1DSCONF(8) Generated Python Manual DSCONF(8)
2
3
4
6 dsconf
7
9 dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN]
10 [-Z] [-j] instance {backend,backup,chaining,config,directory_man‐
11 ager,monitor,plugin,pwpolicy,localpwp,replication,repl,repl-agmt,repl-
12 winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
13
14
16 dsconf backend
17 Manage database suffixes and backends
18
19 dsconf backup
20 Manage online backups
21
22 dsconf chaining
23 Manage database chaining and database links
24
25 dsconf config
26 Manage the server configuration
27
28 dsconf directory_manager
29 Manage the Directory Manager account
30
31 dsconf monitor
32 Monitor the state of the instance
33
34 dsconf plugin
35 Manage plug-ins available on the server
36
37 dsconf pwpolicy
38 Manage the global password policy settings
39
40 dsconf localpwp
41 Manage the local user and subtree password policies
42
43 dsconf replication
44 Manage replication for a suffix
45
46 dsconf repl-agmt
47 Manage replication agreements
48
49 dsconf repl-winsync-agmt
50 Manage Winsync agreements
51
52 dsconf repl-tasks
53 Manage replication tasks
54
55 dsconf sasl
56 Manage SASL mappings
57
58 dsconf security
59 Manage security settings
60
61 dsconf schema
62 Manage the directory schema
63
64 dsconf repl-conflict
65 Manage replication conflicts
66
67
69 usage: dsconf instance backend [-h]
70 {suffix,index,vlv-index,attr-en‐
71 crypt,config,monitor,import,export,create,delete,get-tree,compact-db}
72 ...
73
74
76 dsconf backend suffix
77 Manage backend suffixes
78
79 dsconf backend index
80 Manage backend indexes
81
82 dsconf backend vlv-index
83 Manage VLV searches and indexes
84
85 dsconf backend attr-encrypt
86 Manage encrypted attribute settings
87
88 dsconf backend config
89 Manage the global database configuration settings
90
91 dsconf backend monitor
92 Displays global database or suffix monitoring information
93
94 dsconf backend import
95 Online import of a suffix
96
97 dsconf backend export
98 Online export of a suffix
99
100 dsconf backend create
101 Create a backend database
102
103 dsconf backend delete
104 Delete a backend database
105
106 dsconf backend get-tree
107 Display the suffix tree
108
109 dsconf backend compact-db
110 Compact the database and the replication changelog
111
112
114 usage: dsconf instance backend suffix [-h]
115 {list,get,get-dn,get-sub-suf‐
116 fixes,set}
117 ...
118
119
121 dsconf backend suffix list
122 List active backends and suffixes
123
124 dsconf backend suffix get
125 Display the suffix entry
126
127 dsconf backend suffix get-dn
128 Display the DN of a backend
129
130 dsconf backend suffix get-sub-suffixes
131 Display sub-suffixes
132
133 dsconf backend suffix set
134 Set configuration settings for a specific backend
135
136
138 usage: dsconf instance backend suffix list [-h] [--suffix]
139 [--skip-subsuffixes]
140
141
143 --suffix
144 Displays the suffixes without backend name
145
146
147 --skip-subsuffixes
148 Displays the list of suffixes without sub-suffixes
149
150
152 usage: dsconf instance backend suffix get [-h] [selector]
153
154
155 selector
156 The backend database name to search for
157
158
160 usage: dsconf instance backend suffix get-dn [-h] [dn]
161
162
163 dn The DN to the database entry in cn=ldbm database,cn=plug‐
164 ins,cn=config
165
166
168 usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix]
169 be_name
170
171
172 be_name
173 The backend name or suffix
174
175
177 --suffix
178 Displays the list of suffixes without backend name
179
180
182 usage: dsconf instance backend suffix set [-h] [--enable-readonly]
183 [--disable-readonly]
184 [--enable-orphan] [--dis‐
185 able-orphan]
186 [--require-index] [--ig‐
187 nore-index]
188 [--add-referral ADD_REFERRAL]
189 [--del-referral DEL_REFERRAL]
190 [--enable] [--disable]
191 [--cache-size CACHE_SIZE]
192 [--cache-memsize CACHE_MEM‐
193 SIZE]
194 [--dncache-memsize
195 DNCACHE_MEMSIZE]
196 [--state STATE]
197 be_name
198
199
200 be_name
201 The backend name or suffix
202
203
205 --enable-readonly
206 Enables read-only mode for the backend database
207
208
209 --disable-readonly
210 Disables read-only mode for the backend database
211
212
213 --enable-orphan
214 Disconnect a subsuffix from its parent suffix.
215
216
217 --disable-orphan
218 Let the subsuffix be connected to its parent suffix.
219
220
221 --require-index
222 Allows only indexed searches
223
224
225 --ignore-index
226 Allows all searches even if they are unindexed
227
228
229 --add-referral ADD_REFERRAL
230 Adds an LDAP referral to the backend
231
232
233 --del-referral DEL_REFERRAL
234 Removes an LDAP referral from the backend
235
236
237 --enable
238 Enables the backend database
239
240
241 --disable
242 Disables the backend database
243
244
245 --cache-size CACHE_SIZE
246 Sets the maximum number of entries to keep in the entry cache
247
248
249 --cache-memsize CACHE_MEMSIZE
250 Sets the maximum size in bytes that the entry cache can grow to
251
252
253 --dncache-memsize DNCACHE_MEMSIZE
254 Sets the maximum size in bytes that the DN cache can grow to
255
256
257 --state STATE
258 Changes the backend state to: "database", "disabled", "refer‐
259 ral", or "referral on update"
260
261
263 usage: dsconf instance backend index [-h]
264 {add,set,get,list,delete,reindex}
265 ...
266
267
269 dsconf backend index add
270 Add an index
271
272 dsconf backend index set
273 Update an index
274
275 dsconf backend index get
276 Display an index entry
277
278 dsconf backend index list
279 Display the index
280
281 dsconf backend index delete
282 Delete an index
283
284 dsconf backend index reindex
285 Re-index the database for a single index or all indexes
286
287
289 usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
290 [--matching-rule MATCH‐
291 ING_RULE]
292 [--reindex] --attr ATTR
293 be_name
294
295
296 be_name
297 The backend name or suffix
298
299
301 --index-type INDEX_TYPE
302 Sets the indexing type (eq, sub, pres, or approx)
303
304
305 --matching-rule MATCHING_RULE
306 Sets the matching rule for the index
307
308
309 --reindex
310 Re-indexes the database after adding a new index
311
312
313 --attr ATTR
314 Sets the attribute name to index
315
316
318 usage: dsconf instance backend index set [-h] --attr ATTR
319 [--add-type ADD_TYPE]
320 [--del-type DEL_TYPE]
321 [--add-mr ADD_MR] [--del-mr
322 DEL_MR]
323 [--reindex]
324 be_name
325
326
327 be_name
328 The backend name or suffix
329
330
332 --attr ATTR
333 Sets the indexed attribute to update
334
335
336 --add-type ADD_TYPE
337 Adds an index type to the index (eq, sub, pres, or approx)
338
339
340 --del-type DEL_TYPE
341 Removes an index type from the index (eq, sub, pres, or approx)
342
343
344 --add-mr ADD_MR
345 Adds a matching-rule to the index
346
347
348 --del-mr DEL_MR
349 Removes a matching-rule from the index
350
351
352 --reindex
353 Re-indexes the database after editing the index
354
355
357 usage: dsconf instance backend index get [-h] --attr ATTR be_name
358
359
360 be_name
361 The backend name or suffix
362
363
365 --attr ATTR
366 Sets the index name to display
367
368
370 usage: dsconf instance backend index list [-h] [--just-names] be_name
371
372
373 be_name
374 The backend name or suffix
375
376
378 --just-names
379 Displays only the names of indexed attributes
380
381
383 usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
384
385
386 be_name
387 The backend name or suffix
388
389
391 --attr ATTR
392 Sets the name of the attribute to delete from the index
393
394
396 usage: dsconf instance backend index reindex [-h] [--attr ATTR]
397 [--wait]
398 be_name
399
400
401 be_name
402 The backend name or suffix
403
404
406 --attr ATTR
407 Sets the name of the attribute to re-index. Omit this argument
408 to re-index all attributes
409
410
411 --wait Waits for the index task to complete and reports the status
412
413
415 usage: dsconf instance backend vlv-index [-h]
416 {list,get,add-search,edit-search,del-search,add-in‐
417 dex,del-index,reindex}
418 ...
419
420
422 dsconf backend vlv-index list
423 List VLV search and index entries
424
425 dsconf backend vlv-index get
426 Display a VLV search and indexes
427
428 dsconf backend vlv-index add-search
429 Add a VLV search entry. The search entry is the parent entry of
430 the VLV index entries, and it specifies the search parameters
431 that are used to match entries for those indexes.
432
433 dsconf backend vlv-index edit-search
434 Update a VLV search and index
435
436 dsconf backend vlv-index del-search
437 Delete VLV search & index
438
439 dsconf backend vlv-index add-index
440 Create a VLV index under a VLV search entry (parent entry). The
441 VLV index specifies the attributes to sort
442
443 dsconf backend vlv-index del-index
444 Delete a VLV index under a VLV search entry (parent entry)
445
446 dsconf backend vlv-index reindex
447 Index/re-index the VLV database index
448
449
451 usage: dsconf instance backend vlv-index list [-h] [--just-names]
452 be_name
453
454
455 be_name
456 The backend name of the VLV index
457
458
460 --just-names
461 Displays only the names of VLV search entries
462
463
465 usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
466
467
468 be_name
469 The backend name of the VLV index
470
471
473 --name NAME
474 Displays the VLV search entry and its index entries
475
476
478 usage: dsconf instance backend vlv-index add-search [-h] --name NAME
479 --search-base
480 SEARCH_BASE
481 --search-scope
482 SEARCH_SCOPE
483 --search-filter
484 SEARCH_FILTER
485 be_name
486
487
488 be_name
489 The backend name of the VLV index
490
491
493 --name NAME
494 Sets the name of the VLV search entry
495
496
497 --search-base SEARCH_BASE
498 Sets the VLV search base
499
500
501 --search-scope SEARCH_SCOPE
502 Sets the VLV search scope: 0 (base search), 1 (one-level
503 search), or 2 (subtree search)
504
505
506 --search-filter SEARCH_FILTER
507 Sets the VLV search filter
508
509
511 usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
512 [--search-base
513 SEARCH_BASE]
514 [--search-scope
515 SEARCH_SCOPE]
516 [--search-filter
517 SEARCH_FILTER]
518 [--reindex]
519 be_name
520
521
522 be_name
523 The backend name of the VLV index to update
524
525
527 --name NAME
528 Sets the name of the VLV index
529
530
531 --search-base SEARCH_BASE
532 Sets the VLV search base
533
534
535 --search-scope SEARCH_SCOPE
536 Sets the VLV search scope: 0 (base search), 1 (one-level
537 search), or 2 (subtree search)
538
539
540 --search-filter SEARCH_FILTER
541 Sets the VLV search filter
542
543
544 --reindex
545 Re-indexes all VLV database indexes
546
547
549 usage: dsconf instance backend vlv-index del-search [-h] --name NAME
550 be_name
551
552
553 be_name
554 The backend name of the VLV index
555
556
558 --name NAME
559 Sets the name of the VLV search index
560
561
563 usage: dsconf instance backend vlv-index add-index [-h] --parent-name
564 PARENT_NAME --in‐
565 dex-name
566 INDEX_NAME --sort
567 SORT
568 [--index-it]
569 be_name
570
571
572 be_name
573 The backend name of the VLV index
574
575
577 --parent-name PARENT_NAME
578 Sets the name or "cn" attribute of the parent VLV search entry
579
580
581 --index-name INDEX_NAME
582 Sets the name of the new VLV index
583
584
585 --sort SORT
586 Sets a space-separated list of attributes to sort for this VLV
587 index
588
589
590 --index-it
591 Creates the database index for this VLV index definition
592
593
595 usage: dsconf instance backend vlv-index del-index [-h] --parent-name
596 PARENT_NAME
597 [--index-name IN‐
598 DEX_NAME]
599 [--sort SORT]
600 be_name
601
602
603 be_name
604 The backend name of the VLV index
605
606
608 --parent-name PARENT_NAME
609 Sets the name or "cn" attribute value of the parent VLV search
610 entry
611
612
613 --index-name INDEX_NAME
614 Sets the name of the VLV index to delete
615
616
617 --sort SORT
618 Delete a VLV index that has this vlvsort value
619
620
622 usage: dsconf instance backend vlv-index reindex [-h]
623 [--index-name IN‐
624 DEX_NAME]
625 --parent-name PAR‐
626 ENT_NAME
627 be_name
628
629
630 be_name
631 The backend name of the VLV index
632
633
635 --index-name INDEX_NAME
636 Sets the name of the VLV index entry to re-index. If not set,
637 all indexes are re-indexed
638
639
640 --parent-name PARENT_NAME
641 Sets the name or "cn" attribute value of the parent VLV search
642 entry
643
644
646 usage: dsconf instance backend attr-encrypt [-h] [--list]
647 [--just-names]
648 [--add-attr ADD_ATTR]
649 [--del-attr DEL_ATTR]
650 be_name
651
652
653 be_name
654 The backend name or suffix
655
656
658 --list Lists all encrypted attributes in the backend
659
660
661 --just-names
662 List only the names of the encrypted attributes when used with
663 --list
664
665
666 --add-attr ADD_ATTR
667 Enables encryption for the specified attribute
668
669
670 --del-attr DEL_ATTR
671 Disables encryption for the specified attribute
672
673
675 usage: dsconf instance backend config [-h] {get,set} ...
676
677
679 dsconf backend config get
680 Display the global database configuration
681
682 dsconf backend config set
683 Set the global database configuration
684
685
687 usage: dsconf instance backend config get [-h]
688
689
691 usage: dsconf instance backend config set [-h]
692 [--lookthroughlimit LOOK‐
693 THROUGHLIMIT]
694 [--mode MODE]
695 [--idlistscanlimit
696 IDLISTSCANLIMIT]
697 [--directory DIRECTORY]
698 [--dbcachesize DBCACHESIZE]
699 [--logdirectory LOGDIRECTORY]
700 [--txn-wait TXN_WAIT]
701 [--checkpoint-interval CHECK‐
702 POINT_INTERVAL]
703 [--compactdb-interval COM‐
704 PACTDB_INTERVAL]
705 [--compactdb-time COM‐
706 PACTDB_TIME]
707 [--txn-batch-val
708 TXN_BATCH_VAL]
709 [--txn-batch-min
710 TXN_BATCH_MIN]
711 [--txn-batch-max
712 TXN_BATCH_MAX]
713 [--logbufsize LOGBUFSIZE]
714 [--locks LOCKS]
715 [--locks-monitoring-enabled
716 LOCKS_MONITORING_ENABLED]
717 [--locks-monitoring-threshold
718 LOCKS_MONITORING_THRESHOLD]
719 [--locks-monitoring-pause
720 LOCKS_MONITORING_PAUSE]
721 [--import-cache-autosize IM‐
722 PORT_CACHE_AUTOSIZE]
723 [--cache-autosize CACHE_AUTO‐
724 SIZE]
725 [--cache-autosize-split
726 CACHE_AUTOSIZE_SPLIT]
727 [--import-cachesize IM‐
728 PORT_CACHESIZE]
729 [--exclude-from-export EX‐
730 CLUDE_FROM_EXPORT]
731 [--pagedlookthroughlimit
732 PAGEDLOOKTHROUGHLIMIT]
733 [--pagedidlistscanlimit PAGE‐
734 DIDLISTSCANLIMIT]
735 [--rangelookthroughlimit
736 RANGELOOKTHROUGHLIMIT]
737 [--backend-opt-level BACK‐
738 END_OPT_LEVEL]
739 [--deadlock-policy DEAD‐
740 LOCK_POLICY]
741 [--db-home-directory
742 DB_HOME_DIRECTORY]
743 [--db-lib DB_LIB]
744
745
747 --lookthroughlimit LOOKTHROUGHLIMIT
748 Specifies the maximum number of entries that the server will
749 check when examining candidate entries in response to a search
750 request
751
752
753 --mode MODE
754 Specifies the permissions used for newly created index files
755
756
757 --idlistscanlimit IDLISTSCANLIMIT
758 Specifies the number of entry IDs that are searched during a
759 search operation
760
761
762 --directory DIRECTORY
763 Specifies absolute path to database instance
764
765
766 --dbcachesize DBCACHESIZE
767 Specifies the database index cache size in bytes
768
769
770 --logdirectory LOGDIRECTORY
771 Specifies the path to the directory that contains the database
772 transaction logs
773
774
775 --txn-wait TXN_WAIT
776 Sets whether the server should wait if there are no db
777 locks available
778
779
780 --checkpoint-interval CHECKPOINT_INTERVAL
781 Sets the amount of time in seconds after which the server sends
782 a checkpoint entry to the database transaction log
783
784
785 --compactdb-interval COMPACTDB_INTERVAL
786 Sets the interval in seconds when the database is compacted
787
788
789 --compactdb-time COMPACTDB_TIME
790 Sets the time (HH:MM format) of day when to compact the database
791 after the "compactdb interval" has been reached
792
793
794 --txn-batch-val TXN_BATCH_VAL
795 Specifies how many transactions will be batched before being
796 committed
797
798
799 --txn-batch-min TXN_BATCH_MIN
800 Controls when transactions should be flushed earliest, indepen‐
801 dently of the batch count. Requires that txn-batch-val is set
802
803
804 --txn-batch-max TXN_BATCH_MAX
805 Controls when transactions should be flushed latest, indepen‐
806 dently of the batch count. Requires that txn-batch-val is set
807
808
809 --logbufsize LOGBUFSIZE
810 Specifies the transaction log information buffer size
811
812
813 --locks LOCKS
814 Sets the maximum number of database locks
815
816
817 --locks-monitoring-enabled LOCKS_MONITORING_ENABLED
818 Enables or disables monitoring of DB locks when the value
819 crosses the percentage set with "--locks-monitoring-threshold"
820
821
822 --locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD
823 Sets the DB lock exhaustion threshold in percentage (valid range
824 is 70-90). When the threshold is reached, all searches are
825 aborted until the number of active locks decreases below the
826 configured threshold and/or the administrator increases the num‐
827 ber of database locks (nsslapd-db-locks). This threshold is a
828 safeguard against DB corruption which might be caused by locks
829 exhaustion.
830
831
832 --locks-monitoring-pause LOCKS_MONITORING_PAUSE
833 Sets the DB lock monitoring value in milliseconds for the amount
834 of time that the monitoring thread spends waiting between
835 checks.
836
837
838 --import-cache-autosize IMPORT_CACHE_AUTOSIZE
839 Enables or disables automatic sizing of the import cache that is
840 used during the import process of LDIF files
841
842
843 --cache-autosize CACHE_AUTOSIZE
844 Sets the percentage of free memory that is used in total for the
845 database and entry cache. "0" disables this feature.
846
847
848 --cache-autosize-split CACHE_AUTOSIZE_SPLIT
849 Sets the percentage of RAM that is used for the database cache.
850 The remaining percentage is used for the entry cache
851
852
853 --import-cachesize IMPORT_CACHESIZE
854 Sets the size in bytes of the database cache used in the import
855 process.
856
857
858 --exclude-from-export EXCLUDE_FROM_EXPORT
859 List of attributes to not include during database export opera‐
860 tions
861
862
863 --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
864 Specifies the maximum number of entries that the server will
865 check when examining candidate entries for a search which uses
866 the simple paged results control
867
868
869 --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
870 Specifies the number of entry IDs that are searched, specifi‐
871 cally, for a search operation using the simple paged results
872 control.
873
874
875 --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
876 Specifies the maximum number of entries that the server will
877 check when examining candidate entries in response to a range
878 search request.
879
880
881 --backend-opt-level BACKEND_OPT_LEVEL
882 Sets the backend optimization level for write performance (0, 1,
883 2, or 4). WARNING: This parameter can trigger experimental
884 code.
885
886
887 --deadlock-policy DEADLOCK_POLICY
888 Adjusts the backend database deadlock policy (Advanced setting)
889
890
891 --db-home-directory DB_HOME_DIRECTORY
892 Sets the directory for the database mmapped files (Advanced set‐
893 ting)
894
895
896 --db-lib DB_LIB
897 Sets which db lib is used. Valid values are: bdb or mdb
898
899
901 usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
902
903
905 --suffix SUFFIX
906 Displays monitoring information only for the specified suffix
907
908
910 usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
911 [-g GEN_UNIQ_ID] [-O]
912 [-s INCLUDE_SUFFIXES [IN‐
913 CLUDE_SUFFIXES ...]]
914 [-x EXCLUDE_SUFFIXES [EX‐
915 CLUDE_SUFFIXES ...]]
916 [be_name] [ldifs ...]
917
918
919 be_name
920 The backend name or the root suffix
921
922
923 ldifs Specifies the filename of the input LDIF files. Multiple files
924 are imported in the specified order.
925
926
928 -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
929 The number of chunks to have during the import operation
930
931
932 -E, --encrypted
933 Encrypt attributes configured in the database for encryption
934
935
936 -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
937 Generate a unique id. Set "none" for no unique ID to be gener‐
938 ated and "deterministic" for the generated unique ID to be
939 name-based. By default, a time-based unique ID is generated.
940 When using the deterministic generation to have a name-based
941 unique ID, it is also possible to specify the namespace for the
942 server to use. namespaceId is a string of characters in the for‐
943 mat 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.
944
945
946 -O, --only-core
947 Creates only the core database attribute indexes
948
949
950 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
951 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
952 Specifies the suffixes or the subtrees to be included
953
954
955 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
956 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
957 Specifies the suffixes to be excluded
958
959
961 usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m]
962 [-N] [-r]
963 [-u] [-U]
964 [-s INCLUDE_SUFFIXES [IN‐
965 CLUDE_SUFFIXES ...]]
966 [-x EXCLUDE_SUFFIXES [EX‐
967 CLUDE_SUFFIXES ...]]
968 be_names [be_names ...]
969
970
971 be_names
972 The backend names or the root suffixes
973
974
976 -l LDIF, --ldif LDIF
977 Sets the filename of the output LDIF file. Separate multiple
978 file names with spaces.
979
980
981 -C, --use-id2entry
982 Uses only the main database file
983
984
985 -E, --encrypted
986 Decrypts encrypted data during export. This option is used only
987 if database encryption is enabled. The resulting LDIF file then holds the decrypted attribute values in cleartext.
988
989
990 -m, --min-base64
991 Sets minimal base-64 encoding
992
993
994 -N, --no-seq-num
995 Suppresses printing the sequence numbers
996
997
998 -r, --replication
999 Exports the data with information required to initialize a
1000 replica
1001
1002
1003 -u, --no-dump-uniq-id
1004 Omits exporting the unique ID
1005
1006
1007 -U, --not-folded
1008 Disables folding the output
1009
1010
1011 -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes IN‐
1012 CLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
1013 Specifies the suffixes or the subtrees to be included
1014
1015
1016 -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EX‐
1017 CLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
1018 Specifies the suffixes to be excluded
1019
1020
1022 usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUF‐
1023 FIX]
1024 --suffix SUFFIX --be-name BE_NAME
1025 [--create-entries] [--create-suf‐
1026 fix]
1027
1028
1030 --parent-suffix PARENT_SUFFIX
1031 Sets the parent suffix only if this backend is a sub-suffix
1032
1033
1034 --suffix SUFFIX
1035 Sets the database suffix DN
1036
1037
1038 --be-name BE_NAME
1039 Sets the database backend name
1040
1041
1042 --create-entries
1043 Adds sample entries to the database
1044
1045
1046 --create-suffix
1047 Creates the suffix object entry in the database. Only suffixes
1048 using the 'dc', 'o', 'ou', or 'cn' attributes are supported.
1049
1050
1052 usage: dsconf instance backend delete [-h] be_name
1053
1054
1055 be_name
1056 The backend name or suffix
1057
1058
1060 usage: dsconf instance backend get-tree [-h]
1061
1062
1064 usage: dsconf instance backend compact-db [-h] [--only-changelog]
1065
1066
1068 --only-changelog
1069 Compacts only the replication change log
1070
1071
1073 usage: dsconf instance backup [-h] {create,restore} ...
1074
1075
1077 dsconf backup create
1078 Creates a backup of the database
1079
1080 dsconf backup restore
1081 Restores a database from a backup
1082
1083
1085 usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]
1086
1087
1088 archive
1089 Sets the directory where to store the backup files. Format:
1090 instance_name-year_month_date_hour_minutes_seconds. Default:
1091 /var/lib/dirsrv/slapd-instance/bak/
1092
1093
1095 -t DB_TYPE, --db-type DB_TYPE
1096 Sets the database type. Default: ldbm database
1097
1098
1100 usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive
1101
1102
1103 archive
1104 Set the directory that contains the backup files
1105
1106
1108 -t DB_TYPE, --db-type DB_TYPE
1109 Sets the database type. Default: ldbm database
1110
1111
1113 usage: dsconf instance chaining [-h]
1114 {config-get,config-set,con‐
1115 fig-get-def,config-set-def,link-cre‐
1116 ate,link-get,link-set,link-delete,monitor,link-list}
1117 ...
1118
1119
1121 dsconf chaining config-get
1122 Display the chaining controls and server component lists
1123
1124 dsconf chaining config-set
1125 Set the chaining controls and server component lists
1126
1127 dsconf chaining config-get-def
1128 Display the default creation parameters for new database links
1129
1130 dsconf chaining config-set-def
1131 Set the default creation parameters for new database links
1132
1133 dsconf chaining link-create
1134 Create a database link to a remote server
1135
1136 dsconf chaining link-get
1137 Displays chaining database links
1138
1139 dsconf chaining link-set
1140 Edit a database link to a remote server
1141
1142 dsconf chaining link-delete
1143 Delete a database link
1144
1145 dsconf chaining monitor
1146 Display monitor information for a database chaining link
1147
1148 dsconf chaining link-list
1149 List database links
1150
1151
1153 usage: dsconf instance chaining config-get [-h] [--avail-controls]
1154 [--avail-comps]
1155
1156
1158 --avail-controls
1159 Lists available chaining controls
1160
1161
1162 --avail-comps
1163 Lists available chaining plugin components
1164
1165
1167 usage: dsconf instance chaining config-set [-h] [--add-control ADD_CON‐
1168 TROL]
1169 [--del-control DEL_CONTROL]
1170 [--add-comp ADD_COMP]
1171 [--del-comp DEL_COMP]
1172
1173
1175 --add-control ADD_CONTROL
1176 Adds a transmitted control OID
1177
1178
1179 --del-control DEL_CONTROL
1180 Deletes a transmitted control OID
1181
1182
1183 --add-comp ADD_COMP
1184 Adds a chaining component
1185
1186
1187 --del-comp DEL_COMP
1188 Deletes a chaining component
1189
1190
1192 usage: dsconf instance chaining config-get-def [-h]
1193
1194
1196 usage: dsconf instance chaining config-set-def [-h]
1197 [--conn-bind-limit
1198 CONN_BIND_LIMIT]
1199 [--conn-op-limit
1200 CONN_OP_LIMIT]
1201 [--abandon-check-inter‐
1202 val ABANDON_CHECK_INTERVAL]
1203 [--bind-limit
1204 BIND_LIMIT]
1205 [--op-limit OP_LIMIT]
1206 [--proxied-auth PROX‐
1207 IED_AUTH]
1208 [--conn-lifetime
1209 CONN_LIFETIME]
1210 [--bind-timeout
1211 BIND_TIMEOUT]
1212 [--return-ref RE‐
1213 TURN_REF]
1214 [--check-aci CHECK_ACI]
1215 [--bind-attempts
1216 BIND_ATTEMPTS]
1217 [--size-limit
1218 SIZE_LIMIT]
1219 [--time-limit
1220 TIME_LIMIT]
1221 [--hop-limit HOP_LIMIT]
1222 [--response-delay RE‐
1223 SPONSE_DELAY]
1224 [--test-response-delay
1225 TEST_RESPONSE_DELAY]
1226 [--use-starttls
1227 USE_STARTTLS]
1228
1229
1231 --conn-bind-limit CONN_BIND_LIMIT
1232 Sets the maximum number of BIND connections the database link
1233 establishes with the remote server
1234
1235
1236 --conn-op-limit CONN_OP_LIMIT
1237 Sets the maximum number of LDAP connections the database link
1238 establishes with the remote server
1239
1240
1241 --abandon-check-interval ABANDON_CHECK_INTERVAL
1242 Sets the number of seconds that pass before the server checks
1243 for abandoned operations
1244
1245
1246 --bind-limit BIND_LIMIT
1247 Sets the maximum number of concurrent bind operations per TCP
1248 connection
1249
1250
1251 --op-limit OP_LIMIT
1252 Sets the maximum number of concurrent operations allowed
1253
1254
1255 --proxied-auth PROXIED_AUTH
1256 Enables or disables proxied authorization. If set to "off", the
1257 server executes bind for chained operations as the user set in
1258 the nsMultiplexorBindDn attribute.
1259
1260
1261 --conn-lifetime CONN_LIFETIME
1262 Specifies connection lifetime in seconds. "0" keeps the connec‐
1263 tion open forever.
1264
1265
1266 --bind-timeout BIND_TIMEOUT
1267 Sets the amount of time in seconds before a bind attempt times
1268 out
1269
1270
1271 --return-ref RETURN_REF
1272 Enables or disables whether referrals are returned by scoped
1273 searches
1274
1275
1276 --check-aci CHECK_ACI
1277 Enables or disables whether the server evaluates ACIs on the
1278 database link as well as the remote data server
1279
1280
1281 --bind-attempts BIND_ATTEMPTS
1282 Sets the number of times the server tries to bind to the remote
1283 server
1284
1285
1286 --size-limit SIZE_LIMIT
1287 Sets the maximum number of entries to return from a search oper‐
1288 ation
1289
1290
1291 --time-limit TIME_LIMIT
1292 Sets the maximum number of seconds allowed for an operation
1293
1294
1295 --hop-limit HOP_LIMIT
1296 Sets the maximum number of times a database is allowed to chain.
1297 That is the number of times a request can be forwarded from one
1298 database link to another.
1299
1300
1301 --response-delay RESPONSE_DELAY
1302 Sets the maximum amount of time it can take a remote server to
1303 respond to an LDAP operation request made by a database link be‐
1304 fore an error is suspected
1305
1306
1307 --test-response-delay TEST_RESPONSE_DELAY
1308 Sets the duration of the test issued by the database link to
1309 check whether the remote server is responding
1310
1311
1312 --use-starttls USE_STARTTLS
1313 Configures database links to use StartTLS if set to "on"
1314
1315
1317 usage: dsconf instance chaining link-create [-h]
1318 [--conn-bind-limit
1319 CONN_BIND_LIMIT]
1320 [--conn-op-limit
1321 CONN_OP_LIMIT]
1322 [--abandon-check-interval
1323 ABANDON_CHECK_INTERVAL]
1324 [--bind-limit BIND_LIMIT]
1325 [--op-limit OP_LIMIT]
1326 [--proxied-auth PROX‐
1327 IED_AUTH]
1328 [--conn-lifetime CONN_LIFE‐
1329 TIME]
1330 [--bind-timeout BIND_TIME‐
1331 OUT]
1332 [--return-ref RETURN_REF]
1333 [--check-aci CHECK_ACI]
1334 [--bind-attempts BIND_AT‐
1335 TEMPTS]
1336 [--size-limit SIZE_LIMIT]
1337 [--time-limit TIME_LIMIT]
1338 [--hop-limit HOP_LIMIT]
1339 [--response-delay RE‐
1340 SPONSE_DELAY]
1341 [--test-response-delay
1342 TEST_RESPONSE_DELAY]
1343 [--use-starttls USE_START‐
1344 TLS]
1345 --suffix SUFFIX
1346 --server-url
1347 SERVER_URL --bind-mech
1348 BIND_MECH
1349 --bind-dn BIND_DN --bind-pw
1350 BIND_PW
1351 CHAIN_NAME
1352
1353
1354 CHAIN_NAME
1355 The name of the database link
1356
1357
1359 --conn-bind-limit CONN_BIND_LIMIT
1360 Sets the maximum number of BIND connections the database link
1361 establishes with the remote server
1362
1363
1364 --conn-op-limit CONN_OP_LIMIT
1365 Sets the maximum number of LDAP connections the database link
1366 establishes with the remote server
1367
1368
1369 --abandon-check-interval ABANDON_CHECK_INTERVAL
1370 Sets the number of seconds that pass before the server checks
1371 for abandoned operations
1372
1373
1374 --bind-limit BIND_LIMIT
1375 Sets the maximum number of concurrent bind operations per TCP
1376 connection
1377
1378
1379 --op-limit OP_LIMIT
1380 Sets the maximum number of concurrent operations allowed
1381
1382
1383 --proxied-auth PROXIED_AUTH
1384 Enables or disables proxied authorization. If set to "off", the
1385 server executes bind for chained operations as the user set in
1386 the nsMultiplexorBindDn attribute.
1387
1388
1389 --conn-lifetime CONN_LIFETIME
1390 Specifies connection lifetime in seconds. "0" keeps the connec‐
1391 tion open forever.
1392
1393
1394 --bind-timeout BIND_TIMEOUT
1395 Sets the amount of time in seconds before a bind attempt times
1396 out
1397
1398
1399 --return-ref RETURN_REF
1400 Enables or disables whether referrals are returned by scoped
1401 searches
1402
1403
1404 --check-aci CHECK_ACI
1405 Enables or disables whether the server evaluates ACIs on the
1406 database link as well as the remote data server
1407
1408
1409 --bind-attempts BIND_ATTEMPTS
1410 Sets the number of times the server tries to bind to the remote
1411 server
1412
1413
1414 --size-limit SIZE_LIMIT
1415 Sets the maximum number of entries to return from a search oper‐
1416 ation
1417
1418
1419 --time-limit TIME_LIMIT
1420 Sets the maximum number of seconds allowed for an operation
1421
1422
1423 --hop-limit HOP_LIMIT
1424 Sets the maximum number of times a database is allowed to chain.
1425 That is the number of times a request can be forwarded from one
1426 database link to another.
1427
1428
1429 --response-delay RESPONSE_DELAY
1430 Sets the maximum amount of time it can take a remote server to
1431 respond to an LDAP operation request made by a database link be‐
1432 fore an error is suspected
1433
1434
1435 --test-response-delay TEST_RESPONSE_DELAY
1436 Sets the duration of the test issued by the database link to
1437 check whether the remote server is responding
1438
1439
1440 --use-starttls USE_STARTTLS
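1441 Configures database links to use StartTLS if set to "on". With an ldap:// server URL and StartTLS off, the bind to the remote server, including a SIMPLE bind password, is sent unencrypted.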
1442
1443
1444 --suffix SUFFIX
1445 Sets the suffix managed by the database link
1446
1447
1448 --server-url SERVER_URL
1449 Sets the LDAP/LDAPS URL to the remote server
1450
1451
1452 --bind-mech BIND_MECH
1453 Sets the authentication method to use to authenticate to the re‐
1454 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1455 GEST-MD5", or "GSSAPI"
1456
1457
1458 --bind-dn BIND_DN
1459 Sets the DN of the administrative entry used to communicate with
1460 the remote server
1461
1462
1463 --bind-pw BIND_PW
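1464 Sets the password of the administrative user. A password given on the command line can be visible to other local users in the process list and may be kept in shell history.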
1465
1466
1468 usage: dsconf instance chaining link-get [-h] CHAIN_NAME
1469
1470
1471 CHAIN_NAME
1472 The chaining link name or suffix to retrieve
1473
1474
1476 usage: dsconf instance chaining link-set [-h]
1477 [--conn-bind-limit
1478 CONN_BIND_LIMIT]
1479 [--conn-op-limit
1480 CONN_OP_LIMIT]
1481 [--abandon-check-interval
1482 ABANDON_CHECK_INTERVAL]
1483 [--bind-limit BIND_LIMIT]
1484 [--op-limit OP_LIMIT]
1485 [--proxied-auth PROXIED_AUTH]
1486 [--conn-lifetime CONN_LIFE‐
1487 TIME]
1488 [--bind-timeout BIND_TIMEOUT]
1489 [--return-ref RETURN_REF]
1490 [--check-aci CHECK_ACI]
1491 [--bind-attempts BIND_AT‐
1492 TEMPTS]
1493 [--size-limit SIZE_LIMIT]
1494 [--time-limit TIME_LIMIT]
1495 [--hop-limit HOP_LIMIT]
1496 [--response-delay RESPONSE_DE‐
1497 LAY]
1498 [--test-response-delay
1499 TEST_RESPONSE_DELAY]
1500 [--use-starttls USE_STARTTLS]
1501 [--suffix SUFFIX]
1502 [--server-url SERVER_URL]
1503 [--bind-mech BIND_MECH]
1504 [--bind-dn BIND_DN]
1505 [--bind-pw BIND_PW]
1506 CHAIN_NAME
1507
1508
1509 CHAIN_NAME
1510 The name of the database link
1511
1512
1514 --conn-bind-limit CONN_BIND_LIMIT
1515 Sets the maximum number of BIND connections the database link
1516 establishes with the remote server
1517
1518
1519 --conn-op-limit CONN_OP_LIMIT
1520 Sets the maximum number of LDAP connections the database link
1521 establishes with the remote server
1522
1523
1524 --abandon-check-interval ABANDON_CHECK_INTERVAL
1525 Sets the number of seconds that pass before the server checks
1526 for abandoned operations
1527
1528
1529 --bind-limit BIND_LIMIT
1530 Sets the maximum number of concurrent bind operations per TCP
1531 connection
1532
1533
1534 --op-limit OP_LIMIT
1535 Sets the maximum number of concurrent operations allowed
1536
1537
1538 --proxied-auth PROXIED_AUTH
1539 Enables or disables proxied authorization. If set to "off", the
1540 server executes bind for chained operations as the user set in
1541 the nsMultiplexorBindDn attribute.
1542
1543
1544 --conn-lifetime CONN_LIFETIME
1545 Specifies connection lifetime in seconds. "0" keeps the connec‐
1546 tion open forever.
1547
1548
1549 --bind-timeout BIND_TIMEOUT
1550 Sets the amount of time in seconds before a bind attempt times
1551 out
1552
1553
1554 --return-ref RETURN_REF
1555 Enables or disables whether referrals are returned by scoped
1556 searches
1557
1558
1559 --check-aci CHECK_ACI
1560 Enables or disables whether the server evaluates ACIs on the
1561 database link as well as the remote data server
1562
1563
1564 --bind-attempts BIND_ATTEMPTS
1565 Sets the number of times the server tries to bind to the remote
1566 server
1567
1568
1569 --size-limit SIZE_LIMIT
1570 Sets the maximum number of entries to return from a search oper‐
1571 ation
1572
1573
1574 --time-limit TIME_LIMIT
1575 Sets the maximum number of seconds allowed for an operation
1576
1577
1578 --hop-limit HOP_LIMIT
1579 Sets the maximum number of times a database is allowed to chain.
1580 That is the number of times a request can be forwarded from one
1581 database link to another.
1582
1583
1584 --response-delay RESPONSE_DELAY
1585 Sets the maximum amount of time it can take a remote server to
1586 respond to an LDAP operation request made by a database link be‐
1587 fore an error is suspected
1588
1589
1590 --test-response-delay TEST_RESPONSE_DELAY
1591 Sets the duration of the test issued by the database link to
1592 check whether the remote server is responding
1593
1594
1595 --use-starttls USE_STARTTLS
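1596 Configures database links to use StartTLS if set to "on". With an ldap:// server URL and StartTLS off, the bind to the remote server, including a SIMPLE bind password, is sent unencrypted.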
1597
1598
1599 --suffix SUFFIX
1600 Sets the suffix managed by the database link
1601
1602
1603 --server-url SERVER_URL
1604 Sets the LDAP/LDAPS URL to the remote server
1605
1606
1607 --bind-mech BIND_MECH
1608 Sets the authentication method to use to authenticate to the re‐
1609 mote server. Valid values: "SIMPLE" (default), "EXTERNAL", "DI‐
1610 GEST-MD5", or "GSSAPI"
1611
1612
1613 --bind-dn BIND_DN
1614 Sets the DN of the administrative entry used to communicate with
1615 the remote server
1616
1617
1618 --bind-pw BIND_PW
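1619 Sets the password of the administrative user. A password given on the command line can be visible to other local users in the process list and may be kept in shell history.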
1620
1621
1623 usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
1624
1625
1626 CHAIN_NAME
1627 The name of the database link
1628
1629
1631 usage: dsconf instance chaining monitor [-h] CHAIN_NAME
1632
1633
1634 CHAIN_NAME
1635 The name of the database link
1636
1637
1639 usage: dsconf instance chaining link-list [-h]
1640
1641
1643 usage: dsconf instance config [-h] {get,add,replace,delete} ...
1644
1645
1647 dsconf config get
1648 Get attribute value(s) from configuration
1649
1650 dsconf config add
1651 Add attribute value to configuration
1652
1653 dsconf config replace
1654 Replace attribute value in configuration
1655
1656 dsconf config delete
1657 Delete attribute value in configuration
1658
1659
1661 usage: dsconf instance config get [-h] [attrs ...]
1662
1663
1664 attrs Configuration attribute(s) to get
1665
1666
1668 usage: dsconf instance config add [-h] [attr ...]
1669
1670
1671 attr Configuration attribute to add
1672
1673
1675 usage: dsconf instance config replace [-h] [attr ...]
1676
1677
1678 attr Configuration attribute to replace
1679
1680
1682 usage: dsconf instance config delete [-h] [attr ...]
1683
1684
1685 attr Configuration attribute to delete
1686
1687
1689 usage: dsconf instance directory_manager [-h] {password_change} ...
1690
1691
1693 dsconf directory_manager password_change
1694 Changes the password of the Directory Manager account
1695
1696
1698 usage: dsconf instance directory_manager password_change [-h]
1699
1700
1702 usage: dsconf instance monitor [-h]
1703 {server,dbmon,ldbm,backend,snmp,chain‐
1704 ing,disk}
1705 ...
1706
1707
1709 dsconf monitor server
1710 Displays the server statistics, connections, and operations
1711
1712 dsconf monitor dbmon
1713 Monitor all database statistics in a single report
1714
1715 dsconf monitor ldbm
1716 Monitor the LDBM statistics, such as dbcache
1717
1718 dsconf monitor backend
1719 Monitor the behavior of a backend database
1720
1721 dsconf monitor snmp
1722 Displays the SNMP statistics
1723
1724 dsconf monitor chaining
1725 Monitor database chaining statistics
1726
1727 dsconf monitor disk
1728 Displays the disk space statistics. All values are in bytes.
1729
1730
1732 usage: dsconf instance monitor server [-h]
1733
1734
1736 usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
1737
1738
1740 -b BACKENDS, --backends BACKENDS
1741 Specifies a list of space-separated backends to monitor. Default
1742 is all backends.
1743
1744
1745 -x, --indexes
1746 Shows index stats for each backend
1747
1748
1750 usage: dsconf instance monitor ldbm [-h]
1751
1752
1754 usage: dsconf instance monitor backend [-h] [backend]
1755
1756
1757 backend
1758 The optional name of the backend to monitor
1759
1760
1762 usage: dsconf instance monitor snmp [-h]
1763
1764
1766 usage: dsconf instance monitor chaining [-h] [backend]
1767
1768
1769 backend
1770 The optional name of the chaining backend to monitor
1771
1772
1774 usage: dsconf instance monitor disk [-h]
1775
1776
1778 usage: dsconf instance plugin [-h]
1779 {memberof,automember,referential-integ‐
1780 rity,root-dn,usn,account-pol‐
1781 icy,attr-uniq,dna,ldap-pass-through-auth,linked-attr,managed-en‐
1782 tries,pam-pass-through-auth,retro-changelog,posix-winsync,con‐
1783 tentsync,entryuuid,list,show,set}
1784 ...
1785
1786
1788 dsconf plugin memberof
1789 Manage and configure MemberOf plugin
1790
1791 dsconf plugin automember
1792 Manage and configure Automembership plugin
1793
1794 dsconf plugin referential-integrity
1795 Manage and configure Referential Integrity Postoperation plugin
1796
1797 dsconf plugin root-dn
1798 Manage and configure RootDN Access Control plugin
1799
1800 dsconf plugin usn
1801 Manage and configure USN plugin
1802
1803 dsconf plugin account-policy
1804 Manage and configure Account Policy plugin
1805
1806 dsconf plugin attr-uniq
1807 Manage and configure Attribute Uniqueness plugin
1808
1809 dsconf plugin dna
1810 Manage and configure DNA plugin
1811
1812 dsconf plugin ldap-pass-through-auth
1813 Manage and configure LDAP Pass-Through Authentication Plugin
1814
1815 dsconf plugin linked-attr
1816 Manage and configure Linked Attributes plugin
1817
1818 dsconf plugin managed-entries
1819 Manage and configure Managed Entries Plugin
1820
1821 dsconf plugin pam-pass-through-auth
1822 Manage and configure Pass-Through Authentication plugins (LDAP
1823 URLs and PAM)
1824
1825 dsconf plugin retro-changelog
1826 Manage and configure Retro Changelog plugin
1827
1828 dsconf plugin posix-winsync
1829 Manage and configure the Posix Winsync API plugin
1830
1831 dsconf plugin contentsync
1832 Manage and configure Content Sync Plugin (aka syncrepl)
1833
1834 dsconf plugin entryuuid
1835 Manage and configure EntryUUID plugin
1836
1837 dsconf plugin list
1838 List current configured (enabled and disabled) plugins
1839
1840 dsconf plugin show
1841 Show the plugin data
1842
1843 dsconf plugin set
1844 Edit the plugin settings
1845
1846
1848 usage: dsconf instance plugin memberof [-h]
1849 {show,enable,disable,sta‐
1850 tus,set,config-entry,fixup,fixup-status}
1851 ...
1852
1853
1855 dsconf plugin memberof show
1856 Displays the plugin configuration
1857
1858 dsconf plugin memberof enable
1859 Enables the plugin
1860
1861 dsconf plugin memberof disable
1862 Disables the plugin
1863
1864 dsconf plugin memberof status
1865 Displays the plugin status
1866
1867 dsconf plugin memberof set
1868 Edit the plugin settings
1869
1870 dsconf plugin memberof config-entry
1871 Manage the config entry
1872
1873 dsconf plugin memberof fixup
1874 Run the fix-up task for memberOf plugin
1875
1876 dsconf plugin memberof fixup-status
1877 Check the status of a fix-up task
1878
1879
1881 usage: dsconf instance plugin memberof show [-h]
1882
1883
1885 usage: dsconf instance plugin memberof enable [-h]
1886
1887
1889 usage: dsconf instance plugin memberof disable [-h]
1890
1891
1893 usage: dsconf instance plugin memberof status [-h]
1894
1895
1897 usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
1898 [--groupattr GROUPATTR
1899 [GROUPATTR ...]]
1900 [--allbackends {on,off}]
1901 [--skipnested {on,off}]
1902 [--scope SCOPE [SCOPE ...]]
1903 [--exclude EXCLUDE [EXCLUDE
1904 ...]]
1905 [--autoaddoc AUTOADDOC]
1906 [--config-entry CONFIG_EN‐
1907 TRY]
1908
1909
1911 --attr ATTR
1912 Specifies the attribute in the user entry for the Directory
1913 Server to manage to reflect group membership (memberOfAttr)
1914
1915
1916 --groupattr GROUPATTR [GROUPATTR ...]
1917 Specifies the attribute in the group entry to use to identify
1918 the DNs of group members (memberOfGroupAttr)
1919
1920
1921 --allbackends {on,off}
1922 Specifies whether to search the local suffix for user entries or
1923 all available suffixes (memberOfAllBackends)
1924
1925
1926 --skipnested {on,off}
1927 Specifies whether to skip nested groups or not (memberOfSkip‐
1928 Nested)
1929
1930
1931 --scope SCOPE [SCOPE ...]
1932 Specifies backends or multiple-nested suffixes for the MemberOf
1933 plug-in to work on (memberOfEntryScope)
1934
1935
1936 --exclude EXCLUDE [EXCLUDE ...]
1937 Specifies backends or multiple-nested suffixes for the MemberOf
1938 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
1939
1940
1941 --autoaddoc AUTOADDOC
1942 If an entry does not have an object class that allows the mem‐
1943 berOf attribute then the memberOf plugin will automatically add
1944 the object class listed in the memberOfAutoAddOC parameter
1945
1946
1947 --config-entry CONFIG_ENTRY
1948 The value to set as nsslapd-pluginConfigArea
1949
1950
1952 usage: dsconf instance plugin memberof config-entry [-h]
1953 {add,set,show,delete}
1954 ...
1955
1956
1958 dsconf plugin memberof config-entry add
1959 Add the config entry
1960
1961 dsconf plugin memberof config-entry set
1962 Edit the config entry
1963
1964 dsconf plugin memberof config-entry show
1965 Display the config entry
1966
1967 dsconf plugin memberof config-entry delete
1968 Delete the config entry
1969
1970
1972 usage: dsconf instance plugin memberof config-entry add [-h] [--attr
1973 ATTR]
1974 [--groupattr
1975 GROUPATTR [GROUPATTR ...]]
1976 [--allbackends
1977 {on,off}]
1978 [--skipnested
1979 {on,off}]
1980 [--scope SCOPE
1981 [SCOPE ...]]
1982 [--exclude EX‐
1983 CLUDE [EXCLUDE ...]]
1984 [--autoaddoc
1985 AUTOADDOC]
1986 DN
1987
1988
1989 DN The config entry full DN
1990
1991
1993 --attr ATTR
1994 Specifies the attribute in the user entry for the Directory
1995 Server to manage to reflect group membership (memberOfAttr)
1996
1997
1998 --groupattr GROUPATTR [GROUPATTR ...]
1999 Specifies the attribute in the group entry to use to identify
2000 the DNs of group members (memberOfGroupAttr)
2001
2002
2003 --allbackends {on,off}
2004 Specifies whether to search the local suffix for user entries or
2005 all available suffixes (memberOfAllBackends)
2006
2007
2008 --skipnested {on,off}
2009 Specifies whether to skip nested groups or not (memberOfSkip‐
2010 Nested)
2011
2012
2013 --scope SCOPE [SCOPE ...]
2014 Specifies backends or multiple-nested suffixes for the MemberOf
2015 plug-in to work on (memberOfEntryScope)
2016
2017
2018 --exclude EXCLUDE [EXCLUDE ...]
2019 Specifies backends or multiple-nested suffixes for the MemberOf
2020 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2021
2022
2023 --autoaddoc AUTOADDOC
2024 If an entry does not have an object class that allows the mem‐
2025 berOf attribute then the memberOf plugin will automatically add
2026 the object class listed in the memberOfAutoAddOC parameter
2027
2028
2030 usage: dsconf instance plugin memberof config-entry set [-h] [--attr
2031 ATTR]
2032 [--groupattr
2033 GROUPATTR [GROUPATTR ...]]
2034 [--allbackends
2035 {on,off}]
2036 [--skipnested
2037 {on,off}]
2038 [--scope SCOPE
2039 [SCOPE ...]]
2040 [--exclude EX‐
2041 CLUDE [EXCLUDE ...]]
2042 [--autoaddoc
2043 AUTOADDOC]
2044 DN
2045
2046
2047 DN The config entry full DN
2048
2049
2051 --attr ATTR
2052 Specifies the attribute in the user entry for the Directory
2053 Server to manage to reflect group membership (memberOfAttr)
2054
2055
2056 --groupattr GROUPATTR [GROUPATTR ...]
2057 Specifies the attribute in the group entry to use to identify
2058 the DNs of group members (memberOfGroupAttr)
2059
2060
2061 --allbackends {on,off}
2062 Specifies whether to search the local suffix for user entries or
2063 all available suffixes (memberOfAllBackends)
2064
2065
2066 --skipnested {on,off}
2067 Specifies whether to skip nested groups or not (memberOfSkip‐
2068 Nested)
2069
2070
2071 --scope SCOPE [SCOPE ...]
2072 Specifies backends or multiple-nested suffixes for the MemberOf
2073 plug-in to work on (memberOfEntryScope)
2074
2075
2076 --exclude EXCLUDE [EXCLUDE ...]
2077 Specifies backends or multiple-nested suffixes for the MemberOf
2078 plug-in to exclude (memberOfEntryScopeExcludeSubtree)
2079
2080
2081 --autoaddoc AUTOADDOC
2082 If an entry does not have an object class that allows the mem‐
2083 berOf attribute then the memberOf plugin will automatically add
2084 the object class listed in the memberOfAutoAddOC parameter
2085
2086
2088 usage: dsconf instance plugin memberof config-entry show [-h] DN
2089
2090
2091 DN The config entry full DN
2092
2093
2095 usage: dsconf instance plugin memberof config-entry delete [-h] DN
2096
2097
2098 DN The config entry full DN
2099
2100
2102 usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] [--wait]
2103 DN
2104
2105
2106 DN Base DN that contains entries to fix up
2107
2108
2110 -f FILTER, --filter FILTER
2111 Filter for entries to fix up. If omitted, all entries with ob‐
2112 jectclass inetuser/inetadmin/nsmemberof under the specified base
2113 will have their memberOf attribute regenerated.
2114
2115
2116 --wait Wait for the task to finish; this could take a long time
2117
2118
2120 usage: dsconf instance plugin memberof fixup-status [-h] [--dn DN]
2121 [--show-log]
2122 [--watch]
2123
2124
2126 --dn DN
2127 The task entry's DN
2128
2129
2130 --show-log
2131 Display the task log
2132
2133
2134 --watch
2135 Watch the task's status and wait for it to finish
2136
2137
2139 usage: dsconf instance plugin automember [-h]
2140 {show,enable,disable,sta‐
2141 tus,list,definition,fixup,fixup-status,abort-fixup}
2142 ...
2143
2144
2146 dsconf plugin automember show
2147 Displays the plugin configuration
2148
2149 dsconf plugin automember enable
2150 Enables the plugin
2151
2152 dsconf plugin automember disable
2153 Disables the plugin
2154
2155 dsconf plugin automember status
2156 Displays the plugin status
2157
2158 dsconf plugin automember list
2159 List Automembership definitions or regex rules.
2160
2161 dsconf plugin automember definition
2162 Manage Automembership definition.
2163
2164 dsconf plugin automember fixup
2165 Run a rebuild membership task.
2166
2167 dsconf plugin automember fixup-status
2168 Check the status of a fix-up task
2169
2170 dsconf plugin automember abort-fixup
2171 Abort the rebuild membership task.
2172
2173
2175 usage: dsconf instance plugin automember show [-h]
2176
2177
2179 usage: dsconf instance plugin automember enable [-h]
2180
2181
2183 usage: dsconf instance plugin automember disable [-h]
2184
2185
2187 usage: dsconf instance plugin automember status [-h]
2188
2189
2191 usage: dsconf instance plugin automember list [-h] {defini‐
2192 tions,regexes} ...
2193
2194
2196 dsconf plugin automember list definitions
2197 Lists Automembership definitions.
2198
2199 dsconf plugin automember list regexes
2200 List Automembership regex rules.
2201
2202
2204 usage: dsconf instance plugin automember list definitions [-h]
2205
2206
2208 usage: dsconf instance plugin automember list regexes [-h] DEFNAME
2209
2210
2211 DEFNAME
2212 The definition entry CN
2213
2214
2216 usage: dsconf instance plugin automember definition [-h]
2217 DEFNAME
2218 {add,set,delete,show,regex}
2219 ...
2220
2221
2223 dsconf plugin automember definition add
2224 Creates Automembership definition.
2225
2226 dsconf plugin automember definition set
2227 Edits Automembership definition.
2228
2229 dsconf plugin automember definition delete
2230 Removes Automembership definition.
2231
2232 dsconf plugin automember definition show
2233 Displays Automembership definition.
2234
2235 dsconf plugin automember definition regex
2236 Manage Automembership regex rules.
2237
2238
2240 usage: dsconf instance plugin automember definition DEFNAME add
2241 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2242 FAULT_GROUP]
2243 --scope SCOPE --filter FILTER
2244
2245
2247 --grouping-attr GROUPING_ATTR
2248 Specifies the name of the member attribute in the group entry
2249 and the attribute in the object entry that supplies the member
2250 attribute value, in the format group_member_attr:entry_attr (au‐
2251 toMemberGroupingAttr)
2252
2253
2254 --default-group DEFAULT_GROUP
2255 Sets default or fallback group to add the entry to as a member
2256 attribute in group entry (autoMemberDefaultGroup)
2257
2258
2259 --scope SCOPE
2260 Sets the subtree DN to search for entries (autoMemberScope)
2261
2262
2263 --filter FILTER
2264 Sets a standard LDAP search filter to use to search for matching
2265 entries (autoMemberFilter)
2266
2267
2269 usage: dsconf instance plugin automember definition DEFNAME set
2270 [-h] --grouping-attr GROUPING_ATTR [--default-group DE‐
2271 FAULT_GROUP]
2272 --scope SCOPE --filter FILTER
2273
2274
2276 --grouping-attr GROUPING_ATTR
2277 Specifies the name of the member attribute in the group entry
2278 and the attribute in the object entry that supplies the member
2279 attribute value, in the format group_member_attr:entry_attr (au‐
2280 toMemberGroupingAttr)
2281
2282
2283 --default-group DEFAULT_GROUP
2284 Sets default or fallback group to add the entry to as a member
2285 attribute in group entry (autoMemberDefaultGroup)
2286
2287
2288 --scope SCOPE
2289 Sets the subtree DN to search for entries (autoMemberScope)
2290
2291
2292 --filter FILTER
2293 Sets a standard LDAP search filter to use to search for matching
2294 entries (autoMemberFilter)
2295
2296
2298 usage: dsconf instance plugin automember definition DEFNAME delete [-h]
2299
2300
2302 usage: dsconf instance plugin automember definition DEFNAME show [-h]
2303
2304
2306 usage: dsconf instance plugin automember definition DEFNAME regex
2307 [-h] REGEXNAME {add,set,delete,show} ...
2308
2309
2311 dsconf plugin automember definition regex add
2312 Creates Automembership regex.
2313
2314 dsconf plugin automember definition regex set
2315 Edits Automembership regex.
2316
2317 dsconf plugin automember definition regex delete
2318 Removes Automembership regex.
2319
2320 dsconf plugin automember definition regex show
2321 Displays Automembership regex.
2322
2323
2325 usage: dsconf instance plugin automember definition DEFNAME regex
2326 REGEXNAME add
2327 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2328 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2329 GET_GROUP
2330
2331
2333 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2334 Sets a single regular expression to use to identify entries to
2335 exclude (autoMemberExclusiveRegex)
2336
2337
2338 --inclusive INCLUSIVE [INCLUSIVE ...]
2339 Sets a single regular expression to use to identify entries to
2340 include (autoMemberInclusiveRegex)
2341
2342
2343 --target-group TARGET_GROUP
2344 Sets which group to add the entry to as a member, if it meets
2345 the regular expression conditions (autoMemberTargetGroup)
2346
2347
2349 usage: dsconf instance plugin automember definition DEFNAME regex
2350 REGEXNAME set
2351 [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
2352 [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TAR‐
2353 GET_GROUP
2354
2355
2357 --exclusive EXCLUSIVE [EXCLUSIVE ...]
2358 Sets a single regular expression to use to identify entries to
2359 exclude (autoMemberExclusiveRegex)
2360
2361
2362 --inclusive INCLUSIVE [INCLUSIVE ...]
2363 Sets a single regular expression to use to identify entries to
2364 include (autoMemberInclusiveRegex)
2365
2366
2367 --target-group TARGET_GROUP
2368 Sets which group to add the entry to as a member, if it meets
2369 the regular expression conditions (autoMemberTargetGroup)
2370
2371
2373 usage: dsconf instance plugin automember definition DEFNAME regex
2374 REGEXNAME delete
2375 [-h]
2376
2377
2379 usage: dsconf instance plugin automember definition DEFNAME regex
2380 REGEXNAME show
2381 [-h]
2382
2383
2385 usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
2386 {sub,base,one} [--wait]
2387 DN
2388
2389
2390 DN Base DN that contains entries to fix up
2391
2392
2394 -f FILTER, --filter FILTER
2395 Sets the LDAP filter for entries to fix up
2396
2397
2398 -s {sub,base,one}, --scope {sub,base,one}
2399 Sets the LDAP search scope for entries to fix up
2400
2401
2402 --wait Wait for the task to finish; this could take a long time
2403
2404
2406 usage: dsconf instance plugin automember fixup-status [-h] [--dn DN]
2407 [--show-log]
2408 [--watch]
2409
2410
2412 --dn DN
2413 The task entry's DN
2414
2415
2416 --show-log
2417 Display the task log
2418
2419
2420 --watch
2421 Watch the task's status and wait for it to finish
2422
2423
2425 usage: dsconf instance plugin automember abort-fixup [-h]
2426
2427
2429 usage: dsconf instance plugin referential-integrity [-h]
2430 {show,enable,dis‐
2431 able,status,set,config-entry}
2432 ...
2433
2434
2436 dsconf plugin referential-integrity show
2437 Displays the plugin configuration
2438
2439 dsconf plugin referential-integrity enable
2440 Enables the plugin
2441
2442 dsconf plugin referential-integrity disable
2443 Disables the plugin
2444
2445 dsconf plugin referential-integrity status
2446 Displays the plugin status
2447
2448 dsconf plugin referential-integrity set
2449 Edit the plugin settings
2450
2451 dsconf plugin referential-integrity config-entry
2452 Manage the config entry
2453
2454
2456 usage: dsconf instance plugin referential-integrity show [-h]
2457
2458
2460 usage: dsconf instance plugin referential-integrity enable [-h]
2461
2462
2464 usage: dsconf instance plugin referential-integrity disable [-h]
2465
2466
2468 usage: dsconf instance plugin referential-integrity status [-h]
2469
2470
2472 usage: dsconf instance plugin referential-integrity set [-h]
2473 [--update-delay
2474 UPDATE_DELAY]
2475 [--member‐
2476 ship-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2477 [--entry-scope
2478 ENTRY_SCOPE]
2479 [--exclude-en‐
2480 try-scope EXCLUDE_ENTRY_SCOPE]
2481 [--con‐
2482 tainer-scope CONTAINER_SCOPE]
2483 [--log-file
2484 LOG_FILE]
2485 [--config-entry
2486 CONFIG_ENTRY]
2487
2488
2490 --update-delay UPDATE_DELAY
2491 Sets the update interval. Special values: 0 - The check is per‐
2492 formed immediately, -1 - No check is performed (referint-up‐
2493 date-delay)
2494
2495
2496 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2497 Specifies attributes to check for and update (referint-member‐
2498 ship-attr)
2499
2500
2501 --entry-scope ENTRY_SCOPE
2502 Defines the subtree in which the plug-in looks for the delete or
2503 rename operations of a user entry (nsslapd-pluginEntryScope)
2504
2505
2506 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2507 Defines the subtree in which the plug-in ignores any operations
2508 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2509 tryScope)
2510
2511
2512 --container-scope CONTAINER_SCOPE
2513 Specifies which branch the plug-in searches for the groups to
2514 which the user belongs. It only updates groups that are under
2515 the specified container branch, and leaves all other groups not
2516 updated (nsslapd-pluginContainerScope)
2517
2518
2519 --log-file LOG_FILE
2520 Specifies a path to the Referential integrity logfile. For exam‐
2521 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2522
2523
2524 --config-entry CONFIG_ENTRY
2525 The value to set as nsslapd-pluginConfigArea
2526
2527
2529 usage: dsconf instance plugin referential-integrity config-entry
2530 [-h] {add,set,show,delete} ...
2531
2532
2534 dsconf plugin referential-integrity config-entry add
2535 Add the config entry
2536
2537 dsconf plugin referential-integrity config-entry set
2538 Edit the config entry
2539
2540 dsconf plugin referential-integrity config-entry show
2541 Display the config entry
2542
2543 dsconf plugin referential-integrity config-entry delete
2544 Delete the config entry
2545
2546
2548 usage: dsconf instance plugin referential-integrity config-entry add
2549 [-h] [--update-delay UPDATE_DELAY]
2550 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2551 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2552 TRY_SCOPE]
2553 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2554 DN
2555
2556
2557 DN The config entry full DN
2558
2559
2561 --update-delay UPDATE_DELAY
2562 Sets the update interval. Special values: 0 - The check is per‐
2563 formed immediately, -1 - No check is performed (referint-up‐
2564 date-delay)
2565
2566
2567 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2568 Specifies attributes to check for and update (referint-member‐
2569 ship-attr)
2570
2571
2572 --entry-scope ENTRY_SCOPE
2573 Defines the subtree in which the plug-in looks for the delete or
2574 rename operations of a user entry (nsslapd-pluginEntryScope)
2575
2576
2577 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2578 Defines the subtree in which the plug-in ignores any operations
2579 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2580 tryScope)
2581
2582
2583 --container-scope CONTAINER_SCOPE
2584 Specifies which branch the plug-in searches for the groups to
2585 which the user belongs. It only updates groups that are under
2586 the specified container branch, and leaves all other groups not
2587 updated (nsslapd-pluginContainerScope)
2588
2589
2590 --log-file LOG_FILE
2591 Specifies a path to the Referential integrity logfile. For exam‐
2592 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2593
2594
2596 usage: dsconf instance plugin referential-integrity config-entry set
2597 [-h] [--update-delay UPDATE_DELAY]
2598 [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
2599 [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_EN‐
2600 TRY_SCOPE]
2601 [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
2602 DN
2603
2604
2605 DN The config entry full DN
2606
2607
2609 --update-delay UPDATE_DELAY
2610 Sets the update interval. Special values: 0 - The check is per‐
2611 formed immediately, -1 - No check is performed (referint-up‐
2612 date-delay)
2613
2614
2615 --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
2616 Specifies attributes to check for and update (referint-member‐
2617 ship-attr)
2618
2619
2620 --entry-scope ENTRY_SCOPE
2621 Defines the subtree in which the plug-in looks for the delete or
2622 rename operations of a user entry (nsslapd-pluginEntryScope)
2623
2624
2625 --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
2626 Defines the subtree in which the plug-in ignores any operations
2627 for deleting or renaming a user (nsslapd-pluginExcludeEn‐
2628 tryScope)
2629
2630
2631 --container-scope CONTAINER_SCOPE
2632 Specifies which branch the plug-in searches for the groups to
2633 which the user belongs. It only updates groups that are under
2634 the specified container branch, and leaves all other groups not
2635 updated (nsslapd-pluginContainerScope)
2636
2637
2638 --log-file LOG_FILE
2639 Specifies a path to the Referential integrity logfile. For exam‐
2640 ple: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
2641
2642
2644 usage: dsconf instance plugin referential-integrity config-entry show
2645 [-h] DN
2646
2647
2648 DN The config entry full DN
2649
2650
2652 usage: dsconf instance plugin referential-integrity config-entry delete
2653 [-h] DN
2654
2655
2656 DN The config entry full DN
2657
2658
2660 usage: dsconf instance plugin root-dn [-h]
2661 {show,enable,disable,status,set}
2662 ...
2663
2664
2666 dsconf plugin root-dn show
2667 Displays the plugin configuration
2668
2669 dsconf plugin root-dn enable
2670 Enables the plugin
2671
2672 dsconf plugin root-dn disable
2673 Disables the plugin
2674
2675 dsconf plugin root-dn status
2676 Displays the plugin status
2677
2678 dsconf plugin root-dn set
2679 Edit the plugin settings
2680
2681
2683 usage: dsconf instance plugin root-dn show [-h]
2684
2685
2687 usage: dsconf instance plugin root-dn enable [-h]
2688
2689
2691 usage: dsconf instance plugin root-dn disable [-h]
2692
2693
2695 usage: dsconf instance plugin root-dn status [-h]
2696
2697
2699 usage: dsconf instance plugin root-dn set [-h]
2700 [--allow-host ALLOW_HOST [AL‐
2701 LOW_HOST ...]]
2702 [--deny-host DENY_HOST
2703 [DENY_HOST ...]]
2704 [--allow-ip ALLOW_IP [AL‐
2705 LOW_IP ...]]
2706 [--deny-ip DENY_IP [DENY_IP
2707 ...]]
2708 [--open-time OPEN_TIME]
2709 [--close-time CLOSE_TIME]
2710 [--days-allowed DAYS_ALLOWED]
2711
2712
2714 --allow-host ALLOW_HOST [ALLOW_HOST ...]
2715 Sets what hosts, by fully-qualified domain name, the root user
2716 is allowed to use to access Directory Server. Any hosts not
2717 listed are implicitly denied (rootdn-allow-host)
2718
2719
2720 --deny-host DENY_HOST [DENY_HOST ...]
2721 Sets what hosts, by fully-qualified domain name, the root user
2722 is not allowed to use to access Directory Server. Any hosts not
2723 listed are implicitly allowed (rootdn-deny-host). If a host ad‐
2724 dress is listed in both the rootdn-allow-host and
2725 rootdn-deny-host attributes, it is denied access.
2726
2727
2728 --allow-ip ALLOW_IP [ALLOW_IP ...]
2729 Sets what IP addresses, either IPv4 or IPv6, for machines the
2730 root user is allowed to use to access Directory Server. Any IP
2731 addresses not listed are implicitly denied (rootdn-allow-ip)
2732
2733
2734 --deny-ip DENY_IP [DENY_IP ...]
2735 Sets what IP addresses, either IPv4 or IPv6, for machines the
2736 root user is not allowed to use to access Directory Server. Any
2737 IP addresses not listed are implicitly allowed (rootdn-deny-ip).
2738 If an IP address is listed in both the rootdn-allow-ip and
2739 rootdn-deny-ip attributes, it is denied access.
2740
2741
2742 --open-time OPEN_TIME
2743 Sets part of a time period or range when the root user is al‐
2744 lowed to access Directory Server. This sets when the time-based
2745 access begins (rootdn-open-time)
2746
2747
2748 --close-time CLOSE_TIME
2749 Sets part of a time period or range when the root user is al‐
2750 lowed to access Directory Server. This sets when the time-based
2751 access ends (rootdn-close-time)
2752
2753
2754 --days-allowed DAYS_ALLOWED
2755 Sets a comma-separated list of what days the root user is al‐
2756 lowed to use to access Directory Server. Any days not listed are
2757 implicitly denied (rootdn-days-allowed)
2758
2759
2761 usage: dsconf instance plugin usn [-h]
2762 {show,enable,disable,sta‐
2763 tus,global,cleanup}
2764 ...
2765
2766
2768 dsconf plugin usn show
2769 Displays the plugin configuration
2770
2771 dsconf plugin usn enable
2772 Enables the plugin
2773
2774 dsconf plugin usn disable
2775 Disables the plugin
2776
2777 dsconf plugin usn status
2778 Displays the plugin status
2779
2780 dsconf plugin usn global
2781 Get or manage global USN mode (nsslapd-entryusn-global)
2782
2783 dsconf plugin usn cleanup
2784 Runs the USN tombstone cleanup task
2785
2786
2788 usage: dsconf instance plugin usn show [-h]
2789
2790
2792 usage: dsconf instance plugin usn enable [-h]
2793
2794
2796 usage: dsconf instance plugin usn disable [-h]
2797
2798
2800 usage: dsconf instance plugin usn status [-h]
2801
2802
2804 usage: dsconf instance plugin usn global [-h] {on,off} ...
2805
2806
2808 dsconf plugin usn global on
2809 Enables USN global mode
2810
2811 dsconf plugin usn global off
2812 Disables USN global mode
2813
2814
2816 usage: dsconf instance plugin usn global on [-h]
2817
2818
2820 usage: dsconf instance plugin usn global off [-h]
2821
2822
2824 usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
2825 [-m MAX_USN]
2826
2827
2829 -s SUFFIX, --suffix SUFFIX
2830 Sets the suffix or subtree in Directory Server to run the
2831 cleanup operation against. If the suffix is not specified, then
2832 the back end must be specified (suffix).
2833
2834
2835 -n BACKEND, --backend BACKEND
2836 Sets the Directory Server instance back end, or database, to run
2837 the cleanup operation against. If the back end is not specified,
2838 then the suffix must be specified. This is the back end in which
2839 USN tombstone entries are cleaned up (backend)
2840
2841
2842 -m MAX_USN, --max-usn MAX_USN
2843 Sets the highest USN value to delete when removing tombstone en‐
2844 tries (max_usn_to_delete)
2845
2846
2848 usage: dsconf instance plugin account-policy [-h]
2849 {show,enable,disable,sta‐
2850 tus,set,config-entry}
2851 ...
2852
2853
2855 dsconf plugin account-policy show
2856 Displays the plugin configuration
2857
2858 dsconf plugin account-policy enable
2859 Enables the plugin
2860
2861 dsconf plugin account-policy disable
2862 Disables the plugin
2863
2864 dsconf plugin account-policy status
2865 Displays the plugin status
2866
2867 dsconf plugin account-policy set
2868 Edit the plugin settings
2869
2870 dsconf plugin account-policy config-entry
2871 Manage the config entry
2872
2873
2875 usage: dsconf instance plugin account-policy show [-h]
2876
2877
2879 usage: dsconf instance plugin account-policy enable [-h]
2880
2881
2883 usage: dsconf instance plugin account-policy disable [-h]
2884
2885
2887 usage: dsconf instance plugin account-policy status [-h]
2888
2889
2891 usage: dsconf instance plugin account-policy set [-h]
2892 [--config-entry CON‐
2893 FIG_ENTRY]
2894
2895
2897 --config-entry CONFIG_ENTRY
2898 Sets the nsslapd-pluginConfigArea attribute
2899
2900
2902 usage: dsconf instance plugin account-policy config-entry [-h]
2903 {add,set,show,delete}
2904 ...
2905
2906
2908 dsconf plugin account-policy config-entry add
2909 Add the config entry
2910
2911 dsconf plugin account-policy config-entry set
2912 Edit the config entry
2913
2914 dsconf plugin account-policy config-entry show
2915 Display the config entry
2916
2917 dsconf plugin account-policy config-entry delete
2918 Delete the config entry
2919
2920
2922 usage: dsconf instance plugin account-policy config-entry add
2923 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2924 ALT_STATE_ATTR]
2925 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2926 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2927 [--state-attr STATE_ATTR]
2928 DN
2929
2930
2931 DN The full DN of the config entry
2932
2933
2935 --always-record-login {yes,no}
2936 Sets that every entry records its last login time (alwaysRecord‐
2937 Login)
2938
2939
2940 --alt-state-attr ALT_STATE_ATTR
2941 Provides a backup attribute for the server to reference to eval‐
2942 uate the expiration time (altStateAttrName)
2943
2944
2945 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2946 Specifies the attribute in the user's directory entry that
2947 stores the time of the last successful login
2948 (alwaysRecordLoginAttr)
2949
2950
2951 --limit-attr LIMIT_ATTR
2952 Specifies the attribute within the policy to use for the account
2953 inactivation limit (limitAttrName)
2954
2955
2956 --spec-attr SPEC_ATTR
2957 Specifies the attribute to identify which entries are account
2958 policy configuration entries (specAttrName)
2959
2960
2961 --state-attr STATE_ATTR
2962 Specifies the primary time attribute used to evaluate an account
2963 policy (stateAttrName)
2964
2965
2967 usage: dsconf instance plugin account-policy config-entry set
2968 [-h] [--always-record-login {yes,no}] [--alt-state-attr
2969 ALT_STATE_ATTR]
2970 [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
2971 [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
2972 [--state-attr STATE_ATTR]
2973 DN
2974
2975
2976 DN The full DN of the config entry
2977
2978
2980 --always-record-login {yes,no}
2981 Sets that every entry records its last login time (alwaysRecord‐
2982 Login)
2983
2984
2985 --alt-state-attr ALT_STATE_ATTR
2986 Provides a backup attribute for the server to reference to eval‐
2987 uate the expiration time (altStateAttrName)
2988
2989
2990 --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
2991 Specifies the attribute in the user's directory entry that
2992 stores the time of the last successful login
2993 (alwaysRecordLoginAttr)
2994
2995
2996 --limit-attr LIMIT_ATTR
2997 Specifies the attribute within the policy to use for the account
2998 inactivation limit (limitAttrName)
2999
3000
3001 --spec-attr SPEC_ATTR
3002 Specifies the attribute to identify which entries are account
3003 policy configuration entries (specAttrName)
3004
3005
3006 --state-attr STATE_ATTR
3007 Specifies the primary time attribute used to evaluate an account
3008 policy (stateAttrName)
3009
3010
3012 usage: dsconf instance plugin account-policy config-entry show [-h] DN
3013
3014
3015 DN The full DN of the config entry
3016
3017
3019 usage: dsconf instance plugin account-policy config-entry delete [-h]
3020 DN
3021
3022
3023 DN The full DN of the config entry
3024
3025
3027 usage: dsconf instance plugin attr-uniq [-h]
3028 {list,add,set,show,delete,en‐
3029 able,disable,status}
3030 ...
3031
3032
3034 dsconf plugin attr-uniq list
3035 Lists available plugin configs
3036
3037 dsconf plugin attr-uniq add
3038 Add the config entry
3039
3040 dsconf plugin attr-uniq set
3041 Edit the config entry
3042
3043 dsconf plugin attr-uniq show
3044 Display the config entry
3045
3046 dsconf plugin attr-uniq delete
3047 Delete the config entry
3048
3049 dsconf plugin attr-uniq enable
3050 enable plugin
3051
3052 dsconf plugin attr-uniq disable
3053 disable plugin
3054
3055 dsconf plugin attr-uniq status
3056 display plugin status
3057
3058
3060 usage: dsconf instance plugin attr-uniq list [-h]
3061
3062
3064 usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
3065 [--attr-name ATTR_NAME
3066 [ATTR_NAME ...]]
3067 [--subtree SUBTREE [SUBTREE
3068 ...]]
3069 [--across-all-subtrees
3070 {on,off}]
3071 [--top-entry-oc TOP_EN‐
3072 TRY_OC]
3073 [--subtree-entries-oc SUB‐
3074 TREE_ENTRIES_OC]
3075 NAME
3076
3077
3078 NAME The name of the plug-in configuration record. (cn) You can use
3079 any string, but "attribute_name Attribute Uniqueness" is recom‐
3080 mended.
3081
3082
3084 --enabled {on,off}
3085 Identifies whether or not the config is enabled.
3086
3087
3088 --attr-name ATTR_NAME [ATTR_NAME ...]
3089 Sets the name of the attribute whose values must be unique. This
3090 attribute is multi-valued. (uniqueness-attribute-name)
3091
3092
3093 --subtree SUBTREE [SUBTREE ...]
3094 Sets the DN under which the plug-in checks for uniqueness of the
3095 attribute's value. This attribute is multi-valued (unique‐
3096 ness-subtrees)
3097
3098
3099 --across-all-subtrees {on,off}
3100 If enabled (on), the plug-in checks that the attribute is unique
3101 across all subtrees set. If you set the attribute to off,
3102 uniqueness is only enforced within the subtree of the updated
3103 entry (uniqueness-across-all-subtrees)
3104
3105
3106 --top-entry-oc TOP_ENTRY_OC
3107 Verifies that the value of the attribute set in uniqueness-at‐
3108 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3109
3110
3111 --subtree-entries-oc SUBTREE_ENTRIES_OC
3112 Verifies if an attribute is unique, if the entry contains the
3113 object class set in this parameter (uniqueness-subtree-en‐
3114 tries-oc)
3115
3116
3118 usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
3119 [--attr-name ATTR_NAME
3120 [ATTR_NAME ...]]
3121 [--subtree SUBTREE [SUBTREE
3122 ...]]
3123 [--across-all-subtrees
3124 {on,off}]
3125 [--top-entry-oc TOP_EN‐
3126 TRY_OC]
3127 [--subtree-entries-oc SUB‐
3128 TREE_ENTRIES_OC]
3129 NAME
3130
3131
3132 NAME The name of the plug-in configuration record. (cn) You can use
3133 any string, but "attribute_name Attribute Uniqueness" is recom‐
3134 mended.
3135
3136
3138 --enabled {on,off}
3139 Identifies whether or not the config is enabled.
3140
3141
3142 --attr-name ATTR_NAME [ATTR_NAME ...]
3143 Sets the name of the attribute whose values must be unique. This
3144 attribute is multi-valued. (uniqueness-attribute-name)
3145
3146
3147 --subtree SUBTREE [SUBTREE ...]
3148 Sets the DN under which the plug-in checks for uniqueness of the
3149 attribute's value. This attribute is multi-valued (unique‐
3150 ness-subtrees)
3151
3152
3153 --across-all-subtrees {on,off}
3154 If enabled (on), the plug-in checks that the attribute is unique
3155 across all subtrees set. If you set the attribute to off,
3156 uniqueness is only enforced within the subtree of the updated
3157 entry (uniqueness-across-all-subtrees)
3158
3159
3160 --top-entry-oc TOP_ENTRY_OC
3161 Verifies that the value of the attribute set in uniqueness-at‐
3162 tribute-name is unique in this subtree (uniqueness-top-entry-oc)
3163
3164
3165 --subtree-entries-oc SUBTREE_ENTRIES_OC
3166 Verifies if an attribute is unique, if the entry contains the
3167 object class set in this parameter (uniqueness-subtree-en‐
3168 tries-oc)
3169
3170
3172 usage: dsconf instance plugin attr-uniq show [-h] NAME
3173
3174
3175 NAME The name of the plug-in configuration record
3176
3177
3179 usage: dsconf instance plugin attr-uniq delete [-h] NAME
3180
3181
3182 NAME The name of the plug-in configuration record
3183
3184
3186 usage: dsconf instance plugin attr-uniq enable [-h] NAME
3187
3188
3189 NAME The name of the plug-in configuration record
3190
3191
3193 usage: dsconf instance plugin attr-uniq disable [-h] NAME
3194
3195
3196 NAME The name of the plug-in configuration record
3197
3198
3200 usage: dsconf instance plugin attr-uniq status [-h] NAME
3201
3202
3203 NAME The name of the plug-in configuration record
3204
3205
3207 usage: dsconf instance plugin dna [-h]
3208 {show,enable,disable,status,list,con‐
3209 fig} ...
3210
3211
3213 dsconf plugin dna show
3214 Displays the plugin configuration
3215
3216 dsconf plugin dna enable
3217 Enables the plugin
3218
3219 dsconf plugin dna disable
3220 Disables the plugin
3221
3222 dsconf plugin dna status
3223 Displays the plugin status
3224
3225 dsconf plugin dna list
3226 List available plugin configs
3227
3228 dsconf plugin dna config
3229 Manage plugin configs
3230
3231
3233 usage: dsconf instance plugin dna show [-h]
3234
3235
3237 usage: dsconf instance plugin dna enable [-h]
3238
3239
3241 usage: dsconf instance plugin dna disable [-h]
3242
3243
3245 usage: dsconf instance plugin dna status [-h]
3246
3247
3249 usage: dsconf instance plugin dna list [-h] {configs,shared-configs}
3250 ...
3251
3252
3254 dsconf plugin dna list configs
3255 List main DNA plugin config entries
3256
3257 dsconf plugin dna list shared-configs
3258 List DNA plugin shared config entries
3259
3260
3262 usage: dsconf instance plugin dna list configs [-h]
3263
3264
3266 usage: dsconf instance plugin dna list shared-configs [-h] BASEDN
3267
3268
3269 BASEDN The search DN
3270
3271
3273 usage: dsconf instance plugin dna config [-h]
3274 NAME
3275 {add,set,show,delete,shared-con‐
3276 fig-entry}
3277 ...
3278
3279
3281 dsconf plugin dna config add
3282 Add the config entry
3283
3284 dsconf plugin dna config set
3285 Edit the config entry
3286
3287 dsconf plugin dna config show
3288 Display the config entry
3289
3290 dsconf plugin dna config delete
3291 Delete the config entry
3292
3293 dsconf plugin dna config shared-config-entry
3294 Manage the shared config entry
3295
3296
3298 usage: dsconf instance plugin dna config NAME add [-h]
3299 [--type TYPE [TYPE
3300 ...]]
3301 [--prefix PREFIX]
3302 [--next-value
3303 NEXT_VALUE]
3304 [--max-value
3305 MAX_VALUE]
3306 [--interval INTERVAL]
3307 [--magic-regen
3308 MAGIC_REGEN]
3309 [--filter FILTER]
3310 [--scope SCOPE]
3311 [--remote-bind-dn RE‐
3312 MOTE_BIND_DN]
3313 [--remote-bind-cred
3314 REMOTE_BIND_CRED]
3315 [--shared-config-en‐
3316 try SHARED_CONFIG_ENTRY]
3317 [--threshold THRESH‐
3318 OLD]
3319 [--next-range
3320 NEXT_RANGE]
3321 [--range-re‐
3322 quest-timeout RANGE_REQUEST_TIMEOUT]
3323
3324
3326 --type TYPE [TYPE ...]
3327 Sets which attributes have unique numbers being generated for
3328 them (dnaType)
3329
3330
3331 --prefix PREFIX
3332 Defines a prefix that can be prepended to the generated number
3333 values for the attribute (dnaPrefix)
3334
3335
3336 --next-value NEXT_VALUE
3337 Sets the next available number which can be assigned
3338 (dnaNextValue)
3339
3340
3341 --max-value MAX_VALUE
3342 Sets the maximum value that can be assigned for the range (dna‐
3343 MaxValue)
3344
3345
3346 --interval INTERVAL
3347 Sets an interval to use to increment through numbers in a range
3348 (dnaInterval)
3349
3350
3351 --magic-regen MAGIC_REGEN
3352 Sets a user-defined value that instructs the plug-in to assign a
3353 new value for the entry (dnaMagicRegen)
3354
3355
3356 --filter FILTER
3357 Sets an LDAP filter to use to search for and identify the en‐
3358 tries to which to apply the distributed numeric assignment range
3359 (dnaFilter)
3360
3361
3362 --scope SCOPE
3363 Sets the base DN to search for entries to which to apply the
3364 distributed numeric assignment (dnaScope)
3365
3366
3367 --remote-bind-dn REMOTE_BIND_DN
3368 Specifies the Replication Manager DN (dnaRemoteBindDN)
3369
3370
3371 --remote-bind-cred REMOTE_BIND_CRED
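3372 Specifies the Replication Manager's password (dnaRemoteBindCred).
3373 The password is given as a command-line argument, so it can be recorded in shell history and seen in process listings while the command runs.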
3374
3375 --shared-config-entry SHARED_CONFIG_ENTRY
3376 Defines a shared identity that the servers can use to transfer
3377 ranges to one another (dnaSharedCfgDN)
3378
3379
3380 --threshold THRESHOLD
3381 Sets a threshold of remaining available numbers in the range.
3382 When the server hits the threshold, it sends a request for a new
3383 range (dnaThreshold)
3384
3385
3386 --next-range NEXT_RANGE
3387 Defines the next range to use when the current range is ex‐
3388 hausted (dnaNextRange)
3389
3390
3391 --range-request-timeout RANGE_REQUEST_TIMEOUT
3392 Sets a timeout period, in seconds, for range requests so that
3393 the server does not stall waiting on a new range from one server
3394 and can request a range from a new server (dnaRangeRequestTime‐
3395 out)
3396
3397
3399 usage: dsconf instance plugin dna config NAME set [-h]
3400 [--type TYPE [TYPE
3401 ...]]
3402 [--prefix PREFIX]
3403 [--next-value
3404 NEXT_VALUE]
3405 [--max-value
3406 MAX_VALUE]
3407 [--interval INTERVAL]
3408 [--magic-regen
3409 MAGIC_REGEN]
3410 [--filter FILTER]
3411 [--scope SCOPE]
3412 [--remote-bind-dn RE‐
3413 MOTE_BIND_DN]
3414 [--remote-bind-cred
3415 REMOTE_BIND_CRED]
3416 [--shared-config-en‐
3417 try SHARED_CONFIG_ENTRY]
3418 [--threshold THRESH‐
3419 OLD]
3420 [--next-range
3421 NEXT_RANGE]
3422 [--range-re‐
3423 quest-timeout RANGE_REQUEST_TIMEOUT]
3424
3425
3427 --type TYPE [TYPE ...]
3428 Sets which attributes have unique numbers being generated for
3429 them (dnaType)
3430
3431
3432 --prefix PREFIX
3433 Defines a prefix that can be prepended to the generated number
3434 values for the attribute (dnaPrefix)
3435
3436
3437 --next-value NEXT_VALUE
3438 Sets the next available number which can be assigned
3439 (dnaNextValue)
3440
3441
3442 --max-value MAX_VALUE
3443 Sets the maximum value that can be assigned for the range (dna‐
3444 MaxValue)
3445
3446
3447 --interval INTERVAL
3448 Sets an interval to use to increment through numbers in a range
3449 (dnaInterval)
3450
3451
3452 --magic-regen MAGIC_REGEN
3453 Sets a user-defined value that instructs the plug-in to assign a
3454 new value for the entry (dnaMagicRegen)
3455
3456
3457 --filter FILTER
3458 Sets an LDAP filter to use to search for and identify the en‐
3459 tries to which to apply the distributed numeric assignment range
3460 (dnaFilter)
3461
3462
3463 --scope SCOPE
3464 Sets the base DN to search for entries to which to apply the
3465 distributed numeric assignment (dnaScope)
3466
3467
3468 --remote-bind-dn REMOTE_BIND_DN
3469 Specifies the Replication Manager DN (dnaRemoteBindDN)
3470
3471
3472 --remote-bind-cred REMOTE_BIND_CRED
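3473 Specifies the Replication Manager's password (dnaRemoteBindCred).
3474 The password is given as a command-line argument, so it can be recorded in shell history and seen in process listings while the command runs.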
3475
3476 --shared-config-entry SHARED_CONFIG_ENTRY
3477 Defines a shared identity that the servers can use to transfer
3478 ranges to one another (dnaSharedCfgDN)
3479
3480
3481 --threshold THRESHOLD
3482 Sets a threshold of remaining available numbers in the range.
3483 When the server hits the threshold, it sends a request for a new
3484 range (dnaThreshold)
3485
3486
3487 --next-range NEXT_RANGE
3488 Defines the next range to use when the current range is ex‐
3489 hausted (dnaNextRange)
3490
3491
3492 --range-request-timeout RANGE_REQUEST_TIMEOUT
3493 Sets a timeout period, in seconds, for range requests so that
3494 the server does not stall waiting on a new range from one server
3495 and can request a range from a new server (dnaRangeRequestTime‐
3496 out)
3497
3498
3500 usage: dsconf instance plugin dna config NAME show [-h]
3501
3502
3504 usage: dsconf instance plugin dna config NAME delete [-h]
3505
3506
3508 usage: dsconf instance plugin dna config NAME shared-config-entry
3509 [-h] SHARED_CFG {set,show,delete} ...
3510
3511
3513 dsconf plugin dna config shared-config-entry set
3514 Edit the shared config entry
3515
3516 dsconf plugin dna config shared-config-entry show
3517 Display the shared config entry
3518
3519 dsconf plugin dna config shared-config-entry delete
3520 Delete the shared config entry
3521
3522
3524 usage: dsconf instance plugin dna config NAME shared-config-entry
3525 SHARED_CFG set
3526 [-h] [--remote-bind-method REMOTE_BIND_METHOD]
3527 [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
3528
3529
3531 --remote-bind-method REMOTE_BIND_METHOD
3532 Specifies the remote bind method: "SIMPLE", "SSL" (for SSL client
3533 auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)
3534
3535
3536 --remote-conn-protocol REMOTE_CONN_PROTOCOL
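3537 Specifies the remote connection protocol: "LDAP" or "TLS"
3538 (dnaRemoteConnProtocol). With "LDAP" the connection is not
3539 encrypted, so a "SIMPLE" bind sends the bind password in clear text.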
3540
3542 usage: dsconf instance plugin dna config NAME shared-config-entry
3543 SHARED_CFG show
3544 [-h]
3545
3546
3548 usage: dsconf instance plugin dna config NAME shared-config-entry
3549 SHARED_CFG delete
3550 [-h]
3551
3552
3554 usage: dsconf instance plugin ldap-pass-through-auth [-h]
3555 {show,enable,dis‐
3556 able,status,list,add,modify,delete}
3557 ...
3558
3559
3561 dsconf plugin ldap-pass-through-auth show
3562 Displays the plugin configuration
3563
3564 dsconf plugin ldap-pass-through-auth enable
3565 Enables the plugin
3566
3567 dsconf plugin ldap-pass-through-auth disable
3568 Disables the plugin
3569
3570 dsconf plugin ldap-pass-through-auth status
3571 Displays the plugin status
3572
3573 dsconf plugin ldap-pass-through-auth list
3574 Lists LDAP URLs
3575
3576 dsconf plugin ldap-pass-through-auth add
3577 Add an LDAP URL to the config entry
3578
3579 dsconf plugin ldap-pass-through-auth modify
3580 Edit the LDAP pass through config entry
3581
3582 dsconf plugin ldap-pass-through-auth delete
3583 Delete a URL from the config entry
3584
3585
3587 usage: dsconf instance plugin ldap-pass-through-auth show [-h]
3588
3589
3591 usage: dsconf instance plugin ldap-pass-through-auth enable [-h]
3592
3593
3595 usage: dsconf instance plugin ldap-pass-through-auth disable [-h]
3596
3597
3599 usage: dsconf instance plugin ldap-pass-through-auth status [-h]
3600
3601
3603 usage: dsconf instance plugin ldap-pass-through-auth list [-h]
3604
3605
3607 usage: dsconf instance plugin ldap-pass-through-auth add [-h] URL
3608
3609
3610 URL The full LDAP URL in format "ldap|ldaps://authDS/subtree max‐
3611 conns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
3612 tional parameter is specified the rest should be specified too
3613
3614
3616 usage: dsconf instance plugin ldap-pass-through-auth modify
3617 [-h] OLD_URL NEW_URL
3618
3619
3620 OLD_URL
3621 The full LDAP URL you get from the "list" command
3622
3623
3624 NEW_URL
3625 Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree
3626 maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one op‐
3627 tional parameter is specified the rest should be specified too.
3628
3629
3631 usage: dsconf instance plugin ldap-pass-through-auth delete [-h] URL
3632
3633
3634 URL The full LDAP URL you get from the "list" command
3635
3636
3638 usage: dsconf instance plugin linked-attr [-h]
3639 {show,enable,disable,sta‐
3640 tus,fixup,fixup-status,list,config}
3641 ...
3642
3643
3645 dsconf plugin linked-attr show
3646 Displays the plugin configuration
3647
3648 dsconf plugin linked-attr enable
3649 Enables the plugin
3650
3651 dsconf plugin linked-attr disable
3652 Disables the plugin
3653
3654 dsconf plugin linked-attr status
3655 Displays the plugin status
3656
3657 dsconf plugin linked-attr fixup
3658 Run the fix-up task for linked attributes plugin
3659
3660 dsconf plugin linked-attr fixup-status
3661 Check the status of a fix-up task
3662
3663 dsconf plugin linked-attr list
3664 List available plugin configs
3665
3666 dsconf plugin linked-attr config
3667 Manage plugin configs
3668
3669
3671 usage: dsconf instance plugin linked-attr show [-h]
3672
3673
3675 usage: dsconf instance plugin linked-attr enable [-h]
3676
3677
3679 usage: dsconf instance plugin linked-attr disable [-h]
3680
3681
3683 usage: dsconf instance plugin linked-attr status [-h]
3684
3685
3687 usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
3688 [--wait]
3689
3690
3692 -l LINKDN, --linkdn LINKDN
3693 Sets the base DN that contains entries to fix up
3694
3695
3696 --wait Wait for the task to finish, this could take a long time
3697
3698
3700 usage: dsconf instance plugin linked-attr fixup-status [-h] [--dn DN]
3701 [--show-log]
3702 [--watch]
3703
3704
3706 --dn DN
3707 The task entry's DN
3708
3709
3710 --show-log
3711 Display the task log
3712
3713
3714 --watch
3715 Watch the task's status and wait for it to finish
3716
3717
3719 usage: dsconf instance plugin linked-attr list [-h]
3720
3721
3723 usage: dsconf instance plugin linked-attr config [-h]
3724 NAME
3725 {add,set,show,delete}
3726 ...
3727
3728
3730 dsconf plugin linked-attr config add
3731 Add the config entry
3732
3733 dsconf plugin linked-attr config set
3734 Edit the config entry
3735
3736 dsconf plugin linked-attr config show
3737 Display the config entry
3738
3739 dsconf plugin linked-attr config delete
3740 Delete the config entry
3741
3742
3744 usage: dsconf instance plugin linked-attr config NAME add [-h]
3745 [--link-type
3746 LINK_TYPE]
3747 [--man‐
3748 aged-type MANAGED_TYPE]
3749 [--link-scope
3750 LINK_SCOPE]
3751
3752
3754 --link-type LINK_TYPE
3755 Sets the attribute that is managed manually by administrators
3756 (linkType)
3757
3758
3759 --managed-type MANAGED_TYPE
3760 Sets the attribute that is created dynamically by the plugin
3761 (managedType)
3762
3763
3764 --link-scope LINK_SCOPE
3765 Sets the scope that restricts the plugin to a specific part of
3766 the directory tree (linkScope)
3767
3768
3770 usage: dsconf instance plugin linked-attr config NAME set [-h]
3771 [--link-type
3772 LINK_TYPE]
3773 [--man‐
3774 aged-type MANAGED_TYPE]
3775 [--link-scope
3776 LINK_SCOPE]
3777
3778
3780 --link-type LINK_TYPE
3781 Sets the attribute that is managed manually by administrators
3782 (linkType)
3783
3784
3785 --managed-type MANAGED_TYPE
3786 Sets the attribute that is created dynamically by the plugin
3787 (managedType)
3788
3789
3790 --link-scope LINK_SCOPE
3791 Sets the scope that restricts the plugin to a specific part of
3792 the directory tree (linkScope)
3793
3794
3796 usage: dsconf instance plugin linked-attr config NAME show [-h]
3797
3798
3800 usage: dsconf instance plugin linked-attr config NAME delete [-h]
3801
3802
3804 usage: dsconf instance plugin managed-entries [-h]
3805 {show,enable,disable,sta‐
3806 tus,set,list,config,template}
3807 ...
3808
3809
3811 dsconf plugin managed-entries show
3812 Displays the plugin configuration
3813
3814 dsconf plugin managed-entries enable
3815 Enables the plugin
3816
3817 dsconf plugin managed-entries disable
3818 Disables the plugin
3819
3820 dsconf plugin managed-entries status
3821 Displays the plugin status
3822
3823 dsconf plugin managed-entries set
3824 Edit the plugin settings
3825
3826 dsconf plugin managed-entries list
3827 List Managed Entries Plugin configs and templates
3828
3829 dsconf plugin managed-entries config
3830 Handle Managed Entries Plugin configs
3831
3832 dsconf plugin managed-entries template
3833 Handle Managed Entries Plugin templates
3834
3835
3837 usage: dsconf instance plugin managed-entries show [-h]
3838
3839
3841 usage: dsconf instance plugin managed-entries enable [-h]
3842
3843
3845 usage: dsconf instance plugin managed-entries disable [-h]
3846
3847
3849 usage: dsconf instance plugin managed-entries status [-h]
3850
3851
3853 usage: dsconf instance plugin managed-entries set [-h]
3854 [--config-area CON‐
3855 FIG_AREA]
3856
3857
3859 --config-area CONFIG_AREA
3860 Sets the value of the nsslapd-pluginConfigArea attribute
3861
3862
3864 usage: dsconf instance plugin managed-entries list [-h]
3865 {configs,templates}
3866 ...
3867
3868
3870 dsconf plugin managed-entries list configs
3871 List Managed Entries Plugin configs (list config-area if speci‐
3872 fied in the main plugin entry)
3873
3874 dsconf plugin managed-entries list templates
3875 List Managed Entries Plugin templates in the directory
3876
3877
3879 usage: dsconf instance plugin managed-entries list configs [-h]
3880
3881
3883 usage: dsconf instance plugin managed-entries list templates [-h]
3884 [BASEDN]
3885
3886
3887 BASEDN The base DN where to search the templates
3888
3889
3891 usage: dsconf instance plugin managed-entries config [-h]
3892 NAME
3893 {add,set,show,delete}
3894 ...
3895
3896
3898 dsconf plugin managed-entries config add
3899 Add the config entry
3900
3901 dsconf plugin managed-entries config set
3902 Edit the config entry
3903
3904 dsconf plugin managed-entries config show
3905 Display the config entry
3906
3907 dsconf plugin managed-entries config delete
3908 Delete the config entry
3909
3910
3912 usage: dsconf instance plugin managed-entries config NAME add
3913 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3914 AGED_BASE]
3915 [--managed-template MANAGED_TEMPLATE]
3916
3917
3919 --scope SCOPE
3920 Sets the scope of the search to use to see which entries the
3921 plug-in monitors (originScope)
3922
3923
3924 --filter FILTER
3925 Sets the search filter to use to search for and identify the en‐
3926 tries within the subtree which require a managed entry (origin‐
3927 Filter)
3928
3929
3930 --managed-base MANAGED_BASE
3931 Sets the subtree under which to create the managed entries (man‐
3932 agedBase)
3933
3934
3935 --managed-template MANAGED_TEMPLATE
3936 Identifies the template entry to use to create the managed entry
3937 (managedTemplate)
3938
3939
3941 usage: dsconf instance plugin managed-entries config NAME set
3942 [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MAN‐
3943 AGED_BASE]
3944 [--managed-template MANAGED_TEMPLATE]
3945
3946
3948 --scope SCOPE
3949 Sets the scope of the search to use to see which entries the
3950 plug-in monitors (originScope)
3951
3952
3953 --filter FILTER
3954 Sets the search filter to use to search for and identify the en‐
3955 tries within the subtree which require a managed entry (origin‐
3956 Filter)
3957
3958
3959 --managed-base MANAGED_BASE
3960 Sets the subtree under which to create the managed entries (man‐
3961 agedBase)
3962
3963
3964 --managed-template MANAGED_TEMPLATE
3965 Identifies the template entry to use to create the managed entry
3966 (managedTemplate)
3967
3968
3970 usage: dsconf instance plugin managed-entries config NAME show [-h]
3971
3972
3974 usage: dsconf instance plugin managed-entries config NAME delete [-h]
3975
3976
3978 usage: dsconf instance plugin managed-entries template [-h]
3979 DN
3980 {add,set,show,delete}
3981 ...
3982
3983
3985 dsconf plugin managed-entries template add
3986 Add the template entry
3987
3988 dsconf plugin managed-entries template set
3989 Edit the template entry
3990
3991 dsconf plugin managed-entries template show
3992 Display the template entry
3993
3994 dsconf plugin managed-entries template delete
3995 Delete the template entry
3996
3997
3999 usage: dsconf instance plugin managed-entries template DN add
4000 [-h] [--rdn-attr RDN_ATTR]
4001 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
4002 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
4003
4004
4006 --rdn-attr RDN_ATTR
4007 Sets which attribute to use as the naming attribute in the
4008 automatically-generated entry (mepRDNAttr)
4009
4010
4011 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4012 Sets an attribute with a defined value that must be added to the
4013 automatically-generated entry (mepStaticAttr)
4014
4015
4016 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4017 Sets attributes in the Managed Entries template entry which must
4018 exist in the generated entry (mepMappedAttr)
4019
4020
4022 usage: dsconf instance plugin managed-entries template DN set
4023 [-h] [--rdn-attr RDN_ATTR]
4024 [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
4025 [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
4026
4027
4029 --rdn-attr RDN_ATTR
4030 Sets which attribute to use as the naming attribute in the
4031 automatically-generated entry (mepRDNAttr)
4032
4033
4034 --static-attr STATIC_ATTR [STATIC_ATTR ...]
4035 Sets an attribute with a defined value that must be added to the
4036 automatically-generated entry (mepStaticAttr)
4037
4038
4039 --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
4040 Sets attributes in the Managed Entries template entry which must
4041 exist in the generated entry (mepMappedAttr)
4042
4043
4045 usage: dsconf instance plugin managed-entries template DN show [-h]
4046
4047
4049 usage: dsconf instance plugin managed-entries template DN delete [-h]
4050
4051
4053 usage: dsconf instance plugin pam-pass-through-auth [-h]
4054 {show,enable,dis‐
4055 able,status,list,config}
4056 ...
4057
4058
4060 dsconf plugin pam-pass-through-auth show
4061 Displays the plugin configuration
4062
4063 dsconf plugin pam-pass-through-auth enable
4064 Enables the plugin
4065
4066 dsconf plugin pam-pass-through-auth disable
4067 Disables the plugin
4068
4069 dsconf plugin pam-pass-through-auth status
4070 Displays the plugin status
4071
4072 dsconf plugin pam-pass-through-auth list
4073 Lists PAM configurations
4074
4075 dsconf plugin pam-pass-through-auth config
4076 Manage PAM PTA configurations.
4077
4078
4080 usage: dsconf instance plugin pam-pass-through-auth show [-h]
4081
4082
4084 usage: dsconf instance plugin pam-pass-through-auth enable [-h]
4085
4086
4088 usage: dsconf instance plugin pam-pass-through-auth disable [-h]
4089
4090
4092 usage: dsconf instance plugin pam-pass-through-auth status [-h]
4093
4094
4096 usage: dsconf instance plugin pam-pass-through-auth list [-h]
4097
4098
4100 usage: dsconf instance plugin pam-pass-through-auth config [-h]
4101 NAME
4102 {add,set,show,delete}
4103 ...
4104
4105
4107 dsconf plugin pam-pass-through-auth config add
4108 Add the config entry
4109
4110 dsconf plugin pam-pass-through-auth config set
4111 Edit the config entry
4112
4113 dsconf plugin pam-pass-through-auth config show
4114 Display the config entry
4115
4116 dsconf plugin pam-pass-through-auth config delete
4117 Delete the config entry
4118
4119
4121 usage: dsconf instance plugin pam-pass-through-auth config NAME add
4122 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4123 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4124 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4125 TER]
4126 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4127 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4128 SERVICE]
4129
4130
4132 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4133 Specifies a suffix to exclude from PAM authentication (pamEx‐
4134 cludeSuffix)
4135
4136
4137 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4138 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4139 fix)
4140
4141
4142 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4143 Identifies how to handle missing include or exclude suffixes
4144 (pamMissingSuffix)
4145
4146
4147 --filter FILTER
4148 Sets an LDAP filter to use to identify specific entries within
4149 the included suffixes for which to use PAM pass-through authen‐
4150 tication (pamFilter)
4151
4152
4153 --id-attr ID_ATTR
4154 Contains the attribute name which is used to hold the PAM user
4155 ID (pamIDAttr)
4156
4157
4158 --id_map_method ID_MAP_METHOD
4159 Sets the method to use to map the LDAP bind DN to a PAM identity
4160 (pamIDMapMethod)
4161
4162
4163 --fallback {TRUE,FALSE}
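4164 Sets whether to fall back to regular LDAP authentication if PAM
4165 authentication fails (pamFallback). With TRUE, a bind that PAM rejects is then checked against the password stored in the entry,
4166 so disabling an account on the PAM side does not by itself block it when the entry also holds a directory password.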
4167
4168 --secure {TRUE,FALSE}
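4169 Requires a secure TLS connection for PAM authentication (pamSecure).
4170 The bind carries the user's password, so set TRUE unless the connection is protected by other means.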
4171
4172
4173 --service SERVICE
4174 Contains the service name to pass to PAM (pamService)
4175
4176
4178 usage: dsconf instance plugin pam-pass-through-auth config NAME set
4179 [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
4180 [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
4181 [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FIL‐
4182 TER]
4183 [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
4184 [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service
4185 SERVICE]
4186
4187
4189 --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
4190 Specifies a suffix to exclude from PAM authentication (pamEx‐
4191 cludeSuffix)
4192
4193
4194 --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
4195 Sets a suffix to include for PAM authentication (pamIncludeSuf‐
4196 fix)
4197
4198
4199 --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
4200 Identifies how to handle missing include or exclude suffixes
4201 (pamMissingSuffix)
4202
4203
4204 --filter FILTER
4205 Sets an LDAP filter to use to identify specific entries within
4206 the included suffixes for which to use PAM pass-through authen‐
4207 tication (pamFilter)
4208
4209
4210 --id-attr ID_ATTR
4211 Contains the attribute name which is used to hold the PAM user
4212 ID (pamIDAttr)
4213
4214
4215 --id_map_method ID_MAP_METHOD
4216 Sets the method to use to map the LDAP bind DN to a PAM identity
4217 (pamIDMapMethod)
4218
4219
4220 --fallback {TRUE,FALSE}
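4221 Sets whether to fall back to regular LDAP authentication if PAM
4222 authentication fails (pamFallback). With TRUE, a bind that PAM rejects is then checked against the password stored in the entry,
4223 so disabling an account on the PAM side does not by itself block it when the entry also holds a directory password.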
4224
4225 --secure {TRUE,FALSE}
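4226 Requires a secure TLS connection for PAM authentication (pamSecure).
4227 The bind carries the user's password, so set TRUE unless the connection is protected by other means.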
4228
4229
4230 --service SERVICE
4231 Contains the service name to pass to PAM (pamService)
4232
4233
4235 usage: dsconf instance plugin pam-pass-through-auth config NAME show
4236 [-h]
4237
4238
4240 usage: dsconf instance plugin pam-pass-through-auth config NAME delete
4241 [-h]
4242
4243
4245 usage: dsconf instance plugin retro-changelog [-h]
4246 {show,enable,disable,sta‐
4247 tus,set,add,del}
4248 ...
4249
4250
4252 dsconf plugin retro-changelog show
4253 Displays the plugin configuration
4254
4255 dsconf plugin retro-changelog enable
4256 Enables the plugin
4257
4258 dsconf plugin retro-changelog disable
4259 Disables the plugin
4260
4261 dsconf plugin retro-changelog status
4262 Displays the plugin status
4263
4264 dsconf plugin retro-changelog set
4265 Edit the plugin
4266
4267 dsconf plugin retro-changelog add
4268 Add attributes to the plugin
4269
4270 dsconf plugin retro-changelog del
4271 Delete an attribute from plugin scope
4272
4273
4275 usage: dsconf instance plugin retro-changelog show [-h]
4276
4277
4279 usage: dsconf instance plugin retro-changelog enable [-h]
4280
4281
4283 usage: dsconf instance plugin retro-changelog disable [-h]
4284
4285
4287 usage: dsconf instance plugin retro-changelog status [-h]
4288
4289
4291 usage: dsconf instance plugin retro-changelog set [-h]
4292 [--is-replicated
4293 {TRUE,FALSE}]
4294 [--attribute ATTRI‐
4295 BUTE]
4296 [--directory DIREC‐
4297 TORY]
4298 [--max-age MAX_AGE]
4299 [--trim-interval
4300 TRIM_INTERVAL]
4301 [--exclude-suffix
4302 [EXCLUDE_SUFFIX ...]]
4303 [--exclude-attrs [EX‐
4304 CLUDE_ATTRS ...]]
4305
4306
4308 --is-replicated {TRUE,FALSE}
4309 Sets a flag to indicate on a change in the changelog whether the
4310 change is newly made on that server or whether it was replicated
4311 over from another server (isReplicated)
4312
4313
4314 --attribute ATTRIBUTE
4315 Specifies another Directory Server attribute which must be in‐
4316 cluded in the retro changelog entries (nsslapd-attribute)
4317
4318
4319 --directory DIRECTORY
4320 Specifies the name of the directory in which the changelog data‐
4321 base is created the first time the plug-in is run
4322
4323
4324 --max-age MAX_AGE
4325 Specifies the maximum age of any entry in the changelog. Used to
4326 trim the changelog (nsslapd-changelogmaxage)
4327
4328
4329 --trim-interval TRIM_INTERVAL
4330 Sets how often the changelog is checked for entries to trim (see --max-age)
4331
4332 --exclude-suffix [EXCLUDE_SUFFIX ...]
4333 Specifies the suffix which will be excluded from the scope of
4334 the plugin (nsslapd-exclude-suffix)
4335
4336
4337 --exclude-attrs [EXCLUDE_ATTRS ...]
4338 Specifies the attributes which will be excluded from the scope
4339 of the plugin (nsslapd-exclude-attrs)
4340
4341
4343 usage: dsconf instance plugin retro-changelog add [-h]
4344 [--is-replicated
4345 {TRUE,FALSE}]
4346 [--attribute ATTRI‐
4347 BUTE]
4348 [--directory DIREC‐
4349 TORY]
4350 [--max-age MAX_AGE]
4351 [--trim-interval
4352 TRIM_INTERVAL]
4353 [--exclude-suffix
4354 [EXCLUDE_SUFFIX ...]]
4355 [--exclude-attrs [EX‐
4356 CLUDE_ATTRS ...]]
4357
4358
4360 --is-replicated {TRUE,FALSE}
4361 Sets a flag to indicate on a change in the changelog whether the
4362 change is newly made on that server or whether it was replicated
4363 over from another server (isReplicated)
4364
4365
4366 --attribute ATTRIBUTE
4367 Specifies another Directory Server attribute which must be in‐
4368 cluded in the retro changelog entries (nsslapd-attribute)
4369
4370
4371 --directory DIRECTORY
4372 Specifies the name of the directory in which the changelog data‐
4373 base is created the first time the plug-in is run
4374
4375
4376 --max-age MAX_AGE
4377 Specifies the maximum age of any entry in the changelog. Used to
4378 trim the changelog (nsslapd-changelogmaxage)
4379
4380
4381 --trim-interval TRIM_INTERVAL
4382 Sets how often the changelog is checked for entries to trim (see --max-age)
4383
4384 --exclude-suffix [EXCLUDE_SUFFIX ...]
4385 Specifies the suffix which will be excluded from the scope of
4386 the plugin (nsslapd-exclude-suffix)
4387
4388
4389 --exclude-attrs [EXCLUDE_ATTRS ...]
4390 Specifies the attributes which will be excluded from the scope
4391 of the plugin (nsslapd-exclude-attrs)
4392
4393
4395 usage: dsconf instance plugin retro-changelog del [-h]
4396 [--is-replicated
4397 {TRUE,FALSE}]
4398 [--attribute ATTRI‐
4399 BUTE]
4400 [--directory DIREC‐
4401 TORY]
4402 [--max-age MAX_AGE]
4403 [--trim-interval
4404 TRIM_INTERVAL]
4405 [--exclude-suffix
4406 [EXCLUDE_SUFFIX ...]]
4407 [--exclude-attrs [EX‐
4408 CLUDE_ATTRS ...]]
4409
4410
4412 --is-replicated {TRUE,FALSE}
4413 Sets a flag to indicate on a change in the changelog whether the
4414 change is newly made on that server or whether it was replicated
4415 over from another server (isReplicated)
4416
4417
4418 --attribute ATTRIBUTE
4419 Specifies another Directory Server attribute which must be in‐
4420 cluded in the retro changelog entries (nsslapd-attribute)
4421
4422
4423 --directory DIRECTORY
4424 Specifies the name of the directory in which the changelog data‐
4425 base is created the first time the plug-in is run
4426
4427
4428 --max-age MAX_AGE
4429 Specifies the maximum age of any entry in the changelog. Used to
4430 trim the changelog (nsslapd-changelogmaxage)
4431
4432
4433 --trim-interval TRIM_INTERVAL
4434 Sets how often the changelog is checked for entries to trim (see --max-age)
4435
4436 --exclude-suffix [EXCLUDE_SUFFIX ...]
4437 Specifies the suffix which will be excluded from the scope of
4438 the plugin (nsslapd-exclude-suffix)
4439
4440
4441 --exclude-attrs [EXCLUDE_ATTRS ...]
4442 Specifies the attributes which will be excluded from the scope
4443 of the plugin (nsslapd-exclude-attrs)
4444
4445
4447 usage: dsconf instance plugin posix-winsync [-h]
4448 {show,enable,disable,sta‐
4449 tus,set,fixup}
4450 ...
4451
4452
4454 dsconf plugin posix-winsync show
4455 Displays the plugin configuration
4456
4457 dsconf plugin posix-winsync enable
4458 Enables the plugin
4459
4460 dsconf plugin posix-winsync disable
4461 Disables the plugin
4462
4463 dsconf plugin posix-winsync status
4464 Displays the plugin status
4465
4466 dsconf plugin posix-winsync set
4467 Edit the plugin settings
4468
4469 dsconf plugin posix-winsync fixup
4470 Run the memberOf fix-up task to correct mismatched member and
4471 uniquemember values for synced users
4472
4473
4475 usage: dsconf instance plugin posix-winsync show [-h]
4476
4477
4479 usage: dsconf instance plugin posix-winsync enable [-h]
4480
4481
4483 usage: dsconf instance plugin posix-winsync disable [-h]
4484
4485
4487 usage: dsconf instance plugin posix-winsync status [-h]
4488
4489
4491 usage: dsconf instance plugin posix-winsync set [-h]
4492 [--create-memberof-task
4493 {true,false}]
4494 [--lower-case-uid
4495 {true,false}]
4496 [--map-member-uid
4497 {true,false}]
4498 [--map-nested-grouping
4499 {true,false}]
4500 [--ms-sfu-schema
4501 {true,false}]
4502
4503
4505 --create-memberof-task {true,false}
4506 Sets whether to run the memberUID fix-up task immediately after
4507 a sync run in order to update group memberships for synced users
4508 (posixWinsyncCreateMemberOfTask)
4509
4510
4511 --lower-case-uid {true,false}
4512 Sets whether to store (and, if necessary, convert) the UID value
4513 in the memberUID attribute in lower case
4514 (posixWinsyncLowerCaseUID)
4515
4516
4517 --map-member-uid {true,false}
4518 Sets whether to map the memberUID attribute in an Active Direc‐
4519 tory group to the uniqueMember attribute in a Directory Server
4520 group (posixWinsyncMapMemberUID)
4521
4522
4523 --map-nested-grouping {true,false}
4524 Sets whether nested groups are updated when memberUID attributes
4525 in an Active Directory POSIX group change
4526 (posixWinsyncMapNestedGrouping)
4527
4528
4529 --ms-sfu-schema {true,false}
4530 Sets whether to use the older Microsoft System Services for Unix 3.0
4531 (msSFU30) schema when syncing POSIX attributes from Active
4532 Directory (posixWinsyncMsSFUSchema)
4533
4534
4536 usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN
4537
4538
4539 DN Set the base DN that contains entries to fix up
4540
4541
4543 -f FILTER, --filter FILTER
4544 Filter for entries to fix up. If omitted, all entries with ob‐
4545 jectclass inetuser/inetadmin/nsmemberof under the specified base
4546 will have their memberOf attribute regenerated.
4547
4548
4550 usage: dsconf instance plugin contentsync [-h]
4551 {show,enable,disable,sta‐
4552 tus,set,add}
4553 ...
4554
4555
4557 dsconf plugin contentsync show
4558 Displays the plugin configuration
4559
4560 dsconf plugin contentsync enable
4561 Enables the plugin
4562
4563 dsconf plugin contentsync disable
4564 Disables the plugin
4565
4566 dsconf plugin contentsync status
4567 Displays the plugin status
4568
4569 dsconf plugin contentsync set
4570 Edit the plugin settings
4571
4572 dsconf plugin contentsync add
4573 Add attributes to the plugin
4574
4575
4577 usage: dsconf instance plugin contentsync show [-h]
4578
4579
4581 usage: dsconf instance plugin contentsync enable [-h]
4582
4583
4585 usage: dsconf instance plugin contentsync disable [-h]
4586
4587
4589 usage: dsconf instance plugin contentsync status [-h]
4590
4591
4593 usage: dsconf instance plugin contentsync set [-h] [--allow-openldap
4594 {on,off}]
4595
4596
4598 --allow-openldap {on,off}
4599 Allows OpenLDAP servers to act as read-only consumers of this
4600 server via syncrepl
4601
4602
4604 usage: dsconf instance plugin contentsync add [-h] [--allow-openldap
4605 {on,off}]
4606
4607
4609 --allow-openldap {on,off}
4610 Allows OpenLDAP servers to act as read-only consumers of this
4611 server via syncrepl
4612
4613
4615 usage: dsconf instance plugin entryuuid [-h]
4616 {show,enable,disable,sta‐
4617 tus,fixup,fixup-status}
4618 ...
4619
4620
4622 dsconf plugin entryuuid show
4623 Displays the plugin configuration
4624
4625 dsconf plugin entryuuid enable
4626 Enables the plugin
4627
4628 dsconf plugin entryuuid disable
4629 Disables the plugin
4630
4631 dsconf plugin entryuuid status
4632 Displays the plugin status
4633
4634 dsconf plugin entryuuid fixup
4635 Run the fix-up task for EntryUUID plugin
4636
4637 dsconf plugin entryuuid fixup-status
4638 Check the status of a fix-up task
4639
4640
4642 usage: dsconf instance plugin entryuuid show [-h]
4643
4644
4646 usage: dsconf instance plugin entryuuid enable [-h]
4647
4648
4650 usage: dsconf instance plugin entryuuid disable [-h]
4651
4652
4654 usage: dsconf instance plugin entryuuid status [-h]
4655
4656
4658 usage: dsconf instance plugin entryuuid fixup [-h] [-f FILTER] [--wait]
4659 DN
4660
4661
4662 DN Base DN that contains entries to fix up
4663
4664
4666 -f FILTER, --filter FILTER
4667 Filter for entries to fix up. If omitted, all entries under the base
4668 DN will have their EntryUUID attribute regenerated if not
4669 present.
4670
4671
4672 --wait Wait for the task to finish; this could take a long time
4673
4674
4676 usage: dsconf instance plugin entryuuid fixup-status [-h] [--dn DN]
4677 [--show-log]
4678 [--watch]
4679
4680
4682 --dn DN
4683 The task entry's DN
4684
4685
4686 --show-log
4687 Display the task log
4688
4689
4690 --watch
4691 Watch the task's status and wait for it to finish
4692
4693
4695 usage: dsconf instance plugin list [-h]
4696
4697
4699 usage: dsconf instance plugin show [-h] [selector]
4700
4701
4702 selector
4703 The plugin to search for
4704
4705
4707 usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled
4708 {on,off}]
4709 [--path PATH] [--initfunc INITFUNC]
4710 [--id ID] [--vendor VENDOR]
4711 [--version VERSION]
4712 [--description DESCRIPTION]
4713 [--depends-on-type DEPENDS_ON_TYPE]
4714 [--depends-on-named DEPENDS_ON_NAMED]
4715 [--precedence PRECEDENCE]
4716 [selector]
4717
4718
4719 selector
4720 The plugin to edit
4721
4722
4724 --type TYPE
4725 The type of plugin.
4726
4727
4728 --enabled {on,off}
4729 Identifies whether or not the plugin is enabled.
4730
4731
4732 --path PATH
4733 The plugin library name (without the library suffix). The server loads this library into its own process, so it should name only a trusted library.
4734
4735
4736 --initfunc INITFUNC
4737 An initialization function of the plugin.
4738
4739
4740 --id ID
4741 The plugin ID.
4742
4743
4744 --vendor VENDOR
4745 The vendor of plugin.
4746
4747
4748 --version VERSION
4749 The version of plugin.
4750
4751
4752 --description DESCRIPTION
4753 The description of the plugin.
4754
4755
4756 --depends-on-type DEPENDS_ON_TYPE
4757 All plug-ins with a type value which matches one of the values
4758 in the following valid range will be started by the server prior
4759 to this plug-in.
4760
4761
4762 --depends-on-named DEPENDS_ON_NAMED
4763 The plug-in name matching one of the following values will be
4764 started by the server prior to this plug-in
4765
4766
4767 --precedence PRECEDENCE
4768 The priority it has in the execution order of plug-ins
4769
4770
4772 usage: dsconf instance pwpolicy [-h] {get,set} ...
4773
4774
4776 dsconf pwpolicy get
4777 Get the global password policy entry
4778
4779 dsconf pwpolicy set
4780 Set an attribute in a global password policy
4781
4782
4784 usage: dsconf instance pwpolicy get [-h]
4785
4786
4788 usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
4789 [--pwdchange PWDCHANGE]
4790 [--pwdmustchange PWDMUSTCHANGE]
4791 [--pwdhistory PWDHISTORY]
4792 [--pwdhistorycount PWDHISTORYCOUNT]
4793 [--pwdadmin PWDADMIN]
4794 [--pwdtrack PWDTRACK]
4795 [--pwdwarning PWDWARNING]
4796 [--pwdexpire PWDEXPIRE]
4797 [--pwdmaxage PWDMAXAGE]
4798 [--pwdminage PWDMINAGE]
4799 [--pwdgracelimit PWDGRACELIMIT]
4800 [--pwdsendexpiring PWDSENDEXPIRING]
4801 [--pwdlockout PWDLOCKOUT]
4802 [--pwdunlock PWDUNLOCK]
4803 [--pwdlockoutduration PWDLOCKOUTDU‐
4804 RATION]
4805 [--pwdmaxfailures PWDMAXFAILURES]
4806 [--pwdresetfailcount PWDRESETFAIL‐
4807 COUNT]
4808 [--pwdchecksyntax PWDCHECKSYNTAX]
4809 [--pwdminlen PWDMINLEN]
4810 [--pwdmindigits PWDMINDIGITS]
4811 [--pwdminalphas PWDMINALPHAS]
4812 [--pwdminuppers PWDMINUPPERS]
4813 [--pwdminlowers PWDMINLOWERS]
4814 [--pwdminspecials PWDMINSPECIALS]
4815 [--pwdmin8bits PWDMIN8BITS]
4816 [--pwdmaxrepeats PWDMAXREPEATS]
4817 [--pwdpalindrome PWDPALINDROME]
4818 [--pwdmaxseq PWDMAXSEQ]
4819 [--pwdmaxseqsets PWDMAXSEQSETS]
4820 [--pwdmaxclasschars PWDMAXCLASS‐
4821 CHARS]
4822 [--pwdmincatagories PWDMIN‐
4823 CATAGORIES]
4824 [--pwdmintokenlen PWDMINTOKENLEN]
4825 [--pwdbadwords PWDBADWORDS]
4826 [--pwduserattrs PWDUSERATTRS]
4827 [--pwddictcheck PWDDICTCHECK]
4828 [--pwddictpath PWDDICTPATH]
4829 [--pwptprmaxuse PWPTPRMAXUSE]
4830 [--pwptprdelayexpireat PWPTPRDELAY‐
4831 EXPIREAT]
4832 [--pwptprdelayvalidfrom PWPTPRDE‐
4833 LAYVALIDFROM]
4834 [--pwdlocal PWDLOCAL]
4835 [--pwdisglobal PWDISGLOBAL]
4836 [--pwdallowhash PWDALLOWHASH]
4837 [--pwpinheritglobal PWPINHERIT‐
4838 GLOBAL]
4839
4840
4842 --pwdscheme PWDSCHEME
4843 The password storage scheme
4844
4845
4846 --pwdchange PWDCHANGE
4847 Allow users to change their passwords
4848
4849
4850 --pwdmustchange PWDMUSTCHANGE
4851 Users must change their password after it was reset by an admin‐
4852 istrator
4853
4854
4855 --pwdhistory PWDHISTORY
4856 To enable password history set this to "on", otherwise "off"
4857
4858
4859 --pwdhistorycount PWDHISTORYCOUNT
4860 The number of passwords to keep in history
4861
4862
4863 --pwdadmin PWDADMIN
4864 The DN of an entry or a group of accounts that can bypass
4865 password policy constraints
4866
4867
4868 --pwdtrack PWDTRACK
4869 Set to "on" to track the time the password was last changed
4870
4871
4872 --pwdwarning PWDWARNING
4873 Send an expiring warning if password expires within this time
4874 (in seconds)
4875
4876
4877 --pwdexpire PWDEXPIRE
4878 Set to "on" to enable password expiration
4879
4880
4881 --pwdmaxage PWDMAXAGE
4882 The password expiration time in seconds
4883
4884
4885 --pwdminage PWDMINAGE
4886 The number of seconds that must pass before a user can change
4887 their password
4888
4889
4890 --pwdgracelimit PWDGRACELIMIT
4891 The number of allowed logins after the password has expired
4892
4893
4894 --pwdsendexpiring PWDSENDEXPIRING
4895 Set to "on" to always send the expiring control regardless of
4896 the warning period
4897
4898
4899 --pwdlockout PWDLOCKOUT
4900 Set to "on" to enable account lockout
4901
4902
4903 --pwdunlock PWDUNLOCK
4904 Set to "on" to allow an account to become unlocked after the
4905 lockout duration
4906
4907
4908 --pwdlockoutduration PWDLOCKOUTDURATION
4909 The number of seconds an account stays locked out
4910
4911
4912 --pwdmaxfailures PWDMAXFAILURES
4913 The maximum number of allowed failed password attempts before
4914 the account gets locked
4915
4916
4917 --pwdresetfailcount PWDRESETFAILCOUNT
4918 The number of seconds to wait before reducing the failed login
4919 count on an account
4920
4921
4922 --pwdchecksyntax PWDCHECKSYNTAX
4923 Set to "on" to enable password syntax checking
4924
4925
4926 --pwdminlen PWDMINLEN
4927 The minimum number of characters required in a password
4928
4929
4930 --pwdmindigits PWDMINDIGITS
4931 The minimum number of digit/number characters in a password
4932
4933
4934 --pwdminalphas PWDMINALPHAS
4935 The minimum number of alpha characters required in a password
4936
4937
4938 --pwdminuppers PWDMINUPPERS
4939 The minimum number of uppercase characters required in a pass‐
4940 word
4941
4942
4943 --pwdminlowers PWDMINLOWERS
4944 The minimum number of lowercase characters required in a pass‐
4945 word
4946
4947
4948 --pwdminspecials PWDMINSPECIALS
4949 The minimum number of special characters required in a password
4950
4951
4952 --pwdmin8bits PWDMIN8BITS
4953 The minimum number of 8-bit characters required in a password
4954
4955
4956 --pwdmaxrepeats PWDMAXREPEATS
4957 The maximum number of times the same character can appear se‐
4958 quentially in the password
4959
4960
4961 --pwdpalindrome PWDPALINDROME
4962 Set to "on" to reject passwords that are palindromes
4963
4964
4965 --pwdmaxseq PWDMAXSEQ
4966 The maximum number of allowed monotonic character sequences in a
4967 password
4968
4969
4970 --pwdmaxseqsets PWDMAXSEQSETS
4971 The maximum number of allowed monotonic character sequences that
4972 can be duplicated in a password
4973
4974
4975 --pwdmaxclasschars PWDMAXCLASSCHARS
4976 The maximum number of sequential characters from the same char‐
4977 acter class that is allowed in a password
4978
4979
4980 --pwdmincatagories PWDMINCATAGORIES
4981 The minimum number of character categories (for example lower case, upper case, digits, special characters) that a password must contain
4982
4983
4984 --pwdmintokenlen PWDMINTOKENLEN
4985 Sets the smallest attribute value length that is used for triv‐
4986 ial/user words checking. This also impacts "--pwduserattrs"
4987
4988
4989 --pwdbadwords PWDBADWORDS
4990 A space-separated list of words that can not be in a password
4991
4992
4993 --pwduserattrs PWDUSERATTRS
4994 A space-separated list of attributes whose values can not appear
4995 in the password (See "--pwdmintokenlen")
4996
4997
4998 --pwddictcheck PWDDICTCHECK
4999 Set to "on" to enforce CrackLib dictionary checking
5000
5001
5002 --pwddictpath PWDDICTPATH
5003 Filesystem path to specific/custom CrackLib dictionary files
5004
5005
5006 --pwptprmaxuse PWPTPRMAXUSE
5007 Number of times a reset password can be used for authentication
5008
5009
5010 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5011 Number of seconds after which a reset password expires
5012
5013
5014 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5015 Number of seconds to wait before a reset password can be used to
5016 authenticate
5017
5018
5019 --pwdlocal PWDLOCAL
5020 Set to "on" to enable fine-grained (subtree/user-level) password
5021 policies
5022
5023
5024 --pwdisglobal PWDISGLOBAL
5025 Set to "on" to enable password policy state attributes to be
5026 replicated
5027
5028
5029 --pwdallowhash PWDALLOWHASH
5030 Set to "on" to allow adding prehashed passwords. The server cannot run password syntax checks on a value that is already hashed.
5031
5032
5033 --pwpinheritglobal PWPINHERITGLOBAL
5034 Set to "on" to allow local policies to inherit the global policy
5035
5036
5038 usage: dsconf instance localpwp [-h]
5039 {list,get,set,remove,adduser,addsub‐
5040 tree} ...
5041
5042
5044 dsconf localpwp list
5045 List all the local password policies
5046
5047 dsconf localpwp get
5048 Get local password policy entry
5049
5050 dsconf localpwp set
5051 Set an attribute in a local password policy
5052
5053 dsconf localpwp remove
5054 Remove a local password policy
5055
5056 dsconf localpwp adduser
5057 Add new user password policy
5058
5059 dsconf localpwp addsubtree
5060 Add new subtree password policy
5061
5062
5064 usage: dsconf instance localpwp list [-h] [DN]
5065
5066
5067 DN Suffix to search for local password policies
5068
5069
5071 usage: dsconf instance localpwp get [-h] DN
5072
5073
5074 DN Get the local policy for this entry DN
5075
5076
5078 usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
5079 [--pwdchange PWDCHANGE]
5080 [--pwdmustchange PWDMUSTCHANGE]
5081 [--pwdhistory PWDHISTORY]
5082 [--pwdhistorycount PWDHISTORYCOUNT]
5083 [--pwdadmin PWDADMIN]
5084 [--pwdtrack PWDTRACK]
5085 [--pwdwarning PWDWARNING]
5086 [--pwdexpire PWDEXPIRE]
5087 [--pwdmaxage PWDMAXAGE]
5088 [--pwdminage PWDMINAGE]
5089 [--pwdgracelimit PWDGRACELIMIT]
5090 [--pwdsendexpiring PWDSENDEXPIRING]
5091 [--pwdlockout PWDLOCKOUT]
5092 [--pwdunlock PWDUNLOCK]
5093 [--pwdlockoutduration PWDLOCKOUTDU‐
5094 RATION]
5095 [--pwdmaxfailures PWDMAXFAILURES]
5096 [--pwdresetfailcount PWDRESETFAIL‐
5097 COUNT]
5098 [--pwdchecksyntax PWDCHECKSYNTAX]
5099 [--pwdminlen PWDMINLEN]
5100 [--pwdmindigits PWDMINDIGITS]
5101 [--pwdminalphas PWDMINALPHAS]
5102 [--pwdminuppers PWDMINUPPERS]
5103 [--pwdminlowers PWDMINLOWERS]
5104 [--pwdminspecials PWDMINSPECIALS]
5105 [--pwdmin8bits PWDMIN8BITS]
5106 [--pwdmaxrepeats PWDMAXREPEATS]
5107 [--pwdpalindrome PWDPALINDROME]
5108 [--pwdmaxseq PWDMAXSEQ]
5109 [--pwdmaxseqsets PWDMAXSEQSETS]
5110 [--pwdmaxclasschars PWDMAXCLASS‐
5111 CHARS]
5112 [--pwdmincatagories PWDMIN‐
5113 CATAGORIES]
5114 [--pwdmintokenlen PWDMINTOKENLEN]
5115 [--pwdbadwords PWDBADWORDS]
5116 [--pwduserattrs PWDUSERATTRS]
5117 [--pwddictcheck PWDDICTCHECK]
5118 [--pwddictpath PWDDICTPATH]
5119 [--pwptprmaxuse PWPTPRMAXUSE]
5120 [--pwptprdelayexpireat PWPTPRDELAY‐
5121 EXPIREAT]
5122 [--pwptprdelayvalidfrom PWPTPRDE‐
5123 LAYVALIDFROM]
5124 DN
5125
5126
5127 DN Set the local policy for this entry DN
5128
5129
5131 --pwdscheme PWDSCHEME
5132 The password storage scheme
5133
5134
5135 --pwdchange PWDCHANGE
5136 Allow users to change their passwords
5137
5138
5139 --pwdmustchange PWDMUSTCHANGE
5140 Users must change their password after it was reset by an admin‐
5141 istrator
5142
5143
5144 --pwdhistory PWDHISTORY
5145 To enable password history set this to "on", otherwise "off"
5146
5147
5148 --pwdhistorycount PWDHISTORYCOUNT
5149 The number of passwords to keep in history
5150
5151
5152 --pwdadmin PWDADMIN
5153 The DN of an entry or a group of accounts that can bypass
5154 password policy constraints
5155
5156
5157 --pwdtrack PWDTRACK
5158 Set to "on" to track the time the password was last changed
5159
5160
5161 --pwdwarning PWDWARNING
5162 Send an expiring warning if password expires within this time
5163 (in seconds)
5164
5165
5166 --pwdexpire PWDEXPIRE
5167 Set to "on" to enable password expiration
5168
5169
5170 --pwdmaxage PWDMAXAGE
5171 The password expiration time in seconds
5172
5173
5174 --pwdminage PWDMINAGE
5175 The number of seconds that must pass before a user can change
5176 their password
5177
5178
5179 --pwdgracelimit PWDGRACELIMIT
5180 The number of allowed logins after the password has expired
5181
5182
5183 --pwdsendexpiring PWDSENDEXPIRING
5184 Set to "on" to always send the expiring control regardless of
5185 the warning period
5186
5187
5188 --pwdlockout PWDLOCKOUT
5189 Set to "on" to enable account lockout
5190
5191
5192 --pwdunlock PWDUNLOCK
5193 Set to "on" to allow an account to become unlocked after the
5194 lockout duration
5195
5196
5197 --pwdlockoutduration PWDLOCKOUTDURATION
5198 The number of seconds an account stays locked out
5199
5200
5201 --pwdmaxfailures PWDMAXFAILURES
5202 The maximum number of allowed failed password attempts before
5203 the account gets locked
5204
5205
5206 --pwdresetfailcount PWDRESETFAILCOUNT
5207 The number of seconds to wait before reducing the failed login
5208 count on an account
5209
5210
5211 --pwdchecksyntax PWDCHECKSYNTAX
5212 Set to "on" to enable password syntax checking
5213
5214
5215 --pwdminlen PWDMINLEN
5216 The minimum number of characters required in a password
5217
5218
5219 --pwdmindigits PWDMINDIGITS
5220 The minimum number of digit/number characters in a password
5221
5222
5223 --pwdminalphas PWDMINALPHAS
5224 The minimum number of alpha characters required in a password
5225
5226
5227 --pwdminuppers PWDMINUPPERS
5228 The minimum number of uppercase characters required in a pass‐
5229 word
5230
5231
5232 --pwdminlowers PWDMINLOWERS
5233 The minimum number of lowercase characters required in a pass‐
5234 word
5235
5236
5237 --pwdminspecials PWDMINSPECIALS
5238 The minimum number of special characters required in a password
5239
5240
5241 --pwdmin8bits PWDMIN8BITS
5242 The minimum number of 8-bit characters required in a password
5243
5244
5245 --pwdmaxrepeats PWDMAXREPEATS
5246 The maximum number of times the same character can appear se‐
5247 quentially in the password
5248
5249
5250 --pwdpalindrome PWDPALINDROME
5251 Set to "on" to reject passwords that are palindromes
5252
5253
5254 --pwdmaxseq PWDMAXSEQ
5255 The maximum number of allowed monotonic character sequences in a
5256 password
5257
5258
5259 --pwdmaxseqsets PWDMAXSEQSETS
5260 The maximum number of allowed monotonic character sequences that
5261 can be duplicated in a password
5262
5263
5264 --pwdmaxclasschars PWDMAXCLASSCHARS
5265 The maximum number of sequential characters from the same char‐
5266 acter class that is allowed in a password
5267
5268
5269 --pwdmincatagories PWDMINCATAGORIES
5270 The minimum number of character categories (for example lower case, upper case, digits, special characters) that a password must contain
5271
5272
5273 --pwdmintokenlen PWDMINTOKENLEN
5274 Sets the smallest attribute value length that is used for triv‐
5275 ial/user words checking. This also impacts "--pwduserattrs"
5276
5277
5278 --pwdbadwords PWDBADWORDS
5279 A space-separated list of words that can not be in a password
5280
5281
5282 --pwduserattrs PWDUSERATTRS
5283 A space-separated list of attributes whose values can not appear
5284 in the password (See "--pwdmintokenlen")
5285
5286
5287 --pwddictcheck PWDDICTCHECK
5288 Set to "on" to enforce CrackLib dictionary checking
5289
5290
5291 --pwddictpath PWDDICTPATH
5292 Filesystem path to specific/custom CrackLib dictionary files
5293
5294
5295 --pwptprmaxuse PWPTPRMAXUSE
5296 Number of times a reset password can be used for authentication
5297
5298
5299 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5300 Number of seconds after which a reset password expires
5301
5302
5303 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5304 Number of seconds to wait before using a reset password to au‐
5305 thenticate
5306
5307
5309 usage: dsconf instance localpwp remove [-h] DN
5310
5311
5312 DN Remove local policy for this entry DN
5313
5314
5316 usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
5317 [--pwdchange PWDCHANGE]
5318 [--pwdmustchange PWDMUSTCHANGE]
5319 [--pwdhistory PWDHISTORY]
5320 [--pwdhistorycount PWDHISTO‐
5321 RYCOUNT]
5322 [--pwdadmin PWDADMIN]
5323 [--pwdtrack PWDTRACK]
5324 [--pwdwarning PWDWARNING]
5325 [--pwdexpire PWDEXPIRE]
5326 [--pwdmaxage PWDMAXAGE]
5327 [--pwdminage PWDMINAGE]
5328 [--pwdgracelimit PWDGRACELIMIT]
5329 [--pwdsendexpiring PWDSENDEX‐
5330 PIRING]
5331 [--pwdlockout PWDLOCKOUT]
5332 [--pwdunlock PWDUNLOCK]
5333 [--pwdlockoutduration PWDLOCK‐
5334 OUTDURATION]
5335 [--pwdmaxfailures PWDMAXFAIL‐
5336 URES]
5337 [--pwdresetfailcount PWDRESET‐
5338 FAILCOUNT]
5339 [--pwdchecksyntax PWDCHECKSYN‐
5340 TAX]
5341 [--pwdminlen PWDMINLEN]
5342 [--pwdmindigits PWDMINDIGITS]
5343 [--pwdminalphas PWDMINALPHAS]
5344 [--pwdminuppers PWDMINUPPERS]
5345 [--pwdminlowers PWDMINLOWERS]
5346 [--pwdminspecials PWDMINSPE‐
5347 CIALS]
5348 [--pwdmin8bits PWDMIN8BITS]
5349 [--pwdmaxrepeats PWDMAXREPEATS]
5350 [--pwdpalindrome PWDPALINDROME]
5351 [--pwdmaxseq PWDMAXSEQ]
5352 [--pwdmaxseqsets PWDMAXSEQSETS]
5353 [--pwdmaxclasschars PWDMAX‐
5354 CLASSCHARS]
5355 [--pwdmincatagories PWDMIN‐
5356 CATAGORIES]
5357 [--pwdmintokenlen PWDMINTO‐
5358 KENLEN]
5359 [--pwdbadwords PWDBADWORDS]
5360 [--pwduserattrs PWDUSERATTRS]
5361 [--pwddictcheck PWDDICTCHECK]
5362 [--pwddictpath PWDDICTPATH]
5363 [--pwptprmaxuse PWPTPRMAXUSE]
5364 [--pwptprdelayexpireat PWPT‐
5365 PRDELAYEXPIREAT]
5366 [--pwptprdelayvalidfrom PWPT‐
5367 PRDELAYVALIDFROM]
5368 DN
5369
5370
5371 DN Add/replace the local password policy for this entry DN
5372
5373
5375 --pwdscheme PWDSCHEME
5376 The password storage scheme
5377
5378
5379 --pwdchange PWDCHANGE
5380 Allow users to change their passwords
5381
5382
5383 --pwdmustchange PWDMUSTCHANGE
5384 Users must change their password after it was reset by an admin‐
5385 istrator
5386
5387
5388 --pwdhistory PWDHISTORY
5389 To enable password history set this to "on", otherwise "off"
5390
5391
5392 --pwdhistorycount PWDHISTORYCOUNT
5393 The number of passwords to keep in history
5394
5395
5396 --pwdadmin PWDADMIN
5397 The DN of an entry or a group of accounts that can bypass pass‐
5398 word policy constraints
5399
5400
5401 --pwdtrack PWDTRACK
5402 Set to "on" to track the time the password was last changed
5403
5404
5405 --pwdwarning PWDWARNING
5406 Send an expiring warning if password expires within this time
5407 (in seconds)
5408
5409
5410 --pwdexpire PWDEXPIRE
5411 Set to "on" to enable password expiration
5412
5413
5414 --pwdmaxage PWDMAXAGE
5415 The password expiration time in seconds
5416
5417
5418 --pwdminage PWDMINAGE
5419 The number of seconds that must pass before a user can change
5420 their password
5421
5422
5423 --pwdgracelimit PWDGRACELIMIT
5424 The number of allowed logins after the password has expired
5425
5426
5427 --pwdsendexpiring PWDSENDEXPIRING
5428 Set to "on" to always send the expiring control regardless of
5429 the warning period
5430
5431
5432 --pwdlockout PWDLOCKOUT
5433 Set to "on" to enable account lockout
5434
5435
5436 --pwdunlock PWDUNLOCK
5437 Set to "on" to allow an account to become unlocked after the
5438 lockout duration
5439
5440
5441 --pwdlockoutduration PWDLOCKOUTDURATION
5442 The number of seconds an account stays locked out
5443
5444
5445 --pwdmaxfailures PWDMAXFAILURES
5446 The maximum number of allowed failed password attempts before
5447 the account gets locked
5448
5449
5450 --pwdresetfailcount PWDRESETFAILCOUNT
5451 The number of seconds to wait before reducing the failed login
5452 count on an account
5453
5454
5455 --pwdchecksyntax PWDCHECKSYNTAX
5456 Set to "on" to enable password syntax checking
5457
5458
5459 --pwdminlen PWDMINLEN
5460 The minimum number of characters required in a password
5461
5462
5463 --pwdmindigits PWDMINDIGITS
5464 The minimum number of digit/number characters in a password
5465
5466
5467 --pwdminalphas PWDMINALPHAS
5468 The minimum number of alpha characters required in a password
5469
5470
5471 --pwdminuppers PWDMINUPPERS
5472 The minimum number of uppercase characters required in a pass‐
5473 word
5474
5475
5476 --pwdminlowers PWDMINLOWERS
5477 The minimum number of lowercase characters required in a pass‐
5478 word
5479
5480
5481 --pwdminspecials PWDMINSPECIALS
5482 The minimum number of special characters required in a password
5483
5484
5485 --pwdmin8bits PWDMIN8BITS
5486 The minimum number of 8-bit characters required in a password
5487
5488
5489 --pwdmaxrepeats PWDMAXREPEATS
5490 The maximum number of times the same character can appear se‐
5491 quentially in the password
5492
5493
5494 --pwdpalindrome PWDPALINDROME
5495 Set to "on" to reject passwords that are palindromes
5496
5497
5498 --pwdmaxseq PWDMAXSEQ
5499 The maximum number of allowed monotonic character sequences in a
5500 password
5501
5502
5503 --pwdmaxseqsets PWDMAXSEQSETS
5504 The maximum number of allowed monotonic character sequences that
5505 can be duplicated in a password
5506
5507
5508 --pwdmaxclasschars PWDMAXCLASSCHARS
5509 The maximum number of sequential characters from the same char‐
5510 acter class that is allowed in a password
5511
5512
5513 --pwdmincatagories PWDMINCATAGORIES
5514 The minimum number of syntax category checks
5515
5516
5517 --pwdmintokenlen PWDMINTOKENLEN
5518 Sets the smallest attribute value length that is used for triv‐
5519 ial/user words checking. This also impacts "--pwduserattrs"
5520
5521
5522 --pwdbadwords PWDBADWORDS
5523 A space-separated list of words that can not be in a password
5524
5525
5526 --pwduserattrs PWDUSERATTRS
5527 A space-separated list of attributes whose values can not appear
5528 in the password (See "--pwdmintokenlen")
5529
5530
5531 --pwddictcheck PWDDICTCHECK
5532 Set to "on" to enforce CrackLib dictionary checking
5533
5534
5535 --pwddictpath PWDDICTPATH
5536 Filesystem path to specific/custom CrackLib dictionary files
5537
5538
5539 --pwptprmaxuse PWPTPRMAXUSE
5540 Number of times a reset password can be used for authentication
5541
5542
5543 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5544 Number of seconds after which a reset password expires
5545
5546
5547 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5548 Number of seconds to wait before using a reset password to au‐
5549 thenticate
5550
5551
5553 usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
5554 [--pwdchange PWDCHANGE]
5555 [--pwdmustchange PWD‐
5556 MUSTCHANGE]
5557 [--pwdhistory PWDHISTORY]
5558 [--pwdhistorycount PWDHISTO‐
5559 RYCOUNT]
5560 [--pwdadmin PWDADMIN]
5561 [--pwdtrack PWDTRACK]
5562 [--pwdwarning PWDWARNING]
5563 [--pwdexpire PWDEXPIRE]
5564 [--pwdmaxage PWDMAXAGE]
5565 [--pwdminage PWDMINAGE]
5566 [--pwdgracelimit PWDGRACE‐
5567 LIMIT]
5568 [--pwdsendexpiring PWDSEND‐
5569 EXPIRING]
5570 [--pwdlockout PWDLOCKOUT]
5571 [--pwdunlock PWDUNLOCK]
5572 [--pwdlockoutduration PWD‐
5573 LOCKOUTDURATION]
5574 [--pwdmaxfailures PWDMAX‐
5575 FAILURES]
5576 [--pwdresetfailcount PW‐
5577 DRESETFAILCOUNT]
5578 [--pwdchecksyntax PWD‐
5579 CHECKSYNTAX]
5580 [--pwdminlen PWDMINLEN]
5581 [--pwdmindigits PWDMINDIG‐
5582 ITS]
5583 [--pwdminalphas PWDMINAL‐
5584 PHAS]
5585 [--pwdminuppers PWDMINUP‐
5586 PERS]
5587 [--pwdminlowers PWDMINLOW‐
5588 ERS]
5589 [--pwdminspecials PWDMINSPE‐
5590 CIALS]
5591 [--pwdmin8bits PWDMIN8BITS]
5592 [--pwdmaxrepeats PWDMAXRE‐
5593 PEATS]
5594 [--pwdpalindrome PWDPALIN‐
5595 DROME]
5596 [--pwdmaxseq PWDMAXSEQ]
5597 [--pwdmaxseqsets PWDMAXSE‐
5598 QSETS]
5599 [--pwdmaxclasschars PWDMAX‐
5600 CLASSCHARS]
5601 [--pwdmincatagories PWDMIN‐
5602 CATAGORIES]
5603 [--pwdmintokenlen PWDMINTO‐
5604 KENLEN]
5605 [--pwdbadwords PWDBADWORDS]
5606 [--pwduserattrs PWDUSERAT‐
5607 TRS]
5608 [--pwddictcheck PWD‐
5609 DICTCHECK]
5610 [--pwddictpath PWDDICTPATH]
5611 [--pwptprmaxuse PWPT‐
5612 PRMAXUSE]
5613 [--pwptprdelayexpireat PWPT‐
5614 PRDELAYEXPIREAT]
5615 [--pwptprdelayvalidfrom PW‐
5616 PTPRDELAYVALIDFROM]
5617 DN
5618
5619
5620 DN Add/replace the subtree policy for this entry DN
5621
5622
5624 --pwdscheme PWDSCHEME
5625 The password storage scheme
5626
5627
5628 --pwdchange PWDCHANGE
5629 Allow users to change their passwords
5630
5631
5632 --pwdmustchange PWDMUSTCHANGE
5633 Users must change their password after it was reset by an admin‐
5634 istrator
5635
5636
5637 --pwdhistory PWDHISTORY
5638 To enable password history set this to "on", otherwise "off"
5639
5640
5641 --pwdhistorycount PWDHISTORYCOUNT
5642 The number of passwords to keep in history
5643
5644
5645 --pwdadmin PWDADMIN
5646 The DN of an entry or a group of accounts that can bypass pass‐
5647 word policy constraints
5648
5649
5650 --pwdtrack PWDTRACK
5651 Set to "on" to track the time the password was last changed
5652
5653
5654 --pwdwarning PWDWARNING
5655 Send an expiring warning if password expires within this time
5656 (in seconds)
5657
5658
5659 --pwdexpire PWDEXPIRE
5660 Set to "on" to enable password expiration
5661
5662
5663 --pwdmaxage PWDMAXAGE
5664 The password expiration time in seconds
5665
5666
5667 --pwdminage PWDMINAGE
5668 The number of seconds that must pass before a user can change
5669 their password
5670
5671
5672 --pwdgracelimit PWDGRACELIMIT
5673 The number of allowed logins after the password has expired
5674
5675
5676 --pwdsendexpiring PWDSENDEXPIRING
5677 Set to "on" to always send the expiring control regardless of
5678 the warning period
5679
5680
5681 --pwdlockout PWDLOCKOUT
5682 Set to "on" to enable account lockout
5683
5684
5685 --pwdunlock PWDUNLOCK
5686 Set to "on" to allow an account to become unlocked after the
5687 lockout duration
5688
5689
5690 --pwdlockoutduration PWDLOCKOUTDURATION
5691 The number of seconds an account stays locked out
5692
5693
5694 --pwdmaxfailures PWDMAXFAILURES
5695 The maximum number of allowed failed password attempts before
5696 the account gets locked
5697
5698
5699 --pwdresetfailcount PWDRESETFAILCOUNT
5700 The number of seconds to wait before reducing the failed login
5701 count on an account
5702
5703
5704 --pwdchecksyntax PWDCHECKSYNTAX
5705 Set to "on" to enable password syntax checking
5706
5707
5708 --pwdminlen PWDMINLEN
5709 The minimum number of characters required in a password
5710
5711
5712 --pwdmindigits PWDMINDIGITS
5713 The minimum number of digit/number characters in a password
5714
5715
5716 --pwdminalphas PWDMINALPHAS
5717 The minimum number of alpha characters required in a password
5718
5719
5720 --pwdminuppers PWDMINUPPERS
5721 The minimum number of uppercase characters required in a pass‐
5722 word
5723
5724
5725 --pwdminlowers PWDMINLOWERS
5726 The minimum number of lowercase characters required in a pass‐
5727 word
5728
5729
5730 --pwdminspecials PWDMINSPECIALS
5731 The minimum number of special characters required in a password
5732
5733
5734 --pwdmin8bits PWDMIN8BITS
5735 The minimum number of 8-bit characters required in a password
5736
5737
5738 --pwdmaxrepeats PWDMAXREPEATS
5739 The maximum number of times the same character can appear se‐
5740 quentially in the password
5741
5742
5743 --pwdpalindrome PWDPALINDROME
5744 Set to "on" to reject passwords that are palindromes
5745
5746
5747 --pwdmaxseq PWDMAXSEQ
5748 The maximum number of allowed monotonic character sequences in a
5749 password
5750
5751
5752 --pwdmaxseqsets PWDMAXSEQSETS
5753 The maximum number of allowed monotonic character sequences that
5754 can be duplicated in a password
5755
5756
5757 --pwdmaxclasschars PWDMAXCLASSCHARS
5758 The maximum number of sequential characters from the same char‐
5759 acter class that is allowed in a password
5760
5761
5762 --pwdmincatagories PWDMINCATAGORIES
5763 The minimum number of syntax category checks
5764
5765
5766 --pwdmintokenlen PWDMINTOKENLEN
5767 Sets the smallest attribute value length that is used for triv‐
5768 ial/user words checking. This also impacts "--pwduserattrs"
5769
5770
5771 --pwdbadwords PWDBADWORDS
5772 A space-separated list of words that can not be in a password
5773
5774
5775 --pwduserattrs PWDUSERATTRS
5776 A space-separated list of attributes whose values can not appear
5777 in the password (See "--pwdmintokenlen")
5778
5779
5780 --pwddictcheck PWDDICTCHECK
5781 Set to "on" to enforce CrackLib dictionary checking
5782
5783
5784 --pwddictpath PWDDICTPATH
5785 Filesystem path to specific/custom CrackLib dictionary files
5786
5787
5788 --pwptprmaxuse PWPTPRMAXUSE
5789 Number of times a reset password can be used for authentication
5790
5791
5792 --pwptprdelayexpireat PWPTPRDELAYEXPIREAT
5793 Number of seconds after which a reset password expires
5794
5795
5796 --pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM
5797 Number of seconds to wait before using a reset password to au‐
5798 thenticate
5799
5800
5802 usage: dsconf instance replication [-h]
5803 {enable,disable,get-ruv,list,sta‐
5804 tus,winsync-status,promote,create-manager,delete-manager,de‐
5805 mote,get,set-changelog,get-changelog,export-changelog,im‐
5806 port-changelog,set,monitor}
5807 ...
5808
5809
5811 dsconf replication enable
5812 Enable replication for a suffix
5813
5814 dsconf replication disable
5815 Disable replication for a suffix
5816
5817 dsconf replication get-ruv
5818 Display the database RUV entry for a suffix
5819
5820 dsconf replication list
5821 Lists all the replicated suffixes
5822
5823 dsconf replication status
5824 Display the current status of all the replication agreements
5825
5826 dsconf replication winsync-status
5827 Display the current status of all the replication agreements
5828
5829 dsconf replication promote
5830 Promote a replica to a hub or supplier
5831
5832 dsconf replication create-manager
5833 Create a replication manager entry
5834
5835 dsconf replication delete-manager
5836 Delete a replication manager entry
5837
5838 dsconf replication demote
5839 Demote replica to a hub or consumer
5840
5841 dsconf replication get
5842 Display the replication configuration
5843
5844 dsconf replication set-changelog
5845 Set replication changelog attributes
5846
5847 dsconf replication get-changelog
5848 Display replication changelog attributes
5849
5850 dsconf replication export-changelog
5851 Export the Directory Server replication changelog to an LDIF
5852 file
5853
5854 dsconf replication import-changelog
5855 Restore/import Directory Server replication change log from an
5856 LDIF file. This is typically used when managing changelog en‐
5857 cryption
5858
5859 dsconf replication set
5860 Set an attribute in the replication configuration
5861
5862 dsconf replication monitor
5863 Display the full replication topology report
5864
5865
5867 usage: dsconf instance replication enable [-h] --suffix SUFFIX --role
5868 ROLE
5869 [--replica-id REPLICA_ID]
5870 [--bind-group-dn
5871 BIND_GROUP_DN]
5872 [--bind-dn BIND_DN]
5873 [--bind-passwd BIND_PASSWD]
5874
5875
5877 --suffix SUFFIX
5878 Sets the DN of the suffix to be enabled for replication
5879
5880
5881 --role ROLE
5882 Sets the replication role: "supplier", "hub", or "consumer"
5883
5884
5885 --replica-id REPLICA_ID
5886 Sets the replication identifier for a "supplier". Values range
5887 from 1 - 65534
5888
5889
5890 --bind-group-dn BIND_GROUP_DN
5891 Sets a group entry DN containing members that are "bind/sup‐
5892 plier" DNs
5893
5894
5895 --bind-dn BIND_DN
5896 Sets the bind or supplier DN that can make replication updates
5897
5898
5899 --bind-passwd BIND_PASSWD
5900 Sets the password for replication manager (--bind-dn). This will
5901 create the manager entry if a value is set
5902
5903
5905 usage: dsconf instance replication disable [-h] --suffix SUFFIX
5906
5907
5909 --suffix SUFFIX
5910 Sets the DN of the suffix to have replication disabled
5911
5912
5914 usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
5915
5916
5918 --suffix SUFFIX
5919 Sets the DN of the replicated suffix
5920
5921
5923 usage: dsconf instance replication list [-h]
5924
5925
5927 usage: dsconf instance replication status [-h] --suffix SUFFIX
5928 [--bind-dn BIND_DN]
5929 [--bind-passwd BIND_PASSWD]
5930
5931
5933 --suffix SUFFIX
5934 Sets the DN of the replication suffix
5935
5936
5937 --bind-dn BIND_DN
5938 Sets the DN to use to authenticate to the consumer
5939
5940
5941 --bind-passwd BIND_PASSWD
5942 Sets the password for the bind DN
5943
5944
5946 usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
5947 [--bind-dn BIND_DN]
5948 [--bind-passwd
5949 BIND_PASSWD]
5950
5951
5953 --suffix SUFFIX
5954 Sets the DN of the replication suffix
5955
5956
5957 --bind-dn BIND_DN
5958 Sets the DN to use to authenticate to the consumer
5959
5960
5961 --bind-passwd BIND_PASSWD
5962 Sets the password of the bind DN
5963
5964
5966 usage: dsconf instance replication promote [-h] --suffix SUFFIX --new‐
5967 role
5968 NEWROLE [--replica-id
5969 REPLICA_ID]
5970 [--bind-group-dn
5971 BIND_GROUP_DN]
5972 [--bind-dn BIND_DN]
5973
5974
5976 --suffix SUFFIX
5977 Sets the DN of the replication suffix to promote
5978
5979
5980 --newrole NEWROLE
5981 Sets the new replica role to "hub" or "supplier"
5982
5983
5984 --replica-id REPLICA_ID
5985 Sets the replication identifier for a "supplier". Values range
5986 from 1 - 65534
5987
5988
5989 --bind-group-dn BIND_GROUP_DN
5990 Sets a group entry DN containing members that are "bind/sup‐
5991 plier" DNs
5992
5993
5994 --bind-dn BIND_DN
5995 Sets the bind or supplier DN that can make replication updates
5996
5997
5999 usage: dsconf instance replication create-manager [-h] [--name NAME]
6000 [--passwd PASSWD]
6001 [--suffix SUFFIX]
6002
6003
6005 --name NAME
6006 Sets the name of the new replication manager entry. For example,
6007 if the name is "replication manager" then the new manager en‐
6008 try's DN would be "cn=replication manager,cn=config".
6009
6010
6011 --passwd PASSWD
6012 Sets the password for replication manager. If not provided, you
6013 will be prompted for the password. Using the prompt keeps the password out of the shell history and the process list
6014
6015
6016 --suffix SUFFIX
6017 The DN of the replication suffix whose replication configuration
6018 you want to add this new manager to (OPTIONAL)
6019
6020
6022 usage: dsconf instance replication delete-manager [-h] [--name NAME]
6023 [--suffix SUFFIX]
6024
6025
6027 --name NAME
6028 Sets the name of the replication manager entry under cn=config:
6029 "cn=NAME,cn=config"
6030
6031
6032 --suffix SUFFIX
6033 Sets the DN of the replication suffix whose replication configu‐
6034 ration you want to remove this manager from (OPTIONAL)
6035
6036
6038 usage: dsconf instance replication demote [-h] --suffix SUFFIX --new‐
6039 role
6040 NEWROLE
6041
6042
6044 --suffix SUFFIX
6045 Sets the DN of the replication suffix
6046
6047
6048 --newrole NEWROLE
6049 Sets the new replication role to "hub" or "consumer"
6050
6051
6053 usage: dsconf instance replication get [-h] --suffix SUFFIX
6054
6055
6057 --suffix SUFFIX
6058 Sets the suffix DN for the replication configuration to display
6059
6060
6062 usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
6063 [--max-entries MAX_EN‐
6064 TRIES]
6065 [--max-age MAX_AGE]
6066 [--trim-interval
6067 TRIM_INTERVAL]
6068 [--encrypt]
6069 [--disable-encrypt]
6070
6071
6073 --suffix SUFFIX
6074 Sets the suffix that uses the changelog
6075
6076
6077 --max-entries MAX_ENTRIES
6078 Sets the maximum number of entries to get in the replication
6079 changelog
6080
6081
6082 --max-age MAX_AGE
6083 Set the maximum age of a replication changelog entry
6084
6085
6086 --trim-interval TRIM_INTERVAL
6087 Sets the interval to check if the replication changelog can be
6088 trimmed
6089
6090
6091 --encrypt
6092 Sets the replication changelog to use encryption. You must ex‐
6093 port and import the changelog after setting this.
6094
6095
6096 --disable-encrypt
6097 Sets the replication changelog to not use encryption. You must
6098 export and import the changelog after setting this.
6099
6100
6102 usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
6103
6104
6106 --suffix SUFFIX
6107 Sets the suffix that uses the changelog
6108
6109
6111 usage: dsconf instance replication export-changelog [-h] {to-ldif,de‐
6112 fault} ...
6113
6114
6116 dsconf replication export-changelog to-ldif
6117 Sets the LDIF file name. This is typically used for setting up
6118 changelog encryption
6119
6120 dsconf replication export-changelog default
6121 Export the replication changelog to the server's default LDIF
6122 directory
6123
6124
6126 usage: dsconf instance replication export-changelog to-ldif
6127 [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r
6128 REPLICA_ROOT
6129
6130
6132 -c, --csn-only
6133 Exports and interprets CSN only. This option can be
6134 used with or without -i option. The LDIF file that is generated
6135 can not be imported and is only used for debugging purposes.
6136
6137
6138 -d, --decode
6139 Decodes the base64 values in each changelog entry. The LDIF file
6140 that is generated can not be imported and is only used for de‐
6141 bugging purposes.
6142
6143
6144 -l, --preserve-ldif-done
6145 Preserves generated LDIF "files.done" files in changelog direc‐
6146 tory.
6147
6148
6149 -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
6150 Decodes changes in an LDIF file. Use this option if you already
6151 have a changelog LDIF file, but the changes in that file are en‐
6152 coded.
6153
6154
6155 -o OUTPUT_FILE, --output-file OUTPUT_FILE
6156 Sets the path name for the final result
6157
6158
6159 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6160 Specifies the replica root whose changelog you want to export
6161
6162
6164 usage: dsconf instance replication export-changelog default
6165 [-h] -r REPLICA_ROOT
6166
6167
6169 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6170 Specifies the replica root whose changelog you want to export
6171
6172
6174 usage: dsconf instance replication import-changelog [-h]
6175 {from-ldif,default}
6176 ...
6177
6178
6180 dsconf replication import-changelog from-ldif
6181 Restore/import a specific single LDIF file
6182
6183 dsconf replication import-changelog default
6184 Import the default changelog LDIF file created by the server
6185
6186
6188 usage: dsconf instance replication import-changelog from-ldif
6189 [-h] -r REPLICA_ROOT LDIF_PATH
6190
6191
6192 LDIF_PATH
6193 The path of the changelog LDIF file
6194
6195
6197 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6198 Specifies the replica root whose changelog you want to import
6199
6200
6202 usage: dsconf instance replication import-changelog default
6203 [-h] -r REPLICA_ROOT
6204
6205
6207 -r REPLICA_ROOT, --replica-root REPLICA_ROOT
6208 Specifies the replica root whose changelog you want to import
6209
6210
6212 usage: dsconf instance replication set [-h] --suffix SUFFIX
6213 [--repl-add-bind-dn
6214 REPL_ADD_BIND_DN]
6215 [--repl-del-bind-dn
6216 REPL_DEL_BIND_DN]
6217 [--repl-add-ref REPL_ADD_REF]
6218 [--repl-del-ref REPL_DEL_REF]
6219 [--repl-purge-delay
6220 REPL_PURGE_DELAY]
6221 [--repl-tombstone-purge-interval
6222 REPL_TOMBSTONE_PURGE_INTERVAL]
6223 [--repl-fast-tombstone-purging
6224 REPL_FAST_TOMBSTONE_PURGING]
6225 [--repl-bind-group
6226 REPL_BIND_GROUP]
6227 [--repl-bind-group-interval
6228 REPL_BIND_GROUP_INTERVAL]
6229 [--repl-protocol-timeout
6230 REPL_PROTOCOL_TIMEOUT]
6231 [--repl-backoff-max REPL_BACK‐
6232 OFF_MAX]
6233 [--repl-backoff-min REPL_BACK‐
6234 OFF_MIN]
6235 [--repl-release-timeout REPL_RE‐
6236 LEASE_TIMEOUT]
6237 [--repl-keepalive-update-inter‐
6238 val REPL_KEEPALIVE_UPDATE_INTERVAL]
6239
6240
6242 --suffix SUFFIX
6243 Sets the DN of the replication suffix
6244
6245
6246 --repl-add-bind-dn REPL_ADD_BIND_DN
6247 Adds a bind (supplier) DN
6248
6249
6250 --repl-del-bind-dn REPL_DEL_BIND_DN
6251 Removes a bind (supplier) DN
6252
6253
6254 --repl-add-ref REPL_ADD_REF
6255 Adds a replication referral (for consumers only)
6256
6257
6258 --repl-del-ref REPL_DEL_REF
6259 Removes a replication referral (for consumers only)
6260
6261
6262 --repl-purge-delay REPL_PURGE_DELAY
6263 Sets the replication purge delay
6264
6265
6266 --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
6267 Sets the interval in seconds to check for tombstones that can be
6268 purged
6269
6270
6271 --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
6272 Enables or disables improving the tombstone purging performance
6273
6274
6275 --repl-bind-group REPL_BIND_GROUP
6276 Sets a group entry DN containing members that are "bind/sup‐
6277 plier" DNs
6278
6279
6280 --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
6281 Sets an interval in seconds to check if the bind group has been
6282 updated
6283
6284
6285 --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
6286 Sets a timeout in seconds on how long to wait before stopping
6287 replication when the server is under load
6288
6289
6290 --repl-backoff-max REPL_BACKOFF_MAX
6291 The maximum time in seconds a replication agreement should stay
6292 in a backoff state while waiting to acquire the consumer. De‐
6293 fault is 300 seconds
6294
6295
6296 --repl-backoff-min REPL_BACKOFF_MIN
6297 The starting time in seconds a replication agreement should stay
6298 in a backoff state while waiting to acquire the consumer. De‐
6299 fault is 3 seconds
6300
6301
6302 --repl-release-timeout REPL_RELEASE_TIMEOUT
6303 A timeout in seconds a replication supplier should send updates
6304 before it yields its replication session
6305
6306
6307 --repl-keepalive-update-interval REPL_KEEPALIVE_UPDATE_INTERVAL
6308 Interval in seconds for how often the server will apply an in‐
6309 ternal update to keep the RUV from getting stale. The default is
6310 1 hour (3600 seconds)
6311
6312
6314 usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
6315 [-a [ALIASES ...]]
6316
6317
6319 -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
6320 Sets the connection values for monitoring other topologies that
6321 are not connected. The format: 'host:port:binddn:bindpwd'. You can use
6322 regex for host and port. You can set bindpwd to * and it will be
6323 requested at runtime, or you can include the path to the
6324 password file in square brackets - [~/pwd.txt]. Both forms keep the password itself off the command line, where it would be visible in the shell history and the process list
6325
6326
6327 -a [ALIASES ...], --aliases [ALIASES ...]
6328 Enables displaying an alias instead of host:port, if an alias is
6329 assigned to a host:port combination. The format: alias=host:port
6330
6331
6333 usage: dsconf instance repl-agmt [-h]
6334 {list,enable,disable,init,init-sta‐
6335 tus,poke,status,delete,create,set,get}
6336 ...
6337
6338
6340 dsconf repl-agmt list
6341 List all replication agreements
6342
6343 dsconf repl-agmt enable
6344 Enable replication agreement
6345
6346 dsconf repl-agmt disable
6347 Disable replication agreement
6348
6349 dsconf repl-agmt init
6350 Initialize replication agreement
6351
6352 dsconf repl-agmt init-status
6353 Check the agreement initialization status
6354
6355 dsconf repl-agmt poke
6356 Trigger replication to send updates now
6357
6358 dsconf repl-agmt status
6359 Displays the current status of the replication agreement
6360
6361 dsconf repl-agmt delete
6362 Delete replication agreement
6363
6364 dsconf repl-agmt create
6365 Create a replication agreement
6366
6367 dsconf repl-agmt set
6368 Set an attribute in the replication agreement
6369
6370 dsconf repl-agmt get
6371 Get replication configuration
6372
6373
6375 usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry EN‐
6376 TRY]
6377
6378
6380 --suffix SUFFIX
6381 Sets the DN of the suffix to look up replication agreements for
6382
6383
6384 --entry ENTRY
6385 Returns the entire entry for each agreement
6386
6387
6389 usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
6390
6391
6392 AGMT_NAME
6393 The name of the replication agreement
6394
6395
6397 --suffix SUFFIX
6398 Sets the DN of the replication suffix
6399
6400
6402 usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
6403
6404
6405 AGMT_NAME
6406 The name of the replication agreement
6407
6408
6410 --suffix SUFFIX
6411 Sets the DN of the replication suffix
6412
6413
6415 usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
6416
6417
6418 AGMT_NAME
6419 The name of the replication agreement
6420
6421
6423 --suffix SUFFIX
6424 Sets the DN of the replication suffix
6425
6426
6428 usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX
6429 AGMT_NAME
6430
6431
6432 AGMT_NAME
6433 The name of the replication agreement
6434
6435
6437 --suffix SUFFIX
6438 Sets the DN of the replication suffix
6439
6440
6442 usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
6443
6444
6445 AGMT_NAME
6446 The name of the replication agreement
6447
6448
6450 --suffix SUFFIX
6451 Sets the DN of the replication suffix
6452
6453
6455 usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
6456 [--bind-dn BIND_DN]
6457 [--bind-passwd BIND_PASSWD]
6458 AGMT_NAME
6459
6460
6461 AGMT_NAME
6462 The name of the replication agreement
6463
6464
6466 --suffix SUFFIX
6467 Sets the DN of the replication suffix
6468
6469
6470 --bind-dn BIND_DN
6471 Sets the DN to use to authenticate to the consumer
6472
6473
6474 --bind-passwd BIND_PASSWD
6475 Sets the password for the bind DN
6476
6477
6479 usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
6480
6481
6482 AGMT_NAME
6483 The name of the replication agreement
6484
6485
6487 --suffix SUFFIX
6488 Sets the DN of the replication suffix
6489
6490
6492 usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host
6493 HOST
6494 --port PORT --conn-protocol
6495 CONN_PROTOCOL [--bind-dn
6496 BIND_DN]
6497 [--bind-passwd BIND_PASSWD]
6498 --bind-method BIND_METHOD
6499 [--frac-list FRAC_LIST]
6500 [--frac-list-total
6501 FRAC_LIST_TOTAL]
6502 [--strip-list STRIP_LIST]
6503 [--schedule SCHEDULE]
6504 [--conn-timeout CONN_TIMEOUT]
6505 [--protocol-timeout PROTO‐
6506 COL_TIMEOUT]
6507 [--wait-async-results
6508 WAIT_ASYNC_RESULTS]
6509 [--busy-wait-time
6510 BUSY_WAIT_TIME]
6511 [--session-pause-time SES‐
6512 SION_PAUSE_TIME]
6513 [--flow-control-window
6514 FLOW_CONTROL_WINDOW]
6515 [--flow-control-pause FLOW_CON‐
6516 TROL_PAUSE]
6517 [--bootstrap-bind-dn BOOT‐
6518 STRAP_BIND_DN]
6519 [--bootstrap-bind-passwd BOOT‐
6520 STRAP_BIND_PASSWD]
6521 [--bootstrap-conn-protocol
6522 BOOTSTRAP_CONN_PROTOCOL]
6523 [--bootstrap-bind-method BOOT‐
6524 STRAP_BIND_METHOD]
6525 [--init]
6526 AGMT_NAME
6527
6528
6529 AGMT_NAME
6530 The name of the replication agreement
6531
6532
6534 --suffix SUFFIX
6535 Sets the DN of the replication suffix
6536
6537
6538 --host HOST
6539 Sets the hostname of the remote replica
6540
6541
6542 --port PORT
6543 Sets the port number of the remote replica
6544
6545
6546 --conn-protocol CONN_PROTOCOL
6547 Sets the replication connection protocol: LDAP, LDAPS, or
6548 StartTLS. LDAP is not encrypted, so a "SIMPLE" bind over it sends the bind credentials in clear text
6549
6550
6551 --bind-dn BIND_DN
6552 Sets the bind DN the agreement uses to authenticate to the
6553 replica
6554
6555
6556 --bind-passwd BIND_PASSWD
6557 Sets the credentials for the bind DN
6558
6559
6560 --bind-method BIND_METHOD
6561 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6562 or "SASL/GSSAPI"
6563
6564
6565 --frac-list FRAC_LIST
6566 Sets the list of attributes to NOT replicate to the consumer
6567 during incremental updates
6568
6569
6570 --frac-list-total FRAC_LIST_TOTAL
6571 Sets the list of attributes to NOT replicate during a total ini‐
6572 tialization
6573
6574
6575 --strip-list STRIP_LIST
6576 Sets a list of attributes that are removed from updates only if
6577 the event would otherwise be empty. Typically this is set to
6578 "modifiersname" and "modifytimestamp"
6579
6580
6581 --schedule SCHEDULE
6582 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6583 0-6 (Sunday - Saturday).
6584
6585
6586 --conn-timeout CONN_TIMEOUT
6587 Sets the timeout used for replication connections
6588
6589
6590 --protocol-timeout PROTOCOL_TIMEOUT
6591 Sets a timeout in seconds on how long to wait before stopping
6592 replication when the server is under load
6593
6594
6595 --wait-async-results WAIT_ASYNC_RESULTS
6596 Sets the amount of time in milliseconds the server waits if the
6597 consumer is not ready before resending data
6598
6599
6600 --busy-wait-time BUSY_WAIT_TIME
6601 Sets the amount of time in seconds a supplier should wait after
6602 a consumer sends back a busy response before making another at‐
6603 tempt to acquire access.
6604
6605
6606 --session-pause-time SESSION_PAUSE_TIME
6607 Sets the amount of time in seconds a supplier should wait be‐
6608 tween update sessions.
6609
6610
6611 --flow-control-window FLOW_CONTROL_WINDOW
6612 Sets the maximum number of entries and updates sent by a sup‐
6613 plier, which are not acknowledged by the consumer.
6614
6615
6616 --flow-control-pause FLOW_CONTROL_PAUSE
6617 Sets the time in milliseconds to pause after reaching the number
6618 of entries and updates set in "--flow-control-window"
6619
6620
6621 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6622 Sets an optional bind DN the agreement can use to bootstrap ini‐
6623 tialization when bind groups are being used
6624
6625
6626 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6627 Sets the bootstrap credentials for the bind DN
6628
6629
6630 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6631 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6632 or StartTLS
6633
6634
6635 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6636 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6637
6638
6639 --init Initializes the agreement after creating it
6640
6641
6643 usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
6644 [--port PORT]
6645 [--conn-protocol CONN_PROTOCOL]
6646 [--bind-dn BIND_DN]
6647 [--bind-passwd BIND_PASSWD]
6648 [--bind-method BIND_METHOD]
6649 [--frac-list FRAC_LIST]
6650 [--frac-list-total FRAC_LIST_TO‐
6651 TAL]
6652 [--strip-list STRIP_LIST]
6653 [--schedule SCHEDULE]
6654 [--conn-timeout CONN_TIMEOUT]
6655 [--protocol-timeout PROTOCOL_TIME‐
6656 OUT]
6657 [--wait-async-results
6658 WAIT_ASYNC_RESULTS]
6659 [--busy-wait-time BUSY_WAIT_TIME]
6660 [--session-pause-time SES‐
6661 SION_PAUSE_TIME]
6662 [--flow-control-window FLOW_CON‐
6663 TROL_WINDOW]
6664 [--flow-control-pause FLOW_CON‐
6665 TROL_PAUSE]
6666 [--bootstrap-bind-dn BOOT‐
6667 STRAP_BIND_DN]
6668 [--bootstrap-bind-passwd BOOT‐
6669 STRAP_BIND_PASSWD]
6670 [--bootstrap-conn-protocol BOOT‐
6671 STRAP_CONN_PROTOCOL]
6672 [--bootstrap-bind-method BOOT‐
6673 STRAP_BIND_METHOD]
6674 AGMT_NAME
6675
6676
6677 AGMT_NAME
6678 The name of the replication agreement
6679
6680
6682 --suffix SUFFIX
6683 Sets the DN of the replication suffix
6684
6685
6686 --host HOST
6687 Sets the hostname of the remote replica
6688
6689
6690 --port PORT
6691 Sets the port number of the remote replica
6692
6693
6694 --conn-protocol CONN_PROTOCOL
6695 Sets the replication connection protocol: LDAP, LDAPS, or Start‐
6696 TLS
6697
6698
6699 --bind-dn BIND_DN
6700 Sets the Bind DN the agreement uses to authenticate to the
6701 replica
6702
6703
6704 --bind-passwd BIND_PASSWD
6705 Sets the credentials for the bind DN
6706
6707
6708 --bind-method BIND_METHOD
6709 Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST",
6710 or "SASL/GSSAPI"
6711
6712
6713 --frac-list FRAC_LIST
6714 Sets a list of attributes to NOT replicate to the consumer dur‐
6715 ing incremental updates
6716
6717
6718 --frac-list-total FRAC_LIST_TOTAL
6719 Sets a list of attributes to NOT replicate during a total ini‐
6720 tialization
6721
6722
6723 --strip-list STRIP_LIST
6724 Sets a list of attributes that are removed from updates only if
6725 the event would otherwise be empty. Typically this is set to
6726 "modifiersname" and "modifytimestamp"
6727
6728
6729 --schedule SCHEDULE
6730 Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D =
6731 0-6 (Sunday - Saturday).
6732
6733
6734 --conn-timeout CONN_TIMEOUT
6735 Sets the timeout used for replication connections
6736
6737
6738 --protocol-timeout PROTOCOL_TIMEOUT
6739 Sets a timeout in seconds on how long to wait before stopping
6740 replication when the server is under load
6741
6742
6743 --wait-async-results WAIT_ASYNC_RESULTS
6744 Sets the amount of time in milliseconds the server waits if the
6745 consumer is not ready before resending data
6746
6747
6748 --busy-wait-time BUSY_WAIT_TIME
6749 Sets the amount of time in seconds a supplier should wait after
6750 a consumer sends back a busy response before making another at‐
6751 tempt to acquire access.
6752
6753
6754 --session-pause-time SESSION_PAUSE_TIME
6755 Sets the amount of time in seconds a supplier should wait be‐
6756 tween update sessions.
6757
6758
6759 --flow-control-window FLOW_CONTROL_WINDOW
6760 Sets the maximum number of entries and updates sent by a sup‐
6761 plier, which are not acknowledged by the consumer.
6762
6763
6764 --flow-control-pause FLOW_CONTROL_PAUSE
6765 Sets the time in milliseconds to pause after reaching the number
6766 of entries and updates set in "--flow-control-window"
6767
6768
6769 --bootstrap-bind-dn BOOTSTRAP_BIND_DN
6770 Sets an optional bind DN the agreement can use to bootstrap ini‐
6771 tialization when bind groups are being used
6772
6773
6774 --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
6775 Sets the bootstrap credentials for the bind DN
6776
6777
6778 --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
6779 Sets the replication bootstrap connection protocol: LDAP, LDAPS,
6780 or StartTLS
6781
6782
6783 --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
6784 Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"
6785
6786
6788 usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
6789
6790
6791 AGMT_NAME
6792 The name of the replication agreement whose configuration to display
6793
6794
6796 --suffix SUFFIX
6797 Sets the DN of the replication suffix
6798
6799
6801 usage: dsconf instance repl-winsync-agmt [-h]
6802 {list,enable,dis‐
6803 able,init,init-status,poke,status,delete,create,set,get}
6804 ...
6805
6806
6808 dsconf repl-winsync-agmt list
6809 List all the replication winsync agreements
6810
6811 dsconf repl-winsync-agmt enable
6812 Enable replication winsync agreement
6813
6814 dsconf repl-winsync-agmt disable
6815 Disable replication winsync agreement
6816
6817 dsconf repl-winsync-agmt init
6818 Initialize replication winsync agreement
6819
6820 dsconf repl-winsync-agmt init-status
6821 Check the agreement initialization status
6822
6823 dsconf repl-winsync-agmt poke
6824 Trigger replication to send updates now
6825
6826 dsconf repl-winsync-agmt status
6827 Display the current status of the replication agreement
6828
6829 dsconf repl-winsync-agmt delete
6830 Delete replication winsync agreement
6831
6832 dsconf repl-winsync-agmt create
6833 Create replication winsync agreement
6834
6835 dsconf repl-winsync-agmt set
6836 Set an attribute in the replication winsync agreement
6837
6838 dsconf repl-winsync-agmt get
6839 Display replication configuration
6840
6841
6843 usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
6844
6845
6847 --suffix SUFFIX
6848 Sets the DN of the suffix to look up replication winsync agree‐
6849 ments
6850
6851
6853 usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX
6854 AGMT_NAME
6855
6856
6857 AGMT_NAME
6858 The name of the replication winsync agreement
6859
6860
6862 --suffix SUFFIX
6863 Sets the DN of the replication winsync suffix
6864
6865
6867 usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
6868 AGMT_NAME
6869
6870
6871 AGMT_NAME
6872 The name of the replication winsync agreement
6873
6874
6876 --suffix SUFFIX
6877 Sets the DN of the replication winsync suffix
6878
6879
6881 usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX
6882 AGMT_NAME
6883
6884
6885 AGMT_NAME
6886 The name of the replication winsync agreement
6887
6888
6890 --suffix SUFFIX
6891 Sets the DN of the replication winsync suffix
6892
6893
6895 usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUF‐
6896 FIX
6897 AGMT_NAME
6898
6899
6900 AGMT_NAME
6901 The name of the replication agreement
6902
6903
6905 --suffix SUFFIX
6906 Sets the DN of the replication suffix
6907
6908
6910 usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX
6911 AGMT_NAME
6912
6913
6914 AGMT_NAME
6915 The name of the replication winsync agreement
6916
6917
6919 --suffix SUFFIX
6920 Sets the DN of the replication winsync suffix
6921
6922
6924 usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX
6925 AGMT_NAME
6926
6927
6928 AGMT_NAME
6929 The name of the replication agreement
6930
6931
6933 --suffix SUFFIX
6934 Sets the DN of the replication suffix
6935
6936
6938 usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX
6939 AGMT_NAME
6940
6941
6942 AGMT_NAME
6943 The name of the replication winsync agreement
6944
6945
6947 --suffix SUFFIX
6948 Sets the DN of the replication winsync suffix
6949
6950
6952 usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX
6953 --host
6954 HOST --port PORT
6955 --conn-protocol
6956 CONN_PROTOCOL
6957 --bind-dn BIND_DN
6958 --bind-passwd
6959 BIND_PASSWD
6960 [--frac-list FRAC_LIST]
6961 [--schedule SCHEDULE]
6962 --win-subtree WIN_SUB‐
6963 TREE
6964 --ds-subtree DS_SUBTREE
6965 --win-domain WIN_DOMAIN
6966 [--sync-users
6967 SYNC_USERS]
6968 [--sync-groups
6969 SYNC_GROUPS]
6970 [--sync-interval
6971 SYNC_INTERVAL]
6972 [--one-way-sync
6973 ONE_WAY_SYNC]
6974 [--move-action MOVE_AC‐
6975 TION]
6976 [--win-filter WIN_FIL‐
6977 TER]
6978 [--ds-filter DS_FILTER]
6979 [--subtree-pair SUB‐
6980 TREE_PAIR]
6981 [--conn-timeout
6982 CONN_TIMEOUT]
6983 [--busy-wait-time
6984 BUSY_WAIT_TIME]
6985 [--session-pause-time
6986 SESSION_PAUSE_TIME]
6987 [--flatten-tree]
6988 [--init]
6989 AGMT_NAME
6990
6991
6992 AGMT_NAME
6993 The name of the replication winsync agreement
6994
6995
6997 --suffix SUFFIX
6998 Sets the DN of the replication winsync suffix
6999
7000
7001 --host HOST
7002 Sets the hostname of the AD server
7003
7004
7005 --port PORT
7006 Sets the port number of the AD server
7007
7008
7009 --conn-protocol CONN_PROTOCOL
7010 Sets the replication winsync connection protocol: LDAP, LDAPS,
7011 or StartTLS
7012
7013
7014 --bind-dn BIND_DN
7015 Sets the bind DN the agreement uses to authenticate to the AD
7016 Server
7017
7018
7019 --bind-passwd BIND_PASSWD
7020 Sets the credentials for the Bind DN
7021
7022
7023 --frac-list FRAC_LIST
7024 Sets a list of attributes to NOT replicate to the consumer dur‐
7025 ing incremental updates
7026
7027
7028 --schedule SCHEDULE
7029 Sets the replication update schedule
7030
7031
7032 --win-subtree WIN_SUBTREE
7033 Sets the suffix of the AD Server
7034
7035
7036 --ds-subtree DS_SUBTREE
7037 Sets the Directory Server suffix
7038
7039
7040 --win-domain WIN_DOMAIN
7041 Sets the AD Domain
7042
7043
7044 --sync-users SYNC_USERS
7045 Synchronizes users between AD and DS
7046
7047
7048 --sync-groups SYNC_GROUPS
7049 Synchronizes groups between AD and DS
7050
7051
7052 --sync-interval SYNC_INTERVAL
7053 Sets the interval that DS checks AD for changes in entries
7054
7055
7056 --one-way-sync ONE_WAY_SYNC
7057 Sets which direction to perform synchronization: "toWindows", or
7058 "fromWindows". By default sync occurs in both directions.
7059
7060
7061 --move-action MOVE_ACTION
7062 Sets instructions on how to handle moved or deleted entries:
7063 "none", "unsync", or "delete"
7064
7065
7066 --win-filter WIN_FILTER
7067 Sets a custom filter for finding users in AD Server
7068
7069
7070 --ds-filter DS_FILTER
7071 Sets a custom filter for finding AD users in DS
7072
7073
7074 --subtree-pair SUBTREE_PAIR
7075 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7076
7077
7078 --conn-timeout CONN_TIMEOUT
7079 Sets the timeout used for replication connections
7080
7081
7082 --busy-wait-time BUSY_WAIT_TIME
7083 Sets the amount of time in seconds a supplier should wait after
7084 a consumer sends back a busy response before making another at‐
7085 tempt to acquire access
7086
7087
7088 --session-pause-time SESSION_PAUSE_TIME
7089 Sets the amount of time in seconds a supplier should wait be‐
7090 tween update sessions
7091
7092
7093 --flatten-tree
7094 By default, the tree structure of AD is preserved into 389. This
7095 MAY cause replication to fail in some cases, as you may need to
7096 create missing OUs to recreate the same tree structure. This
7097 setting, when enabled, removes the tree structure of AD and flat‐
7098 tens all entries into the ds-subtree. This does NOT affect or
7099 change the tree structure of the AD directory.
7100
7101
7102 --init Initializes the agreement after creating it
7103
7104
7106 usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
7107 [--host HOST] [--port
7108 PORT]
7109 [--conn-protocol CONN_PRO‐
7110 TOCOL]
7111 [--bind-dn BIND_DN]
7112 [--bind-passwd
7113 BIND_PASSWD]
7114 [--frac-list FRAC_LIST]
7115 [--schedule SCHEDULE]
7116 [--win-subtree WIN_SUB‐
7117 TREE]
7118 [--ds-subtree DS_SUBTREE]
7119 [--win-domain WIN_DOMAIN]
7120 [--sync-users SYNC_USERS]
7121 [--sync-groups
7122 SYNC_GROUPS]
7123 [--sync-interval SYNC_IN‐
7124 TERVAL]
7125 [--one-way-sync
7126 ONE_WAY_SYNC]
7127 [--move-action MOVE_AC‐
7128 TION]
7129 [--win-filter WIN_FILTER]
7130 [--ds-filter DS_FILTER]
7131 [--subtree-pair SUB‐
7132 TREE_PAIR]
7133 [--conn-timeout CONN_TIME‐
7134 OUT]
7135 [--busy-wait-time
7136 BUSY_WAIT_TIME]
7137 [--session-pause-time SES‐
7138 SION_PAUSE_TIME]
7139 AGMT_NAME
7140
7141
7142 AGMT_NAME
7143 The name of the replication winsync agreement
7144
7145
7147 --suffix SUFFIX
7148 Sets the DN of the replication winsync suffix
7149
7150
7151 --host HOST
7152 Sets the hostname of the AD server
7153
7154
7155 --port PORT
7156 Sets the port number of the AD server
7157
7158
7159 --conn-protocol CONN_PROTOCOL
7160 Sets the replication winsync connection protocol: LDAP, LDAPS,
7161 or StartTLS
7162
7163
7164 --bind-dn BIND_DN
7165 Sets the bind DN the agreement uses to authenticate to the AD
7166 Server
7167
7168
7169 --bind-passwd BIND_PASSWD
7170 Sets the credentials for the Bind DN
7171
7172
7173 --frac-list FRAC_LIST
7174 Sets a list of attributes to NOT replicate to the consumer dur‐
7175 ing incremental updates
7176
7177
7178 --schedule SCHEDULE
7179 Sets the replication update schedule
7180
7181
7182 --win-subtree WIN_SUBTREE
7183 Sets the suffix of the AD Server
7184
7185
7186 --ds-subtree DS_SUBTREE
7187 Sets the Directory Server suffix
7188
7189
7190 --win-domain WIN_DOMAIN
7191 Sets the AD Domain
7192
7193
7194 --sync-users SYNC_USERS
7195 Synchronizes users between AD and DS
7196
7197
7198 --sync-groups SYNC_GROUPS
7199 Synchronizes groups between AD and DS
7200
7201
7202 --sync-interval SYNC_INTERVAL
7203 Sets the interval that DS checks AD for changes in entries
7204
7205
7206 --one-way-sync ONE_WAY_SYNC
7207 Sets which direction to perform synchronization: "toWindows", or
7208 "fromWindows". By default sync occurs in both directions.
7209
7210
7211 --move-action MOVE_ACTION
7212 Sets instructions on how to handle moved or deleted entries:
7213 "none", "unsync", or "delete"
7214
7215
7216 --win-filter WIN_FILTER
7217 Sets a custom filter for finding users in AD Server
7218
7219
7220 --ds-filter DS_FILTER
7221 Sets a custom filter for finding AD users in DS
7222
7223
7224 --subtree-pair SUBTREE_PAIR
7225 Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
7226
7227
7228 --conn-timeout CONN_TIMEOUT
7229 Sets the timeout used for replication connections
7230
7231
7232 --busy-wait-time BUSY_WAIT_TIME
7233 Sets the amount of time in seconds a supplier should wait after
7234 a consumer sends back a busy response before making another at‐
7235 tempt to acquire access
7236
7237
7238 --session-pause-time SESSION_PAUSE_TIME
7239 Sets the amount of time in seconds a supplier should wait be‐
7240 tween update sessions
7241
7242
7244 usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX
7245 AGMT_NAME
7246
7247
7248 AGMT_NAME
7249 The name of the replication winsync agreement whose configuration to display
7250
7251
7253 --suffix SUFFIX
7254 Sets the DN of the replication suffix
7255
7256
7258 usage: dsconf instance repl-tasks [-h]
7259 {cleanallruv,list-clean‐
7260 ruv-tasks,abort-cleanallruv,list-abortruv-tasks}
7261 ...
7262
7263
7265 dsconf repl-tasks cleanallruv
7266 Cleanup old/removed replica IDs
7267
7268 dsconf repl-tasks list-cleanruv-tasks
7269 List all the running CleanAllRUV tasks
7270
7271 dsconf repl-tasks abort-cleanallruv
7272 Abort cleanallruv tasks
7273
7274 dsconf repl-tasks list-abortruv-tasks
7275 List all the running CleanAllRUV abort tasks
7276
7277
7279 usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
7280 --replica-id REPLICA_ID
7281 [--force-cleaning]
7282
7283
7285 --suffix SUFFIX
7286 Sets the Directory Server suffix
7287
7288
7289 --replica-id REPLICA_ID
7290 Sets the replica ID to remove/clean
7291
7292
7293 --force-cleaning
7294 Ignores errors and makes a best attempt to clean all replicas
7295
7296
7298 usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix
7299 SUFFIX]
7300
7301
7303 --suffix SUFFIX
7304 Lists only tasks for the specified suffix
7305
7306
7308 usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUF‐
7309 FIX
7310 --replica-id
7311 REPLICA_ID
7312 [--certify]
7313
7314
7316 --suffix SUFFIX
7317 Sets the Directory Server suffix
7318
7319
7320 --replica-id REPLICA_ID
7321 Sets the replica ID of the cleaning task to abort
7322
7323
7324 --certify
7325 Enforces that the abort task completed on all replicas
7326
7327
7329 usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix
7330 SUFFIX]
7331
7332
7334 --suffix SUFFIX
7335 Lists only tasks for the specified suffix
7336
7337
7339 usage: dsconf instance sasl [-h]
7340 {list,get-mechs,get-avail‐
7341 able-mechs,get,create,delete}
7342 ...
7343
7344
7346 dsconf sasl list
7347 Display available SASL mappings
7348
7349 dsconf sasl get-mechs
7350 Display the SASL mechanisms that the server will accept
7351
7352 dsconf sasl get-available-mechs
7353 Display the SASL mechanisms that are available to the server
7354
7355 dsconf sasl get
7356 Displays SASL mappings
7357
7358 dsconf sasl create
7359 Create a SASL mapping
7360
7361 dsconf sasl delete
7362 Deletes the SASL object
7363
7364
7366 usage: dsconf instance sasl list [-h] [--details]
7367
7368
7370 --details
7371 Displays each SASL mapping in detail
7372
7373
7375 usage: dsconf instance sasl get-mechs [-h]
7376
7377
7379 usage: dsconf instance sasl get-available-mechs [-h]
7380
7381
7383 usage: dsconf instance sasl get [-h] [selector]
7384
7385
7386 selector
7387 The SASL mapping name to display
7388
7389
7391 usage: dsconf instance sasl create [-h] [--cn [CN]]
7392 [--nsSaslMapRegexString
7393 [NSSASLMAPREGEXSTRING]]
7394 [--nsSaslMapBaseDNTemplate
7395 [NSSASLMAPBASEDNTEMPLATE]]
7396 [--nsSaslMapFilterTemplate
7397 [NSSASLMAPFILTERTEMPLATE]]
7398 [--nsSaslMapPriority [NSSASLMAPPRI‐
7399 ORITY]]
7400
7401
7403 --cn [CN]
7404 Value of cn
7405
7406
7407 --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
7408 Value of nsSaslMapRegexString
7409
7410
7411 --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
7412 Value of nsSaslMapBaseDNTemplate
7413
7414
7415 --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
7416 Value of nsSaslMapFilterTemplate
7417
7418
7419 --nsSaslMapPriority [NSSASLMAPPRIORITY]
7420 Value of nsSaslMapPriority
7421
7422
7424 usage: dsconf instance sasl delete [-h] map_name
7425
7426
7427 map_name
7428 The SASL mapping name ("cn" value)
7429
7430
7432 usage: dsconf instance security [-h]
7433 {set,get,enable,disable,dis‐
7434 able_plain_port,certificate,ca-certificate,rsa,ciphers,csr,key}
7435 ...
7436
7437
7439 dsconf security set
7440 Set general security options
7441
7442 dsconf security get
7443 Display general security options
7444
7445 dsconf security enable
7446 Enable security
7447
7448 dsconf security disable
7449 Disable security
7450
7451 dsconf security disable_plain_port
7452 Disables the plain text LDAP port, allowing only LDAPS to func‐
7453 tion
7454
7455 dsconf security certificate
7456 Manage TLS certificates
7457
7458 dsconf security ca-certificate
7459 Manage TLS certificate authorities
7460
7461 dsconf security rsa
7462 Query and update RSA security options
7463
7464 dsconf security ciphers
7465 Manage secure ciphers
7466
7467 dsconf security csr
7468 Manage certificate signing requests
7469
7470 dsconf security key
7471 Manage keys in NSS DB
7472
7473
7475 usage: dsconf instance security set [-h] [--security SECURITY]
7476 [--listen-host LISTEN_HOST]
7477 [--secure-port SECURE_PORT]
7478 [--tls-client-auth TLS_CLIENT_AUTH]
7479 [--tls-client-renegotiation
7480 TLS_CLIENT_RENEGOTIATION]
7481 [--require-secure-authentication
7482 REQUIRE_SECURE_AUTHENTICATION]
7483 [--check-hostname CHECK_HOSTNAME]
7484 [--verify-cert-chain-on-startup
7485 VERIFY_CERT_CHAIN_ON_STARTUP]
7486 [--session-timeout SESSION_TIMEOUT]
7487 [--tls-protocol-min TLS_PROTO‐
7488 COL_MIN]
7489 [--tls-protocol-max TLS_PROTO‐
7490 COL_MAX]
7491 [--allow-insecure-ciphers ALLOW_IN‐
7492 SECURE_CIPHERS]
7493 [--allow-weak-dh-param AL‐
7494 LOW_WEAK_DH_PARAM]
7495 [--cipher-pref CIPHER_PREF]
7496
7497 Use this command for setting security related options located in
7498 cn=config and cn=encryption,cn=config.
7499
7500 To enable/disable security you can use enable and disable commands in‐
7501 stead.
7502
7503
7505 --security SECURITY
7506 Enables or disables security (nsslapd-security)
7507
7508
7509 --listen-host LISTEN_HOST
7510 Sets the host or IP address to listen on for LDAPS (nsslapd-se‐
7511 curelistenhost)
7512
7513
7514 --secure-port SECURE_PORT
7515 Sets the port for LDAPS to listen on (nsslapd-securePort)
7516
7517
7518 --tls-client-auth TLS_CLIENT_AUTH
7519 Configures client authentication requirement (nsSSLClientAuth)
7520
7521
7522 --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
7523 Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)
7524
7525
7526 --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
7527 Configures whether binds over LDAPS, StartTLS, or SASL are re‐
7528 quired (nsslapd-require-secure-binds)
7529
7530
7531 --check-hostname CHECK_HOSTNAME
7532 Checks the subject of remote certificate against the hostname
7533 (nsslapd-ssl-check-hostname)
7534
7535
7536 --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
7537 Validates the server certificate during startup (nsslapd-vali‐
7538 date-cert)
7539
7540
7541 --session-timeout SESSION_TIMEOUT
7542 Sets the secure session timeout (nsSSLSessionTimeout)
7543
7544
7545 --tls-protocol-min TLS_PROTOCOL_MIN
7546 Sets the minimal allowed secure protocol version (sslVersionMin)
7547
7548
7549 --tls-protocol-max TLS_PROTOCOL_MAX
7550 Sets the maximal allowed secure protocol version (sslVersionMax)
7551
7552
7553 --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
7554 Allows weak ciphers for legacy use (allowWeakCipher)
7555
7556
7557 --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
7558 Allows short DH params for legacy use (allowWeakDHParam)
7559
7560
7561 --cipher-pref CIPHER_PREF
7562 Directly sets the nsSSL3Ciphers attribute. It is a comma-sepa‐
7563 rated list of cipher names (prefixed with + or -), optionally
7564 including +all or -all. The attribute may optionally be prefixed
7565 by keyword "default". Please refer to documentation of the at‐
7566 tribute for a more detailed description. (nsSSL3Ciphers)
7567
7568
7570 usage: dsconf instance security get [-h]
7571
7572
7574 usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
7575
7576 If missing, create security database, then turn on security functional‐
7577 ity. Please note this is usually not enough for TLS connections to work
7578 - proper setup of CA and server certificate is necessary.
7579
7580
7582 --cert-name CERT_NAME
7583 Sets the name of the certificate the server should use
7584
7585
7587 usage: dsconf instance security disable [-h]
7588
7589 Turn off security functionality. The rest of the configuration will be
7590 left untouched.
7591
7592
7594 usage: dsconf instance security disable_plain_port [-h]
7595
7596
7598 usage: dsconf instance security certificate [-h]
7599 {add,set-trust-flags,del,get,list}
7600 ...
7601
7602
7604 dsconf security certificate add
7605 Add a server certificate
7606
7607 dsconf security certificate set-trust-flags
7608 Set the Trust flags
7609
7610 dsconf security certificate del
7611 Delete a certificate
7612
7613 dsconf security certificate get
7614 Display a server certificate's information
7615
7616 dsconf security certificate list
7617 List the server certificates
7618
7619
7621 usage: dsconf instance security certificate add [-h] --file FILE --name
7622 NAME
7623 [--primary-cert]
7624
7625 Add a server certificate to the NSS database
7626
7627
7629 --file FILE
7630 Sets the file name of the certificate
7631
7632
7633 --name NAME
7634 Sets the name/nickname of the certificate
7635
7636
7637 --primary-cert
7638 Sets this certificate as the server's certificate
7639
7640
7642 usage: dsconf instance security certificate set-trust-flags
7643 [-h] --flags FLAGS name
7644
7645 Change the trust flags of a server certificate
7646
7647
7648 name The name/nickname of the certificate
7649
7650
7652 --flags FLAGS
7653 Sets the trust flags for the server certificate
7654
7655
7657 usage: dsconf instance security certificate del [-h] name
7658
7659 Delete a certificate from the NSS database
7660
7661
7662 name The name/nickname of the certificate
7663
7664
7666 usage: dsconf instance security certificate get [-h] name
7667
7668 Displays detailed information about a certificate, such as trust at‐
7669 tributes, expiration dates, Subject and Issuer DNs
7670
7671
7672 name Set the name/nickname of the certificate
7673
7674
7676 usage: dsconf instance security certificate list [-h]
7677
7678 Lists the server certificates in the NSS database
7679
7680
7682 usage: dsconf instance security ca-certificate [-h]
7683 {add,set-trust-flags,del,get,list}
7684 ...
7685
7686
7688 dsconf security ca-certificate add
7689 Add a Certificate Authority
7690
7691 dsconf security ca-certificate set-trust-flags
7692 Set the Trust flags
7693
7694 dsconf security ca-certificate del
7695 Delete a certificate
7696
7697 dsconf security ca-certificate get
7698 Displays a Certificate Authority's information
7699
7700 dsconf security ca-certificate list
7701 List the Certificate Authorities
7702
7703
7705 usage: dsconf instance security ca-certificate add [-h] --file FILE
7706 --name
7707 NAME [NAME ...]
7708
7709 Add a Certificate Authority to the NSS database
7710
7711
7713 --file FILE
7714 Sets the file name of the CA certificate
7715
7716
7717 --name NAME [NAME ...]
7718 Sets the name/nickname of the CA certificate, if adding a PEM
7719 bundle then specify multiple names one for each certificate,
7720 otherwise a number increment will be added to the previous name.
7721
7722
7724 usage: dsconf instance security ca-certificate set-trust-flags
7725 [-h] --flags FLAGS name
7726
7727 Change the trust attributes of a CA certificate. Certificate Authori‐
7728 ties typically use "CT,,"
7729
7730
7731 name The name/nickname of the CA certificate
7732
7733
7735 --flags FLAGS
7736 Sets the trust flags for the CA certificate
7737
7738
7740 usage: dsconf instance security ca-certificate del [-h] name
7741
7742 Delete a CA certificate from the NSS database
7743
7744
7745 name The name/nickname of the CA certificate
7746
7747
7749 usage: dsconf instance security ca-certificate get [-h] name
7750
7751 Get detailed information about a CA certificate, like trust attributes,
7752 expiration dates, Subject and Issuer DN
7753
7754
7755 name The name/nickname of the CA certificate
7756
7757
7759 usage: dsconf instance security ca-certificate list [-h]
7760
7761 List the CA certificates in the NSS database
7762
7763
7765 usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
7766
7767
7769 dsconf security rsa set
7770 Set RSA security options
7771
7772 dsconf security rsa get
7773 Get RSA security options
7774
7775 dsconf security rsa enable
7776 Enable RSA
7777
7778 dsconf security rsa disable
7779 Disable RSA
7780
7781
7783 usage: dsconf instance security rsa set [-h]
7784 [--tls-allow-rsa-certificates
7785 TLS_ALLOW_RSA_CERTIFICATES]
7786 [--nss-cert-name NSS_CERT_NAME]
7787 [--nss-token NSS_TOKEN]
7788
7789 Use this command for setting RSA (private key) related options located
7790 in cn=RSA,cn=encryption,cn=config.
7791
7792 To enable/disable RSA you can use enable and disable commands instead.
7793
7794
7796 --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
7797 Activates the use of RSA certificates (nsSSLActivation)
7798
7799
7800 --nss-cert-name NSS_CERT_NAME
7801 Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)
7802
7803
7804 --nss-token NSS_TOKEN
7805 Sets the security token name (module of NSS DB) (nsSSLToken)
7806
7807
7809 usage: dsconf instance security rsa get [-h]
7810
7811
7813 usage: dsconf instance security rsa enable [-h]
7814
7815
7817 usage: dsconf instance security rsa disable [-h]
7818
7819
7821 usage: dsconf instance security ciphers [-h] {enable,dis‐
7822 able,get,set,list} ...
7823
7824
7826 dsconf security ciphers enable
7827 Enable ciphers
7828
7829 dsconf security ciphers disable
7830 Disable ciphers
7831
7832 dsconf security ciphers get
7833 Get ciphers attribute
7834
7835 dsconf security ciphers set
7836 Set ciphers attribute
7837
7838 dsconf security ciphers list
7839 List ciphers
7840
7841
7843 usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
7844
7845 Use this command to enable specific ciphers.
7846
7847
7848 cipher
7849
7850
7852 usage: dsconf instance security ciphers disable [-h] cipher [cipher
7853 ...]
7854
7855 Use this command to disable specific ciphers.
7856
7857
7858 cipher
7859
7860
7862 usage: dsconf instance security ciphers get [-h]
7863
7864 Use this command to get contents of nsSSL3Ciphers attribute.
7865
7866
7868 usage: dsconf instance security ciphers set [-h] cipher-string
7869
7870 Use this command to directly set nsSSL3Ciphers attribute. It is a comma
7871 separated list of cipher names (prefixed with + or -), optionally in‐
7872 cluding +all or -all. The attribute may optionally be set to keyword
7873 default. Please refer to documentation of the attribute for a more de‐
7874 tailed description.
7875
7876
7877 cipher-string
7878
7879
7881 usage: dsconf instance security ciphers list [-h]
7882 [--enabled | --supported |
7883 --disabled]
7884
7885 List secure ciphers. Without arguments, list ciphers as configured in
7886 nsSSL3Ciphers attribute.
7887
7888
7890 --enabled
7891 Lists only enabled ciphers
7892
7893
7894 --supported
7895 Lists only supported ciphers
7896
7897
7898 --disabled
7899 Lists only ciphers that are supported but not enabled
7900
7901
7903 usage: dsconf instance security csr [-h] {list,get,req,del} ...
7904
7905
7907 dsconf security csr list
7908 List CSRs
7909
7910 dsconf security csr get
7911 Display CSR content
7912
7913 dsconf security csr req
7914 Generate a Certificate Signing Request
7915
7916 dsconf security csr del
7917 Delete a CSR file
7918
7919
7921 usage: dsconf instance security csr list [-h] [--path PATH]
7922
7923 List all CSR files in instance configuration directory
7924
7925
7927 --path PATH, -p PATH
7928 Directory containing CSR file
7929
7930
7932 usage: dsconf instance security csr get [-h] name
7933
7934 Displays the contents of a CSR, which can be used for submittal to CA
7935
7936
7937 name Name of the CSR file to display
7938
7939
7941 usage: dsconf instance security csr req [-h] --subject SUBJECT --name
7942 NAME
7943 [alt_names ...]
7944
7945 Generate a CSR that can be submitted to a CA for verification
7946
7947
7948 alt_names
7949 CSR alternative names. These are auto-detected if not provided
7950
7951
7953 --subject SUBJECT, -s SUBJECT
7954 Subject field
7955
7956
7957 --name NAME, -n NAME
7958 Name
7959
7960
7962 usage: dsconf instance security csr del [-h] name
7963
7964 Delete a CSR file
7965
7966
7967 name Name of the CSR file to delete
7968
7969
7971 usage: dsconf instance security key [-h] {list,del} ...
7972
7973
7975 dsconf security key list
7976 List all keys in NSS DB
7977
7978 dsconf security key del
7979 Delete a key from NSS DB
7980
7981
7983 usage: dsconf instance security key list [-h] [--orphan]
7984
7985
7987 --orphan
7988 List orphan keys (An orphan key is a private key in the NSS DB
7989 for which there is NO cert with the corresponding public key).
7990 An orphan key is created during CSR generation; when the associ‐
7991 ated certificate is imported into the NSS DB, its orphan state
7992 will be removed.
7993
7994
7996 usage: dsconf instance security key del [-h] key_id
7997
7998 Remove a key from the NSS DB. Make sure the key is not in use before
7999 you delete it; an orphan key may still belong to a CSR whose certificate has not been imported yet.
8000
8001
8002 key_id This is the key ID displayed when listing keys
8003
8004
8006 usage: dsconf instance schema [-h]
8007 {list,attributetypes,objectclasses,match‐
8008 ingrules,reload,validate-syntax,import-openldap-file}
8009 ...
8010
8011
8013 dsconf schema list
8014 List all schema objects on this system
8015
8016 dsconf schema attributetypes
8017 Work with attribute types on this system
8018
8019 dsconf schema objectclasses
8020 Work with objectClasses on this system
8021
8022 dsconf schema matchingrules
8023 Work with matching rules on this system
8024
8025 dsconf schema reload
8026 Dynamically reload schema while server is running
8027
8028 dsconf schema validate-syntax
8029 Run a task to check every modification to attributes to make
8030 sure that the new value has the required syntax for that attri‐
8031 bute type
8032
8033 dsconf schema import-openldap-file
8034 Import an OpenLDAP-formatted dynamic schema LDIF file. It will
8035 contain values like olcAttributeTypes and olcObjectClasses.
8036
8037
8039 usage: dsconf instance schema list [-h]
8040
8041
8043 usage: dsconf instance schema attributetypes [-h]
8044 {get_syn‐
8045 taxes,list,query,add,replace,remove}
8046 ...
8047
8048
8050 dsconf schema attributetypes get_syntaxes
8051 List all available attribute type syntaxes
8052
8053 dsconf schema attributetypes list
8054 List available attribute types on this system
8055
8056 dsconf schema attributetypes query
8057 Query an attribute to determine object classes that may or must
8058 take it
8059
8060 dsconf schema attributetypes add
8061 Add an attribute type to this system
8062
8063 dsconf schema attributetypes replace
8064 Replace an attribute type on this system
8065
8066 dsconf schema attributetypes remove
8067 Remove an attribute type on this system
8068
8069
8071 usage: dsconf instance schema attributetypes get_syntaxes [-h]
8072
8073
8075 usage: dsconf instance schema attributetypes list [-h]
8076
8077
8079 usage: dsconf instance schema attributetypes query [-h] [name]
8080
8081
8082 name Attribute type to query
8083
8084
8086 usage: dsconf instance schema attributetypes add [-h] [--oid OID]
8087 [--desc DESC]
8088 [--x-origin X_ORIGIN]
8089 [--aliases ALIASES
8090 [ALIASES ...]]
8091 [--single-value]
8092 [--multi-value]
8093 [--no-user-mod]
8094 [--user-mod]
8095 [--equality EQUALITY
8096 [EQUALITY ...]]
8097 [--substr SUBSTR [SUB‐
8098 STR ...]]
8099 [--ordering ORDERING
8100 [ORDERING ...]]
8101 [--usage USAGE] [--sup
8102 SUP]
8103 --syntax SYNTAX
8104 name
8105
8106
8107 name NAME of the object
8108
8109
8111 --oid OID
8112 OID assigned to the object
8113
8114
8115 --desc DESC
8116 Description text(DESC) of the object
8117
8118
8119 --x-origin X_ORIGIN
8120 Provides information about where the attribute type is defined
8121
8122
8123 --aliases ALIASES [ALIASES ...]
8124 Additional NAMEs of the object.
8125
8126
8127 --single-value
8128 True if the matching rule must have only one value. Only one of
8129 this flag or --multi-value should be specified
8130
8131
8132 --multi-value
8133 True if the matching rule may have multiple values (default). Only
8134 one of this flag or --single-value should be specified
8135
8136
8137 --no-user-mod
8138 True if the attribute is not modifiable by a client applica‐
8139 tion. Only one of this flag or --user-mod should be specified
8140
8141
8142 --user-mod
8143 True if the attribute is modifiable by a client application (de‐
8144 fault). Only one of this flag or --no-user-mod should be
8145 specified
8146
8147
8148 --equality EQUALITY [EQUALITY ...]
8149 NAME or OID of the matching rules used for checking whether at‐
8150 tribute values are equal
8151
8152
8153 --substr SUBSTR [SUBSTR ...]
8154 NAME or OID of the matching rules used for checking whether an
8155 attribute value contains another value
8156
8157
8158 --ordering ORDERING [ORDERING ...]
8159 NAME or OID of the matching rules used for checking whether an at‐
8160 tribute value is less than or equal to another value
8161
8162
8163 --usage USAGE
8164 The flag indicates how the attribute type is to be used. Choose
8165 from the list: userApplications (default), directoryOperation,
8166 distributedOperation, dSAOperation
8167
8168
8169 --sup SUP
8170 The NAME or OID of attribute type this attribute type is derived
8171 from
8172
8173
8174 --syntax SYNTAX
8175 OID of the LDAP syntax assigned to the attribute
8176
8177
8179 usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
8180 [--desc DESC]
8181 [--x-origin X_ORI‐
8182 GIN]
8183 [--aliases ALIASES
8184 [ALIASES ...]]
8185 [--single-value]
8186 [--multi-value]
8187 [--no-user-mod]
8188 [--user-mod]
8189 [--equality EQUAL‐
8190 ITY [EQUALITY ...]]
8191 [--substr SUBSTR
8192 [SUBSTR ...]]
8193 [--ordering ORDER‐
8194 ING [ORDERING ...]]
8195 [--usage USAGE]
8196 [--sup SUP]
8197 [--syntax SYNTAX]
8198 name
8199
8200
8201 name NAME of the object
8202
8203
8205 --oid OID
8206 OID assigned to the object
8207
8208
8209 --desc DESC
8210 Description text(DESC) of the object
8211
8212
8213 --x-origin X_ORIGIN
8214 Provides information about where the attribute type is defined
8215
8216
8217 --aliases ALIASES [ALIASES ...]
8218 Additional NAMEs of the object.
8219
8220
8221 --single-value
8222 True if the matching rule must have only one value. Only one of
8223 this flag or --multi-value should be specified
8224
8225
8226 --multi-value
8227 True if the matching rule may have multiple values (default). Only
8228 one of this flag or --single-value should be specified
8229
8230
8231 --no-user-mod
8232 True if the attribute is not modifiable by a client applica‐
8233 tion. Only one of this flag or --user-mod should be specified
8234
8235
8236 --user-mod
8237 True if the attribute is modifiable by a client application (de‐
8238 fault). Only one of this flag or --no-user-mod should be
8239 specified
8240
8241
8242 --equality EQUALITY [EQUALITY ...]
8243 NAME or OID of the matching rules used for checking whether at‐
8244 tribute values are equal
8245
8246
8247 --substr SUBSTR [SUBSTR ...]
8248 NAME or OID of the matching rules used for checking whether an
8249 attribute value contains another value
8250
8251
8252 --ordering ORDERING [ORDERING ...]
8253 NAME or OID of the matching rules used for checking whether an at‐
8254 tribute value is less than or equal to another value
8255
8256
8257 --usage USAGE
8258 The flag indicates how the attribute type is to be used. Choose
8259 from the list: userApplications (default), directoryOperation,
8260 distributedOperation, dSAOperation
8261
8262
8263 --sup SUP
8264 The NAME or OID of attribute type this attribute type is derived
8265 from
8266
8267
8268 --syntax SYNTAX
8269 OID of the LDAP syntax assigned to the attribute
8270
8271
8273 usage: dsconf instance schema attributetypes remove [-h] name
8274
8275
8276 name NAME of the object
8277
8278
8280 usage: dsconf instance schema objectclasses [-h]
8281 {list,query,add,replace,re‐
8282 move}
8283 ...
8284
8285
8287 dsconf schema objectclasses list
8288 List available objectClasses on this system
8289
8290 dsconf schema objectclasses query
8291 Query an objectClass
8292
8293 dsconf schema objectclasses add
8294 Add an objectClass to this system
8295
8296 dsconf schema objectclasses replace
8297 Replace an objectClass on this system
8298
8299 dsconf schema objectclasses remove
8300 Remove an objectClass on this system
8301
8302
8304 usage: dsconf instance schema objectclasses list [-h]
8305
8306
8308 usage: dsconf instance schema objectclasses query [-h] [name]
8309
8310
8311 name ObjectClass to query
8312
8313
8315 usage: dsconf instance schema objectclasses add [-h] [--oid OID]
8316 [--desc DESC]
8317 [--x-origin X_ORIGIN]
8318 [--must MUST [MUST
8319 ...]]
8320 [--may MAY [MAY ...]]
8321 [--kind KIND]
8322 [--sup SUP [SUP ...]]
8323 name
8324
8325
8326 name NAME of the object
8327
8328
8330 --oid OID
8331 OID assigned to the object
8332
8333
8334 --desc DESC
8335 Description text(DESC) of the object
8336
8337
8338 --x-origin X_ORIGIN
8339 Provides information about where the attribute type is defined
8340
8341
8342 --must MUST [MUST ...]
8343 NAMEs or OIDs of all attributes an entry of the object must have
8344
8345
8346 --may MAY [MAY ...]
8347 NAMEs or OIDs of additional attributes an entry of the object
8348 may have
8349
8350
8351 --kind KIND
8352 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8353
8354
8355 --sup SUP [SUP ...]
8356 NAME or OIDs of object classes this object is derived from
8357
8358
8360 usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
8361 [--desc DESC]
8362 [--x-origin X_ORI‐
8363 GIN]
8364 [--must MUST [MUST
8365 ...]]
8366 [--may MAY [MAY
8367 ...]]
8368 [--kind KIND]
8369 [--sup SUP [SUP
8370 ...]]
8371 name
8372
8373
8374 name NAME of the object
8375
8376
8378 --oid OID
8379 OID assigned to the object
8380
8381
8382 --desc DESC
8383 Description text(DESC) of the object
8384
8385
8386 --x-origin X_ORIGIN
8387 Provides information about where the attribute type is defined
8388
8389
8390 --must MUST [MUST ...]
8391 NAMEs or OIDs of all attributes an entry of the object must have
8392
8393
8394 --may MAY [MAY ...]
8395 NAMEs or OIDs of additional attributes an entry of the object
8396 may have
8397
8398
8399 --kind KIND
8400 Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
8401
8402
8403 --sup SUP [SUP ...]
8404 NAME or OIDs of object classes this object is derived from
8405
8406
8408 usage: dsconf instance schema objectclasses remove [-h] name
8409
8410
8411 name NAME of the object
8412
8413
8415 usage: dsconf instance schema matchingrules [-h] {list,query} ...
8416
8417
8419 dsconf schema matchingrules list
8420 List available matching rules on this system
8421
8422 dsconf schema matchingrules query
8423 Query a matching rule
8424
8425
8427 usage: dsconf instance schema matchingrules list [-h]
8428
8429
8431 usage: dsconf instance schema matchingrules query [-h] [name]
8432
8433
8434 name Matching rule to query
8435
8436
8438 usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
8439
8440
8442 -d SCHEMADIR, --schemadir SCHEMADIR
8443 directory where schema files are located
8444
8445
8446 --wait Wait for the reload task to complete
8447
8448
8450 usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN
8451
8452
8453 DN Base DN that contains entries to validate
8454
8455
8457 -f FILTER, --filter FILTER
8458 Filter for entries to validate. If omitted, all entries with
8459 filter "(objectclass=*)" are validated
8460
8461
8463 usage: dsconf instance schema import-openldap-file [-h] [--confirm]
8464 schema_file
8465
8466
8467 schema_file
8468 Path to the openldap dynamic schema ldif to import
8469
8470
8472 --confirm
8473 Confirm that you want to apply these schema migration actions to
8474 the 389-ds instance. By default no actions are taken.
8475
8476
8478 usage: dsconf instance repl-conflict [-h]
8479 {list,compare,delete,swap,con‐
8480 vert,list-glue,delete-glue,convert-glue}
8481 ...
8482
8483
8485 dsconf repl-conflict list
8486 List conflict entries
8487
8488 dsconf repl-conflict compare
8489 Compare the conflict entry with its valid counterpart
8490
8491 dsconf repl-conflict delete
8492 Delete a conflict entry
8493
8494 dsconf repl-conflict swap
8495 Replace the valid entry with the conflict entry
8496
8497 dsconf repl-conflict convert
8498 Convert the conflict entry to a valid entry, while keeping the
8499 original valid entry counterpart. This requires that the con‐
8500 verted conflict entry have a new RDN value. For example:
8501 "cn=my_new_rdn_value".
8502
8503 dsconf repl-conflict list-glue
8504 List replication glue entries
8505
8506 dsconf repl-conflict delete-glue
8507 Delete the glue entry and its child entries
8508
8509 dsconf repl-conflict convert-glue
8510 Convert the glue entry into a regular entry
8511
8512
8514 usage: dsconf instance repl-conflict list [-h] suffix
8515
8516
8517 suffix Sets the backend name, or suffix, to look for conflict entries
8518
8519
8521 usage: dsconf instance repl-conflict compare [-h] DN
8522
8523
8524 DN The DN of the conflict entry
8525
8526
8528 usage: dsconf instance repl-conflict delete [-h] DN
8529
8530
8531 DN The DN of the conflict entry
8532
8533
8535 usage: dsconf instance repl-conflict swap [-h] DN
8536
8537
8538 DN The DN of the conflict entry
8539
8540
8542 usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
8543
8544
8545 DN The DN of the conflict entry
8546
8547
8549 --new-rdn NEW_RDN
8550 Sets the new RDN for the converted conflict entry. For example:
8551 "cn=my_new_rdn_value"
8552
8553
8555 usage: dsconf instance repl-conflict list-glue [-h] suffix
8556
8557
8558 suffix The backend name, or suffix, to look for glue entries
8559
8560
8562 usage: dsconf instance repl-conflict delete-glue [-h] DN
8563
8564
8565 DN The DN of the glue entry
8566
8567
8569 usage: dsconf instance repl-conflict convert-glue [-h] DN
8570
8571
8572 DN The DN of the glue entry
8573
8574
8576 -v, --verbose
8577 Display verbose operation tracing during command execution
8578
8579
8580 -D BINDDN, --binddn BINDDN
8581 The account to bind as for executing operations
8582
8583
8584 -w BINDPW, --bindpw BINDPW
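8585 Password for the bind DN. A password passed on the command line can be seen by other local users in the process list and may be kept in shell history; prefer -W or -y.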
8586
8587
8588 -W, --prompt
8589 Prompt for password of the bind DN
8590
8591
8592 -y PWDFILE, --pwdfile PWDFILE
8593 Specifies a file containing the password of the bind DN. Keep the file readable only by the account that runs dsconf.
8594
8595
8596 -b BASEDN, --basedn BASEDN
8597 Base DN (root naming context) of the instance to manage
8598
8599
8600 -Z, --starttls
8601 Connect with StartTLS
8602
8603
8604 -j, --json
8605 Return result in JSON object
8606
8607
8609 Red Hat, Inc., and William Brown <389-devel@lists.fedoraproject.org>
8610
8611
8613 The latest version of lib389 may be downloaded from
8614 ⟨http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html⟩
8615
8616
8617
8618lib389 1.4.0.1 2023-01-23 DSCONF(8)