 [--groupattr GROUPATTR
1839 [GROUPATTR ...]]
1840 [--allbackends {on,off}]
1841 [--skipnested {on,off}]
1842 [--scope SCOPE] [--exclude
1843 EXCLUDE]
1844 [--autoaddoc AUTOADDOC]
1845 [--config-entry CON‐
1846 FIG_ENTRY]
1847 --attr ATTR [ATTR ...]
1851 Specifies the attribute in the user entry for the Directory
1852 Server to manage to reflect group membership (memberOfAttr)
1853 --groupattr GROUPATTR [GROUPATTR ...]
1856 Specifies the attribute in the group entry to use to identify
1857 the DNs of group members (memberOfGroupAttr)
1858 --allbackends {on,off}
1861 Specifies whether to search the local suffix for user entries on
1862 all available suffixes (memberOfAllBackends)
1863 --skipnested {on,off}
1866 Specifies wherher to skip nested groups or not (memberOfSkip‐
1867 Nested)
1868 --scope SCOPE
1871 Specifies backends or multiple-nested suffixes for the MemberOf
1872 plug-in to work on (memberOfEntryScope)
1873 --exclude EXCLUDE
1876 Specifies backends or multiple-nested suffixes for the MemberOf
1877 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1878 --autoaddoc AUTOADDOC
1881 If an entry does not have an object class that allows the mem‐
1882 berOf attribute then the memberOf plugin will automatically add
1883 the object class listed in the memberOfAutoAddOC parameter
1884 --config-entry CONFIG_ENTRY
1887 The value to set as nsslapd-pluginConfigArea
1888
1891 usage: dsconf instance plugin memberof config-entry [-h]
1892 {add,set,show,delete}
1893 ...
1894 Sub-commands
1897 dsconf plugin memberof config-entry add
1898 Add the config entry
1899 dsconf plugin memberof config-entry set
1901 Edit the config entry
1902 dsconf plugin memberof config-entry show
1904 Display the config entry
1905 dsconf plugin memberof config-entry delete
1907 Delete the config entry
1908
1910 usage: dsconf instance plugin memberof config-entry add [-h]
1911 [--attr ATTR
1912 [ATTR ...]]
1913 [--groupattr
1914 GROUPATTR [GROUPATTR ...]]
1915 [--allbackends
1916 {on,off}]
1917 [--skipnested
1918 {on,off}]
1919 [--scope SCOPE]
1920 [--exclude
1921 EXCLUDE]
1922 [--autoaddoc
1923 AUTOADDOC]
1924 DN
1925 DN The config entry full DN
1928 --attr ATTR [ATTR ...]
1931 Specifies the attribute in the user entry for the Directory
1932 Server to manage to reflect group membership (memberOfAttr)
1933 --groupattr GROUPATTR [GROUPATTR ...]
1936 Specifies the attribute in the group entry to use to identify
1937 the DNs of group members (memberOfGroupAttr)
1938 --allbackends {on,off}
1941 Specifies whether to search the local suffix for user entries on
1942 all available suffixes (memberOfAllBackends)
1943 --skipnested {on,off}
1946 Specifies wherher to skip nested groups or not (memberOfSkip‐
1947 Nested)
1948 --scope SCOPE
1951 Specifies backends or multiple-nested suffixes for the MemberOf
1952 plug-in to work on (memberOfEntryScope)
1953 --exclude EXCLUDE
1956 Specifies backends or multiple-nested suffixes for the MemberOf
1957 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1958 --autoaddoc AUTOADDOC
1961 If an entry does not have an object class that allows the mem‐
1962 berOf attribute then the memberOf plugin will automatically add
1963 the object class listed in the memberOfAutoAddOC parameter
1964
1967 usage: dsconf instance plugin memberof config-entry set [-h]
1968 [--attr ATTR
1969 [ATTR ...]]
1970 [--groupattr
1971 GROUPATTR [GROUPATTR ...]]
1972 [--allbackends
1973 {on,off}]
1974 [--skipnested
1975 {on,off}]
1976 [--scope SCOPE]
1977 [--exclude
1978 EXCLUDE]
1979 [--autoaddoc
1980 AUTOADDOC]
1981 DN
1982 DN The config entry full DN
1985 --attr ATTR [ATTR ...]
1988 Specifies the attribute in the user entry for the Directory
1989 Server to manage to reflect group membership (memberOfAttr)
1990 --groupattr GROUPATTR [GROUPATTR ...]
1993 Specifies the attribute in the group entry to use to identify
1994 the DNs of group members (memberOfGroupAttr)
1995 --allbackends {on,off}
1998 Specifies whether to search the local suffix for user entries on
1999 all available suffixes (memberOfAllBackends)
2000 --skipnested {on,off}
2003 Specifies wherher to skip nested groups or not (memberOfSkip‐
2004 Nested)
2005 --scope SCOPE
2008 Specifies backends or multiple-nested suffixes for the MemberOf
2009 plug-in to work on (memberOfEntryScope)
2010 --exclude EXCLUDE
2013 Specifies backends or multiple-nested suffixes for the MemberOf
2014 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2015 --autoaddoc AUTOADDOC
2018 If an entry does not have an object class that allows the mem‐
2019 berOf attribute then the memberOf plugin will automatically add
2020 the object class listed in the memberOfAutoAddOC parameter
2021
2024 usage: dsconf instance plugin memberof config-entry show [-h] DN
2025 DN The config entry full DN
2028
2032 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2033 DN The config entry full DN
2036
2041 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] DN
2042 DN Base DN that contains entries to fix up
2045 -f FILTER, --filter FILTER
2048 Filter for entries to fix up. If omitted, all entries with
2049 objectclass inetuser/inetadmin/nsmemberof under the specified
2050 base will have their memberOf attribute regenerated.
2051
2055 usage: dsconf instance plugin automember [-h]
2056 {show,enable,disable,sta‐
2057 tus,list,definition,fixup}
2058 ...
2059 Sub-commands
2062 dsconf plugin automember show
2063 display plugin configuration
2064 dsconf plugin automember enable
2066 enable plugin
2067 dsconf plugin automember disable
2069 disable plugin
2070 dsconf plugin automember status
2072 display plugin status
2073 dsconf plugin automember list
2075 List Automembership definitions or regex rules.
2076 dsconf plugin automember definition
2078 Manage Automembership definition.
2079 dsconf plugin automember fixup
2081 Run a rebuild membership task.
2082
2084 usage: dsconf instance plugin automember show [-h]
2085
2090 usage: dsconf instance plugin automember enable [-h]
2091
2096 usage: dsconf instance plugin automember disable [-h]
2097
2102 usage: dsconf instance plugin automember status [-h]
2103
2108 usage: dsconf instance plugin automember list [-h] {defini‐
2109 tions,regexes} ...
2110 Sub-commands
2113 dsconf plugin automember list definitions
2114 List Automembership definitions.
2115 dsconf plugin automember list regexes
2117 List Automembership regex rules.
2118
2120 usage: dsconf instance plugin automember list definitions [-h]
2121
2126 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2127 DEFNAME
2130 The definition entry CN.
2131
2136 usage: dsconf instance plugin automember definition [-h]
2137 DEFNAME
2138 {add,set,delete,show,regex}
2139 ...
2140 DEFNAME
2143 The definition entry CN.
2144 Sub-commands
2147 dsconf plugin automember definition add
2148 Create Automembership definition.
2149 dsconf plugin automember definition set
2151 Edit Automembership definition.
2152 dsconf plugin automember definition delete
2154 Remove Automembership definition.
2155 dsconf plugin automember definition show
2157 Display Automembership definition.
2158 dsconf plugin automember definition regex
2160 Manage Automembership regex rules.
2161
2163 usage: dsconf instance plugin automember definition DEFNAME add
2164 [-h] --grouping-attr GROUPING_ATTR [--default-group
2165 DEFAULT_GROUP]
2166 --scope SCOPE --filter FILTER
2167 --grouping-attr GROUPING_ATTR
2171 Specifies the name of the member attribute in the group entry
2172 and the attribute in the object entry that supplies the member
2173 attribute value, in the format group_member_attr:entry_attr
2174 (autoMemberGroupingAttr)
2175 --default-group DEFAULT_GROUP
2178 Sets default or fallback group to add the entry to as a member
2179 attribute in group entry (autoMemberDefaultGroup)
2180 --scope SCOPE
2183 Sets the subtree DN to search for entries (autoMemberScope)
2184 --filter FILTER
2187 Sets a standard LDAP search filter to use to search for matching
2188 entries (autoMemberFilter)
2189
2192 usage: dsconf instance plugin automember definition DEFNAME set
2193 [-h] --grouping-attr GROUPING_ATTR [--default-group
2194 DEFAULT_GROUP]
2195 --scope SCOPE --filter FILTER
2196 --grouping-attr GROUPING_ATTR
2200 Specifies the name of the member attribute in the group entry
2201 and the attribute in the object entry that supplies the member
2202 attribute value, in the format group_member_attr:entry_attr
2203 (autoMemberGroupingAttr)
2204 --default-group DEFAULT_GROUP
2207 Sets default or fallback group to add the entry to as a member
2208 attribute in group entry (autoMemberDefaultGroup)
2209 --scope SCOPE
2212 Sets the subtree DN to search for entries (autoMemberScope)
2213 --filter FILTER
2216 Sets a standard LDAP search filter to use to search for matching
2217 entries (autoMemberFilter)
2218
2221 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2222
2227 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2228
2233 usage: dsconf instance plugin automember definition DEFNAME regex
2234 [-h] REGEXNAME {add,set,delete,show} ...
2235 REGEXNAME
2238 The regex entry CN.
2239 Sub-commands
2242 dsconf plugin automember definition regex add
2243 Create Automembership regex.
2244 dsconf plugin automember definition regex set
2246 Edit Automembership regex.
2247 dsconf plugin automember definition regex delete
2249 Remove Automembership regex.
2250 dsconf plugin automember definition regex show
2252 Display Automembership regex.
2253
2255 usage: dsconf instance plugin automember definition DEFNAME regex
2256 REGEXNAME add
2257 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2258 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2259 GET_GROUP
2260 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2264 Sets a single regular expression to use to identify entries to
2265 exclude (autoMemberExclusiveRegex)
2266 --inclusive INCLUSIVE [INCLUSIVE ...]
2269 Sets a single regular expression to use to identify entries to
2270 include (autoMemberInclusiveRegex)
2271 --target-group TARGET_GROUP
2274 Sets which group to add the entry to as a member, if it meets
2275 the regular expression conditions (autoMemberTargetGroup)
2276
2279 usage: dsconf instance plugin automember definition DEFNAME regex
2280 REGEXNAME set
2281 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2282 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2283 GET_GROUP
2284 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2288 Sets a single regular expression to use to identify entries to
2289 exclude (autoMemberExclusiveRegex)
2290 --inclusive INCLUSIVE [INCLUSIVE ...]
2293 Sets a single regular expression to use to identify entries to
2294 include (autoMemberInclusiveRegex)
2295 --target-group TARGET_GROUP
2298 Sets which group to add the entry to as a member, if it meets
2299 the regular expression conditions (autoMemberTargetGroup)
2300
2303 usage: dsconf instance plugin automember definition DEFNAME regex
2304 REGEXNAME delete
2305 [-h]
2306
2311 usage: dsconf instance plugin automember definition DEFNAME regex
2312 REGEXNAME show
2313 [-h]
2314
2321 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2322 {sub,base,one}
2323 DN
2324 DN Base DN that contains entries to fix up
2327 -f FILTER, --filter FILTER
2330 LDAP filter for entries to fix up.
2331 -s {sub,base,one}, --scope {sub,base,one}
2334 LDAP search scope for entries to fix up
2335
2339 usage: dsconf instance plugin referential-integrity [-h]
2340 {show,enable,dis‐
2341 able,status,set,config-entry}
2342 ...
2343 Sub-commands
2346 dsconf plugin referential-integrity show
2347 display plugin configuration
2348 dsconf plugin referential-integrity enable
2350 enable plugin
2351 dsconf plugin referential-integrity disable
2353 disable plugin
2354 dsconf plugin referential-integrity status
2356 display plugin status
2357 dsconf plugin referential-integrity set
2359 Edit the plugin
2360 dsconf plugin referential-integrity config-entry
2362 Manage the config entry
2363
2365 usage: dsconf instance plugin referential-integrity show [-h]
2366
2371 usage: dsconf instance plugin referential-integrity enable [-h]
2372
2377 usage: dsconf instance plugin referential-integrity disable [-h]
2378
2383 usage: dsconf instance plugin referential-integrity status [-h]
2384
2389 usage: dsconf instance plugin referential-integrity set [-h]
2390 [--update-delay
2391 UPDATE_DELAY]
2392 [--membership-
2393 attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2394 [--entry-scope
2395 ENTRY_SCOPE]
2396 [--exclude-
2397 entry-scope EXCLUDE_ENTRY_SCOPE]
2398 [--container-
2399 scope CONTAINER_SCOPE]
2400 [--log-file
2401 LOG_FILE]
2402 [--config-entry
2403 CONFIG_ENTRY]
2404 --update-delay UPDATE_DELAY
2408 Sets the update interval. Special values: 0 - The check is per‐
2409 formed immediately, -1 - No check is performed
2410 (referint-update-delay)
2411 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2414 Specifies attributes to check for and update (referint-member‐
2415 ship-attr)
2416 --entry-scope ENTRY_SCOPE
2419 Defines the subtree in which the plug-in looks for the delete or
2420 rename operations of a user entry (nsslapd-pluginEntryScope)
2421 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2424 Defines the subtree in which the plug-in ignores any operations
2425 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2426 tryScope)
2427 --container-scope CONTAINER_SCOPE
2430 Specifies which branch the plug-in searches for the groups to
2431 which the user belongs. It only updates groups that are under
2432 the specified container branch, and leaves all other groups not
2433 updated (nsslapd-pluginContainerScope)
2434 --log-file LOG_FILE
2437 Specifies a path to the Referential integrity logfile.For exam‐
2438 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2439 --config-entry CONFIG_ENTRY
2442 The value to set as nsslapd-pluginConfigArea
2443
2446 usage: dsconf instance plugin referential-integrity config-entry
2447 [-h] {add,set,show,delete} ...
2448 Sub-commands
2451 dsconf plugin referential-integrity config-entry add
2452 Add the config entry
2453 dsconf plugin referential-integrity config-entry set
2455 Edit the config entry
2456 dsconf plugin referential-integrity config-entry show
2458 Display the config entry
2459 dsconf plugin referential-integrity config-entry delete
2461 Delete the config entry
2462
2464 usage: dsconf instance plugin referential-integrity config-entry add
2465 [-h] [--update-delay UPDATE_DELAY]
2466 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2467 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope
2468 EXCLUDE_ENTRY_SCOPE]
2469 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2470 DN
2471 DN The config entry full DN
2474 --update-delay UPDATE_DELAY
2477 Sets the update interval. Special values: 0 - The check is per‐
2478 formed immediately, -1 - No check is performed
2479 (referint-update-delay)
2480 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2483 Specifies attributes to check for and update (referint-member‐
2484 ship-attr)
2485 --entry-scope ENTRY_SCOPE
2488 Defines the subtree in which the plug-in looks for the delete or
2489 rename operations of a user entry (nsslapd-pluginEntryScope)
2490 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2493 Defines the subtree in which the plug-in ignores any operations
2494 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2495 tryScope)
2496 --container-scope CONTAINER_SCOPE
2499 Specifies which branch the plug-in searches for the groups to
2500 which the user belongs. It only updates groups that are under
2501 the specified container branch, and leaves all other groups not
2502 updated (nsslapd-pluginContainerScope)
2503 --log-file LOG_FILE
2506 Specifies a path to the Referential integrity logfile.For exam‐
2507 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2508
2511 usage: dsconf instance plugin referential-integrity config-entry set
2512 [-h] [--update-delay UPDATE_DELAY]
2513 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2514 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope
2515 EXCLUDE_ENTRY_SCOPE]
2516 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2517 DN
2518 DN The config entry full DN
2521 --update-delay UPDATE_DELAY
2524 Sets the update interval. Special values: 0 - The check is per‐
2525 formed immediately, -1 - No check is performed
2526 (referint-update-delay)
2527 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2530 Specifies attributes to check for and update (referint-member‐
2531 ship-attr)
2532 --entry-scope ENTRY_SCOPE
2535 Defines the subtree in which the plug-in looks for the delete or
2536 rename operations of a user entry (nsslapd-pluginEntryScope)
2537 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2540 Defines the subtree in which the plug-in ignores any operations
2541 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2542 tryScope)
2543 --container-scope CONTAINER_SCOPE
2546 Specifies which branch the plug-in searches for the groups to
2547 which the user belongs. It only updates groups that are under
2548 the specified container branch, and leaves all other groups not
2549 updated (nsslapd-pluginContainerScope)
2550 --log-file LOG_FILE
2553 Specifies a path to the Referential integrity logfile.For exam‐
2554 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2555
2558 usage: dsconf instance plugin referential-integrity config-entry show
2559 [-h] DN
2560 DN The config entry full DN
2563
2567 usage: dsconf instance plugin referential-integrity config-entry delete
2568 [-h] DN
2569 DN The config entry full DN
2572
2578 usage: dsconf instance plugin root-dn [-h]
2579 {show,enable,disable,status,set}
2580 ...
2581 Sub-commands
2584 dsconf plugin root-dn show
2585 display plugin configuration
2586 dsconf plugin root-dn enable
2588 enable plugin
2589 dsconf plugin root-dn disable
2591 disable plugin
2592 dsconf plugin root-dn status
2594 display plugin status
2595 dsconf plugin root-dn set
2597 Edit the plugin
2598
2600 usage: dsconf instance plugin root-dn show [-h]
2601
2606 usage: dsconf instance plugin root-dn enable [-h]
2607
2612 usage: dsconf instance plugin root-dn disable [-h]
2613
2618 usage: dsconf instance plugin root-dn status [-h]
2619
2624 usage: dsconf instance plugin root-dn set [-h]
2625 [--allow-host ALLOW_HOST
2626 [ALLOW_HOST ...]]
2627 [--deny-host DENY_HOST
2628 [DENY_HOST ...]]
2629 [--allow-ip ALLOW_IP
2630 [ALLOW_IP ...]]
2631 [--deny-ip DENY_IP [DENY_IP
2632 ...]]
2633 [--open-time OPEN_TIME]
2634 [--close-time CLOSE_TIME]
2635 [--days-allowed DAYS_ALLOWED]
2636 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2640 Sets what hosts, by fully-qualified domain name, the root user
2641 is allowed to use to access the Directory Server. Any hosts not
2642 listed are implicitly denied (rootdn-allow-host)
2643 --deny-host DENY_HOST [DENY_HOST ...]
2646 Sets what hosts, by fully-qualified domain name, the root user
2647 is not allowed to use to access the Directory Server Any hosts
2648 not listed are implicitly allowed (rootdn-deny-host). If an host
2649 address is listed in both the rootdn- allow-host and
2650 rootdn-deny-host attributes, it is denied access.
2651 --allow-ip ALLOW_IP [ALLOW_IP ...]
2654 Sets what IP addresses, either IPv4 or IPv6, for machines the
2655 root user is allowed to use to access the Directory Server Any
2656 IP addresses not listed are implicitly denied (rootdn-allow-ip)
2657 --deny-ip DENY_IP [DENY_IP ...]
2660 Sets what IP addresses, either IPv4 or IPv6, for machines the
2661 root user is not allowed to use to access the Directory Server.
2662 Any IP addresses not listed are implicitly allowed
2663 (rootdn-deny-ip) If an IP address is listed in both the
2664 rootdn-allow-ip and rootdn-deny-ip attributes, it is denied
2665 access.
2666 --open-time OPEN_TIME
2669 Sets part of a time period or range when the root user is
2670 allowed to access the Directory Server. This sets when the
2671 time-based access begins (rootdn- open-time)
2672 --close-time CLOSE_TIME
2675 Sets part of a time period or range when the root user is
2676 allowed to access the Directory Server. This sets when the
2677 time-based access ends (rootdn-close- time)
2678 --days-allowed DAYS_ALLOWED
2681 Gives a comma-separated list of what days the root user is
2682 allowed to use to access the Directory Server. Any days listed
2683 are implicitly denied (rootdn- days-allowed)
2684
2688 usage: dsconf instance plugin usn [-h]
2689 {show,enable,disable,sta‐
2690 tus,global,cleanup}
2691 ...
2692 Sub-commands
2695 dsconf plugin usn show
2696 display plugin configuration
2697 dsconf plugin usn enable
2699 enable plugin
2700 dsconf plugin usn disable
2702 disable plugin
2703 dsconf plugin usn status
2705 display plugin status
2706 dsconf plugin usn global
2708 Get or manage global usn mode (nsslapd-entryusn-global)
2709 dsconf plugin usn cleanup
2711 Run the USN tombstone cleanup task
2712
2714 usage: dsconf instance plugin usn show [-h]
2715
2720 usage: dsconf instance plugin usn enable [-h]
2721
2726 usage: dsconf instance plugin usn disable [-h]
2727
2732 usage: dsconf instance plugin usn status [-h]
2733
2738 usage: dsconf instance plugin usn global [-h] {on,off} ...
2739 Sub-commands
2742 dsconf plugin usn global on
2743 Enable usn global mode
2744 dsconf plugin usn global off
2746 Disable usn global mode
2747
2749 usage: dsconf instance plugin usn global on [-h]
2750
2755 usage: dsconf instance plugin usn global off [-h]
2756
2762 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2763 [-m MAX_USN]
2764 -s SUFFIX, --suffix SUFFIX
2768 Gives the suffix or subtree in the Directory Server to run the
2769 cleanup operation against. If the suffix is not specified, then
2770 the back end must be given (suffix)
2771 -n BACKEND, --backend BACKEND
2774 Gives the Directory Server instance back end, or database, to
2775 run the cleanup operation against. If the back end is not speci‐
2776 fied, then the suffix must be specified. Backend instance in
2777 which USN tombstone entries (backend)
2778 -m MAX_USN, --max-usn MAX_USN
2781 Gives the highest USN value to delete when removing tombstone
2782 entries (max_usn_to_delete)
2783
2787 usage: dsconf instance plugin account-policy [-h]
2788 {show,enable,disable,sta‐
2789 tus,set,config-entry}
2790 ...
2791 Sub-commands
2794 dsconf plugin account-policy show
2795 display plugin configuration
2796 dsconf plugin account-policy enable
2798 enable plugin
2799 dsconf plugin account-policy disable
2801 disable plugin
2802 dsconf plugin account-policy status
2804 display plugin status
2805 dsconf plugin account-policy set
2807 Edit the plugin
2808 dsconf plugin account-policy config-entry
2810 Manage the config entry
2811
2813 usage: dsconf instance plugin account-policy show [-h]
2814
2819 usage: dsconf instance plugin account-policy enable [-h]
2820
2825 usage: dsconf instance plugin account-policy disable [-h]
2826
2831 usage: dsconf instance plugin account-policy status [-h]
2832
2837 usage: dsconf instance plugin account-policy set [-h]
2838 [--config-entry CON‐
2839 FIG_ENTRY]
2840 --config-entry CONFIG_ENTRY
2844 The value to set as nsslapd-pluginConfigArea
2845
2848 usage: dsconf instance plugin account-policy config-entry [-h]
2849 {add,set,show,delete}
2850 ...
2851 Sub-commands
2854 dsconf plugin account-policy config-entry add
2855 Add the config entry
2856 dsconf plugin account-policy config-entry set
2858 Edit the config entry
2859 dsconf plugin account-policy config-entry show
2861 Display the config entry
2862 dsconf plugin account-policy config-entry delete
2864 Delete the config entry
2865
2867 usage: dsconf instance plugin account-policy config-entry add
2868 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2869 ALT_STATE_ATTR]
2870 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2871 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2872 [--state-attr STATE_ATTR]
2873 DN
2874 DN The config entry full DN
2877 --always-record-login {yes,no}
2880 Sets that every entry records its last login time (alwaysRecord‐
2881 Login)
2882 --alt-state-attr ALT_STATE_ATTR
2885 Provides a backup attribute for the server to reference to eval‐
2886 uate the expiration time (altStateAttrName)
2887 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2890 Specifies the attribute to store the time of the last successful
2891 login in this attribute in the users directory entry
2892 (alwaysRecordLoginAttr)
2893 --limit-attr LIMIT_ATTR
2896 Specifies the attribute within the policy to use for the account
2897 inactivation limit (limitAttrName)
2898 --spec-attr SPEC_ATTR
2901 Specifies the attribute to identify which entries are account
2902 policy configuration entries (specAttrName)
2903 --state-attr STATE_ATTR
2906 Specifies the primary time attribute used to evaluate an account
2907 policy (stateAttrName)
2908
2911 usage: dsconf instance plugin account-policy config-entry set
2912 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2913 ALT_STATE_ATTR]
2914 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2915 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2916 [--state-attr STATE_ATTR]
2917 DN
2918 DN The config entry full DN
2921 --always-record-login {yes,no}
2924 Sets that every entry records its last login time (alwaysRecord‐
2925 Login)
2926 --alt-state-attr ALT_STATE_ATTR
2929 Provides a backup attribute for the server to reference to eval‐
2930 uate the expiration time (altStateAttrName)
2931 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2934 Specifies the attribute to store the time of the last successful
2935 login in this attribute in the users directory entry
2936 (alwaysRecordLoginAttr)
2937 --limit-attr LIMIT_ATTR
2940 Specifies the attribute within the policy to use for the account
2941 inactivation limit (limitAttrName)
2942 --spec-attr SPEC_ATTR
2945 Specifies the attribute to identify which entries are account
2946 policy configuration entries (specAttrName)
2947 --state-attr STATE_ATTR
2950 Specifies the primary time attribute used to evaluate an account
2951 policy (stateAttrName)
2952
2955 usage: dsconf instance plugin account-policy config-entry show [-h] DN
2956 DN The config entry full DN
2959
2963 usage: dsconf instance plugin account-policy config-entry delete [-h]
2964 DN
2965 DN The config entry full DN
2968
2974 usage: dsconf instance plugin attr-uniq [-h]
2975 {list,add,set,show,delete,enable,dis‐
2976 able,status}
2977 ...
2978 Sub-commands
2981 dsconf plugin attr-uniq list
2982 List available plugin configs
2983 dsconf plugin attr-uniq add
2985 Add the config entry
2986 dsconf plugin attr-uniq set
2988 Edit the config entry
2989 dsconf plugin attr-uniq show
2991 Display the config entry
2992 dsconf plugin attr-uniq delete
2994 Delete the config entry
2995 dsconf plugin attr-uniq enable
2997 enable plugin
2998 dsconf plugin attr-uniq disable
3000 disable plugin
3001 dsconf plugin attr-uniq status
3003 display plugin status
3004
3006 usage: dsconf instance plugin attr-uniq list [-h]
3007
3012 usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
3013 [--attr-name ATTR_NAME
3014 [ATTR_NAME ...]]
3015 [--subtree SUBTREE [SUBTREE
3016 ...]]
3017 [--across-all-subtrees
3018 {on,off}]
3019 [--top-entry-oc
3020 TOP_ENTRY_OC]
3021 [--subtree-entries-oc SUB‐
3022 TREE_ENTRIES_OC]
3023 NAME
3024 NAME Sets the name of the plug-in configuration record. (cn) You can
3027 use any string, but "attribute_name Attribute Uniqueness" is
3028 recommended.
3029 --enabled {on,off}
3032 Identifies whether or not the config is enabled.
3033 --attr-name ATTR_NAME [ATTR_NAME ...]
3036 Sets the name of the attribute whose values must be unique. This
3037 attribute is multi-valued. (uniqueness-attribute-name)
3038 --subtree SUBTREE [SUBTREE ...]
3041 Sets the DN under which the plug-in checks for uniqueness of the
3042 attributes value. This attribute is multi-valued (unique‐
3043 ness-subtrees)
3044 --across-all-subtrees {on,off}
3047 If enabled (on), the plug-in checks that the attribute is unique
3048 across all subtrees set. If you set the attribute to off,
3049 uniqueness is only enforced within the subtree of the updated
3050 entry (uniqueness-across-all-subtrees)
3051 --top-entry-oc TOP_ENTRY_OC
3054 Verifies that the value of the attribute set in unique‐
3055 ness-attribute-name is unique in this subtree (unique‐
3056 ness-top-entry-oc)
3057 --subtree-entries-oc SUBTREE_ENTRIES_OC
3060 Verifies if an attribute is unique, if the entry contains the
3061 object class set in this parameter (uniqueness-sub‐
3062 tree-entries-oc)
3063
3066 usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
3067 [--attr-name ATTR_NAME
3068 [ATTR_NAME ...]]
3069 [--subtree SUBTREE [SUBTREE
3070 ...]]
3071 [--across-all-subtrees
3072 {on,off}]
3073 [--top-entry-oc
3074 TOP_ENTRY_OC]
3075 [--subtree-entries-oc SUB‐
3076 TREE_ENTRIES_OC]
3077 NAME
3078 NAME Sets the name of the plug-in configuration record. (cn) You can
3081 use any string, but "attribute_name Attribute Uniqueness" is
3082 recommended.
3083 --enabled {on,off}
3086 Identifies whether or not the config is enabled.
3087 --attr-name ATTR_NAME [ATTR_NAME ...]
3090 Sets the name of the attribute whose values must be unique. This
3091 attribute is multi-valued. (uniqueness-attribute-name)
3092 --subtree SUBTREE [SUBTREE ...]
3095 Sets the DN under which the plug-in checks for uniqueness of the
3096 attributes value. This attribute is multi-valued (unique‐
3097 ness-subtrees)
3098 --across-all-subtrees {on,off}
3101 If enabled (on), the plug-in checks that the attribute is unique
3102 across all subtrees set. If you set the attribute to off,
3103 uniqueness is only enforced within the subtree of the updated
3104 entry (uniqueness-across-all-subtrees)
3105 --top-entry-oc TOP_ENTRY_OC
3108 Verifies that the value of the attribute set in unique‐
3109 ness-attribute-name is unique in this subtree (unique‐
3110 ness-top-entry-oc)
3111 --subtree-entries-oc SUBTREE_ENTRIES_OC
3114 Verifies if an attribute is unique, if the entry contains the
3115 object class set in this parameter (uniqueness-sub‐
3116 tree-entries-oc)
3117
3120 usage: dsconf instance plugin attr-uniq show [-h] NAME
3121 NAME The name of the plug-in configuration record
3124
3128 usage: dsconf instance plugin attr-uniq delete [-h] NAME
3129 NAME Sets the name of the plug-in configuration record
3132
3136 usage: dsconf instance plugin attr-uniq enable [-h] NAME
3137 NAME Sets the name of the plug-in configuration record
3140
3144 usage: dsconf instance plugin attr-uniq disable [-h] NAME
3145 NAME Sets the name of the plug-in configuration record
3148
3152 usage: dsconf instance plugin attr-uniq status [-h] NAME
3153 NAME Sets the name of the plug-in configuration record
3156
3161 usage: dsconf instance plugin dna [-h]
3162 {show,enable,disable,status,list,con‐
3163 fig} ...
3164 Sub-commands
3167 dsconf plugin dna show
3168 display plugin configuration
3169 dsconf plugin dna enable
3171 enable plugin
3172 dsconf plugin dna disable
3174 disable plugin
3175 dsconf plugin dna status
3177 display plugin status
3178 dsconf plugin dna list
3180 List available plugin configs
3181 dsconf plugin dna config
3183 Manage plugin configs
3184
3186 usage: dsconf instance plugin dna show [-h]
3187
3192 usage: dsconf instance plugin dna enable [-h]
3193
3198 usage: dsconf instance plugin dna disable [-h]
3199
3204 usage: dsconf instance plugin dna status [-h]
3205
3210 usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
3211 ...
3212 Sub-commands
3215 dsconf plugin dna list configs
3216 List main DNA plugin config entries
3217 dsconf plugin dna list shared-configs
3219 List DNA plugin shared config entries
3220
3222 usage: dsconf instance plugin dna list configs [-h]
3223
3228 usage: dsconf instance plugin dna list shared-configs [-h] BASEDN
3229 BASEDN The search DN
3232
3237 usage: dsconf instance plugin dna config [-h]
3238 NAME
3239 {add,set,show,delete,shared-
3240 config-entry}
3241 ...
3242 NAME The DNA configuration name
3245 Sub-commands
3248 dsconf plugin dna config add
3249 Add the config entry
3250 dsconf plugin dna config set
3252 Edit the config entry
3253 dsconf plugin dna config show
3255 Display the config entry
3256 dsconf plugin dna config delete
3258 Delete the config entry
3259 dsconf plugin dna config shared-config-entry
3261 Manage the shared config entry
3262
3264 usage: dsconf instance plugin dna config NAME add [-h]
3265 [--type TYPE [TYPE
3266 ...]]
3267 [--prefix PREFIX]
3268 [--next-value
3269 NEXT_VALUE]
3270 [--max-value
3271 MAX_VALUE]
3272 [--interval INTERVAL]
3273 [--magic-regen
3274 MAGIC_REGEN]
3275 [--filter FILTER]
3276 [--scope SCOPE]
3277 [--remote-bind-dn
3278 REMOTE_BIND_DN]
3279 [--remote-bind-cred
3280 REMOTE_BIND_CRED]
3281 [--shared-config-
3282 entry SHARED_CONFIG_ENTRY]
3283 [--threshold THRESH‐
3284 OLD]
3285 [--next-range
3286 NEXT_RANGE]
3287 [--range-request-
3288 timeout RANGE_REQUEST_TIMEOUT]
3289 --type TYPE [TYPE ...]
3293 Sets which attributes have unique numbers being generated for
3294 them (dnaType)
3295 --prefix PREFIX
3298 Defines a prefix that can be prepended to the generated number
3299 values for the attribute (dnaPrefix)
3300 --next-value NEXT_VALUE
3303 Gives the next available number which can be assigned
3304 (dnaNextValue)
3305 --max-value MAX_VALUE
3308 Sets the maximum value that can be assigned for the range (dna‐
3309 MaxValue)
3310 --interval INTERVAL
3313 Sets an interval to use to increment through numbers in a range
3314 (dnaInterval)
3315 --magic-regen MAGIC_REGEN
3318 Sets a user-defined value that instructs the plug-in to assign a
3319 new value for the entry (dnaMagicRegen)
3320 --filter FILTER
3323 Sets an LDAP filter to use to search for and identify the
3324 entries to which to apply the distributed numeric assignment
3325 range (dnaFilter)
3326 --scope SCOPE
3329 Sets the base DN to search for entries to which to apply the
3330 distributed numeric assignment (dnaScope)
3331 --remote-bind-dn REMOTE_BIND_DN
3334 Specifies the Replication Manager DN (dnaRemoteBindDN)
3335 --remote-bind-cred REMOTE_BIND_CRED
3338 Specifies the Replication Manager's password (dnaRemoteBindCred)
3339 --shared-config-entry SHARED_CONFIG_ENTRY
3342 Defines a shared identity that the servers can use to transfer
3343 ranges to one another (dnaSharedCfgDN)
3344 --threshold THRESHOLD
3347 Sets a threshold of remaining available numbers in the range.
3348 When the server hits the threshold, it sends a request for a new
3349 range (dnaThreshold)
3350 --next-range NEXT_RANGE
3353 Defines the next range to use when the current range is
3354 exhausted (dnaNextRange)
3355 --range-request-timeout RANGE_REQUEST_TIMEOUT
3358 sets a timeout period, in seconds, for range requests so that
3359 the server does not stall waiting on a new range from one server
3360 and can request a range from a new server (dnaRangeRequestTime‐
3361 out)
3362
3365 usage: dsconf instance plugin dna config NAME set [-h]
3366 [--type TYPE [TYPE
3367 ...]]
3368 [--prefix PREFIX]
3369 [--next-value
3370 NEXT_VALUE]
3371 [--max-value
3372 MAX_VALUE]
3373 [--interval INTERVAL]
3374 [--magic-regen
3375 MAGIC_REGEN]
3376 [--filter FILTER]
3377 [--scope SCOPE]
3378 [--remote-bind-dn
3379 REMOTE_BIND_DN]
3380 [--remote-bind-cred
3381 REMOTE_BIND_CRED]
3382 [--shared-config-
3383 entry SHARED_CONFIG_ENTRY]
3384 [--threshold THRESH‐
3385 OLD]
3386 [--next-range
3387 NEXT_RANGE]
3388 [--range-request-
3389 timeout RANGE_REQUEST_TIMEOUT]
3390 --type TYPE [TYPE ...]
3394 Sets which attributes have unique numbers being generated for
3395 them (dnaType)
3396 --prefix PREFIX
3399 Defines a prefix that can be prepended to the generated number
3400 values for the attribute (dnaPrefix)
3401 --next-value NEXT_VALUE
3404 Gives the next available number which can be assigned
3405 (dnaNextValue)
3406 --max-value MAX_VALUE
3409 Sets the maximum value that can be assigned for the range (dna‐
3410 MaxValue)
3411 --interval INTERVAL
3414 Sets an interval to use to increment through numbers in a range
3415 (dnaInterval)
3416 --magic-regen MAGIC_REGEN
3419 Sets a user-defined value that instructs the plug-in to assign a
3420 new value for the entry (dnaMagicRegen)
3421 --filter FILTER
3424 Sets an LDAP filter to use to search for and identify the
3425 entries to which to apply the distributed numeric assignment
3426 range (dnaFilter)
3427 --scope SCOPE
3430 Sets the base DN to search for entries to which to apply the
3431 distributed numeric assignment (dnaScope)
3432 --remote-bind-dn REMOTE_BIND_DN
3435 Specifies the Replication Manager DN (dnaRemoteBindDN)
3436 --remote-bind-cred REMOTE_BIND_CRED
3439 Specifies the Replication Manager's password (dnaRemoteBindCred)
3440 --shared-config-entry SHARED_CONFIG_ENTRY
3443 Defines a shared identity that the servers can use to transfer
3444 ranges to one another (dnaSharedCfgDN)
3445 --threshold THRESHOLD
3448 Sets a threshold of remaining available numbers in the range.
3449 When the server hits the threshold, it sends a request for a new
3450 range (dnaThreshold)
3451 --next-range NEXT_RANGE
3454 Defines the next range to use when the current range is
3455 exhausted (dnaNextRange)
3456 --range-request-timeout RANGE_REQUEST_TIMEOUT
3459 sets a timeout period, in seconds, for range requests so that
3460 the server does not stall waiting on a new range from one server
3461 and can request a range from a new server (dnaRangeRequestTime‐
3462 out)
3463
3466 usage: dsconf instance plugin dna config NAME show [-h]
3467
3472 usage: dsconf instance plugin dna config NAME delete [-h]
3473
3478 usage: dsconf instance plugin dna config NAME shared-config-entry
3479 [-h] HOSTNAME PORT {add,set,show,delete} ...
3480 HOSTNAME
3483 Identifies the host name of a server in a shared range, as part
3484 of the DNA range configuration for that specific host in
3485 multi-master replication (dnaHostname)
3486 PORT Gives the standard port number to use to connect to the host
3489 identified in dnaHostname (dnaPortNum)
3490 Sub-commands
3493 dsconf plugin dna config shared-config-entry add
3494 Add the shared config entry
3495 dsconf plugin dna config shared-config-entry set
3497 Edit the shared config entry
3498 dsconf plugin dna config shared-config-entry show
3500 Display the shared config entry
3501 dsconf plugin dna config shared-config-entry delete
3503 Delete the shared config entry
3504
3506 usage: dsconf instance plugin dna config NAME shared-config-entry HOST‐
3507 NAME PORT add
3508 [-h] [--secure-port SECURE_PORT]
3509 [--remote-bind-method REMOTE_BIND_METHOD]
3510 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3511 [--remaining-values REMAINING_VALUES]
3512 --secure-port SECURE_PORT
3516 Gives the secure (TLS) port number to use to connect to the host
3517 identified in dnaHostname (dnaSecurePortNum)
3518 --remote-bind-method REMOTE_BIND_METHOD
3521 Specifies the remote bind method (dnaRemoteBindMethod)
3522 --remote-conn-protocol REMOTE_CONN_PROTOCOL
3525 Specifies the remote connection protocol (dnaRemoteConnProtocol)
3526 --remaining-values REMAINING_VALUES
3529 Contains the number of values that are remaining and available
3530 to a server to assign to entries (dnaRemainingValues)
3531
3534 usage: dsconf instance plugin dna config NAME shared-config-entry HOST‐
3535 NAME PORT set
3536 [-h] [--secure-port SECURE_PORT]
3537 [--remote-bind-method REMOTE_BIND_METHOD]
3538 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3539 [--remaining-values REMAINING_VALUES]
3540 --secure-port SECURE_PORT
3544 Gives the secure (TLS) port number to use to connect to the host
3545 identified in dnaHostname (dnaSecurePortNum)
3546 --remote-bind-method REMOTE_BIND_METHOD
3549 Specifies the remote bind method (dnaRemoteBindMethod)
3550 --remote-conn-protocol REMOTE_CONN_PROTOCOL
3553 Specifies the remote connection protocol (dnaRemoteConnProtocol)
3554 --remaining-values REMAINING_VALUES
3557 Contains the number of values that are remaining and available
3558 to a server to assign to entries (dnaRemainingValues)
3559
3562 usage: dsconf instance plugin dna config NAME shared-config-entry HOST‐
3563 NAME PORT show
3564 [-h]
3565
3570 usage: dsconf instance plugin dna config NAME shared-config-entry HOST‐
3571 NAME PORT delete
3572 [-h]
3573
3581 usage: dsconf instance plugin linked-attr [-h]
3582 {show,enable,disable,sta‐
3583 tus,fixup,list,config}
3584 ...
3585 Sub-commands
3588 dsconf plugin linked-attr show
3589 display plugin configuration
3590 dsconf plugin linked-attr enable
3592 enable plugin
3593 dsconf plugin linked-attr disable
3595 disable plugin
3596 dsconf plugin linked-attr status
3598 display plugin status
3599 dsconf plugin linked-attr fixup
3601 Run the fix-up task for linked attributes plugin
3602 dsconf plugin linked-attr list
3604 List available plugin configs
3605 dsconf plugin linked-attr config
3607 Manage plugin configs
3608
3610 usage: dsconf instance plugin linked-attr show [-h]
3611
3616 usage: dsconf instance plugin linked-attr enable [-h]
3617
3622 usage: dsconf instance plugin linked-attr disable [-h]
3623
3628 usage: dsconf instance plugin linked-attr status [-h]
3629
3634 usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
3635 -l LINKDN, --linkdn LINKDN
3639 Base DN that contains entries to fix up
3640
3643 usage: dsconf instance plugin linked-attr list [-h]
3644
3649 usage: dsconf instance plugin linked-attr config [-h]
3650 NAME
3651 {add,set,show,delete}
3652 ...
3653 NAME The Linked Attributes configuration name
3656 Sub-commands
3659 dsconf plugin linked-attr config add
3660 Add the config entry
3661 dsconf plugin linked-attr config set
3663 Edit the config entry
3664 dsconf plugin linked-attr config show
3666 Display the config entry
3667 dsconf plugin linked-attr config delete
3669 Delete the config entry
3670
3672 usage: dsconf instance plugin linked-attr config NAME add [-h]
3673 [--link-type
3674 LINK_TYPE]
3675 [--managed-
3676 type MANAGED_TYPE]
3677 [--link-scope
3678 LINK_SCOPE]
3679 --link-type LINK_TYPE
3683 Sets the attribute that is managed manually by administrators
3684 (linkType)
3685 --managed-type MANAGED_TYPE
3688 Sets the attribute that is created dynamically by the plugin
3689 (managedType)
3690 --link-scope LINK_SCOPE
3693 Sets the scope that restricts the plugin to a specific part of
3694 the directory tree (linkScope)
3695
3698 usage: dsconf instance plugin linked-attr config NAME set [-h]
3699 [--link-type
3700 LINK_TYPE]
3701 [--managed-
3702 type MANAGED_TYPE]
3703 [--link-scope
3704 LINK_SCOPE]
3705 --link-type LINK_TYPE
3709 Sets the attribute that is managed manually by administrators
3710 (linkType)
3711 --managed-type MANAGED_TYPE
3714 Sets the attribute that is created dynamically by the plugin
3715 (managedType)
3716 --link-scope LINK_SCOPE
3719 Sets the scope that restricts the plugin to a specific part of
3720 the directory tree (linkScope)
3721
3724 usage: dsconf instance plugin linked-attr config NAME show [-h]
3725
3730 usage: dsconf instance plugin linked-attr config NAME delete [-h]
3731
3738 usage: dsconf instance plugin managed-entries [-h]
3739 {show,enable,disable,sta‐
3740 tus,set,list,config,template}
3741 ...
3742 Sub-commands
3745 dsconf plugin managed-entries show
3746 display plugin configuration
3747 dsconf plugin managed-entries enable
3749 enable plugin
3750 dsconf plugin managed-entries disable
3752 disable plugin
3753 dsconf plugin managed-entries status
3755 display plugin status
3756 dsconf plugin managed-entries set
3758 Edit the plugin
3759 dsconf plugin managed-entries list
3761 List Managed Entries Plugin configs and templates
3762 dsconf plugin managed-entries config
3764 Handle Managed Entries Plugin configs
3765 dsconf plugin managed-entries template
3767 Handle Managed Entries Plugin templates
3768
3770 usage: dsconf instance plugin managed-entries show [-h]
3771
3776 usage: dsconf instance plugin managed-entries enable [-h]
3777
3782 usage: dsconf instance plugin managed-entries disable [-h]
3783
3788 usage: dsconf instance plugin managed-entries status [-h]
3789
3794 usage: dsconf instance plugin managed-entries set [-h]
3795 [--config-area CON‐
3796 FIG_AREA]
3797 --config-area CONFIG_AREA
3801 The value to set as nsslapd-pluginConfigArea
3802
3805 usage: dsconf instance plugin managed-entries list [-h]
3806 {configs,templates}
3807 ...
3808 Sub-commands
3811 dsconf plugin managed-entries list configs
3812 List Managed Entries Plugin configs (list config-area if speci‐
3813 fied in the main plugin entry)
3814 dsconf plugin managed-entries list templates
3816 List Managed Entries Plugin templates in the directory
3817
3819 usage: dsconf instance plugin managed-entries list configs [-h]
3820
3825 usage: dsconf instance plugin managed-entries list templates [-h]
3826 BASEDN
3827 BASEDN The base DN where to search the templates.
3830
3835 usage: dsconf instance plugin managed-entries config [-h]
3836 NAME
3837 {add,set,show,delete}
3838 ...
3839 NAME The config entry CN.
3842 Sub-commands
3845 dsconf plugin managed-entries config add
3846 Add the config entry
3847 dsconf plugin managed-entries config set
3849 Edit the config entry
3850 dsconf plugin managed-entries config show
3852 Display the config entry
3853 dsconf plugin managed-entries config delete
3855 Delete the config entry
3856
3858 usage: dsconf instance plugin managed-entries config NAME add
3859 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3860 AGED_BASE]
3861 [--managed-template MANAGED_TEMPLATE]
3862 --scope SCOPE
3866 Sets the scope of the search to use to see which entries the
3867 plug-in monitors (originScope)
3868 --filter FILTER
3871 Sets the search filter to use to search for and identify the
3872 entries within the subtree which require a managed entry (orig‐
3873 inFilter)
3874 --managed-base MANAGED_BASE
3877 Sets the subtree under which to create the managed entries (man‐
3878 agedBase)
3879 --managed-template MANAGED_TEMPLATE
3882 Identifies the template entry to use to create the managed entry
3883 (managedTemplate)
3884
3887 usage: dsconf instance plugin managed-entries config NAME set
3888 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3889 AGED_BASE]
3890 [--managed-template MANAGED_TEMPLATE]
3891 --scope SCOPE
3895 Sets the scope of the search to use to see which entries the
3896 plug-in monitors (originScope)
3897 --filter FILTER
3900 Sets the search filter to use to search for and identify the
3901 entries within the subtree which require a managed entry (orig‐
3902 inFilter)
3903 --managed-base MANAGED_BASE
3906 Sets the subtree under which to create the managed entries (man‐
3907 agedBase)
3908 --managed-template MANAGED_TEMPLATE
3911 Identifies the template entry to use to create the managed entry
3912 (managedTemplate)
3913
3916 usage: dsconf instance plugin managed-entries config NAME show [-h]
3917
3922 usage: dsconf instance plugin managed-entries config NAME delete [-h]
3923
3929 usage: dsconf instance plugin managed-entries template [-h]
3930 DN
3931 {add,set,show,delete}
3932 ...
3933 DN The template entry DN.
3936 Sub-commands
3939 dsconf plugin managed-entries template add
3940 Add the template entry
3941 dsconf plugin managed-entries template set
3943 Edit the template entry
3944 dsconf plugin managed-entries template show
3946 Display the template entry
3947 dsconf plugin managed-entries template delete
3949 Delete the template entry
3950
3952 usage: dsconf instance plugin managed-entries template DN add
3953 [-h] [--rdn-attr RDN_ATTR] [--static-attr STATIC_ATTR]
3954 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
3955 --rdn-attr RDN_ATTR
3959 Sets which attribute to use as the naming attribute in the auto‐
3960 matically- generated entry (mepRDNAttr)
3961 --static-attr STATIC_ATTR
3964 Sets an attribute with a defined value that must be added to the
3965 automatically-generated entry (mepStaticAttr)
3966 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
3969 Sets attributes in the Managed Entries template entry which must
3970 exist in the generated entry (mepMappedAttr)
3971
3974 usage: dsconf instance plugin managed-entries template DN set
3975 [-h] [--rdn-attr RDN_ATTR] [--static-attr STATIC_ATTR]
3976 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
3977 --rdn-attr RDN_ATTR
3981 Sets which attribute to use as the naming attribute in the auto‐
3982 matically- generated entry (mepRDNAttr)
3983 --static-attr STATIC_ATTR
3986 Sets an attribute with a defined value that must be added to the
3987 automatically-generated entry (mepStaticAttr)
3988 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
3991 Sets attributes in the Managed Entries template entry which must
3992 exist in the generated entry (mepMappedAttr)
3993
3996 usage: dsconf instance plugin managed-entries template DN show [-h]
3997
4002 usage: dsconf instance plugin managed-entries template DN delete [-h]
4003
4010 usage: dsconf instance plugin pass-through-auth [-h]
4011 {show,enable,dis‐
4012 able,status,list,url,pam-config}
4013 ...
4014 Sub-commands
4017 dsconf plugin pass-through-auth show
4018 display plugin configuration
4019 dsconf plugin pass-through-auth enable
4021 enable plugin
4022 dsconf plugin pass-through-auth disable
4024 disable plugin
4025 dsconf plugin pass-through-auth status
4027 display plugin status
4028 dsconf plugin pass-through-auth list
4030 List pass-though plugin URLs or PAM configurations.
4031 dsconf plugin pass-through-auth url
4033 Manage PTA URL configurations.
4034 dsconf plugin pass-through-auth pam-config
4036 Manage PAM PTA configurations.
4037
4039 usage: dsconf instance plugin pass-through-auth show [-h]
4040
4045 usage: dsconf instance plugin pass-through-auth enable [-h]
4046
4051 usage: dsconf instance plugin pass-through-auth disable [-h]
4052
4057 usage: dsconf instance plugin pass-through-auth status [-h]
4058
4063 usage: dsconf instance plugin pass-through-auth list [-h]
4064 {urls,pam-configs}
4065 ...
4066 Sub-commands
4069 dsconf plugin pass-through-auth list urls
4070 List URLs.
4071 dsconf plugin pass-through-auth list pam-configs
4073 List PAM configurations.
4074
4076 usage: dsconf instance plugin pass-through-auth list urls [-h]
4077
4082 usage: dsconf instance plugin pass-through-auth list pam-configs [-h]
4083
4089 usage: dsconf instance plugin pass-through-auth url [-h]
4090 {add,modify,delete}
4091 ...
4092 Sub-commands
4095 dsconf plugin pass-through-auth url add
4096 Add the config entry
4097 dsconf plugin pass-through-auth url modify
4099 Edit the config entry
4100 dsconf plugin pass-through-auth url delete
4102 Delete the config entry
4103
4105 usage: dsconf instance plugin pass-through-auth url add [-h] URL
4106 URL The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
4109 conns,maxops,timeout,ldver,connlifetime,startTLS". If one
4110 optional parameter is specified the rest should be specified too
4111
4115 usage: dsconf instance plugin pass-through-auth url modify [-h]
4116 OLD_URL
4117 NEW_URL
4118 OLD_URL
4121 The full LDAP URL you get from the "list" command
4122 NEW_URL
4125 The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
4126 conns,maxops,timeout,ldver,connlifetime,startTLS". If one
4127 optional parameter is specified the rest should be specified too
4128
4132 usage: dsconf instance plugin pass-through-auth url delete [-h] URL
4133 URL The full LDAP URL you get from the "list" command
4136
4141 usage: dsconf instance plugin pass-through-auth pam-config [-h]
4142 NAME
4143 {add,set,show,delete}
4144 ...
4145 NAME The PAM PTA configuration name
4148 Sub-commands
4151 dsconf plugin pass-through-auth pam-config add
4152 Add the config entry
4153 dsconf plugin pass-through-auth pam-config set
4155 Edit the config entry
4156 dsconf plugin pass-through-auth pam-config show
4158 Display the config entry
4159 dsconf plugin pass-through-auth pam-config delete
4161 Delete the config entry
4162
4164 usage: dsconf instance plugin pass-through-auth pam-config NAME add
4165 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4166 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4167 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4168 TER]
4169 [--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method
4170 ID_MAP_METHOD]
4171 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4172 SERVICE]
4173 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4177 Specifies a suffix to exclude from PAM authentication (pamEx‐
4178 cludeSuffix)
4179 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4182 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4183 fix)
4184 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4187 Identifies how to handle missing include or exclude suffixes
4188 (pamMissingSuffix)
4189 --filter FILTER
4192 Sets an LDAP filter to use to identify specific entries within
4193 the included suffixes for which to use PAM pass-through authen‐
4194 tication (pamFilter)
4195 --id-attr ID_ATTR [ID_ATTR ...]
4198 Contains the attribute name which is used to hold the PAM user
4199 ID (pamIDAttr)
4200 --id_map_method ID_MAP_METHOD
4203 Gives the method to use to map the LDAP bind DN to a PAM iden‐
4204 tity (pamIDMapMethod)
4205 --fallback {TRUE,FALSE}
4208 Sets whether to fallback to regular LDAP authentication if PAM
4209 authentication fails (pamFallback)
4210 --secure {TRUE,FALSE}
4213 Requires secure TLS connection for PAM authentication (pamSe‐
4214 cure)
4215 --service SERVICE
4218 Contains the service name to pass to PAM (pamService)
4219
4222 usage: dsconf instance plugin pass-through-auth pam-config NAME set
4223 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4224 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4225 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4226 TER]
4227 [--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method
4228 ID_MAP_METHOD]
4229 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4230 SERVICE]
4231 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4235 Specifies a suffix to exclude from PAM authentication (pamEx‐
4236 cludeSuffix)
4237 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4240 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4241 fix)
4242 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4245 Identifies how to handle missing include or exclude suffixes
4246 (pamMissingSuffix)
4247 --filter FILTER
4250 Sets an LDAP filter to use to identify specific entries within
4251 the included suffixes for which to use PAM pass-through authen‐
4252 tication (pamFilter)
4253 --id-attr ID_ATTR [ID_ATTR ...]
4256 Contains the attribute name which is used to hold the PAM user
4257 ID (pamIDAttr)
4258 --id_map_method ID_MAP_METHOD
4261 Gives the method to use to map the LDAP bind DN to a PAM iden‐
4262 tity (pamIDMapMethod)
4263 --fallback {TRUE,FALSE}
4266 Sets whether to fallback to regular LDAP authentication if PAM
4267 authentication fails (pamFallback)
4268 --secure {TRUE,FALSE}
4271 Requires secure TLS connection for PAM authentication (pamSe‐
4272 cure)
4273 --service SERVICE
4276 Contains the service name to pass to PAM (pamService)
4277
4280 usage: dsconf instance plugin pass-through-auth pam-config NAME show
4281 [-h]
4282
4287 usage: dsconf instance plugin pass-through-auth pam-config NAME delete
4288 [-h]
4289
4296 usage: dsconf instance plugin retro-changelog [-h]
4297 {show,enable,disable,sta‐
4298 tus,set}
4299 ...
4300 Sub-commands
4303 dsconf plugin retro-changelog show
4304 display plugin configuration
4305 dsconf plugin retro-changelog enable
4307 enable plugin
4308 dsconf plugin retro-changelog disable
4310 disable plugin
4311 dsconf plugin retro-changelog status
4313 display plugin status
4314 dsconf plugin retro-changelog set
4316 Edit the plugin
4317
4319 usage: dsconf instance plugin retro-changelog show [-h]
4320
4325 usage: dsconf instance plugin retro-changelog enable [-h]
4326
4331 usage: dsconf instance plugin retro-changelog disable [-h]
4332
4337 usage: dsconf instance plugin retro-changelog status [-h]
4338
4343 usage: dsconf instance plugin retro-changelog set [-h]
4344 [--is-replicated
4345 {TRUE,FALSE}]
4346 [--attribute
4347 ATTRIBUTE]
4348 [--directory DIREC‐
4349 TORY]
4350 [--max-age MAX_AGE]
4351 [--exclude-suffix
4352 EXCLUDE_SUFFIX]
4353 --is-replicated {TRUE,FALSE}
4357 Sets a flag to indicate on a change in the changelog whether the
4358 change is newly made on that server or whether it was replicated
4359 over from another server (isReplicated)
4360 --attribute ATTRIBUTE
4363 Specifies another Directory Server attribute which must be
4364 included in the retro changelog entries (nsslapd-attribute)
4365 --directory DIRECTORY
4368 Specifies the name of the directory in which the changelog data‐
4369 base is created the first time the plug-in is run
4370 --max-age MAX_AGE
4373 This attribute specifies the maximum age of any entry in the
4374 changelog (nsslapd-changelogmaxage)
4375 --exclude-suffix EXCLUDE_SUFFIX
4378 This attribute specifies the suffix which will be excluded from
4379 the scope of the plugin (nsslapd-exclude-suffix)
4380
4384 usage: dsconf instance plugin posix-winsync [-h]
4385 {show,enable,disable,sta‐
4386 tus,set,fixup}
4387 ...
4388 Sub-commands
4391 dsconf plugin posix-winsync show
4392 display plugin configuration
4393 dsconf plugin posix-winsync enable
4395 enable plugin
4396 dsconf plugin posix-winsync disable
4398 disable plugin
4399 dsconf plugin posix-winsync status
4401 display plugin status
4402 dsconf plugin posix-winsync set
4404 Edit the plugin
4405 dsconf plugin posix-winsync fixup
4407 Run the memberOf fix-up task to correct mismatched member and
4408 uniquemember values for synced users
4409
4411 usage: dsconf instance plugin posix-winsync show [-h]
4412
4417 usage: dsconf instance plugin posix-winsync enable [-h]
4418
4423 usage: dsconf instance plugin posix-winsync disable [-h]
4424
4429 usage: dsconf instance plugin posix-winsync status [-h]
4430
4435 usage: dsconf instance plugin posix-winsync set [-h]
4436 [--create-memberof-task
4437 {true,false}]
4438 [--lower-case-uid
4439 {true,false}]
4440 [--map-member-uid
4441 {true,false}]
4442 [--map-nested-grouping
4443 {true,false}]
4444 [--ms-sfu-schema
4445 {true,false}]
4446 --create-memberof-task {true,false}
4450 Sets whether to run the memberUID fix-up task immediately after
4451 a sync run in order to update group memberships for synced users
4452 (posixWinsyncCreateMemberOfTask)
4453 --lower-case-uid {true,false}
4456 Sets whether to store (and, if necessary, convert) the UID value
4457 in the memberUID attribute in lower case.(posixWinsyncLower‐
4458 CaseUID)
4459 --map-member-uid {true,false}
4462 Sets whether to map the memberUID attribute in an Active Direc‐
4463 tory group to the uniqueMember attribute in a Directory Server
4464 group (posixWinsyncMapMemberUID)
4465 --map-nested-grouping {true,false}
4468 Manages if nested groups are updated when memberUID attributes
4469 in an Active Directory POSIX group change (posixWinsyncMapNest‐
4470 edGrouping)
4471 --ms-sfu-schema {true,false}
4474 Sets whether to the older Microsoft System Services for Unix 3.0
4475 (msSFU30) schema when syncing Posix attributes from Active
4476 Directory (posixWinsyncMsSFUSchema)
4477
4480 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN
4481 DN Base DN that contains entries to fix up
4484 -f FILTER, --filter FILTER
4487 Filter for entries to fix up. If omitted, all entries with
4488 objectclass inetuser/inetadmin/nsmemberof under the specified
4489 base will have their memberOf attribute regenerated.
4490
4494 usage: dsconf instance plugin list [-h]
4495
4500 usage: dsconf instance plugin show [-h] [selector]
4501 selector
4504 The plugin to search for
4505
4509 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4510 {on,off}]
4511 [--path PATH] [--initfunc INITFUNC]
4512 [--id ID] [--vendor VENDOR]
4513 [--version VERSION]
4514 [--description DESCRIPTION]
4515 [--depends-on-type DEPENDS_ON_TYPE]
4516 [--depends-on-named DEPENDS_ON_NAMED]
4517 [--precedence PRECEDENCE]
4518 [selector]
4519 selector
4522 The plugin to edit
4523 --type TYPE
4526 The type of plugin.
4527 --enabled {on,off}
4530 Identifies whether or not the plugin is enabled.
4531 --path PATH
4534 The plugin library name (without the library suffix).
4535 --initfunc INITFUNC
4538 An initialization function of the plugin.
4539 --id ID
4542 The plugin ID.
4543 --vendor VENDOR
4546 The vendor of plugin.
4547 --version VERSION
4550 The version of plugin.
4551 --description DESCRIPTION
4554 The description of the plugin.
4555 --depends-on-type DEPENDS_ON_TYPE
4558 All plug-ins with a type value which matches one of the values
4559 in the following valid range will be started by the server prior
4560 to this plug-in.
4561 --depends-on-named DEPENDS_ON_NAMED
4564 The plug-in name matching one of the following values will be
4565 started by the server prior to this plug-in
4566 --precedence PRECEDENCE
4569 The priority it has in the execution order of plug-ins
4570
4574 usage: dsconf instance pwpolicy [-h] {get,set} ...
4575 Sub-commands
4578 dsconf pwpolicy get
4579 Get the global password policy entry
4580 dsconf pwpolicy set
4582 Set an attribute in a global password policy
4583
4585 usage: dsconf instance pwpolicy get [-h]
4586
4591 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4592 [--pwdchange PWDCHANGE]
4593 [--pwdmustchange PWDMUSTCHANGE]
4594 [--pwdhistory PWDHISTORY]
4595 [--pwdhistorycount PWDHISTORYCOUNT]
4596 [--pwdadmin PWDADMIN]
4597 [--pwdtrack PWDTRACK]
4598 [--pwdwarning PWDWARNING]
4599 [--pwdexpire PWDEXPIRE]
4600 [--pwdmaxage PWDMAXAGE]
4601 [--pwdminage PWDMINAGE]
4602 [--pwdgracelimit PWDGRACELIMIT]
4603 [--pwdsendexpiring PWDSENDEXPIRING]
4604 [--pwdlockout PWDLOCKOUT]
4605 [--pwdunlock PWDUNLOCK]
4606 [--pwdlockoutduration PWDLOCKOUTDU‐
4607 RATION]
4608 [--pwdmaxfailures PWDMAXFAILURES]
4609 [--pwdresetfailcount PWDRESETFAIL‐
4610 COUNT]
4611 [--pwdchecksyntax PWDCHECKSYNTAX]
4612 [--pwdminlen PWDMINLEN]
4613 [--pwdmindigits PWDMINDIGITS]
4614 [--pwdminalphas PWDMINALPHAS]
4615 [--pwdminuppers PWDMINUPPERS]
4616 [--pwdminlowers PWDMINLOWERS]
4617 [--pwdminspecials PWDMINSPECIALS]
4618 [--pwdmin8bits PWDMIN8BITS]
4619 [--pwdmaxrepeats PWDMAXREPEATS]
4620 [--pwdpalindrome PWDPALINDROME]
4621 [--pwdmaxseq PWDMAXSEQ]
4622 [--pwdmaxseqsets PWDMAXSEQSETS]
4623 [--pwdmaxclasschars PWDMAXCLASS‐
4624 CHARS]
4625 [--pwdmincatagories PWDMIN‐
4626 CATAGORIES]
4627 [--pwdmintokenlen PWDMINTOKENLEN]
4628 [--pwdbadwords PWDBADWORDS]
4629 [--pwduserattrs PWDUSERATTRS]
4630 [--pwpinheritglobal PWPINHERIT‐
4631 GLOBAL]
4632 [--pwddictcheck PWDDICTCHECK]
4633 [--pwddictpath PWDDICTPATH]
4634 [--pwdlocal PWDLOCAL]
4635 [--pwdisglobal PWDISGLOBAL]
4636 [--pwdallowhash PWDALLOWHASH]
4637 --pwdscheme PWDSCHEME
4641 The password storage scheme
4642 --pwdchange PWDCHANGE
4645 Allow users to change their passwords
4646 --pwdmustchange PWDMUSTCHANGE
4649 User must change their passwrod after it is reset by an Adminis‐
4650 trator
4651 --pwdhistory PWDHISTORY
4654 To enable password history set this to "on", otherwise "off"
4655 --pwdhistorycount PWDHISTORYCOUNT
4658 The number of password to keep in history
4659 --pwdadmin PWDADMIN
4662 The DN of an entry or a group of account that can bypass pass‐
4663 word policy constraints
4664 --pwdtrack PWDTRACK
4667 Set to "on" to track the time the password was last changed
4668 --pwdwarning PWDWARNING
4671 Send an expiring warning if password expires within this time
4672 (in seconds)
4673 --pwdexpire PWDEXPIRE
4676 Set to "on" to enable password expiration
4677 --pwdmaxage PWDMAXAGE
4680 The password expiration time in seconds
4681 --pwdminage PWDMINAGE
4684 The number of seconds that must pass before a user can change
4685 their password
4686 --pwdgracelimit PWDGRACELIMIT
4689 The number of allowed logins after the password has expired
4690 --pwdsendexpiring PWDSENDEXPIRING
4693 Set to "on" to always send the expiring control regardless of
4694 the warning period
4695 --pwdlockout PWDLOCKOUT
4698 Set to "on" to enable account lockout
4699 --pwdunlock PWDUNLOCK
4702 Set to "on" to allow an account to become unlocked after the
4703 lockout duration
4704 --pwdlockoutduration PWDLOCKOUTDURATION
4707 The number of seconds an account stays locked out
4708 --pwdmaxfailures PWDMAXFAILURES
4711 The maximum number of allowed failed password attempts before
4712 the account gets locked
4713 --pwdresetfailcount PWDRESETFAILCOUNT
4716 The number of seconds to wait before reducing the failed login
4717 count on an account
4718 --pwdchecksyntax PWDCHECKSYNTAX
4721 Set to "on" to Enable password syntax checking
4722 --pwdminlen PWDMINLEN
4725 The minimum number of characters required in a password
4726 --pwdmindigits PWDMINDIGITS
4729 The minimum number of digit/number characters in a password
4730 --pwdminalphas PWDMINALPHAS
4733 The minimum number of alpha characters required in a password
4734 --pwdminuppers PWDMINUPPERS
4737 The minimum number of uppercase characters required in a pass‐
4738 word
4739 --pwdminlowers PWDMINLOWERS
4742 The minimum number of lowercase characters required in a pass‐
4743 word
4744 --pwdminspecials PWDMINSPECIALS
4747 The minimum number of special characters required in a password
4748 --pwdmin8bits PWDMIN8BITS
4751 The minimum number of 8-bit characters required in a password
4752 --pwdmaxrepeats PWDMAXREPEATS
4755 The maximum number of times the same character can appear
4756 sequentially in the password
4757 --pwdpalindrome PWDPALINDROME
4760 Set to "on" to reject passwords that are palindromes
4761 --pwdmaxseq PWDMAXSEQ
4764 The maximum number of allowed monotonic character sequences in a
4765 password
4766 --pwdmaxseqsets PWDMAXSEQSETS
4769 The maximum number of allowed monotonic character sequences that
4770 can be duplicated in a password
4771 --pwdmaxclasschars PWDMAXCLASSCHARS
4774 The maximum number of sequential characters from the same char‐
4775 acter class that is allowed in a password
4776 --pwdmincatagories PWDMINCATAGORIES
4779 The minimum number of syntax category checks
4780 --pwdmintokenlen PWDMINTOKENLEN
4783 Sets the smallest attribute value length that is used for triv‐
4784 ial/user words checking. This also impacts "--pwduserattrs"
4785 --pwdbadwords PWDBADWORDS
4788 A space-separated list of words that can not be in a password
4789 --pwduserattrs PWDUSERATTRS
4792 A space-separated list of attributes whose values can not appear
4793 in the password (See "--pwdmintokenlen")
4794 --pwpinheritglobal PWPINHERITGLOBAL
4797 Set to "on" to allow local policies to inherit the global policy
4798 --pwddictcheck PWDDICTCHECK
4801 Set to "on" to enforce CrackLib dictionary checking
4802 --pwddictpath PWDDICTPATH
4805 Filesystem path to specific/custom CrackLib dictionary files
4806 --pwdlocal PWDLOCAL
4809 Set to "on" to enable fine-grained (subtree/user-level) password
4810 policies
4811 --pwdisglobal PWDISGLOBAL
4814 Set to "on" to enable password policy state attributesto be
4815 replicated
4816 --pwdallowhash PWDALLOWHASH
4819 Set to "on" to allow adding prehashed passwords
4820
4824 usage: dsconf instance localpwp [-h]
4825 {list,get,set,remove,adduser,addsub‐
4826 tree} ...
4827 Sub-commands
4830 dsconf localpwp list
4831 List all the local password policies
4832 dsconf localpwp get
4834 Get local password policy entry
4835 dsconf localpwp set
4837 Set an attribute in a local password policy
4838 dsconf localpwp remove
4840 Remove a local password policy
4841 dsconf localpwp adduser
4843 Add new user password policy
4844 dsconf localpwp addsubtree
4846 Add new subtree password policy
4847
4849 usage: dsconf instance localpwp list [-h] [DN]
4850 DN Suffix to search for local password policies
4853
4857 usage: dsconf instance localpwp get [-h] DN
4858 DN Get the local policy for this entry DN
4861
4865 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
4866 [--pwdchange PWDCHANGE]
4867 [--pwdmustchange PWDMUSTCHANGE]
4868 [--pwdhistory PWDHISTORY]
4869 [--pwdhistorycount PWDHISTORYCOUNT]
4870 [--pwdadmin PWDADMIN]
4871 [--pwdtrack PWDTRACK]
4872 [--pwdwarning PWDWARNING]
4873 [--pwdexpire PWDEXPIRE]
4874 [--pwdmaxage PWDMAXAGE]
4875 [--pwdminage PWDMINAGE]
4876 [--pwdgracelimit PWDGRACELIMIT]
4877 [--pwdsendexpiring PWDSENDEXPIRING]
4878 [--pwdlockout PWDLOCKOUT]
4879 [--pwdunlock PWDUNLOCK]
4880 [--pwdlockoutduration PWDLOCKOUTDU‐
4881 RATION]
4882 [--pwdmaxfailures PWDMAXFAILURES]
4883 [--pwdresetfailcount PWDRESETFAIL‐
4884 COUNT]
4885 [--pwdchecksyntax PWDCHECKSYNTAX]
4886 [--pwdminlen PWDMINLEN]
4887 [--pwdmindigits PWDMINDIGITS]
4888 [--pwdminalphas PWDMINALPHAS]
4889 [--pwdminuppers PWDMINUPPERS]
4890 [--pwdminlowers PWDMINLOWERS]
4891 [--pwdminspecials PWDMINSPECIALS]
4892 [--pwdmin8bits PWDMIN8BITS]
4893 [--pwdmaxrepeats PWDMAXREPEATS]
4894 [--pwdpalindrome PWDPALINDROME]
4895 [--pwdmaxseq PWDMAXSEQ]
4896 [--pwdmaxseqsets PWDMAXSEQSETS]
4897 [--pwdmaxclasschars PWDMAXCLASS‐
4898 CHARS]
4899 [--pwdmincatagories PWDMIN‐
4900 CATAGORIES]
4901 [--pwdmintokenlen PWDMINTOKENLEN]
4902 [--pwdbadwords PWDBADWORDS]
4903 [--pwduserattrs PWDUSERATTRS]
4904 [--pwpinheritglobal PWPINHERIT‐
4905 GLOBAL]
4906 [--pwddictcheck PWDDICTCHECK]
4907 [--pwddictpath PWDDICTPATH]
4908 DN
4909 DN Set the local policy for this entry DN
4912 --pwdscheme PWDSCHEME
4915 The password storage scheme
4916 --pwdchange PWDCHANGE
4919 Allow users to change their passwords
4920 --pwdmustchange PWDMUSTCHANGE
4923 User must change their passwrod after it is reset by an Adminis‐
4924 trator
4925 --pwdhistory PWDHISTORY
4928 To enable password history set this to "on", otherwise "off"
4929 --pwdhistorycount PWDHISTORYCOUNT
4932 The number of password to keep in history
4933 --pwdadmin PWDADMIN
4936 The DN of an entry or a group of account that can bypass pass‐
4937 word policy constraints
4938 --pwdtrack PWDTRACK
4941 Set to "on" to track the time the password was last changed
4942 --pwdwarning PWDWARNING
4945 Send an expiring warning if password expires within this time
4946 (in seconds)
4947 --pwdexpire PWDEXPIRE
4950 Set to "on" to enable password expiration
4951 --pwdmaxage PWDMAXAGE
4954 The password expiration time in seconds
4955 --pwdminage PWDMINAGE
4958 The number of seconds that must pass before a user can change
4959 their password
4960 --pwdgracelimit PWDGRACELIMIT
4963 The number of allowed logins after the password has expired
4964 --pwdsendexpiring PWDSENDEXPIRING
4967 Set to "on" to always send the expiring control regardless of
4968 the warning period
4969 --pwdlockout PWDLOCKOUT
4972 Set to "on" to enable account lockout
4973 --pwdunlock PWDUNLOCK
4976 Set to "on" to allow an account to become unlocked after the
4977 lockout duration
4978 --pwdlockoutduration PWDLOCKOUTDURATION
4981 The number of seconds an account stays locked out
4982 --pwdmaxfailures PWDMAXFAILURES
4985 The maximum number of allowed failed password attempts before
4986 the account gets locked
4987 --pwdresetfailcount PWDRESETFAILCOUNT
4990 The number of seconds to wait before reducing the failed login
4991 count on an account
4992 --pwdchecksyntax PWDCHECKSYNTAX
4995 Set to "on" to Enable password syntax checking
4996 --pwdminlen PWDMINLEN
4999 The minimum number of characters required in a password
5000 --pwdmindigits PWDMINDIGITS
5003 The minimum number of digit/number characters in a password
5004 --pwdminalphas PWDMINALPHAS
5007 The minimum number of alpha characters required in a password
5008 --pwdminuppers PWDMINUPPERS
5011 The minimum number of uppercase characters required in a pass‐
5012 word
5013 --pwdminlowers PWDMINLOWERS
5016 The minimum number of lowercase characters required in a pass‐
5017 word
5018 --pwdminspecials PWDMINSPECIALS
5021 The minimum number of special characters required in a password
5022 --pwdmin8bits PWDMIN8BITS
5025 The minimum number of 8-bit characters required in a password
5026 --pwdmaxrepeats PWDMAXREPEATS
5029 The maximum number of times the same character can appear
5030 sequentially in the password
5031 --pwdpalindrome PWDPALINDROME
5034 Set to "on" to reject passwords that are palindromes
5035 --pwdmaxseq PWDMAXSEQ
5038 The maximum number of allowed monotonic character sequences in a
5039 password
5040 --pwdmaxseqsets PWDMAXSEQSETS
5043 The maximum number of allowed monotonic character sequences that
5044 can be duplicated in a password
5045 --pwdmaxclasschars PWDMAXCLASSCHARS
5048 The maximum number of sequential characters from the same char‐
5049 acter class that is allowed in a password
5050 --pwdmincatagories PWDMINCATAGORIES
5053 The minimum number of syntax category checks
5054 --pwdmintokenlen PWDMINTOKENLEN
5057 Sets the smallest attribute value length that is used for triv‐
5058 ial/user words checking. This also impacts "--pwduserattrs"
5059 --pwdbadwords PWDBADWORDS
5062 A space-separated list of words that can not be in a password
5063 --pwduserattrs PWDUSERATTRS
5066 A space-separated list of attributes whose values can not appear
5067 in the password (See "--pwdmintokenlen")
5068 --pwpinheritglobal PWPINHERITGLOBAL
5071 Set to "on" to allow local policies to inherit the global policy
5072 --pwddictcheck PWDDICTCHECK
5075 Set to "on" to enforce CrackLib dictionary checking
5076 --pwddictpath PWDDICTPATH
5079 Filesystem path to specific/custom CrackLib dictionary files
5080
5083 usage: dsconf instance localpwp remove [-h] DN
5084 DN Remove local policy for this entry DN
5087
5091 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5092 [--pwdchange PWDCHANGE]
5093 [--pwdmustchange PWDMUSTCHANGE]
5094 [--pwdhistory PWDHISTORY]
5095 [--pwdhistorycount PWDHISTO‐
5096 RYCOUNT]
5097 [--pwdadmin PWDADMIN]
5098 [--pwdtrack PWDTRACK]
5099 [--pwdwarning PWDWARNING]
5100 [--pwdexpire PWDEXPIRE]
5101 [--pwdmaxage PWDMAXAGE]
5102 [--pwdminage PWDMINAGE]
5103 [--pwdgracelimit PWDGRACELIMIT]
5104 [--pwdsendexpiring PWDSENDEX‐
5105 PIRING]
5106 [--pwdlockout PWDLOCKOUT]
5107 [--pwdunlock PWDUNLOCK]
5108 [--pwdlockoutduration PWDLOCK‐
5109 OUTDURATION]
5110 [--pwdmaxfailures PWDMAXFAIL‐
5111 URES]
5112 [--pwdresetfailcount PWDRESET‐
5113 FAILCOUNT]
5114 [--pwdchecksyntax PWDCHECKSYN‐
5115 TAX]
5116 [--pwdminlen PWDMINLEN]
5117 [--pwdmindigits PWDMINDIGITS]
5118 [--pwdminalphas PWDMINALPHAS]
5119 [--pwdminuppers PWDMINUPPERS]
5120 [--pwdminlowers PWDMINLOWERS]
5121 [--pwdminspecials PWDMINSPE‐
5122 CIALS]
5123 [--pwdmin8bits PWDMIN8BITS]
5124 [--pwdmaxrepeats PWDMAXREPEATS]
5125 [--pwdpalindrome PWDPALINDROME]
5126 [--pwdmaxseq PWDMAXSEQ]
5127 [--pwdmaxseqsets PWDMAXSEQSETS]
5128 [--pwdmaxclasschars PWDMAX‐
5129 CLASSCHARS]
5130 [--pwdmincatagories PWDMIN‐
5131 CATAGORIES]
5132 [--pwdmintokenlen PWDMINTO‐
5133 KENLEN]
5134 [--pwdbadwords PWDBADWORDS]
5135 [--pwduserattrs PWDUSERATTRS]
5136 [--pwpinheritglobal PWPINHERIT‐
5137 GLOBAL]
5138 [--pwddictcheck PWDDICTCHECK]
5139 [--pwddictpath PWDDICTPATH]
5140 DN
5141 DN Add/replace the local password policy for this entry DN
5144 --pwdscheme PWDSCHEME
5147 The password storage scheme
5148 --pwdchange PWDCHANGE
5151 Allow users to change their passwords
5152 --pwdmustchange PWDMUSTCHANGE
5155 User must change their passwrod after it is reset by an Adminis‐
5156 trator
5157 --pwdhistory PWDHISTORY
5160 To enable password history set this to "on", otherwise "off"
5161 --pwdhistorycount PWDHISTORYCOUNT
5164 The number of password to keep in history
5165 --pwdadmin PWDADMIN
5168 The DN of an entry or a group of account that can bypass pass‐
5169 word policy constraints
5170 --pwdtrack PWDTRACK
5173 Set to "on" to track the time the password was last changed
5174 --pwdwarning PWDWARNING
5177 Send an expiring warning if password expires within this time
5178 (in seconds)
5179 --pwdexpire PWDEXPIRE
5182 Set to "on" to enable password expiration
5183 --pwdmaxage PWDMAXAGE
5186 The password expiration time in seconds
5187 --pwdminage PWDMINAGE
5190 The number of seconds that must pass before a user can change
5191 their password
5192 --pwdgracelimit PWDGRACELIMIT
5195 The number of allowed logins after the password has expired
5196 --pwdsendexpiring PWDSENDEXPIRING
5199 Set to "on" to always send the expiring control regardless of
5200 the warning period
5201 --pwdlockout PWDLOCKOUT
5204 Set to "on" to enable account lockout
5205 --pwdunlock PWDUNLOCK
5208 Set to "on" to allow an account to become unlocked after the
5209 lockout duration
5210 --pwdlockoutduration PWDLOCKOUTDURATION
5213 The number of seconds an account stays locked out
5214 --pwdmaxfailures PWDMAXFAILURES
5217 The maximum number of allowed failed password attempts before
5218 the account gets locked
5219 --pwdresetfailcount PWDRESETFAILCOUNT
5222 The number of seconds to wait before reducing the failed login
5223 count on an account
5224 --pwdchecksyntax PWDCHECKSYNTAX
5227 Set to "on" to Enable password syntax checking
5228 --pwdminlen PWDMINLEN
5231 The minimum number of characters required in a password
5232 --pwdmindigits PWDMINDIGITS
5235 The minimum number of digit/number characters in a password
5236 --pwdminalphas PWDMINALPHAS
5239 The minimum number of alpha characters required in a password
5240 --pwdminuppers PWDMINUPPERS
5243 The minimum number of uppercase characters required in a pass‐
5244 word
5245 --pwdminlowers PWDMINLOWERS
5248 The minimum number of lowercase characters required in a pass‐
5249 word
5250 --pwdminspecials PWDMINSPECIALS
5253 The minimum number of special characters required in a password
5254 --pwdmin8bits PWDMIN8BITS
5257 The minimum number of 8-bit characters required in a password
5258 --pwdmaxrepeats PWDMAXREPEATS
5261 The maximum number of times the same character can appear
5262 sequentially in the password
5263 --pwdpalindrome PWDPALINDROME
5266 Set to "on" to reject passwords that are palindromes
5267 --pwdmaxseq PWDMAXSEQ
5270 The maximum number of allowed monotonic character sequences in a
5271 password
5272 --pwdmaxseqsets PWDMAXSEQSETS
5275 The maximum number of allowed monotonic character sequences that
5276 can be duplicated in a password
5277 --pwdmaxclasschars PWDMAXCLASSCHARS
5280 The maximum number of sequential characters from the same char‐
5281 acter class that is allowed in a password
5282 --pwdmincatagories PWDMINCATAGORIES
5285 The minimum number of syntax category checks
5286 --pwdmintokenlen PWDMINTOKENLEN
5289 Sets the smallest attribute value length that is used for triv‐
5290 ial/user words checking. This also impacts "--pwduserattrs"
5291 --pwdbadwords PWDBADWORDS
5294 A space-separated list of words that can not be in a password
5295 --pwduserattrs PWDUSERATTRS
5298 A space-separated list of attributes whose values can not appear
5299 in the password (See "--pwdmintokenlen")
5300 --pwpinheritglobal PWPINHERITGLOBAL
5303 Set to "on" to allow local policies to inherit the global policy
5304 --pwddictcheck PWDDICTCHECK
5307 Set to "on" to enforce CrackLib dictionary checking
5308 --pwddictpath PWDDICTPATH
5311 Filesystem path to specific/custom CrackLib dictionary files
5312
5315 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5316 [--pwdchange PWDCHANGE]
5317 [--pwdmustchange PWD‐
5318 MUSTCHANGE]
5319 [--pwdhistory PWDHISTORY]
5320 [--pwdhistorycount PWDHISTO‐
5321 RYCOUNT]
5322 [--pwdadmin PWDADMIN]
5323 [--pwdtrack PWDTRACK]
5324 [--pwdwarning PWDWARNING]
5325 [--pwdexpire PWDEXPIRE]
5326 [--pwdmaxage PWDMAXAGE]
5327 [--pwdminage PWDMINAGE]
5328 [--pwdgracelimit PWDGRACE‐
5329 LIMIT]
5330 [--pwdsendexpiring PWDSEND‐
5331 EXPIRING]
5332 [--pwdlockout PWDLOCKOUT]
5333 [--pwdunlock PWDUNLOCK]
5334 [--pwdlockoutduration PWD‐
5335 LOCKOUTDURATION]
5336 [--pwdmaxfailures PWDMAX‐
5337 FAILURES]
5338 [--pwdresetfailcount
5339 PWDRESETFAILCOUNT]
5340 [--pwdchecksyntax PWD‐
5341 CHECKSYNTAX]
5342 [--pwdminlen PWDMINLEN]
5343 [--pwdmindigits PWDMINDIG‐
5344 ITS]
5345 [--pwdminalphas PWDMINAL‐
5346 PHAS]
5347 [--pwdminuppers PWDMINUP‐
5348 PERS]
5349 [--pwdminlowers PWDMINLOW‐
5350 ERS]
5351 [--pwdminspecials PWDMINSPE‐
5352 CIALS]
5353 [--pwdmin8bits PWDMIN8BITS]
5354 [--pwdmaxrepeats PWDMAXRE‐
5355 PEATS]
5356 [--pwdpalindrome PWDPALIN‐
5357 DROME]
5358 [--pwdmaxseq PWDMAXSEQ]
5359 [--pwdmaxseqsets PWDMAXSE‐
5360 QSETS]
5361 [--pwdmaxclasschars PWDMAX‐
5362 CLASSCHARS]
5363 [--pwdmincatagories PWDMIN‐
5364 CATAGORIES]
5365 [--pwdmintokenlen PWDMINTO‐
5366 KENLEN]
5367 [--pwdbadwords PWDBADWORDS]
5368 [--pwduserattrs PWDUSERAT‐
5369 TRS]
5370 [--pwpinheritglobal PWPIN‐
5371 HERITGLOBAL]
5372 [--pwddictcheck PWD‐
5373 DICTCHECK]
5374 [--pwddictpath PWDDICTPATH]
5375 DN
5376 DN Add/replace the subtree policy for this entry DN
5379 --pwdscheme PWDSCHEME
5382 The password storage scheme
5383 --pwdchange PWDCHANGE
5386 Allow users to change their passwords
5387 --pwdmustchange PWDMUSTCHANGE
5390 User must change their passwrod after it is reset by an Adminis‐
5391 trator
5392 --pwdhistory PWDHISTORY
5395 To enable password history set this to "on", otherwise "off"
5396 --pwdhistorycount PWDHISTORYCOUNT
5399 The number of password to keep in history
5400 --pwdadmin PWDADMIN
5403 The DN of an entry or a group of account that can bypass pass‐
5404 word policy constraints
5405 --pwdtrack PWDTRACK
5408 Set to "on" to track the time the password was last changed
5409 --pwdwarning PWDWARNING
5412 Send an expiring warning if password expires within this time
5413 (in seconds)
5414 --pwdexpire PWDEXPIRE
5417 Set to "on" to enable password expiration
5418 --pwdmaxage PWDMAXAGE
5421 The password expiration time in seconds
5422 --pwdminage PWDMINAGE
5425 The number of seconds that must pass before a user can change
5426 their password
5427 --pwdgracelimit PWDGRACELIMIT
5430 The number of allowed logins after the password has expired
5431 --pwdsendexpiring PWDSENDEXPIRING
5434 Set to "on" to always send the expiring control regardless of
5435 the warning period
5436 --pwdlockout PWDLOCKOUT
5439 Set to "on" to enable account lockout
5440 --pwdunlock PWDUNLOCK
5443 Set to "on" to allow an account to become unlocked after the
5444 lockout duration
5445 --pwdlockoutduration PWDLOCKOUTDURATION
5448 The number of seconds an account stays locked out
5449 --pwdmaxfailures PWDMAXFAILURES
5452 The maximum number of allowed failed password attempts before
5453 the account gets locked
5454 --pwdresetfailcount PWDRESETFAILCOUNT
5457 The number of seconds to wait before reducing the failed login
5458 count on an account
5459 --pwdchecksyntax PWDCHECKSYNTAX
5462 Set to "on" to Enable password syntax checking
5463 --pwdminlen PWDMINLEN
5466 The minimum number of characters required in a password
5467 --pwdmindigits PWDMINDIGITS
5470 The minimum number of digit/number characters in a password
5471 --pwdminalphas PWDMINALPHAS
5474 The minimum number of alpha characters required in a password
5475 --pwdminuppers PWDMINUPPERS
5478 The minimum number of uppercase characters required in a pass‐
5479 word
5480 --pwdminlowers PWDMINLOWERS
5483 The minimum number of lowercase characters required in a pass‐
5484 word
5485 --pwdminspecials PWDMINSPECIALS
5488 The minimum number of special characters required in a password
5489 --pwdmin8bits PWDMIN8BITS
5492 The minimum number of 8-bit characters required in a password
5493 --pwdmaxrepeats PWDMAXREPEATS
5496 The maximum number of times the same character can appear
5497 sequentially in the password
5498 --pwdpalindrome PWDPALINDROME
5501 Set to "on" to reject passwords that are palindromes
5502 --pwdmaxseq PWDMAXSEQ
5505 The maximum number of allowed monotonic character sequences in a
5506 password
5507 --pwdmaxseqsets PWDMAXSEQSETS
5510 The maximum number of allowed monotonic character sequences that
5511 can be duplicated in a password
5512 --pwdmaxclasschars PWDMAXCLASSCHARS
5515 The maximum number of sequential characters from the same char‐
5516 acter class that is allowed in a password
5517 --pwdmincatagories PWDMINCATAGORIES
5520 The minimum number of syntax category checks
5521 --pwdmintokenlen PWDMINTOKENLEN
5524 Sets the smallest attribute value length that is used for triv‐
5525 ial/user words checking. This also impacts "--pwduserattrs"
5526 --pwdbadwords PWDBADWORDS
5529 A space-separated list of words that can not be in a password
5530 --pwduserattrs PWDUSERATTRS
5533 A space-separated list of attributes whose values can not appear
5534 in the password (See "--pwdmintokenlen")
5535 --pwpinheritglobal PWPINHERITGLOBAL
5538 Set to "on" to allow local policies to inherit the global policy
5539 --pwddictcheck PWDDICTCHECK
5542 Set to "on" to enforce CrackLib dictionary checking
5543 --pwddictpath PWDDICTPATH
5546 Filesystem path to specific/custom CrackLib dictionary files
5547
5551 usage: dsconf instance replication [-h]
5552 {enable,disable,get-ruv,list,sta‐
5553 tus,winsync-status,promote,create-manager,delete-man‐
5554 ager,demote,get,create-changelog,delete-changelog,set-changelog,get-
5555 changelog,dump-changelog,restore-changelog,set,monitor}
5556 ...
5557 Sub-commands
5560 dsconf replication enable
5561 Enable replication for a suffix
5562 dsconf replication disable
5564 Disable replication for a suffix
5565 dsconf replication get-ruv
5567 Get the database RUV entry for his suffix
5568 dsconf replication list
5570 List all the replicated suffixes
5571 dsconf replication status
5573 Get the current status of all the replication agreements
5574 dsconf replication winsync-status
5576 Get the current status of all the replication agreements
5577 dsconf replication promote
5579 Promte replica to a Hub or Master
5580 dsconf replication create-manager
5582 Create a replication manager entry
5583 dsconf replication delete-manager
5585 Delete a replication manager entry
5586 dsconf replication demote
5588 Demote replica to a Hub or Consumer
5589 dsconf replication get
5591 Get replication configuration
5592 dsconf replication create-changelog
5594 Create the replication changelog
5595 dsconf replication delete-changelog
5597 Delete the replication changelog. This will invalidate any
5598 existing replication agreements
5599 dsconf replication set-changelog
5601 Set replication changelog attributes.
5602 dsconf replication get-changelog
5604 Display replication changelog attributes.
5605 dsconf replication dump-changelog
5607 Decode Directory Server replication change log and dump it to an
5608 LDIF
5609 dsconf replication restore-changelog
5611 Restore Directory Server replication change log from LDIF file
5612 or change log directory
5613 dsconf replication set
5615 Set an attribute in the replication configuration
5616 dsconf replication monitor
5618 Get the full replication topology report
5619
5621 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
5622 ROLE
5623 [--replica-id REPLICA_ID]
5624 [--bind-group-dn
5625 BIND_GROUP_DN]
5626 [--bind-dn BIND_DN]
5627 [--bind-passwd BIND_PASSWD]
5628 --suffix SUFFIX
5632 The DN of the suffix to be enabled for replication
5633 --role ROLE
5636 The Replication role: "master", "hub", or "consumer"
5637 --replica-id REPLICA_ID
5640 The replication identifier for a "master". Values range from 1 -
5641 65534
5642 --bind-group-dn BIND_GROUP_DN
5645 A group entry DN containing members that are "bind/supplier" DNs
5646 --bind-dn BIND_DN
5649 The Bind or Supplier DN that can make replication updates
5650 --bind-passwd BIND_PASSWD
5653 Password for replication manager(--bind-dn). This will create
5654 the manager entry if a value is set
5655
5658 usage: dsconf instance replication disable [-h] --suffix SUFFIX
5659 --suffix SUFFIX
5663 The DN of the suffix to have replication disabled
5664
5667 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
5668 --suffix SUFFIX
5672 The DN of the replicated suffix
5673
5676 usage: dsconf instance replication list [-h]
5677
5682 usage: dsconf instance replication status [-h] --suffix SUFFIX
5683 [--bind-dn BIND_DN]
5684 [--bind-passwd BIND_PASSWD]
5685 --suffix SUFFIX
5689 The DN of the replication suffix
5690 --bind-dn BIND_DN
5693 The DN to use to authenticate to the consumer
5694 --bind-passwd BIND_PASSWD
5697 The password for the bind DN
5698
5701 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
5702 [--bind-dn BIND_DN]
5703 [--bind-passwd
5704 BIND_PASSWD]
5705 --suffix SUFFIX
5709 The DN of the replication suffix
5710 --bind-dn BIND_DN
5713 The DN to use to authenticate to the consumer
5714 --bind-passwd BIND_PASSWD
5717 The password for the bind DN
5718
5721 usage: dsconf instance replication promote [-h] --suffix SUFFIX --new‐
5722 role
5723 NEWROLE [--replica-id
5724 REPLICA_ID]
5725 [--bind-group-dn
5726 BIND_GROUP_DN]
5727 [--bind-dn BIND_DN]
5728 --suffix SUFFIX
5732 The DN of the replication suffix to promote
5733 --newrole NEWROLE
5736 Promote this replica to a "hub" or "master"
5737 --replica-id REPLICA_ID
5740 The replication identifier for a "master". Values range from 1 -
5741 65534
5742 --bind-group-dn BIND_GROUP_DN
5745 A group entry DN containing members that are "bind/supplier" DNs
5746 --bind-dn BIND_DN
5749 The Bind or Supplier DN that can make replication updates
5750
5753 usage: dsconf instance replication create-manager [-h] [--name NAME]
5754 [--passwd PASSWD]
5755 [--suffix SUFFIX]
5756 --name NAME
5760 The NAME of the new replication manager entry. For example, if
5761 the NAME is "replication manager" then the new manager entry's
5762 DN would be "cn=replication manager,cn=config".
5763 --passwd PASSWD
5766 Password for replication manager. If not provided, you will be
5767 prompted for the password
5768 --suffix SUFFIX
5771 The DN of the replication suffix whose replication configuration
5772 you want to add this new manager to (OPTIONAL)
5773
5776 usage: dsconf instance replication delete-manager [-h] [--name NAME]
5777 [--suffix SUFFIX]
5778 --name NAME
5782 The NAME of the replication manager entry under cn=config:
5783 "cn=NAME,cn=config"
5784 --suffix SUFFIX
5787 The DN of the replication suffix whose replication configuration
5788 you want to remove this manager from (OPTIONAL)
5789
5792 usage: dsconf instance replication demote [-h] --suffix SUFFIX --new‐
5793 role
5794 NEWROLE
5795 --suffix SUFFIX
5799 Promte this replica to a "hub" or "consumer"
5800 --newrole NEWROLE
5803 The Replication role: "hub", or "consumer"
5804
5807 usage: dsconf instance replication get [-h] --suffix SUFFIX
5808 --suffix SUFFIX
5812 Get the replication configuration for this suffix DN
5813
5816 usage: dsconf instance replication create-changelog [-h]
5817
5822 usage: dsconf instance replication delete-changelog [-h]
5823
5828 usage: dsconf instance replication set-changelog [-h] [--cl-dir CL_DIR]
5829 [--max-entries
5830 MAX_ENTRIES]
5831 [--max-age MAX_AGE]
5832 [--compact-interval
5833 COMPACT_INTERVAL]
5834 [--trim-interval
5835 TRIM_INTERVAL]
5836 --cl-dir CL_DIR
5840 The replication changelog location on the filesystem
5841 --max-entries MAX_ENTRIES
5844 The maximum number of entries to get in the replication
5845 changelog
5846 --max-age MAX_AGE
5849 The maximum age of a replication changelog entry
5850 --compact-interval COMPACT_INTERVAL
5853 The replication changelog compaction interval
5854 --trim-interval TRIM_INTERVAL
5857 The interval to check if the replication changelog can be
5858 trimmed
5859
5862 usage: dsconf instance replication get-changelog [-h]
5863
5868 usage: dsconf instance replication dump-changelog [-h] [-c] [-l]
5869 [-i CHANGELOG_LDIF]
5870 [-o OUTPUT_FILE]
5871 [-r REPLICA_ROOTS
5872 [REPLICA_ROOTS ...]]
5873 -c, --csn-only
5877 Dump and interpret CSN only. This option can be used with or
5878 without -i option.
5879 -l, --preserve-ldif-done
5882 Preserve generated ldif.done files from changelogdir.
5883 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
5886 If you already have a ldif-like changelog, but the changes in
5887 that file are encoded, you may use this option to decode that
5888 ldif-like changelog. It should be base64 encoded.
5889 -o OUTPUT_FILE, --output-file OUTPUT_FILE
5892 Path name for the final result. Default to STDOUT if omitted.
5893 -r REPLICA_ROOTS [REPLICA_ROOTS ...], --replica-roots REPLICA_ROOTS
5896 [REPLICA_ROOTS ...]
5897 Specify replica roots whose changelog you want to dump. The
5898 replica roots may be seperated by comma. All the replica roots
5899 would be dumped if the option is omitted.
5900
5903 usage: dsconf instance replication restore-changelog [-h]
5904 {from-ldif,from-
5905 changelogdir}
5906 ...
5907 Sub-commands
5910 dsconf replication restore-changelog from-ldif
5911 Restore a single LDIF file.
5912 dsconf replication restore-changelog from-changelogdir
5914 Restore LDIF files from changelogdir.
5915
5917 usage: dsconf instance replication restore-changelog from-ldif
5918 [-h] -r REPLICA_ROOT LDIF_PATH
5919 LDIF_PATH
5922 The path of changelog LDIF file.
5923 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
5926 Specify one replica root whose changelog you want to restore.
5927 The replica root will be consumed from the LDIF file name if the
5928 option is omitted.
5929
5932 usage: dsconf instance replication restore-changelog from-changelogdir
5933 [-h] REPLICA_ROOTS [REPLICA_ROOTS ...]
5934 REPLICA_ROOTS
5937 Specify replica roots whose changelog you want to restore. The
5938 replica roots may be seperated by comma. All the replica roots
5939 would be dumped if the option is omitted.
5940
5945 usage: dsconf instance replication set [-h] --suffix SUFFIX
5946 [--repl-add-bind-dn
5947 REPL_ADD_BIND_DN]
5948 [--repl-del-bind-dn
5949 REPL_DEL_BIND_DN]
5950 [--repl-add-ref REPL_ADD_REF]
5951 [--repl-del-ref REPL_DEL_REF]
5952 [--repl-purge-delay
5953 REPL_PURGE_DELAY]
5954 [--repl-tombstone-purge-interval
5955 REPL_TOMBSTONE_PURGE_INTERVAL]
5956 [--repl-fast-tombstone-purging
5957 REPL_FAST_TOMBSTONE_PURGING]
5958 [--repl-bind-group
5959 REPL_BIND_GROUP]
5960 [--repl-bind-group-interval
5961 REPL_BIND_GROUP_INTERVAL]
5962 [--repl-protocol-timeout
5963 REPL_PROTOCOL_TIMEOUT]
5964 [--repl-backoff-max REPL_BACK‐
5965 OFF_MAX]
5966 [--repl-backoff-min REPL_BACK‐
5967 OFF_MIN]
5968 [--repl-release-timeout
5969 REPL_RELEASE_TIMEOUT]
5970 --suffix SUFFIX
5974 The DN of the replication suffix
5975 --repl-add-bind-dn REPL_ADD_BIND_DN
5978 Add a bind (supplier) DN
5979 --repl-del-bind-dn REPL_DEL_BIND_DN
5982 Remove a bind (supplier) DN
5983 --repl-add-ref REPL_ADD_REF
5986 Add a replication referral (for consumers only)
5987 --repl-del-ref REPL_DEL_REF
5990 Remove a replication referral (for conusmers only)
5991 --repl-purge-delay REPL_PURGE_DELAY
5994 The replication purge delay
5995 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
5998 The interval in seconds to check for tombstones that can be
5999 purged
6000 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6003 Set to "on" to improve tombstone purging performance
6004 --repl-bind-group REPL_BIND_GROUP
6007 A group entry DN containing members that are "bind/supplier" DNs
6008 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6011 An interval in seconds to check if the bind group has been
6012 updated
6013 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6016 A timeout in seconds on how long to wait before stopping repli‐
6017 cation when the server is under load
6018 --repl-backoff-max REPL_BACKOFF_MAX
6021 The maximum time in seconds a replication agreement should stay
6022 in a backoff state while waiting to acquire the consumer.
6023 Default is 300 seconds
6024 --repl-backoff-min REPL_BACKOFF_MIN
6027 The starting time in seconds a replication agreement should stay
6028 in a backoff state while waiting to acquire the consumer.
6029 Default is 3 seconds
6030 --repl-release-timeout REPL_RELEASE_TIMEOUT
6033 A timeout in seconds a replication master should send updates
6034 before it yields its replication session
6035
6038 usage: dsconf instance replication monitor [-h]
6039 [-c [CONNECTIONS [CONNEC‐
6040 TIONS ...]]]
6041 [-a [ALIASES [ALIASES ...]]]
6042 -c [CONNECTIONS [CONNECTIONS ...]], --connections [CONNECTIONS [CONNEC‐
6046 TIONS ...]]
6047 The connection values for monitoring other not connected topolo‐
6048 gies. The format: 'host:port:binddn:bindpwd'. You can use regex
6049 for host and port. You can set bindpwd to * and it will be
6050 requested at the runtime or you can include the path to the
6051 password file in square brackets - [~/pwd.txt]
6052 -a [ALIASES [ALIASES ...]], --aliases [ALIASES [ALIASES ...]]
6055 If a host:port is assigned an alias, then the alias instead of
6056 host:port will be displayed in the output. The format:
6057 alias=host:port
6058
6062 usage: dsconf instance repl-agmt [-h]
6063 {list,enable,disable,init,init-sta‐
6064 tus,poke,status,delete,create,set,get}
6065 ...
6066 Sub-commands
6069 dsconf repl-agmt list
6070 List all the replication agreements
6071 dsconf repl-agmt enable
6073 Enable replication agreement
6074 dsconf repl-agmt disable
6076 Disable replication agreement
6077 dsconf repl-agmt init
6079 Initialize replication agreement
6080 dsconf repl-agmt init-status
6082 Check the agreement initialization status
6083 dsconf repl-agmt poke
6085 Trigger replication to send updates now
6086 dsconf repl-agmt status
6088 Get the current status of the replication agreement
6089 dsconf repl-agmt delete
6091 Delete replication agreement
6092 dsconf repl-agmt create
6094 Initialize replication agreement
6095 dsconf repl-agmt set
6097 Set an attribute in the replication agreement
6098 dsconf repl-agmt get
6100 Get replication configuration
6101
6103 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry
6104 ENTRY]
6105 --suffix SUFFIX
6109 The DN of the suffix to look up replication agreements
6110 --entry ENTRY
6113 Return the entire entry for each agreement
6114
6117 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6118 AGMT_NAME
6121 The name of the replication agreement
6122 --suffix SUFFIX
6125 The DN of the replication suffix
6126
6129 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6130 AGMT_NAME
6133 The name of the replication agreement
6134 --suffix SUFFIX
6137 The DN of the replication suffix
6138
6141 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6142 AGMT_NAME
6145 The name of the replication agreement
6146 --suffix SUFFIX
6149 The DN of the replication suffix
6150
6153 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6154 AGMT_NAME
6155 AGMT_NAME
6158 The name of the replication agreement
6159 --suffix SUFFIX
6162 The DN of the replication suffix
6163
6166 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6167 AGMT_NAME
6170 The name of the replication agreement
6171 --suffix SUFFIX
6174 The DN of the replication suffix
6175
6178 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6179 [--bind-dn BIND_DN]
6180 [--bind-passwd BIND_PASSWD]
6181 AGMT_NAME
6182 AGMT_NAME
6185 The name of the replication agreement
6186 --suffix SUFFIX
6189 The DN of the replication suffix
6190 --bind-dn BIND_DN
6193 The DN to use to authenticate to the consumer
6194 --bind-passwd BIND_PASSWD
6197 The password for the bind DN
6198
6201 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6202 AGMT_NAME
6205 The name of the replication agreement
6206 --suffix SUFFIX
6209 The DN of the replication suffix
6210
6213 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host
6214 HOST
6215 --port PORT --conn-protocol
6216 CONN_PROTOCOL [--bind-dn
6217 BIND_DN]
6218 [--bind-passwd BIND_PASSWD]
6219 --bind-method BIND_METHOD
6220 [--frac-list FRAC_LIST]
6221 [--frac-list-total
6222 FRAC_LIST_TOTAL]
6223 [--strip-list STRIP_LIST]
6224 [--schedule SCHEDULE]
6225 [--conn-timeout CONN_TIMEOUT]
6226 [--protocol-timeout PROTO‐
6227 COL_TIMEOUT]
6228 [--wait-async-results
6229 WAIT_ASYNC_RESULTS]
6230 [--busy-wait-time
6231 BUSY_WAIT_TIME]
6232 [--session-pause-time SES‐
6233 SION_PAUSE_TIME]
6234 [--flow-control-window
6235 FLOW_CONTROL_WINDOW]
6236 [--flow-control-pause FLOW_CON‐
6237 TROL_PAUSE]
6238 [--init]
6239 AGMT_NAME
6240 AGMT_NAME
6243 The name of the replication agreement
6244 --suffix SUFFIX
6247 The DN of the replication suffix
6248 --host HOST
6251 The hostname of the remote replica
6252 --port PORT
6255 The port number of the remote replica
6256 --conn-protocol CONN_PROTOCOL
6259 The replication connection protocol: LDAP, LDAPS, or StartTLS
6260 --bind-dn BIND_DN
6263 The Bind DN the agreement uses to authenticate to the replica
6264 --bind-passwd BIND_PASSWD
6267 The credentials for the Bind DN
6268 --bind-method BIND_METHOD
6271 The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or
6272 "SASL/GSSAPI"
6273 --frac-list FRAC_LIST
6276 List of attributes to NOT replicate to the consumer during
6277 incremental updates
6278 --frac-list-total FRAC_LIST_TOTAL
6281 List of attributes to NOT replicate during a total initializa‐
6282 tion
6283 --strip-list STRIP_LIST
6286 A list of attributes that are removed from updates only if the
6287 event would otherwise be empty. Typically this is set to "modi‐
6288 fiersname" and "modifytimestmap"
6289 --schedule SCHEDULE
6292 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6293 0-6 (Sunday - Saturday).
6294 --conn-timeout CONN_TIMEOUT
6297 The timeout used for replicaton connections
6298 --protocol-timeout PROTOCOL_TIMEOUT
6301 A timeout in seconds on how long to wait before stopping repli‐
6302 cation when the server is under load
6303 --wait-async-results WAIT_ASYNC_RESULTS
6306 The amount of time in milliseconds the server waits if the con‐
6307 sumer is not ready before resending data
6308 --busy-wait-time BUSY_WAIT_TIME
6311 The amount of time in seconds a supplier should wait after a
6312 consumer sends back a busy response before making another
6313 attempt to acquire access.
6314 --session-pause-time SESSION_PAUSE_TIME
6317 The amount of time in seconds a supplier should wait between
6318 update sessions.
6319 --flow-control-window FLOW_CONTROL_WINDOW
6322 Sets the maximum number of entries and updates sent by a sup‐
6323 plier, which are not acknowledged by the consumer.
6324 --flow-control-pause FLOW_CONTROL_PAUSE
6327 The time in milliseconds to pause after reaching the number of
6328 entries and updates set in "--flow-control-window"
6329 --init Initialize the agreement after creating it.
6332
6335 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6336 [--port PORT]
6337 [--conn-protocol CONN_PROTOCOL]
6338 [--bind-dn BIND_DN]
6339 [--bind-passwd BIND_PASSWD]
6340 [--bind-method BIND_METHOD]
6341 [--frac-list FRAC_LIST]
6342 [--frac-list-total
6343 FRAC_LIST_TOTAL]
6344 [--strip-list STRIP_LIST]
6345 [--schedule SCHEDULE]
6346 [--conn-timeout CONN_TIMEOUT]
6347 [--protocol-timeout PROTOCOL_TIME‐
6348 OUT]
6349 [--wait-async-results
6350 WAIT_ASYNC_RESULTS]
6351 [--busy-wait-time BUSY_WAIT_TIME]
6352 [--session-pause-time SES‐
6353 SION_PAUSE_TIME]
6354 [--flow-control-window FLOW_CON‐
6355 TROL_WINDOW]
6356 [--flow-control-pause FLOW_CON‐
6357 TROL_PAUSE]
6358 AGMT_NAME
6359 AGMT_NAME
6362 The name of the replication agreement
6363 --suffix SUFFIX
6366 The DN of the replication suffix
6367 --host HOST
6370 The hostname of the remote replica
6371 --port PORT
6374 The port number of the remote replica
6375 --conn-protocol CONN_PROTOCOL
6378 The replication connection protocol: LDAP, LDAPS, or StartTLS
6379 --bind-dn BIND_DN
6382 The Bind DN the agreement uses to authenticate to the replica
6383 --bind-passwd BIND_PASSWD
6386 The credentials for the Bind DN
6387 --bind-method BIND_METHOD
6390 The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or
6391 "SASL/GSSAPI"
6392 --frac-list FRAC_LIST
6395 List of attributes to NOT replicate to the consumer during
6396 incremental updates
6397 --frac-list-total FRAC_LIST_TOTAL
6400 List of attributes to NOT replicate during a total initializa‐
6401 tion
6402 --strip-list STRIP_LIST
6405 A list of attributes that are removed from updates only if the
6406 event would otherwise be empty. Typically this is set to "modi‐
6407 fiersname" and "modifytimestmap"
6408 --schedule SCHEDULE
6411 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6412 0-6 (Sunday - Saturday).
6413 --conn-timeout CONN_TIMEOUT
6416 The timeout used for replicaton connections
6417 --protocol-timeout PROTOCOL_TIMEOUT
6420 A timeout in seconds on how long to wait before stopping repli‐
6421 cation when the server is under load
6422 --wait-async-results WAIT_ASYNC_RESULTS
6425 The amount of time in milliseconds the server waits if the con‐
6426 sumer is not ready before resending data
6427 --busy-wait-time BUSY_WAIT_TIME
6430 The amount of time in seconds a supplier should wait after a
6431 consumer sends back a busy response before making another
6432 attempt to acquire access.
6433 --session-pause-time SESSION_PAUSE_TIME
6436 The amount of time in seconds a supplier should wait between
6437 update sessions.
6438 --flow-control-window FLOW_CONTROL_WINDOW
6441 Sets the maximum number of entries and updates sent by a sup‐
6442 plier, which are not acknowledged by the consumer.
6443 --flow-control-pause FLOW_CONTROL_PAUSE
6446 The time in milliseconds to pause after reaching the number of
6447 entries and updates set in "--flow-control-window"
6448
6451 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
6452 AGMT_NAME
6455 Get the replication configuration for this suffix DN
6456 --suffix SUFFIX
6459 The DN of the replication suffix
6460
6464 usage: dsconf instance repl-winsync-agmt [-h]
6465 {list,enable,dis‐
6466 able,init,init-status,poke,status,delete,create,set,get}
6467 ...
6468 Sub-commands
6471 dsconf repl-winsync-agmt list
6472 List all the replication winsync agreements
6473 dsconf repl-winsync-agmt enable
6475 Enable replication winsync agreement
6476 dsconf repl-winsync-agmt disable
6478 Disable replication winsync agreement
6479 dsconf repl-winsync-agmt init
6481 Initialize replication winsync agreement
6482 dsconf repl-winsync-agmt init-status
6484 Check the agreement initialization status
6485 dsconf repl-winsync-agmt poke
6487 Trigger replication to send updates now
6488 dsconf repl-winsync-agmt status
6490 Get the current status of the replication agreement
6491 dsconf repl-winsync-agmt delete
6493 Delete replication winsync agreement
6494 dsconf repl-winsync-agmt create
6496 Initialize replication winsync agreement
6497 dsconf repl-winsync-agmt set
6499 Set an attribute in the replication winsync agreement
6500 dsconf repl-winsync-agmt get
6502 Get replication configuration
6503
6505 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
6506 --suffix SUFFIX
6510 The DN of the suffix to look up replication winsync agreements
6511
6514 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
6515 AGMT_NAME
6516 AGMT_NAME
6519 The name of the replication winsync agreement
6520 --suffix SUFFIX
6523 The DN of the replication winsync suffix
6524
6527 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
6528 AGMT_NAME
6529 AGMT_NAME
6532 The name of the replication winsync agreement
6533 --suffix SUFFIX
6536 The DN of the replication winsync suffix
6537
6540 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
6541 AGMT_NAME
6542 AGMT_NAME
6545 The name of the replication winsync agreement
6546 --suffix SUFFIX
6549 The DN of the replication winsync suffix
6550
6553 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUF‐
6554 FIX
6555 AGMT_NAME
6556 AGMT_NAME
6559 The name of the replication agreement
6560 --suffix SUFFIX
6563 The DN of the replication suffix
6564
6567 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
6568 AGMT_NAME
6569 AGMT_NAME
6572 The name of the replication winsync agreement
6573 --suffix SUFFIX
6576 The DN of the replication winsync suffix
6577
6580 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
6581 AGMT_NAME
6582 AGMT_NAME
6585 The name of the replication agreement
6586 --suffix SUFFIX
6589 The DN of the replication suffix
6590
6593 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
6594 AGMT_NAME
6595 AGMT_NAME
6598 The name of the replication winsync agreement
6599 --suffix SUFFIX
6602 The DN of the replication winsync suffix
6603
6606 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
6607 --host
6608 HOST --port PORT
6609 --conn-protocol
6610 CONN_PROTOCOL
6611 --bind-dn BIND_DN
6612 --bind-passwd
6613 BIND_PASSWD
6614 [--frac-list FRAC_LIST]
6615 [--schedule SCHEDULE]
6616 --win-subtree WIN_SUB‐
6617 TREE
6618 --ds-subtree DS_SUBTREE
6619 --win-domain WIN_DOMAIN
6620 [--sync-users
6621 SYNC_USERS]
6622 [--sync-groups
6623 SYNC_GROUPS]
6624 [--sync-interval
6625 SYNC_INTERVAL]
6626 [--one-way-sync
6627 ONE_WAY_SYNC]
6628 [--move-action
6629 MOVE_ACTION]
6630 [--win-filter WIN_FIL‐
6631 TER]
6632 [--ds-filter DS_FILTER]
6633 [--subtree-pair SUB‐
6634 TREE_PAIR]
6635 [--conn-timeout
6636 CONN_TIMEOUT]
6637 [--busy-wait-time
6638 BUSY_WAIT_TIME]
6639 [--session-pause-time
6640 SESSION_PAUSE_TIME]
6641 [--init]
6642 AGMT_NAME
6643 AGMT_NAME
6646 The name of the replication winsync agreement
6647 --suffix SUFFIX
6650 The DN of the replication winsync suffix
6651 --host HOST
6654 The hostname of the AD server
6655 --port PORT
6658 The port number of the AD server
6659 --conn-protocol CONN_PROTOCOL
6662 The replication winsync connection protocol: LDAP, LDAPS, or
6663 StartTLS
6664 --bind-dn BIND_DN
6667 The Bind DN the agreement uses to authenticate to the AD Server
6668 --bind-passwd BIND_PASSWD
6671 The credentials for the Bind DN
6672 --frac-list FRAC_LIST
6675 List of attributes to NOT replicate to the consumer during
6676 incremental updates
6677 --schedule SCHEDULE
6680 Sets the replication update schedule
6681 --win-subtree WIN_SUBTREE
6684 The suffix of the AD Server
6685 --ds-subtree DS_SUBTREE
6688 The Directory Server suffix
6689 --win-domain WIN_DOMAIN
6692 The AD Domain
6693 --sync-users SYNC_USERS
6696 Synchronize Users between AD and DS
6697 --sync-groups SYNC_GROUPS
6700 Synchronize Groups between AD and DS
6701 --sync-interval SYNC_INTERVAL
6704 The interval that DS checks AD for changes in entries
6705 --one-way-sync ONE_WAY_SYNC
6708 Sets which direction to perform synchronization: "toWindows",
6709 "fromWindows", "both"
6710 --move-action MOVE_ACTION
6713 Sets instructions on how to handle moved or deleted entries:
6714 "none", "unsync", or "delete"
6715 --win-filter WIN_FILTER
6718 Custom filter for finding users in AD Server
6719 --ds-filter DS_FILTER
6722 Custom filter for finding AD users in DS Server
6723 --subtree-pair SUBTREE_PAIR
6726 Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
6727 --conn-timeout CONN_TIMEOUT
6730 The timeout used for replicaton connections
6731 --busy-wait-time BUSY_WAIT_TIME
6734 The amount of time in seconds a supplier should wait after a
6735 consumer sends back a busy response before making another
6736 attempt to acquire access.
6737 --session-pause-time SESSION_PAUSE_TIME
6740 The amount of time in seconds a supplier should wait between
6741 update sessions.
6742 --init Initialize the agreement after creating it.
6745
6748 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
6749 [--host HOST] [--port
6750 PORT]
6751 [--conn-protocol CONN_PRO‐
6752 TOCOL]
6753 [--bind-dn BIND_DN]
6754 [--bind-passwd
6755 BIND_PASSWD]
6756 [--frac-list FRAC_LIST]
6757 [--schedule SCHEDULE]
6758 [--win-subtree WIN_SUB‐
6759 TREE]
6760 [--ds-subtree DS_SUBTREE]
6761 [--win-domain WIN_DOMAIN]
6762 [--sync-users SYNC_USERS]
6763 [--sync-groups
6764 SYNC_GROUPS]
6765 [--sync-interval
6766 SYNC_INTERVAL]
6767 [--one-way-sync
6768 ONE_WAY_SYNC]
6769 [--move-action
6770 MOVE_ACTION]
6771 [--win-filter WIN_FILTER]
6772 [--ds-filter DS_FILTER]
6773 [--subtree-pair SUB‐
6774 TREE_PAIR]
6775 [--conn-timeout CONN_TIME‐
6776 OUT]
6777 [--busy-wait-time
6778 BUSY_WAIT_TIME]
6779 [--session-pause-time SES‐
6780 SION_PAUSE_TIME]
6781 AGMT_NAME
6782 AGMT_NAME
6785 The name of the replication winsync agreement
6786 --suffix SUFFIX
6789 The DN of the replication winsync suffix
6790 --host HOST
6793 The hostname of the AD server
6794 --port PORT
6797 The port number of the AD server
6798 --conn-protocol CONN_PROTOCOL
6801 The replication winsync connection protocol: LDAP, LDAPS, or
6802 StartTLS
6803 --bind-dn BIND_DN
6806 The Bind DN the agreement uses to authenticate to the AD Server
6807 --bind-passwd BIND_PASSWD
6810 The credentials for the Bind DN
6811 --frac-list FRAC_LIST
6814 List of attributes to NOT replicate to the consumer during
6815 incremental updates
6816 --schedule SCHEDULE
6819 Sets the replication update schedule
6820 --win-subtree WIN_SUBTREE
6823 The suffix of the AD Server
6824 --ds-subtree DS_SUBTREE
6827 The Directory Server suffix
6828 --win-domain WIN_DOMAIN
6831 The AD Domain
6832 --sync-users SYNC_USERS
6835 Synchronize Users between AD and DS
6836 --sync-groups SYNC_GROUPS
6839 Synchronize Groups between AD and DS
6840 --sync-interval SYNC_INTERVAL
6843 The interval that DS checks AD for changes in entries
6844 --one-way-sync ONE_WAY_SYNC
6847 Sets which direction to perform synchronization: "toWindows",
6848 "fromWindows", "both"
6849 --move-action MOVE_ACTION
6852 Sets instructions on how to handle moved or deleted entries:
6853 "none", "unsync", or "delete"
6854 --win-filter WIN_FILTER
6857 Custom filter for finding users in AD Server
6858 --ds-filter DS_FILTER
6861 Custom filter for finding AD users in DS Server
6862 --subtree-pair SUBTREE_PAIR
6865 Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
6866 --conn-timeout CONN_TIMEOUT
6869 The timeout used for replicaton connections
6870 --busy-wait-time BUSY_WAIT_TIME
6873 The amount of time in seconds a supplier should wait after a
6874 consumer sends back a busy response before making another
6875 attempt to acquire access.
6876 --session-pause-time SESSION_PAUSE_TIME
6879 The amount of time in seconds a supplier should wait between
6880 update sessions.
6881
6884 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
6885 AGMT_NAME
6886 AGMT_NAME
6889 Get the replication configuration for this suffix DN
6890 --suffix SUFFIX
6893 The DN of the replication suffix
6894
6898 usage: dsconf instance repl-tasks [-h]
6899 {cleanallruv,list-cleanruv-
6900 tasks,abort-cleanallruv,list-abortruv-tasks}
6901 ...
6902 Sub-commands
6905 dsconf repl-tasks cleanallruv
6906 Cleanup old/removed replica IDs
6907 dsconf repl-tasks list-cleanruv-tasks
6909 List all the running CleanAllRUV tasks
6910 dsconf repl-tasks abort-cleanallruv
6912 Abort cleanallruv tasks
6913 dsconf repl-tasks list-abortruv-tasks
6915 List all the running CleanAllRUV abort Tasks
6916
6918 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
6919 --replica-id REPLICA_ID
6920 [--force-cleaning]
6921 --suffix SUFFIX
6925 The Directory Server suffix
6926 --replica-id REPLICA_ID
6929 The replica ID to remove/clean
6930 --force-cleaning
6933 Ignore errors and do a best attempt to clean all the replicas
6934
6937 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
6938 SUFFIX]
6939 --suffix SUFFIX
6943 List only tasks from for suffix
6944
6947 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUF‐
6948 FIX
6949 --replica-id
6950 REPLICA_ID
6951 [--certify]
6952 --suffix SUFFIX
6956 The Directory Server suffix
6957 --replica-id REPLICA_ID
6960 The replica ID of the cleaning task to abort
6961 --certify
6964 Enforce that the abort task completed on all replicas
6965
6968 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
6969 SUFFIX]
6970 --suffix SUFFIX
6974 List only tasks from for suffix
6975
6979 usage: dsconf instance sasl [-h] {list,get-mechs,get,create,delete} ...
6980 Sub-commands
6983 dsconf sasl list
6984 List available SASL mappings
6985 dsconf sasl get-mechs
6987 List available SASL mechanisms
6988 dsconf sasl get
6990 get
6991 dsconf sasl create
6993 create
6994 dsconf sasl delete
6996 deletes the object
6997
6999 usage: dsconf instance sasl list [-h] [--details]
7000 --details
7004 Get each SASL Mapping in detail.
7005
7008 usage: dsconf instance sasl get-mechs [-h]
7009
7014 usage: dsconf instance sasl get [-h] [selector]
7015 selector
7018 SASL mapping name to get
7019
7023 usage: dsconf instance sasl create [-h] [--cn [CN]]
7024 [--nsSaslMapRegexString
7025 [NSSASLMAPREGEXSTRING]]
7026 [--nsSaslMapBaseDNTemplate
7027 [NSSASLMAPBASEDNTEMPLATE]]
7028 [--nsSaslMapFilterTemplate
7029 [NSSASLMAPFILTERTEMPLATE]]
7030 [--nsSaslMapPriority [NSSASLMAPPRI‐
7031 ORITY]]
7032 --cn [CN]
7036 Value of cn
7037 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7040 Value of nsSaslMapRegexString
7041 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7044 Value of nsSaslMapBaseDNTemplate
7045 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7048 Value of nsSaslMapFilterTemplate
7049 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7052 Value of nsSaslMapPriority
7053
7056 usage: dsconf instance sasl delete [-h] map_name
7057 map_name
7060 The SASL Mapping name ("cn" value)
7061
7066 usage: dsconf instance security [-h]
7067 {set,get,enable,disable,dis‐
7068 able_plain_port,certificate,ca-certificate,rsa,ciphers}
7069 ...
7070 Sub-commands
7073 dsconf security set
7074 Set general security options
7075 dsconf security get
7077 Get general security options
7078 dsconf security enable
7080 Enable security
7081 dsconf security disable
7083 Disable security
7084 dsconf security disable_plain_port
7086 Disables the plain text LDAP port, allowing only LDAPS to func‐
7087 tion
7088 dsconf security certificate
7090 Manage TLS certificates
7091 dsconf security ca-certificate
7093 Manage TLS Certificate Authorities
7094 dsconf security rsa
7096 Query and manipulate RSA security options
7097 dsconf security ciphers
7099 Manage secure ciphers
7100
7102 usage: dsconf instance security set [-h] [--security SECURITY]
7103 [--listen-host LISTEN_HOST]
7104 [--secure-port SECURE_PORT]
7105 [--tls-client-auth TLS_CLIENT_AUTH]
7106 [--tls-client-renegotiation
7107 TLS_CLIENT_RENEGOTIATION]
7108 [--require-secure-authentication
7109 REQUIRE_SECURE_AUTHENTICATION]
7110 [--check-hostname CHECK_HOSTNAME]
7111 [--verify-cert-chain-on-startup
7112 VERIFY_CERT_CHAIN_ON_STARTUP]
7113 [--session-timeout SESSION_TIMEOUT]
7114 [--tls-protocol-min TLS_PROTO‐
7115 COL_MIN]
7116 [--tls-protocol-max TLS_PROTO‐
7117 COL_MAX]
7118 [--allow-insecure-ciphers
7119 ALLOW_INSECURE_CIPHERS]
7120 [--allow-weak-dh-param
7121 ALLOW_WEAK_DH_PARAM]
7122 [--cipher-pref CIPHER_PREF]
7123 Use this command for setting security related options located in
7125 cn=config and cn=encryption,cn=config.
7126 To enable/disable security you can use enable and disable commands
7128 instead.
7129 --security SECURITY
7133 Enable or disable security (nsslapd-security)
7134 --listen-host LISTEN_HOST
7137 Host/address to listen on for LDAPS (nsslapd-securelistenhost)
7138 --secure-port SECURE_PORT
7141 Port for LDAPS to listen on (nsslapd-securePort)
7142 --tls-client-auth TLS_CLIENT_AUTH
7145 Client authentication requirement (nsSSLClientAuth)
7146 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7149 Allow client TLS renegotiation (nsTLSAllowClientRenegotiation)
7150 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7153 Require binds over LDAPS, StartTLS, or SASL (nss‐
7154 lapd-require-secure-binds)
7155 --check-hostname CHECK_HOSTNAME
7158 Check Subject of remote certificate against the hostname (nss‐
7159 lapd-ssl-check- hostname)
7160 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7163 Validate server certificate during startup (nsslapd-vali‐
7164 date-cert)
7165 --session-timeout SESSION_TIMEOUT
7168 Secure session timeout (nsSSLSessionTimeout)
7169 --tls-protocol-min TLS_PROTOCOL_MIN
7172 Secure protocol minimal allowed version (sslVersionMin)
7173 --tls-protocol-max TLS_PROTOCOL_MAX
7176 Secure protocol maximal allowed version (sslVersionMax)
7177 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7180 Allow weak ciphers for legacy use (allowWeakCipher)
7181 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7184 Allow short DH params for legacy use (allowWeakDHParam)
7185 --cipher-pref CIPHER_PREF
7188 Use this command to directly set nsSSL3Ciphers attribute. It is
7189 a comma separated list of cipher names (prefixed with + or -),
7190 optionally including +all or -all. The attribute may optionally
7191 be prefixed by keyword default. Please refer to documentation
7192 of the attribute for a more detailed description.
7193 (nsSSL3Ciphers)
7194
7197 usage: dsconf instance security get [-h]
7198
7203 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7204 If missing, create security database, then turn on security functional‐
7206 ity. Please note this is usually not enough for TLS connections to work
7207 - proper setup of CA and server certificate is necessary.
7208 --cert-name CERT_NAME
7212 The name of the certificate the server should use
7213
7216 usage: dsconf instance security disable [-h]
7217 Turn off security functionality. The rest of the configuration will be
7219 left untouched.
7220
7225 usage: dsconf instance security disable_plain_port [-h]
7226
7231 usage: dsconf instance security certificate [-h]
7232 {add,set-trust-
7233 flags,del,get,list}
7234 ...
7235 Sub-commands
7238 dsconf security certificate add
7239 Add a server certificate
7240 dsconf security certificate set-trust-flags
7242 Set the Trust flags
7243 dsconf security certificate del
7245 Delete a certificate
7246 dsconf security certificate get
7248 Get a server certificate's information
7249 dsconf security certificate list
7251 List the server certificates
7252
7254 usage: dsconf instance security certificate add [-h] --file FILE --name
7255 NAME
7256 [--primary-cert]
7257 Add a server certificate to the NSS database
7259 --file FILE
7263 The file name of the certificate
7264 --name NAME
7267 The name/nickname of the certificate
7268 --primary-cert
7271 Set this certificate as the server's certificate
7272
7275 usage: dsconf instance security certificate set-trust-flags
7276 [-h] --flags FLAGS name
7277 Change the trust flags of a server certificate
7279 name The name/nickname of the certificate
7282 --flags FLAGS
7285 The trust flags for the server certificate
7286
7289 usage: dsconf instance security certificate del [-h] name
7290 Delete a certificate from the NSS database
7292 name The name/nickname of the certificate
7295
7299 usage: dsconf instance security certificate get [-h] name
7300 Get detailed information about a certificate, like trust attributes,
7302 expiration dates, Subject and Issuer DNs
7303 name The name/nickname of the certificate
7306
7310 usage: dsconf instance security certificate list [-h]
7311 List the server certificates in the NSS database
7313
7319 usage: dsconf instance security ca-certificate [-h]
7320 {add,set-trust-
7321 flags,del,get,list}
7322 ...
7323 Sub-commands
7326 dsconf security ca-certificate add
7327 Add a Certificate Authority
7328 dsconf security ca-certificate set-trust-flags
7330 Set the Trust flags
7331 dsconf security ca-certificate del
7333 Delete a certificate
7334 dsconf security ca-certificate get
7336 Get a Certificate Authority's information
7337 dsconf security ca-certificate list
7339 List the Certificate Authorities
7340
7342 usage: dsconf instance security ca-certificate add [-h] --file FILE
7343 --name
7344 NAME
7345 Add a Certificate Authority to the NSS database
7347 --file FILE
7351 The file name of the CA certificate
7352 --name NAME
7355 The name/nickname of the CA certificate
7356
7359 usage: dsconf instance security ca-certificate set-trust-flags
7360 [-h] --flags FLAGS name
7361 Change the trust attributes of a CA certificate. Certificate Authori‐
7363 ties typically use "CT,,"
7364 name The name/nickname of the CA certificate
7367 --flags FLAGS
7370 The trust flags for the CA certificate
7371
7374 usage: dsconf instance security ca-certificate del [-h] name
7375 Delete a CA certificate from the NSS database
7377 name The name/nickname of the CA certificate
7380
7384 usage: dsconf instance security ca-certificate get [-h] name
7385 Get detailed information about a CA certificate, like trust attributes,
7387 expiration dates, Subject and Issuer DN
7388 name The name/nickname of the CA certificate
7391
7395 usage: dsconf instance security ca-certificate list [-h]
7396 List the CA certificates in the NSS database
7398
7404 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
7405 Sub-commands
7408 dsconf security rsa set
7409 Set RSA security options
7410 dsconf security rsa get
7412 Get RSA security options
7413 dsconf security rsa enable
7415 Enable RSA
7416 dsconf security rsa disable
7418 Disable RSA
7419
7421 usage: dsconf instance security rsa set [-h]
7422 [--tls-allow-rsa-certificates
7423 TLS_ALLOW_RSA_CERTIFICATES]
7424 [--nss-cert-name NSS_CERT_NAME]
7425 [--nss-token NSS_TOKEN]
7426 Use this command for setting RSA (private key) related options located
7428 in cn=RSA,cn=encryption,cn=config.
7429 To enable/disable RSA you can use enable and disable commands instead.
7431 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
7435 Activate use of RSA certificates (nsSSLActivation)
7436 --nss-cert-name NSS_CERT_NAME
7439 Server certificate name in NSS DB (nsSSLPersonalitySSL)
7440 --nss-token NSS_TOKEN
7443 Security token name (module of NSS DB) (nsSSLToken)
7444
7447 usage: dsconf instance security rsa get [-h]
7448
7453 usage: dsconf instance security rsa enable [-h]
7454
7459 usage: dsconf instance security rsa disable [-h]
7460
7466 usage: dsconf instance security ciphers [-h] {enable,dis‐
7467 able,get,set,list} ...
7468 Sub-commands
7471 dsconf security ciphers enable
7472 Enable ciphers
7473 dsconf security ciphers disable
7475 Disable ciphers
7476 dsconf security ciphers get
7478 Get ciphers attribute
7479 dsconf security ciphers set
7481 Set ciphers attribute
7482 dsconf security ciphers list
7484 List ciphers
7485
7487 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
7488 Use this command to enable specific ciphers.
7490 cipher
7493
7496 usage: dsconf instance security ciphers disable [-h] cipher [cipher
7497 ...]
7498 Use this command to disable specific ciphers.
7500 cipher
7503
7506 usage: dsconf instance security ciphers get [-h]
7507 Use this command to get contents of nsSSL3Ciphers attribute.
7509
7514 usage: dsconf instance security ciphers set [-h] cipher-string
7515 Use this command to directly set nsSSL3Ciphers attribute. It is a comma
7517 separated list of cipher names (prefixed with + or -), optionally
7518 including +all or -all. The attribute may optionally be prefixed by
7519 keyword default. Please refer to documentation of the attribute for a
7520 more detailed description.
7521 cipher-string
7524
7527 usage: dsconf instance security ciphers list [-h]
7528 [--enabled | --supported |
7529 --disabled]
7530 List secure ciphers. Without arguments, list ciphers as configured in
7532 nsSSL3Ciphers attribute.
7533 --enabled
7537 Only enabled ciphers
7538 --supported
7541 Only supported ciphers
7542 --disabled
7545 Only supported ciphers without enabled ciphers
7546
7551 usage: dsconf instance schema [-h]
7552 {list,attributetypes,objectclasses,match‐
7553 ingrules,reload,validate-syntax}
7554 ...
7555 Sub-commands
7558 dsconf schema list
7559 List all schema objects on this system
7560 dsconf schema attributetypes
7562 Work with attribute types on this system
7563 dsconf schema objectclasses
7565 Work with objectClasses on this system
7566 dsconf schema matchingrules
7568 Work with matching rules on this system
7569 dsconf schema reload
7571 Dynamically reload schema while server is running
7572 dsconf schema validate-syntax
7574 Run a task to check every modification to attributes to make
7575 sure that the new value has the required syntax for that
7576 attribute type
7577
7579 usage: dsconf instance schema list [-h]
7580
7585 usage: dsconf instance schema attributetypes [-h]
7586 {get_syn‐
7587 taxes,list,query,add,replace,remove}
7588 ...
7589 Sub-commands
7592 dsconf schema attributetypes get_syntaxes
7593 List all available attribute type syntaxes
7594 dsconf schema attributetypes list
7596 List available attribute types on this system
7597 dsconf schema attributetypes query
7599 Query an attribute to determine object classes that may or must
7600 take it
7601 dsconf schema attributetypes add
7603 Add an attribute type to this system
7604 dsconf schema attributetypes replace
7606 Replace an attribute type on this system
7607 dsconf schema attributetypes remove
7609 Remove an attribute type on this system
7610
7612 usage: dsconf instance schema attributetypes get_syntaxes [-h]
7613
7618 usage: dsconf instance schema attributetypes list [-h]
7619
7624 usage: dsconf instance schema attributetypes query [-h] [name]
7625 name Attribute type to query
7628
7632 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
7633 [--desc DESC]
7634 [--x-origin X_ORIGIN]
7635 [--aliases ALIASES
7636 [ALIASES ...]]
7637 [--single-value]
7638 [--multi-value]
7639 [--no-user-mod]
7640 [--user-mod]
7641 [--equality EQUALITY]
7642 [--substr SUBSTR]
7643 [--ordering ORDERING]
7644 [--usage USAGE]
7645 [--sup SUP [SUP ...]]
7646 --syntax SYNTAX
7647 name
7648 name NAME of the object
7651 --oid OID
7654 OID assigned to the object
7655 --desc DESC
7658 Description text(DESC) of the object
7659 --x-origin X_ORIGIN
7662 Provides information about where the attribute type is defined
7663 --aliases ALIASES [ALIASES ...]
7666 Additional NAMEs of the object.
7667 --single-value
7670 True if the matching rule must have only one valueOnly one of
7671 the flags this or --multi-value should be specified
7672 --multi-value
7675 True if the matching rule may have multiple values (default)Only
7676 one of the flags this or --single-value should be specified
7677 --no-user-mod
7680 True if the attribute is not modifiable by a client applica‐
7681 tionOnly one of the flags this or --user-mod should be specified
7682 --user-mod
7685 True if the attribute is modifiable by a client application
7686 (default)Only one of the flags this or --no-user-mode should be
7687 specified
7688 --equality EQUALITY
7691 NAME or OID of the matching rule used for checkingwhether
7692 attribute values are equal
7693 --substr SUBSTR
7696 NAME or OID of the matching rule used for checkingwhether an
7697 attribute value contains another value
7698 --ordering ORDERING
7701 NAME or OID of the matching rule used for checkingwhether
7702 attribute values are lesser - equal than
7703 --usage USAGE
7706 The flag indicates how the attribute type is to be used. Choose
7707 from the list: userApplications (default), directoryOperation,
7708 distributedOperation, dSAOperation
7709 --sup SUP [SUP ...]
7712 The list of NAMEs or OIDs of attribute typesthis attribute type
7713 is derived from
7714 --syntax SYNTAX
7717 OID of the LDAP syntax assigned to the attribute
7718
7721 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
7722 [--desc DESC]
7723 [--x-origin X_ORI‐
7724 GIN]
7725 [--aliases ALIASES
7726 [ALIASES ...]]
7727 [--single-value]
7728 [--multi-value]
7729 [--no-user-mod]
7730 [--user-mod]
7731 [--equality EQUAL‐
7732 ITY]
7733 [--substr SUBSTR]
7734 [--ordering ORDER‐
7735 ING]
7736 [--usage USAGE]
7737 [--sup SUP [SUP
7738 ...]]
7739 [--syntax SYNTAX]
7740 name
7741 name NAME of the object
7744 --oid OID
7747 OID assigned to the object
7748 --desc DESC
7751 Description text(DESC) of the object
7752 --x-origin X_ORIGIN
7755 Provides information about where the attribute type is defined
7756 --aliases ALIASES [ALIASES ...]
7759 Additional NAMEs of the object.
7760 --single-value
7763 True if the matching rule must have only one valueOnly one of
7764 the flags this or --multi-value should be specified
7765 --multi-value
7768 True if the matching rule may have multiple values (default)Only
7769 one of the flags this or --single-value should be specified
7770 --no-user-mod
7773 True if the attribute is not modifiable by a client applica‐
7774 tionOnly one of the flags this or --user-mod should be specified
7775 --user-mod
7778 True if the attribute is modifiable by a client application
7779 (default)Only one of the flags this or --no-user-mode should be
7780 specified
7781 --equality EQUALITY
7784 NAME or OID of the matching rule used for checkingwhether
7785 attribute values are equal
7786 --substr SUBSTR
7789 NAME or OID of the matching rule used for checkingwhether an
7790 attribute value contains another value
7791 --ordering ORDERING
7794 NAME or OID of the matching rule used for checkingwhether
7795 attribute values are lesser - equal than
7796 --usage USAGE
7799 The flag indicates how the attribute type is to be used. Choose
7800 from the list: userApplications (default), directoryOperation,
7801 distributedOperation, dSAOperation
7802 --sup SUP [SUP ...]
7805 The list of NAMEs or OIDs of attribute typesthis attribute type
7806 is derived from
7807 --syntax SYNTAX
7810 OID of the LDAP syntax assigned to the attribute
7811
7814 usage: dsconf instance schema attributetypes remove [-h] name
7815 name NAME of the object
7818
7823 usage: dsconf instance schema objectclasses [-h]
7824 {list,query,add,replace,remove}
7825 ...
7826 Sub-commands
7829 dsconf schema objectclasses list
7830 List available objectClasses on this system
7831 dsconf schema objectclasses query
7833 Query an objectClass
7834 dsconf schema objectclasses add
7836 Add an objectClass to this system
7837 dsconf schema objectclasses replace
7839 Replace an objectClass on this system
7840 dsconf schema objectclasses remove
7842 Remove an objectClass on this system
7843
7845 usage: dsconf instance schema objectclasses list [-h]
7846
7851 usage: dsconf instance schema objectclasses query [-h] [name]
7852 name ObjectClass to query
7855
7859 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
7860 [--desc DESC]
7861 [--x-origin X_ORIGIN]
7862 [--must MUST [MUST
7863 ...]]
7864 [--may MAY [MAY ...]]
7865 [--kind KIND]
7866 [--sup SUP [SUP ...]]
7867 name
7868 name NAME of the object
7871 --oid OID
7874 OID assigned to the object
7875 --desc DESC
7878 Description text(DESC) of the object
7879 --x-origin X_ORIGIN
7882 Provides information about where the attribute type is defined
7883 --must MUST [MUST ...]
7886 NAMEs or OIDs of all attributes an entry of the object must have
7887 --may MAY [MAY ...]
7890 NAMEs or OIDs of additional attributes an entry of the object
7891 may have
7892 --kind KIND
7895 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
7896 --sup SUP [SUP ...]
7899 NAMEs or OIDs of object classes this object is derived from
7900
7903 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
7904 [--desc DESC]
7905 [--x-origin X_ORI‐
7906 GIN]
7907 [--must MUST [MUST
7908 ...]]
7909 [--may MAY [MAY
7910 ...]]
7911 [--kind KIND]
7912 [--sup SUP [SUP
7913 ...]]
7914 name
7915 name NAME of the object
7918 --oid OID
7921 OID assigned to the object
7922 --desc DESC
7925 Description text(DESC) of the object
7926 --x-origin X_ORIGIN
7929 Provides information about where the attribute type is defined
7930 --must MUST [MUST ...]
7933 NAMEs or OIDs of all attributes an entry of the object must have
7934 --may MAY [MAY ...]
7937 NAMEs or OIDs of additional attributes an entry of the object
7938 may have
7939 --kind KIND
7942 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
7943 --sup SUP [SUP ...]
7946 NAMEs or OIDs of object classes this object is derived from
7947
7950 usage: dsconf instance schema objectclasses remove [-h] name
7951 name NAME of the object
7954
7959 usage: dsconf instance schema matchingrules [-h] {list,query} ...
7960 Sub-commands
7963 dsconf schema matchingrules list
7964 List available matching rules on this system
7965 dsconf schema matchingrules query
7967 Query a matching rule
7968
7970 usage: dsconf instance schema matchingrules list [-h]
7971
7976 usage: dsconf instance schema matchingrules query [-h] [name]
7977 name Matching rule to query
7980
7985 usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
7986 -d SCHEMADIR, --schemadir SCHEMADIR
7990 directory where schema files are located
7991 --wait Wait for the reload task to complete
7994
7997 usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN
7998 DN Base DN that contains entries to validate
8001 -f FILTER, --filter FILTER
8004 Filter for entries to validate. If omitted, all entries with
8005 filter "(objectclass=*)" are validated
8006
8010 usage: dsconf instance repl-conflict [-h]
8011 {list,compare,delete,swap,con‐
8012 vert,list-glue,delete-glue,convert-glue}
8013 ...
8014 Sub-commands
8017 dsconf repl-conflict list
8018 List conflict entries
8019 dsconf repl-conflict compare
8021 Compare the conflict entry with its valid counterpart
8022 dsconf repl-conflict delete
8024 Delete a conflict entry
8025 dsconf repl-conflict swap
8027 Replace the valid entry with the conflict entry
8028 dsconf repl-conflict convert
8030 Convert the conflict entry to a valid entry, while keeping the
8031 original valid entry counterpart. This requires that the con‐
8032 verted conflict entry have a new RDN value. For example:
8033 "cn=my_new_rdn_value".
8034 dsconf repl-conflict list-glue
8036 List replication glue entries
8037 dsconf repl-conflict delete-glue
8039 Delete the glue entry and its child entries
8040 dsconf repl-conflict convert-glue
8042 Convert the glue entry into a regular entry
8043
8045 usage: dsconf instance repl-conflict list [-h] suffix
8046 suffix The backend name, or suffix, to look for conflict entries
8049
8053 usage: dsconf instance repl-conflict compare [-h] DN
8054 DN The DN of the conflict entry
8057
8061 usage: dsconf instance repl-conflict delete [-h] DN
8062 DN The DN of the conflict entry
8065
8069 usage: dsconf instance repl-conflict swap [-h] DN
8070 DN The DN of the conflict entry
8073
8077 usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
8078 DN The DN of the conflict entry
8081 --new-rdn NEW_RDN
8084 The new RDN for the converted conflict entry. For example:
8085 "cn=my_new_rdn_value"
8086
8089 usage: dsconf instance repl-conflict list-glue [-h] suffix
8090 suffix The backend name, or suffix, to look for glue entries
8093
8097 usage: dsconf instance repl-conflict delete-glue [-h] DN
8098 DN The DN of the glue entry
8101
8105 usage: dsconf instance repl-conflict convert-glue [-h] DN
8106 DN The DN of the glue entry
8109 -v, --verbose
8114 Display verbose operation tracing during command execution
8115 -D BINDDN, --binddn BINDDN
8118 The account to bind as for executing operations
8119 -w BINDPW, --bindpw BINDPW
8122 Password for binddn
8123 -W, --prompt
8126 Prompt for password for the bind DN
8127 -y PWDFILE, --pwdfile PWDFILE
8130 Specifies a file containing the password for the binddn
8131 -b BASEDN, --basedn BASEDN
8134 Basedn (root naming context) of the instance to manage
8135 -Z, --starttls
8138 Connect with StartTLS
8139 -j, --json
8142 Return result in JSON object
8143
8146 lib389 was written by Red Hat Inc. <389-devel@lists.fedoraproject.org>.
8147
8149 The latest version of lib389 may be downloaded from
8150 ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
8151 Manual dsconf(8)