1dsconf(8) System Manager's Manual dsconf(8)
2
6 dsconf
7
9 dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
10 [-Z] [-j] instance {backend,backup,chaining,config,directory_man‐
11 ager,monitor,plugin,pwpolicy,localpwp,replication,repl-agmt,repl-win‐
12 sync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
13
15 instance
16 The name of the instance or its LDAP URL, such as
17 ldap://server.example.com:389
18 Sub-commands
21 dsconf backend
22 Manage database suffixes and backends
23 dsconf backup
25 Manage online backups
26 dsconf chaining
28 Manage database chaining and database links
29 dsconf config
31 Manage the server configuration
32 dsconf directory_manager
34 Manage the Directory Manager account
35 dsconf monitor
37 Monitor the state of the instance
38 dsconf plugin
40 Manage plug-ins available on the server
41 dsconf pwpolicy
43 Manage the global password policy settings
44 dsconf localpwp
46 Manage the local user and subtree password policies
47 dsconf replication
49 Manage replication for a suffix
50 dsconf repl-agmt
52 Manage replication agreements
53 dsconf repl-winsync-agmt
55 Manage Winsync agreements
56 dsconf repl-tasks
58 Manage replication tasks
59 dsconf sasl
61 Manage SASL mappings
62 dsconf security
64 Manage security settings
65 dsconf schema
67 Manage the directory schema
68 dsconf repl-conflict
70 Manage replication conflicts
71
73 usage: dsconf instance backend [-h]
74 {suffix,index,vlv-index,attr-en‐
75 crypt,config,monitor,import,export,create,delete,get-tree,compact-db}
76 ...
77 Sub-commands
80 dsconf backend suffix
81 Manage backend suffixes
82 dsconf backend index
84 Manage backend indexes
85 dsconf backend vlv-index
87 Manage VLV searches and indexes
88 dsconf backend attr-encrypt
90 Manage encrypted attribute settings
91 dsconf backend config
93 Manage the global database configuration settings
94 dsconf backend monitor
96 Displays global database or suffix monitoring information
97 dsconf backend import
99 Online import of a suffix
100 dsconf backend export
102 Online export of a suffix
103 dsconf backend create
105 Create a backend database
106 dsconf backend delete
108 Delete a backend database
109 dsconf backend get-tree
111 Display the suffix tree
112 dsconf backend compact-db
114 Compact the database and the replication changelog
115
117 usage: dsconf instance backend suffix [-h]
118 {list,get,get-dn,get-sub-suf‐
119 fixes,set}
120 ...
121 Sub-commands
124 dsconf backend suffix list
125 List active backends and suffixes
126 dsconf backend suffix get
128 Display the suffix entry
129 dsconf backend suffix get-dn
131 Display the DN of a backend
132 dsconf backend suffix get-sub-suffixes
134 Display sub-suffixes
135 dsconf backend suffix set
137 Set configuration settings for a specific backend
138
140 usage: dsconf instance backend suffix list [-h] [--suffix]
141 [--skip-subsuffixes]
142 --suffix
146 Displays the suffixes without backend name
147 --skip-subsuffixes
150 Displays the list of suffixes without sub-suffixes
151
154 usage: dsconf instance backend suffix get [-h] [selector]
155 selector
158 The backend database name to search for
159
163 usage: dsconf instance backend suffix get-dn [-h] [dn]
164 dn The DN to the database entry in cn=ldbm database,cn=plug‐
167 ins,cn=config
168
172 usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
173 be_name
174 be_name
177 The backend name or suffix
178 --suffix
181 Displays the list of suffixes without backend name
182
185 usage: dsconf instance backend suffix set [-h] [--enable-readonly]
186 [--disable-readonly]
187 [--require-index] [--ignore-
188 index]
189 [--add-referral ADD_REFERRAL]
190 [--del-referral DEL_REFERRAL]
191 [--enable] [--disable]
192 [--cache-size CACHE_SIZE]
193 [--cache-memsize CACHE_MEM‐
194 SIZE]
195 [--dncache-memsize
196 DNCACHE_MEMSIZE]
197 [--state STATE]
198 be_name
199 be_name
202 The backend name or suffix
203 --enable-readonly
206 Enables read-only mode for the backend database
207 --disable-readonly
210 Disables read-only mode for the backend database
211 --require-index
214 Allows only indexed searches
215 --ignore-index
218 Allows all searches even if they are unindexed
219 --add-referral ADD_REFERRAL
222 Adds an LDAP referral to the backend
223 --del-referral DEL_REFERRAL
226 Removes an LDAP referral from the backend
227 --enable
230 Enables the backend database
231 --disable
234 Disables the backend database
235 --cache-size CACHE_SIZE
238 Sets the maximum number of entries to keep in the entry cache
239 --cache-memsize CACHE_MEMSIZE
242 Sets the maximum size in bytes that the entry cache can grow to
243 --dncache-memsize DNCACHE_MEMSIZE
246 Sets the maximum size in bytes that the DN cache can grow to
247 --state STATE
250 Changes the backend state to: "database", "disabled", "refer‐
251 ral", or "referral on update"
252
256 usage: dsconf instance backend index [-h]
257 {add,set,get,list,delete,reindex}
258 ...
259 Sub-commands
262 dsconf backend index add
263 Add an index
264 dsconf backend index set
266 Update an index
267 dsconf backend index get
269 Display an index entry
270 dsconf backend index list
272 Display the index
273 dsconf backend index delete
275 Delete an index
276 dsconf backend index reindex
278 Re-index the database for a single index or all indexes
279
281 usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
282 [--matching-rule MATCH‐
283 ING_RULE]
284 [--reindex] --attr ATTR
285 be_name
286 be_name
289 The backend name or suffix
290 --index-type INDEX_TYPE
293 Sets the indexing type (eq, sub, pres, or approx)
294 --matching-rule MATCHING_RULE
297 Sets the matching rule for the index
298 --reindex
301 Re-indexes the database after adding a new index
302 --attr ATTR
305 Sets the attribute name to index
306
309 usage: dsconf instance backend index set [-h] --attr ATTR
310 [--add-type ADD_TYPE]
311 [--del-type DEL_TYPE]
312 [--add-mr ADD_MR] [--del-mr
313 DEL_MR]
314 [--reindex]
315 be_name
316 be_name
319 The backend name or suffix
320 --attr ATTR
323 Sets the indexed attribute to update
324 --add-type ADD_TYPE
327 Adds an index type to the index (eq, sub, pres, or approx)
328 --del-type DEL_TYPE
331 Removes an index type from the index: (eq, sub, pres, or approx)
332 --add-mr ADD_MR
335 Adds a matching-rule to the index
336 --del-mr DEL_MR
339 Removes a matching-rule from the index
340 --reindex
343 Re-indexes the database after editing the index
344
347 usage: dsconf instance backend index get [-h] --attr ATTR be_name
348 be_name
351 The backend name or suffix
352 --attr ATTR
355 Sets the index name to display
356
359 usage: dsconf instance backend index list [-h] [--just-names] be_name
360 be_name
363 The backend name or suffix
364 --just-names
367 Displays only the names of indexed attributes
368
371 usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
372 be_name
375 The backend name or suffix
376 --attr ATTR
379 Sets the name of the attribute to delete from the index
380
383 usage: dsconf instance backend index reindex [-h] [--attr ATTR]
384 [--wait]
385 be_name
386 be_name
389 The backend name or suffix
390 --attr ATTR
393 Sets the name of the attribute to re-index. Omit this argument
394 to re-index all attributes
395 --wait Waits for the index task to complete and reports the status
398
402 usage: dsconf instance backend vlv-index [-h]
403 {list,get,add-search,edit-
404 search,del-search,add-index,del-index,reindex}
405 ...
406 Sub-commands
409 dsconf backend vlv-index list
410 List VLV search and index entries
411 dsconf backend vlv-index get
413 Display a VLV search and indexes
414 dsconf backend vlv-index add-search
416 Add a VLV search entry. The search entry is the parent entry of
417 the VLV index entries, and it specifies the search parameters
418 that are used to match entries for those indexes.
419 dsconf backend vlv-index edit-search
421 Update a VLV search and index
422 dsconf backend vlv-index del-search
424 Delete VLV search & index
425 dsconf backend vlv-index add-index
427 Create a VLV index under a VLV search entry (parent entry). The
428 VLV index specifies the attributes to sort
429 dsconf backend vlv-index del-index
431 Delete a VLV index under a VLV search entry (parent entry)
432 dsconf backend vlv-index reindex
434 Index/re-index the VLV database index
435
437 usage: dsconf instance backend vlv-index list [-h] [--just-names]
438 be_name
439 be_name
442 The backend name of the VLV index
443 --just-names
446 Displays only the names of VLV search entries
447
450 usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
451 be_name
454 The backend name of the VLV index
455 --name NAME
458 Displays the VLV search entry and its index entries
459
462 usage: dsconf instance backend vlv-index add-search [-h] --name NAME
463 --search-base
464 SEARCH_BASE
465 --search-scope
466 SEARCH_SCOPE
467 --search-filter
468 SEARCH_FILTER
469 be_name
470 be_name
473 The backend name of the VLV index
474 --name NAME
477 Sets the name of the VLV search entry
478 --search-base SEARCH_BASE
481 Sets the VLV search base
482 --search-scope SEARCH_SCOPE
485 Sets the VLV search scope: 0 (base search), 1 (one-level
486 search), or 2 (subtree search)
487 --search-filter SEARCH_FILTER
490 Sets the VLV search filter
491
494 usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
495 [--search-base
496 SEARCH_BASE]
497 [--search-scope
498 SEARCH_SCOPE]
499 [--search-filter
500 SEARCH_FILTER]
501 [--reindex]
502 be_name
503 be_name
506 The backend name of the VLV index to update
507 --name NAME
510 Sets the name of the VLV index
511 --search-base SEARCH_BASE
514 Sets the VLV search base
515 --search-scope SEARCH_SCOPE
518 Sets the VLV search scope: 0 (base search), 1 (one-level
519 search), or 2 (subtree search)
520 --search-filter SEARCH_FILTER
523 Sets the VLV search filter
524 --reindex
527 Re-indexes all VLV database indexes
528
531 usage: dsconf instance backend vlv-index del-search [-h] --name NAME
532 be_name
533 be_name
536 The backend name of the VLV index
537 --name NAME
540 Sets the name of the VLV search index
541
544 usage: dsconf instance backend vlv-index add-index [-h] --parent-name
545 PARENT_NAME --index-
546 name
547 INDEX_NAME --sort
548 SORT
549 [--index-it]
550 be_name
551 be_name
554 The backend name of the VLV index
555 --parent-name PARENT_NAME
558 Sets the name or "cn" attribute of the parent VLV search entry
559 --index-name INDEX_NAME
562 Sets the name of the new VLV index
563 --sort SORT
566 Sets a space-separated list of attributes to sort for this VLV
567 index
568 --index-it
571 Creates the database index for this VLV index definition
572
575 usage: dsconf instance backend vlv-index del-index [-h] --parent-name
576 PARENT_NAME
577 [--index-name IN‐
578 DEX_NAME]
579 [--sort SORT]
580 be_name
581 be_name
584 The backend name of the VLV index
585 --parent-name PARENT_NAME
588 Sets the name or "cn" attribute value of the parent VLV search
589 entry
590 --index-name INDEX_NAME
593 Sets the name of the VLV index to delete
594 --sort SORT
597 Delete a VLV index that has this vlvsort value
598
601 usage: dsconf instance backend vlv-index reindex [-h]
602 [--index-name IN‐
603 DEX_NAME]
604 --parent-name PAR‐
605 ENT_NAME
606 be_name
607 be_name
610 The backend name of the VLV index
611 --index-name INDEX_NAME
614 Sets the name of the VLV index entry to re-index. If not set,
615 all indexes are re-indexed
616 --parent-name PARENT_NAME
619 Sets the name or "cn" attribute value of the parent VLV search
620 entry
621
625 usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-
626 names]
627 [--add-attr ADD_ATTR]
628 [--del-attr DEL_ATTR]
629 be_name
630 be_name
633 The backend name or suffix
634 --list Lists all encrypted attributes in the backend
637 --just-names
640 List only the names of the encrypted attributes when used with
641 --list
642 --add-attr ADD_ATTR
645 Enables encryption for the specified attribute
646 --del-attr DEL_ATTR
649 Disables encryption for the specified attribute
650
653 usage: dsconf instance backend config [-h] {get,set} ...
654 Sub-commands
657 dsconf backend config get
658 Display the global database configuration
659 dsconf backend config set
661 Set the global database configuration
662
664 usage: dsconf instance backend config get [-h]
665
670 usage: dsconf instance backend config set [-h]
671 [--lookthroughlimit LOOK‐
672 THROUGHLIMIT]
673 [--mode MODE]
674 [--idlistscanlimit
675 IDLISTSCANLIMIT]
676 [--directory DIRECTORY]
677 [--dbcachesize DBCACHESIZE]
678 [--logdirectory LOGDIRECTORY]
679 [--durable-txn DURABLE_TXN]
680 [--txn-wait TXN_WAIT]
681 [--checkpoint-interval CHECK‐
682 POINT_INTERVAL]
683 [--compactdb-interval COM‐
684 PACTDB_INTERVAL]
685 [--compactdb-time COM‐
686 PACTDB_TIME]
687 [--txn-batch-val
688 TXN_BATCH_VAL]
689 [--txn-batch-min
690 TXN_BATCH_MIN]
691 [--txn-batch-max
692 TXN_BATCH_MAX]
693 [--logbufsize LOGBUFSIZE]
694 [--locks LOCKS]
695 [--locks-monitoring-enabled
696 LOCKS_MONITORING_ENABLED]
697 [--locks-monitoring-threshold
698 LOCKS_MONITORING_THRESHOLD]
699 [--locks-monitoring-pause
700 LOCKS_MONITORING_PAUSE]
701 [--import-cache-autosize IM‐
702 PORT_CACHE_AUTOSIZE]
703 [--cache-autosize CACHE_AUTO‐
704 SIZE]
705 [--cache-autosize-split
706 CACHE_AUTOSIZE_SPLIT]
707 [--import-cachesize IM‐
708 PORT_CACHESIZE]
709 [--exclude-from-export EX‐
710 CLUDE_FROM_EXPORT]
711 [--pagedlookthroughlimit
712 PAGEDLOOKTHROUGHLIMIT]
713 [--pagedidlistscanlimit PAGE‐
714 DIDLISTSCANLIMIT]
715 [--rangelookthroughlimit
716 RANGELOOKTHROUGHLIMIT]
717 [--backend-opt-level BACK‐
718 END_OPT_LEVEL]
719 [--deadlock-policy DEAD‐
720 LOCK_POLICY]
721 [--db-home-directory
722 DB_HOME_DIRECTORY]
723 --lookthroughlimit LOOKTHROUGHLIMIT
727 Specifies the maximum number of entries that the server will
728 check when examining candidate entries in response to a search
729 request
730 --mode MODE
733 Specifies the permissions used for newly created index files
734 --idlistscanlimit IDLISTSCANLIMIT
737 Specifies the number of entry IDs that are searched during a
738 search operation
739 --directory DIRECTORY
742 Specifies absolute path to database instance
743 --dbcachesize DBCACHESIZE
746 Specifies the database index cache size in bytes
747 --logdirectory LOGDIRECTORY
750 Specifies the path to the directory that contains the database
751 transaction logs
752 --durable-txn DURABLE_TXN
755 Enables or disables whether database transaction log entries are
756 immediately written to the disk
757 --txn-wait TXN_WAIT
760 Sets whether the server should should wait if there are no db
761 locks available
762 --checkpoint-interval CHECKPOINT_INTERVAL
765 Sets the amount of time in seconds after which the server sends
766 a checkpoint entry to the database transaction log
767 --compactdb-interval COMPACTDB_INTERVAL
770 Sets the interval in seconds when the database is compacted
771 --compactdb-time COMPACTDB_TIME
774 Sets the time (HH:MM format) of day when to compact the database
775 after the "compactdb interval" has been reached
776 --txn-batch-val TXN_BATCH_VAL
779 Specifies how many transactions will be batched before being
780 committed
781 --txn-batch-min TXN_BATCH_MIN
784 Controls when transactions should be flushed earliest, indepen‐
785 dently of the batch count. Requires that txn-batch-val is set
786 --txn-batch-max TXN_BATCH_MAX
789 Controls when transactions should be flushed latest, indepen‐
790 dently of the batch count. Requires that txn-batch-val is set)
791 --logbufsize LOGBUFSIZE
794 Specifies the transaction log information buffer size
795 --locks LOCKS
798 Sets the maximum number of database locks
799 --locks-monitoring-enabled LOCKS_MONITORING_ENABLED
802 Enables or disables monitoring of DB locks when the value
803 crosses the percentage set with "--locks-monitoring-threshold"
804 --locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD
807 Sets the DB lock exhaustion threshold in percentage (valid range
808 is 70-90). When the threshold is reached, all searches are
809 aborted until the number of active locks decreases below the
810 configured threshold and/or the administrator increases the num‐
811 ber of database locks (nsslapd-db-locks). This threshold is a
812 safeguard against DB corruption which might be caused by locks
813 exhaustion.
814 --locks-monitoring-pause LOCKS_MONITORING_PAUSE
817 Sets the DB lock monitoring value in milliseconds for the amount
818 of time that the monitoring thread spends waiting between
819 checks.
820 --import-cache-autosize IMPORT_CACHE_AUTOSIZE
823 Enables or disables to automatically set the size of the import
824 cache to be used during the import process of LDIF files
825 --cache-autosize CACHE_AUTOSIZE
828 Sets the percentage of free memory that is used in total for the
829 database and entry cache. "0" disables this feature.
830 --cache-autosize-split CACHE_AUTOSIZE_SPLIT
833 Sets the percentage of RAM that is used for the database cache.
834 The remaining percentage is used for the entry cache
835 --import-cachesize IMPORT_CACHESIZE
838 Sets the size in bytes of the database cache used in the import
839 process.
840 --exclude-from-export EXCLUDE_FROM_EXPORT
843 List of attributes to not include during database export opera‐
844 tions
845 --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
848 Specifies the maximum number of entries that the server will
849 check when examining candidate entries for a search which uses
850 the simple paged results control
851 --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
854 Specifies the number of entry IDs that are searched, specifi‐
855 cally, for a search operation using the simple paged results
856 control.
857 --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
860 Specifies the maximum number of entries that the server will
861 check when examining candidate entries in response to a range
862 search request.
863 --backend-opt-level BACKEND_OPT_LEVEL
866 Sets the backend optimization level for write performance (0, 1,
867 2, or 4). WARNING: This parameter can trigger experimental
868 code.
869 --deadlock-policy DEADLOCK_POLICY
872 Adjusts the backend database deadlock policy (Advanced setting)
873 --db-home-directory DB_HOME_DIRECTORY
876 Sets the directory for the database mmapped files (Advanced set‐
877 ting)
878
882 usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
883 --suffix SUFFIX
887 Displays monitoring information only for the specified suffix
888
891 usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
892 [-g GEN_UNIQ_ID] [-O]
893 [-s INCLUDE_SUFFIXES [IN‐
894 CLUDE_SUFFIXES ...]]
895 [-x EXCLUDE_SUFFIXES [EX‐
896 CLUDE_SUFFIXES ...]]
897 [be_name] [ldifs ...]
898 be_name
901 The backend name or the root suffix
902 ldifs Specifies the filename of the input LDIF files. Multiple files
905 are imported in the specified order.
906 -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
909 The number of chunks to have during the import operation
910 -E, --encrypted
913 Encrypt attributes configured in the database for encryption
914 -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
917 Generate a unique id. Set "none" for no unique ID to be gener‐
918 ated and "deterministic" for the generated unique ID to be
919 name-based. By default, a time-based unique ID is generated.
920 When using the deterministic generation to have a name-based
921 unique ID, it is also possible to specify the namespace for the
922 server to use. namespaceId is a string of characters in the for‐
923 mat 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.
924 -O, --only-core
927 Creates only the core database attribute indexes
928 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
931 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
932 Specifies the suffixes or the subtrees to be included
933 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
936 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
937 Specifies the suffixes to be excluded
938
941 usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
942 [-N] [-r]
943 [-u] [-U]
944 [-s INCLUDE_SUFFIXES [IN‐
945 CLUDE_SUFFIXES ...]]
946 [-x EXCLUDE_SUFFIXES [EX‐
947 CLUDE_SUFFIXES ...]]
948 be_names [be_names ...]
949 be_names
952 The backend names or the root suffixes
953 -l LDIF, --ldif LDIF
956 Sets the filename of the output LDIF file. Separate multiple
957 file names with spaces.
958 -C, --use-id2entry
961 Uses only the main database file
962 -E, --encrypted
965 Decrypts encrypted data during export. This option is used only
966 if database encryption is enabled.
967 -m, --min-base64
970 Sets minimal base-64 encoding
971 -N, --no-seq-num
974 Suppresses printing the sequence numbers
975 -r, --replication
978 Exports the data with information required to initialize a
979 replica
980 -u, --no-dump-uniq-id
983 Omits exporting the unique ID
984 -U, --not-folded
987 Disables folding the output
988 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
991 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
992 Specifies the suffixes or the subtrees to be included
993 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
996 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
997 Specifies the suffixes to be excluded
998
1001 usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUF‐
1002 FIX]
1003 --suffix SUFFIX --be-name BE_NAME
1004 [--create-entries] [--create-suf‐
1005 fix]
1006 --parent-suffix PARENT_SUFFIX
1010 Sets the parent suffix only if this backend is a sub-suffix
1011 --suffix SUFFIX
1014 Sets the database suffix DN
1015 --be-name BE_NAME
1018 Sets the database backend name"
1019 --create-entries
1022 Adds sample entries to the database
1023 --create-suffix
1026 Creates the suffix object entry in the database. Only suffixes
1027 using the 'dc',
1028
1031 usage: dsconf instance backend delete [-h] be_name
1032 be_name
1035 The backend name or suffix
1036
1040 usage: dsconf instance backend get-tree [-h]
1041
1046 usage: dsconf instance backend compact-db [-h] [--only-changelog]
1047 --only-changelog
1051 Compacts only the replication change log
1052
1056 usage: dsconf instance backup [-h] {create,restore} ...
1057 Sub-commands
1060 dsconf backup create
1061 Creates a backup of the database
1062 dsconf backup restore
1064 Restores a database from a backup
1065
1067 usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]
1068 archive
1071 Sets the directory where to store the backup files. Format: in‐
1072 stance_name- year_month_date_hour_minutes_seconds. Default:
1073 /var/lib/dirsrv/slapd- instance/bak/
1074 -t DB_TYPE, --db-type DB_TYPE
1077 Sets the database type. Default: ldbm database
1078
1081 usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive
1082 archive
1085 Set the directory that contains the backup files
1086 -t DB_TYPE, --db-type DB_TYPE
1089 Sets the database type. Default: ldbm database
1090
1094 usage: dsconf instance chaining [-h]
1095 {config-get,config-set,config-get-
1096 def,config-set-def,link-create,link-get,link-set,link-delete,moni‐
1097 tor,link-list}
1098 ...
1099 Sub-commands
1102 dsconf chaining config-get
1103 Display the chaining controls and server component lists
1104 dsconf chaining config-set
1106 Set the chaining controls and server component lists
1107 dsconf chaining config-get-def
1109 Display the default creation parameters for new database links
1110 dsconf chaining config-set-def
1112 Set the default creation parameters for new database links
1113 dsconf chaining link-create
1115 Create a database link to a remote server
1116 dsconf chaining link-get
1118 Displays chaining database links
1119 dsconf chaining link-set
1121 Edit a database link to a remote server
1122 dsconf chaining link-delete
1124 Delete a database link
1125 dsconf chaining monitor
1127 Display monitor information for a database chaining link
1128 dsconf chaining link-list
1130 List database links
1131
1133 usage: dsconf instance chaining config-get [-h] [--avail-controls]
1134 [--avail-comps]
1135 --avail-controls
1139 Lists available chaining controls
1140 --avail-comps
1143 Lists available chaining plugin components
1144
1147 usage: dsconf instance chaining config-set [-h] [--add-control ADD_CON‐
1148 TROL]
1149 [--del-control DEL_CONTROL]
1150 [--add-comp ADD_COMP]
1151 [--del-comp DEL_COMP]
1152 --add-control ADD_CONTROL
1156 Adds a transmitted control OID
1157 --del-control DEL_CONTROL
1160 Deletes a transmitted control OID
1161 --add-comp ADD_COMP
1164 Adds a chaining component
1165 --del-comp DEL_COMP
1168 Deletes a chaining component
1169
1172 usage: dsconf instance chaining config-get-def [-h]
1173
1178 usage: dsconf instance chaining config-set-def [-h]
1179 [--conn-bind-limit
1180 CONN_BIND_LIMIT]
1181 [--conn-op-limit
1182 CONN_OP_LIMIT]
1183 [--abandon-check-inter‐
1184 val ABANDON_CHECK_INTERVAL]
1185 [--bind-limit
1186 BIND_LIMIT]
1187 [--op-limit OP_LIMIT]
1188 [--proxied-auth PROX‐
1189 IED_AUTH]
1190 [--conn-lifetime
1191 CONN_LIFETIME]
1192 [--bind-timeout
1193 BIND_TIMEOUT]
1194 [--return-ref RE‐
1195 TURN_REF]
1196 [--check-aci CHECK_ACI]
1197 [--bind-attempts
1198 BIND_ATTEMPTS]
1199 [--size-limit
1200 SIZE_LIMIT]
1201 [--time-limit
1202 TIME_LIMIT]
1203 [--hop-limit HOP_LIMIT]
1204 [--response-delay RE‐
1205 SPONSE_DELAY]
1206 [--test-response-delay
1207 TEST_RESPONSE_DELAY]
1208 [--use-starttls
1209 USE_STARTTLS]
1210 --conn-bind-limit CONN_BIND_LIMIT
1214 Sets the maximum number of BIND connections the database link
1215 establishes with the remote server
1216 --conn-op-limit CONN_OP_LIMIT
1219 Sets the maximum number of LDAP connections the database link
1220 establishes with the remote server
1221 --abandon-check-interval ABANDON_CHECK_INTERVAL
1224 Sets the number of seconds that pass before the server checks
1225 for abandoned operations
1226 --bind-limit BIND_LIMIT
1229 Sets the maximum number of concurrent bind operations per TCP
1230 connection
1231 --op-limit OP_LIMIT
1234 Sets the maximum number of concurrent operations allowed
1235 --proxied-auth PROXIED_AUTH
1238 Enables or disables proxied authorization. If set to "off", the
1239 server executes bind for chained operations as the user set in
1240 the nsMultiplexorBindDn attribute.
1241 --conn-lifetime CONN_LIFETIME
1244 Specifies connection lifetime in seconds. "0" keeps the connec‐
1245 tion open forever.
1246 --bind-timeout BIND_TIMEOUT
1249 Sets the amount of time in seconds before a bind attempt times
1250 out
1251 --return-ref RETURN_REF
1254 Enables or disables whether referrals are returned by scoped
1255 searches
1256 --check-aci CHECK_ACI
1259 Enables or disables whether the server evaluates ACIs on the
1260 database link as well as the remote data server
1261 --bind-attempts BIND_ATTEMPTS
1264 Sets the number of times the server tries to bind to the remote
1265 server
1266 --size-limit SIZE_LIMIT
1269 Sets the maximum number of entries to return from a search oper‐
1270 ation
1271 --time-limit TIME_LIMIT
1274 Sets the maximum number of seconds allowed for an operation
1275 --hop-limit HOP_LIMIT
1278 Sets the maximum number of times a database is allowed to chain.
1279 That is the number of times a request can be forwarded from one
1280 database link to another.
1281 --response-delay RESPONSE_DELAY
1284 Sets the maximum amount of time it can take a remote server to
1285 respond to an LDAP operation request made by a database link be‐
1286 fore an error is suspected
1287 --test-response-delay TEST_RESPONSE_DELAY
1290 Sets the duration of the test issued by the database link to
1291 check whether the remote server is responding
1292 --use-starttls USE_STARTTLS
1295 Configured that database links use StartTLS if set to "on"
1296
1299 usage: dsconf instance chaining link-create [-h]
1300 [--conn-bind-limit
1301 CONN_BIND_LIMIT]
1302 [--conn-op-limit
1303 CONN_OP_LIMIT]
1304 [--abandon-check-interval
1305 ABANDON_CHECK_INTERVAL]
1306 [--bind-limit BIND_LIMIT]
1307 [--op-limit OP_LIMIT]
1308 [--proxied-auth PROX‐
1309 IED_AUTH]
1310 [--conn-lifetime CONN_LIFE‐
1311 TIME]
1312 [--bind-timeout BIND_TIME‐
1313 OUT]
1314 [--return-ref RETURN_REF]
1315 [--check-aci CHECK_ACI]
1316 [--bind-attempts BIND_AT‐
1317 TEMPTS]
1318 [--size-limit SIZE_LIMIT]
1319 [--time-limit TIME_LIMIT]
1320 [--hop-limit HOP_LIMIT]
1321 [--response-delay RE‐
1322 SPONSE_DELAY]
1323 [--test-response-delay
1324 TEST_RESPONSE_DELAY]
1325 [--use-starttls USE_START‐
1326 TLS]
1327 --suffix SUFFIX --server-
1328 url
1329 SERVER_URL --bind-mech
1330 BIND_MECH
1331 --bind-dn BIND_DN --bind-pw
1332 BIND_PW
1333 CHAIN_NAME
1334 CHAIN_NAME
1337 The name of the database link
1338 --conn-bind-limit CONN_BIND_LIMIT
1341 Sets the maximum number of BIND connections the database link
1342 establishes with the remote server
1343 --conn-op-limit CONN_OP_LIMIT
1346 Sets the maximum number of LDAP connections the database link
1347 establishes with the remote server
1348 --abandon-check-interval ABANDON_CHECK_INTERVAL
1351 Sets the number of seconds that pass before the server checks
1352 for abandoned operations
1353 --bind-limit BIND_LIMIT
1356 Sets the maximum number of concurrent bind operations per TCP
1357 connection
1358 --op-limit OP_LIMIT
1361 Sets the maximum number of concurrent operations allowed
1362 --proxied-auth PROXIED_AUTH
1365 Enables or disables proxied authorization. If set to "off", the
1366 server executes bind for chained operations as the user set in
1367 the nsMultiplexorBindDn attribute.
1368 --conn-lifetime CONN_LIFETIME
1371 Specifies connection lifetime in seconds. "0" keeps the connec‐
1372 tion open forever.
1373 --bind-timeout BIND_TIMEOUT
1376 Sets the amount of time in seconds before a bind attempt times
1377 out
1378 --return-ref RETURN_REF
1381 Enables or disables whether referrals are returned by scoped
1382 searches
1383 --check-aci CHECK_ACI
1386 Enables or disables whether the server evaluates ACIs on the
1387 database link as well as the remote data server
1388 --bind-attempts BIND_ATTEMPTS
1391 Sets the number of times the server tries to bind to the remote
1392 server
1393 --size-limit SIZE_LIMIT
1396 Sets the maximum number of entries to return from a search oper‐
1397 ation
1398 --time-limit TIME_LIMIT
1401 Sets the maximum number of seconds allowed for an operation
1402 --hop-limit HOP_LIMIT
1405 Sets the maximum number of times a database is allowed to chain.
1406 That is the number of times a request can be forwarded from one
1407 database link to another.
1408 --response-delay RESPONSE_DELAY
1411 Sets the maximum amount of time it can take a remote server to
1412 respond to an LDAP operation request made by a database link be‐
1413 fore an error is suspected
1414 --test-response-delay TEST_RESPONSE_DELAY
1417 Sets the duration of the test issued by the database link to
1418 check whether the remote server is responding
1419 --use-starttls USE_STARTTLS
1422 Configured that database links use StartTLS if set to "on"
1423 --suffix SUFFIX
1426 Sets the suffix managed by the database link
1427 --server-url SERVER_URL
1430 Sets the LDAP/LDAPS URL to the remote server
1431 --bind-mech BIND_MECH
1434 Sets the authentication method to use to authenticate to the re‐
1435 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1436 GEST-MD5", or "GSSAPI"
1437 --bind-dn BIND_DN
1440 Sets the DN of the administrative entry used to communicate with
1441 the remote server
1442 --bind-pw BIND_PW
1445 Sets the password of the administrative user
1446
1449 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1450 CHAIN_NAME
1453 The chaining link name or suffix to retrieve
1454
1458 usage: dsconf instance chaining link-set [-h]
1459 [--conn-bind-limit
1460 CONN_BIND_LIMIT]
1461 [--conn-op-limit
1462 CONN_OP_LIMIT]
1463 [--abandon-check-interval
1464 ABANDON_CHECK_INTERVAL]
1465 [--bind-limit BIND_LIMIT]
1466 [--op-limit OP_LIMIT]
1467 [--proxied-auth PROXIED_AUTH]
1468 [--conn-lifetime CONN_LIFE‐
1469 TIME]
1470 [--bind-timeout BIND_TIMEOUT]
1471 [--return-ref RETURN_REF]
1472 [--check-aci CHECK_ACI]
1473 [--bind-attempts BIND_AT‐
1474 TEMPTS]
1475 [--size-limit SIZE_LIMIT]
1476 [--time-limit TIME_LIMIT]
1477 [--hop-limit HOP_LIMIT]
1478 [--response-delay RESPONSE_DE‐
1479 LAY]
1480 [--test-response-delay
1481 TEST_RESPONSE_DELAY]
1482 [--use-starttls USE_STARTTLS]
1483 [--suffix SUFFIX]
1484 [--server-url SERVER_URL]
1485 [--bind-mech BIND_MECH]
1486 [--bind-dn BIND_DN]
1487 [--bind-pw BIND_PW]
1488 CHAIN_NAME
1489 CHAIN_NAME
1492 The name of the database link
1493 --conn-bind-limit CONN_BIND_LIMIT
1496 Sets the maximum number of BIND connections the database link
1497 establishes with the remote server
1498 --conn-op-limit CONN_OP_LIMIT
1501 Sets the maximum number of LDAP connections the database link
1502 establishes with the remote server
1503 --abandon-check-interval ABANDON_CHECK_INTERVAL
1506 Sets the number of seconds that pass before the server checks
1507 for abandoned operations
1508 --bind-limit BIND_LIMIT
1511 Sets the maximum number of concurrent bind operations per TCP
1512 connection
1513 --op-limit OP_LIMIT
1516 Sets the maximum number of concurrent operations allowed
1517 --proxied-auth PROXIED_AUTH
1520 Enables or disables proxied authorization. If set to "off", the
1521 server executes bind for chained operations as the user set in
1522 the nsMultiplexorBindDn attribute.
1523 --conn-lifetime CONN_LIFETIME
1526 Specifies connection lifetime in seconds. "0" keeps the connec‐
1527 tion open forever.
1528 --bind-timeout BIND_TIMEOUT
1531 Sets the amount of time in seconds before a bind attempt times
1532 out
1533 --return-ref RETURN_REF
1536 Enables or disables whether referrals are returned by scoped
1537 searches
1538 --check-aci CHECK_ACI
1541 Enables or disables whether the server evaluates ACIs on the
1542 database link as well as the remote data server
1543 --bind-attempts BIND_ATTEMPTS
1546 Sets the number of times the server tries to bind to the remote
1547 server
1548 --size-limit SIZE_LIMIT
1551 Sets the maximum number of entries to return from a search oper‐
1552 ation
1553 --time-limit TIME_LIMIT
1556 Sets the maximum number of seconds allowed for an operation
1557 --hop-limit HOP_LIMIT
1560 Sets the maximum number of times a database is allowed to chain.
1561 That is the number of times a request can be forwarded from one
1562 database link to another.
1563 --response-delay RESPONSE_DELAY
1566 Sets the maximum amount of time it can take a remote server to
1567 respond to an LDAP operation request made by a database link be‐
1568 fore an error is suspected
1569 --test-response-delay TEST_RESPONSE_DELAY
1572 Sets the duration of the test issued by the database link to
1573 check whether the remote server is responding
1574 --use-starttls USE_STARTTLS
1577 Configured that database links use StartTLS if set to "on"
1578 --suffix SUFFIX
1581 Sets the suffix managed by the database link
1582 --server-url SERVER_URL
1585 Sets the LDAP/LDAPS URL to the remote server
1586 --bind-mech BIND_MECH
1589 Sets the authentication method to use to authenticate to the re‐
1590 mote server: Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1591 GEST-MD5", or "GSSAPI"
1592 --bind-dn BIND_DN
1595 Sets the DN of the administrative entry used to communicate with
1596 the remote server
1597 --bind-pw BIND_PW
1600 Sets the password of the administrative user
1601
1604 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1605 CHAIN_NAME
1608 The name of the database link
1609
1613 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1614 CHAIN_NAME
1617 The name of the database link
1618
1622 usage: dsconf instance chaining link-list [-h]
1623
1629 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1630 Sub-commands
1633 dsconf config get
1634 get
1635 dsconf config add
1637 Add attribute value to configuration
1638 dsconf config replace
1640 Replace attribute value in configuration
1641 dsconf config delete
1643 Delete attribute value in configuration
1644
1646 usage: dsconf instance config get [-h] [attrs ...]
1647 attrs Configuration attribute(s) to get
1650
1654 usage: dsconf instance config add [-h] [attr ...]
1655 attr Configuration attribute to add
1658
1662 usage: dsconf instance config replace [-h] [attr ...]
1663 attr Configuration attribute to replace
1666
1670 usage: dsconf instance config delete [-h] [attr ...]
1671 attr Configuration attribute to delete
1674
1679 usage: dsconf instance directory_manager [-h] {password_change} ...
1680 Sub-commands
1683 dsconf directory_manager password_change
1684 Changes the password of the Directory Manager account
1685
1687 usage: dsconf instance directory_manager password_change [-h]
1688
1694 usage: dsconf instance monitor [-h]
1695 {server,dbmon,ldbm,backend,snmp,chain‐
1696 ing,disk}
1697 ...
1698 Sub-commands
1701 dsconf monitor server
1702 Displays the server statistics, connections, and operations
1703 dsconf monitor dbmon
1705 Monitor all database statistics in a single report
1706 dsconf monitor ldbm
1708 Monitor the LDBM statistics, such as dbcache
1709 dsconf monitor backend
1711 Monitor the behavior of a backend database
1712 dsconf monitor snmp
1714 Displays the SNMP statistics
1715 dsconf monitor chaining
1717 Monitor database chaining statistics
1718 dsconf monitor disk
1720 Displays the disk space statistics. All values are in bytes.
1721
1723 usage: dsconf instance monitor server [-h]
1724
1729 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1730 -b BACKENDS, --backends BACKENDS
1734 Specifies a list of space-separated backends to monitor. Default
1735 is all backends.
1736 -x, --indexes
1739 Shows index stats for each backend
1740
1743 usage: dsconf instance monitor ldbm [-h]
1744
1749 usage: dsconf instance monitor backend [-h] [backend]
1750 backend
1753 The optional name of the backend to monitor
1754
1758 usage: dsconf instance monitor snmp [-h]
1759
1764 usage: dsconf instance monitor chaining [-h] [backend]
1765 backend
1768 The optional name of the chaining backend to monitor
1769
1773 usage: dsconf instance monitor disk [-h]
1774
1780 usage: dsconf instance plugin [-h]
1781 {memberof,automember,referential-integ‐
1782 rity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-en‐
1783 tries,pass-through-auth,retro-changelog,posix-winsync,con‐
1784 tentsync,list,show,set}
1785 ...
1786 Sub-commands
1789 dsconf plugin memberof
1790 Manage and configure MemberOf plugin
1791 dsconf plugin automember
1793 Manage and configure Automembership plugin
1794 dsconf plugin referential-integrity
1796 Manage and configure Referential Integrity Postoperation plugin
1797 dsconf plugin root-dn
1799 Manage and configure RootDN Access Control plugin
1800 dsconf plugin usn
1802 Manage and configure USN plugin
1803 dsconf plugin account-policy
1805 Manage and configure Account Policy plugin
1806 dsconf plugin attr-uniq
1808 Manage and configure Attribute Uniqueness plugin
1809 dsconf plugin dna
1811 Manage and configure DNA plugin
1812 dsconf plugin linked-attr
1814 Manage and configure Linked Attributes plugin
1815 dsconf plugin managed-entries
1817 Manage and configure Managed Entries Plugin
1818 dsconf plugin pass-through-auth
1820 Manage and configure Pass-Through Authentication plugins (URLs
1821 and PAM)
1822 dsconf plugin retro-changelog
1824 Manage and configure Retro Changelog plugin
1825 dsconf plugin posix-winsync
1827 Manage and configure the Posix Winsync API plugin
1828 dsconf plugin contentsync
1830 Manage and configure Content Sync Plugin (aka syncrepl)
1831 dsconf plugin list
1833 List current configured (enabled and disabled) plugins
1834 dsconf plugin show
1836 Show the plugin data
1837 dsconf plugin set
1839 Edit the plugin settings
1840
1842 usage: dsconf instance plugin memberof [-h]
1843 {show,enable,disable,sta‐
1844 tus,set,config-entry,fixup}
1845 ...
1846 Sub-commands
1849 dsconf plugin memberof show
1850 Displays the plugin configuration
1851 dsconf plugin memberof enable
1853 Enables the plugin
1854 dsconf plugin memberof disable
1856 Disables the plugin
1857 dsconf plugin memberof status
1859 Displays the plugin status
1860 dsconf plugin memberof set
1862 Edit the plugin settings
1863 dsconf plugin memberof config-entry
1865 Manage the config entry
1866 dsconf plugin memberof fixup
1868 Run the fix-up task for memberOf plugin
1869
1871 usage: dsconf instance plugin memberof show [-h]
1872
1877 usage: dsconf instance plugin memberof enable [-h]
1878
1883 usage: dsconf instance plugin memberof disable [-h]
1884
1889 usage: dsconf instance plugin memberof status [-h]
1890
1895 usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
1896 [--groupattr GROUPATTR
1897 [GROUPATTR ...]]
1898 [--allbackends {on,off}]
1899 [--skipnested {on,off}]
1900 [--scope SCOPE [SCOPE ...]]
1901 [--exclude EXCLUDE [EXCLUDE
1902 ...]]
1903 [--autoaddoc AUTOADDOC]
1904 [--config-entry CONFIG_EN‐
1905 TRY]
1906 --attr ATTR
1910 Specifies the attribute in the user entry for the Directory
1911 Server to manage to reflect group membership (memberOfAttr)
1912 --groupattr GROUPATTR [GROUPATTR ...]
1915 Specifies the attribute in the group entry to use to identify
1916 the DNs of group members (memberOfGroupAttr)
1917 --allbackends {on,off}
1920 Specifies whether to search the local suffix for user entries on
1921 all available suffixes (memberOfAllBackends)
1922 --skipnested {on,off}
1925 Specifies whether to skip nested groups or not (memberOfSkip‐
1926 Nested)
1927 --scope SCOPE [SCOPE ...]
1930 Specifies backends or multiple-nested suffixes for the MemberOf
1931 plug-in to work on (memberOfEntryScope)
1932 --exclude EXCLUDE [EXCLUDE ...]
1935 Specifies backends or multiple-nested suffixes for the MemberOf
1936 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1937 --autoaddoc AUTOADDOC
1940 If an entry does not have an object class that allows the mem‐
1941 berOf attribute then the memberOf plugin will automatically add
1942 the object class listed in the memberOfAutoAddOC parameter
1943 --config-entry CONFIG_ENTRY
1946 The value to set as nsslapd-pluginConfigArea
1947
1950 usage: dsconf instance plugin memberof config-entry [-h]
1951 {add,set,show,delete}
1952 ...
1953 Sub-commands
1956 dsconf plugin memberof config-entry add
1957 Add the config entry
1958 dsconf plugin memberof config-entry set
1960 Edit the config entry
1961 dsconf plugin memberof config-entry show
1963 Display the config entry
1964 dsconf plugin memberof config-entry delete
1966 Delete the config entry
1967
1969 usage: dsconf instance plugin memberof config-entry add [-h] [--attr
1970 ATTR]
1971 [--groupattr
1972 GROUPATTR [GROUPATTR ...]]
1973 [--allbackends
1974 {on,off}]
1975 [--skipnested
1976 {on,off}]
1977 [--scope SCOPE
1978 [SCOPE ...]]
1979 [--exclude EX‐
1980 CLUDE [EXCLUDE ...]]
1981 [--autoaddoc
1982 AUTOADDOC]
1983 DN
1984 DN The config entry full DN
1987 --attr ATTR
1990 Specifies the attribute in the user entry for the Directory
1991 Server to manage to reflect group membership (memberOfAttr)
1992 --groupattr GROUPATTR [GROUPATTR ...]
1995 Specifies the attribute in the group entry to use to identify
1996 the DNs of group members (memberOfGroupAttr)
1997 --allbackends {on,off}
2000 Specifies whether to search the local suffix for user entries on
2001 all available suffixes (memberOfAllBackends)
2002 --skipnested {on,off}
2005 Specifies whether to skip nested groups or not (memberOfSkip‐
2006 Nested)
2007 --scope SCOPE [SCOPE ...]
2010 Specifies backends or multiple-nested suffixes for the MemberOf
2011 plug-in to work on (memberOfEntryScope)
2012 --exclude EXCLUDE [EXCLUDE ...]
2015 Specifies backends or multiple-nested suffixes for the MemberOf
2016 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2017 --autoaddoc AUTOADDOC
2020 If an entry does not have an object class that allows the mem‐
2021 berOf attribute then the memberOf plugin will automatically add
2022 the object class listed in the memberOfAutoAddOC parameter
2023
2026 usage: dsconf instance plugin memberof config-entry set [-h] [--attr
2027 ATTR]
2028 [--groupattr
2029 GROUPATTR [GROUPATTR ...]]
2030 [--allbackends
2031 {on,off}]
2032 [--skipnested
2033 {on,off}]
2034 [--scope SCOPE
2035 [SCOPE ...]]
2036 [--exclude EX‐
2037 CLUDE [EXCLUDE ...]]
2038 [--autoaddoc
2039 AUTOADDOC]
2040 DN
2041 DN The config entry full DN
2044 --attr ATTR
2047 Specifies the attribute in the user entry for the Directory
2048 Server to manage to reflect group membership (memberOfAttr)
2049 --groupattr GROUPATTR [GROUPATTR ...]
2052 Specifies the attribute in the group entry to use to identify
2053 the DNs of group members (memberOfGroupAttr)
2054 --allbackends {on,off}
2057 Specifies whether to search the local suffix for user entries on
2058 all available suffixes (memberOfAllBackends)
2059 --skipnested {on,off}
2062 Specifies whether to skip nested groups or not (memberOfSkip‐
2063 Nested)
2064 --scope SCOPE [SCOPE ...]
2067 Specifies backends or multiple-nested suffixes for the MemberOf
2068 plug-in to work on (memberOfEntryScope)
2069 --exclude EXCLUDE [EXCLUDE ...]
2072 Specifies backends or multiple-nested suffixes for the MemberOf
2073 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2074 --autoaddoc AUTOADDOC
2077 If an entry does not have an object class that allows the mem‐
2078 berOf attribute then the memberOf plugin will automatically add
2079 the object class listed in the memberOfAutoAddOC parameter
2080
2083 usage: dsconf instance plugin memberof config-entry show [-h] DN
2084 DN The config entry full DN
2087
2091 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2092 DN The config entry full DN
2095
2100 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] DN
2101 DN Base DN that contains entries to fix up
2104 -f FILTER, --filter FILTER
2107 Filter for entries to fix up. If omitted, all entries with ob‐
2108 jectclass inetuser/inetadmin/nsmemberof under the specified base
2109 will have their memberOf attribute regenerated.
2110
2114 usage: dsconf instance plugin automember [-h]
2115 {show,enable,disable,sta‐
2116 tus,list,definition,fixup}
2117 ...
2118 Sub-commands
2121 dsconf plugin automember show
2122 Displays the plugin configuration
2123 dsconf plugin automember enable
2125 Enables the plugin
2126 dsconf plugin automember disable
2128 Disables the plugin
2129 dsconf plugin automember status
2131 Displays the plugin status
2132 dsconf plugin automember list
2134 List Automembership definitions or regex rules.
2135 dsconf plugin automember definition
2137 Manage Automembership definition.
2138 dsconf plugin automember fixup
2140 Run a rebuild membership task.
2141
2143 usage: dsconf instance plugin automember show [-h]
2144
2149 usage: dsconf instance plugin automember enable [-h]
2150
2155 usage: dsconf instance plugin automember disable [-h]
2156
2161 usage: dsconf instance plugin automember status [-h]
2162
2167 usage: dsconf instance plugin automember list [-h] {defini‐
2168 tions,regexes} ...
2169 Sub-commands
2172 dsconf plugin automember list definitions
2173 Lists Automembership definitions.
2174 dsconf plugin automember list regexes
2176 List Automembership regex rules.
2177
2179 usage: dsconf instance plugin automember list definitions [-h]
2180
2185 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2186 DEFNAME
2189 The definition entry CN
2190
2195 usage: dsconf instance plugin automember definition [-h]
2196 DEFNAME
2197 {add,set,delete,show,regex}
2198 ...
2199 DEFNAME
2202 The definition entry CN.
2203 Sub-commands
2206 dsconf plugin automember definition add
2207 Creates Automembership definition.
2208 dsconf plugin automember definition set
2210 Edits Automembership definition.
2211 dsconf plugin automember definition delete
2213 Removes Automembership definition.
2214 dsconf plugin automember definition show
2216 Displays Automembership definition.
2217 dsconf plugin automember definition regex
2219 Manage Automembership regex rules.
2220
2222 usage: dsconf instance plugin automember definition DEFNAME add
2223 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2224 FAULT_GROUP]
2225 --scope SCOPE --filter FILTER
2226 --grouping-attr GROUPING_ATTR
2230 Specifies the name of the member attribute in the group entry
2231 and the attribute in the object entry that supplies the member
2232 attribute value, in the format group_member_attr:entry_attr (au‐
2233 toMemberGroupingAttr)
2234 --default-group DEFAULT_GROUP
2237 Sets default or fallback group to add the entry to as a member
2238 attribute in group entry (autoMemberDefaultGroup)
2239 --scope SCOPE
2242 Sets the subtree DN to search for entries (autoMemberScope)
2243 --filter FILTER
2246 Sets a standard LDAP search filter to use to search for matching
2247 entries (autoMemberFilter)
2248
2251 usage: dsconf instance plugin automember definition DEFNAME set
2252 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2253 FAULT_GROUP]
2254 --scope SCOPE --filter FILTER
2255 --grouping-attr GROUPING_ATTR
2259 Specifies the name of the member attribute in the group entry
2260 and the attribute in the object entry that supplies the member
2261 attribute value, in the format group_member_attr:entry_attr (au‐
2262 toMemberGroupingAttr)
2263 --default-group DEFAULT_GROUP
2266 Sets default or fallback group to add the entry to as a member
2267 attribute in group entry (autoMemberDefaultGroup)
2268 --scope SCOPE
2271 Sets the subtree DN to search for entries (autoMemberScope)
2272 --filter FILTER
2275 Sets a standard LDAP search filter to use to search for matching
2276 entries (autoMemberFilter)
2277
2280 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2281
2286 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2287
2292 usage: dsconf instance plugin automember definition DEFNAME regex
2293 [-h] REGEXNAME {add,set,delete,show} ...
2294 REGEXNAME
2297 The regex entry CN
2298 Sub-commands
2301 dsconf plugin automember definition regex add
2302 Creates Automembership regex.
2303 dsconf plugin automember definition regex set
2305 Edits Automembership regex.
2306 dsconf plugin automember definition regex delete
2308 Removes Automembership regex.
2309 dsconf plugin automember definition regex show
2311 Displays Automembership regex.
2312
2314 usage: dsconf instance plugin automember definition DEFNAME regex
2315 REGEXNAME add
2316 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2317 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2318 GET_GROUP
2319 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2323 Sets a single regular expression to use to identify entries to
2324 exclude (autoMemberExclusiveRegex)
2325 --inclusive INCLUSIVE [INCLUSIVE ...]
2328 Sets a single regular expression to use to identify entries to
2329 include (autoMemberInclusiveRegex)
2330 --target-group TARGET_GROUP
2333 Sets which group to add the entry to as a member, if it meets
2334 the regular expression conditions (autoMemberTargetGroup)
2335
2338 usage: dsconf instance plugin automember definition DEFNAME regex
2339 REGEXNAME set
2340 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2341 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2342 GET_GROUP
2343 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2347 Sets a single regular expression to use to identify entries to
2348 exclude (autoMemberExclusiveRegex)
2349 --inclusive INCLUSIVE [INCLUSIVE ...]
2352 Sets a single regular expression to use to identify entries to
2353 include (autoMemberInclusiveRegex)
2354 --target-group TARGET_GROUP
2357 Sets which group to add the entry to as a member, if it meets
2358 the regular expression conditions (autoMemberTargetGroup)
2359
2362 usage: dsconf instance plugin automember definition DEFNAME regex
2363 REGEXNAME delete
2364 [-h]
2365
2370 usage: dsconf instance plugin automember definition DEFNAME regex
2371 REGEXNAME show
2372 [-h]
2373
2380 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2381 {sub,base,one}
2382 DN
2383 DN Base DN that contains entries to fix up
2386 -f FILTER, --filter FILTER
2389 Sets the LDAP filter for entries to fix up
2390 -s {sub,base,one}, --scope {sub,base,one}
2393 Sets the LDAP search scope for entries to fix up
2394
2398 usage: dsconf instance plugin referential-integrity [-h]
2399 {show,enable,dis‐
2400 able,status,set,config-entry}
2401 ...
2402 Sub-commands
2405 dsconf plugin referential-integrity show
2406 Displays the plugin configuration
2407 dsconf plugin referential-integrity enable
2409 Enables the plugin
2410 dsconf plugin referential-integrity disable
2412 Disables the plugin
2413 dsconf plugin referential-integrity status
2415 Displays the plugin status
2416 dsconf plugin referential-integrity set
2418 Edit the plugin settings
2419 dsconf plugin referential-integrity config-entry
2421 Manage the config entry
2422
2424 usage: dsconf instance plugin referential-integrity show [-h]
2425
2430 usage: dsconf instance plugin referential-integrity enable [-h]
2431
2436 usage: dsconf instance plugin referential-integrity disable [-h]
2437
2442 usage: dsconf instance plugin referential-integrity status [-h]
2443
2448 usage: dsconf instance plugin referential-integrity set [-h]
2449 [--update-delay
2450 UPDATE_DELAY]
2451 [--membership-
2452 attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2453 [--entry-scope
2454 ENTRY_SCOPE]
2455 [--exclude-en‐
2456 try-scope EXCLUDE_ENTRY_SCOPE]
2457 [--container-
2458 scope CONTAINER_SCOPE]
2459 [--log-file
2460 LOG_FILE]
2461 [--config-entry
2462 CONFIG_ENTRY]
2463 --update-delay UPDATE_DELAY
2467 Sets the update interval. Special values: 0 - The check is per‐
2468 formed immediately, -1 - No check is performed (referint-up‐
2469 date-delay)
2470 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2473 Specifies attributes to check for and update (referint-member‐
2474 ship-attr)
2475 --entry-scope ENTRY_SCOPE
2478 Defines the subtree in which the plug-in looks for the delete or
2479 rename operations of a user entry (nsslapd-pluginEntryScope)
2480 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2483 Defines the subtree in which the plug-in ignores any operations
2484 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2485 tryScope)
2486 --container-scope CONTAINER_SCOPE
2489 Specifies which branch the plug-in searches for the groups to
2490 which the user belongs. It only updates groups that are under
2491 the specified container branch, and leaves all other groups not
2492 updated (nsslapd-pluginContainerScope)
2493 --log-file LOG_FILE
2496 Specifies a path to the Referential integrity logfile.For exam‐
2497 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2498 --config-entry CONFIG_ENTRY
2501 The value to set as nsslapd-pluginConfigArea
2502
2505 usage: dsconf instance plugin referential-integrity config-entry
2506 [-h] {add,set,show,delete} ...
2507 Sub-commands
2510 dsconf plugin referential-integrity config-entry add
2511 Add the config entry
2512 dsconf plugin referential-integrity config-entry set
2514 Edit the config entry
2515 dsconf plugin referential-integrity config-entry show
2517 Display the config entry
2518 dsconf plugin referential-integrity config-entry delete
2520 Delete the config entry
2521
2523 usage: dsconf instance plugin referential-integrity config-entry add
2524 [-h] [--update-delay UPDATE_DELAY]
2525 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2526 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2527 TRY_SCOPE]
2528 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2529 DN
2530 DN The config entry full DN
2533 --update-delay UPDATE_DELAY
2536 Sets the update interval. Special values: 0 - The check is per‐
2537 formed immediately, -1 - No check is performed (referint-up‐
2538 date-delay)
2539 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2542 Specifies attributes to check for and update (referint-member‐
2543 ship-attr)
2544 --entry-scope ENTRY_SCOPE
2547 Defines the subtree in which the plug-in looks for the delete or
2548 rename operations of a user entry (nsslapd-pluginEntryScope)
2549 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2552 Defines the subtree in which the plug-in ignores any operations
2553 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2554 tryScope)
2555 --container-scope CONTAINER_SCOPE
2558 Specifies which branch the plug-in searches for the groups to
2559 which the user belongs. It only updates groups that are under
2560 the specified container branch, and leaves all other groups not
2561 updated (nsslapd-pluginContainerScope)
2562 --log-file LOG_FILE
2565 Specifies a path to the Referential integrity logfile.For exam‐
2566 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2567
2570 usage: dsconf instance plugin referential-integrity config-entry set
2571 [-h] [--update-delay UPDATE_DELAY]
2572 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2573 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2574 TRY_SCOPE]
2575 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2576 DN
2577 DN The config entry full DN
2580 --update-delay UPDATE_DELAY
2583 Sets the update interval. Special values: 0 - The check is per‐
2584 formed immediately, -1 - No check is performed (referint-up‐
2585 date-delay)
2586 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2589 Specifies attributes to check for and update (referint-member‐
2590 ship-attr)
2591 --entry-scope ENTRY_SCOPE
2594 Defines the subtree in which the plug-in looks for the delete or
2595 rename operations of a user entry (nsslapd-pluginEntryScope)
2596 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2599 Defines the subtree in which the plug-in ignores any operations
2600 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2601 tryScope)
2602 --container-scope CONTAINER_SCOPE
2605 Specifies which branch the plug-in searches for the groups to
2606 which the user belongs. It only updates groups that are under
2607 the specified container branch, and leaves all other groups not
2608 updated (nsslapd-pluginContainerScope)
2609 --log-file LOG_FILE
2612 Specifies a path to the Referential integrity logfile.For exam‐
2613 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2614
2617 usage: dsconf instance plugin referential-integrity config-entry show
2618 [-h] DN
2619 DN The config entry full DN
2622
2626 usage: dsconf instance plugin referential-integrity config-entry delete
2627 [-h] DN
2628 DN The config entry full DN
2631
2637 usage: dsconf instance plugin root-dn [-h]
2638 {show,enable,disable,status,set}
2639 ...
2640 Sub-commands
2643 dsconf plugin root-dn show
2644 Displays the plugin configuration
2645 dsconf plugin root-dn enable
2647 Enables the plugin
2648 dsconf plugin root-dn disable
2650 Disables the plugin
2651 dsconf plugin root-dn status
2653 Displays the plugin status
2654 dsconf plugin root-dn set
2656 Edit the plugin settings
2657
2659 usage: dsconf instance plugin root-dn show [-h]
2660
2665 usage: dsconf instance plugin root-dn enable [-h]
2666
2671 usage: dsconf instance plugin root-dn disable [-h]
2672
2677 usage: dsconf instance plugin root-dn status [-h]
2678
2683 usage: dsconf instance plugin root-dn set [-h]
2684 [--allow-host ALLOW_HOST [AL‐
2685 LOW_HOST ...]]
2686 [--deny-host DENY_HOST
2687 [DENY_HOST ...]]
2688 [--allow-ip ALLOW_IP [AL‐
2689 LOW_IP ...]]
2690 [--deny-ip DENY_IP [DENY_IP
2691 ...]]
2692 [--open-time OPEN_TIME]
2693 [--close-time CLOSE_TIME]
2694 [--days-allowed DAYS_ALLOWED]
2695 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2699 Sets what hosts, by fully-qualified domain name, the root user
2700 is allowed to use to access Directory Server. Any hosts not
2701 listed are implicitly denied (rootdn-allow-host)
2702 --deny-host DENY_HOST [DENY_HOST ...]
2705 Sets what hosts, by fully-qualified domain name, the root user
2706 is not allowed to use to access Directory Server. Any hosts not
2707 listed are implicitly allowed (rootdn-deny-host). If a host ad‐
2708 dress is listed in both the rootdn-allow-host and
2709 rootdn-deny-host attributes, it is denied access.
2710 --allow-ip ALLOW_IP [ALLOW_IP ...]
2713 Sets what IP addresses, either IPv4 or IPv6, for machines the
2714 root user is allowed to use to access Directory Server. Any IP
2715 addresses not listed are implicitly denied (rootdn-allow-ip)
2716 --deny-ip DENY_IP [DENY_IP ...]
2719 Sets what IP addresses, either IPv4 or IPv6, for machines the
2720 root user is not allowed to use to access Directory Server. Any
2721 IP addresses not listed are implicitly allowed (rootdn-deny-ip).
2722 If an IP address is listed in both the rootdn-allow-ip and
2723 rootdn-deny-ip attributes, it is denied access.
2724 --open-time OPEN_TIME
2727 Sets part of a time period or range when the root user is al‐
2728 lowed to access Directory Server. This sets when the time-based
2729 access begins (rootdn-open- time)
2730 --close-time CLOSE_TIME
2733 Sets part of a time period or range when the root user is al‐
2734 lowed to access Directory Server. This sets when the time-based
2735 access ends (rootdn-close- time)
2736 --days-allowed DAYS_ALLOWED
2739 Sets a comma-separated list of what days the root user is al‐
2740 lowed to use to access Directory Server. Any days listed are im‐
2741 plicitly denied (rootdn-days- allowed)
2742
2746 usage: dsconf instance plugin usn [-h]
2747 {show,enable,disable,sta‐
2748 tus,global,cleanup}
2749 ...
2750 Sub-commands
2753 dsconf plugin usn show
2754 Displays the plugin configuration
2755 dsconf plugin usn enable
2757 Enables the plugin
2758 dsconf plugin usn disable
2760 Disables the plugin
2761 dsconf plugin usn status
2763 Displays the plugin status
2764 dsconf plugin usn global
2766 Get or manage global USN mode (nsslapd-entryusn-global)
2767 dsconf plugin usn cleanup
2769 Runs the USN tombstone cleanup task
2770
2772 usage: dsconf instance plugin usn show [-h]
2773
2778 usage: dsconf instance plugin usn enable [-h]
2779
2784 usage: dsconf instance plugin usn disable [-h]
2785
2790 usage: dsconf instance plugin usn status [-h]
2791
2796 usage: dsconf instance plugin usn global [-h] {on,off} ...
2797 Sub-commands
2800 dsconf plugin usn global on
2801 Enables USN global mode
2802 dsconf plugin usn global off
2804 Disables USN global mode
2805
2807 usage: dsconf instance plugin usn global on [-h]
2808
2813 usage: dsconf instance plugin usn global off [-h]
2814
2820 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2821 [-m MAX_USN]
2822 -s SUFFIX, --suffix SUFFIX
2826 Sets the suffix or subtree in Directory Server to run the
2827 cleanup operation against. If the suffix is not specified, then
2828 the back end must be specified (suffix).
2829 -n BACKEND, --backend BACKEND
2832 Sets the Directory Server instance back end, or database, to run
2833 the cleanup operation against. If the back end is not specified,
2834 then the suffix must be specified. Backend instance in which USN
2835 tombstone entries (backend)
2836 -m MAX_USN, --max-usn MAX_USN
2839 Sets the highest USN value to delete when removing tombstone en‐
2840 tries (max_usn_to_delete)
2841
2845 usage: dsconf instance plugin account-policy [-h]
2846 {show,enable,disable,sta‐
2847 tus,set,config-entry}
2848 ...
2849 Sub-commands
2852 dsconf plugin account-policy show
2853 Displays the plugin configuration
2854 dsconf plugin account-policy enable
2856 Enables the plugin
2857 dsconf plugin account-policy disable
2859 Disables the plugin
2860 dsconf plugin account-policy status
2862 Displays the plugin status
2863 dsconf plugin account-policy set
2865 Edit the plugin settings
2866 dsconf plugin account-policy config-entry
2868 Manage the config entry
2869
2871 usage: dsconf instance plugin account-policy show [-h]
2872
2877 usage: dsconf instance plugin account-policy enable [-h]
2878
2883 usage: dsconf instance plugin account-policy disable [-h]
2884
2889 usage: dsconf instance plugin account-policy status [-h]
2890
2895 usage: dsconf instance plugin account-policy set [-h]
2896 [--config-entry CON‐
2897 FIG_ENTRY]
2898 --config-entry CONFIG_ENTRY
2902 Sets the nsslapd-pluginConfigArea attribute
2903
2906 usage: dsconf instance plugin account-policy config-entry [-h]
2907 {add,set,show,delete}
2908 ...
2909 Sub-commands
2912 dsconf plugin account-policy config-entry add
2913 Add the config entry
2914 dsconf plugin account-policy config-entry set
2916 Edit the config entry
2917 dsconf plugin account-policy config-entry show
2919 Display the config entry
2920 dsconf plugin account-policy config-entry delete
2922 Delete the config entry
2923
2925 usage: dsconf instance plugin account-policy config-entry add
2926 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2927 ALT_STATE_ATTR]
2928 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2929 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2930 [--state-attr STATE_ATTR]
2931 DN
2932 DN The full DN of the config entry
2935 --always-record-login {yes,no}
2938 Sets that every entry records its last login time (alwaysRecord‐
2939 Login)
2940 --alt-state-attr ALT_STATE_ATTR
2943 Provides a backup attribute for the server to reference to eval‐
2944 uate the expiration time (altStateAttrName)
2945 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2948 Specifies the attribute to store the time of the last successful
2949 login in this attribute in the users directory entry (al‐
2950 waysRecordLoginAttr)
2951 --limit-attr LIMIT_ATTR
2954 Specifies the attribute within the policy to use for the account
2955 inactivation limit (limitAttrName)
2956 --spec-attr SPEC_ATTR
2959 Specifies the attribute to identify which entries are account
2960 policy configuration entries (specAttrName)
2961 --state-attr STATE_ATTR
2964 Specifies the primary time attribute used to evaluate an account
2965 policy (stateAttrName)
2966
2969 usage: dsconf instance plugin account-policy config-entry set
2970 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2971 ALT_STATE_ATTR]
2972 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2973 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2974 [--state-attr STATE_ATTR]
2975 DN
2976 DN The full DN of the config entry
2979 --always-record-login {yes,no}
2982 Sets that every entry records its last login time (alwaysRecord‐
2983 Login)
2984 --alt-state-attr ALT_STATE_ATTR
2987 Provides a backup attribute for the server to reference to eval‐
2988 uate the expiration time (altStateAttrName)
2989 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2992 Specifies the attribute to store the time of the last successful
2993 login in this attribute in the users directory entry (al‐
2994 waysRecordLoginAttr)
2995 --limit-attr LIMIT_ATTR
2998 Specifies the attribute within the policy to use for the account
2999 inactivation limit (limitAttrName)
3000 --spec-attr SPEC_ATTR
3003 Specifies the attribute to identify which entries are account
3004 policy configuration entries (specAttrName)
3005 --state-attr STATE_ATTR
3008 Specifies the primary time attribute used to evaluate an account
3009 policy (stateAttrName)
3010
3013 usage: dsconf instance plugin account-policy config-entry show [-h] DN
3014 DN The full DN of the config entry
3017
3021 usage: dsconf instance plugin account-policy config-entry delete [-h]
3022 DN
3023 DN The full DN of the config entry
3026
3032 usage: dsconf instance plugin attr-uniq [-h]
3033 {list,add,set,show,delete,en‐
3034 able,disable,status}
3035 ...
3036 Sub-commands
3039 dsconf plugin attr-uniq list
3040 Lists available plugin configs
3041 dsconf plugin attr-uniq add
3043 Add the config entry
3044 dsconf plugin attr-uniq set
3046 Edit the config entry
3047 dsconf plugin attr-uniq show
3049 Display the config entry
3050 dsconf plugin attr-uniq delete
3052 Delete the config entry
3053 dsconf plugin attr-uniq enable
3055 enable plugin
3056 dsconf plugin attr-uniq disable
3058 disable plugin
3059 dsconf plugin attr-uniq status
3061 display plugin status
3062
3064 usage: dsconf instance plugin attr-uniq list [-h]
3065
3070 usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
3071 [--attr-name ATTR_NAME
3072 [ATTR_NAME ...]]
3073 [--subtree SUBTREE [SUBTREE
3074 ...]]
3075 [--across-all-subtrees
3076 {on,off}]
3077 [--top-entry-oc TOP_EN‐
3078 TRY_OC]
3079 [--subtree-entries-oc SUB‐
3080 TREE_ENTRIES_OC]
3081 NAME
3082 NAME The name of the plug-in configuration record. (cn) You can use
3085 any string, but "attribute_name Attribute Uniqueness" is recom‐
3086 mended.
3087 --enabled {on,off}
3090 Identifies whether or not the config is enabled.
3091 --attr-name ATTR_NAME [ATTR_NAME ...]
3094 Sets the name of the attribute whose values must be unique. This
3095 attribute is multi-valued. (uniqueness-attribute-name)
3096 --subtree SUBTREE [SUBTREE ...]
3099 Sets the DN under which the plug-in checks for uniqueness of the
3100 attributes value. This attribute is multi-valued (unique‐
3101 ness-subtrees)
3102 --across-all-subtrees {on,off}
3105 If enabled (on), the plug-in checks that the attribute is unique
3106 across all subtrees set. If you set the attribute to off,
3107 uniqueness is only enforced within the subtree of the updated
3108 entry (uniqueness-across-all-subtrees)
3109 --top-entry-oc TOP_ENTRY_OC
3112 Verifies that the value of the attribute set in uniqueness-at‐
3113 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3114 --subtree-entries-oc SUBTREE_ENTRIES_OC
3117 Verifies if an attribute is unique, if the entry contains the
3118 object class set in this parameter (uniqueness-subtree-en‐
3119 tries-oc)
3120
3123 usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
3124 [--attr-name ATTR_NAME
3125 [ATTR_NAME ...]]
3126 [--subtree SUBTREE [SUBTREE
3127 ...]]
3128 [--across-all-subtrees
3129 {on,off}]
3130 [--top-entry-oc TOP_EN‐
3131 TRY_OC]
3132 [--subtree-entries-oc SUB‐
3133 TREE_ENTRIES_OC]
3134 NAME
3135 NAME The name of the plug-in configuration record. (cn) You can use
3138 any string, but "attribute_name Attribute Uniqueness" is recom‐
3139 mended.
3140 --enabled {on,off}
3143 Identifies whether or not the config is enabled.
3144 --attr-name ATTR_NAME [ATTR_NAME ...]
3147 Sets the name of the attribute whose values must be unique. This
3148 attribute is multi-valued. (uniqueness-attribute-name)
3149 --subtree SUBTREE [SUBTREE ...]
3152 Sets the DN under which the plug-in checks for uniqueness of the
3153 attributes value. This attribute is multi-valued (unique‐
3154 ness-subtrees)
3155 --across-all-subtrees {on,off}
3158 If enabled (on), the plug-in checks that the attribute is unique
3159 across all subtrees set. If you set the attribute to off,
3160 uniqueness is only enforced within the subtree of the updated
3161 entry (uniqueness-across-all-subtrees)
3162 --top-entry-oc TOP_ENTRY_OC
3165 Verifies that the value of the attribute set in uniqueness-at‐
3166 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3167 --subtree-entries-oc SUBTREE_ENTRIES_OC
3170 Verifies if an attribute is unique, if the entry contains the
3171 object class set in this parameter (uniqueness-subtree-en‐
3172 tries-oc)
3173
3176 usage: dsconf instance plugin attr-uniq show [-h] NAME
3177 NAME The name of the plug-in configuration record
3180
3184 usage: dsconf instance plugin attr-uniq delete [-h] NAME
3185 NAME The name of the plug-in configuration record
3188
3192 usage: dsconf instance plugin attr-uniq enable [-h] NAME
3193 NAME The name of the plug-in configuration record
3196
3200 usage: dsconf instance plugin attr-uniq disable [-h] NAME
3201 NAME The name of the plug-in configuration record
3204
3208 usage: dsconf instance plugin attr-uniq status [-h] NAME
3209 NAME The name of the plug-in configuration record
3212
3217 usage: dsconf instance plugin dna [-h]
3218 {show,enable,disable,status,list,con‐
3219 fig} ...
3220 Sub-commands
3223 dsconf plugin dna show
3224 Displays the plugin configuration
3225 dsconf plugin dna enable
3227 Enables the plugin
3228 dsconf plugin dna disable
3230 Disables the plugin
3231 dsconf plugin dna status
3233 Displays the plugin status
3234 dsconf plugin dna list
3236 List available plugin configs
3237 dsconf plugin dna config
3239 Manage plugin configs
3240
3242 usage: dsconf instance plugin dna show [-h]
3243
3248 usage: dsconf instance plugin dna enable [-h]
3249
3254 usage: dsconf instance plugin dna disable [-h]
3255
3260 usage: dsconf instance plugin dna status [-h]
3261
3266 usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
3267 ...
3268 Sub-commands
3271 dsconf plugin dna list configs
3272 List main DNA plugin config entries
3273 dsconf plugin dna list shared-configs
3275 List DNA plugin shared config entries
3276
3278 usage: dsconf instance plugin dna list configs [-h]
3279
3284 usage: dsconf instance plugin dna list shared-configs [-h] BASEDN
3285 BASEDN The search DN
3288
3293 usage: dsconf instance plugin dna config [-h]
3294 NAME
3295 {add,set,show,delete,shared-
3296 config-entry}
3297 ...
3298 NAME The DNA configuration name
3301 Sub-commands
3304 dsconf plugin dna config add
3305 Add the config entry
3306 dsconf plugin dna config set
3308 Edit the config entry
3309 dsconf plugin dna config show
3311 Display the config entry
3312 dsconf plugin dna config delete
3314 Delete the config entry
3315 dsconf plugin dna config shared-config-entry
3317 Manage the shared config entry
3318
3320 usage: dsconf instance plugin dna config NAME add [-h]
3321 [--type TYPE [TYPE
3322 ...]]
3323 [--prefix PREFIX]
3324 [--next-value
3325 NEXT_VALUE]
3326 [--max-value
3327 MAX_VALUE]
3328 [--interval INTERVAL]
3329 [--magic-regen
3330 MAGIC_REGEN]
3331 [--filter FILTER]
3332 [--scope SCOPE]
3333 [--remote-bind-dn RE‐
3334 MOTE_BIND_DN]
3335 [--remote-bind-cred
3336 REMOTE_BIND_CRED]
3337 [--shared-config-en‐
3338 try SHARED_CONFIG_ENTRY]
3339 [--threshold THRESH‐
3340 OLD]
3341 [--next-range
3342 NEXT_RANGE]
3343 [--range-request-
3344 timeout RANGE_REQUEST_TIMEOUT]
3345 --type TYPE [TYPE ...]
3349 Sets which attributes have unique numbers being generated for
3350 them (dnaType)
3351 --prefix PREFIX
3354 Defines a prefix that can be prepended to the generated number
3355 values for the attribute (dnaPrefix)
3356 --next-value NEXT_VALUE
3359 Sets the next available number which can be assigned
3360 (dnaNextValue)
3361 --max-value MAX_VALUE
3364 Sets the maximum value that can be assigned for the range (dna‐
3365 MaxValue)
3366 --interval INTERVAL
3369 Sets an interval to use to increment through numbers in a range
3370 (dnaInterval)
3371 --magic-regen MAGIC_REGEN
3374 Sets a user-defined value that instructs the plug-in to assign a
3375 new value for the entry (dnaMagicRegen)
3376 --filter FILTER
3379 Sets an LDAP filter to use to search for and identify the en‐
3380 tries to which to apply the distributed numeric assignment range
3381 (dnaFilter)
3382 --scope SCOPE
3385 Sets the base DN to search for entries to which to apply the
3386 distributed numeric assignment (dnaScope)
3387 --remote-bind-dn REMOTE_BIND_DN
3390 Specifies the Replication Manager DN (dnaRemoteBindDN)
3391 --remote-bind-cred REMOTE_BIND_CRED
3394 Specifies the Replication Manager's password (dnaRemoteBindCred)
3395 --shared-config-entry SHARED_CONFIG_ENTRY
3398 Defines a shared identity that the servers can use to transfer
3399 ranges to one another (dnaSharedCfgDN)
3400 --threshold THRESHOLD
3403 Sets a threshold of remaining available numbers in the range.
3404 When the server hits the threshold, it sends a request for a new
3405 range (dnaThreshold)
3406 --next-range NEXT_RANGE
3409 Defines the next range to use when the current range is ex‐
3410 hausted (dnaNextRange)
3411 --range-request-timeout RANGE_REQUEST_TIMEOUT
3414 Sets a timeout period, in seconds, for range requests so that
3415 the server does not stall waiting on a new range from one server
3416 and can request a range from a new server (dnaRangeRequestTime‐
3417 out)
3418
3421 usage: dsconf instance plugin dna config NAME set [-h]
3422 [--type TYPE [TYPE
3423 ...]]
3424 [--prefix PREFIX]
3425 [--next-value
3426 NEXT_VALUE]
3427 [--max-value
3428 MAX_VALUE]
3429 [--interval INTERVAL]
3430 [--magic-regen
3431 MAGIC_REGEN]
3432 [--filter FILTER]
3433 [--scope SCOPE]
3434 [--remote-bind-dn RE‐
3435 MOTE_BIND_DN]
3436 [--remote-bind-cred
3437 REMOTE_BIND_CRED]
3438 [--shared-config-en‐
3439 try SHARED_CONFIG_ENTRY]
3440 [--threshold THRESH‐
3441 OLD]
3442 [--next-range
3443 NEXT_RANGE]
3444 [--range-request-
3445 timeout RANGE_REQUEST_TIMEOUT]
3446 --type TYPE [TYPE ...]
3450 Sets which attributes have unique numbers being generated for
3451 them (dnaType)
3452 --prefix PREFIX
3455 Defines a prefix that can be prepended to the generated number
3456 values for the attribute (dnaPrefix)
3457 --next-value NEXT_VALUE
3460 Sets the next available number which can be assigned
3461 (dnaNextValue)
3462 --max-value MAX_VALUE
3465 Sets the maximum value that can be assigned for the range (dna‐
3466 MaxValue)
3467 --interval INTERVAL
3470 Sets an interval to use to increment through numbers in a range
3471 (dnaInterval)
3472 --magic-regen MAGIC_REGEN
3475 Sets a user-defined value that instructs the plug-in to assign a
3476 new value for the entry (dnaMagicRegen)
3477 --filter FILTER
3480 Sets an LDAP filter to use to search for and identify the en‐
3481 tries to which to apply the distributed numeric assignment range
3482 (dnaFilter)
3483 --scope SCOPE
3486 Sets the base DN to search for entries to which to apply the
3487 distributed numeric assignment (dnaScope)
3488 --remote-bind-dn REMOTE_BIND_DN
3491 Specifies the Replication Manager DN (dnaRemoteBindDN)
3492 --remote-bind-cred REMOTE_BIND_CRED
3495 Specifies the Replication Manager's password (dnaRemoteBindCred)
3496 --shared-config-entry SHARED_CONFIG_ENTRY
3499 Defines a shared identity that the servers can use to transfer
3500 ranges to one another (dnaSharedCfgDN)
3501 --threshold THRESHOLD
3504 Sets a threshold of remaining available numbers in the range.
3505 When the server hits the threshold, it sends a request for a new
3506 range (dnaThreshold)
3507 --next-range NEXT_RANGE
3510 Defines the next range to use when the current range is ex‐
3511 hausted (dnaNextRange)
3512 --range-request-timeout RANGE_REQUEST_TIMEOUT
3515 Sets a timeout period, in seconds, for range requests so that
3516 the server does not stall waiting on a new range from one server
3517 and can request a range from a new server (dnaRangeRequestTime‐
3518 out)
3519
3522 usage: dsconf instance plugin dna config NAME show [-h]
3523
3528 usage: dsconf instance plugin dna config NAME delete [-h]
3529
3534 usage: dsconf instance plugin dna config NAME shared-config-entry
3535 [-h] SHARED_CFG {set,show,delete} ...
3536 SHARED_CFG
3539 Use HOSTNAME:PORT for this argument to identify the host name
3540 and port of a server in a shared range, as part of the DNA range
3541 configuration for that specific host in multi-supplier replica‐
3542 tion. (dnaHostname+dnaPortNum)
3543 Sub-commands
3546 dsconf plugin dna config shared-config-entry set
3547 Edit the shared config entry
3548 dsconf plugin dna config shared-config-entry show
3550 Display the shared config entry
3551 dsconf plugin dna config shared-config-entry delete
3553 Delete the shared config entry
3554
3556 usage: dsconf instance plugin dna config NAME shared-config-entry
3557 SHARED_CFG set
3558 [-h] [--remote-bind-method REMOTE_BIND_METHOD]
3559 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3560 --remote-bind-method REMOTE_BIND_METHOD
3564 Specifies the remote bind method "SIMPLE", "SSL" (for SSL client
3565 auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)
3566 --remote-conn-protocol REMOTE_CONN_PROTOCOL
3569 Specifies the remote connection protocol "LDAP", or "TLS"
3570 (dnaRemoteConnProtocol)
3571
3574 usage: dsconf instance plugin dna config NAME shared-config-entry
3575 SHARED_CFG show
3576 [-h]
3577
3582 usage: dsconf instance plugin dna config NAME shared-config-entry
3583 SHARED_CFG delete
3584 [-h]
3585
3593 usage: dsconf instance plugin linked-attr [-h]
3594 {show,enable,disable,sta‐
3595 tus,fixup,list,config}
3596 ...
3597 Sub-commands
3600 dsconf plugin linked-attr show
3601 Displays the plugin configuration
3602 dsconf plugin linked-attr enable
3604 Enables the plugin
3605 dsconf plugin linked-attr disable
3607 Disables the plugin
3608 dsconf plugin linked-attr status
3610 Displays the plugin status
3611 dsconf plugin linked-attr fixup
3613 Run the fix-up task for linked attributes plugin
3614 dsconf plugin linked-attr list
3616 List available plugin configs
3617 dsconf plugin linked-attr config
3619 Manage plugin configs
3620
3622 usage: dsconf instance plugin linked-attr show [-h]
3623
3628 usage: dsconf instance plugin linked-attr enable [-h]
3629
3634 usage: dsconf instance plugin linked-attr disable [-h]
3635
3640 usage: dsconf instance plugin linked-attr status [-h]
3641
3646 usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
3647 -l LINKDN, --linkdn LINKDN
3651 Sets the base DN that contains entries to fix up
3652
3655 usage: dsconf instance plugin linked-attr list [-h]
3656
3661 usage: dsconf instance plugin linked-attr config [-h]
3662 NAME
3663 {add,set,show,delete}
3664 ...
3665 NAME The Linked Attributes configuration name
3668 Sub-commands
3671 dsconf plugin linked-attr config add
3672 Add the config entry
3673 dsconf plugin linked-attr config set
3675 Edit the config entry
3676 dsconf plugin linked-attr config show
3678 Display the config entry
3679 dsconf plugin linked-attr config delete
3681 Delete the config entry
3682
3684 usage: dsconf instance plugin linked-attr config NAME add [-h]
3685 [--link-type
3686 LINK_TYPE]
3687 [--managed-
3688 type MANAGED_TYPE]
3689 [--link-scope
3690 LINK_SCOPE]
3691 --link-type LINK_TYPE
3695 Sets the attribute that is managed manually by administrators
3696 (linkType)
3697 --managed-type MANAGED_TYPE
3700 Sets the attribute that is created dynamically by the plugin
3701 (managedType)
3702 --link-scope LINK_SCOPE
3705 Sets the scope that restricts the plugin to a specific part of
3706 the directory tree (linkScope)
3707
3710 usage: dsconf instance plugin linked-attr config NAME set [-h]
3711 [--link-type
3712 LINK_TYPE]
3713 [--managed-
3714 type MANAGED_TYPE]
3715 [--link-scope
3716 LINK_SCOPE]
3717 --link-type LINK_TYPE
3721 Sets the attribute that is managed manually by administrators
3722 (linkType)
3723 --managed-type MANAGED_TYPE
3726 Sets the attribute that is created dynamically by the plugin
3727 (managedType)
3728 --link-scope LINK_SCOPE
3731 Sets the scope that restricts the plugin to a specific part of
3732 the directory tree (linkScope)
3733
3736 usage: dsconf instance plugin linked-attr config NAME show [-h]
3737
3742 usage: dsconf instance plugin linked-attr config NAME delete [-h]
3743
3750 usage: dsconf instance plugin managed-entries [-h]
3751 {show,enable,disable,sta‐
3752 tus,set,list,config,template}
3753 ...
3754 Sub-commands
3757 dsconf plugin managed-entries show
3758 Displays the plugin configuration
3759 dsconf plugin managed-entries enable
3761 Enables the plugin
3762 dsconf plugin managed-entries disable
3764 Disables the plugin
3765 dsconf plugin managed-entries status
3767 Displays the plugin status
3768 dsconf plugin managed-entries set
3770 Edit the plugin settings
3771 dsconf plugin managed-entries list
3773 List Managed Entries Plugin configs and templates
3774 dsconf plugin managed-entries config
3776 Handle Managed Entries Plugin configs
3777 dsconf plugin managed-entries template
3779 Handle Managed Entries Plugin templates
3780
3782 usage: dsconf instance plugin managed-entries show [-h]
3783
3788 usage: dsconf instance plugin managed-entries enable [-h]
3789
3794 usage: dsconf instance plugin managed-entries disable [-h]
3795
3800 usage: dsconf instance plugin managed-entries status [-h]
3801
3806 usage: dsconf instance plugin managed-entries set [-h]
3807 [--config-area CON‐
3808 FIG_AREA]
3809 --config-area CONFIG_AREA
3813 Sets the value of the nsslapd-pluginConfigArea attribute
3814
3817 usage: dsconf instance plugin managed-entries list [-h]
3818 {configs,templates}
3819 ...
3820 Sub-commands
3823 dsconf plugin managed-entries list configs
3824 List Managed Entries Plugin configs (list config-area if speci‐
3825 fied in the main plugin entry)
3826 dsconf plugin managed-entries list templates
3828 List Managed Entries Plugin templates in the directory
3829
3831 usage: dsconf instance plugin managed-entries list configs [-h]
3832
3837 usage: dsconf instance plugin managed-entries list templates [-h]
3838 [BASEDN]
3839 BASEDN The base DN where to search the templates
3842
3847 usage: dsconf instance plugin managed-entries config [-h]
3848 NAME
3849 {add,set,show,delete}
3850 ...
3851 NAME The config entry CN
3854 Sub-commands
3857 dsconf plugin managed-entries config add
3858 Add the config entry
3859 dsconf plugin managed-entries config set
3861 Edit the config entry
3862 dsconf plugin managed-entries config show
3864 Display the config entry
3865 dsconf plugin managed-entries config delete
3867 Delete the config entry
3868
3870 usage: dsconf instance plugin managed-entries config NAME add
3871 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3872 AGED_BASE]
3873 [--managed-template MANAGED_TEMPLATE]
3874 --scope SCOPE
3878 Sets the scope of the search to use to see which entries the
3879 plug-in monitors (originScope)
3880 --filter FILTER
3883 Sets the search filter to use to search for and identify the en‐
3884 tries within the subtree which require a managed entry (origin‐
3885 Filter)
3886 --managed-base MANAGED_BASE
3889 Sets the subtree under which to create the managed entries (man‐
3890 agedBase)
3891 --managed-template MANAGED_TEMPLATE
3894 Identifies the template entry to use to create the managed entry
3895 (managedTemplate)
3896
3899 usage: dsconf instance plugin managed-entries config NAME set
3900 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3901 AGED_BASE]
3902 [--managed-template MANAGED_TEMPLATE]
3903 --scope SCOPE
3907 Sets the scope of the search to use to see which entries the
3908 plug-in monitors (originScope)
3909 --filter FILTER
3912 Sets the search filter to use to search for and identify the en‐
3913 tries within the subtree which require a managed entry (origin‐
3914 Filter)
3915 --managed-base MANAGED_BASE
3918 Sets the subtree under which to create the managed entries (man‐
3919 agedBase)
3920 --managed-template MANAGED_TEMPLATE
3923 Identifies the template entry to use to create the managed entry
3924 (managedTemplate)
3925
3928 usage: dsconf instance plugin managed-entries config NAME show [-h]
3929
3934 usage: dsconf instance plugin managed-entries config NAME delete [-h]
3935
3941 usage: dsconf instance plugin managed-entries template [-h]
3942 DN
3943 {add,set,show,delete}
3944 ...
3945 DN The template entry DN.
3948 Sub-commands
3951 dsconf plugin managed-entries template add
3952 Add the template entry
3953 dsconf plugin managed-entries template set
3955 Edit the template entry
3956 dsconf plugin managed-entries template show
3958 Display the template entry
3959 dsconf plugin managed-entries template delete
3961 Delete the template entry
3962
3964 usage: dsconf instance plugin managed-entries template DN add
3965 [-h] [--rdn-attr RDN_ATTR]
3966 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
3967 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
3968 --rdn-attr RDN_ATTR
3972 Sets which attribute to use as the naming attribute in the auto‐
3973 matically- generated entry (mepRDNAttr)
3974 --static-attr STATIC_ATTR [STATIC_ATTR ...]
3977 Sets an attribute with a defined value that must be added to the
3978 automatically-generated entry (mepStaticAttr)
3979 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
3982 Sets attributes in the Managed Entries template entry which must
3983 exist in the generated entry (mepMappedAttr)
3984
3987 usage: dsconf instance plugin managed-entries template DN set
3988 [-h] [--rdn-attr RDN_ATTR]
3989 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
3990 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
3991 --rdn-attr RDN_ATTR
3995 Sets which attribute to use as the naming attribute in the auto‐
3996 matically- generated entry (mepRDNAttr)
3997 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4000 Sets an attribute with a defined value that must be added to the
4001 automatically-generated entry (mepStaticAttr)
4002 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4005 Sets attributes in the Managed Entries template entry which must
4006 exist in the generated entry (mepMappedAttr)
4007
4010 usage: dsconf instance plugin managed-entries template DN show [-h]
4011
4016 usage: dsconf instance plugin managed-entries template DN delete [-h]
4017
4024 usage: dsconf instance plugin pass-through-auth [-h]
4025 {show,enable,dis‐
4026 able,status,list,url,pam-config}
4027 ...
4028 Sub-commands
4031 dsconf plugin pass-through-auth show
4032 Displays the plugin configuration
4033 dsconf plugin pass-through-auth enable
4035 Enables the plugin
4036 dsconf plugin pass-through-auth disable
4038 Disables the plugin
4039 dsconf plugin pass-through-auth status
4041 Displays the plugin status
4042 dsconf plugin pass-through-auth enable
4044 Enable the pass through authentication plugins
4045 dsconf plugin pass-through-auth disable
4047 Disable the pass through authentication plugins
4048 dsconf plugin pass-through-auth list
4050 List pass-though plugin URLs or PAM configurations
4051 dsconf plugin pass-through-auth url
4053 Manage PTA URL configurations
4054 dsconf plugin pass-through-auth pam-config
4056 Manage PAM PTA configurations.
4057
4059 usage: dsconf instance plugin pass-through-auth show [-h]
4060
4065 usage: dsconf instance plugin pass-through-auth enable [-h]
4066
4071 usage: dsconf instance plugin pass-through-auth disable [-h]
4072
4077 usage: dsconf instance plugin pass-through-auth status [-h]
4078
4083 usage: dsconf instance plugin pass-through-auth list [-h]
4084 {urls,pam-configs}
4085 ...
4086 Sub-commands
4089 dsconf plugin pass-through-auth list urls
4090 Lists URLs
4091 dsconf plugin pass-through-auth list pam-configs
4093 Lists PAM configurations
4094
4096 usage: dsconf instance plugin pass-through-auth list urls [-h]
4097
4102 usage: dsconf instance plugin pass-through-auth list pam-configs [-h]
4103
4109 usage: dsconf instance plugin pass-through-auth url [-h]
4110 {add,modify,delete}
4111 ...
4112 Sub-commands
4115 dsconf plugin pass-through-auth url add
4116 Add the config entry
4117 dsconf plugin pass-through-auth url modify
4119 Edit the config entry
4120 dsconf plugin pass-through-auth url delete
4122 Delete the config entry
4123
4125 usage: dsconf instance plugin pass-through-auth url add [-h] URL
4126 URL The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
4129 conns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
4130 tional parameter is specified the rest should be specified too
4131
4135 usage: dsconf instance plugin pass-through-auth url modify [-h]
4136 OLD_URL
4137 NEW_URL
4138 OLD_URL
4141 The full LDAP URL you get from the "list" command
4142 NEW_URL
4145 Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree
4146 maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
4147 tional parameter is specified the rest should be specified too.
4148
4152 usage: dsconf instance plugin pass-through-auth url delete [-h] URL
4153 URL The full LDAP URL you get from the "list" command
4156
4161 usage: dsconf instance plugin pass-through-auth pam-config [-h]
4162 NAME
4163 {add,set,show,delete}
4164 ...
4165 NAME The PAM PTA configuration name
4168 Sub-commands
4171 dsconf plugin pass-through-auth pam-config add
4172 Add the config entry
4173 dsconf plugin pass-through-auth pam-config set
4175 Edit the config entry
4176 dsconf plugin pass-through-auth pam-config show
4178 Display the config entry
4179 dsconf plugin pass-through-auth pam-config delete
4181 Delete the config entry
4182
4184 usage: dsconf instance plugin pass-through-auth pam-config NAME add
4185 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4186 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4187 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4188 TER]
4189 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4190 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4191 SERVICE]
4192 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4196 Specifies a suffix to exclude from PAM authentication (pamEx‐
4197 cludeSuffix)
4198 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4201 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4202 fix)
4203 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4206 Identifies how to handle missing include or exclude suffixes
4207 (pamMissingSuffix)
4208 --filter FILTER
4211 Sets an LDAP filter to use to identify specific entries within
4212 the included suffixes for which to use PAM pass-through authen‐
4213 tication (pamFilter)
4214 --id-attr ID_ATTR
4217 Contains the attribute name which is used to hold the PAM user
4218 ID (pamIDAttr)
4219 --id_map_method ID_MAP_METHOD
4222 Sets the method to use to map the LDAP bind DN to a PAM identity
4223 (pamIDMapMethod)
4224 --fallback {TRUE,FALSE}
4227 Sets whether to fallback to regular LDAP authentication if PAM
4228 authentication fails (pamFallback)
4229 --secure {TRUE,FALSE}
4232 Requires secure TLS connection for PAM authentication (pamSe‐
4233 cure)
4234 --service SERVICE
4237 Contains the service name to pass to PAM (pamService)
4238
4241 usage: dsconf instance plugin pass-through-auth pam-config NAME set
4242 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4243 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4244 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4245 TER]
4246 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4247 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4248 SERVICE]
4249 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4253 Specifies a suffix to exclude from PAM authentication (pamEx‐
4254 cludeSuffix)
4255 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4258 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4259 fix)
4260 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4263 Identifies how to handle missing include or exclude suffixes
4264 (pamMissingSuffix)
4265 --filter FILTER
4268 Sets an LDAP filter to use to identify specific entries within
4269 the included suffixes for which to use PAM pass-through authen‐
4270 tication (pamFilter)
4271 --id-attr ID_ATTR
4274 Contains the attribute name which is used to hold the PAM user
4275 ID (pamIDAttr)
4276 --id_map_method ID_MAP_METHOD
4279 Sets the method to use to map the LDAP bind DN to a PAM identity
4280 (pamIDMapMethod)
4281 --fallback {TRUE,FALSE}
4284 Sets whether to fallback to regular LDAP authentication if PAM
4285 authentication fails (pamFallback)
4286 --secure {TRUE,FALSE}
4289 Requires secure TLS connection for PAM authentication (pamSe‐
4290 cure)
4291 --service SERVICE
4294 Contains the service name to pass to PAM (pamService)
4295
4298 usage: dsconf instance plugin pass-through-auth pam-config NAME show
4299 [-h]
4300
4305 usage: dsconf instance plugin pass-through-auth pam-config NAME delete
4306 [-h]
4307
4314 usage: dsconf instance plugin retro-changelog [-h]
4315 {show,enable,disable,sta‐
4316 tus,set,add}
4317 ...
4318 Sub-commands
4321 dsconf plugin retro-changelog show
4322 Displays the plugin configuration
4323 dsconf plugin retro-changelog enable
4325 Enables the plugin
4326 dsconf plugin retro-changelog disable
4328 Disables the plugin
4329 dsconf plugin retro-changelog status
4331 Displays the plugin status
4332 dsconf plugin retro-changelog set
4334 Edit the plugin
4335 dsconf plugin retro-changelog add
4337 Add attributes to the plugin
4338
4340 usage: dsconf instance plugin retro-changelog show [-h]
4341
4346 usage: dsconf instance plugin retro-changelog enable [-h]
4347
4352 usage: dsconf instance plugin retro-changelog disable [-h]
4353
4358 usage: dsconf instance plugin retro-changelog status [-h]
4359
4364 usage: dsconf instance plugin retro-changelog set [-h]
4365 [--is-replicated
4366 {TRUE,FALSE}]
4367 [--attribute ATTRI‐
4368 BUTE]
4369 [--directory DIREC‐
4370 TORY]
4371 [--max-age MAX_AGE]
4372 [--trim-interval
4373 TRIM_INTERVAL]
4374 [--exclude-suffix EX‐
4375 CLUDE_SUFFIX]
4376 [--exclude-attrs EX‐
4377 CLUDE_ATTRS]
4378 --is-replicated {TRUE,FALSE}
4382 Sets a flag to indicate on a change in the changelog whether the
4383 change is newly made on that server or whether it was replicated
4384 over from another server (isReplicated)
4385 --attribute ATTRIBUTE
4388 Specifies another Directory Server attribute which must be in‐
4389 cluded in the retro changelog entries (nsslapd-attribute)
4390 --directory DIRECTORY
4393 Specifies the name of the directory in which the changelog data‐
4394 base is created the first time the plug-in is run
4395 --max-age MAX_AGE
4398 This attribute specifies the maximum age of any entry in the
4399 changelog. Used to trim the changelog (nsslapd-changelogmaxage)
4400 --trim-interval TRIM_INTERVAL
4403 --exclude-suffix EXCLUDE_SUFFIX
4406 This attribute specifies the suffix which will be excluded from
4407 the scope of the plugin (nsslapd-exclude-suffix)
4408 --exclude-attrs EXCLUDE_ATTRS
4411 This attribute specifies the attributes which will be excluded
4412 from the scope of the plugin (nsslapd-exclude-attrs)
4413
4416 usage: dsconf instance plugin retro-changelog add [-h]
4417 [--is-replicated
4418 {TRUE,FALSE}]
4419 [--attribute ATTRI‐
4420 BUTE]
4421 [--directory DIREC‐
4422 TORY]
4423 [--max-age MAX_AGE]
4424 [--trim-interval
4425 TRIM_INTERVAL]
4426 [--exclude-suffix EX‐
4427 CLUDE_SUFFIX]
4428 [--exclude-attrs EX‐
4429 CLUDE_ATTRS]
4430 --is-replicated {TRUE,FALSE}
4434 Sets a flag to indicate on a change in the changelog whether the
4435 change is newly made on that server or whether it was replicated
4436 over from another server (isReplicated)
4437 --attribute ATTRIBUTE
4440 Specifies another Directory Server attribute which must be in‐
4441 cluded in the retro changelog entries (nsslapd-attribute)
4442 --directory DIRECTORY
4445 Specifies the name of the directory in which the changelog data‐
4446 base is created the first time the plug-in is run
4447 --max-age MAX_AGE
4450 This attribute specifies the maximum age of any entry in the
4451 changelog. Used to trim the changelog (nsslapd-changelogmaxage)
4452 --trim-interval TRIM_INTERVAL
4455 --exclude-suffix EXCLUDE_SUFFIX
4458 This attribute specifies the suffix which will be excluded from
4459 the scope of the plugin (nsslapd-exclude-suffix)
4460 --exclude-attrs EXCLUDE_ATTRS
4463 This attribute specifies the attributes which will be excluded
4464 from the scope of the plugin (nsslapd-exclude-attrs)
4465
4469 usage: dsconf instance plugin posix-winsync [-h]
4470 {show,enable,disable,sta‐
4471 tus,set,fixup}
4472 ...
4473 Sub-commands
4476 dsconf plugin posix-winsync show
4477 Displays the plugin configuration
4478 dsconf plugin posix-winsync enable
4480 Enables the plugin
4481 dsconf plugin posix-winsync disable
4483 Disables the plugin
4484 dsconf plugin posix-winsync status
4486 Displays the plugin status
4487 dsconf plugin posix-winsync set
4489 Edit the plugin settings
4490 dsconf plugin posix-winsync fixup
4492 Run the memberOf fix-up task to correct mismatched member and
4493 uniquemember values for synced users
4494
4496 usage: dsconf instance plugin posix-winsync show [-h]
4497
4502 usage: dsconf instance plugin posix-winsync enable [-h]
4503
4508 usage: dsconf instance plugin posix-winsync disable [-h]
4509
4514 usage: dsconf instance plugin posix-winsync status [-h]
4515
4520 usage: dsconf instance plugin posix-winsync set [-h]
4521 [--create-memberof-task
4522 {true,false}]
4523 [--lower-case-uid
4524 {true,false}]
4525 [--map-member-uid
4526 {true,false}]
4527 [--map-nested-grouping
4528 {true,false}]
4529 [--ms-sfu-schema
4530 {true,false}]
4531 --create-memberof-task {true,false}
4535 Sets whether to run the memberUID fix-up task immediately after
4536 a sync run in order to update group memberships for synced users
4537 (posixWinsyncCreateMemberOfTask)
4538 --lower-case-uid {true,false}
4541 Sets whether to store (and, if necessary, convert) the UID value
4542 in the memberUID attribute in lower case.(posixWinsyncLower‐
4543 CaseUID)
4544 --map-member-uid {true,false}
4547 Sets whether to map the memberUID attribute in an Active Direc‐
4548 tory group to the uniqueMember attribute in a Directory Server
4549 group (posixWinsyncMapMemberUID)
4550 --map-nested-grouping {true,false}
4553 Manages if nested groups are updated when memberUID attributes
4554 in an Active Directory POSIX group change (posixWinsyncMapNest‐
4555 edGrouping)
4556 --ms-sfu-schema {true,false}
4559 Sets whether to the older Microsoft System Services for Unix 3.0
4560 (msSFU30) schema when syncing Posix attributes from Active Di‐
4561 rectory (posixWinsyncMsSFUSchema)
4562
4565 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN
4566 DN Set the base DN that contains entries to fix up
4569 -f FILTER, --filter FILTER
4572 Filter for entries to fix up. If omitted, all entries with ob‐
4573 jectclass inetuser/inetadmin/nsmemberof under the specified base
4574 will have their memberOf attribute regenerated.
4575
4579 usage: dsconf instance plugin contentsync [-h]
4580 {show,enable,disable,sta‐
4581 tus,set,add}
4582 ...
4583 Sub-commands
4586 dsconf plugin contentsync show
4587 Displays the plugin configuration
4588 dsconf plugin contentsync enable
4590 Enables the plugin
4591 dsconf plugin contentsync disable
4593 Disables the plugin
4594 dsconf plugin contentsync status
4596 Displays the plugin status
4597 dsconf plugin contentsync set
4599 Edit the plugin settings
4600 dsconf plugin contentsync add
4602 Add attributes to the plugin
4603
4605 usage: dsconf instance plugin contentsync show [-h]
4606
4611 usage: dsconf instance plugin contentsync enable [-h]
4612
4617 usage: dsconf instance plugin contentsync disable [-h]
4618
4623 usage: dsconf instance plugin contentsync status [-h]
4624
4629 usage: dsconf instance plugin contentsync set [-h] [--allow-openldap
4630 {on,off}]
4631 --allow-openldap {on,off}
4635 Allows openldap servers to act as read only consumers of this
4636 server via syncrepl
4637
4640 usage: dsconf instance plugin contentsync add [-h] [--allow-openldap
4641 {on,off}]
4642 --allow-openldap {on,off}
4646 Allows openldap servers to act as read only consumers of this
4647 server via syncrepl
4648
4652 usage: dsconf instance plugin list [-h]
4653
4658 usage: dsconf instance plugin show [-h] [selector]
4659 selector
4662 The plugin to search for
4663
4667 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4668 {on,off}]
4669 [--path PATH] [--initfunc INITFUNC]
4670 [--id ID] [--vendor VENDOR]
4671 [--version VERSION]
4672 [--description DESCRIPTION]
4673 [--depends-on-type DEPENDS_ON_TYPE]
4674 [--depends-on-named DEPENDS_ON_NAMED]
4675 [--precedence PRECEDENCE]
4676 [selector]
4677 selector
4680 The plugin to edit
4681 --type TYPE
4684 The type of plugin.
4685 --enabled {on,off}
4688 Identifies whether or not the plugin is enabled.
4689 --path PATH
4692 The plugin library name (without the library suffix).
4693 --initfunc INITFUNC
4696 An initialization function of the plugin.
4697 --id ID
4700 The plugin ID.
4701 --vendor VENDOR
4704 The vendor of plugin.
4705 --version VERSION
4708 The version of plugin.
4709 --description DESCRIPTION
4712 The description of the plugin.
4713 --depends-on-type DEPENDS_ON_TYPE
4716 All plug-ins with a type value which matches one of the values
4717 in the following valid range will be started by the server prior
4718 to this plug-in.
4719 --depends-on-named DEPENDS_ON_NAMED
4722 The plug-in name matching one of the following values will be
4723 started by the server prior to this plug-in
4724 --precedence PRECEDENCE
4727 The priority it has in the execution order of plug-ins
4728
4732 usage: dsconf instance pwpolicy [-h] {get,set} ...
4733 Sub-commands
4736 dsconf pwpolicy get
4737 Get the global password policy entry
4738 dsconf pwpolicy set
4740 Set an attribute in a global password policy
4741
4743 usage: dsconf instance pwpolicy get [-h]
4744
4749 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4750 [--pwdchange PWDCHANGE]
4751 [--pwdmustchange PWDMUSTCHANGE]
4752 [--pwdhistory PWDHISTORY]
4753 [--pwdhistorycount PWDHISTORYCOUNT]
4754 [--pwdadmin PWDADMIN]
4755 [--pwdtrack PWDTRACK]
4756 [--pwdwarning PWDWARNING]
4757 [--pwdexpire PWDEXPIRE]
4758 [--pwdmaxage PWDMAXAGE]
4759 [--pwdminage PWDMINAGE]
4760 [--pwdgracelimit PWDGRACELIMIT]
4761 [--pwdsendexpiring PWDSENDEXPIRING]
4762 [--pwdlockout PWDLOCKOUT]
4763 [--pwdunlock PWDUNLOCK]
4764 [--pwdlockoutduration PWDLOCKOUTDU‐
4765 RATION]
4766 [--pwdmaxfailures PWDMAXFAILURES]
4767 [--pwdresetfailcount PWDRESETFAIL‐
4768 COUNT]
4769 [--pwdchecksyntax PWDCHECKSYNTAX]
4770 [--pwdminlen PWDMINLEN]
4771 [--pwdmindigits PWDMINDIGITS]
4772 [--pwdminalphas PWDMINALPHAS]
4773 [--pwdminuppers PWDMINUPPERS]
4774 [--pwdminlowers PWDMINLOWERS]
4775 [--pwdminspecials PWDMINSPECIALS]
4776 [--pwdmin8bits PWDMIN8BITS]
4777 [--pwdmaxrepeats PWDMAXREPEATS]
4778 [--pwdpalindrome PWDPALINDROME]
4779 [--pwdmaxseq PWDMAXSEQ]
4780 [--pwdmaxseqsets PWDMAXSEQSETS]
4781 [--pwdmaxclasschars PWDMAXCLASS‐
4782 CHARS]
4783 [--pwdmincatagories PWDMIN‐
4784 CATAGORIES]
4785 [--pwdmintokenlen PWDMINTOKENLEN]
4786 [--pwdbadwords PWDBADWORDS]
4787 [--pwduserattrs PWDUSERATTRS]
4788 [--pwddictcheck PWDDICTCHECK]
4789 [--pwddictpath PWDDICTPATH]
4790 [--pwptprmaxuse PWPTPRMAXUSE]
4791 [--pwptprdelayexpireat PWPTPRDELAY‐
4792 EXPIREAT]
4793 [--pwptprdelayvalidfrom PWPTPRDE‐
4794 LAYVALIDFROM]
4795 [--pwdlocal PWDLOCAL]
4796 [--pwdisglobal PWDISGLOBAL]
4797 [--pwdallowhash PWDALLOWHASH]
4798 [--pwpinheritglobal PWPINHERIT‐
4799 GLOBAL]
4800 --pwdscheme PWDSCHEME
4804 The password storage scheme
4805 --pwdchange PWDCHANGE
4808 Allow users to change their passwords
4809 --pwdmustchange PWDMUSTCHANGE
4812 Users must change their password after it was reset by an admin‐
4813 istrator
4814 --pwdhistory PWDHISTORY
4817 To enable password history set this to "on", otherwise "off"
4818 --pwdhistorycount PWDHISTORYCOUNT
4821 The number of passwords to keep in history
4822 --pwdadmin PWDADMIN
4825 The DN of an entry or a group of account that can bypass pass‐
4826 word policy constraints
4827 --pwdtrack PWDTRACK
4830 Set to "on" to track the time the password was last changed
4831 --pwdwarning PWDWARNING
4834 Send an expiring warning if password expires within this time
4835 (in seconds)
4836 --pwdexpire PWDEXPIRE
4839 Set to "on" to enable password expiration
4840 --pwdmaxage PWDMAXAGE
4843 The password expiration time in seconds
4844 --pwdminage PWDMINAGE
4847 The number of seconds that must pass before a user can change
4848 their password
4849 --pwdgracelimit PWDGRACELIMIT
4852 The number of allowed logins after the password has expired
4853 --pwdsendexpiring PWDSENDEXPIRING
4856 Set to "on" to always send the expiring control regardless of
4857 the warning period
4858 --pwdlockout PWDLOCKOUT
4861 Set to "on" to enable account lockout
4862 --pwdunlock PWDUNLOCK
4865 Set to "on" to allow an account to become unlocked after the
4866 lockout duration
4867 --pwdlockoutduration PWDLOCKOUTDURATION
4870 The number of seconds an account stays locked out
4871 --pwdmaxfailures PWDMAXFAILURES
4874 The maximum number of allowed failed password attempts before
4875 the account gets locked
4876 --pwdresetfailcount PWDRESETFAILCOUNT
4879 The number of seconds to wait before reducing the failed login
4880 count on an account
4881 --pwdchecksyntax PWDCHECKSYNTAX
4884 Set to "on" to enable password syntax checking
4885 --pwdminlen PWDMINLEN
4888 The minimum number of characters required in a password
4889 --pwdmindigits PWDMINDIGITS
4892 The minimum number of digit/number characters in a password
4893 --pwdminalphas PWDMINALPHAS
4896 The minimum number of alpha characters required in a password
4897 --pwdminuppers PWDMINUPPERS
4900 The minimum number of uppercase characters required in a pass‐
4901 word
4902 --pwdminlowers PWDMINLOWERS
4905 The minimum number of lowercase characters required in a pass‐
4906 word
4907 --pwdminspecials PWDMINSPECIALS
4910 The minimum number of special characters required in a password
4911 --pwdmin8bits PWDMIN8BITS
4914 The minimum number of 8-bit characters required in a password
4915 --pwdmaxrepeats PWDMAXREPEATS
4918 The maximum number of times the same character can appear se‐
4919 quentially in the password
4920 --pwdpalindrome PWDPALINDROME
4923 Set to "on" to reject passwords that are palindromes
4924 --pwdmaxseq PWDMAXSEQ
4927 The maximum number of allowed monotonic character sequences in a
4928 password
4929 --pwdmaxseqsets PWDMAXSEQSETS
4932 The maximum number of allowed monotonic character sequences that
4933 can be duplicated in a password
4934 --pwdmaxclasschars PWDMAXCLASSCHARS
4937 The maximum number of sequential characters from the same char‐
4938 acter class that is allowed in a password
4939 --pwdmincatagories PWDMINCATAGORIES
4942 The minimum number of syntax category checks
4943 --pwdmintokenlen PWDMINTOKENLEN
4946 Sets the smallest attribute value length that is used for triv‐
4947 ial/user words checking. This also impacts "--pwduserattrs"
4948 --pwdbadwords PWDBADWORDS
4951 A space-separated list of words that can not be in a password
4952 --pwduserattrs PWDUSERATTRS
4955 A space-separated list of attributes whose values can not appear
4956 in the password (See "--pwdmintokenlen")
4957 --pwddictcheck PWDDICTCHECK
4960 Set to "on" to enforce CrackLib dictionary checking
4961 --pwddictpath PWDDICTPATH
4964 Filesystem path to specific/custom CrackLib dictionary files
4965 --pwptprmaxuse PWPTPRMAXUSE
4968 Number of times a reset password can be used for authentication
4969 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
4972 Number of seconds after which a reset password expires
4973 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
4976 Number of seconds to wait before using a reset password to au‐
4977 thenticated
4978 --pwdlocal PWDLOCAL
4981 Set to "on" to enable fine-grained (subtree/user-level) password
4982 policies
4983 --pwdisglobal PWDISGLOBAL
4986 Set to "on" to enable password policy state attributes to be
4987 replicated
4988 --pwdallowhash PWDALLOWHASH
4991 Set to "on" to allow adding prehashed passwords
4992 --pwpinheritglobal PWPINHERITGLOBAL
4995 Set to "on" to allow local policies to inherit the global policy
4996
5000 usage: dsconf instance localpwp [-h]
5001 {list,get,set,remove,adduser,addsub‐
5002 tree} ...
5003 Sub-commands
5006 dsconf localpwp list
5007 List all the local password policies
5008 dsconf localpwp get
5010 Get local password policy entry
5011 dsconf localpwp set
5013 Set an attribute in a local password policy
5014 dsconf localpwp remove
5016 Remove a local password policy
5017 dsconf localpwp adduser
5019 Add new user password policy
5020 dsconf localpwp addsubtree
5022 Add new subtree password policy
5023
5025 usage: dsconf instance localpwp list [-h] [DN]
5026 DN Suffix to search for local password policies
5029
5033 usage: dsconf instance localpwp get [-h] DN
5034 DN Get the local policy for this entry DN
5037
5041 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
5042 [--pwdchange PWDCHANGE]
5043 [--pwdmustchange PWDMUSTCHANGE]
5044 [--pwdhistory PWDHISTORY]
5045 [--pwdhistorycount PWDHISTORYCOUNT]
5046 [--pwdadmin PWDADMIN]
5047 [--pwdtrack PWDTRACK]
5048 [--pwdwarning PWDWARNING]
5049 [--pwdexpire PWDEXPIRE]
5050 [--pwdmaxage PWDMAXAGE]
5051 [--pwdminage PWDMINAGE]
5052 [--pwdgracelimit PWDGRACELIMIT]
5053 [--pwdsendexpiring PWDSENDEXPIRING]
5054 [--pwdlockout PWDLOCKOUT]
5055 [--pwdunlock PWDUNLOCK]
5056 [--pwdlockoutduration PWDLOCKOUTDU‐
5057 RATION]
5058 [--pwdmaxfailures PWDMAXFAILURES]
5059 [--pwdresetfailcount PWDRESETFAIL‐
5060 COUNT]
5061 [--pwdchecksyntax PWDCHECKSYNTAX]
5062 [--pwdminlen PWDMINLEN]
5063 [--pwdmindigits PWDMINDIGITS]
5064 [--pwdminalphas PWDMINALPHAS]
5065 [--pwdminuppers PWDMINUPPERS]
5066 [--pwdminlowers PWDMINLOWERS]
5067 [--pwdminspecials PWDMINSPECIALS]
5068 [--pwdmin8bits PWDMIN8BITS]
5069 [--pwdmaxrepeats PWDMAXREPEATS]
5070 [--pwdpalindrome PWDPALINDROME]
5071 [--pwdmaxseq PWDMAXSEQ]
5072 [--pwdmaxseqsets PWDMAXSEQSETS]
5073 [--pwdmaxclasschars PWDMAXCLASS‐
5074 CHARS]
5075 [--pwdmincatagories PWDMIN‐
5076 CATAGORIES]
5077 [--pwdmintokenlen PWDMINTOKENLEN]
5078 [--pwdbadwords PWDBADWORDS]
5079 [--pwduserattrs PWDUSERATTRS]
5080 [--pwddictcheck PWDDICTCHECK]
5081 [--pwddictpath PWDDICTPATH]
5082 [--pwptprmaxuse PWPTPRMAXUSE]
5083 [--pwptprdelayexpireat PWPTPRDELAY‐
5084 EXPIREAT]
5085 [--pwptprdelayvalidfrom PWPTPRDE‐
5086 LAYVALIDFROM]
5087 DN
5088 DN Set the local policy for this entry DN
5091 --pwdscheme PWDSCHEME
5094 The password storage scheme
5095 --pwdchange PWDCHANGE
5098 Allow users to change their passwords
5099 --pwdmustchange PWDMUSTCHANGE
5102 Users must change their password after it was reset by an admin‐
5103 istrator
5104 --pwdhistory PWDHISTORY
5107 To enable password history set this to "on", otherwise "off"
5108 --pwdhistorycount PWDHISTORYCOUNT
5111 The number of passwords to keep in history
5112 --pwdadmin PWDADMIN
5115 The DN of an entry or a group of account that can bypass pass‐
5116 word policy constraints
5117 --pwdtrack PWDTRACK
5120 Set to "on" to track the time the password was last changed
5121 --pwdwarning PWDWARNING
5124 Send an expiring warning if password expires within this time
5125 (in seconds)
5126 --pwdexpire PWDEXPIRE
5129 Set to "on" to enable password expiration
5130 --pwdmaxage PWDMAXAGE
5133 The password expiration time in seconds
5134 --pwdminage PWDMINAGE
5137 The number of seconds that must pass before a user can change
5138 their password
5139 --pwdgracelimit PWDGRACELIMIT
5142 The number of allowed logins after the password has expired
5143 --pwdsendexpiring PWDSENDEXPIRING
5146 Set to "on" to always send the expiring control regardless of
5147 the warning period
5148 --pwdlockout PWDLOCKOUT
5151 Set to "on" to enable account lockout
5152 --pwdunlock PWDUNLOCK
5155 Set to "on" to allow an account to become unlocked after the
5156 lockout duration
5157 --pwdlockoutduration PWDLOCKOUTDURATION
5160 The number of seconds an account stays locked out
5161 --pwdmaxfailures PWDMAXFAILURES
5164 The maximum number of allowed failed password attempts before
5165 the account gets locked
5166 --pwdresetfailcount PWDRESETFAILCOUNT
5169 The number of seconds to wait before reducing the failed login
5170 count on an account
5171 --pwdchecksyntax PWDCHECKSYNTAX
5174 Set to "on" to enable password syntax checking
5175 --pwdminlen PWDMINLEN
5178 The minimum number of characters required in a password
5179 --pwdmindigits PWDMINDIGITS
5182 The minimum number of digit/number characters in a password
5183 --pwdminalphas PWDMINALPHAS
5186 The minimum number of alpha characters required in a password
5187 --pwdminuppers PWDMINUPPERS
5190 The minimum number of uppercase characters required in a pass‐
5191 word
5192 --pwdminlowers PWDMINLOWERS
5195 The minimum number of lowercase characters required in a pass‐
5196 word
5197 --pwdminspecials PWDMINSPECIALS
5200 The minimum number of special characters required in a password
5201 --pwdmin8bits PWDMIN8BITS
5204 The minimum number of 8-bit characters required in a password
5205 --pwdmaxrepeats PWDMAXREPEATS
5208 The maximum number of times the same character can appear se‐
5209 quentially in the password
5210 --pwdpalindrome PWDPALINDROME
5213 Set to "on" to reject passwords that are palindromes
5214 --pwdmaxseq PWDMAXSEQ
5217 The maximum number of allowed monotonic character sequences in a
5218 password
5219 --pwdmaxseqsets PWDMAXSEQSETS
5222 The maximum number of allowed monotonic character sequences that
5223 can be duplicated in a password
5224 --pwdmaxclasschars PWDMAXCLASSCHARS
5227 The maximum number of sequential characters from the same char‐
5228 acter class that is allowed in a password
5229 --pwdmincatagories PWDMINCATAGORIES
5232 The minimum number of syntax category checks
5233 --pwdmintokenlen PWDMINTOKENLEN
5236 Sets the smallest attribute value length that is used for triv‐
5237 ial/user words checking. This also impacts "--pwduserattrs"
5238 --pwdbadwords PWDBADWORDS
5241 A space-separated list of words that can not be in a password
5242 --pwduserattrs PWDUSERATTRS
5245 A space-separated list of attributes whose values can not appear
5246 in the password (See "--pwdmintokenlen")
5247 --pwddictcheck PWDDICTCHECK
5250 Set to "on" to enforce CrackLib dictionary checking
5251 --pwddictpath PWDDICTPATH
5254 Filesystem path to specific/custom CrackLib dictionary files
5255 --pwptprmaxuse PWPTPRMAXUSE
5258 Number of times a reset password can be used for authentication
5259 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5262 Number of seconds after which a reset password expires
5263 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5266 Number of seconds to wait before using a reset password to au‐
5267 thenticated
5268
5271 usage: dsconf instance localpwp remove [-h] DN
5272 DN Remove local policy for this entry DN
5275
5279 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5280 [--pwdchange PWDCHANGE]
5281 [--pwdmustchange PWDMUSTCHANGE]
5282 [--pwdhistory PWDHISTORY]
5283 [--pwdhistorycount PWDHISTO‐
5284 RYCOUNT]
5285 [--pwdadmin PWDADMIN]
5286 [--pwdtrack PWDTRACK]
5287 [--pwdwarning PWDWARNING]
5288 [--pwdexpire PWDEXPIRE]
5289 [--pwdmaxage PWDMAXAGE]
5290 [--pwdminage PWDMINAGE]
5291 [--pwdgracelimit PWDGRACELIMIT]
5292 [--pwdsendexpiring PWDSENDEX‐
5293 PIRING]
5294 [--pwdlockout PWDLOCKOUT]
5295 [--pwdunlock PWDUNLOCK]
5296 [--pwdlockoutduration PWDLOCK‐
5297 OUTDURATION]
5298 [--pwdmaxfailures PWDMAXFAIL‐
5299 URES]
5300 [--pwdresetfailcount PWDRESET‐
5301 FAILCOUNT]
5302 [--pwdchecksyntax PWDCHECKSYN‐
5303 TAX]
5304 [--pwdminlen PWDMINLEN]
5305 [--pwdmindigits PWDMINDIGITS]
5306 [--pwdminalphas PWDMINALPHAS]
5307 [--pwdminuppers PWDMINUPPERS]
5308 [--pwdminlowers PWDMINLOWERS]
5309 [--pwdminspecials PWDMINSPE‐
5310 CIALS]
5311 [--pwdmin8bits PWDMIN8BITS]
5312 [--pwdmaxrepeats PWDMAXREPEATS]
5313 [--pwdpalindrome PWDPALINDROME]
5314 [--pwdmaxseq PWDMAXSEQ]
5315 [--pwdmaxseqsets PWDMAXSEQSETS]
5316 [--pwdmaxclasschars PWDMAX‐
5317 CLASSCHARS]
5318 [--pwdmincatagories PWDMIN‐
5319 CATAGORIES]
5320 [--pwdmintokenlen PWDMINTO‐
5321 KENLEN]
5322 [--pwdbadwords PWDBADWORDS]
5323 [--pwduserattrs PWDUSERATTRS]
5324 [--pwddictcheck PWDDICTCHECK]
5325 [--pwddictpath PWDDICTPATH]
5326 [--pwptprmaxuse PWPTPRMAXUSE]
5327 [--pwptprdelayexpireat PWPT‐
5328 PRDELAYEXPIREAT]
5329 [--pwptprdelayvalidfrom PWPT‐
5330 PRDELAYVALIDFROM]
5331 DN
5332 DN Add/replace the local password policy for this entry DN
5335 --pwdscheme PWDSCHEME
5338 The password storage scheme
5339 --pwdchange PWDCHANGE
5342 Allow users to change their passwords
5343 --pwdmustchange PWDMUSTCHANGE
5346 Users must change their password after it was reset by an admin‐
5347 istrator
5348 --pwdhistory PWDHISTORY
5351 To enable password history set this to "on", otherwise "off"
5352 --pwdhistorycount PWDHISTORYCOUNT
5355 The number of passwords to keep in history
5356 --pwdadmin PWDADMIN
5359 The DN of an entry or a group of account that can bypass pass‐
5360 word policy constraints
5361 --pwdtrack PWDTRACK
5364 Set to "on" to track the time the password was last changed
5365 --pwdwarning PWDWARNING
5368 Send an expiring warning if password expires within this time
5369 (in seconds)
5370 --pwdexpire PWDEXPIRE
5373 Set to "on" to enable password expiration
5374 --pwdmaxage PWDMAXAGE
5377 The password expiration time in seconds
5378 --pwdminage PWDMINAGE
5381 The number of seconds that must pass before a user can change
5382 their password
5383 --pwdgracelimit PWDGRACELIMIT
5386 The number of allowed logins after the password has expired
5387 --pwdsendexpiring PWDSENDEXPIRING
5390 Set to "on" to always send the expiring control regardless of
5391 the warning period
5392 --pwdlockout PWDLOCKOUT
5395 Set to "on" to enable account lockout
5396 --pwdunlock PWDUNLOCK
5399 Set to "on" to allow an account to become unlocked after the
5400 lockout duration
5401 --pwdlockoutduration PWDLOCKOUTDURATION
5404 The number of seconds an account stays locked out
5405 --pwdmaxfailures PWDMAXFAILURES
5408 The maximum number of allowed failed password attempts before
5409 the account gets locked
5410 --pwdresetfailcount PWDRESETFAILCOUNT
5413 The number of seconds to wait before reducing the failed login
5414 count on an account
5415 --pwdchecksyntax PWDCHECKSYNTAX
5418 Set to "on" to enable password syntax checking
5419 --pwdminlen PWDMINLEN
5422 The minimum number of characters required in a password
5423 --pwdmindigits PWDMINDIGITS
5426 The minimum number of digit/number characters in a password
5427 --pwdminalphas PWDMINALPHAS
5430 The minimum number of alpha characters required in a password
5431 --pwdminuppers PWDMINUPPERS
5434 The minimum number of uppercase characters required in a pass‐
5435 word
5436 --pwdminlowers PWDMINLOWERS
5439 The minimum number of lowercase characters required in a pass‐
5440 word
5441 --pwdminspecials PWDMINSPECIALS
5444 The minimum number of special characters required in a password
5445 --pwdmin8bits PWDMIN8BITS
5448 The minimum number of 8-bit characters required in a password
5449 --pwdmaxrepeats PWDMAXREPEATS
5452 The maximum number of times the same character can appear se‐
5453 quentially in the password
5454 --pwdpalindrome PWDPALINDROME
5457 Set to "on" to reject passwords that are palindromes
5458 --pwdmaxseq PWDMAXSEQ
5461 The maximum number of allowed monotonic character sequences in a
5462 password
5463 --pwdmaxseqsets PWDMAXSEQSETS
5466 The maximum number of allowed monotonic character sequences that
5467 can be duplicated in a password
5468 --pwdmaxclasschars PWDMAXCLASSCHARS
5471 The maximum number of sequential characters from the same char‐
5472 acter class that is allowed in a password
5473 --pwdmincatagories PWDMINCATAGORIES
5476 The minimum number of syntax category checks
5477 --pwdmintokenlen PWDMINTOKENLEN
5480 Sets the smallest attribute value length that is used for triv‐
5481 ial/user words checking. This also impacts "--pwduserattrs"
5482 --pwdbadwords PWDBADWORDS
5485 A space-separated list of words that can not be in a password
5486 --pwduserattrs PWDUSERATTRS
5489 A space-separated list of attributes whose values can not appear
5490 in the password (See "--pwdmintokenlen")
5491 --pwddictcheck PWDDICTCHECK
5494 Set to "on" to enforce CrackLib dictionary checking
5495 --pwddictpath PWDDICTPATH
5498 Filesystem path to specific/custom CrackLib dictionary files
5499 --pwptprmaxuse PWPTPRMAXUSE
5502 Number of times a reset password can be used for authentication
5503 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5506 Number of seconds after which a reset password expires
5507 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5510 Number of seconds to wait before using a reset password to au‐
5511 thenticated
5512
5515 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5516 [--pwdchange PWDCHANGE]
5517 [--pwdmustchange PWD‐
5518 MUSTCHANGE]
5519 [--pwdhistory PWDHISTORY]
5520 [--pwdhistorycount PWDHISTO‐
5521 RYCOUNT]
5522 [--pwdadmin PWDADMIN]
5523 [--pwdtrack PWDTRACK]
5524 [--pwdwarning PWDWARNING]
5525 [--pwdexpire PWDEXPIRE]
5526 [--pwdmaxage PWDMAXAGE]
5527 [--pwdminage PWDMINAGE]
5528 [--pwdgracelimit PWDGRACE‐
5529 LIMIT]
5530 [--pwdsendexpiring PWDSEND‐
5531 EXPIRING]
5532 [--pwdlockout PWDLOCKOUT]
5533 [--pwdunlock PWDUNLOCK]
5534 [--pwdlockoutduration PWD‐
5535 LOCKOUTDURATION]
5536 [--pwdmaxfailures PWDMAX‐
5537 FAILURES]
5538 [--pwdresetfailcount PW‐
5539 DRESETFAILCOUNT]
5540 [--pwdchecksyntax PWD‐
5541 CHECKSYNTAX]
5542 [--pwdminlen PWDMINLEN]
5543 [--pwdmindigits PWDMINDIG‐
5544 ITS]
5545 [--pwdminalphas PWDMINAL‐
5546 PHAS]
5547 [--pwdminuppers PWDMINUP‐
5548 PERS]
5549 [--pwdminlowers PWDMINLOW‐
5550 ERS]
5551 [--pwdminspecials PWDMINSPE‐
5552 CIALS]
5553 [--pwdmin8bits PWDMIN8BITS]
5554 [--pwdmaxrepeats PWDMAXRE‐
5555 PEATS]
5556 [--pwdpalindrome PWDPALIN‐
5557 DROME]
5558 [--pwdmaxseq PWDMAXSEQ]
5559 [--pwdmaxseqsets PWDMAXSE‐
5560 QSETS]
5561 [--pwdmaxclasschars PWDMAX‐
5562 CLASSCHARS]
5563 [--pwdmincatagories PWDMIN‐
5564 CATAGORIES]
5565 [--pwdmintokenlen PWDMINTO‐
5566 KENLEN]
5567 [--pwdbadwords PWDBADWORDS]
5568 [--pwduserattrs PWDUSERAT‐
5569 TRS]
5570 [--pwddictcheck PWD‐
5571 DICTCHECK]
5572 [--pwddictpath PWDDICTPATH]
5573 [--pwptprmaxuse PWPT‐
5574 PRMAXUSE]
5575 [--pwptprdelayexpireat PWPT‐
5576 PRDELAYEXPIREAT]
5577 [--pwptprdelayvalidfrom PW‐
5578 PTPRDELAYVALIDFROM]
5579 DN
5580 DN Add/replace the subtree policy for this entry DN
5583 --pwdscheme PWDSCHEME
5586 The password storage scheme
5587 --pwdchange PWDCHANGE
5590 Allow users to change their passwords
5591 --pwdmustchange PWDMUSTCHANGE
5594 Users must change their password after it was reset by an admin‐
5595 istrator
5596 --pwdhistory PWDHISTORY
5599 To enable password history set this to "on", otherwise "off"
5600 --pwdhistorycount PWDHISTORYCOUNT
5603 The number of passwords to keep in history
5604 --pwdadmin PWDADMIN
5607 The DN of an entry or a group of account that can bypass pass‐
5608 word policy constraints
5609 --pwdtrack PWDTRACK
5612 Set to "on" to track the time the password was last changed
5613 --pwdwarning PWDWARNING
5616 Send an expiring warning if password expires within this time
5617 (in seconds)
5618 --pwdexpire PWDEXPIRE
5621 Set to "on" to enable password expiration
5622 --pwdmaxage PWDMAXAGE
5625 The password expiration time in seconds
5626 --pwdminage PWDMINAGE
5629 The number of seconds that must pass before a user can change
5630 their password
5631 --pwdgracelimit PWDGRACELIMIT
5634 The number of allowed logins after the password has expired
5635 --pwdsendexpiring PWDSENDEXPIRING
5638 Set to "on" to always send the expiring control regardless of
5639 the warning period
5640 --pwdlockout PWDLOCKOUT
5643 Set to "on" to enable account lockout
5644 --pwdunlock PWDUNLOCK
5647 Set to "on" to allow an account to become unlocked after the
5648 lockout duration
5649 --pwdlockoutduration PWDLOCKOUTDURATION
5652 The number of seconds an account stays locked out
5653 --pwdmaxfailures PWDMAXFAILURES
5656 The maximum number of allowed failed password attempts before
5657 the account gets locked
5658 --pwdresetfailcount PWDRESETFAILCOUNT
5661 The number of seconds to wait before reducing the failed login
5662 count on an account
5663 --pwdchecksyntax PWDCHECKSYNTAX
5666 Set to "on" to enable password syntax checking
5667 --pwdminlen PWDMINLEN
5670 The minimum number of characters required in a password
5671 --pwdmindigits PWDMINDIGITS
5674 The minimum number of digit/number characters in a password
5675 --pwdminalphas PWDMINALPHAS
5678 The minimum number of alpha characters required in a password
5679 --pwdminuppers PWDMINUPPERS
5682 The minimum number of uppercase characters required in a pass‐
5683 word
5684 --pwdminlowers PWDMINLOWERS
5687 The minimum number of lowercase characters required in a pass‐
5688 word
5689 --pwdminspecials PWDMINSPECIALS
5692 The minimum number of special characters required in a password
5693 --pwdmin8bits PWDMIN8BITS
5696 The minimum number of 8-bit characters required in a password
5697 --pwdmaxrepeats PWDMAXREPEATS
5700 The maximum number of times the same character can appear se‐
5701 quentially in the password
5702 --pwdpalindrome PWDPALINDROME
5705 Set to "on" to reject passwords that are palindromes
5706 --pwdmaxseq PWDMAXSEQ
5709 The maximum number of allowed monotonic character sequences in a
5710 password
5711 --pwdmaxseqsets PWDMAXSEQSETS
5714 The maximum number of allowed monotonic character sequences that
5715 can be duplicated in a password
5716 --pwdmaxclasschars PWDMAXCLASSCHARS
5719 The maximum number of sequential characters from the same char‐
5720 acter class that is allowed in a password
5721 --pwdmincatagories PWDMINCATAGORIES
5724 The minimum number of syntax category checks
5725 --pwdmintokenlen PWDMINTOKENLEN
5728 Sets the smallest attribute value length that is used for triv‐
5729 ial/user words checking. This also impacts "--pwduserattrs"
5730 --pwdbadwords PWDBADWORDS
5733 A space-separated list of words that can not be in a password
5734 --pwduserattrs PWDUSERATTRS
5737 A space-separated list of attributes whose values can not appear
5738 in the password (See "--pwdmintokenlen")
5739 --pwddictcheck PWDDICTCHECK
5742 Set to "on" to enforce CrackLib dictionary checking
5743 --pwddictpath PWDDICTPATH
5746 Filesystem path to specific/custom CrackLib dictionary files
5747 --pwptprmaxuse PWPTPRMAXUSE
5750 Number of times a reset password can be used for authentication
5751 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5754 Number of seconds after which a reset password expires
5755 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5758 Number of seconds to wait before using a reset password to au‐
5759 thenticated
5760
5764 usage: dsconf instance replication [-h]
5765 {enable,disable,get-ruv,list,sta‐
5766 tus,winsync-status,promote,create-manager,delete-manager,de‐
5767 mote,get,set-changelog,get-changelog,export-changelog,import-
5768 changelog,set,monitor}
5769 ...
5770 Sub-commands
5773 dsconf replication enable
5774 Enable replication for a suffix
5775 dsconf replication disable
5777 Disable replication for a suffix
5778 dsconf replication get-ruv
5780 Display the database RUV entry for a suffix
5781 dsconf replication list
5783 Lists all the replicated suffixes
5784 dsconf replication status
5786 Display the current status of all the replication agreements
5787 dsconf replication winsync-status
5789 Display the current status of all the replication agreements
5790 dsconf replication promote
5792 Promote a replica to a hub or supplier
5793 dsconf replication create-manager
5795 Create a replication manager entry
5796 dsconf replication delete-manager
5798 Delete a replication manager entry
5799 dsconf replication demote
5801 Demote replica to a hub or consumer
5802 dsconf replication get
5804 Display the replication configuration
5805 dsconf replication set-changelog
5807 Set replication changelog attributes
5808 dsconf replication get-changelog
5810 Display replication changelog attributes
5811 dsconf replication export-changelog
5813 Export the Directory Server replication changelog to an LDIF
5814 file
5815 dsconf replication import-changelog
5817 Restore/import Directory Server replication change log from an
5818 LDIF file. This is typically used when managing changelog en‐
5819 cryption
5820 dsconf replication set
5822 Set an attribute in the replication configuration
5823 dsconf replication monitor
5825 Display the full replication topology report
5826
5828 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
5829 ROLE
5830 [--replica-id REPLICA_ID]
5831 [--bind-group-dn
5832 BIND_GROUP_DN]
5833 [--bind-dn BIND_DN]
5834 [--bind-passwd BIND_PASSWD]
5835 --suffix SUFFIX
5839 Sets the DN of the suffix to be enabled for replication
5840 --role ROLE
5843 Sets the replication role: "supplier", "hub", or "consumer"
5844 --replica-id REPLICA_ID
5847 Sets the replication identifier for a "supplier". Values range
5848 from 1 - 65534
5849 --bind-group-dn BIND_GROUP_DN
5852 Sets a group entry DN containing members that are "bind/sup‐
5853 plier" DNs
5854 --bind-dn BIND_DN
5857 Sets the bind or supplier DN that can make replication updates
5858 --bind-passwd BIND_PASSWD
5861 Sets the password for replication manager (--bind-dn). This will
5862 create the manager entry if a value is set
5863
5866 usage: dsconf instance replication disable [-h] --suffix SUFFIX
5867 --suffix SUFFIX
5871 Sets the DN of the suffix to have replication disabled
5872
5875 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
5876 --suffix SUFFIX
5880 Sets the DN of the replicated suffix
5881
5884 usage: dsconf instance replication list [-h]
5885
5890 usage: dsconf instance replication status [-h] --suffix SUFFIX
5891 [--bind-dn BIND_DN]
5892 [--bind-passwd BIND_PASSWD]
5893 --suffix SUFFIX
5897 Sets the DN of the replication suffix
5898 --bind-dn BIND_DN
5901 Sets the DN to use to authenticate to the consumer
5902 --bind-passwd BIND_PASSWD
5905 Sets the password for the bind DN
5906
5909 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
5910 [--bind-dn BIND_DN]
5911 [--bind-passwd
5912 BIND_PASSWD]
5913 --suffix SUFFIX
5917 Sets the DN of the replication suffix
5918 --bind-dn BIND_DN
5921 Sets the DN to use to authenticate to the consumer
5922 --bind-passwd BIND_PASSWD
5925 Sets the password of the bind DN
5926
5929 usage: dsconf instance replication promote [-h] --suffix SUFFIX --new‐
5930 role
5931 NEWROLE [--replica-id
5932 REPLICA_ID]
5933 [--bind-group-dn
5934 BIND_GROUP_DN]
5935 [--bind-dn BIND_DN]
5936 --suffix SUFFIX
5940 Sets the DN of the replication suffix to promote
5941 --newrole NEWROLE
5944 Sets the new replica role to "hub" or "supplier"
5945 --replica-id REPLICA_ID
5948 Sets the replication identifier for a "supplier". Values range
5949 from 1 - 65534
5950 --bind-group-dn BIND_GROUP_DN
5953 Sets a group entry DN containing members that are "bind/sup‐
5954 plier" DNs
5955 --bind-dn BIND_DN
5958 Sets the bind or supplier DN that can make replication updates
5959
5962 usage: dsconf instance replication create-manager [-h] [--name NAME]
5963 [--passwd PASSWD]
5964 [--suffix SUFFIX]
5965 --name NAME
5969 Sets the name of the new replication manager entry.For example,
5970 if the name is "replication manager" then the new manager en‐
5971 try's DN would be "cn=replication manager,cn=config".
5972 --passwd PASSWD
5975 Sets the password for replication manager. If not provided, you
5976 will be prompted for the password
5977 --suffix SUFFIX
5980 The DN of the replication suffix whose replication configuration
5981 you want to add this new manager to (OPTIONAL)
5982
5985 usage: dsconf instance replication delete-manager [-h] [--name NAME]
5986 [--suffix SUFFIX]
5987 --name NAME
5991 Sets the name of the replication manager entry under cn=config:
5992 "cn=NAME,cn=config"
5993 --suffix SUFFIX
5996 Sets the DN of the replication suffix whose replication configu‐
5997 ration you want to remove this manager from (OPTIONAL)
5998
6001 usage: dsconf instance replication demote [-h] --suffix SUFFIX --new‐
6002 role
6003 NEWROLE
6004 --suffix SUFFIX
6008 Sets the DN of the replication suffix
6009 --newrole NEWROLE
6012 Sets the new replication role to "hub", or "consumer"
6013
6016 usage: dsconf instance replication get [-h] --suffix SUFFIX
6017 --suffix SUFFIX
6021 Sets the suffix DN for the replication configuration to display
6022
6025 usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
6026 [--max-entries MAX_EN‐
6027 TRIES]
6028 [--max-age MAX_AGE]
6029 [--trim-interval
6030 TRIM_INTERVAL]
6031 [--encrypt]
6032 [--disable-encrypt]
6033 --suffix SUFFIX
6037 Sets the suffix that uses the changelog
6038 --max-entries MAX_ENTRIES
6041 Sets the maximum number of entries to get in the replication
6042 changelog
6043 --max-age MAX_AGE
6046 Set the maximum age of a replication changelog entry
6047 --trim-interval TRIM_INTERVAL
6050 Sets the interval to check if the replication changelog can be
6051 trimmed
6052 --encrypt
6055 Sets the replication changelog to use encryption. You must ex‐
6056 port and import the changelog after setting this.
6057 --disable-encrypt
6060 Sets the replication changelog to not use encryption. You must
6061 export and import the changelog after setting this.
6062
6065 usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
6066 --suffix SUFFIX
6070 Sets the suffix that uses the changelog
6071
6074 usage: dsconf instance replication export-changelog [-h] {to-ldif,de‐
6075 fault} ...
6076 Sub-commands
6079 dsconf replication export-changelog to-ldif
6080 Sets the LDIF file name. This is typically used for setting up
6081 changelog encryption
6082 dsconf replication export-changelog default
6084 Export the replication changelog to the server's default LDIF
6085 directory
6086
6088 usage: dsconf instance replication export-changelog to-ldif
6089 [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r
6090 REPLICA_ROOT
6091 -c, --csn-only
6095 Enables to export and interpret CSN only. This option can be
6096 used with or without -i option. The LDIF file that is generated
6097 can not be imported and is only used for debugging purposes.
6098 -d, --decode
6101 Decodes the base64 values in each changelog entry. The LDIF file
6102 that is generated can not be imported and is only used for de‐
6103 bugging purposes.
6104 -l, --preserve-ldif-done
6107 Preserves generated LDIF "files.done" files in changelog direc‐
6108 tory.
6109 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
6112 Decodes changes in an LDIF file. Use this option if you already
6113 have a changelog LDIF file, but the changes in that file are en‐
6114 coded.
6115 -o OUTPUT_FILE, --output-file OUTPUT_FILE
6118 Sets the path name for the final result
6119 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6122 Specifies the replica root whose changelog you want to export
6123
6126 usage: dsconf instance replication export-changelog default
6127 [-h] -r REPLICA_ROOT
6128 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6132 Specifies the replica root whose changelog you want to export
6133
6137 usage: dsconf instance replication import-changelog [-h]
6138 {from-ldif,default}
6139 ...
6140 Sub-commands
6143 dsconf replication import-changelog from-ldif
6144 Restore/import a specific single LDIF file
6145 dsconf replication import-changelog default
6147 Import the default changelog LDIF file created by the server
6148
6150 usage: dsconf instance replication import-changelog from-ldif
6151 [-h] -r REPLICA_ROOT LDIF_PATH
6152 LDIF_PATH
6155 The path of the changelog LDIF file
6156 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6159 Specifies the replica root whose changelog you want to import
6160
6163 usage: dsconf instance replication import-changelog default
6164 [-h] -r REPLICA_ROOT
6165 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6169 Specifies the replica root whose changelog you want to import
6170
6174 usage: dsconf instance replication set [-h] --suffix SUFFIX
6175 [--repl-add-bind-dn
6176 REPL_ADD_BIND_DN]
6177 [--repl-del-bind-dn
6178 REPL_DEL_BIND_DN]
6179 [--repl-add-ref REPL_ADD_REF]
6180 [--repl-del-ref REPL_DEL_REF]
6181 [--repl-purge-delay
6182 REPL_PURGE_DELAY]
6183 [--repl-tombstone-purge-interval
6184 REPL_TOMBSTONE_PURGE_INTERVAL]
6185 [--repl-fast-tombstone-purging
6186 REPL_FAST_TOMBSTONE_PURGING]
6187 [--repl-bind-group
6188 REPL_BIND_GROUP]
6189 [--repl-bind-group-interval
6190 REPL_BIND_GROUP_INTERVAL]
6191 [--repl-protocol-timeout
6192 REPL_PROTOCOL_TIMEOUT]
6193 [--repl-backoff-max REPL_BACK‐
6194 OFF_MAX]
6195 [--repl-backoff-min REPL_BACK‐
6196 OFF_MIN]
6197 [--repl-release-timeout REPL_RE‐
6198 LEASE_TIMEOUT]
6199 --suffix SUFFIX
6203 Sets the DN of the replication suffix
6204 --repl-add-bind-dn REPL_ADD_BIND_DN
6207 Adds a bind (supplier) DN
6208 --repl-del-bind-dn REPL_DEL_BIND_DN
6211 Removes a bind (supplier) DN
6212 --repl-add-ref REPL_ADD_REF
6215 Adds a replication referral (for consumers only)
6216 --repl-del-ref REPL_DEL_REF
6219 Removes a replication referral (for conusmers only)
6220 --repl-purge-delay REPL_PURGE_DELAY
6223 Sets the replication purge delay
6224 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
6227 Sets the interval in seconds to check for tombstones that can be
6228 purged
6229 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6232 Enables or disables improving the tombstone purging performance
6233 --repl-bind-group REPL_BIND_GROUP
6236 Sets a group entry DN containing members that are "bind/sup‐
6237 plier" DNs
6238 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6241 Sets an interval in seconds to check if the bind group has been
6242 updated
6243 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6246 Sets a timeout in seconds on how long to wait before stopping
6247 replication when the server is under load
6248 --repl-backoff-max REPL_BACKOFF_MAX
6251 The maximum time in seconds a replication agreement should stay
6252 in a backoff state while waiting to acquire the consumer. De‐
6253 fault is 300 seconds
6254 --repl-backoff-min REPL_BACKOFF_MIN
6257 The starting time in seconds a replication agreement should stay
6258 in a backoff state while waiting to acquire the consumer. De‐
6259 fault is 3 seconds
6260 --repl-release-timeout REPL_RELEASE_TIMEOUT
6263 A timeout in seconds a replication supplier should send updates
6264 before it yields its replication session
6265
6268 usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
6269 [-a [ALIASES ...]]
6270 -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
6274 Sets the connection values for monitoring other not connected
6275 topologies. The format: 'host:port:binddn:bindpwd'. You can use
6276 regex for host and port. You can set bindpwd to * and it will be
6277 requested at the runtime or you can include the path to the
6278 password file in square brackets - [~/pwd.txt]
6279 -a [ALIASES ...], --aliases [ALIASES ...]
6282 Enables displaying an alias instead of host:port, if an alias is
6283 assigned to a host:port combination. The format: alias=host:port
6284
6288 usage: dsconf instance repl-agmt [-h]
6289 {list,enable,disable,init,init-sta‐
6290 tus,poke,status,delete,create,set,get}
6291 ...
6292 Sub-commands
6295 dsconf repl-agmt list
6296 List all replication agreements
6297 dsconf repl-agmt enable
6299 Enable replication agreement
6300 dsconf repl-agmt disable
6302 Disable replication agreement
6303 dsconf repl-agmt init
6305 Initialize replication agreement
6306 dsconf repl-agmt init-status
6308 Check the agreement initialization status
6309 dsconf repl-agmt poke
6311 Trigger replication to send updates now
6312 dsconf repl-agmt status
6314 Displays the current status of the replication agreement
6315 dsconf repl-agmt delete
6317 Delete replication agreement
6318 dsconf repl-agmt create
6320 Initialize replication agreement
6321 dsconf repl-agmt set
6323 Set an attribute in the replication agreement
6324 dsconf repl-agmt get
6326 Get replication configuration
6327
6329 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry EN‐
6330 TRY]
6331 --suffix SUFFIX
6335 Sets the DN of the suffix to look up replication agreements for
6336 --entry ENTRY
6339 Returns the entire entry for each agreement
6340
6343 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6344 AGMT_NAME
6347 The name of the replication agreement
6348 --suffix SUFFIX
6351 Sets the DN of the replication suffix
6352
6355 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6356 AGMT_NAME
6359 The name of the replication agreement
6360 --suffix SUFFIX
6363 Sets the DN of the replication suffix
6364
6367 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6368 AGMT_NAME
6371 The name of the replication agreement
6372 --suffix SUFFIX
6375 Sets the DN of the replication suffix
6376
6379 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6380 AGMT_NAME
6381 AGMT_NAME
6384 The name of the replication agreement
6385 --suffix SUFFIX
6388 Sets the DN of the replication suffix
6389
6392 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6393 AGMT_NAME
6396 The name of the replication agreement
6397 --suffix SUFFIX
6400 Sets the DN of the replication suffix
6401
6404 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6405 [--bind-dn BIND_DN]
6406 [--bind-passwd BIND_PASSWD]
6407 AGMT_NAME
6408 AGMT_NAME
6411 The name of the replication agreement
6412 --suffix SUFFIX
6415 Sets the DN of the replication suffix
6416 --bind-dn BIND_DN
6419 Sets the DN to use to authenticate to the consumer
6420 --bind-passwd BIND_PASSWD
6423 Sets the password for the bind DN
6424
6427 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6428 AGMT_NAME
6431 The name of the replication agreement
6432 --suffix SUFFIX
6435 Sets the DN of the replication suffix
6436
6439 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host
6440 HOST
6441 --port PORT --conn-protocol
6442 CONN_PROTOCOL [--bind-dn
6443 BIND_DN]
6444 [--bind-passwd BIND_PASSWD]
6445 --bind-method BIND_METHOD
6446 [--frac-list FRAC_LIST]
6447 [--frac-list-total
6448 FRAC_LIST_TOTAL]
6449 [--strip-list STRIP_LIST]
6450 [--schedule SCHEDULE]
6451 [--conn-timeout CONN_TIMEOUT]
6452 [--protocol-timeout PROTO‐
6453 COL_TIMEOUT]
6454 [--wait-async-results
6455 WAIT_ASYNC_RESULTS]
6456 [--busy-wait-time
6457 BUSY_WAIT_TIME]
6458 [--session-pause-time SES‐
6459 SION_PAUSE_TIME]
6460 [--flow-control-window
6461 FLOW_CONTROL_WINDOW]
6462 [--flow-control-pause FLOW_CON‐
6463 TROL_PAUSE]
6464 [--bootstrap-bind-dn BOOT‐
6465 STRAP_BIND_DN]
6466 [--bootstrap-bind-passwd BOOT‐
6467 STRAP_BIND_PASSWD]
6468 [--bootstrap-conn-protocol
6469 BOOTSTRAP_CONN_PROTOCOL]
6470 [--bootstrap-bind-method BOOT‐
6471 STRAP_BIND_METHOD]
6472 [--init]
6473 AGMT_NAME
6474 AGMT_NAME
6477 The name of the replication agreement
6478 --suffix SUFFIX
6481 Sets the DN of the replication suffix
6482 --host HOST
6485 Sets the hostname of the remote replica
6486 --port PORT
6489 Sets the port number of the remote replica
6490 --conn-protocol CONN_PROTOCOL
6493 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6494 TLS
6495 --bind-dn BIND_DN
6498 Sets the bind DN the agreement uses to authenticate to the
6499 replica
6500 --bind-passwd BIND_PASSWD
6503 Sets the credentials for the bind DN
6504 --bind-method BIND_METHOD
6507 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6508 or "SASL/GSSAPI"
6509 --frac-list FRAC_LIST
6512 Sets the list of attributes to NOT replicate to the consumer
6513 during incremental updates
6514 --frac-list-total FRAC_LIST_TOTAL
6517 Sets the list of attributes to NOT replicate during a total ini‐
6518 tialization
6519 --strip-list STRIP_LIST
6522 Sets a list of attributes that are removed from updates only if
6523 the event would otherwise be empty. Typically this is set to
6524 "modifiersname" and "modifytimestmap"
6525 --schedule SCHEDULE
6528 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6529 0-6 (Sunday - Saturday).
6530 --conn-timeout CONN_TIMEOUT
6533 Sets the timeout used for replication connections
6534 --protocol-timeout PROTOCOL_TIMEOUT
6537 Sets a timeout in seconds on how long to wait before stopping
6538 replication when the server is under load
6539 --wait-async-results WAIT_ASYNC_RESULTS
6542 Sets the amount of time in milliseconds the server waits if the
6543 consumer is not ready before resending data
6544 --busy-wait-time BUSY_WAIT_TIME
6547 Sets the amount of time in seconds a supplier should wait after
6548 a consumer sends back a busy response before making another at‐
6549 tempt to acquire access.
6550 --session-pause-time SESSION_PAUSE_TIME
6553 Sets the amount of time in seconds a supplier should wait be‐
6554 tween update sessions.
6555 --flow-control-window FLOW_CONTROL_WINDOW
6558 Sets the maximum number of entries and updates sent by a sup‐
6559 plier, which are not acknowledged by the consumer.
6560 --flow-control-pause FLOW_CONTROL_PAUSE
6563 Sets the time in milliseconds to pause after reaching the number
6564 of entries and updates set in "--flow-control-window"
6565 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6568 Sets an optional bind DN the agreement can use to bootstrap ini‐
6569 tialization when bind groups are being used
6570 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6573 Sets the bootstrap credentials for the bind DN
6574 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6577 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6578 or StartTLS
6579 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6582 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6583 --init Initializes the agreement after creating it
6586
6589 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6590 [--port PORT]
6591 [--conn-protocol CONN_PROTOCOL]
6592 [--bind-dn BIND_DN]
6593 [--bind-passwd BIND_PASSWD]
6594 [--bind-method BIND_METHOD]
6595 [--frac-list FRAC_LIST]
6596 [--frac-list-total FRAC_LIST_TO‐
6597 TAL]
6598 [--strip-list STRIP_LIST]
6599 [--schedule SCHEDULE]
6600 [--conn-timeout CONN_TIMEOUT]
6601 [--protocol-timeout PROTOCOL_TIME‐
6602 OUT]
6603 [--wait-async-results
6604 WAIT_ASYNC_RESULTS]
6605 [--busy-wait-time BUSY_WAIT_TIME]
6606 [--session-pause-time SES‐
6607 SION_PAUSE_TIME]
6608 [--flow-control-window FLOW_CON‐
6609 TROL_WINDOW]
6610 [--flow-control-pause FLOW_CON‐
6611 TROL_PAUSE]
6612 [--bootstrap-bind-dn BOOT‐
6613 STRAP_BIND_DN]
6614 [--bootstrap-bind-passwd BOOT‐
6615 STRAP_BIND_PASSWD]
6616 [--bootstrap-conn-protocol BOOT‐
6617 STRAP_CONN_PROTOCOL]
6618 [--bootstrap-bind-method BOOT‐
6619 STRAP_BIND_METHOD]
6620 AGMT_NAME
6621 AGMT_NAME
6624 The name of the replication agreement
6625 --suffix SUFFIX
6628 Sets the DN of the replication suffix
6629 --host HOST
6632 Sets the hostname of the remote replica
6633 --port PORT
6636 Sets the port number of the remote replica
6637 --conn-protocol CONN_PROTOCOL
6640 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6641 TLS
6642 --bind-dn BIND_DN
6645 Sets the Bind DN the agreement uses to authenticate to the
6646 replica
6647 --bind-passwd BIND_PASSWD
6650 Sets the credentials for the bind DN
6651 --bind-method BIND_METHOD
6654 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6655 or "SASL/GSSAPI"
6656 --frac-list FRAC_LIST
6659 Sets a list of attributes to NOT replicate to the consumer dur‐
6660 ing incremental updates
6661 --frac-list-total FRAC_LIST_TOTAL
6664 Sets a list of attributes to NOT replicate during a total ini‐
6665 tialization
6666 --strip-list STRIP_LIST
6669 Sets a list of attributes that are removed from updates only if
6670 the event would otherwise be empty. Typically this is set to
6671 "modifiersname" and "modifytimestmap"
6672 --schedule SCHEDULE
6675 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6676 0-6 (Sunday - Saturday).
6677 --conn-timeout CONN_TIMEOUT
6680 Sets the timeout used for replication connections
6681 --protocol-timeout PROTOCOL_TIMEOUT
6684 Sets a timeout in seconds on how long to wait before stopping
6685 replication when the server is under load
6686 --wait-async-results WAIT_ASYNC_RESULTS
6689 Sets the amount of time in milliseconds the server waits if the
6690 consumer is not ready before resending data
6691 --busy-wait-time BUSY_WAIT_TIME
6694 Sets the amount of time in seconds a supplier should wait after
6695 a consumer sends back a busy response before making another at‐
6696 tempt to acquire access.
6697 --session-pause-time SESSION_PAUSE_TIME
6700 Sets the amount of time in seconds a supplier should wait be‐
6701 tween update sessions.
6702 --flow-control-window FLOW_CONTROL_WINDOW
6705 Sets the maximum number of entries and updates sent by a sup‐
6706 plier, which are not acknowledged by the consumer.
6707 --flow-control-pause FLOW_CONTROL_PAUSE
6710 Sets the time in milliseconds to pause after reaching the number
6711 of entries and updates set in "--flow-control-window"
6712 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6715 Sets an optional bind DN the agreement can use to bootstrap ini‐
6716 tialization when bind groups are being used
6717 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6720 sets the bootstrap credentials for the bind DN
6721 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6724 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6725 or StartTLS
6726 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6729 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6730
6733 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
6734 AGMT_NAME
6737 The suffix DN for which to display the replication configuration
6738 --suffix SUFFIX
6741 Sets the DN of the replication suffix
6742
6746 usage: dsconf instance repl-winsync-agmt [-h]
6747 {list,enable,dis‐
6748 able,init,init-status,poke,status,delete,create,set,get}
6749 ...
6750 Sub-commands
6753 dsconf repl-winsync-agmt list
6754 List all the replication winsync agreements
6755 dsconf repl-winsync-agmt enable
6757 Enable replication winsync agreement
6758 dsconf repl-winsync-agmt disable
6760 Disable replication winsync agreement
6761 dsconf repl-winsync-agmt init
6763 Initialize replication winsync agreement
6764 dsconf repl-winsync-agmt init-status
6766 Check the agreement initialization status
6767 dsconf repl-winsync-agmt poke
6769 Trigger replication to send updates now
6770 dsconf repl-winsync-agmt status
6772 Display the current status of the replication agreement
6773 dsconf repl-winsync-agmt delete
6775 Delete replication winsync agreement
6776 dsconf repl-winsync-agmt create
6778 Initialize replication winsync agreement
6779 dsconf repl-winsync-agmt set
6781 Set an attribute in the replication winsync agreement
6782 dsconf repl-winsync-agmt get
6784 Display replication configuration
6785
6787 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
6788 --suffix SUFFIX
6792 Sets the DN of the suffix to look up replication winsync agree‐
6793 ments
6794
6797 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
6798 AGMT_NAME
6799 AGMT_NAME
6802 The name of the replication winsync agreement
6803 --suffix SUFFIX
6806 Sets the DN of the replication winsync suffix
6807
6810 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
6811 AGMT_NAME
6812 AGMT_NAME
6815 The name of the replication winsync agreement
6816 --suffix SUFFIX
6819 Sets the DN of the replication winsync suffix
6820
6823 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
6824 AGMT_NAME
6825 AGMT_NAME
6828 The name of the replication winsync agreement
6829 --suffix SUFFIX
6832 Sets the DN of the replication winsync suffix
6833
6836 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUF‐
6837 FIX
6838 AGMT_NAME
6839 AGMT_NAME
6842 The name of the replication agreement
6843 --suffix SUFFIX
6846 Sets the DN of the replication suffix
6847
6850 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
6851 AGMT_NAME
6852 AGMT_NAME
6855 The name of the replication winsync agreement
6856 --suffix SUFFIX
6859 Sets the DN of the replication winsync suffix
6860
6863 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
6864 AGMT_NAME
6865 AGMT_NAME
6868 The name of the replication agreement
6869 --suffix SUFFIX
6872 Sets the DN of the replication suffix
6873
6876 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
6877 AGMT_NAME
6878 AGMT_NAME
6881 The name of the replication winsync agreement
6882 --suffix SUFFIX
6885 Sets the DN of the replication winsync suffix
6886
6889 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
6890 --host
6891 HOST --port PORT
6892 --conn-protocol
6893 CONN_PROTOCOL
6894 --bind-dn BIND_DN
6895 --bind-passwd
6896 BIND_PASSWD
6897 [--frac-list FRAC_LIST]
6898 [--schedule SCHEDULE]
6899 --win-subtree WIN_SUB‐
6900 TREE
6901 --ds-subtree DS_SUBTREE
6902 --win-domain WIN_DOMAIN
6903 [--sync-users
6904 SYNC_USERS]
6905 [--sync-groups
6906 SYNC_GROUPS]
6907 [--sync-interval
6908 SYNC_INTERVAL]
6909 [--one-way-sync
6910 ONE_WAY_SYNC]
6911 [--move-action MOVE_AC‐
6912 TION]
6913 [--win-filter WIN_FIL‐
6914 TER]
6915 [--ds-filter DS_FILTER]
6916 [--subtree-pair SUB‐
6917 TREE_PAIR]
6918 [--conn-timeout
6919 CONN_TIMEOUT]
6920 [--busy-wait-time
6921 BUSY_WAIT_TIME]
6922 [--session-pause-time
6923 SESSION_PAUSE_TIME]
6924 [--init]
6925 AGMT_NAME
6926 AGMT_NAME
6929 The name of the replication winsync agreement
6930 --suffix SUFFIX
6933 Sets the DN of the replication winsync suffix
6934 --host HOST
6937 Sets the hostname of the AD server
6938 --port PORT
6941 Sets the port number of the AD server
6942 --conn-protocol CONN_PROTOCOL
6945 Sets the replication winsync connection protocol: LDAP, LDAPS,
6946 or StartTLS
6947 --bind-dn BIND_DN
6950 Sets the bind DN the agreement uses to authenticate to the AD
6951 Server
6952 --bind-passwd BIND_PASSWD
6955 Sets the credentials for the Bind DN
6956 --frac-list FRAC_LIST
6959 Sets a list of attributes to NOT replicate to the consumer dur‐
6960 ing incremental updates
6961 --schedule SCHEDULE
6964 Sets the replication update schedule
6965 --win-subtree WIN_SUBTREE
6968 Sets the suffix of the AD Server
6969 --ds-subtree DS_SUBTREE
6972 Sets the Directory Server suffix
6973 --win-domain WIN_DOMAIN
6976 Sets the AD Domain
6977 --sync-users SYNC_USERS
6980 Synchronizes users between AD and DS
6981 --sync-groups SYNC_GROUPS
6984 Synchronizes groups between AD and DS
6985 --sync-interval SYNC_INTERVAL
6988 Sets the interval that DS checks AD for changes in entries
6989 --one-way-sync ONE_WAY_SYNC
6992 Sets which direction to perform synchronization: "toWindows",
6993 "fromWindows", "both"
6994 --move-action MOVE_ACTION
6997 Sets instructions on how to handle moved or deleted entries:
6998 "none", "unsync", or "delete"
6999 --win-filter WIN_FILTER
7002 Sets a custom filter for finding users in AD Server
7003 --ds-filter DS_FILTER
7006 Sets a custom filter for finding AD users in DS
7007 --subtree-pair SUBTREE_PAIR
7010 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7011 --conn-timeout CONN_TIMEOUT
7014 Sets the timeout used for replicaton connections
7015 --busy-wait-time BUSY_WAIT_TIME
7018 Sets the amount of time in seconds a supplier should wait after
7019 a consumer sends back a busy response before making another at‐
7020 tempt to acquire access
7021 --session-pause-time SESSION_PAUSE_TIME
7024 Sets the amount of time in seconds a supplier should wait be‐
7025 tween update sessions
7026 --init Initializes the agreement after creating it
7029
7032 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
7033 [--host HOST] [--port
7034 PORT]
7035 [--conn-protocol CONN_PRO‐
7036 TOCOL]
7037 [--bind-dn BIND_DN]
7038 [--bind-passwd
7039 BIND_PASSWD]
7040 [--frac-list FRAC_LIST]
7041 [--schedule SCHEDULE]
7042 [--win-subtree WIN_SUB‐
7043 TREE]
7044 [--ds-subtree DS_SUBTREE]
7045 [--win-domain WIN_DOMAIN]
7046 [--sync-users SYNC_USERS]
7047 [--sync-groups
7048 SYNC_GROUPS]
7049 [--sync-interval SYNC_IN‐
7050 TERVAL]
7051 [--one-way-sync
7052 ONE_WAY_SYNC]
7053 [--move-action MOVE_AC‐
7054 TION]
7055 [--win-filter WIN_FILTER]
7056 [--ds-filter DS_FILTER]
7057 [--subtree-pair SUB‐
7058 TREE_PAIR]
7059 [--conn-timeout CONN_TIME‐
7060 OUT]
7061 [--busy-wait-time
7062 BUSY_WAIT_TIME]
7063 [--session-pause-time SES‐
7064 SION_PAUSE_TIME]
7065 AGMT_NAME
7066 AGMT_NAME
7069 The name of the replication winsync agreement
7070 --suffix SUFFIX
7073 Sets the DN of the replication winsync suffix
7074 --host HOST
7077 Sets the hostname of the AD server
7078 --port PORT
7081 Sets the port number of the AD server
7082 --conn-protocol CONN_PROTOCOL
7085 Sets the replication winsync connection protocol: LDAP, LDAPS,
7086 or StartTLS
7087 --bind-dn BIND_DN
7090 Sets the bind DN the agreement uses to authenticate to the AD
7091 Server
7092 --bind-passwd BIND_PASSWD
7095 Sets the credentials for the Bind DN
7096 --frac-list FRAC_LIST
7099 Sets a list of attributes to NOT replicate to the consumer dur‐
7100 ing incremental updates
7101 --schedule SCHEDULE
7104 Sets the replication update schedule
7105 --win-subtree WIN_SUBTREE
7108 Sets the suffix of the AD Server
7109 --ds-subtree DS_SUBTREE
7112 Sets the Directory Server suffix
7113 --win-domain WIN_DOMAIN
7116 Sets the AD Domain
7117 --sync-users SYNC_USERS
7120 Synchronizes users between AD and DS
7121 --sync-groups SYNC_GROUPS
7124 Synchronizes groups between AD and DS
7125 --sync-interval SYNC_INTERVAL
7128 Sets the interval that DS checks AD for changes in entries
7129 --one-way-sync ONE_WAY_SYNC
7132 Sets which direction to perform synchronization: "toWindows",
7133 "fromWindows", "both"
7134 --move-action MOVE_ACTION
7137 Sets instructions on how to handle moved or deleted entries:
7138 "none", "unsync", or "delete"
7139 --win-filter WIN_FILTER
7142 Sets a custom filter for finding users in AD Server
7143 --ds-filter DS_FILTER
7146 Sets a custom filter for finding AD users in DS
7147 --subtree-pair SUBTREE_PAIR
7150 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7151 --conn-timeout CONN_TIMEOUT
7154 Sets the timeout used for replicaton connections
7155 --busy-wait-time BUSY_WAIT_TIME
7158 Sets the amount of time in seconds a supplier should wait after
7159 a consumer sends back a busy response before making another at‐
7160 tempt to acquire access
7161 --session-pause-time SESSION_PAUSE_TIME
7164 Sets the amount of time in seconds a supplier should wait be‐
7165 tween update sessions
7166
7169 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
7170 AGMT_NAME
7171 AGMT_NAME
7174 The suffix DN for the replication configuration to display
7175 --suffix SUFFIX
7178 Sets the DN of the replication suffix
7179
7183 usage: dsconf instance repl-tasks [-h]
7184 {cleanallruv,list-cleanruv-
7185 tasks,abort-cleanallruv,list-abortruv-tasks}
7186 ...
7187 Sub-commands
7190 dsconf repl-tasks cleanallruv
7191 Cleanup old/removed replica IDs
7192 dsconf repl-tasks list-cleanruv-tasks
7194 List all the running CleanAllRUV tasks
7195 dsconf repl-tasks abort-cleanallruv
7197 Abort cleanallruv tasks
7198 dsconf repl-tasks list-abortruv-tasks
7200 List all the running CleanAllRUV abort tasks
7201
7203 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
7204 --replica-id REPLICA_ID
7205 [--force-cleaning]
7206 --suffix SUFFIX
7210 Sets the Directory Server suffix
7211 --replica-id REPLICA_ID
7214 Sets the replica ID to remove/clean
7215 --force-cleaning
7218 Ignores errors and make a best attempt to clean all replicas
7219
7222 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
7223 SUFFIX]
7224 --suffix SUFFIX
7228 Lists only tasks for the specified suffix
7229
7232 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUF‐
7233 FIX
7234 --replica-id
7235 REPLICA_ID
7236 [--certify]
7237 --suffix SUFFIX
7241 Sets the Directory Server suffix
7242 --replica-id REPLICA_ID
7245 Sets the replica ID of the cleaning task to abort
7246 --certify
7249 Enforces that the abort task completed on all replicas
7250
7253 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
7254 SUFFIX]
7255 --suffix SUFFIX
7259 Lists only tasks for the specified suffix
7260
7264 usage: dsconf instance sasl [-h]
7265 {list,get-mechs,get-available-
7266 mechs,get,create,delete}
7267 ...
7268 Sub-commands
7271 dsconf sasl list
7272 Display available SASL mappings
7273 dsconf sasl get-mechs
7275 Display the SASL mechanisms that the server will accept
7276 dsconf sasl get-available-mechs
7278 Display the SASL mechanisms that are available to the server
7279 dsconf sasl get
7281 Displays SASL mappings
7282 dsconf sasl create
7284 Create a SASL mapping
7285 dsconf sasl delete
7287 Deletes the SASL object
7288
7290 usage: dsconf instance sasl list [-h] [--details]
7291 --details
7295 Displays each SASL mapping in detail
7296
7299 usage: dsconf instance sasl get-mechs [-h]
7300
7305 usage: dsconf instance sasl get-available-mechs [-h]
7306
7311 usage: dsconf instance sasl get [-h] [selector]
7312 selector
7315 The SASL mapping name to display
7316
7320 usage: dsconf instance sasl create [-h] [--cn [CN]]
7321 [--nsSaslMapRegexString
7322 [NSSASLMAPREGEXSTRING]]
7323 [--nsSaslMapBaseDNTemplate
7324 [NSSASLMAPBASEDNTEMPLATE]]
7325 [--nsSaslMapFilterTemplate
7326 [NSSASLMAPFILTERTEMPLATE]]
7327 [--nsSaslMapPriority [NSSASLMAPPRI‐
7328 ORITY]]
7329 --cn [CN]
7333 Value of cn
7334 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7337 Value of nsSaslMapRegexString
7338 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7341 Value of nsSaslMapBaseDNTemplate
7342 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7345 Value of nsSaslMapFilterTemplate
7346 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7349 Value of nsSaslMapPriority
7350
7353 usage: dsconf instance sasl delete [-h] map_name
7354 map_name
7357 The SASL mapping name ("cn" value)
7358
7363 usage: dsconf instance security [-h]
7364 {set,get,enable,disable,dis‐
7365 able_plain_port,certificate,ca-certificate,rsa,ciphers}
7366 ...
7367 Sub-commands
7370 dsconf security set
7371 Set general security options
7372 dsconf security get
7374 Display general security options
7375 dsconf security enable
7377 Enable security
7378 dsconf security disable
7380 Disable security
7381 dsconf security disable_plain_port
7383 Disables the plain text LDAP port, allowing only LDAPS to func‐
7384 tion
7385 dsconf security certificate
7387 Manage TLS certificates
7388 dsconf security ca-certificate
7390 Manage TLS certificate authorities
7391 dsconf security rsa
7393 Query and update RSA security options
7394 dsconf security ciphers
7396 Manage secure ciphers
7397
7399 usage: dsconf instance security set [-h] [--security SECURITY]
7400 [--listen-host LISTEN_HOST]
7401 [--secure-port SECURE_PORT]
7402 [--tls-client-auth TLS_CLIENT_AUTH]
7403 [--tls-client-renegotiation
7404 TLS_CLIENT_RENEGOTIATION]
7405 [--require-secure-authentication
7406 REQUIRE_SECURE_AUTHENTICATION]
7407 [--check-hostname CHECK_HOSTNAME]
7408 [--verify-cert-chain-on-startup
7409 VERIFY_CERT_CHAIN_ON_STARTUP]
7410 [--session-timeout SESSION_TIMEOUT]
7411 [--tls-protocol-min TLS_PROTO‐
7412 COL_MIN]
7413 [--tls-protocol-max TLS_PROTO‐
7414 COL_MAX]
7415 [--allow-insecure-ciphers ALLOW_IN‐
7416 SECURE_CIPHERS]
7417 [--allow-weak-dh-param AL‐
7418 LOW_WEAK_DH_PARAM]
7419 [--cipher-pref CIPHER_PREF]
7420 Use this command for setting security related options located in
7422 cn=config and cn=encryption,cn=config.
7423 To enable/disable security you can use enable and disable commands in‐
7425 stead.
7426 --security SECURITY
7430 Enables or disables security (nsslapd-security)
7431 --listen-host LISTEN_HOST
7434 Sets the host or IP address to listen on for LDAPS (nsslapd-se‐
7435 curelistenhost)
7436 --secure-port SECURE_PORT
7439 Sets the port for LDAPS to listen on (nsslapd-securePort)
7440 --tls-client-auth TLS_CLIENT_AUTH
7443 Configures client authentication requirement (nsSSLClientAuth)
7444 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7447 Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)
7448 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7451 Configures whether binds over LDAPS, StartTLS, or SASL are re‐
7452 quired (nsslapd- require-secure-binds)
7453 --check-hostname CHECK_HOSTNAME
7456 Checks the subject of remote certificate against the hostname
7457 (nsslapd-ssl- check-hostname)
7458 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7461 Validates the server certificate during startup (nsslapd-vali‐
7462 date-cert)
7463 --session-timeout SESSION_TIMEOUT
7466 Sets the secure session timeout (nsSSLSessionTimeout)
7467 --tls-protocol-min TLS_PROTOCOL_MIN
7470 Sets the minimal allowed secure protocol version (sslVersionMin)
7471 --tls-protocol-max TLS_PROTOCOL_MAX
7474 Sets the maximal allowed secure protocol version (sslVersionMax)
7475 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7478 Allows weak ciphers for legacy use (allowWeakCipher)
7479 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7482 Allows short DH params for legacy use (allowWeakDHParam)
7483 --cipher-pref CIPHER_PREF
7486 Directly sets the nsSSL3Ciphers attribute. It is a comma-sepa‐
7487 rated list of cipher names (prefixed with + or -), optionally
7488 including +all or -all. The attribute may optionally be prefixed
7489 by keyword "default". Please refer to documentation of the at‐
7490 tribute for a more detailed description. (nsSSL3Ciphers)
7491
7494 usage: dsconf instance security get [-h]
7495
7500 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7501 If missing, create security database, then turn on security functional‐
7503 ity. Please note this is usually not enough for TLS connections to work
7504 - proper setup of CA and server certificate is necessary.
7505 --cert-name CERT_NAME
7509 Sets the name of the certificate the server should use
7510
7513 usage: dsconf instance security disable [-h]
7514 Turn off security functionality. The rest of the configuration will be
7516 left untouched.
7517
7522 usage: dsconf instance security disable_plain_port [-h]
7523
7528 usage: dsconf instance security certificate [-h]
7529 {add,set-trust-
7530 flags,del,get,list}
7531 ...
7532 Sub-commands
7535 dsconf security certificate add
7536 Add a server certificate
7537 dsconf security certificate set-trust-flags
7539 Set the Trust flags
7540 dsconf security certificate del
7542 Delete a certificate
7543 dsconf security certificate get
7545 Display a server certificate's information
7546 dsconf security certificate list
7548 List the server certificates
7549
7551 usage: dsconf instance security certificate add [-h] --file FILE --name
7552 NAME
7553 [--primary-cert]
7554 Add a server certificate to the NSS database
7556 --file FILE
7560 Sets the file name of the certificate
7561 --name NAME
7564 Sets the name/nickname of the certificate
7565 --primary-cert
7568 Sets this certificate as the server's certificate
7569
7572 usage: dsconf instance security certificate set-trust-flags
7573 [-h] --flags FLAGS name
7574 Change the trust flags of a server certificate
7576 name The name/nickname of the certificate
7579 --flags FLAGS
7582 Sets the trust flags for the server certificate
7583
7586 usage: dsconf instance security certificate del [-h] name
7587 Delete a certificate from the NSS database
7589 name The name/nickname of the certificate
7592
7596 usage: dsconf instance security certificate get [-h] name
7597 Displays detailed information about a certificate, such as trust at‐
7599 tributes, expiration dates, Subject and Issuer DNs
7600 name Set the name/nickname of the certificate
7603
7607 usage: dsconf instance security certificate list [-h]
7608 Lists the server certificates in the NSS database
7610
7616 usage: dsconf instance security ca-certificate [-h]
7617 {add,set-trust-
7618 flags,del,get,list}
7619 ...
7620 Sub-commands
7623 dsconf security ca-certificate add
7624 Add a Certificate Authority
7625 dsconf security ca-certificate set-trust-flags
7627 Set the Trust flags
7628 dsconf security ca-certificate del
7630 Delete a certificate
7631 dsconf security ca-certificate get
7633 Displays a Certificate Authority's information
7634 dsconf security ca-certificate list
7636 List the Certificate Authorities
7637
7639 usage: dsconf instance security ca-certificate add [-h] --file FILE
7640 --name
7641 NAME
7642 Add a Certificate Authority to the NSS database
7644 --file FILE
7648 Sets the file name of the CA certificate
7649 --name NAME
7652 Sets the name/nickname of the CA certificate
7653
7656 usage: dsconf instance security ca-certificate set-trust-flags
7657 [-h] --flags FLAGS name
7658 Change the trust attributes of a CA certificate. Certificate Authori‐
7660 ties typically use "CT,,"
7661 name The name/nickname of the CA certificate
7664 --flags FLAGS
7667 Sets the trust flags for the CA certificate
7668
7671 usage: dsconf instance security ca-certificate del [-h] name
7672 Delete a CA certificate from the NSS database
7674 name The name/nickname of the CA certificate
7677
7681 usage: dsconf instance security ca-certificate get [-h] name
7682 Get detailed information about a CA certificate, like trust attributes,
7684 expiration dates, Subject and Issuer DN
7685 name The name/nickname of the CA certificate
7688
7692 usage: dsconf instance security ca-certificate list [-h]
7693 List the CA certificates in the NSS database
7695
7701 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
7702 Sub-commands
7705 dsconf security rsa set
7706 Set RSA security options
7707 dsconf security rsa get
7709 Get RSA security options
7710 dsconf security rsa enable
7712 Enable RSA
7713 dsconf security rsa disable
7715 Disable RSA
7716
7718 usage: dsconf instance security rsa set [-h]
7719 [--tls-allow-rsa-certificates
7720 TLS_ALLOW_RSA_CERTIFICATES]
7721 [--nss-cert-name NSS_CERT_NAME]
7722 [--nss-token NSS_TOKEN]
7723 Use this command for setting RSA (private key) related options located
7725 in cn=RSA,cn=encryption,cn=config.
7726 To enable/disable RSA you can use enable and disable commands instead.
7728 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
7732 Activates the use of RSA certificates (nsSSLActivation)
7733 --nss-cert-name NSS_CERT_NAME
7736 Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)
7737 --nss-token NSS_TOKEN
7740 Sets the security token name (module of NSS DB) (nsSSLToken)
7741
7744 usage: dsconf instance security rsa get [-h]
7745
7750 usage: dsconf instance security rsa enable [-h]
7751
7756 usage: dsconf instance security rsa disable [-h]
7757
7763 usage: dsconf instance security ciphers [-h] {enable,dis‐
7764 able,get,set,list} ...
7765 Sub-commands
7768 dsconf security ciphers enable
7769 Enable ciphers
7770 dsconf security ciphers disable
7772 Disable ciphers
7773 dsconf security ciphers get
7775 Get ciphers attribute
7776 dsconf security ciphers set
7778 Set ciphers attribute
7779 dsconf security ciphers list
7781 List ciphers
7782
7784 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
7785 Use this command to enable specific ciphers.
7787 cipher
7790
7793 usage: dsconf instance security ciphers disable [-h] cipher [cipher
7794 ...]
7795 Use this command to disable specific ciphers.
7797 cipher
7800
7803 usage: dsconf instance security ciphers get [-h]
7804 Use this command to get contents of nsSSL3Ciphers attribute.
7806
7811 usage: dsconf instance security ciphers set [-h] cipher-string
7812 Use this command to directly set nsSSL3Ciphers attribute. It is a comma
7814 separated list of cipher names (prefixed with + or -), optionally in‐
7815 cluding +all or -all. The attribute may optionally be set to keyword
7816 default. Please refer to documentation of the attribute for a more de‐
7817 tailed description.
7818 cipher-string
7821
7824 usage: dsconf instance security ciphers list [-h]
7825 [--enabled | --supported |
7826 --disabled]
7827 List secure ciphers. Without arguments, list ciphers as configured in
7829 nsSSL3Ciphers attribute.
7830 --enabled
7834 Lists only enabled ciphers
7835 --supported
7838 Lists only supported ciphers
7839 --disabled
7842 Lists only supported ciphers but without enabled ciphers
7843
7848 usage: dsconf instance schema [-h]
7849 {list,attributetypes,objectclasses,match‐
7850 ingrules,reload,validate-syntax,import-openldap-file}
7851 ...
7852 Sub-commands
7855 dsconf schema list
7856 List all schema objects on this system
7857 dsconf schema attributetypes
7859 Work with attribute types on this system
7860 dsconf schema objectclasses
7862 Work with objectClasses on this system
7863 dsconf schema matchingrules
7865 Work with matching rules on this system
7866 dsconf schema reload
7868 Dynamically reload schema while server is running
7869 dsconf schema validate-syntax
7871 Run a task to check every modification to attributes to make
7872 sure that the new value has the required syntax for that attri‐
7873 bute type
7874 dsconf schema import-openldap-file
7876 Import an openldap formatted dynamic schema ldifs. These will
7877 contain values like olcAttributeTypes and olcObjectClasses.
7878
7880 usage: dsconf instance schema list [-h]
7881
7886 usage: dsconf instance schema attributetypes [-h]
7887 {get_syn‐
7888 taxes,list,query,add,replace,remove}
7889 ...
7890 Sub-commands
7893 dsconf schema attributetypes get_syntaxes
7894 List all available attribute type syntaxes
7895 dsconf schema attributetypes list
7897 List available attribute types on this system
7898 dsconf schema attributetypes query
7900 Query an attribute to determine object classes that may or must
7901 take it
7902 dsconf schema attributetypes add
7904 Add an attribute type to this system
7905 dsconf schema attributetypes replace
7907 Replace an attribute type on this system
7908 dsconf schema attributetypes remove
7910 Remove an attribute type on this system
7911
7913 usage: dsconf instance schema attributetypes get_syntaxes [-h]
7914
7919 usage: dsconf instance schema attributetypes list [-h]
7920
7925 usage: dsconf instance schema attributetypes query [-h] [name]
7926 name Attribute type to query
7929
7933 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
7934 [--desc DESC]
7935 [--x-origin X_ORIGIN]
7936 [--aliases ALIASES
7937 [ALIASES ...]]
7938 [--single-value]
7939 [--multi-value]
7940 [--no-user-mod]
7941 [--user-mod]
7942 [--equality EQUALITY]
7943 [--substr SUBSTR]
7944 [--ordering ORDERING]
7945 [--usage USAGE] [--sup
7946 SUP]
7947 --syntax SYNTAX
7948 name
7949 name NAME of the object
7952 --oid OID
7955 OID assigned to the object
7956 --desc DESC
7959 Description text(DESC) of the object
7960 --x-origin X_ORIGIN
7963 Provides information about where the attribute type is defined
7964 --aliases ALIASES [ALIASES ...]
7967 Additional NAMEs of the object.
7968 --single-value
7971 True if the matching rule must have only one valueOnly one of
7972 the flags this or --multi-value should be specified
7973 --multi-value
7976 True if the matching rule may have multiple values (default)Only
7977 one of the flags this or --single-value should be specified
7978 --no-user-mod
7981 True if the attribute is not modifiable by a client applica‐
7982 tionOnly one of the flags this or --user-mod should be specified
7983 --user-mod
7986 True if the attribute is modifiable by a client application (de‐
7987 fault)Only one of the flags this or --no-user-mode should be
7988 specified
7989 --equality EQUALITY
7992 NAME or OID of the matching rule used for checkingwhether attri‐
7993 bute values are equal
7994 --substr SUBSTR
7997 NAME or OID of the matching rule used for checkingwhether an at‐
7998 tribute value contains another value
7999 --ordering ORDERING
8002 NAME or OID of the matching rule used for checkingwhether attri‐
8003 bute values are lesser - equal than
8004 --usage USAGE
8007 The flag indicates how the attribute type is to be used. Choose
8008 from the list: userApplications (default), directoryOperation,
8009 distributedOperation, dSAOperation
8010 --sup SUP
8013 The NAME or OID of attribute type this attribute type is derived
8014 from
8015 --syntax SYNTAX
8018 OID of the LDAP syntax assigned to the attribute
8019
8022 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
8023 [--desc DESC]
8024 [--x-origin X_ORI‐
8025 GIN]
8026 [--aliases ALIASES
8027 [ALIASES ...]]
8028 [--single-value]
8029 [--multi-value]
8030 [--no-user-mod]
8031 [--user-mod]
8032 [--equality EQUAL‐
8033 ITY]
8034 [--substr SUBSTR]
8035 [--ordering ORDER‐
8036 ING]
8037 [--usage USAGE]
8038 [--sup SUP]
8039 [--syntax SYNTAX]
8040 name
8041 name NAME of the object
8044 --oid OID
8047 OID assigned to the object
8048 --desc DESC
8051 Description text(DESC) of the object
8052 --x-origin X_ORIGIN
8055 Provides information about where the attribute type is defined
8056 --aliases ALIASES [ALIASES ...]
8059 Additional NAMEs of the object.
8060 --single-value
8063 True if the matching rule must have only one valueOnly one of
8064 the flags this or --multi-value should be specified
8065 --multi-value
8068 True if the matching rule may have multiple values (default)Only
8069 one of the flags this or --single-value should be specified
8070 --no-user-mod
8073 True if the attribute is not modifiable by a client applica‐
8074 tionOnly one of the flags this or --user-mod should be specified
8075 --user-mod
8078 True if the attribute is modifiable by a client application (de‐
8079 fault)Only one of the flags this or --no-user-mode should be
8080 specified
8081 --equality EQUALITY
8084 NAME or OID of the matching rule used for checkingwhether attri‐
8085 bute values are equal
8086 --substr SUBSTR
8089 NAME or OID of the matching rule used for checkingwhether an at‐
8090 tribute value contains another value
8091 --ordering ORDERING
8094 NAME or OID of the matching rule used for checkingwhether attri‐
8095 bute values are lesser - equal than
8096 --usage USAGE
8099 The flag indicates how the attribute type is to be used. Choose
8100 from the list: userApplications (default), directoryOperation,
8101 distributedOperation, dSAOperation
8102 --sup SUP
8105 The NAME or OID of attribute type this attribute type is derived
8106 from
8107 --syntax SYNTAX
8110 OID of the LDAP syntax assigned to the attribute
8111
8114 usage: dsconf instance schema attributetypes remove [-h] name
8115 name NAME of the object
8118
8123 usage: dsconf instance schema objectclasses [-h]
8124 {list,query,add,replace,re‐
8125 move}
8126 ...
8127 Sub-commands
8130 dsconf schema objectclasses list
8131 List available objectClasses on this system
8132 dsconf schema objectclasses query
8134 Query an objectClass
8135 dsconf schema objectclasses add
8137 Add an objectClass to this system
8138 dsconf schema objectclasses replace
8140 Replace an objectClass on this system
8141 dsconf schema objectclasses remove
8143 Remove an objectClass on this system
8144
8146 usage: dsconf instance schema objectclasses list [-h]
8147
8152 usage: dsconf instance schema objectclasses query [-h] [name]
8153 name ObjectClass to query
8156
8160 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
8161 [--desc DESC]
8162 [--x-origin X_ORIGIN]
8163 [--must MUST [MUST
8164 ...]]
8165 [--may MAY [MAY ...]]
8166 [--kind KIND]
8167 [--sup SUP [SUP ...]]
8168 name
8169 name NAME of the object
8172 --oid OID
8175 OID assigned to the object
8176 --desc DESC
8179 Description text(DESC) of the object
8180 --x-origin X_ORIGIN
8183 Provides information about where the attribute type is defined
8184 --must MUST [MUST ...]
8187 NAMEs or OIDs of all attributes an entry of the object must have
8188 --may MAY [MAY ...]
8191 NAMEs or OIDs of additional attributes an entry of the object
8192 may have
8193 --kind KIND
8196 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8197 --sup SUP [SUP ...]
8200 NAME or OIDs of object classes this object is derived from
8201
8204 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
8205 [--desc DESC]
8206 [--x-origin X_ORI‐
8207 GIN]
8208 [--must MUST [MUST
8209 ...]]
8210 [--may MAY [MAY
8211 ...]]
8212 [--kind KIND]
8213 [--sup SUP [SUP
8214 ...]]
8215 name
8216 name NAME of the object
8219 --oid OID
8222 OID assigned to the object
8223 --desc DESC
8226 Description text(DESC) of the object
8227 --x-origin X_ORIGIN
8230 Provides information about where the attribute type is defined
8231 --must MUST [MUST ...]
8234 NAMEs or OIDs of all attributes an entry of the object must have
8235 --may MAY [MAY ...]
8238 NAMEs or OIDs of additional attributes an entry of the object
8239 may have
8240 --kind KIND
8243 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8244 --sup SUP [SUP ...]
8247 NAME or OIDs of object classes this object is derived from
8248
8251 usage: dsconf instance schema objectclasses remove [-h] name
8252 name NAME of the object
8255
8260 usage: dsconf instance schema matchingrules [-h] {list,query} ...
8261 Sub-commands
8264 dsconf schema matchingrules list
8265 List available matching rules on this system
8266 dsconf schema matchingrules query
8268 Query a matching rule
8269
8271 usage: dsconf instance schema matchingrules list [-h]
8272
8277 usage: dsconf instance schema matchingrules query [-h] [name]
8278 name Matching rule to query
8281
8286 usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
8287 -d SCHEMADIR, --schemadir SCHEMADIR
8291 directory where schema files are located
8292 --wait Wait for the reload task to complete
8295
8298 usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN
8299 DN Base DN that contains entries to validate
8302 -f FILTER, --filter FILTER
8305 Filter for entries to validate. If omitted, all entries with
8306 filter "(objectclass=*)" are validated
8307
8310 usage: dsconf instance schema import-openldap-file [-h] [--confirm]
8311 schema_file
8312 schema_file
8315 Path to the openldap dynamic schema ldif to import
8316 --confirm
8319 Confirm that you want to apply these schema migration actions to
8320 the 389-ds instance. By default no actions are taken.
8321
8325 usage: dsconf instance repl-conflict [-h]
8326 {list,compare,delete,swap,con‐
8327 vert,list-glue,delete-glue,convert-glue}
8328 ...
8329 Sub-commands
8332 dsconf repl-conflict list
8333 List conflict entries
8334 dsconf repl-conflict compare
8336 Compare the conflict entry with its valid counterpart
8337 dsconf repl-conflict delete
8339 Delete a conflict entry
8340 dsconf repl-conflict swap
8342 Replace the valid entry with the conflict entry
8343 dsconf repl-conflict convert
8345 Convert the conflict entry to a valid entry, while keeping the
8346 original valid entry counterpart. This requires that the con‐
8347 verted conflict entry have a new RDN value. For example:
8348 "cn=my_new_rdn_value".
8349 dsconf repl-conflict list-glue
8351 List replication glue entries
8352 dsconf repl-conflict delete-glue
8354 Delete the glue entry and its child entries
8355 dsconf repl-conflict convert-glue
8357 Convert the glue entry into a regular entry
8358
8360 usage: dsconf instance repl-conflict list [-h] suffix
8361 suffix Sets the backend name, or suffix, to look for conflict entries
8364
8368 usage: dsconf instance repl-conflict compare [-h] DN
8369 DN The DN of the conflict entry
8372
8376 usage: dsconf instance repl-conflict delete [-h] DN
8377 DN The DN of the conflict entry
8380
8384 usage: dsconf instance repl-conflict swap [-h] DN
8385 DN The DN of the conflict entry
8388
8392 usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
8393 DN The DN of the conflict entry
8396 --new-rdn NEW_RDN
8399 Sets the new RDN for the converted conflict entry. For example:
8400 "cn=my_new_rdn_value"
8401
8404 usage: dsconf instance repl-conflict list-glue [-h] suffix
8405 suffix The backend name, or suffix, to look for glue entries
8408
8412 usage: dsconf instance repl-conflict delete-glue [-h] DN
8413 DN The DN of the glue entry
8416
8420 usage: dsconf instance repl-conflict convert-glue [-h] DN
8421 DN The DN of the glue entry
8424 -v, --verbose
8429 Display verbose operation tracing during command execution
8430 -D BINDDN, --binddn BINDDN
8433 The account to bind as for executing operations
8434 -w BINDPW, --bindpw BINDPW
8437 Password for the bind DN
8438 -W, --prompt
8441 Prompt for password of the bind DN
8442 -y PWDFILE, --pwdfile PWDFILE
8445 Specifies a file containing the password of the bind DN
8446 -b BASEDN, --basedn BASEDN
8449 Base DN (root naming context) of the instance to manage
8450 -Z, --starttls
8453 Connect with StartTLS
8454 -j, --json
8457 Return result in JSON object
8458
8461 lib389 was written by Red Hat Inc., and William Brown <389-de‐
8462 vel@lists.fedoraproject.org>.
8463
8465 The latest version of lib389 may be downloaded from
8466 ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
8467 Manual dsconf(8)