dsconf - Man Page
Synopsis
dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN] [-Z] [-j] instance {backend,backup,chaining,config,directory_manager,monitor,plugin,pwpolicy,localpwp,replication,repl-agmt,repl-winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...
Options
- instance
The instance name OR the LDAP url to connect to, IE localhost, ldap://mai.example.com:389
Sub-commands
- dsconf backend
Manage database suffixes and backends
- dsconf backup
Manage online backups
- dsconf chaining
Manage database chaining/database links
- dsconf config
Manage server configuration
- dsconf directory_manager
Manage the directory manager account
- dsconf monitor
Monitor the state of the instance
- dsconf plugin
Manage plugins available on the server
- dsconf pwpolicy
Get and set the global password policy settings
- dsconf localpwp
Manage local (user/subtree) password policies
- dsconf replication
Configure replication for a suffix
- dsconf repl-agmt
Manage replication agreements
- dsconf repl-winsync-agmt
Manage Winsync Agreements
- dsconf repl-tasks
Manage replication tasks
- dsconf sasl
Query and manipulate SASL mappings
- dsconf security
Query and manipulate security options
- dsconf schema
Query and manipulate schema
- dsconf repl-conflict
Manage replication conflicts
OPTIONS 'dsconf backend'
usage: dsconf instance backend [-h]
{suffix,index,vlv-index,attr-encrypt,config,monitor,import,export,create,delete,get-tree}
...
Sub-commands
- dsconf backend suffix
Manage a backend suffix
- dsconf backend index
Manage backend indexes
- dsconf backend vlv-index
Manage VLV searches and indexes
- dsconf backend attr-encrypt
Encrypted attribute options
- dsconf backend config
Manage the global database configuration settings
- dsconf backend monitor
Get the global database monitor information
- dsconf backend import
Do an online import of the suffix
- dsconf backend export
Do an online export of the suffix
- dsconf backend create
Create a backend database
- dsconf backend delete
Delete a backend database
- dsconf backend get-tree
Get a representation of the suffix tree
OPTIONS 'dsconf backend suffix'
usage: dsconf instance backend suffix [-h]
{list,get,get-dn,get-sub-suffixes,set}
...
Sub-commands
- dsconf backend suffix list
List current active backends and suffixes
- dsconf backend suffix get
Get the suffix entry
- dsconf backend suffix get-dn
get_dn
- dsconf backend suffix get-sub-suffixes
Get the sub-suffixes of this backend
- dsconf backend suffix set
Set configuration settings for a single backend
OPTIONS 'dsconf backend suffix list'
usage: dsconf instance backend suffix list [-h] [--suffix]
[--skip-subsuffixes]
- --suffix
Just display the suffix, and not the backend name
- --skip-subsuffixes
Skip over sub-suffixes
OPTIONS 'dsconf backend suffix get'
usage: dsconf instance backend suffix get [-h] [selector]
- selector
The backend to search for
OPTIONS 'dsconf backend suffix get-dn'
usage: dsconf instance backend suffix get-dn [-h] [dn]
- dn
The backend dn to get
OPTIONS 'dsconf backend suffix get-sub-suffixes'
usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix] be_name
- be_name
The backend name or suffix to search for sub-suffixes
- --suffix
Just display the suffix, and not the backend name
OPTIONS 'dsconf backend suffix set'
usage: dsconf instance backend suffix set [-h] [--enable-readonly]
[--disable-readonly]
[--require-index] [--ignore-index]
[--add-referral ADD_REFERRAL]
[--del-referral DEL_REFERRAL]
[--enable] [--disable]
[--cache-size CACHE_SIZE]
[--cache-memsize CACHE_MEMSIZE]
[--dncache-memsize DNCACHE_MEMSIZE]
be_name
- be_name
The backend name or suffix to delete
- --enable-readonly
Set backend database to be read-only
- --disable-readonly
Disable read-only mode for backend database
- --require-index
Only allow indexed searches
- --ignore-index
Allow all searches even if they are unindexed
- --add-referral ADD_REFERRAL
Add a LDAP referral to the backend
- --del-referral DEL_REFERRAL
Remove a LDAP referral to the backend
- --enable
Enable the backend database
- --disable
Disable the backend database
- --cache-size CACHE_SIZE
The maximum number of entries to keep in the entry cache
- --cache-memsize CACHE_MEMSIZE
The maximum size in bytes that the entry cache can grow to
- --dncache-memsize DNCACHE_MEMSIZE
The maximum size in bytes that the DN cache can grow to
OPTIONS 'dsconf backend index'
usage: dsconf instance backend index [-h]
{add,set,get,list,delete,reindex} ...
Sub-commands
- dsconf backend index add
Set configuration settings for a single backend
- dsconf backend index set
Edit an index entry
- dsconf backend index get
Get an index entry
- dsconf backend index list
Set configuration settings for a single backend
- dsconf backend index delete
Set configuration settings for a single backend
- dsconf backend index reindex
Reindex the database (for a single index or all indexes
OPTIONS 'dsconf backend index add'
usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
[--matching-rule MATCHING_RULE]
[--reindex] --attr ATTR
be_name
- be_name
The backend name or suffix to delete
- --index-type INDEX_TYPE
An indexing type: eq, sub, pres, or approximate
- --matching-rule MATCHING_RULE
Matching rule for the index
- --reindex
After adding new index, reindex the database
- --attr ATTR
The index attribute's name
OPTIONS 'dsconf backend index set'
usage: dsconf instance backend index set [-h] --attr ATTR
[--add-type ADD_TYPE]
[--del-type DEL_TYPE]
[--add-mr ADD_MR] [--del-mr DEL_MR]
[--reindex]
be_name
- be_name
The backend name or suffix to edit an index from
- --attr ATTR
The index name to edit
- --add-type ADD_TYPE
An index type to add to the index: eq, sub, pres, or approx
- --del-type DEL_TYPE
An index type to remove from the index: eq, sub, pres, or approx
- --add-mr ADD_MR
A matching-rule to add to the index
- --del-mr DEL_MR
A matching-rule to remove from the index
- --reindex
After editing index, reindex the database
OPTIONS 'dsconf backend index get'
usage: dsconf instance backend index get [-h] --attr ATTR be_name
- be_name
The backend name or suffix to get the index from
- --attr ATTR
The index name to get
OPTIONS 'dsconf backend index list'
usage: dsconf instance backend index list [-h] [--just-names] be_name
- be_name
The backend name or suffix to list indexes from
- --just-names
Return a list of just the attribute names for a backend
OPTIONS 'dsconf backend index delete'
usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name
- be_name
The backend name or suffix to delete
- --attr ATTR
The index attribute's name
OPTIONS 'dsconf backend index reindex'
usage: dsconf instance backend index reindex [-h] [--attr ATTR] [--wait]
be_name
- be_name
The backend name or suffix to reindex
- --attr ATTR
The index attribute's name to reindex. Skip this argument to reindex all attributes
- --wait
Wait for the index task to complete and report the status
OPTIONS 'dsconf backend vlv-index'
usage: dsconf instance backend vlv-index [-h]
{list,get,add-search,edit-search,del-search,add-index,del-index,reindex}
...
Sub-commands
- dsconf backend vlv-index list
List VLV search and index entries
- dsconf backend vlv-index get
Get a VLV search & index
- dsconf backend vlv-index add-search
Add a VLV search entry. The search entry is the parent entry of the VLV index entries, and it specifies the search params that are used to match entries for those indexes.
- dsconf backend vlv-index edit-search
Edit a VLV search & index
- dsconf backend vlv-index del-search
Delete VLV search & index
- dsconf backend vlv-index add-index
Create a VLV index under a VLV search entry(parent entry). The VLV index just specifies the attributes to sort
- dsconf backend vlv-index del-index
Delete a VLV index under a VLV search entry(parent entry).
- dsconf backend vlv-index reindex
Index/reindex the VLV database index
OPTIONS 'dsconf backend vlv-index list'
usage: dsconf instance backend vlv-index list [-h] [--just-names] be_name
- be_name
The backend name of the VLV index
- --just-names
List just the names of the VLV search entries
OPTIONS 'dsconf backend vlv-index get'
usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name
- be_name
The backend name of the VLV index
- --name NAME
Get the VLV search entry and its index entries
OPTIONS 'dsconf backend vlv-index add-search'
usage: dsconf instance backend vlv-index add-search [-h] --name NAME
--search-base SEARCH_BASE
--search-scope
SEARCH_SCOPE
--search-filter
SEARCH_FILTER
be_name
- be_name
The backend name of the VLV index
- --name NAME
Name of the VLV search entry
- --search-base SEARCH_BASE
The VLV search base
- --search-scope SEARCH_SCOPE
The VLV search scope: 0 (base search), 1 (one-level search), or 2 (subtree search)
- --search-filter SEARCH_FILTER
The VLV search filter
OPTIONS 'dsconf backend vlv-index edit-search'
usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
[--search-base SEARCH_BASE]
[--search-scope SEARCH_SCOPE]
[--search-filter SEARCH_FILTER]
[--reindex]
be_name
- be_name
The backend name of the VLV index
- --name NAME
Name of the VLV index
- --search-base SEARCH_BASE
The VLV search base
- --search-scope SEARCH_SCOPE
The VLV search scope: 0 (base search), 1 (one-level search), or 2 (subtree search)
- --search-filter SEARCH_FILTER
The VLV search filter
- --reindex
Reindex all the VLV database indexes
OPTIONS 'dsconf backend vlv-index del-search'
usage: dsconf instance backend vlv-index del-search [-h] --name NAME be_name
- be_name
The backend name of the VLV index
- --name NAME
Name of the VLV search index
OPTIONS 'dsconf backend vlv-index add-index'
usage: dsconf instance backend vlv-index add-index [-h] --parent-name
PARENT_NAME --index-name
INDEX_NAME --sort SORT
[--index-it]
be_name
- be_name
The backend name of the VLV index
- --parent-name PARENT_NAME
Name, or "cn" attribute value, of the parent VLV search entry
- --index-name INDEX_NAME
Name of the new VLV index
- --sort SORT
A space separated list of attributes to sort for this VLV index
- --index-it
Create the database index for this VLV index definition
OPTIONS 'dsconf backend vlv-index del-index'
usage: dsconf instance backend vlv-index del-index [-h] --parent-name
PARENT_NAME
[--index-name INDEX_NAME]
[--sort SORT]
be_name
- be_name
The backend name of the VLV index
- --parent-name PARENT_NAME
Name, or "cn" attribute value, of the parent VLV search entry
- --index-name INDEX_NAME
Name of the VLV index to delete
- --sort SORT
Delete a VLV index that has this vlvsort value
OPTIONS 'dsconf backend vlv-index reindex'
usage: dsconf instance backend vlv-index reindex [-h]
[--index-name INDEX_NAME]
--parent-name PARENT_NAME
be_name
- be_name
The backend name of the VLV index
- --index-name INDEX_NAME
Name of the VLV Index entry to reindex. If not set, all indexes are reindexed
- --parent-name PARENT_NAME
Name, or "cn" attribute value, of the parent VLV search entry
OPTIONS 'dsconf backend attr-encrypt'
usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-names]
[--add-attr ADD_ATTR]
[--del-attr DEL_ATTR]
be_name
- be_name
The backend name or suffix to to reindex
- --list
List all the encrypted attributes for this backend
- --just-names
List just the names of the encrypted attributes (used with --list)
- --add-attr ADD_ATTR
Add an attribute to be encrypted
- --del-attr DEL_ATTR
Remove an attribute from being encrypted
OPTIONS 'dsconf backend config'
usage: dsconf instance backend config [-h] {get,set} ...
Sub-commands
- dsconf backend config get
Get the global database configuration
- dsconf backend config set
Set the global database configuration
OPTIONS 'dsconf backend config get'
usage: dsconf instance backend config get [-h]
OPTIONS 'dsconf backend config set'
usage: dsconf instance backend config set [-h]
[--lookthroughlimit LOOKTHROUGHLIMIT]
[--mode MODE]
[--idlistscanlimit IDLISTSCANLIMIT]
[--directory DIRECTORY]
[--dbcachesize DBCACHESIZE]
[--logdirectory LOGDIRECTORY]
[--durable-txn DURABLE_TXN]
[--txn-wait TXN_WAIT]
[--checkpoint-interval CHECKPOINT_INTERVAL]
[--compactdb-interval COMPACTDB_INTERVAL]
[--txn-batch-val TXN_BATCH_VAL]
[--txn-batch-min TXN_BATCH_MIN]
[--txn-batch-max TXN_BATCH_MAX]
[--logbufsize LOGBUFSIZE]
[--locks LOCKS]
[--import-cache-autosize IMPORT_CACHE_AUTOSIZE]
[--cache-autosize CACHE_AUTOSIZE]
[--cache-autosize-split CACHE_AUTOSIZE_SPLIT]
[--import-cachesize IMPORT_CACHESIZE]
[--exclude-from-export EXCLUDE_FROM_EXPORT]
[--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT]
[--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT]
[--rangelookthroughlimit RANGELOOKTHROUGHLIMIT]
[--backend-opt-level BACKEND_OPT_LEVEL]
[--deadlock-policy DEADLOCK_POLICY]
[--db-home-directory DB_HOME_DIRECTORY]
- --lookthroughlimit LOOKTHROUGHLIMIT
specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request
- --mode MODE
Specifies the permissions used for newly created index files
- --idlistscanlimit IDLISTSCANLIMIT
Specifies the number of entry IDs that are searched during a search operation
- --directory DIRECTORY
Specifies absolute path to database instance
- --dbcachesize DBCACHESIZE
Specifies the database index cache size, in bytes.
- --logdirectory LOGDIRECTORY
Specifies the path to the directory that contains the database transaction logs
- --durable-txn DURABLE_TXN
Sets whether database transaction log entries are immediately written to the disk.
- --txn-wait TXN_WAIT
Sets whether the server should should wait if there are no db locks available
- --checkpoint-interval CHECKPOINT_INTERVAL
Sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log
- --compactdb-interval COMPACTDB_INTERVAL
Sets the interval in seconds when the database is compacted
- --txn-batch-val TXN_BATCH_VAL
Specifies how many transactions will be batched before being committed
- --txn-batch-min TXN_BATCH_MIN
Controls when transactions should be flushed earliest, independently of the batch count (only works when txn-batch-val is set)
- --txn-batch-max TXN_BATCH_MAX
Controls when transactions should be flushed latest, independently of the batch count (only works when txn-batch-val is set)
- --logbufsize LOGBUFSIZE
Specifies the transaction log information buffer size
- --locks LOCKS
Sets the maximum number of database locks
- --import-cache-autosize IMPORT_CACHE_AUTOSIZE
Set to "on" or "off" to automatically set the size of the import cache to be used during the the import process of LDIF files
- --cache-autosize CACHE_AUTOSIZE
Sets the percentage of free memory that is used in total for the database and entry cache. Set to "0" to disable this feature.
- --cache-autosize-split CACHE_AUTOSIZE_SPLIT
Sets the percentage of RAM that is used for the database cache. The remaining percentage is used for the entry cache
- --import-cachesize IMPORT_CACHESIZE
Sets the size, in bytes, of the database cache used in the import process.
- --exclude-from-export EXCLUDE_FROM_EXPORT
List of attributes to not include during database export operations
- --pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
Specifies the maximum number of entries that the Directory Server will check when examining candidate entries for a search which uses the simple paged results control
- --pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
Specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control.
- --rangelookthroughlimit RANGELOOKTHROUGHLIMIT
Specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a range search request.
- --backend-opt-level BACKEND_OPT_LEVEL
WARNING this parameter can trigger experimental code to improve write performance. Valid values are: 0, 1, 2, or 4
- --deadlock-policy DEADLOCK_POLICY
Adjusts the backend database deadlock policy (Advanced setting)
- --db-home-directory DB_HOME_DIRECTORY
Sets the directory for the database mmapped files (Advanced setting)
OPTIONS 'dsconf backend monitor'
usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]
- --suffix SUFFIX
Get just the suffix monitor entry
OPTIONS 'dsconf backend import'
usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
[-g GEN_UNIQ_ID] [-O]
[-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
[-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
[be_name] [ldifs ...]
- be_name
The backend name or the root suffix where to import
- ldifs
Specifies the filename of the input LDIF files.When multiple files are imported, they are imported in the orderthey are specified on the command line.
- -c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE
The number of chunks to have during the import operation.
- -E, --encrypted
Decrypts encrypted data during export. This option is used onlyif database encryption is enabled.
- -g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID
Generate a unique id. Type none for no unique ID to be generatedand deterministic for the generated unique ID to be name-based.By default, a time- based unique ID is generated.When using the deterministic generation to have a name-based unique ID,it is also possible to specify the namespace for the server to use.namespaceId is a string of charactersin the format 00-xxxxxxxx- xxxxxxxx-xxxxxxxx-xxxxxxxx.
- -O, --only-core
Requests that only the core database is created without attribute indexes.
- -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
Specifies the suffixes or the subtrees to be included.
- -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
Specifies the suffixes to be excluded.
OPTIONS 'dsconf backend export'
usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m] [-N] [-r]
[-u] [-U]
[-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
[-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
be_names [be_names ...]
- be_names
The backend names or the root suffixes from where to export.
- -l LDIF, --ldif LDIF
Gives the filename of the output LDIF file.If more than one are specified, use a space as a separator
- -C, --use-id2entry
Uses only the main database file.
- -E, --encrypted
Decrypts encrypted data during export. This option is used only if database encryption is enabled.
- -m, --min-base64
Sets minimal base-64 encoding.
- -N, --no-seq-num
Enables you to suppress printing the sequence number.
- -r, --replication
Exports the information required to initialize a replica when the LDIF is imported
- -u, --no-dump-uniq-id
Requests that the unique ID is not exported.
- -U, --not-folded
Requests that the output LDIF is not folded.
- -s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
Specifies the suffixes or the subtrees to be included.
- -x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
Specifies the suffixes to be excluded.
OPTIONS 'dsconf backend create'
usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUFFIX]
--suffix SUFFIX --be-name BE_NAME
[--create-entries] [--create-suffix]
- --parent-suffix PARENT_SUFFIX
Sets the parent suffix only if this backend is a sub-suffix
- --suffix SUFFIX
The database suffix DN, for example "dc=example,dc=com"
- --be-name BE_NAME
The database backend name, for example "userroot"
- --create-entries
Create sample entries in the database
- --create-suffix
Create the suffix object entry in the database. Only suffixes using the attributes 'dc', 'o', 'ou', or 'cn' are supported in this feature
OPTIONS 'dsconf backend delete'
usage: dsconf instance backend delete [-h] be_name
- be_name
The backend name or suffix to delete
OPTIONS 'dsconf backend get-tree'
usage: dsconf instance backend get-tree [-h]
OPTIONS 'dsconf backup'
usage: dsconf instance backup [-h] {create,restore} ...
Sub-commands
- dsconf backup create
Creates a backup of the database
- dsconf backup restore
Restores a database from a backup
OPTIONS 'dsconf backup create'
usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]
- archive
The directory where the backup files will be stored.The /var/lib/dirsrv/slapd- instance/bak directory is used by default.The backup file is named according to the year-month-day-hour format.
- -t DB_TYPE, --db-type DB_TYPE
Database type (default: ldbm database).
OPTIONS 'dsconf backup restore'
usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive
- archive
The directory of the backup files.
- -t DB_TYPE, --db-type DB_TYPE
Database type (default: ldbm database).
OPTIONS 'dsconf chaining'
usage: dsconf instance chaining [-h]
{config-get,config-set,config-get-def,config-set-def,link-create,link-get,link-set,link-delete,monitor,link-list}
...
Sub-commands
- dsconf chaining config-get
Get the chaining controls and server component lists
- dsconf chaining config-set
Set the chaining controls and server component lists
- dsconf chaining config-get-def
Get the default creation parameters for new database links
- dsconf chaining config-set-def
Set the default creation parameters for new database links
- dsconf chaining link-create
Create a database link to a remote server
- dsconf chaining link-get
get chaining database link
- dsconf chaining link-set
Edit a database link to a remote server
- dsconf chaining link-delete
Delete a database link
- dsconf chaining monitor
Get the monitor information for a database chaining link
- dsconf chaining link-list
List database links
OPTIONS 'dsconf chaining config-get'
usage: dsconf instance chaining config-get [-h] [--avail-controls]
[--avail-comps]
- --avail-controls
List available controls for chaining
- --avail-comps
List available plugin components for chaining
OPTIONS 'dsconf chaining config-set'
usage: dsconf instance chaining config-set [-h] [--add-control ADD_CONTROL]
[--del-control DEL_CONTROL]
[--add-comp ADD_COMP]
[--del-comp DEL_COMP]
- --add-control ADD_CONTROL
Add a transmitted control OID
- --del-control DEL_CONTROL
Delete a transmitted control OID
- --add-comp ADD_COMP
Add a chaining component
- --del-comp DEL_COMP
Delete a chaining component
OPTIONS 'dsconf chaining config-get-def'
usage: dsconf instance chaining config-get-def [-h]
OPTIONS 'dsconf chaining config-set-def'
usage: dsconf instance chaining config-set-def [-h]
[--conn-bind-limit CONN_BIND_LIMIT]
[--conn-op-limit CONN_OP_LIMIT]
[--abandon-check-interval ABANDON_CHECK_INTERVAL]
[--bind-limit BIND_LIMIT]
[--op-limit OP_LIMIT]
[--proxied-auth PROXIED_AUTH]
[--conn-lifetime CONN_LIFETIME]
[--bind-timeout BIND_TIMEOUT]
[--return-ref RETURN_REF]
[--check-aci CHECK_ACI]
[--bind-attempts BIND_ATTEMPTS]
[--size-limit SIZE_LIMIT]
[--time-limit TIME_LIMIT]
[--hop-limit HOP_LIMIT]
[--response-delay RESPONSE_DELAY]
[--test-response-delay TEST_RESPONSE_DELAY]
[--use-starttls USE_STARTTLS]
- --conn-bind-limit CONN_BIND_LIMIT
The maximum number of BIND connections the database link establishes with the remote server.
- --conn-op-limit CONN_OP_LIMIT
The maximum number of LDAP connections the database link establishes with the remote server.
- --abandon-check-interval ABANDON_CHECK_INTERVAL
The number of seconds that pass before the server checks for abandoned operations.
- --bind-limit BIND_LIMIT
The maximum number of concurrent bind operations per TCP connection.
- --op-limit OP_LIMIT
The maximum number of concurrent operations allowed.
- --proxied-auth PROXIED_AUTH
Set to "off" to disable proxied authorization, then binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute (on/off).
- --conn-lifetime CONN_LIFETIME
Specifies connection lifetime in seconds. 0 keeps connection open forever.
- --bind-timeout BIND_TIMEOUT
The amount of time in seconds before a bind attempt times out.
- --return-ref RETURN_REF
Sets whether referrals are returned by scoped searches (on/off).
- --check-aci CHECK_ACI
Set whether ACIs are evaluated on the database link as well as the remote data server (on/off).
- --bind-attempts BIND_ATTEMPTS
Sets the number of times the server tries to bind with the remote server.
- --size-limit SIZE_LIMIT
Sets the maximum number of entries to return from a search operation.
- --time-limit TIME_LIMIT
Sets the maximum number of seconds allowed for an operation.
- --hop-limit HOP_LIMIT
Sets the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.
- --response-delay RESPONSE_DELAY
The maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.
- --test-response-delay TEST_RESPONSE_DELAY
Sets the duration of the test issued by the database link to check whether the remote server is responding.
- --use-starttls USE_STARTTLS
Set to "on" specifies that the database links should use StartTLS for its secure connections.
OPTIONS 'dsconf chaining link-create'
usage: dsconf instance chaining link-create [-h]
[--conn-bind-limit CONN_BIND_LIMIT]
[--conn-op-limit CONN_OP_LIMIT]
[--abandon-check-interval ABANDON_CHECK_INTERVAL]
[--bind-limit BIND_LIMIT]
[--op-limit OP_LIMIT]
[--proxied-auth PROXIED_AUTH]
[--conn-lifetime CONN_LIFETIME]
[--bind-timeout BIND_TIMEOUT]
[--return-ref RETURN_REF]
[--check-aci CHECK_ACI]
[--bind-attempts BIND_ATTEMPTS]
[--size-limit SIZE_LIMIT]
[--time-limit TIME_LIMIT]
[--hop-limit HOP_LIMIT]
[--response-delay RESPONSE_DELAY]
[--test-response-delay TEST_RESPONSE_DELAY]
[--use-starttls USE_STARTTLS]
--suffix SUFFIX --server-url
SERVER_URL --bind-mech BIND_MECH
--bind-dn BIND_DN --bind-pw
BIND_PW
CHAIN_NAME
- CHAIN_NAME
The name of the database link
- --conn-bind-limit CONN_BIND_LIMIT
The maximum number of BIND connections the database link establishes with the remote server.
- --conn-op-limit CONN_OP_LIMIT
The maximum number of LDAP connections the database link establishes with the remote server.
- --abandon-check-interval ABANDON_CHECK_INTERVAL
The number of seconds that pass before the server checks for abandoned operations.
- --bind-limit BIND_LIMIT
The maximum number of concurrent bind operations per TCP connection.
- --op-limit OP_LIMIT
The maximum number of concurrent operations allowed.
- --proxied-auth PROXIED_AUTH
Set to "off" to disable proxied authorization, then binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute (on/off).
- --conn-lifetime CONN_LIFETIME
Specifies connection lifetime in seconds. 0 keeps connection open forever.
- --bind-timeout BIND_TIMEOUT
The amount of time in seconds before a bind attempt times out.
- --return-ref RETURN_REF
Sets whether referrals are returned by scoped searches (on/off).
- --check-aci CHECK_ACI
Set whether ACIs are evaluated on the database link as well as the remote data server (on/off).
- --bind-attempts BIND_ATTEMPTS
Sets the number of times the server tries to bind with the remote server.
- --size-limit SIZE_LIMIT
Sets the maximum number of entries to return from a search operation.
- --time-limit TIME_LIMIT
Sets the maximum number of seconds allowed for an operation.
- --hop-limit HOP_LIMIT
Sets the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.
- --response-delay RESPONSE_DELAY
The maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.
- --test-response-delay TEST_RESPONSE_DELAY
Sets the duration of the test issued by the database link to check whether the remote server is responding.
- --use-starttls USE_STARTTLS
Set to "on" specifies that the database links should use StartTLS for its secure connections.
- --suffix SUFFIX
The suffix managed by the database link.
- --server-url SERVER_URL
Gives the LDAP/LDAPS URL of the remote server.
- --bind-mech BIND_MECH
Sets the authentication method to use to authenticate to the remote server: SIMPLE, EXTERNAL, DIGEST-MD5, or GSSAPI. Default if unset is SIMPLE.
- --bind-dn BIND_DN
DN of the administrative entry used to communicate with the remote server
- --bind-pw BIND_PW
Password for the administrative user.
OPTIONS 'dsconf chaining link-get'
usage: dsconf instance chaining link-get [-h] CHAIN_NAME
- CHAIN_NAME
The chaining link name, or suffix, to retrieve
OPTIONS 'dsconf chaining link-set'
usage: dsconf instance chaining link-set [-h]
[--conn-bind-limit CONN_BIND_LIMIT]
[--conn-op-limit CONN_OP_LIMIT]
[--abandon-check-interval ABANDON_CHECK_INTERVAL]
[--bind-limit BIND_LIMIT]
[--op-limit OP_LIMIT]
[--proxied-auth PROXIED_AUTH]
[--conn-lifetime CONN_LIFETIME]
[--bind-timeout BIND_TIMEOUT]
[--return-ref RETURN_REF]
[--check-aci CHECK_ACI]
[--bind-attempts BIND_ATTEMPTS]
[--size-limit SIZE_LIMIT]
[--time-limit TIME_LIMIT]
[--hop-limit HOP_LIMIT]
[--response-delay RESPONSE_DELAY]
[--test-response-delay TEST_RESPONSE_DELAY]
[--use-starttls USE_STARTTLS]
[--suffix SUFFIX]
[--server-url SERVER_URL]
[--bind-mech BIND_MECH]
[--bind-dn BIND_DN]
[--bind-pw BIND_PW]
CHAIN_NAME
- CHAIN_NAME
The name of the database link
- --conn-bind-limit CONN_BIND_LIMIT
The maximum number of BIND connections the database link establishes with the remote server.
- --conn-op-limit CONN_OP_LIMIT
The maximum number of LDAP connections the database link establishes with the remote server.
- --abandon-check-interval ABANDON_CHECK_INTERVAL
The number of seconds that pass before the server checks for abandoned operations.
- --bind-limit BIND_LIMIT
The maximum number of concurrent bind operations per TCP connection.
- --op-limit OP_LIMIT
The maximum number of concurrent operations allowed.
- --proxied-auth PROXIED_AUTH
Set to "off" to disable proxied authorization, then binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute (on/off).
- --conn-lifetime CONN_LIFETIME
Specifies connection lifetime in seconds. 0 keeps connection open forever.
- --bind-timeout BIND_TIMEOUT
The amount of time in seconds before a bind attempt times out.
- --return-ref RETURN_REF
Sets whether referrals are returned by scoped searches (on/off).
- --check-aci CHECK_ACI
Set whether ACIs are evaluated on the database link as well as the remote data server (on/off).
- --bind-attempts BIND_ATTEMPTS
Sets the number of times the server tries to bind with the remote server.
- --size-limit SIZE_LIMIT
Sets the maximum number of entries to return from a search operation.
- --time-limit TIME_LIMIT
Sets the maximum number of seconds allowed for an operation.
- --hop-limit HOP_LIMIT
Sets the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.
- --response-delay RESPONSE_DELAY
The maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.
- --test-response-delay TEST_RESPONSE_DELAY
Sets the duration of the test issued by the database link to check whether the remote server is responding.
- --use-starttls USE_STARTTLS
Set to "on" specifies that the database links should use StartTLS for its secure connections.
- --suffix SUFFIX
The suffix managed by the database link.
- --server-url SERVER_URL
Gives the LDAP/LDAPS URL of the remote server.
- --bind-mech BIND_MECH
Sets the authentication method to use to authenticate to the remote server: SIMPLE, EXTERNAL, DIGEST-MD5, or GSSAPI. Default if unset is SIMPLE.
- --bind-dn BIND_DN
DN of the administrative entry used to communicate with the remote server
- --bind-pw BIND_PW
Password for the administrative user.
OPTIONS 'dsconf chaining link-delete'
usage: dsconf instance chaining link-delete [-h] CHAIN_NAME
- CHAIN_NAME
The name of the database link
OPTIONS 'dsconf chaining monitor'
usage: dsconf instance chaining monitor [-h] CHAIN_NAME
- CHAIN_NAME
The name of the database link
OPTIONS 'dsconf chaining link-list'
usage: dsconf instance chaining link-list [-h]
OPTIONS 'dsconf config'
usage: dsconf instance config [-h] {get,add,replace,delete} ...
Sub-commands
- dsconf config get
get
- dsconf config add
Add attribute value to configuration
- dsconf config replace
Replace attribute value in configuration
- dsconf config delete
Delete attribute value in configuration
OPTIONS 'dsconf config get'
usage: dsconf instance config get [-h] [attrs ...]
- attrs
Configuration attribute(s) to get
OPTIONS 'dsconf config add'
usage: dsconf instance config add [-h] [attr ...]
- attr
Configuration attribute to add
OPTIONS 'dsconf config replace'
usage: dsconf instance config replace [-h] [attr ...]
- attr
Configuration attribute to replace
OPTIONS 'dsconf config delete'
usage: dsconf instance config delete [-h] [attr ...]
- attr
Configuration attribute to delete
OPTIONS 'dsconf directory_manager'
usage: dsconf instance directory_manager [-h] {password_change} ...
Sub-commands
- dsconf directory_manager password_change
Change the directory manager password
OPTIONS 'dsconf directory_manager password_change'
usage: dsconf instance directory_manager password_change [-h]
OPTIONS 'dsconf monitor'
usage: dsconf instance monitor [-h]
{server,dbmon,ldbm,backend,snmp,chaining,disk}
...
Sub-commands
- dsconf monitor server
Monitor the server statistics, connections and operations
- dsconf monitor dbmon
Monitor the all the database statistics in a single report
- dsconf monitor ldbm
Monitor the ldbm statistics, such as dbcache
- dsconf monitor backend
Monitor the behavior of a backend database
- dsconf monitor snmp
Monitor the SNMP statistics
- dsconf monitor chaining
Monitor database chaining statistics
- dsconf monitor disk
Disk space statistics. All values are in bytes
OPTIONS 'dsconf monitor server'
usage: dsconf instance monitor server [-h]
OPTIONS 'dsconf monitor dbmon'
usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]
- -b BACKENDS, --backends BACKENDS
List of space separated backends to monitor. Default is all backends.
- -x, --indexes
Show index stats for each backend
OPTIONS 'dsconf monitor ldbm'
usage: dsconf instance monitor ldbm [-h]
OPTIONS 'dsconf monitor backend'
usage: dsconf instance monitor backend [-h] [backend]
- backend
Optional name of the backend to monitor
OPTIONS 'dsconf monitor snmp'
usage: dsconf instance monitor snmp [-h]
OPTIONS 'dsconf monitor chaining'
usage: dsconf instance monitor chaining [-h] [backend]
- backend
Optional name of the chaining backend to monitor
OPTIONS 'dsconf monitor disk'
usage: dsconf instance monitor disk [-h]
OPTIONS 'dsconf plugin'
usage: dsconf instance plugin [-h]
{memberof,automember,referential-integrity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-entries,pass-through-auth,retro-changelog,posix-winsync,contentsync,list,show,set}
...
Sub-commands
- dsconf plugin memberof
Manage and configure MemberOf plugin
- dsconf plugin automember
Manage and configure Automembership plugin
- dsconf plugin referential-integrity
Manage and configure Referential Integrity Postoperation plugin
- dsconf plugin root-dn
Manage and configure RootDN Access Control plugin
- dsconf plugin usn
Manage and configure USN plugin
- dsconf plugin account-policy
Manage and configure Account Policy plugin
- dsconf plugin attr-uniq
Manage and configure Attribute Uniqueness plugin
- dsconf plugin dna
Manage and configure DNA plugin
- dsconf plugin linked-attr
Manage and configure Linked Attributes plugin
- dsconf plugin managed-entries
Manage and configure Managed Entries Plugin
- dsconf plugin pass-through-auth
Manage and configure Pass-Through Authentication plugins (URLs and PAM)
- dsconf plugin retro-changelog
Manage and configure Retro Changelog plugin
- dsconf plugin posix-winsync
Manage and configure The Posix Winsync API plugin
- dsconf plugin contentsync
Manage and configure Content Sync Plugin (aka syncrepl)
- dsconf plugin list
List current configured (enabled and disabled) plugins
- dsconf plugin show
Show the plugin data
- dsconf plugin set
Edit the plugin
OPTIONS 'dsconf plugin memberof'
usage: dsconf instance plugin memberof [-h]
{show,enable,disable,status,set,config-entry,fixup}
...
Sub-commands
- dsconf plugin memberof show
display plugin configuration
- dsconf plugin memberof enable
enable plugin
- dsconf plugin memberof disable
disable plugin
- dsconf plugin memberof status
display plugin status
- dsconf plugin memberof set
Edit the plugin
- dsconf plugin memberof config-entry
Manage the config entry
- dsconf plugin memberof fixup
Run the fix-up task for memberOf plugin
OPTIONS 'dsconf plugin memberof show'
usage: dsconf instance plugin memberof show [-h]
OPTIONS 'dsconf plugin memberof enable'
usage: dsconf instance plugin memberof enable [-h]
OPTIONS 'dsconf plugin memberof disable'
usage: dsconf instance plugin memberof disable [-h]
OPTIONS 'dsconf plugin memberof status'
usage: dsconf instance plugin memberof status [-h]
OPTIONS 'dsconf plugin memberof set'
usage: dsconf instance plugin memberof set [-h] [--attr ATTR [ATTR ...]]
[--groupattr GROUPATTR [GROUPATTR ...]]
[--allbackends {on,off}]
[--skipnested {on,off}]
[--scope SCOPE] [--exclude EXCLUDE]
[--autoaddoc AUTOADDOC]
[--config-entry CONFIG_ENTRY]
- --attr ATTR [ATTR ...]
Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)
- --groupattr GROUPATTR [GROUPATTR ...]
Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)
- --allbackends {on,off}
Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)
- --skipnested {on,off}
Specifies wherher to skip nested groups or not (memberOfSkipNested)
- --scope SCOPE
Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)
- --exclude EXCLUDE
Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)
- --autoaddoc AUTOADDOC
If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter
- --config-entry CONFIG_ENTRY
The value to set as nsslapd-pluginConfigArea
OPTIONS 'dsconf plugin memberof config-entry'
usage: dsconf instance plugin memberof config-entry [-h]
{add,set,show,delete} ...
Sub-commands
- dsconf plugin memberof config-entry add
Add the config entry
- dsconf plugin memberof config-entry set
Edit the config entry
- dsconf plugin memberof config-entry show
Display the config entry
- dsconf plugin memberof config-entry delete
Delete the config entry
OPTIONS 'dsconf plugin memberof config-entry add'
usage: dsconf instance plugin memberof config-entry add [-h]
[--attr ATTR [ATTR ...]]
[--groupattr GROUPATTR [GROUPATTR ...]]
[--allbackends {on,off}]
[--skipnested {on,off}]
[--scope SCOPE]
[--exclude EXCLUDE]
[--autoaddoc AUTOADDOC]
DN
- DN
The config entry full DN
- --attr ATTR [ATTR ...]
Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)
- --groupattr GROUPATTR [GROUPATTR ...]
Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)
- --allbackends {on,off}
Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)
- --skipnested {on,off}
Specifies wherher to skip nested groups or not (memberOfSkipNested)
- --scope SCOPE
Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)
- --exclude EXCLUDE
Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)
- --autoaddoc AUTOADDOC
If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter
OPTIONS 'dsconf plugin memberof config-entry set'
usage: dsconf instance plugin memberof config-entry set [-h]
[--attr ATTR [ATTR ...]]
[--groupattr GROUPATTR [GROUPATTR ...]]
[--allbackends {on,off}]
[--skipnested {on,off}]
[--scope SCOPE]
[--exclude EXCLUDE]
[--autoaddoc AUTOADDOC]
DN
- DN
The config entry full DN
- --attr ATTR [ATTR ...]
Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)
- --groupattr GROUPATTR [GROUPATTR ...]
Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)
- --allbackends {on,off}
Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)
- --skipnested {on,off}
Specifies wherher to skip nested groups or not (memberOfSkipNested)
- --scope SCOPE
Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)
- --exclude EXCLUDE
Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)
- --autoaddoc AUTOADDOC
If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter
OPTIONS 'dsconf plugin memberof config-entry show'
usage: dsconf instance plugin memberof config-entry show [-h] DN
- DN
The config entry full DN
OPTIONS 'dsconf plugin memberof config-entry delete'
usage: dsconf instance plugin memberof config-entry delete [-h] DN
- DN
The config entry full DN
OPTIONS 'dsconf plugin memberof fixup'
usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] DN
- DN
Base DN that contains entries to fix up
- -f FILTER, --filter FILTER
Filter for entries to fix up. If omitted, all entries with objectclass inetuser/inetadmin/nsmemberof under the specified base will have their memberOf attribute regenerated.
OPTIONS 'dsconf plugin automember'
usage: dsconf instance plugin automember [-h]
{show,enable,disable,status,list,definition,fixup}
...
Sub-commands
- dsconf plugin automember show
display plugin configuration
- dsconf plugin automember enable
enable plugin
- dsconf plugin automember disable
disable plugin
- dsconf plugin automember status
display plugin status
- dsconf plugin automember list
List Automembership definitions or regex rules.
- dsconf plugin automember definition
Manage Automembership definition.
- dsconf plugin automember fixup
Run a rebuild membership task.
OPTIONS 'dsconf plugin automember show'
usage: dsconf instance plugin automember show [-h]
OPTIONS 'dsconf plugin automember enable'
usage: dsconf instance plugin automember enable [-h]
OPTIONS 'dsconf plugin automember disable'
usage: dsconf instance plugin automember disable [-h]
OPTIONS 'dsconf plugin automember status'
usage: dsconf instance plugin automember status [-h]
OPTIONS 'dsconf plugin automember list'
usage: dsconf instance plugin automember list [-h] {definitions,regexes} ...
Sub-commands
- dsconf plugin automember list definitions
List Automembership definitions.
- dsconf plugin automember list regexes
List Automembership regex rules.
OPTIONS 'dsconf plugin automember list definitions'
usage: dsconf instance plugin automember list definitions [-h]
OPTIONS 'dsconf plugin automember list regexes'
usage: dsconf instance plugin automember list regexes [-h] DEFNAME
- DEFNAME
The definition entry CN.
OPTIONS 'dsconf plugin automember definition'
usage: dsconf instance plugin automember definition [-h]
DEFNAME
{add,set,delete,show,regex}
...
- DEFNAME
The definition entry CN.
Sub-commands
- dsconf plugin automember definition add
Create Automembership definition.
- dsconf plugin automember definition set
Edit Automembership definition.
- dsconf plugin automember definition delete
Remove Automembership definition.
- dsconf plugin automember definition show
Display Automembership definition.
- dsconf plugin automember definition regex
Manage Automembership regex rules.
OPTIONS 'dsconf plugin automember definition add'
usage: dsconf instance plugin automember definition DEFNAME add
[-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
--scope SCOPE --filter FILTER
- --grouping-attr GROUPING_ATTR
Specifies the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr (autoMemberGroupingAttr)
- --default-group DEFAULT_GROUP
Sets default or fallback group to add the entry to as a member attribute in group entry (autoMemberDefaultGroup)
- --scope SCOPE
Sets the subtree DN to search for entries (autoMemberScope)
- --filter FILTER
Sets a standard LDAP search filter to use to search for matching entries (autoMemberFilter)
OPTIONS 'dsconf plugin automember definition set'
usage: dsconf instance plugin automember definition DEFNAME set
[-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
--scope SCOPE --filter FILTER
- --grouping-attr GROUPING_ATTR
Specifies the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr (autoMemberGroupingAttr)
- --default-group DEFAULT_GROUP
Sets default or fallback group to add the entry to as a member attribute in group entry (autoMemberDefaultGroup)
- --scope SCOPE
Sets the subtree DN to search for entries (autoMemberScope)
- --filter FILTER
Sets a standard LDAP search filter to use to search for matching entries (autoMemberFilter)
OPTIONS 'dsconf plugin automember definition delete'
usage: dsconf instance plugin automember definition DEFNAME delete [-h]
OPTIONS 'dsconf plugin automember definition show'
usage: dsconf instance plugin automember definition DEFNAME show [-h]
OPTIONS 'dsconf plugin automember definition regex'
usage: dsconf instance plugin automember definition DEFNAME regex
[-h] REGEXNAME {add,set,delete,show} ...
- REGEXNAME
The regex entry CN.
Sub-commands
- dsconf plugin automember definition regex add
Create Automembership regex.
- dsconf plugin automember definition regex set
Edit Automembership regex.
- dsconf plugin automember definition regex delete
Remove Automembership regex.
- dsconf plugin automember definition regex show
Display Automembership regex.
OPTIONS 'dsconf plugin automember definition regex add'
usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME add
[-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
[--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP
- --exclusive EXCLUSIVE [EXCLUSIVE ...]
Sets a single regular expression to use to identify entries to exclude (autoMemberExclusiveRegex)
- --inclusive INCLUSIVE [INCLUSIVE ...]
Sets a single regular expression to use to identify entries to include (autoMemberInclusiveRegex)
- --target-group TARGET_GROUP
Sets which group to add the entry to as a member, if it meets the regular expression conditions (autoMemberTargetGroup)
OPTIONS 'dsconf plugin automember definition regex set'
usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME set
[-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
[--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP
- --exclusive EXCLUSIVE [EXCLUSIVE ...]
Sets a single regular expression to use to identify entries to exclude (autoMemberExclusiveRegex)
- --inclusive INCLUSIVE [INCLUSIVE ...]
Sets a single regular expression to use to identify entries to include (autoMemberInclusiveRegex)
- --target-group TARGET_GROUP
Sets which group to add the entry to as a member, if it meets the regular expression conditions (autoMemberTargetGroup)
OPTIONS 'dsconf plugin automember definition regex delete'
usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME delete
[-h]
OPTIONS 'dsconf plugin automember definition regex show'
usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME show
[-h]
OPTIONS 'dsconf plugin automember fixup'
usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
{sub,base,one}
DN
- DN
Base DN that contains entries to fix up
- -f FILTER, --filter FILTER
LDAP filter for entries to fix up.
- -s {sub,base,one}, --scope {sub,base,one}
LDAP search scope for entries to fix up
OPTIONS 'dsconf plugin referential-integrity'
usage: dsconf instance plugin referential-integrity [-h]
{show,enable,disable,status,set,config-entry}
...
Sub-commands
- dsconf plugin referential-integrity show
display plugin configuration
- dsconf plugin referential-integrity enable
enable plugin
- dsconf plugin referential-integrity disable
disable plugin
- dsconf plugin referential-integrity status
display plugin status
- dsconf plugin referential-integrity set
Edit the plugin
- dsconf plugin referential-integrity config-entry
Manage the config entry
OPTIONS 'dsconf plugin referential-integrity show'
usage: dsconf instance plugin referential-integrity show [-h]
OPTIONS 'dsconf plugin referential-integrity enable'
usage: dsconf instance plugin referential-integrity enable [-h]
OPTIONS 'dsconf plugin referential-integrity disable'
usage: dsconf instance plugin referential-integrity disable [-h]
OPTIONS 'dsconf plugin referential-integrity status'
usage: dsconf instance plugin referential-integrity status [-h]
OPTIONS 'dsconf plugin referential-integrity set'
usage: dsconf instance plugin referential-integrity set [-h]
[--update-delay UPDATE_DELAY]
[--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
[--entry-scope ENTRY_SCOPE]
[--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
[--container-scope CONTAINER_SCOPE]
[--log-file LOG_FILE]
[--config-entry CONFIG_ENTRY]
- --update-delay UPDATE_DELAY
Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)
- --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
Specifies attributes to check for and update (referint-membership-attr)
- --entry-scope ENTRY_SCOPE
Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)
- --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)
- --container-scope CONTAINER_SCOPE
Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)
- --log-file LOG_FILE
Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
- --config-entry CONFIG_ENTRY
The value to set as nsslapd-pluginConfigArea
OPTIONS 'dsconf plugin referential-integrity config-entry'
usage: dsconf instance plugin referential-integrity config-entry
[-h] {add,set,show,delete} ...
Sub-commands
- dsconf plugin referential-integrity config-entry add
Add the config entry
- dsconf plugin referential-integrity config-entry set
Edit the config entry
- dsconf plugin referential-integrity config-entry show
Display the config entry
- dsconf plugin referential-integrity config-entry delete
Delete the config entry
OPTIONS 'dsconf plugin referential-integrity config-entry add'
usage: dsconf instance plugin referential-integrity config-entry add
[-h] [--update-delay UPDATE_DELAY]
[--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
[--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
[--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
DN
- DN
The config entry full DN
- --update-delay UPDATE_DELAY
Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)
- --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
Specifies attributes to check for and update (referint-membership-attr)
- --entry-scope ENTRY_SCOPE
Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)
- --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)
- --container-scope CONTAINER_SCOPE
Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)
- --log-file LOG_FILE
Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
OPTIONS 'dsconf plugin referential-integrity config-entry set'
usage: dsconf instance plugin referential-integrity config-entry set
[-h] [--update-delay UPDATE_DELAY]
[--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
[--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
[--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
DN
- DN
The config entry full DN
- --update-delay UPDATE_DELAY
Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)
- --membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]
Specifies attributes to check for and update (referint-membership-attr)
- --entry-scope ENTRY_SCOPE
Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)
- --exclude-entry-scope EXCLUDE_ENTRY_SCOPE
Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)
- --container-scope CONTAINER_SCOPE
Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)
- --log-file LOG_FILE
Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint
OPTIONS 'dsconf plugin referential-integrity config-entry show'
usage: dsconf instance plugin referential-integrity config-entry show [-h] DN
- DN
The config entry full DN
OPTIONS 'dsconf plugin referential-integrity config-entry delete'
usage: dsconf instance plugin referential-integrity config-entry delete
[-h] DN
- DN
The config entry full DN
OPTIONS 'dsconf plugin root-dn'
usage: dsconf instance plugin root-dn [-h]
{show,enable,disable,status,set} ...
Sub-commands
- dsconf plugin root-dn show
display plugin configuration
- dsconf plugin root-dn enable
enable plugin
- dsconf plugin root-dn disable
disable plugin
- dsconf plugin root-dn status
display plugin status
- dsconf plugin root-dn set
Edit the plugin
OPTIONS 'dsconf plugin root-dn show'
usage: dsconf instance plugin root-dn show [-h]
OPTIONS 'dsconf plugin root-dn enable'
usage: dsconf instance plugin root-dn enable [-h]
OPTIONS 'dsconf plugin root-dn disable'
usage: dsconf instance plugin root-dn disable [-h]
OPTIONS 'dsconf plugin root-dn status'
usage: dsconf instance plugin root-dn status [-h]
OPTIONS 'dsconf plugin root-dn set'
usage: dsconf instance plugin root-dn set [-h]
[--allow-host ALLOW_HOST [ALLOW_HOST ...]]
[--deny-host DENY_HOST [DENY_HOST ...]]
[--allow-ip ALLOW_IP [ALLOW_IP ...]]
[--deny-ip DENY_IP [DENY_IP ...]]
[--open-time OPEN_TIME]
[--close-time CLOSE_TIME]
[--days-allowed DAYS_ALLOWED]
- --allow-host ALLOW_HOST [ALLOW_HOST ...]
Sets what hosts, by fully-qualified domain name, the root user is allowed to use to access the Directory Server. Any hosts not listed are implicitly denied (rootdn-allow-host)
- --deny-host DENY_HOST [DENY_HOST ...]
Sets what hosts, by fully-qualified domain name, the root user is not allowed to use to access the Directory Server Any hosts not listed are implicitly allowed (rootdn-deny-host). If an host address is listed in both the rootdn- allow-host and rootdn-deny-host attributes, it is denied access.
- --allow-ip ALLOW_IP [ALLOW_IP ...]
Sets what IP addresses, either IPv4 or IPv6, for machines the root user is allowed to use to access the Directory Server Any IP addresses not listed are implicitly denied (rootdn-allow-ip)
- --deny-ip DENY_IP [DENY_IP ...]
Sets what IP addresses, either IPv4 or IPv6, for machines the root user is not allowed to use to access the Directory Server. Any IP addresses not listed are implicitly allowed (rootdn-deny-ip) If an IP address is listed in both the rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.
- --open-time OPEN_TIME
Sets part of a time period or range when the root user is allowed to access the Directory Server. This sets when the time-based access begins (rootdn- open-time)
- --close-time CLOSE_TIME
Sets part of a time period or range when the root user is allowed to access the Directory Server. This sets when the time-based access ends (rootdn-close- time)
- --days-allowed DAYS_ALLOWED
Gives a comma-separated list of what days the root user is allowed to use to access the Directory Server. Any days listed are implicitly denied (rootdn- days-allowed)
OPTIONS 'dsconf plugin usn'
usage: dsconf instance plugin usn [-h]
{show,enable,disable,status,global,cleanup}
...
Sub-commands
- dsconf plugin usn show
display plugin configuration
- dsconf plugin usn enable
enable plugin
- dsconf plugin usn disable
disable plugin
- dsconf plugin usn status
display plugin status
- dsconf plugin usn global
Get or manage global usn mode (nsslapd-entryusn-global)
- dsconf plugin usn cleanup
Run the USN tombstone cleanup task
OPTIONS 'dsconf plugin usn show'
usage: dsconf instance plugin usn show [-h]
OPTIONS 'dsconf plugin usn enable'
usage: dsconf instance plugin usn enable [-h]
OPTIONS 'dsconf plugin usn disable'
usage: dsconf instance plugin usn disable [-h]
OPTIONS 'dsconf plugin usn status'
usage: dsconf instance plugin usn status [-h]
OPTIONS 'dsconf plugin usn global'
usage: dsconf instance plugin usn global [-h] {on,off} ...
Sub-commands
- dsconf plugin usn global on
Enable usn global mode
- dsconf plugin usn global off
Disable usn global mode
OPTIONS 'dsconf plugin usn global on'
usage: dsconf instance plugin usn global on [-h]
OPTIONS 'dsconf plugin usn global off'
usage: dsconf instance plugin usn global off [-h]
OPTIONS 'dsconf plugin usn cleanup'
usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
[-m MAX_USN]
- -s SUFFIX, --suffix SUFFIX
Gives the suffix or subtree in the Directory Server to run the cleanup operation against. If the suffix is not specified, then the back end must be given (suffix)
- -n BACKEND, --backend BACKEND
Gives the Directory Server instance back end, or database, to run the cleanup operation against. If the back end is not specified, then the suffix must be specified. Backend instance in which USN tombstone entries (backend)
- -m MAX_USN, --max-usn MAX_USN
Gives the highest USN value to delete when removing tombstone entries (max_usn_to_delete)
OPTIONS 'dsconf plugin account-policy'
usage: dsconf instance plugin account-policy [-h]
{show,enable,disable,status,set,config-entry}
...
Sub-commands
- dsconf plugin account-policy show
display plugin configuration
- dsconf plugin account-policy enable
enable plugin
- dsconf plugin account-policy disable
disable plugin
- dsconf plugin account-policy status
display plugin status
- dsconf plugin account-policy set
Edit the plugin
- dsconf plugin account-policy config-entry
Manage the config entry
OPTIONS 'dsconf plugin account-policy show'
usage: dsconf instance plugin account-policy show [-h]
OPTIONS 'dsconf plugin account-policy enable'
usage: dsconf instance plugin account-policy enable [-h]
OPTIONS 'dsconf plugin account-policy disable'
usage: dsconf instance plugin account-policy disable [-h]
OPTIONS 'dsconf plugin account-policy status'
usage: dsconf instance plugin account-policy status [-h]
OPTIONS 'dsconf plugin account-policy set'
usage: dsconf instance plugin account-policy set [-h]
[--config-entry CONFIG_ENTRY]
- --config-entry CONFIG_ENTRY
The value to set as nsslapd-pluginConfigArea
OPTIONS 'dsconf plugin account-policy config-entry'
usage: dsconf instance plugin account-policy config-entry [-h]
{add,set,show,delete}
...
Sub-commands
- dsconf plugin account-policy config-entry add
Add the config entry
- dsconf plugin account-policy config-entry set
Edit the config entry
- dsconf plugin account-policy config-entry show
Display the config entry
- dsconf plugin account-policy config-entry delete
Delete the config entry
OPTIONS 'dsconf plugin account-policy config-entry add'
usage: dsconf instance plugin account-policy config-entry add
[-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
[--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
[--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
[--state-attr STATE_ATTR]
DN
- DN
The config entry full DN
- --always-record-login {yes,no}
Sets that every entry records its last login time (alwaysRecordLogin)
- --alt-state-attr ALT_STATE_ATTR
Provides a backup attribute for the server to reference to evaluate the expiration time (altStateAttrName)
- --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
Specifies the attribute to store the time of the last successful login in this attribute in the users directory entry (alwaysRecordLoginAttr)
- --limit-attr LIMIT_ATTR
Specifies the attribute within the policy to use for the account inactivation limit (limitAttrName)
- --spec-attr SPEC_ATTR
Specifies the attribute to identify which entries are account policy configuration entries (specAttrName)
- --state-attr STATE_ATTR
Specifies the primary time attribute used to evaluate an account policy (stateAttrName)
OPTIONS 'dsconf plugin account-policy config-entry set'
usage: dsconf instance plugin account-policy config-entry set
[-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
[--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
[--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
[--state-attr STATE_ATTR]
DN
- DN
The config entry full DN
- --always-record-login {yes,no}
Sets that every entry records its last login time (alwaysRecordLogin)
- --alt-state-attr ALT_STATE_ATTR
Provides a backup attribute for the server to reference to evaluate the expiration time (altStateAttrName)
- --always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR
Specifies the attribute to store the time of the last successful login in this attribute in the users directory entry (alwaysRecordLoginAttr)
- --limit-attr LIMIT_ATTR
Specifies the attribute within the policy to use for the account inactivation limit (limitAttrName)
- --spec-attr SPEC_ATTR
Specifies the attribute to identify which entries are account policy configuration entries (specAttrName)
- --state-attr STATE_ATTR
Specifies the primary time attribute used to evaluate an account policy (stateAttrName)
OPTIONS 'dsconf plugin account-policy config-entry show'
usage: dsconf instance plugin account-policy config-entry show [-h] DN
- DN
The config entry full DN
OPTIONS 'dsconf plugin account-policy config-entry delete'
usage: dsconf instance plugin account-policy config-entry delete [-h] DN
- DN
The config entry full DN
OPTIONS 'dsconf plugin attr-uniq'
usage: dsconf instance plugin attr-uniq [-h]
{list,add,set,show,delete,enable,disable,status}
...
Sub-commands
- dsconf plugin attr-uniq list
List available plugin configs
- dsconf plugin attr-uniq add
Add the config entry
- dsconf plugin attr-uniq set
Edit the config entry
- dsconf plugin attr-uniq show
Display the config entry
- dsconf plugin attr-uniq delete
Delete the config entry
- dsconf plugin attr-uniq enable
enable plugin
- dsconf plugin attr-uniq disable
disable plugin
- dsconf plugin attr-uniq status
display plugin status
OPTIONS 'dsconf plugin attr-uniq list'
usage: dsconf instance plugin attr-uniq list [-h]
OPTIONS 'dsconf plugin attr-uniq add'
usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
[--attr-name ATTR_NAME [ATTR_NAME ...]]
[--subtree SUBTREE [SUBTREE ...]]
[--across-all-subtrees {on,off}]
[--top-entry-oc TOP_ENTRY_OC]
[--subtree-entries-oc SUBTREE_ENTRIES_OC]
NAME
- NAME
Sets the name of the plug-in configuration record. (cn) You can use any string, but "attribute_name Attribute Uniqueness" is recommended.
- --enabled {on,off}
Identifies whether or not the config is enabled.
- --attr-name ATTR_NAME [ATTR_NAME ...]
Sets the name of the attribute whose values must be unique. This attribute is multi-valued. (uniqueness-attribute-name)
- --subtree SUBTREE [SUBTREE ...]
Sets the DN under which the plug-in checks for uniqueness of the attributes value. This attribute is multi-valued (uniqueness-subtrees)
- --across-all-subtrees {on,off}
If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry (uniqueness-across-all-subtrees)
- --top-entry-oc TOP_ENTRY_OC
Verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree (uniqueness-top-entry-oc)
- --subtree-entries-oc SUBTREE_ENTRIES_OC
Verifies if an attribute is unique, if the entry contains the object class set in this parameter (uniqueness-subtree-entries-oc)
OPTIONS 'dsconf plugin attr-uniq set'
usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
[--attr-name ATTR_NAME [ATTR_NAME ...]]
[--subtree SUBTREE [SUBTREE ...]]
[--across-all-subtrees {on,off}]
[--top-entry-oc TOP_ENTRY_OC]
[--subtree-entries-oc SUBTREE_ENTRIES_OC]
NAME
- NAME
Sets the name of the plug-in configuration record. (cn) You can use any string, but "attribute_name Attribute Uniqueness" is recommended.
- --enabled {on,off}
Identifies whether or not the config is enabled.
- --attr-name ATTR_NAME [ATTR_NAME ...]
Sets the name of the attribute whose values must be unique. This attribute is multi-valued. (uniqueness-attribute-name)
- --subtree SUBTREE [SUBTREE ...]
Sets the DN under which the plug-in checks for uniqueness of the attributes value. This attribute is multi-valued (uniqueness-subtrees)
- --across-all-subtrees {on,off}
If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry (uniqueness-across-all-subtrees)
- --top-entry-oc TOP_ENTRY_OC
Verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree (uniqueness-top-entry-oc)
- --subtree-entries-oc SUBTREE_ENTRIES_OC
Verifies if an attribute is unique, if the entry contains the object class set in this parameter (uniqueness-subtree-entries-oc)
OPTIONS 'dsconf plugin attr-uniq show'
usage: dsconf instance plugin attr-uniq show [-h] NAME
- NAME
The name of the plug-in configuration record
OPTIONS 'dsconf plugin attr-uniq delete'
usage: dsconf instance plugin attr-uniq delete [-h] NAME
- NAME
Sets the name of the plug-in configuration record
OPTIONS 'dsconf plugin attr-uniq enable'
usage: dsconf instance plugin attr-uniq enable [-h] NAME
- NAME
Sets the name of the plug-in configuration record
OPTIONS 'dsconf plugin attr-uniq disable'
usage: dsconf instance plugin attr-uniq disable [-h] NAME
- NAME
Sets the name of the plug-in configuration record
OPTIONS 'dsconf plugin attr-uniq status'
usage: dsconf instance plugin attr-uniq status [-h] NAME
- NAME
Sets the name of the plug-in configuration record
OPTIONS 'dsconf plugin dna'
usage: dsconf instance plugin dna [-h]
{show,enable,disable,status,list,config} ...
Sub-commands
- dsconf plugin dna show
display plugin configuration
- dsconf plugin dna enable
enable plugin
- dsconf plugin dna disable
disable plugin
- dsconf plugin dna status
display plugin status
- dsconf plugin dna list
List available plugin configs
- dsconf plugin dna config
Manage plugin configs
OPTIONS 'dsconf plugin dna show'
usage: dsconf instance plugin dna show [-h]
OPTIONS 'dsconf plugin dna enable'
usage: dsconf instance plugin dna enable [-h]
OPTIONS 'dsconf plugin dna disable'
usage: dsconf instance plugin dna disable [-h]
OPTIONS 'dsconf plugin dna status'
usage: dsconf instance plugin dna status [-h]
OPTIONS 'dsconf plugin dna list'
usage: dsconf instance plugin dna list [-h] {configs,shared-configs} ...
Sub-commands
- dsconf plugin dna list configs
List main DNA plugin config entries
- dsconf plugin dna list shared-configs
List DNA plugin shared config entries
OPTIONS 'dsconf plugin dna list configs'
usage: dsconf instance plugin dna list configs [-h]
OPTIONS 'dsconf plugin dna config'
usage: dsconf instance plugin dna config [-h]
NAME
{add,set,show,delete,shared-config-entry}
...
- NAME
The DNA configuration name
Sub-commands
- dsconf plugin dna config add
Add the config entry
- dsconf plugin dna config set
Edit the config entry
- dsconf plugin dna config show
Display the config entry
- dsconf plugin dna config delete
Delete the config entry
- dsconf plugin dna config shared-config-entry
Manage the shared config entry
OPTIONS 'dsconf plugin dna config add'
usage: dsconf instance plugin dna config NAME add [-h]
[--type TYPE [TYPE ...]]
[--prefix PREFIX]
[--next-value NEXT_VALUE]
[--max-value MAX_VALUE]
[--interval INTERVAL]
[--magic-regen MAGIC_REGEN]
[--filter FILTER]
[--scope SCOPE]
[--remote-bind-dn REMOTE_BIND_DN]
[--remote-bind-cred REMOTE_BIND_CRED]
[--shared-config-entry SHARED_CONFIG_ENTRY]
[--threshold THRESHOLD]
[--next-range NEXT_RANGE]
[--range-request-timeout RANGE_REQUEST_TIMEOUT]
- --type TYPE [TYPE ...]
Sets which attributes have unique numbers being generated for them (dnaType)
- --prefix PREFIX
Defines a prefix that can be prepended to the generated number values for the attribute (dnaPrefix)
- --next-value NEXT_VALUE
Gives the next available number which can be assigned (dnaNextValue)
- --max-value MAX_VALUE
Sets the maximum value that can be assigned for the range (dnaMaxValue)
- --interval INTERVAL
Sets an interval to use to increment through numbers in a range (dnaInterval)
- --magic-regen MAGIC_REGEN
Sets a user-defined value that instructs the plug-in to assign a new value for the entry (dnaMagicRegen)
- --filter FILTER
Sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range (dnaFilter)
- --scope SCOPE
Sets the base DN to search for entries to which to apply the distributed numeric assignment (dnaScope)
- --remote-bind-dn REMOTE_BIND_DN
Specifies the Replication Manager DN (dnaRemoteBindDN)
- --remote-bind-cred REMOTE_BIND_CRED
Specifies the Replication Manager's password (dnaRemoteBindCred)
- --shared-config-entry SHARED_CONFIG_ENTRY
Defines a shared identity that the servers can use to transfer ranges to one another (dnaSharedCfgDN)
- --threshold THRESHOLD
Sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range (dnaThreshold)
- --next-range NEXT_RANGE
Defines the next range to use when the current range is exhausted (dnaNextRange)
- --range-request-timeout RANGE_REQUEST_TIMEOUT
sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server (dnaRangeRequestTimeout)
OPTIONS 'dsconf plugin dna config set'
usage: dsconf instance plugin dna config NAME set [-h]
[--type TYPE [TYPE ...]]
[--prefix PREFIX]
[--next-value NEXT_VALUE]
[--max-value MAX_VALUE]
[--interval INTERVAL]
[--magic-regen MAGIC_REGEN]
[--filter FILTER]
[--scope SCOPE]
[--remote-bind-dn REMOTE_BIND_DN]
[--remote-bind-cred REMOTE_BIND_CRED]
[--shared-config-entry SHARED_CONFIG_ENTRY]
[--threshold THRESHOLD]
[--next-range NEXT_RANGE]
[--range-request-timeout RANGE_REQUEST_TIMEOUT]
- --type TYPE [TYPE ...]
Sets which attributes have unique numbers being generated for them (dnaType)
- --prefix PREFIX
Defines a prefix that can be prepended to the generated number values for the attribute (dnaPrefix)
- --next-value NEXT_VALUE
Gives the next available number which can be assigned (dnaNextValue)
- --max-value MAX_VALUE
Sets the maximum value that can be assigned for the range (dnaMaxValue)
- --interval INTERVAL
Sets an interval to use to increment through numbers in a range (dnaInterval)
- --magic-regen MAGIC_REGEN
Sets a user-defined value that instructs the plug-in to assign a new value for the entry (dnaMagicRegen)
- --filter FILTER
Sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range (dnaFilter)
- --scope SCOPE
Sets the base DN to search for entries to which to apply the distributed numeric assignment (dnaScope)
- --remote-bind-dn REMOTE_BIND_DN
Specifies the Replication Manager DN (dnaRemoteBindDN)
- --remote-bind-cred REMOTE_BIND_CRED
Specifies the Replication Manager's password (dnaRemoteBindCred)
- --shared-config-entry SHARED_CONFIG_ENTRY
Defines a shared identity that the servers can use to transfer ranges to one another (dnaSharedCfgDN)
- --threshold THRESHOLD
Sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range (dnaThreshold)
- --next-range NEXT_RANGE
Defines the next range to use when the current range is exhausted (dnaNextRange)
- --range-request-timeout RANGE_REQUEST_TIMEOUT
sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server (dnaRangeRequestTimeout)
OPTIONS 'dsconf plugin dna config show'
usage: dsconf instance plugin dna config NAME show [-h]
OPTIONS 'dsconf plugin dna config delete'
usage: dsconf instance plugin dna config NAME delete [-h]
OPTIONS 'dsconf plugin linked-attr'
usage: dsconf instance plugin linked-attr [-h]
{show,enable,disable,status,fixup,list,config}
...
Sub-commands
- dsconf plugin linked-attr show
display plugin configuration
- dsconf plugin linked-attr enable
enable plugin
- dsconf plugin linked-attr disable
disable plugin
- dsconf plugin linked-attr status
display plugin status
- dsconf plugin linked-attr fixup
Run the fix-up task for linked attributes plugin
- dsconf plugin linked-attr list
List available plugin configs
- dsconf plugin linked-attr config
Manage plugin configs
OPTIONS 'dsconf plugin linked-attr show'
usage: dsconf instance plugin linked-attr show [-h]
OPTIONS 'dsconf plugin linked-attr enable'
usage: dsconf instance plugin linked-attr enable [-h]
OPTIONS 'dsconf plugin linked-attr disable'
usage: dsconf instance plugin linked-attr disable [-h]
OPTIONS 'dsconf plugin linked-attr status'
usage: dsconf instance plugin linked-attr status [-h]
OPTIONS 'dsconf plugin linked-attr fixup'
usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]
- -l LINKDN, --linkdn LINKDN
Base DN that contains entries to fix up
OPTIONS 'dsconf plugin linked-attr list'
usage: dsconf instance plugin linked-attr list [-h]
OPTIONS 'dsconf plugin linked-attr config'
usage: dsconf instance plugin linked-attr config [-h]
NAME {add,set,show,delete}
...
- NAME
The Linked Attributes configuration name
Sub-commands
- dsconf plugin linked-attr config add
Add the config entry
- dsconf plugin linked-attr config set
Edit the config entry
- dsconf plugin linked-attr config show
Display the config entry
- dsconf plugin linked-attr config delete
Delete the config entry
OPTIONS 'dsconf plugin linked-attr config add'
usage: dsconf instance plugin linked-attr config NAME add [-h]
[--link-type LINK_TYPE]
[--managed-type MANAGED_TYPE]
[--link-scope LINK_SCOPE]
- --link-type LINK_TYPE
Sets the attribute that is managed manually by administrators (linkType)
- --managed-type MANAGED_TYPE
Sets the attribute that is created dynamically by the plugin (managedType)
- --link-scope LINK_SCOPE
Sets the scope that restricts the plugin to a specific part of the directory tree (linkScope)
OPTIONS 'dsconf plugin linked-attr config set'
usage: dsconf instance plugin linked-attr config NAME set [-h]
[--link-type LINK_TYPE]
[--managed-type MANAGED_TYPE]
[--link-scope LINK_SCOPE]
- --link-type LINK_TYPE
Sets the attribute that is managed manually by administrators (linkType)
- --managed-type MANAGED_TYPE
Sets the attribute that is created dynamically by the plugin (managedType)
- --link-scope LINK_SCOPE
Sets the scope that restricts the plugin to a specific part of the directory tree (linkScope)
OPTIONS 'dsconf plugin linked-attr config show'
usage: dsconf instance plugin linked-attr config NAME show [-h]
OPTIONS 'dsconf plugin linked-attr config delete'
usage: dsconf instance plugin linked-attr config NAME delete [-h]
OPTIONS 'dsconf plugin managed-entries'
usage: dsconf instance plugin managed-entries [-h]
{show,enable,disable,status,set,list,config,template}
...
Sub-commands
- dsconf plugin managed-entries show
display plugin configuration
- dsconf plugin managed-entries enable
enable plugin
- dsconf plugin managed-entries disable
disable plugin
- dsconf plugin managed-entries status
display plugin status
- dsconf plugin managed-entries set
Edit the plugin
- dsconf plugin managed-entries list
List Managed Entries Plugin configs and templates
- dsconf plugin managed-entries config
Handle Managed Entries Plugin configs
- dsconf plugin managed-entries template
Handle Managed Entries Plugin templates
OPTIONS 'dsconf plugin managed-entries show'
usage: dsconf instance plugin managed-entries show [-h]
OPTIONS 'dsconf plugin managed-entries enable'
usage: dsconf instance plugin managed-entries enable [-h]
OPTIONS 'dsconf plugin managed-entries disable'
usage: dsconf instance plugin managed-entries disable [-h]
OPTIONS 'dsconf plugin managed-entries status'
usage: dsconf instance plugin managed-entries status [-h]
OPTIONS 'dsconf plugin managed-entries set'
usage: dsconf instance plugin managed-entries set [-h]
[--config-area CONFIG_AREA]
- --config-area CONFIG_AREA
The value to set as nsslapd-pluginConfigArea
OPTIONS 'dsconf plugin managed-entries list'
usage: dsconf instance plugin managed-entries list [-h]
{configs,templates} ...
Sub-commands
- dsconf plugin managed-entries list configs
List Managed Entries Plugin configs (list config-area if specified in the main plugin entry)
- dsconf plugin managed-entries list templates
List Managed Entries Plugin templates in the directory
OPTIONS 'dsconf plugin managed-entries list configs'
usage: dsconf instance plugin managed-entries list configs [-h]
OPTIONS 'dsconf plugin managed-entries list templates'
usage: dsconf instance plugin managed-entries list templates [-h] [BASEDN]
- BASEDN
The base DN where to search the templates.
OPTIONS 'dsconf plugin managed-entries config'
usage: dsconf instance plugin managed-entries config [-h]
NAME
{add,set,show,delete} ...
- NAME
The config entry CN.
Sub-commands
- dsconf plugin managed-entries config add
Add the config entry
- dsconf plugin managed-entries config set
Edit the config entry
- dsconf plugin managed-entries config show
Display the config entry
- dsconf plugin managed-entries config delete
Delete the config entry
OPTIONS 'dsconf plugin managed-entries config add'
usage: dsconf instance plugin managed-entries config NAME add
[-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
[--managed-template MANAGED_TEMPLATE]
- --scope SCOPE
Sets the scope of the search to use to see which entries the plug-in monitors (originScope)
- --filter FILTER
Sets the search filter to use to search for and identify the entries within the subtree which require a managed entry (originFilter)
- --managed-base MANAGED_BASE
Sets the subtree under which to create the managed entries (managedBase)
- --managed-template MANAGED_TEMPLATE
Identifies the template entry to use to create the managed entry (managedTemplate)
OPTIONS 'dsconf plugin managed-entries config set'
usage: dsconf instance plugin managed-entries config NAME set
[-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
[--managed-template MANAGED_TEMPLATE]
- --scope SCOPE
Sets the scope of the search to use to see which entries the plug-in monitors (originScope)
- --filter FILTER
Sets the search filter to use to search for and identify the entries within the subtree which require a managed entry (originFilter)
- --managed-base MANAGED_BASE
Sets the subtree under which to create the managed entries (managedBase)
- --managed-template MANAGED_TEMPLATE
Identifies the template entry to use to create the managed entry (managedTemplate)
OPTIONS 'dsconf plugin managed-entries config show'
usage: dsconf instance plugin managed-entries config NAME show [-h]
OPTIONS 'dsconf plugin managed-entries config delete'
usage: dsconf instance plugin managed-entries config NAME delete [-h]
OPTIONS 'dsconf plugin managed-entries template'
usage: dsconf instance plugin managed-entries template [-h]
DN
{add,set,show,delete}
...
- DN
The template entry DN.
Sub-commands
- dsconf plugin managed-entries template add
Add the template entry
- dsconf plugin managed-entries template set
Edit the template entry
- dsconf plugin managed-entries template show
Display the template entry
- dsconf plugin managed-entries template delete
Delete the template entry
OPTIONS 'dsconf plugin managed-entries template add'
usage: dsconf instance plugin managed-entries template DN add
[-h] [--rdn-attr RDN_ATTR]
[--static-attr STATIC_ATTR [STATIC_ATTR ...]]
[--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
- --rdn-attr RDN_ATTR
Sets which attribute to use as the naming attribute in the automatically- generated entry (mepRDNAttr)
- --static-attr STATIC_ATTR [STATIC_ATTR ...]
Sets an attribute with a defined value that must be added to the automatically-generated entry (mepStaticAttr)
- --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
Sets attributes in the Managed Entries template entry which must exist in the generated entry (mepMappedAttr)
OPTIONS 'dsconf plugin managed-entries template set'
usage: dsconf instance plugin managed-entries template DN set
[-h] [--rdn-attr RDN_ATTR]
[--static-attr STATIC_ATTR [STATIC_ATTR ...]]
[--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]
- --rdn-attr RDN_ATTR
Sets which attribute to use as the naming attribute in the automatically- generated entry (mepRDNAttr)
- --static-attr STATIC_ATTR [STATIC_ATTR ...]
Sets an attribute with a defined value that must be added to the automatically-generated entry (mepStaticAttr)
- --mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]
Sets attributes in the Managed Entries template entry which must exist in the generated entry (mepMappedAttr)
OPTIONS 'dsconf plugin managed-entries template show'
usage: dsconf instance plugin managed-entries template DN show [-h]
OPTIONS 'dsconf plugin managed-entries template delete'
usage: dsconf instance plugin managed-entries template DN delete [-h]
OPTIONS 'dsconf plugin pass-through-auth'
usage: dsconf instance plugin pass-through-auth [-h]
{show,enable,disable,status,list,url,pam-config}
...
Sub-commands
- dsconf plugin pass-through-auth show
display plugin configuration
- dsconf plugin pass-through-auth enable
enable plugin
- dsconf plugin pass-through-auth disable
disable plugin
- dsconf plugin pass-through-auth status
display plugin status
- dsconf plugin pass-through-auth list
List pass-though plugin URLs or PAM configurations.
- dsconf plugin pass-through-auth url
Manage PTA URL configurations.
- dsconf plugin pass-through-auth pam-config
Manage PAM PTA configurations.
OPTIONS 'dsconf plugin pass-through-auth show'
usage: dsconf instance plugin pass-through-auth show [-h]
OPTIONS 'dsconf plugin pass-through-auth enable'
usage: dsconf instance plugin pass-through-auth enable [-h]
OPTIONS 'dsconf plugin pass-through-auth disable'
usage: dsconf instance plugin pass-through-auth disable [-h]
OPTIONS 'dsconf plugin pass-through-auth status'
usage: dsconf instance plugin pass-through-auth status [-h]
OPTIONS 'dsconf plugin pass-through-auth list'
usage: dsconf instance plugin pass-through-auth list [-h]
{urls,pam-configs} ...
Sub-commands
- dsconf plugin pass-through-auth list urls
List URLs.
- dsconf plugin pass-through-auth list pam-configs
List PAM configurations.
OPTIONS 'dsconf plugin pass-through-auth list urls'
usage: dsconf instance plugin pass-through-auth list urls [-h]
OPTIONS 'dsconf plugin pass-through-auth list pam-configs'
usage: dsconf instance plugin pass-through-auth list pam-configs [-h]
OPTIONS 'dsconf plugin pass-through-auth url'
usage: dsconf instance plugin pass-through-auth url [-h]
{add,modify,delete} ...
Sub-commands
- dsconf plugin pass-through-auth url add
Add the config entry
- dsconf plugin pass-through-auth url modify
Edit the config entry
- dsconf plugin pass-through-auth url delete
Delete the config entry
OPTIONS 'dsconf plugin pass-through-auth url add'
usage: dsconf instance plugin pass-through-auth url add [-h] URL
- URL
The full LDAP URL in format "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional parameter is specified the rest should be specified too
OPTIONS 'dsconf plugin pass-through-auth url modify'
usage: dsconf instance plugin pass-through-auth url modify [-h]
OLD_URL NEW_URL
- OLD_URL
The full LDAP URL you get from the "list" command
- NEW_URL
The full LDAP URL in format "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional parameter is specified the rest should be specified too
OPTIONS 'dsconf plugin pass-through-auth url delete'
usage: dsconf instance plugin pass-through-auth url delete [-h] URL
- URL
The full LDAP URL you get from the "list" command
OPTIONS 'dsconf plugin pass-through-auth pam-config'
usage: dsconf instance plugin pass-through-auth pam-config [-h]
NAME
{add,set,show,delete}
...
- NAME
The PAM PTA configuration name
Sub-commands
- dsconf plugin pass-through-auth pam-config add
Add the config entry
- dsconf plugin pass-through-auth pam-config set
Edit the config entry
- dsconf plugin pass-through-auth pam-config show
Display the config entry
- dsconf plugin pass-through-auth pam-config delete
Delete the config entry
OPTIONS 'dsconf plugin pass-through-auth pam-config add'
usage: dsconf instance plugin pass-through-auth pam-config NAME add
[-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
[--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
[--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
[--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method ID_MAP_METHOD]
[--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]
- --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)
- --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
Sets a suffix to include for PAM authentication (pamIncludeSuffix)
- --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
Identifies how to handle missing include or exclude suffixes (pamMissingSuffix)
- --filter FILTER
Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication (pamFilter)
- --id-attr ID_ATTR [ID_ATTR ...]
Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)
- --id_map_method ID_MAP_METHOD
Gives the method to use to map the LDAP bind DN to a PAM identity (pamIDMapMethod)
- --fallback {TRUE,FALSE}
Sets whether to fallback to regular LDAP authentication if PAM authentication fails (pamFallback)
- --secure {TRUE,FALSE}
Requires secure TLS connection for PAM authentication (pamSecure)
- --service SERVICE
Contains the service name to pass to PAM (pamService)
OPTIONS 'dsconf plugin pass-through-auth pam-config set'
usage: dsconf instance plugin pass-through-auth pam-config NAME set
[-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
[--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
[--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
[--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method ID_MAP_METHOD]
[--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]
- --exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]
Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)
- --include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]
Sets a suffix to include for PAM authentication (pamIncludeSuffix)
- --missing-suffix {ERROR,ALLOW,IGNORE,delete,}
Identifies how to handle missing include or exclude suffixes (pamMissingSuffix)
- --filter FILTER
Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication (pamFilter)
- --id-attr ID_ATTR [ID_ATTR ...]
Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)
- --id_map_method ID_MAP_METHOD
Gives the method to use to map the LDAP bind DN to a PAM identity (pamIDMapMethod)
- --fallback {TRUE,FALSE}
Sets whether to fallback to regular LDAP authentication if PAM authentication fails (pamFallback)
- --secure {TRUE,FALSE}
Requires secure TLS connection for PAM authentication (pamSecure)
- --service SERVICE
Contains the service name to pass to PAM (pamService)
OPTIONS 'dsconf plugin pass-through-auth pam-config show'
usage: dsconf instance plugin pass-through-auth pam-config NAME show [-h]
OPTIONS 'dsconf plugin pass-through-auth pam-config delete'
usage: dsconf instance plugin pass-through-auth pam-config NAME delete [-h]
OPTIONS 'dsconf plugin retro-changelog'
usage: dsconf instance plugin retro-changelog [-h]
{show,enable,disable,status,set,add}
...
Sub-commands
- dsconf plugin retro-changelog show
display plugin configuration
- dsconf plugin retro-changelog enable
enable plugin
- dsconf plugin retro-changelog disable
disable plugin
- dsconf plugin retro-changelog status
display plugin status
- dsconf plugin retro-changelog set
Edit the plugin
- dsconf plugin retro-changelog add
Add attributes to the plugin
OPTIONS 'dsconf plugin retro-changelog show'
usage: dsconf instance plugin retro-changelog show [-h]
OPTIONS 'dsconf plugin retro-changelog enable'
usage: dsconf instance plugin retro-changelog enable [-h]
OPTIONS 'dsconf plugin retro-changelog disable'
usage: dsconf instance plugin retro-changelog disable [-h]
OPTIONS 'dsconf plugin retro-changelog status'
usage: dsconf instance plugin retro-changelog status [-h]
OPTIONS 'dsconf plugin retro-changelog set'
usage: dsconf instance plugin retro-changelog set [-h]
[--is-replicated {TRUE,FALSE}]
[--attribute ATTRIBUTE]
[--directory DIRECTORY]
[--max-age MAX_AGE]
[--exclude-suffix EXCLUDE_SUFFIX]
- --is-replicated {TRUE,FALSE}
Sets a flag to indicate on a change in the changelog whether the change is newly made on that server or whether it was replicated over from another server (isReplicated)
- --attribute ATTRIBUTE
Specifies another Directory Server attribute which must be included in the retro changelog entries (nsslapd-attribute)
- --directory DIRECTORY
Specifies the name of the directory in which the changelog database is created the first time the plug-in is run
- --max-age MAX_AGE
This attribute specifies the maximum age of any entry in the changelog (nsslapd-changelogmaxage)
- --exclude-suffix EXCLUDE_SUFFIX
This attribute specifies the suffix which will be excluded from the scope of the plugin (nsslapd-exclude-suffix)
OPTIONS 'dsconf plugin retro-changelog add'
usage: dsconf instance plugin retro-changelog add [-h]
[--is-replicated {TRUE,FALSE}]
[--attribute ATTRIBUTE]
[--directory DIRECTORY]
[--max-age MAX_AGE]
[--exclude-suffix EXCLUDE_SUFFIX]
- --is-replicated {TRUE,FALSE}
Sets a flag to indicate on a change in the changelog whether the change is newly made on that server or whether it was replicated over from another server (isReplicated)
- --attribute ATTRIBUTE
Specifies another Directory Server attribute which must be included in the retro changelog entries (nsslapd-attribute)
- --directory DIRECTORY
Specifies the name of the directory in which the changelog database is created the first time the plug-in is run
- --max-age MAX_AGE
This attribute specifies the maximum age of any entry in the changelog (nsslapd-changelogmaxage)
- --exclude-suffix EXCLUDE_SUFFIX
This attribute specifies the suffix which will be excluded from the scope of the plugin (nsslapd-exclude-suffix)
OPTIONS 'dsconf plugin posix-winsync'
usage: dsconf instance plugin posix-winsync [-h]
{show,enable,disable,status,set,fixup}
...
Sub-commands
- dsconf plugin posix-winsync show
display plugin configuration
- dsconf plugin posix-winsync enable
enable plugin
- dsconf plugin posix-winsync disable
disable plugin
- dsconf plugin posix-winsync status
display plugin status
- dsconf plugin posix-winsync set
Edit the plugin
- dsconf plugin posix-winsync fixup
Run the memberOf fix-up task to correct mismatched member and uniquemember values for synced users
OPTIONS 'dsconf plugin posix-winsync show'
usage: dsconf instance plugin posix-winsync show [-h]
OPTIONS 'dsconf plugin posix-winsync enable'
usage: dsconf instance plugin posix-winsync enable [-h]
OPTIONS 'dsconf plugin posix-winsync disable'
usage: dsconf instance plugin posix-winsync disable [-h]
OPTIONS 'dsconf plugin posix-winsync status'
usage: dsconf instance plugin posix-winsync status [-h]
OPTIONS 'dsconf plugin posix-winsync set'
usage: dsconf instance plugin posix-winsync set [-h]
[--create-memberof-task {true,false}]
[--lower-case-uid {true,false}]
[--map-member-uid {true,false}]
[--map-nested-grouping {true,false}]
[--ms-sfu-schema {true,false}]
- --create-memberof-task {true,false}
Sets whether to run the memberUID fix-up task immediately after a sync run in order to update group memberships for synced users (posixWinsyncCreateMemberOfTask)
- --lower-case-uid {true,false}
Sets whether to store (and, if necessary, convert) the UID value in the memberUID attribute in lower case.(posixWinsyncLowerCaseUID)
- --map-member-uid {true,false}
Sets whether to map the memberUID attribute in an Active Directory group to the uniqueMember attribute in a Directory Server group (posixWinsyncMapMemberUID)
- --map-nested-grouping {true,false}
Manages if nested groups are updated when memberUID attributes in an Active Directory POSIX group change (posixWinsyncMapNestedGrouping)
- --ms-sfu-schema {true,false}
Sets whether to the older Microsoft System Services for Unix 3.0 (msSFU30) schema when syncing Posix attributes from Active Directory (posixWinsyncMsSFUSchema)
OPTIONS 'dsconf plugin posix-winsync fixup'
usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN
- DN
Base DN that contains entries to fix up
- -f FILTER, --filter FILTER
Filter for entries to fix up. If omitted, all entries with objectclass inetuser/inetadmin/nsmemberof under the specified base will have their memberOf attribute regenerated.
OPTIONS 'dsconf plugin contentsync'
usage: dsconf instance plugin contentsync [-h]
{show,enable,disable,status,set,add}
...
Sub-commands
- dsconf plugin contentsync show
display plugin configuration
- dsconf plugin contentsync enable
enable plugin
- dsconf plugin contentsync disable
disable plugin
- dsconf plugin contentsync status
display plugin status
- dsconf plugin contentsync set
Edit the plugin
- dsconf plugin contentsync add
Add attributes to the plugin
OPTIONS 'dsconf plugin contentsync show'
usage: dsconf instance plugin contentsync show [-h]
OPTIONS 'dsconf plugin contentsync enable'
usage: dsconf instance plugin contentsync enable [-h]
OPTIONS 'dsconf plugin contentsync disable'
usage: dsconf instance plugin contentsync disable [-h]
OPTIONS 'dsconf plugin contentsync status'
usage: dsconf instance plugin contentsync status [-h]
OPTIONS 'dsconf plugin contentsync set'
usage: dsconf instance plugin contentsync set [-h] [--allow-openldap {on,off}]
- --allow-openldap {on,off}
Allows openldap servers to act as read only consumers of this server via syncrepl
OPTIONS 'dsconf plugin contentsync add'
usage: dsconf instance plugin contentsync add [-h] [--allow-openldap {on,off}]
- --allow-openldap {on,off}
Allows openldap servers to act as read only consumers of this server via syncrepl
OPTIONS 'dsconf plugin list'
usage: dsconf instance plugin list [-h]
OPTIONS 'dsconf plugin show'
usage: dsconf instance plugin show [-h] [selector]
- selector
The plugin to search for
OPTIONS 'dsconf plugin set'
usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled {on,off}]
[--path PATH] [--initfunc INITFUNC]
[--id ID] [--vendor VENDOR]
[--version VERSION]
[--description DESCRIPTION]
[--depends-on-type DEPENDS_ON_TYPE]
[--depends-on-named DEPENDS_ON_NAMED]
[--precedence PRECEDENCE]
[selector]
- selector
The plugin to edit
- --type TYPE
The type of plugin.
- --enabled {on,off}
Identifies whether or not the plugin is enabled.
- --path PATH
The plugin library name (without the library suffix).
- --initfunc INITFUNC
An initialization function of the plugin.
- --id ID
The plugin ID.
- --vendor VENDOR
The vendor of plugin.
- --version VERSION
The version of plugin.
- --description DESCRIPTION
The description of the plugin.
- --depends-on-type DEPENDS_ON_TYPE
All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in.
- --depends-on-named DEPENDS_ON_NAMED
The plug-in name matching one of the following values will be started by the server prior to this plug-in
- --precedence PRECEDENCE
The priority it has in the execution order of plug-ins
OPTIONS 'dsconf pwpolicy'
usage: dsconf instance pwpolicy [-h] {get,set} ...
Sub-commands
- dsconf pwpolicy get
Get the global password policy entry
- dsconf pwpolicy set
Set an attribute in a global password policy
OPTIONS 'dsconf pwpolicy get'
usage: dsconf instance pwpolicy get [-h]
OPTIONS 'dsconf pwpolicy set'
usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwpinheritglobal PWPINHERITGLOBAL]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
[--pwdlocal PWDLOCAL]
[--pwdisglobal PWDISGLOBAL]
[--pwdallowhash PWDALLOWHASH]
- --pwdscheme PWDSCHEME
The password storage scheme
- --pwdchange PWDCHANGE
Allow users to change their passwords
- --pwdmustchange PWDMUSTCHANGE
User must change their passwrod after it is reset by an Administrator
- --pwdhistory PWDHISTORY
To enable password history set this to "on", otherwise "off"
- --pwdhistorycount PWDHISTORYCOUNT
The number of password to keep in history
- --pwdadmin PWDADMIN
The DN of an entry or a group of account that can bypass password policy constraints
- --pwdtrack PWDTRACK
Set to "on" to track the time the password was last changed
- --pwdwarning PWDWARNING
Send an expiring warning if password expires within this time (in seconds)
- --pwdexpire PWDEXPIRE
Set to "on" to enable password expiration
- --pwdmaxage PWDMAXAGE
The password expiration time in seconds
- --pwdminage PWDMINAGE
The number of seconds that must pass before a user can change their password
- --pwdgracelimit PWDGRACELIMIT
The number of allowed logins after the password has expired
- --pwdsendexpiring PWDSENDEXPIRING
Set to "on" to always send the expiring control regardless of the warning period
- --pwdlockout PWDLOCKOUT
Set to "on" to enable account lockout
- --pwdunlock PWDUNLOCK
Set to "on" to allow an account to become unlocked after the lockout duration
- --pwdlockoutduration PWDLOCKOUTDURATION
The number of seconds an account stays locked out
- --pwdmaxfailures PWDMAXFAILURES
The maximum number of allowed failed password attempts before the account gets locked
- --pwdresetfailcount PWDRESETFAILCOUNT
The number of seconds to wait before reducing the failed login count on an account
- --pwdchecksyntax PWDCHECKSYNTAX
Set to "on" to Enable password syntax checking
- --pwdminlen PWDMINLEN
The minimum number of characters required in a password
- --pwdmindigits PWDMINDIGITS
The minimum number of digit/number characters in a password
- --pwdminalphas PWDMINALPHAS
The minimum number of alpha characters required in a password
- --pwdminuppers PWDMINUPPERS
The minimum number of uppercase characters required in a password
- --pwdminlowers PWDMINLOWERS
The minimum number of lowercase characters required in a password
- --pwdminspecials PWDMINSPECIALS
The minimum number of special characters required in a password
- --pwdmin8bits PWDMIN8BITS
The minimum number of 8-bit characters required in a password
- --pwdmaxrepeats PWDMAXREPEATS
The maximum number of times the same character can appear sequentially in the password
- --pwdpalindrome PWDPALINDROME
Set to "on" to reject passwords that are palindromes
- --pwdmaxseq PWDMAXSEQ
The maximum number of allowed monotonic character sequences in a password
- --pwdmaxseqsets PWDMAXSEQSETS
The maximum number of allowed monotonic character sequences that can be duplicated in a password
- --pwdmaxclasschars PWDMAXCLASSCHARS
The maximum number of sequential characters from the same character class that is allowed in a password
- --pwdmincatagories PWDMINCATAGORIES
The minimum number of syntax category checks
- --pwdmintokenlen PWDMINTOKENLEN
Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"
- --pwdbadwords PWDBADWORDS
A space-separated list of words that can not be in a password
- --pwduserattrs PWDUSERATTRS
A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")
- --pwpinheritglobal PWPINHERITGLOBAL
Set to "on" to allow local policies to inherit the global policy
- --pwddictcheck PWDDICTCHECK
Set to "on" to enforce CrackLib dictionary checking
- --pwddictpath PWDDICTPATH
Filesystem path to specific/custom CrackLib dictionary files
- --pwdlocal PWDLOCAL
Set to "on" to enable fine-grained (subtree/user-level) password policies
- --pwdisglobal PWDISGLOBAL
Set to "on" to enable password policy state attributesto be replicated
- --pwdallowhash PWDALLOWHASH
Set to "on" to allow adding prehashed passwords
OPTIONS 'dsconf localpwp'
usage: dsconf instance localpwp [-h]
{list,get,set,remove,adduser,addsubtree} ...
Sub-commands
- dsconf localpwp list
List all the local password policies
- dsconf localpwp get
Get local password policy entry
- dsconf localpwp set
Set an attribute in a local password policy
- dsconf localpwp remove
Remove a local password policy
- dsconf localpwp adduser
Add new user password policy
- dsconf localpwp addsubtree
Add new subtree password policy
OPTIONS 'dsconf localpwp list'
usage: dsconf instance localpwp list [-h] [DN]
- DN
Suffix to search for local password policies
OPTIONS 'dsconf localpwp get'
usage: dsconf instance localpwp get [-h] DN
- DN
Get the local policy for this entry DN
OPTIONS 'dsconf localpwp set'
usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwpinheritglobal PWPINHERITGLOBAL]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
DN
- DN
Set the local policy for this entry DN
- --pwdscheme PWDSCHEME
The password storage scheme
- --pwdchange PWDCHANGE
Allow users to change their passwords
- --pwdmustchange PWDMUSTCHANGE
User must change their passwrod after it is reset by an Administrator
- --pwdhistory PWDHISTORY
To enable password history set this to "on", otherwise "off"
- --pwdhistorycount PWDHISTORYCOUNT
The number of password to keep in history
- --pwdadmin PWDADMIN
The DN of an entry or a group of account that can bypass password policy constraints
- --pwdtrack PWDTRACK
Set to "on" to track the time the password was last changed
- --pwdwarning PWDWARNING
Send an expiring warning if password expires within this time (in seconds)
- --pwdexpire PWDEXPIRE
Set to "on" to enable password expiration
- --pwdmaxage PWDMAXAGE
The password expiration time in seconds
- --pwdminage PWDMINAGE
The number of seconds that must pass before a user can change their password
- --pwdgracelimit PWDGRACELIMIT
The number of allowed logins after the password has expired
- --pwdsendexpiring PWDSENDEXPIRING
Set to "on" to always send the expiring control regardless of the warning period
- --pwdlockout PWDLOCKOUT
Set to "on" to enable account lockout
- --pwdunlock PWDUNLOCK
Set to "on" to allow an account to become unlocked after the lockout duration
- --pwdlockoutduration PWDLOCKOUTDURATION
The number of seconds an account stays locked out
- --pwdmaxfailures PWDMAXFAILURES
The maximum number of allowed failed password attempts before the account gets locked
- --pwdresetfailcount PWDRESETFAILCOUNT
The number of seconds to wait before reducing the failed login count on an account
- --pwdchecksyntax PWDCHECKSYNTAX
Set to "on" to Enable password syntax checking
- --pwdminlen PWDMINLEN
The minimum number of characters required in a password
- --pwdmindigits PWDMINDIGITS
The minimum number of digit/number characters in a password
- --pwdminalphas PWDMINALPHAS
The minimum number of alpha characters required in a password
- --pwdminuppers PWDMINUPPERS
The minimum number of uppercase characters required in a password
- --pwdminlowers PWDMINLOWERS
The minimum number of lowercase characters required in a password
- --pwdminspecials PWDMINSPECIALS
The minimum number of special characters required in a password
- --pwdmin8bits PWDMIN8BITS
The minimum number of 8-bit characters required in a password
- --pwdmaxrepeats PWDMAXREPEATS
The maximum number of times the same character can appear sequentially in the password
- --pwdpalindrome PWDPALINDROME
Set to "on" to reject passwords that are palindromes
- --pwdmaxseq PWDMAXSEQ
The maximum number of allowed monotonic character sequences in a password
- --pwdmaxseqsets PWDMAXSEQSETS
The maximum number of allowed monotonic character sequences that can be duplicated in a password
- --pwdmaxclasschars PWDMAXCLASSCHARS
The maximum number of sequential characters from the same character class that is allowed in a password
- --pwdmincatagories PWDMINCATAGORIES
The minimum number of syntax category checks
- --pwdmintokenlen PWDMINTOKENLEN
Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"
- --pwdbadwords PWDBADWORDS
A space-separated list of words that can not be in a password
- --pwduserattrs PWDUSERATTRS
A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")
- --pwpinheritglobal PWPINHERITGLOBAL
Set to "on" to allow local policies to inherit the global policy
- --pwddictcheck PWDDICTCHECK
Set to "on" to enforce CrackLib dictionary checking
- --pwddictpath PWDDICTPATH
Filesystem path to specific/custom CrackLib dictionary files
OPTIONS 'dsconf localpwp remove'
usage: dsconf instance localpwp remove [-h] DN
- DN
Remove local policy for this entry DN
OPTIONS 'dsconf localpwp adduser'
usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwpinheritglobal PWPINHERITGLOBAL]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
DN
- DN
Add/replace the local password policy for this entry DN
- --pwdscheme PWDSCHEME
The password storage scheme
- --pwdchange PWDCHANGE
Allow users to change their passwords
- --pwdmustchange PWDMUSTCHANGE
User must change their passwrod after it is reset by an Administrator
- --pwdhistory PWDHISTORY
To enable password history set this to "on", otherwise "off"
- --pwdhistorycount PWDHISTORYCOUNT
The number of password to keep in history
- --pwdadmin PWDADMIN
The DN of an entry or a group of account that can bypass password policy constraints
- --pwdtrack PWDTRACK
Set to "on" to track the time the password was last changed
- --pwdwarning PWDWARNING
Send an expiring warning if password expires within this time (in seconds)
- --pwdexpire PWDEXPIRE
Set to "on" to enable password expiration
- --pwdmaxage PWDMAXAGE
The password expiration time in seconds
- --pwdminage PWDMINAGE
The number of seconds that must pass before a user can change their password
- --pwdgracelimit PWDGRACELIMIT
The number of allowed logins after the password has expired
- --pwdsendexpiring PWDSENDEXPIRING
Set to "on" to always send the expiring control regardless of the warning period
- --pwdlockout PWDLOCKOUT
Set to "on" to enable account lockout
- --pwdunlock PWDUNLOCK
Set to "on" to allow an account to become unlocked after the lockout duration
- --pwdlockoutduration PWDLOCKOUTDURATION
The number of seconds an account stays locked out
- --pwdmaxfailures PWDMAXFAILURES
The maximum number of allowed failed password attempts before the account gets locked
- --pwdresetfailcount PWDRESETFAILCOUNT
The number of seconds to wait before reducing the failed login count on an account
- --pwdchecksyntax PWDCHECKSYNTAX
Set to "on" to Enable password syntax checking
- --pwdminlen PWDMINLEN
The minimum number of characters required in a password
- --pwdmindigits PWDMINDIGITS
The minimum number of digit/number characters in a password
- --pwdminalphas PWDMINALPHAS
The minimum number of alpha characters required in a password
- --pwdminuppers PWDMINUPPERS
The minimum number of uppercase characters required in a password
- --pwdminlowers PWDMINLOWERS
The minimum number of lowercase characters required in a password
- --pwdminspecials PWDMINSPECIALS
The minimum number of special characters required in a password
- --pwdmin8bits PWDMIN8BITS
The minimum number of 8-bit characters required in a password
- --pwdmaxrepeats PWDMAXREPEATS
The maximum number of times the same character can appear sequentially in the password
- --pwdpalindrome PWDPALINDROME
Set to "on" to reject passwords that are palindromes
- --pwdmaxseq PWDMAXSEQ
The maximum number of allowed monotonic character sequences in a password
- --pwdmaxseqsets PWDMAXSEQSETS
The maximum number of allowed monotonic character sequences that can be duplicated in a password
- --pwdmaxclasschars PWDMAXCLASSCHARS
The maximum number of sequential characters from the same character class that is allowed in a password
- --pwdmincatagories PWDMINCATAGORIES
The minimum number of syntax category checks
- --pwdmintokenlen PWDMINTOKENLEN
Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"
- --pwdbadwords PWDBADWORDS
A space-separated list of words that can not be in a password
- --pwduserattrs PWDUSERATTRS
A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")
- --pwpinheritglobal PWPINHERITGLOBAL
Set to "on" to allow local policies to inherit the global policy
- --pwddictcheck PWDDICTCHECK
Set to "on" to enforce CrackLib dictionary checking
- --pwddictpath PWDDICTPATH
Filesystem path to specific/custom CrackLib dictionary files
OPTIONS 'dsconf localpwp addsubtree'
usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwpinheritglobal PWPINHERITGLOBAL]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
DN
- DN
Add/replace the subtree policy for this entry DN
- --pwdscheme PWDSCHEME
The password storage scheme
- --pwdchange PWDCHANGE
Allow users to change their passwords
- --pwdmustchange PWDMUSTCHANGE
User must change their passwrod after it is reset by an Administrator
- --pwdhistory PWDHISTORY
To enable password history set this to "on", otherwise "off"
- --pwdhistorycount PWDHISTORYCOUNT
The number of password to keep in history
- --pwdadmin PWDADMIN
The DN of an entry or a group of account that can bypass password policy constraints
- --pwdtrack PWDTRACK
Set to "on" to track the time the password was last changed
- --pwdwarning PWDWARNING
Send an expiring warning if password expires within this time (in seconds)
- --pwdexpire PWDEXPIRE
Set to "on" to enable password expiration
- --pwdmaxage PWDMAXAGE
The password expiration time in seconds
- --pwdminage PWDMINAGE
The number of seconds that must pass before a user can change their password
- --pwdgracelimit PWDGRACELIMIT
The number of allowed logins after the password has expired
- --pwdsendexpiring PWDSENDEXPIRING
Set to "on" to always send the expiring control regardless of the warning period
- --pwdlockout PWDLOCKOUT
Set to "on" to enable account lockout
- --pwdunlock PWDUNLOCK
Set to "on" to allow an account to become unlocked after the lockout duration
- --pwdlockoutduration PWDLOCKOUTDURATION
The number of seconds an account stays locked out
- --pwdmaxfailures PWDMAXFAILURES
The maximum number of allowed failed password attempts before the account gets locked
- --pwdresetfailcount PWDRESETFAILCOUNT
The number of seconds to wait before reducing the failed login count on an account
- --pwdchecksyntax PWDCHECKSYNTAX
Set to "on" to Enable password syntax checking
- --pwdminlen PWDMINLEN
The minimum number of characters required in a password
- --pwdmindigits PWDMINDIGITS
The minimum number of digit/number characters in a password
- --pwdminalphas PWDMINALPHAS
The minimum number of alpha characters required in a password
- --pwdminuppers PWDMINUPPERS
The minimum number of uppercase characters required in a password
- --pwdminlowers PWDMINLOWERS
The minimum number of lowercase characters required in a password
- --pwdminspecials PWDMINSPECIALS
The minimum number of special characters required in a password
- --pwdmin8bits PWDMIN8BITS
The minimum number of 8-bit characters required in a password
- --pwdmaxrepeats PWDMAXREPEATS
The maximum number of times the same character can appear sequentially in the password
- --pwdpalindrome PWDPALINDROME
Set to "on" to reject passwords that are palindromes
- --pwdmaxseq PWDMAXSEQ
The maximum number of allowed monotonic character sequences in a password
- --pwdmaxseqsets PWDMAXSEQSETS
The maximum number of allowed monotonic character sequences that can be duplicated in a password
- --pwdmaxclasschars PWDMAXCLASSCHARS
The maximum number of sequential characters from the same character class that is allowed in a password
- --pwdmincatagories PWDMINCATAGORIES
The minimum number of syntax category checks
- --pwdmintokenlen PWDMINTOKENLEN
Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"
- --pwdbadwords PWDBADWORDS
A space-separated list of words that can not be in a password
- --pwduserattrs PWDUSERATTRS
A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")
- --pwpinheritglobal PWPINHERITGLOBAL
Set to "on" to allow local policies to inherit the global policy
- --pwddictcheck PWDDICTCHECK
Set to "on" to enforce CrackLib dictionary checking
- --pwddictpath PWDDICTPATH
Filesystem path to specific/custom CrackLib dictionary files
OPTIONS 'dsconf replication'
usage: dsconf instance replication [-h]
{enable,disable,get-ruv,list,status,winsync-status,promote,create-manager,delete-manager,demote,get,set-changelog,get-changelog,export-changelog,import-changelog,set,monitor}
...
Sub-commands
- dsconf replication enable
Enable replication for a suffix
- dsconf replication disable
Disable replication for a suffix
- dsconf replication get-ruv
Get the database RUV entry for his suffix
- dsconf replication list
List all the replicated suffixes
- dsconf replication status
Get the current status of all the replication agreements
- dsconf replication winsync-status
Get the current status of all the replication agreements
- dsconf replication promote
Promote replica to a Hub or Supplier
- dsconf replication create-manager
Create a replication manager entry
- dsconf replication delete-manager
Delete a replication manager entry
- dsconf replication demote
Demote replica to a Hub or Consumer
- dsconf replication get
Get replication configuration
- dsconf replication set-changelog
Set replication changelog attributes.
- dsconf replication get-changelog
Display replication changelog attributes.
- dsconf replication export-changelog
Export the Directory Server replication changelog to an LDIF
- dsconf replication import-changelog
Restore/Import Directory Server replication change log from an LDIF file. This is typically used when managing changelog encryption
- dsconf replication set
Set an attribute in the replication configuration
- dsconf replication monitor
Get the full replication topology report
OPTIONS 'dsconf replication enable'
usage: dsconf instance replication enable [-h] --suffix SUFFIX --role ROLE
[--replica-id REPLICA_ID]
[--bind-group-dn BIND_GROUP_DN]
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
- --suffix SUFFIX
The DN of the suffix to be enabled for replication
- --role ROLE
The Replication role: "supplier", "hub", or "consumer"
- --replica-id REPLICA_ID
The replication identifier for a "supplier". Values range from 1 - 65534
- --bind-group-dn BIND_GROUP_DN
A group entry DN containing members that are "bind/supplier" DNs
- --bind-dn BIND_DN
The Bind or Supplier DN that can make replication updates
- --bind-passwd BIND_PASSWD
Password for replication manager(--bind-dn). This will create the manager entry if a value is set
OPTIONS 'dsconf replication disable'
usage: dsconf instance replication disable [-h] --suffix SUFFIX
- --suffix SUFFIX
The DN of the suffix to have replication disabled
OPTIONS 'dsconf replication get-ruv'
usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX
- --suffix SUFFIX
The DN of the replicated suffix
OPTIONS 'dsconf replication list'
usage: dsconf instance replication list [-h]
OPTIONS 'dsconf replication status'
usage: dsconf instance replication status [-h] --suffix SUFFIX
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
- --suffix SUFFIX
The DN of the replication suffix
- --bind-dn BIND_DN
The DN to use to authenticate to the consumer
- --bind-passwd BIND_PASSWD
The password for the bind DN
OPTIONS 'dsconf replication winsync-status'
usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
- --suffix SUFFIX
The DN of the replication suffix
- --bind-dn BIND_DN
The DN to use to authenticate to the consumer
- --bind-passwd BIND_PASSWD
The password for the bind DN
OPTIONS 'dsconf replication promote'
usage: dsconf instance replication promote [-h] --suffix SUFFIX --newrole
NEWROLE [--replica-id REPLICA_ID]
[--bind-group-dn BIND_GROUP_DN]
[--bind-dn BIND_DN]
- --suffix SUFFIX
The DN of the replication suffix to promote
- --newrole NEWROLE
Promote this replica to a "hub" or "supplier"
- --replica-id REPLICA_ID
The replication identifier for a "supplier". Values range from 1 - 65534
- --bind-group-dn BIND_GROUP_DN
A group entry DN containing members that are "bind/supplier" DNs
- --bind-dn BIND_DN
The Bind or Supplier DN that can make replication updates
OPTIONS 'dsconf replication create-manager'
usage: dsconf instance replication create-manager [-h] [--name NAME]
[--passwd PASSWD]
[--suffix SUFFIX]
- --name NAME
The NAME of the new replication manager entry. For example, if the NAME is "replication manager" then the new manager entry's DN would be "cn=replication manager,cn=config".
- --passwd PASSWD
Password for replication manager. If not provided, you will be prompted for the password
- --suffix SUFFIX
The DN of the replication suffix whose replication configuration you want to add this new manager to (OPTIONAL)
OPTIONS 'dsconf replication delete-manager'
usage: dsconf instance replication delete-manager [-h] [--name NAME]
[--suffix SUFFIX]
- --name NAME
The NAME of the replication manager entry under cn=config: "cn=NAME,cn=config"
- --suffix SUFFIX
The DN of the replication suffix whose replication configuration you want to remove this manager from (OPTIONAL)
OPTIONS 'dsconf replication demote'
usage: dsconf instance replication demote [-h] --suffix SUFFIX --newrole
NEWROLE
- --suffix SUFFIX
Promote this replica to a "hub" or "consumer"
- --newrole NEWROLE
The Replication role: "hub", or "consumer"
OPTIONS 'dsconf replication get'
usage: dsconf instance replication get [-h] --suffix SUFFIX
- --suffix SUFFIX
Get the replication configuration for this suffix DN
OPTIONS 'dsconf replication set-changelog'
usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
[--max-entries MAX_ENTRIES]
[--max-age MAX_AGE]
[--trim-interval TRIM_INTERVAL]
[--encrypt]
[--disable-encrypt]
- --suffix SUFFIX
The suffix that uses the changelog
- --max-entries MAX_ENTRIES
The maximum number of entries to get in the replication changelog
- --max-age MAX_AGE
The maximum age of a replication changelog entry
- --trim-interval TRIM_INTERVAL
The interval to check if the replication changelog can be trimmed
- --encrypt
Set the replication changelog to use encryption. You must export & import the changelog after setting this.
- --disable-encrypt
Set the replication changelog to not use encryption. You must export & import the changelog after setting this.
OPTIONS 'dsconf replication get-changelog'
usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX
- --suffix SUFFIX
The suffix that uses the changelog
OPTIONS 'dsconf replication export-changelog'
usage: dsconf instance replication export-changelog [-h] {to-ldif,default} ...
Sub-commands
- dsconf replication export-changelog to-ldif
Export the specific single LDIF file. This is typically used for setting up changelog encryption
- dsconf replication export-changelog default
Export the replication changelog to the server's default LDIF directory.
OPTIONS 'dsconf replication export-changelog to-ldif'
usage: dsconf instance replication export-changelog to-ldif
[-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r REPLICA_ROOT
- -c, --csn-only
Export and interpret CSN only. This option can be used with or without -i option. The LDIF file that is generated can not be imported and is only used debugging purposes
- -d, --decode
Decode the base64 values in each changelog entry. The LDIF file that is generated can not be imported and is only used debugging purposes
- -l, --preserve-ldif-done
Preserve generated ldif.done files in changelog dirextory.
- -i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF
If you already have a changelog LDIF file, but the changes in that file are encoded, you may use this option to decode the changes in that LDIF file.
- -o OUTPUT_FILE, --output-file OUTPUT_FILE
Path name for the final result.
- -r REPLICA_ROOT, --replica-root REPLICA_ROOT
Specify replica root whose changelog you want to export.
OPTIONS 'dsconf replication export-changelog default'
usage: dsconf instance replication export-changelog default
[-h] -r REPLICA_ROOT
- -r REPLICA_ROOT, --replica-root REPLICA_ROOT
Specify replica root whose changelog you want to export.
OPTIONS 'dsconf replication import-changelog'
usage: dsconf instance replication import-changelog [-h]
{from-ldif,default} ...
Sub-commands
- dsconf replication import-changelog from-ldif
Restore/Import a specific single LDIF file.
- dsconf replication import-changelog default
Import the default changelog LDIF file created by the server.
OPTIONS 'dsconf replication import-changelog from-ldif'
usage: dsconf instance replication import-changelog from-ldif
[-h] -r REPLICA_ROOT LDIF_PATH
- LDIF_PATH
The path of the changelog LDIF file.
- -r REPLICA_ROOT, --replica-root REPLICA_ROOT
Specify the replica root whose changelog you want to import.
OPTIONS 'dsconf replication import-changelog default'
usage: dsconf instance replication import-changelog default
[-h] -r REPLICA_ROOT
- -r REPLICA_ROOT, --replica-root REPLICA_ROOT
Specify the replica root whose changelog you want to import.
OPTIONS 'dsconf replication set'
usage: dsconf instance replication set [-h] --suffix SUFFIX
[--repl-add-bind-dn REPL_ADD_BIND_DN]
[--repl-del-bind-dn REPL_DEL_BIND_DN]
[--repl-add-ref REPL_ADD_REF]
[--repl-del-ref REPL_DEL_REF]
[--repl-purge-delay REPL_PURGE_DELAY]
[--repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL]
[--repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING]
[--repl-bind-group REPL_BIND_GROUP]
[--repl-bind-group-interval REPL_BIND_GROUP_INTERVAL]
[--repl-protocol-timeout REPL_PROTOCOL_TIMEOUT]
[--repl-backoff-max REPL_BACKOFF_MAX]
[--repl-backoff-min REPL_BACKOFF_MIN]
[--repl-release-timeout REPL_RELEASE_TIMEOUT]
- --suffix SUFFIX
The DN of the replication suffix
- --repl-add-bind-dn REPL_ADD_BIND_DN
Add a bind (supplier) DN
- --repl-del-bind-dn REPL_DEL_BIND_DN
Remove a bind (supplier) DN
- --repl-add-ref REPL_ADD_REF
Add a replication referral (for consumers only)
- --repl-del-ref REPL_DEL_REF
Remove a replication referral (for conusmers only)
- --repl-purge-delay REPL_PURGE_DELAY
The replication purge delay
- --repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL
The interval in seconds to check for tombstones that can be purged
- --repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING
Set to "on" to improve tombstone purging performance
- --repl-bind-group REPL_BIND_GROUP
A group entry DN containing members that are "bind/supplier" DNs
- --repl-bind-group-interval REPL_BIND_GROUP_INTERVAL
An interval in seconds to check if the bind group has been updated
- --repl-protocol-timeout REPL_PROTOCOL_TIMEOUT
A timeout in seconds on how long to wait before stopping replication when the server is under load
- --repl-backoff-max REPL_BACKOFF_MAX
The maximum time in seconds a replication agreement should stay in a backoff state while waiting to acquire the consumer. Default is 300 seconds
- --repl-backoff-min REPL_BACKOFF_MIN
The starting time in seconds a replication agreement should stay in a backoff state while waiting to acquire the consumer. Default is 3 seconds
- --repl-release-timeout REPL_RELEASE_TIMEOUT
A timeout in seconds a replication supplier should send updates before it yields its replication session
OPTIONS 'dsconf replication monitor'
usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
[-a [ALIASES ...]]
- -c [CONNECTIONS ...], --connections [CONNECTIONS ...]
The connection values for monitoring other not connected topologies. The format: 'host:port:binddn:bindpwd'. You can use regex for host and port. You can set bindpwd to * and it will be requested at the runtime or you can include the path to the password file in square brackets - [~/pwd.txt]
- -a [ALIASES ...], --aliases [ALIASES ...]
If a host:port is assigned an alias, then the alias instead of host:port will be displayed in the output. The format: alias=host:port
OPTIONS 'dsconf repl-agmt'
usage: dsconf instance repl-agmt [-h]
{list,enable,disable,init,init-status,poke,status,delete,create,set,get}
...
Sub-commands
- dsconf repl-agmt list
List all the replication agreements
- dsconf repl-agmt enable
Enable replication agreement
- dsconf repl-agmt disable
Disable replication agreement
- dsconf repl-agmt init
Initialize replication agreement
- dsconf repl-agmt init-status
Check the agreement initialization status
- dsconf repl-agmt poke
Trigger replication to send updates now
- dsconf repl-agmt status
Get the current status of the replication agreement
- dsconf repl-agmt delete
Delete replication agreement
- dsconf repl-agmt create
Initialize replication agreement
- dsconf repl-agmt set
Set an attribute in the replication agreement
- dsconf repl-agmt get
Get replication configuration
OPTIONS 'dsconf repl-agmt list'
usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry ENTRY]
- --suffix SUFFIX
The DN of the suffix to look up replication agreements
- --entry ENTRY
Return the entire entry for each agreement
OPTIONS 'dsconf repl-agmt enable'
usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-agmt disable'
usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-agmt init'
usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-agmt init-status'
usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-agmt poke'
usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-agmt status'
usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
- --bind-dn BIND_DN
The DN to use to authenticate to the consumer
- --bind-passwd BIND_PASSWD
The password for the bind DN
OPTIONS 'dsconf repl-agmt delete'
usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-agmt create'
usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host HOST
--port PORT --conn-protocol
CONN_PROTOCOL [--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
--bind-method BIND_METHOD
[--frac-list FRAC_LIST]
[--frac-list-total FRAC_LIST_TOTAL]
[--strip-list STRIP_LIST]
[--schedule SCHEDULE]
[--conn-timeout CONN_TIMEOUT]
[--protocol-timeout PROTOCOL_TIMEOUT]
[--wait-async-results WAIT_ASYNC_RESULTS]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
[--flow-control-window FLOW_CONTROL_WINDOW]
[--flow-control-pause FLOW_CONTROL_PAUSE]
[--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
[--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
[--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
[--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
[--init]
AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
- --host HOST
The hostname of the remote replica
- --port PORT
The port number of the remote replica
- --conn-protocol CONN_PROTOCOL
The replication connection protocol: LDAP, LDAPS, or StartTLS
- --bind-dn BIND_DN
The Bind DN the agreement uses to authenticate to the replica
- --bind-passwd BIND_PASSWD
The credentials for the Bind DN
- --bind-method BIND_METHOD
The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or "SASL/GSSAPI"
- --frac-list FRAC_LIST
List of attributes to NOT replicate to the consumer during incremental updates
- --frac-list-total FRAC_LIST_TOTAL
List of attributes to NOT replicate during a total initialization
- --strip-list STRIP_LIST
A list of attributes that are removed from updates only if the event would otherwise be empty. Typically this is set to "modifiersname" and "modifytimestmap"
- --schedule SCHEDULE
Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday - Saturday).
- --conn-timeout CONN_TIMEOUT
The timeout used for replication connections
- --protocol-timeout PROTOCOL_TIMEOUT
A timeout in seconds on how long to wait before stopping replication when the server is under load
- --wait-async-results WAIT_ASYNC_RESULTS
The amount of time in milliseconds the server waits if the consumer is not ready before resending data
- --busy-wait-time BUSY_WAIT_TIME
The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
- --session-pause-time SESSION_PAUSE_TIME
The amount of time in seconds a supplier should wait between update sessions.
- --flow-control-window FLOW_CONTROL_WINDOW
Sets the maximum number of entries and updates sent by a supplier, which are not acknowledged by the consumer.
- --flow-control-pause FLOW_CONTROL_PAUSE
The time in milliseconds to pause after reaching the number of entries and updates set in "--flow-control-window"
- --bootstrap-bind-dn BOOTSTRAP_BIND_DN
An optional Bind DN the agreement can use to bootstrap initialization when bind groups are being used
- --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
The bootstrap credentials for the Bind DN
- --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
The replication bootstrap connection protocol: LDAP, LDAPS, or StartTLS
- --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
The bind method: "SIMPLE", or "SSLCLIENTAUTH"
- --init
Initialize the agreement after creating it.
OPTIONS 'dsconf repl-agmt set'
usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
[--port PORT]
[--conn-protocol CONN_PROTOCOL]
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
[--bind-method BIND_METHOD]
[--frac-list FRAC_LIST]
[--frac-list-total FRAC_LIST_TOTAL]
[--strip-list STRIP_LIST]
[--schedule SCHEDULE]
[--conn-timeout CONN_TIMEOUT]
[--protocol-timeout PROTOCOL_TIMEOUT]
[--wait-async-results WAIT_ASYNC_RESULTS]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
[--flow-control-window FLOW_CONTROL_WINDOW]
[--flow-control-pause FLOW_CONTROL_PAUSE]
[--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
[--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
[--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
[--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
- --host HOST
The hostname of the remote replica
- --port PORT
The port number of the remote replica
- --conn-protocol CONN_PROTOCOL
The replication connection protocol: LDAP, LDAPS, or StartTLS
- --bind-dn BIND_DN
The Bind DN the agreement uses to authenticate to the replica
- --bind-passwd BIND_PASSWD
The credentials for the Bind DN
- --bind-method BIND_METHOD
The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or "SASL/GSSAPI"
- --frac-list FRAC_LIST
List of attributes to NOT replicate to the consumer during incremental updates
- --frac-list-total FRAC_LIST_TOTAL
List of attributes to NOT replicate during a total initialization
- --strip-list STRIP_LIST
A list of attributes that are removed from updates only if the event would otherwise be empty. Typically this is set to "modifiersname" and "modifytimestmap"
- --schedule SCHEDULE
Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday - Saturday).
- --conn-timeout CONN_TIMEOUT
The timeout used for replication connections
- --protocol-timeout PROTOCOL_TIMEOUT
A timeout in seconds on how long to wait before stopping replication when the server is under load
- --wait-async-results WAIT_ASYNC_RESULTS
The amount of time in milliseconds the server waits if the consumer is not ready before resending data
- --busy-wait-time BUSY_WAIT_TIME
The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
- --session-pause-time SESSION_PAUSE_TIME
The amount of time in seconds a supplier should wait between update sessions.
- --flow-control-window FLOW_CONTROL_WINDOW
Sets the maximum number of entries and updates sent by a supplier, which are not acknowledged by the consumer.
- --flow-control-pause FLOW_CONTROL_PAUSE
The time in milliseconds to pause after reaching the number of entries and updates set in "--flow-control-window"
- --bootstrap-bind-dn BOOTSTRAP_BIND_DN
An optional Bind DN the agreement can use to bootstrap initialization when bind groups are being used
- --bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD
The bootstrap credentials for the Bind DN
- --bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL
The replication bootstrap connection protocol: LDAP, LDAPS, or StartTLS
- --bootstrap-bind-method BOOTSTRAP_BIND_METHOD
The bind method: "SIMPLE", or "SSLCLIENTAUTH"
OPTIONS 'dsconf repl-agmt get'
usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
Get the replication configuration for this suffix DN
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-winsync-agmt'
usage: dsconf instance repl-winsync-agmt [-h]
{list,enable,disable,init,init-status,poke,status,delete,create,set,get}
...
Sub-commands
- dsconf repl-winsync-agmt list
List all the replication winsync agreements
- dsconf repl-winsync-agmt enable
Enable replication winsync agreement
- dsconf repl-winsync-agmt disable
Disable replication winsync agreement
- dsconf repl-winsync-agmt init
Initialize replication winsync agreement
- dsconf repl-winsync-agmt init-status
Check the agreement initialization status
- dsconf repl-winsync-agmt poke
Trigger replication to send updates now
- dsconf repl-winsync-agmt status
Get the current status of the replication agreement
- dsconf repl-winsync-agmt delete
Delete replication winsync agreement
- dsconf repl-winsync-agmt create
Initialize replication winsync agreement
- dsconf repl-winsync-agmt set
Set an attribute in the replication winsync agreement
- dsconf repl-winsync-agmt get
Get replication configuration
OPTIONS 'dsconf repl-winsync-agmt list'
usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX
- --suffix SUFFIX
The DN of the suffix to look up replication winsync agreements
OPTIONS 'dsconf repl-winsync-agmt enable'
usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
OPTIONS 'dsconf repl-winsync-agmt disable'
usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
OPTIONS 'dsconf repl-winsync-agmt init'
usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
OPTIONS 'dsconf repl-winsync-agmt init-status'
usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUFFIX
AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-winsync-agmt poke'
usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
OPTIONS 'dsconf repl-winsync-agmt status'
usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication agreement
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-winsync-agmt delete'
usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
OPTIONS 'dsconf repl-winsync-agmt create'
usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX --host
HOST --port PORT
--conn-protocol CONN_PROTOCOL
--bind-dn BIND_DN
--bind-passwd BIND_PASSWD
[--frac-list FRAC_LIST]
[--schedule SCHEDULE]
--win-subtree WIN_SUBTREE
--ds-subtree DS_SUBTREE
--win-domain WIN_DOMAIN
[--sync-users SYNC_USERS]
[--sync-groups SYNC_GROUPS]
[--sync-interval SYNC_INTERVAL]
[--one-way-sync ONE_WAY_SYNC]
[--move-action MOVE_ACTION]
[--win-filter WIN_FILTER]
[--ds-filter DS_FILTER]
[--subtree-pair SUBTREE_PAIR]
[--conn-timeout CONN_TIMEOUT]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
[--init]
AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
- --host HOST
The hostname of the AD server
- --port PORT
The port number of the AD server
- --conn-protocol CONN_PROTOCOL
The replication winsync connection protocol: LDAP, LDAPS, or StartTLS
- --bind-dn BIND_DN
The Bind DN the agreement uses to authenticate to the AD Server
- --bind-passwd BIND_PASSWD
The credentials for the Bind DN
- --frac-list FRAC_LIST
List of attributes to NOT replicate to the consumer during incremental updates
- --schedule SCHEDULE
Sets the replication update schedule
- --win-subtree WIN_SUBTREE
The suffix of the AD Server
- --ds-subtree DS_SUBTREE
The Directory Server suffix
- --win-domain WIN_DOMAIN
The AD Domain
- --sync-users SYNC_USERS
Synchronize Users between AD and DS
- --sync-groups SYNC_GROUPS
Synchronize Groups between AD and DS
- --sync-interval SYNC_INTERVAL
The interval that DS checks AD for changes in entries
- --one-way-sync ONE_WAY_SYNC
Sets which direction to perform synchronization: "toWindows", "fromWindows", "both"
- --move-action MOVE_ACTION
Sets instructions on how to handle moved or deleted entries: "none", "unsync", or "delete"
- --win-filter WIN_FILTER
Custom filter for finding users in AD Server
- --ds-filter DS_FILTER
Custom filter for finding AD users in DS Server
- --subtree-pair SUBTREE_PAIR
Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
- --conn-timeout CONN_TIMEOUT
The timeout used for replicaton connections
- --busy-wait-time BUSY_WAIT_TIME
The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
- --session-pause-time SESSION_PAUSE_TIME
The amount of time in seconds a supplier should wait between update sessions.
- --init
Initialize the agreement after creating it.
OPTIONS 'dsconf repl-winsync-agmt set'
usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
[--host HOST] [--port PORT]
[--conn-protocol CONN_PROTOCOL]
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
[--frac-list FRAC_LIST]
[--schedule SCHEDULE]
[--win-subtree WIN_SUBTREE]
[--ds-subtree DS_SUBTREE]
[--win-domain WIN_DOMAIN]
[--sync-users SYNC_USERS]
[--sync-groups SYNC_GROUPS]
[--sync-interval SYNC_INTERVAL]
[--one-way-sync ONE_WAY_SYNC]
[--move-action MOVE_ACTION]
[--win-filter WIN_FILTER]
[--ds-filter DS_FILTER]
[--subtree-pair SUBTREE_PAIR]
[--conn-timeout CONN_TIMEOUT]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
AGMT_NAME
- AGMT_NAME
The name of the replication winsync agreement
- --suffix SUFFIX
The DN of the replication winsync suffix
- --host HOST
The hostname of the AD server
- --port PORT
The port number of the AD server
- --conn-protocol CONN_PROTOCOL
The replication winsync connection protocol: LDAP, LDAPS, or StartTLS
- --bind-dn BIND_DN
The Bind DN the agreement uses to authenticate to the AD Server
- --bind-passwd BIND_PASSWD
The credentials for the Bind DN
- --frac-list FRAC_LIST
List of attributes to NOT replicate to the consumer during incremental updates
- --schedule SCHEDULE
Sets the replication update schedule
- --win-subtree WIN_SUBTREE
The suffix of the AD Server
- --ds-subtree DS_SUBTREE
The Directory Server suffix
- --win-domain WIN_DOMAIN
The AD Domain
- --sync-users SYNC_USERS
Synchronize Users between AD and DS
- --sync-groups SYNC_GROUPS
Synchronize Groups between AD and DS
- --sync-interval SYNC_INTERVAL
The interval that DS checks AD for changes in entries
- --one-way-sync ONE_WAY_SYNC
Sets which direction to perform synchronization: "toWindows", "fromWindows", "both"
- --move-action MOVE_ACTION
Sets instructions on how to handle moved or deleted entries: "none", "unsync", or "delete"
- --win-filter WIN_FILTER
Custom filter for finding users in AD Server
- --ds-filter DS_FILTER
Custom filter for finding AD users in DS Server
- --subtree-pair SUBTREE_PAIR
Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>
- --conn-timeout CONN_TIMEOUT
The timeout used for replicaton connections
- --busy-wait-time BUSY_WAIT_TIME
The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.
- --session-pause-time SESSION_PAUSE_TIME
The amount of time in seconds a supplier should wait between update sessions.
OPTIONS 'dsconf repl-winsync-agmt get'
usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX AGMT_NAME
- AGMT_NAME
Get the replication configuration for this suffix DN
- --suffix SUFFIX
The DN of the replication suffix
OPTIONS 'dsconf repl-tasks'
usage: dsconf instance repl-tasks [-h]
{cleanallruv,list-cleanruv-tasks,abort-cleanallruv,list-abortruv-tasks}
...
Sub-commands
- dsconf repl-tasks cleanallruv
Cleanup old/removed replica IDs
- dsconf repl-tasks list-cleanruv-tasks
List all the running CleanAllRUV tasks
- dsconf repl-tasks abort-cleanallruv
Abort cleanallruv tasks
- dsconf repl-tasks list-abortruv-tasks
List all the running CleanAllRUV abort Tasks
OPTIONS 'dsconf repl-tasks cleanallruv'
usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
--replica-id REPLICA_ID
[--force-cleaning]
- --suffix SUFFIX
The Directory Server suffix
- --replica-id REPLICA_ID
The replica ID to remove/clean
- --force-cleaning
Ignore errors and do a best attempt to clean all the replicas
OPTIONS 'dsconf repl-tasks list-cleanruv-tasks'
usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix SUFFIX]
- --suffix SUFFIX
List only tasks from for suffix
OPTIONS 'dsconf repl-tasks abort-cleanallruv'
usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUFFIX
--replica-id REPLICA_ID
[--certify]
- --suffix SUFFIX
The Directory Server suffix
- --replica-id REPLICA_ID
The replica ID of the cleaning task to abort
- --certify
Enforce that the abort task completed on all replicas
OPTIONS 'dsconf repl-tasks list-abortruv-tasks'
usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix SUFFIX]
- --suffix SUFFIX
List only tasks from for suffix
OPTIONS 'dsconf sasl'
usage: dsconf instance sasl [-h] {list,get-mechs,get,create,delete} ...
Sub-commands
- dsconf sasl list
List available SASL mappings
- dsconf sasl get-mechs
List available SASL mechanisms
- dsconf sasl get
get
- dsconf sasl create
create
- dsconf sasl delete
deletes the object
OPTIONS 'dsconf sasl list'
usage: dsconf instance sasl list [-h] [--details]
- --details
Get each SASL Mapping in detail.
OPTIONS 'dsconf sasl get-mechs'
usage: dsconf instance sasl get-mechs [-h]
OPTIONS 'dsconf sasl get'
usage: dsconf instance sasl get [-h] [selector]
- selector
SASL mapping name to get
OPTIONS 'dsconf sasl create'
usage: dsconf instance sasl create [-h] [--cn [CN]]
[--nsSaslMapRegexString [NSSASLMAPREGEXSTRING]]
[--nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]]
[--nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]]
[--nsSaslMapPriority [NSSASLMAPPRIORITY]]
- --cn [CN]
Value of cn
- --nsSaslMapRegexString [NSSASLMAPREGEXSTRING]
Value of nsSaslMapRegexString
- --nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]
Value of nsSaslMapBaseDNTemplate
- --nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]
Value of nsSaslMapFilterTemplate
- --nsSaslMapPriority [NSSASLMAPPRIORITY]
Value of nsSaslMapPriority
OPTIONS 'dsconf sasl delete'
usage: dsconf instance sasl delete [-h] map_name
- map_name
The SASL Mapping name ("cn" value)
OPTIONS 'dsconf security'
usage: dsconf instance security [-h]
{set,get,enable,disable,disable_plain_port,certificate,ca-certificate,rsa,ciphers}
...
Sub-commands
- dsconf security set
Set general security options
- dsconf security get
Get general security options
- dsconf security enable
Enable security
- dsconf security disable
Disable security
- dsconf security disable_plain_port
Disables the plain text LDAP port, allowing only LDAPS to function
- dsconf security certificate
Manage TLS certificates
- dsconf security ca-certificate
Manage TLS Certificate Authorities
- dsconf security rsa
Query and manipulate RSA security options
- dsconf security ciphers
Manage secure ciphers
OPTIONS 'dsconf security set'
usage: dsconf instance security set [-h] [--security SECURITY]
[--listen-host LISTEN_HOST]
[--secure-port SECURE_PORT]
[--tls-client-auth TLS_CLIENT_AUTH]
[--tls-client-renegotiation TLS_CLIENT_RENEGOTIATION]
[--require-secure-authentication REQUIRE_SECURE_AUTHENTICATION]
[--check-hostname CHECK_HOSTNAME]
[--verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP]
[--session-timeout SESSION_TIMEOUT]
[--tls-protocol-min TLS_PROTOCOL_MIN]
[--tls-protocol-max TLS_PROTOCOL_MAX]
[--allow-insecure-ciphers ALLOW_INSECURE_CIPHERS]
[--allow-weak-dh-param ALLOW_WEAK_DH_PARAM]
[--cipher-pref CIPHER_PREF]
Use this command for setting security related options located in cn=config and cn=encryption,cn=config.
To enable/disable security you can use enable and disable commands instead.
- --security SECURITY
Enable or disable security (nsslapd-security)
- --listen-host LISTEN_HOST
Host/address to listen on for LDAPS (nsslapd-securelistenhost)
- --secure-port SECURE_PORT
Port for LDAPS to listen on (nsslapd-securePort)
- --tls-client-auth TLS_CLIENT_AUTH
Client authentication requirement (nsSSLClientAuth)
- --tls-client-renegotiation TLS_CLIENT_RENEGOTIATION
Allow client TLS renegotiation (nsTLSAllowClientRenegotiation)
- --require-secure-authentication REQUIRE_SECURE_AUTHENTICATION
Require binds over LDAPS, StartTLS, or SASL (nsslapd-require-secure-binds)
- --check-hostname CHECK_HOSTNAME
Check Subject of remote certificate against the hostname (nsslapd-ssl-check- hostname)
- --verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP
Validate server certificate during startup (nsslapd-validate-cert)
- --session-timeout SESSION_TIMEOUT
Secure session timeout (nsSSLSessionTimeout)
- --tls-protocol-min TLS_PROTOCOL_MIN
Secure protocol minimal allowed version (sslVersionMin)
- --tls-protocol-max TLS_PROTOCOL_MAX
Secure protocol maximal allowed version (sslVersionMax)
- --allow-insecure-ciphers ALLOW_INSECURE_CIPHERS
Allow weak ciphers for legacy use (allowWeakCipher)
- --allow-weak-dh-param ALLOW_WEAK_DH_PARAM
Allow short DH params for legacy use (allowWeakDHParam)
- --cipher-pref CIPHER_PREF
Use this command to directly set nsSSL3Ciphers attribute. It is a comma separated list of cipher names (prefixed with + or -), optionally including +all or -all. The attribute may optionally be prefixed by keyword default. Please refer to documentation of the attribute for a more detailed description. (nsSSL3Ciphers)
OPTIONS 'dsconf security get'
usage: dsconf instance security get [-h]
OPTIONS 'dsconf security enable'
usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]
If missing, create security database, then turn on security functionality. Please note this is usually not enough for TLS connections to work - proper setup of CA and server certificate is necessary.
- --cert-name CERT_NAME
The name of the certificate the server should use
OPTIONS 'dsconf security disable'
usage: dsconf instance security disable [-h]
Turn off security functionality. The rest of the configuration will be left untouched.
OPTIONS 'dsconf security disable_plain_port'
usage: dsconf instance security disable_plain_port [-h]
OPTIONS 'dsconf security certificate'
usage: dsconf instance security certificate [-h]
{add,set-trust-flags,del,get,list}
...
Sub-commands
- dsconf security certificate add
Add a server certificate
- dsconf security certificate set-trust-flags
Set the Trust flags
- dsconf security certificate del
Delete a certificate
- dsconf security certificate get
Get a server certificate's information
- dsconf security certificate list
List the server certificates
OPTIONS 'dsconf security certificate add'
usage: dsconf instance security certificate add [-h] --file FILE --name NAME
[--primary-cert]
Add a server certificate to the NSS database
- --file FILE
The file name of the certificate
- --name NAME
The name/nickname of the certificate
- --primary-cert
Set this certificate as the server's certificate
OPTIONS 'dsconf security certificate set-trust-flags'
usage: dsconf instance security certificate set-trust-flags
[-h] --flags FLAGS name
Change the trust flags of a server certificate
- name
The name/nickname of the certificate
- --flags FLAGS
The trust flags for the server certificate
OPTIONS 'dsconf security certificate del'
usage: dsconf instance security certificate del [-h] name
Delete a certificate from the NSS database
- name
The name/nickname of the certificate
OPTIONS 'dsconf security certificate get'
usage: dsconf instance security certificate get [-h] name
Get detailed information about a certificate, like trust attributes, expiration dates, Subject and Issuer DNs
- name
The name/nickname of the certificate
OPTIONS 'dsconf security certificate list'
usage: dsconf instance security certificate list [-h]
List the server certificates in the NSS database
OPTIONS 'dsconf security ca-certificate'
usage: dsconf instance security ca-certificate [-h]
{add,set-trust-flags,del,get,list}
...
Sub-commands
- dsconf security ca-certificate add
Add a Certificate Authority
- dsconf security ca-certificate set-trust-flags
Set the Trust flags
- dsconf security ca-certificate del
Delete a certificate
- dsconf security ca-certificate get
Get a Certificate Authority's information
- dsconf security ca-certificate list
List the Certificate Authorities
OPTIONS 'dsconf security ca-certificate add'
usage: dsconf instance security ca-certificate add [-h] --file FILE --name
NAME
Add a Certificate Authority to the NSS database
- --file FILE
The file name of the CA certificate
- --name NAME
The name/nickname of the CA certificate
OPTIONS 'dsconf security ca-certificate set-trust-flags'
usage: dsconf instance security ca-certificate set-trust-flags
[-h] --flags FLAGS name
Change the trust attributes of a CA certificate. Certificate Authorities typically use "CT,,"
- name
The name/nickname of the CA certificate
- --flags FLAGS
The trust flags for the CA certificate
OPTIONS 'dsconf security ca-certificate del'
usage: dsconf instance security ca-certificate del [-h] name
Delete a CA certificate from the NSS database
- name
The name/nickname of the CA certificate
OPTIONS 'dsconf security ca-certificate get'
usage: dsconf instance security ca-certificate get [-h] name
Get detailed information about a CA certificate, like trust attributes, expiration dates, Subject and Issuer DN
- name
The name/nickname of the CA certificate
OPTIONS 'dsconf security ca-certificate list'
usage: dsconf instance security ca-certificate list [-h]
List the CA certificates in the NSS database
OPTIONS 'dsconf security rsa'
usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...
Sub-commands
- dsconf security rsa set
Set RSA security options
- dsconf security rsa get
Get RSA security options
- dsconf security rsa enable
Enable RSA
- dsconf security rsa disable
Disable RSA
OPTIONS 'dsconf security rsa set'
usage: dsconf instance security rsa set [-h]
[--tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES]
[--nss-cert-name NSS_CERT_NAME]
[--nss-token NSS_TOKEN]
Use this command for setting RSA (private key) related options located in cn=RSA,cn=encryption,cn=config.
To enable/disable RSA you can use enable and disable commands instead.
- --tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES
Activate use of RSA certificates (nsSSLActivation)
- --nss-cert-name NSS_CERT_NAME
Server certificate name in NSS DB (nsSSLPersonalitySSL)
- --nss-token NSS_TOKEN
Security token name (module of NSS DB) (nsSSLToken)
OPTIONS 'dsconf security rsa get'
usage: dsconf instance security rsa get [-h]
OPTIONS 'dsconf security rsa enable'
usage: dsconf instance security rsa enable [-h]
OPTIONS 'dsconf security rsa disable'
usage: dsconf instance security rsa disable [-h]
OPTIONS 'dsconf security ciphers'
usage: dsconf instance security ciphers [-h] {enable,disable,get,set,list} ...
Sub-commands
- dsconf security ciphers enable
Enable ciphers
- dsconf security ciphers disable
Disable ciphers
- dsconf security ciphers get
Get ciphers attribute
- dsconf security ciphers set
Set ciphers attribute
- dsconf security ciphers list
List ciphers
OPTIONS 'dsconf security ciphers enable'
usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]
Use this command to enable specific ciphers.
cipher
OPTIONS 'dsconf security ciphers disable'
usage: dsconf instance security ciphers disable [-h] cipher [cipher ...]
Use this command to disable specific ciphers.
cipher
OPTIONS 'dsconf security ciphers get'
usage: dsconf instance security ciphers get [-h]
Use this command to get contents of nsSSL3Ciphers attribute.
OPTIONS 'dsconf security ciphers set'
usage: dsconf instance security ciphers set [-h] cipher-string
Use this command to directly set nsSSL3Ciphers attribute. It is a comma separated list of cipher names (prefixed with + or -), optionally including +all or -all. The attribute may optionally be prefixed by keyword default. Please refer to documentation of the attribute for a more detailed description.
cipher-string
OPTIONS 'dsconf security ciphers list'
usage: dsconf instance security ciphers list [-h]
[--enabled | --supported | --disabled]
List secure ciphers. Without arguments, list ciphers as configured in nsSSL3Ciphers attribute.
- --enabled
Only enabled ciphers
- --supported
Only supported ciphers
- --disabled
Only supported ciphers without enabled ciphers
OPTIONS 'dsconf schema'
usage: dsconf instance schema [-h]
{list,attributetypes,objectclasses,matchingrules,reload,validate-syntax,import-openldap-file}
...
Sub-commands
- dsconf schema list
List all schema objects on this system
- dsconf schema attributetypes
Work with attribute types on this system
- dsconf schema objectclasses
Work with objectClasses on this system
- dsconf schema matchingrules
Work with matching rules on this system
- dsconf schema reload
Dynamically reload schema while server is running
- dsconf schema validate-syntax
Run a task to check every modification to attributes to make sure that the new value has the required syntax for that attribute type
- dsconf schema import-openldap-file
Import an openldap formatted dynamic schema ldifs. These will contain values like olcAttributeTypes and olcObjectClasses.
OPTIONS 'dsconf schema list'
usage: dsconf instance schema list [-h]
OPTIONS 'dsconf schema attributetypes'
usage: dsconf instance schema attributetypes [-h]
{get_syntaxes,list,query,add,replace,remove}
...
Sub-commands
- dsconf schema attributetypes get_syntaxes
List all available attribute type syntaxes
- dsconf schema attributetypes list
List available attribute types on this system
- dsconf schema attributetypes query
Query an attribute to determine object classes that may or must take it
- dsconf schema attributetypes add
Add an attribute type to this system
- dsconf schema attributetypes replace
Replace an attribute type on this system
- dsconf schema attributetypes remove
Remove an attribute type on this system
OPTIONS 'dsconf schema attributetypes get_syntaxes'
usage: dsconf instance schema attributetypes get_syntaxes [-h]
OPTIONS 'dsconf schema attributetypes list'
usage: dsconf instance schema attributetypes list [-h]
OPTIONS 'dsconf schema attributetypes query'
usage: dsconf instance schema attributetypes query [-h] [name]
- name
Attribute type to query
OPTIONS 'dsconf schema attributetypes add'
usage: dsconf instance schema attributetypes add [-h] [--oid OID]
[--desc DESC]
[--x-origin X_ORIGIN]
[--aliases ALIASES [ALIASES ...]]
[--single-value]
[--multi-value]
[--no-user-mod] [--user-mod]
[--equality EQUALITY]
[--substr SUBSTR]
[--ordering ORDERING]
[--usage USAGE]
[--sup SUP [SUP ...]]
--syntax SYNTAX
name
- name
NAME of the object
- --oid OID
OID assigned to the object
- --desc DESC
Description text(DESC) of the object
- --x-origin X_ORIGIN
Provides information about where the attribute type is defined
- --aliases ALIASES [ALIASES ...]
Additional NAMEs of the object.
- --single-value
True if the matching rule must have only one valueOnly one of the flags this or --multi-value should be specified
- --multi-value
True if the matching rule may have multiple values (default)Only one of the flags this or --single-value should be specified
- --no-user-mod
True if the attribute is not modifiable by a client applicationOnly one of the flags this or --user-mod should be specified
- --user-mod
True if the attribute is modifiable by a client application (default)Only one of the flags this or --no-user-mode should be specified
- --equality EQUALITY
NAME or OID of the matching rule used for checkingwhether attribute values are equal
- --substr SUBSTR
NAME or OID of the matching rule used for checkingwhether an attribute value contains another value
- --ordering ORDERING
NAME or OID of the matching rule used for checkingwhether attribute values are lesser - equal than
- --usage USAGE
The flag indicates how the attribute type is to be used. Choose from the list: userApplications (default), directoryOperation, distributedOperation, dSAOperation
- --sup SUP [SUP ...]
The list of NAMEs or OIDs of attribute typesthis attribute type is derived from
- --syntax SYNTAX
OID of the LDAP syntax assigned to the attribute
OPTIONS 'dsconf schema attributetypes replace'
usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
[--desc DESC]
[--x-origin X_ORIGIN]
[--aliases ALIASES [ALIASES ...]]
[--single-value]
[--multi-value]
[--no-user-mod]
[--user-mod]
[--equality EQUALITY]
[--substr SUBSTR]
[--ordering ORDERING]
[--usage USAGE]
[--sup SUP [SUP ...]]
[--syntax SYNTAX]
name
- name
NAME of the object
- --oid OID
OID assigned to the object
- --desc DESC
Description text(DESC) of the object
- --x-origin X_ORIGIN
Provides information about where the attribute type is defined
- --aliases ALIASES [ALIASES ...]
Additional NAMEs of the object.
- --single-value
True if the matching rule must have only one valueOnly one of the flags this or --multi-value should be specified
- --multi-value
True if the matching rule may have multiple values (default)Only one of the flags this or --single-value should be specified
- --no-user-mod
True if the attribute is not modifiable by a client applicationOnly one of the flags this or --user-mod should be specified
- --user-mod
True if the attribute is modifiable by a client application (default)Only one of the flags this or --no-user-mode should be specified
- --equality EQUALITY
NAME or OID of the matching rule used for checkingwhether attribute values are equal
- --substr SUBSTR
NAME or OID of the matching rule used for checkingwhether an attribute value contains another value
- --ordering ORDERING
NAME or OID of the matching rule used for checkingwhether attribute values are lesser - equal than
- --usage USAGE
The flag indicates how the attribute type is to be used. Choose from the list: userApplications (default), directoryOperation, distributedOperation, dSAOperation
- --sup SUP [SUP ...]
The list of NAMEs or OIDs of attribute typesthis attribute type is derived from
- --syntax SYNTAX
OID of the LDAP syntax assigned to the attribute
OPTIONS 'dsconf schema attributetypes remove'
usage: dsconf instance schema attributetypes remove [-h] name
- name
NAME of the object
OPTIONS 'dsconf schema objectclasses'
usage: dsconf instance schema objectclasses [-h]
{list,query,add,replace,remove}
...
Sub-commands
- dsconf schema objectclasses list
List available objectClasses on this system
- dsconf schema objectclasses query
Query an objectClass
- dsconf schema objectclasses add
Add an objectClass to this system
- dsconf schema objectclasses replace
Replace an objectClass on this system
- dsconf schema objectclasses remove
Remove an objectClass on this system
OPTIONS 'dsconf schema objectclasses list'
usage: dsconf instance schema objectclasses list [-h]
OPTIONS 'dsconf schema objectclasses query'
usage: dsconf instance schema objectclasses query [-h] [name]
- name
ObjectClass to query
OPTIONS 'dsconf schema objectclasses add'
usage: dsconf instance schema objectclasses add [-h] [--oid OID] [--desc DESC]
[--x-origin X_ORIGIN]
[--must MUST [MUST ...]]
[--may MAY [MAY ...]]
[--kind KIND]
[--sup SUP [SUP ...]]
name
- name
NAME of the object
- --oid OID
OID assigned to the object
- --desc DESC
Description text(DESC) of the object
- --x-origin X_ORIGIN
Provides information about where the attribute type is defined
- --must MUST [MUST ...]
NAMEs or OIDs of all attributes an entry of the object must have
- --may MAY [MAY ...]
NAMEs or OIDs of additional attributes an entry of the object may have
- --kind KIND
Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
- --sup SUP [SUP ...]
NAMEs or OIDs of object classes this object is derived from
OPTIONS 'dsconf schema objectclasses replace'
usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
[--desc DESC]
[--x-origin X_ORIGIN]
[--must MUST [MUST ...]]
[--may MAY [MAY ...]]
[--kind KIND]
[--sup SUP [SUP ...]]
name
- name
NAME of the object
- --oid OID
OID assigned to the object
- --desc DESC
Description text(DESC) of the object
- --x-origin X_ORIGIN
Provides information about where the attribute type is defined
- --must MUST [MUST ...]
NAMEs or OIDs of all attributes an entry of the object must have
- --may MAY [MAY ...]
NAMEs or OIDs of additional attributes an entry of the object may have
- --kind KIND
Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY
- --sup SUP [SUP ...]
NAMEs or OIDs of object classes this object is derived from
OPTIONS 'dsconf schema objectclasses remove'
usage: dsconf instance schema objectclasses remove [-h] name
- name
NAME of the object
OPTIONS 'dsconf schema matchingrules'
usage: dsconf instance schema matchingrules [-h] {list,query} ...
Sub-commands
- dsconf schema matchingrules list
List available matching rules on this system
- dsconf schema matchingrules query
Query a matching rule
OPTIONS 'dsconf schema matchingrules list'
usage: dsconf instance schema matchingrules list [-h]
OPTIONS 'dsconf schema matchingrules query'
usage: dsconf instance schema matchingrules query [-h] [name]
- name
Matching rule to query
OPTIONS 'dsconf schema reload'
usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]
- -d SCHEMADIR, --schemadir SCHEMADIR
directory where schema files are located
- --wait
Wait for the reload task to complete
OPTIONS 'dsconf schema validate-syntax'
usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN
- DN
Base DN that contains entries to validate
- -f FILTER, --filter FILTER
Filter for entries to validate. If omitted, all entries with filter "(objectclass=*)" are validated
OPTIONS 'dsconf schema import-openldap-file'
usage: dsconf instance schema import-openldap-file [-h] [--confirm]
schema_file
- schema_file
Path to the openldap dynamic schema ldif to import
- --confirm
Confirm that you want to apply these schema migration actions to the 389-ds instance. By default no actions are taken.
OPTIONS 'dsconf repl-conflict'
usage: dsconf instance repl-conflict [-h]
{list,compare,delete,swap,convert,list-glue,delete-glue,convert-glue}
...
Sub-commands
- dsconf repl-conflict list
List conflict entries
- dsconf repl-conflict compare
Compare the conflict entry with its valid counterpart
- dsconf repl-conflict delete
Delete a conflict entry
- dsconf repl-conflict swap
Replace the valid entry with the conflict entry
- dsconf repl-conflict convert
Convert the conflict entry to a valid entry, while keeping the original valid entry counterpart. This requires that the converted conflict entry have a new RDN value. For example: "cn=my_new_rdn_value".
- dsconf repl-conflict list-glue
List replication glue entries
- dsconf repl-conflict delete-glue
Delete the glue entry and its child entries
- dsconf repl-conflict convert-glue
Convert the glue entry into a regular entry
OPTIONS 'dsconf repl-conflict list'
usage: dsconf instance repl-conflict list [-h] suffix
- suffix
The backend name, or suffix, to look for conflict entries
OPTIONS 'dsconf repl-conflict compare'
usage: dsconf instance repl-conflict compare [-h] DN
- DN
The DN of the conflict entry
OPTIONS 'dsconf repl-conflict delete'
usage: dsconf instance repl-conflict delete [-h] DN
- DN
The DN of the conflict entry
OPTIONS 'dsconf repl-conflict swap'
usage: dsconf instance repl-conflict swap [-h] DN
- DN
The DN of the conflict entry
OPTIONS 'dsconf repl-conflict convert'
usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN
- DN
The DN of the conflict entry
- --new-rdn NEW_RDN
The new RDN for the converted conflict entry. For example: "cn=my_new_rdn_value"
OPTIONS 'dsconf repl-conflict list-glue'
usage: dsconf instance repl-conflict list-glue [-h] suffix
- suffix
The backend name, or suffix, to look for glue entries
OPTIONS 'dsconf repl-conflict delete-glue'
usage: dsconf instance repl-conflict delete-glue [-h] DN
- DN
The DN of the glue entry
OPTIONS 'dsconf repl-conflict convert-glue'
usage: dsconf instance repl-conflict convert-glue [-h] DN
- DN
The DN of the glue entry
- -v, --verbose
Display verbose operation tracing during command execution
- -D BINDDN, --binddn BINDDN
The account to bind as for executing operations
- -w BINDPW, --bindpw BINDPW
Password for binddn
- -W, --prompt
Prompt for password for the bind DN
- -y PWDFILE, --pwdfile PWDFILE
Specifies a file containing the password for the binddn
- -b BASEDN, --basedn BASEDN
Basedn (root naming context) of the instance to manage
- -Z, --starttls
Connect with StartTLS
- -j, --json
Return result in JSON object
Authors
lib389 was written by Red Hat Inc., and William Brown <389-devel@lists.fedoraproject.org>.
Distribution
The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html