dsconf - Man Page

dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN] [-Z] [-j] instance {backend,backup,chaining,config,directory_manager,monitor,plugin,pwpolicy,localpwp,replication,repl-agmt,repl-winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...

instance

The instance name OR the LDAP url to connect to, IE localhost, ldap://mai.example.com:389

usage: dsconf instance backend [-h]
                              {suffix,index,vlv-index,attr-encrypt,config,monitor,import,export,create,delete,get-tree}
                              ...

usage: dsconf instance backend suffix [-h]
                                     {list,get,get-dn,get-sub-suffixes,set}
                                     ...

usage: dsconf instance backend suffix list [-h] [--suffix]
                                          [--skip-subsuffixes]

--suffix

Just display the suffix, and not the backend name

--skip-subsuffixes

Skip over sub-suffixes

usage: dsconf instance backend suffix get [-h] [selector]

selector

The backend to search for

usage: dsconf instance backend suffix get-dn [-h] [dn]

dn

The backend dn to get

usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix] be_name

be_name

The backend name or suffix to search for sub-suffixes

--suffix

Just display the suffix, and not the backend name

usage: dsconf instance backend suffix set [-h] [--enable-readonly]
                                         [--disable-readonly]
                                         [--require-index] [--ignore-index]
                                         [--add-referral ADD_REFERRAL]
                                         [--del-referral DEL_REFERRAL]
                                         [--enable] [--disable]
                                         [--cache-size CACHE_SIZE]
                                         [--cache-memsize CACHE_MEMSIZE]
                                         [--dncache-memsize DNCACHE_MEMSIZE]
                                         be_name

be_name

The backend name or suffix to delete

--enable-readonly

Set backend database to be read-only

--disable-readonly

Disable read-only mode for backend database

--require-index

Only allow indexed searches

--ignore-index

Allow all searches even if they are unindexed

--add-referral ADD_REFERRAL

Add a LDAP referral to the backend

--del-referral DEL_REFERRAL

Remove a LDAP referral to the backend

--enable

Enable the backend database

--disable

Disable the backend database

--cache-size CACHE_SIZE

The maximum number of entries to keep in the entry cache

--cache-memsize CACHE_MEMSIZE

The maximum size in bytes that the entry cache can grow to

--dncache-memsize DNCACHE_MEMSIZE

The maximum size in bytes that the DN cache can grow to

usage: dsconf instance backend index [-h]
                                    {add,set,get,list,delete,reindex} ...

usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
                                        [--matching-rule MATCHING_RULE]
                                        [--reindex] --attr ATTR
                                        be_name

be_name

The backend name or suffix to delete

--index-type INDEX_TYPE

An indexing type: eq, sub, pres, or approximate

--matching-rule MATCHING_RULE

Matching rule for the index

--reindex

After adding new index, reindex the database

--attr ATTR

The index attribute's name

usage: dsconf instance backend index set [-h] --attr ATTR
                                        [--add-type ADD_TYPE]
                                        [--del-type DEL_TYPE]
                                        [--add-mr ADD_MR] [--del-mr DEL_MR]
                                        [--reindex]
                                        be_name

be_name

The backend name or suffix to edit an index from

--attr ATTR

The index name to edit

--add-type ADD_TYPE

An index type to add to the index: eq, sub, pres, or approx

--del-type DEL_TYPE

An index type to remove from the index: eq, sub, pres, or approx

--add-mr ADD_MR

A matching-rule to add to the index

--del-mr DEL_MR

A matching-rule to remove from the index

--reindex

After editing index, reindex the database

usage: dsconf instance backend index get [-h] --attr ATTR be_name

be_name

The backend name or suffix to get the index from

--attr ATTR

The index name to get

usage: dsconf instance backend index list [-h] [--just-names] be_name

be_name

The backend name or suffix to list indexes from

--just-names

Return a list of just the attribute names for a backend

usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name

be_name

The backend name or suffix to delete

--attr ATTR

The index attribute's name

usage: dsconf instance backend index reindex [-h] [--attr ATTR] [--wait]
                                            be_name

be_name

The backend name or suffix to reindex

--attr ATTR

The index attribute's name to reindex. Skip this argument to reindex all attributes

--wait

Wait for the index task to complete and report the status

usage: dsconf instance backend vlv-index [-h]
                                        {list,get,add-search,edit-search,del-search,add-index,del-index,reindex}
                                        ...

usage: dsconf instance backend vlv-index list [-h] [--just-names] be_name

be_name

The backend name of the VLV index

--just-names

List just the names of the VLV search entries

usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name

be_name

The backend name of the VLV index

--name NAME

Get the VLV search entry and its index entries

usage: dsconf instance backend vlv-index add-search [-h] --name NAME
                                                   --search-base SEARCH_BASE
                                                   --search-scope
                                                   SEARCH_SCOPE
                                                   --search-filter
                                                   SEARCH_FILTER
                                                   be_name

be_name

The backend name of the VLV index

--name NAME

Name of the VLV search entry

--search-base SEARCH_BASE

The VLV search base

--search-scope SEARCH_SCOPE

The VLV search scope: 0 (base search), 1 (one-level search), or 2 (subtree search)

--search-filter SEARCH_FILTER

The VLV search filter

usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
                                                    [--search-base SEARCH_BASE]
                                                    [--search-scope SEARCH_SCOPE]
                                                    [--search-filter SEARCH_FILTER]
                                                    [--reindex]
                                                    be_name

be_name

The backend name of the VLV index

--name NAME

Name of the VLV index

--search-base SEARCH_BASE

The VLV search base

--search-scope SEARCH_SCOPE

The VLV search scope: 0 (base search), 1 (one-level search), or 2 (subtree search)

--search-filter SEARCH_FILTER

The VLV search filter

--reindex

Reindex all the VLV database indexes

usage: dsconf instance backend vlv-index del-search [-h] --name NAME be_name

be_name

The backend name of the VLV index

--name NAME

Name of the VLV search index

usage: dsconf instance backend vlv-index add-index [-h] --parent-name
                                                  PARENT_NAME --index-name
                                                  INDEX_NAME --sort SORT
                                                  [--index-it]
                                                  be_name

be_name

The backend name of the VLV index

--parent-name PARENT_NAME

Name, or "cn" attribute value, of the parent VLV search entry

--index-name INDEX_NAME

Name of the new VLV index

--sort SORT

A space separated list of attributes to sort for this VLV index

--index-it

Create the database index for this VLV index definition

usage: dsconf instance backend vlv-index del-index [-h] --parent-name
                                                  PARENT_NAME
                                                  [--index-name INDEX_NAME]
                                                  [--sort SORT]
                                                  be_name

be_name

The backend name of the VLV index

--parent-name PARENT_NAME

Name, or "cn" attribute value, of the parent VLV search entry

--index-name INDEX_NAME

Name of the VLV index to delete

--sort SORT

Delete a VLV index that has this vlvsort value

usage: dsconf instance backend vlv-index reindex [-h]
                                                [--index-name INDEX_NAME]
                                                --parent-name PARENT_NAME
                                                be_name

be_name

The backend name of the VLV index

--index-name INDEX_NAME

Name of the VLV Index entry to reindex. If not set, all indexes are reindexed

--parent-name PARENT_NAME

Name, or "cn" attribute value, of the parent VLV search entry

usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-names]
                                           [--add-attr ADD_ATTR]
                                           [--del-attr DEL_ATTR]
                                           be_name

be_name

The backend name or suffix to to reindex

--list

List all the encrypted attributes for this backend

--just-names

List just the names of the encrypted attributes (used with --list)

--add-attr ADD_ATTR

Add an attribute to be encrypted

--del-attr DEL_ATTR

Remove an attribute from being encrypted

usage: dsconf instance backend config [-h] {get,set} ...

usage: dsconf instance backend config get [-h]

usage: dsconf instance backend config set [-h]
                                         [--lookthroughlimit LOOKTHROUGHLIMIT]
                                         [--mode MODE]
                                         [--idlistscanlimit IDLISTSCANLIMIT]
                                         [--directory DIRECTORY]
                                         [--dbcachesize DBCACHESIZE]
                                         [--logdirectory LOGDIRECTORY]
                                         [--durable-txn DURABLE_TXN]
                                         [--txn-wait TXN_WAIT]
                                         [--checkpoint-interval CHECKPOINT_INTERVAL]
                                         [--compactdb-interval COMPACTDB_INTERVAL]
                                         [--txn-batch-val TXN_BATCH_VAL]
                                         [--txn-batch-min TXN_BATCH_MIN]
                                         [--txn-batch-max TXN_BATCH_MAX]
                                         [--logbufsize LOGBUFSIZE]
                                         [--locks LOCKS]
                                         [--import-cache-autosize IMPORT_CACHE_AUTOSIZE]
                                         [--cache-autosize CACHE_AUTOSIZE]
                                         [--cache-autosize-split CACHE_AUTOSIZE_SPLIT]
                                         [--import-cachesize IMPORT_CACHESIZE]
                                         [--exclude-from-export EXCLUDE_FROM_EXPORT]
                                         [--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT]
                                         [--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT]
                                         [--rangelookthroughlimit RANGELOOKTHROUGHLIMIT]
                                         [--backend-opt-level BACKEND_OPT_LEVEL]
                                         [--deadlock-policy DEADLOCK_POLICY]
                                         [--db-home-directory DB_HOME_DIRECTORY]

--lookthroughlimit LOOKTHROUGHLIMIT

specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a search request

--mode MODE

Specifies the permissions used for newly created index files

--idlistscanlimit IDLISTSCANLIMIT

Specifies the number of entry IDs that are searched during a search operation

--directory DIRECTORY

Specifies absolute path to database instance

--dbcachesize DBCACHESIZE

Specifies the database index cache size, in bytes.

--logdirectory LOGDIRECTORY

Specifies the path to the directory that contains the database transaction logs

--durable-txn DURABLE_TXN

Sets whether database transaction log entries are immediately written to the disk.

--txn-wait TXN_WAIT

Sets whether the server should should wait if there are no db locks available

--checkpoint-interval CHECKPOINT_INTERVAL

Sets the amount of time in seconds after which the Directory Server sends a checkpoint entry to the database transaction log

--compactdb-interval COMPACTDB_INTERVAL

Sets the interval in seconds when the database is compacted

--txn-batch-val TXN_BATCH_VAL

Specifies how many transactions will be batched before being committed

--txn-batch-min TXN_BATCH_MIN

Controls when transactions should be flushed earliest, independently of the batch count (only works when txn-batch-val is set)

--txn-batch-max TXN_BATCH_MAX

Controls when transactions should be flushed latest, independently of the batch count (only works when txn-batch-val is set)

--logbufsize LOGBUFSIZE

Specifies the transaction log information buffer size

--locks LOCKS

Sets the maximum number of database locks

--import-cache-autosize IMPORT_CACHE_AUTOSIZE

Set to "on" or "off" to automatically set the size of the import cache to be used during the the import process of LDIF files

--cache-autosize CACHE_AUTOSIZE

Sets the percentage of free memory that is used in total for the database and entry cache. Set to "0" to disable this feature.

--cache-autosize-split CACHE_AUTOSIZE_SPLIT

Sets the percentage of RAM that is used for the database cache. The remaining percentage is used for the entry cache

--import-cachesize IMPORT_CACHESIZE

Sets the size, in bytes, of the database cache used in the import process.

--exclude-from-export EXCLUDE_FROM_EXPORT

List of attributes to not include during database export operations

--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT

Specifies the maximum number of entries that the Directory Server will check when examining candidate entries for a search which uses the simple paged results control

--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT

Specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control.

--rangelookthroughlimit RANGELOOKTHROUGHLIMIT

Specifies the maximum number of entries that the Directory Server will check when examining candidate entries in response to a range search request.

--backend-opt-level BACKEND_OPT_LEVEL

WARNING this parameter can trigger experimental code to improve write performance. Valid values are: 0, 1, 2, or 4

--deadlock-policy DEADLOCK_POLICY

Adjusts the backend database deadlock policy (Advanced setting)

--db-home-directory DB_HOME_DIRECTORY

Sets the directory for the database mmapped files (Advanced setting)

usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]

--suffix SUFFIX

Get just the suffix monitor entry

usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
                                     [-g GEN_UNIQ_ID] [-O]
                                     [-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
                                     [-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
                                     [be_name] [ldifs ...]

be_name

The backend name or the root suffix where to import

ldifs

Specifies the filename of the input LDIF files.When multiple files are imported, they are imported in the orderthey are specified on the command line.

-c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE

The number of chunks to have during the import operation.

-E, --encrypted

Decrypts encrypted data during export. This option is used onlyif database encryption is enabled.

-g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID

Generate a unique id. Type none for no unique ID to be generatedand deterministic for the generated unique ID to be name-based.By default, a time- based unique ID is generated.When using the deterministic generation to have a name-based unique ID,it is also possible to specify the namespace for the server to use.namespaceId is a string of charactersin the format 00-xxxxxxxx- xxxxxxxx-xxxxxxxx-xxxxxxxx.

-O, --only-core

Requests that only the core database is created without attribute indexes.

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]

Specifies the suffixes or the subtrees to be included.

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]

Specifies the suffixes to be excluded.

usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m] [-N] [-r]
                                     [-u] [-U]
                                     [-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
                                     [-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
                                     be_names [be_names ...]

be_names

The backend names or the root suffixes from where to export.

-l LDIF, --ldif LDIF

Gives the filename of the output LDIF file.If more than one are specified, use a space as a separator

-C, --use-id2entry

Uses only the main database file.

-E, --encrypted

Decrypts encrypted data during export. This option is used only if database encryption is enabled.

-m, --min-base64

Sets minimal base-64 encoding.

-N, --no-seq-num

Enables you to suppress printing the sequence number.

-r, --replication

Exports the information required to initialize a replica when the LDIF is imported

-u, --no-dump-uniq-id

Requests that the unique ID is not exported.

-U, --not-folded

Requests that the output LDIF is not folded.

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]

Specifies the suffixes or the subtrees to be included.

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]

Specifies the suffixes to be excluded.

usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUFFIX]
                                     --suffix SUFFIX --be-name BE_NAME
                                     [--create-entries] [--create-suffix]

--parent-suffix PARENT_SUFFIX

Sets the parent suffix only if this backend is a sub-suffix

--suffix SUFFIX

The database suffix DN, for example "dc=example,dc=com"

--be-name BE_NAME

The database backend name, for example "userroot"

--create-entries

Create sample entries in the database

--create-suffix

Create the suffix object entry in the database. Only suffixes using the attributes 'dc', 'o', 'ou', or 'cn' are supported in this feature

usage: dsconf instance backend delete [-h] be_name

be_name

The backend name or suffix to delete

usage: dsconf instance backend get-tree [-h]

usage: dsconf instance backup [-h] {create,restore} ...

usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]

archive

The directory where the backup files will be stored.The /var/lib/dirsrv/slapd- instance/bak directory is used by default.The backup file is named according to the year-month-day-hour format.

-t DB_TYPE, --db-type DB_TYPE

Database type (default: ldbm database).

usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive

archive

The directory of the backup files.

-t DB_TYPE, --db-type DB_TYPE

Database type (default: ldbm database).

usage: dsconf instance chaining [-h]
                               {config-get,config-set,config-get-def,config-set-def,link-create,link-get,link-set,link-delete,monitor,link-list}
                               ...

usage: dsconf instance chaining config-get [-h] [--avail-controls]
                                          [--avail-comps]

--avail-controls

List available controls for chaining

--avail-comps

List available plugin components for chaining

usage: dsconf instance chaining config-set [-h] [--add-control ADD_CONTROL]
                                          [--del-control DEL_CONTROL]
                                          [--add-comp ADD_COMP]
                                          [--del-comp DEL_COMP]

--add-control ADD_CONTROL

Add a transmitted control OID

--del-control DEL_CONTROL

Delete a transmitted control OID

--add-comp ADD_COMP

Add a chaining component

--del-comp DEL_COMP

Delete a chaining component

usage: dsconf instance chaining config-get-def [-h]

usage: dsconf instance chaining config-set-def [-h]
                                              [--conn-bind-limit CONN_BIND_LIMIT]
                                              [--conn-op-limit CONN_OP_LIMIT]
                                              [--abandon-check-interval ABANDON_CHECK_INTERVAL]
                                              [--bind-limit BIND_LIMIT]
                                              [--op-limit OP_LIMIT]
                                              [--proxied-auth PROXIED_AUTH]
                                              [--conn-lifetime CONN_LIFETIME]
                                              [--bind-timeout BIND_TIMEOUT]
                                              [--return-ref RETURN_REF]
                                              [--check-aci CHECK_ACI]
                                              [--bind-attempts BIND_ATTEMPTS]
                                              [--size-limit SIZE_LIMIT]
                                              [--time-limit TIME_LIMIT]
                                              [--hop-limit HOP_LIMIT]
                                              [--response-delay RESPONSE_DELAY]
                                              [--test-response-delay TEST_RESPONSE_DELAY]
                                              [--use-starttls USE_STARTTLS]

--conn-bind-limit CONN_BIND_LIMIT

The maximum number of BIND connections the database link establishes with the remote server.

--conn-op-limit CONN_OP_LIMIT

The maximum number of LDAP connections the database link establishes with the remote server.

--abandon-check-interval ABANDON_CHECK_INTERVAL

The number of seconds that pass before the server checks for abandoned operations.

--bind-limit BIND_LIMIT

The maximum number of concurrent bind operations per TCP connection.

--op-limit OP_LIMIT

The maximum number of concurrent operations allowed.

--proxied-auth PROXIED_AUTH

Set to "off" to disable proxied authorization, then binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute (on/off).

--conn-lifetime CONN_LIFETIME

Specifies connection lifetime in seconds. 0 keeps connection open forever.

--bind-timeout BIND_TIMEOUT

The amount of time in seconds before a bind attempt times out.

--return-ref RETURN_REF

Sets whether referrals are returned by scoped searches (on/off).

--check-aci CHECK_ACI

Set whether ACIs are evaluated on the database link as well as the remote data server (on/off).

--bind-attempts BIND_ATTEMPTS

Sets the number of times the server tries to bind with the remote server.

--size-limit SIZE_LIMIT

Sets the maximum number of entries to return from a search operation.

--time-limit TIME_LIMIT

Sets the maximum number of seconds allowed for an operation.

--hop-limit HOP_LIMIT

Sets the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.

--response-delay RESPONSE_DELAY

The maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.

--test-response-delay TEST_RESPONSE_DELAY

Sets the duration of the test issued by the database link to check whether the remote server is responding.

--use-starttls USE_STARTTLS

Set to "on" specifies that the database links should use StartTLS for its secure connections.

usage: dsconf instance chaining link-create [-h]
                                           [--conn-bind-limit CONN_BIND_LIMIT]
                                           [--conn-op-limit CONN_OP_LIMIT]
                                           [--abandon-check-interval ABANDON_CHECK_INTERVAL]
                                           [--bind-limit BIND_LIMIT]
                                           [--op-limit OP_LIMIT]
                                           [--proxied-auth PROXIED_AUTH]
                                           [--conn-lifetime CONN_LIFETIME]
                                           [--bind-timeout BIND_TIMEOUT]
                                           [--return-ref RETURN_REF]
                                           [--check-aci CHECK_ACI]
                                           [--bind-attempts BIND_ATTEMPTS]
                                           [--size-limit SIZE_LIMIT]
                                           [--time-limit TIME_LIMIT]
                                           [--hop-limit HOP_LIMIT]
                                           [--response-delay RESPONSE_DELAY]
                                           [--test-response-delay TEST_RESPONSE_DELAY]
                                           [--use-starttls USE_STARTTLS]
                                           --suffix SUFFIX --server-url
                                           SERVER_URL --bind-mech BIND_MECH
                                           --bind-dn BIND_DN --bind-pw
                                           BIND_PW
                                           CHAIN_NAME

CHAIN_NAME

The name of the database link

--conn-bind-limit CONN_BIND_LIMIT

The maximum number of BIND connections the database link establishes with the remote server.

--conn-op-limit CONN_OP_LIMIT

The maximum number of LDAP connections the database link establishes with the remote server.

--abandon-check-interval ABANDON_CHECK_INTERVAL

The number of seconds that pass before the server checks for abandoned operations.

--bind-limit BIND_LIMIT

The maximum number of concurrent bind operations per TCP connection.

--op-limit OP_LIMIT

The maximum number of concurrent operations allowed.

--proxied-auth PROXIED_AUTH

Set to "off" to disable proxied authorization, then binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute (on/off).

--conn-lifetime CONN_LIFETIME

Specifies connection lifetime in seconds. 0 keeps connection open forever.

--bind-timeout BIND_TIMEOUT

The amount of time in seconds before a bind attempt times out.

--return-ref RETURN_REF

Sets whether referrals are returned by scoped searches (on/off).

--check-aci CHECK_ACI

Set whether ACIs are evaluated on the database link as well as the remote data server (on/off).

--bind-attempts BIND_ATTEMPTS

Sets the number of times the server tries to bind with the remote server.

--size-limit SIZE_LIMIT

Sets the maximum number of entries to return from a search operation.

--time-limit TIME_LIMIT

Sets the maximum number of seconds allowed for an operation.

--hop-limit HOP_LIMIT

Sets the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.

--response-delay RESPONSE_DELAY

The maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.

--test-response-delay TEST_RESPONSE_DELAY

Sets the duration of the test issued by the database link to check whether the remote server is responding.

--use-starttls USE_STARTTLS

Set to "on" specifies that the database links should use StartTLS for its secure connections.

--suffix SUFFIX

The suffix managed by the database link.

--server-url SERVER_URL

Gives the LDAP/LDAPS URL of the remote server.

--bind-mech BIND_MECH

Sets the authentication method to use to authenticate to the remote server: <leave empty for LDAP/LDAPS>, EXTERNAL, DIGEST-MD5, or GSSAPI

--bind-dn BIND_DN

DN of the administrative entry used to communicate with the remote server

--bind-pw BIND_PW

Password for the administrative user.

usage: dsconf instance chaining link-get [-h] CHAIN_NAME

CHAIN_NAME

The chaining link name, or suffix, to retrieve

usage: dsconf instance chaining link-set [-h]
                                        [--conn-bind-limit CONN_BIND_LIMIT]
                                        [--conn-op-limit CONN_OP_LIMIT]
                                        [--abandon-check-interval ABANDON_CHECK_INTERVAL]
                                        [--bind-limit BIND_LIMIT]
                                        [--op-limit OP_LIMIT]
                                        [--proxied-auth PROXIED_AUTH]
                                        [--conn-lifetime CONN_LIFETIME]
                                        [--bind-timeout BIND_TIMEOUT]
                                        [--return-ref RETURN_REF]
                                        [--check-aci CHECK_ACI]
                                        [--bind-attempts BIND_ATTEMPTS]
                                        [--size-limit SIZE_LIMIT]
                                        [--time-limit TIME_LIMIT]
                                        [--hop-limit HOP_LIMIT]
                                        [--response-delay RESPONSE_DELAY]
                                        [--test-response-delay TEST_RESPONSE_DELAY]
                                        [--use-starttls USE_STARTTLS]
                                        [--suffix SUFFIX]
                                        [--server-url SERVER_URL]
                                        [--bind-mech BIND_MECH]
                                        [--bind-dn BIND_DN]
                                        [--bind-pw BIND_PW]
                                        CHAIN_NAME

CHAIN_NAME

The name of the database link

--conn-bind-limit CONN_BIND_LIMIT

The maximum number of BIND connections the database link establishes with the remote server.

--conn-op-limit CONN_OP_LIMIT

The maximum number of LDAP connections the database link establishes with the remote server.

--abandon-check-interval ABANDON_CHECK_INTERVAL

The number of seconds that pass before the server checks for abandoned operations.

--bind-limit BIND_LIMIT

The maximum number of concurrent bind operations per TCP connection.

--op-limit OP_LIMIT

The maximum number of concurrent operations allowed.

--proxied-auth PROXIED_AUTH

Set to "off" to disable proxied authorization, then binds for chained operations are executed as the user set in the nsMultiplexorBindDn attribute (on/off).

--conn-lifetime CONN_LIFETIME

Specifies connection lifetime in seconds. 0 keeps connection open forever.

--bind-timeout BIND_TIMEOUT

The amount of time in seconds before a bind attempt times out.

--return-ref RETURN_REF

Sets whether referrals are returned by scoped searches (on/off).

--check-aci CHECK_ACI

Set whether ACIs are evaluated on the database link as well as the remote data server (on/off).

--bind-attempts BIND_ATTEMPTS

Sets the number of times the server tries to bind with the remote server.

--size-limit SIZE_LIMIT

Sets the maximum number of entries to return from a search operation.

--time-limit TIME_LIMIT

Sets the maximum number of seconds allowed for an operation.

--hop-limit HOP_LIMIT

Sets the maximum number of times a database is allowed to chain; that is, the number of times a request can be forwarded from one database link to another.

--response-delay RESPONSE_DELAY

The maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected.

--test-response-delay TEST_RESPONSE_DELAY

Sets the duration of the test issued by the database link to check whether the remote server is responding.

--use-starttls USE_STARTTLS

Set to "on" specifies that the database links should use StartTLS for its secure connections.

--suffix SUFFIX

The suffix managed by the database link.

--server-url SERVER_URL

Gives the LDAP/LDAPS URL of the remote server.

--bind-mech BIND_MECH

Sets the authentication method to use to authenticate to the remote server: <leave empty for LDAP/LDAPS>, EXTERNAL, DIGEST-MD5, or GSSAPI

--bind-dn BIND_DN

DN of the administrative entry used to communicate with the remote server

--bind-pw BIND_PW

Password for the administrative user.

usage: dsconf instance chaining link-delete [-h] CHAIN_NAME

CHAIN_NAME

The name of the database link

usage: dsconf instance chaining monitor [-h] CHAIN_NAME

CHAIN_NAME

The name of the database link

usage: dsconf instance chaining link-list [-h]

usage: dsconf instance config [-h] {get,add,replace,delete} ...

usage: dsconf instance config get [-h] [attrs ...]

attrs

Configuration attribute(s) to get

usage: dsconf instance config add [-h] [attr ...]

attr

Configuration attribute to add

usage: dsconf instance config replace [-h] [attr ...]

attr

Configuration attribute to replace

usage: dsconf instance config delete [-h] [attr ...]

attr

Configuration attribute to delete

usage: dsconf instance directory_manager [-h] {password_change} ...

usage: dsconf instance directory_manager password_change [-h]

usage: dsconf instance monitor [-h]
                              {server,dbmon,ldbm,backend,snmp,chaining,disk}
                              ...

usage: dsconf instance monitor server [-h]

usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]

-b BACKENDS, --backends BACKENDS

List of space separated backends to monitor. Default is all backends.

-x, --indexes

Show index stats for each backend

usage: dsconf instance monitor ldbm [-h]

usage: dsconf instance monitor backend [-h] [backend]

backend

Optional name of the backend to monitor

usage: dsconf instance monitor snmp [-h]

usage: dsconf instance monitor chaining [-h] [backend]

backend

Optional name of the chaining backend to monitor

usage: dsconf instance monitor disk [-h]

usage: dsconf instance plugin [-h]
                             {memberof,automember,referential-integrity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-entries,pass-through-auth,retro-changelog,posix-winsync,list,show,set}
                             ...

usage: dsconf instance plugin memberof [-h]
                                      {show,enable,disable,status,set,config-entry,fixup}
                                      ...

usage: dsconf instance plugin memberof show [-h]

usage: dsconf instance plugin memberof enable [-h]

usage: dsconf instance plugin memberof disable [-h]

usage: dsconf instance plugin memberof status [-h]

usage: dsconf instance plugin memberof set [-h] [--attr ATTR [ATTR ...]]
                                          [--groupattr GROUPATTR [GROUPATTR ...]]
                                          [--allbackends {on,off}]
                                          [--skipnested {on,off}]
                                          [--scope SCOPE] [--exclude EXCLUDE]
                                          [--autoaddoc AUTOADDOC]
                                          [--config-entry CONFIG_ENTRY]

--attr ATTR [ATTR ...]

Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]

Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)

--allbackends {on,off}

Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)

--skipnested {on,off}

Specifies wherher to skip nested groups or not (memberOfSkipNested)

--scope SCOPE

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)

--exclude EXCLUDE

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC

If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter

--config-entry CONFIG_ENTRY

The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin memberof config-entry [-h]
                                                   {add,set,show,delete} ...

usage: dsconf instance plugin memberof config-entry add [-h]
                                                       [--attr ATTR [ATTR ...]]
                                                       [--groupattr GROUPATTR [GROUPATTR ...]]
                                                       [--allbackends {on,off}]
                                                       [--skipnested {on,off}]
                                                       [--scope SCOPE]
                                                       [--exclude EXCLUDE]
                                                       [--autoaddoc AUTOADDOC]
                                                       DN

DN

The config entry full DN

--attr ATTR [ATTR ...]

Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]

Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)

--allbackends {on,off}

Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)

--skipnested {on,off}

Specifies wherher to skip nested groups or not (memberOfSkipNested)

--scope SCOPE

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)

--exclude EXCLUDE

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC

If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter

usage: dsconf instance plugin memberof config-entry set [-h]
                                                       [--attr ATTR [ATTR ...]]
                                                       [--groupattr GROUPATTR [GROUPATTR ...]]
                                                       [--allbackends {on,off}]
                                                       [--skipnested {on,off}]
                                                       [--scope SCOPE]
                                                       [--exclude EXCLUDE]
                                                       [--autoaddoc AUTOADDOC]
                                                       DN

DN

The config entry full DN

--attr ATTR [ATTR ...]

Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]

Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)

--allbackends {on,off}

Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)

--skipnested {on,off}

Specifies wherher to skip nested groups or not (memberOfSkipNested)

--scope SCOPE

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)

--exclude EXCLUDE

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC

If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter

usage: dsconf instance plugin memberof config-entry show [-h] DN

DN

The config entry full DN

usage: dsconf instance plugin memberof config-entry delete [-h] DN

DN

The config entry full DN

usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] DN

DN

Base DN that contains entries to fix up

-f FILTER, --filter FILTER

Filter for entries to fix up. If omitted, all entries with objectclass inetuser/inetadmin/nsmemberof under the specified base will have their memberOf attribute regenerated.

usage: dsconf instance plugin automember [-h]
                                        {show,enable,disable,status,list,definition,fixup}
                                        ...

usage: dsconf instance plugin automember show [-h]

usage: dsconf instance plugin automember enable [-h]

usage: dsconf instance plugin automember disable [-h]

usage: dsconf instance plugin automember status [-h]

usage: dsconf instance plugin automember list [-h] {definitions,regexes} ...

usage: dsconf instance plugin automember list definitions [-h]

usage: dsconf instance plugin automember list regexes [-h] DEFNAME

DEFNAME

The definition entry CN.

usage: dsconf instance plugin automember definition [-h]
                                                   DEFNAME
                                                   {add,set,delete,show,regex}
                                                   ...

DEFNAME

The definition entry CN.

usage: dsconf instance plugin automember definition DEFNAME add
      [-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
      --scope SCOPE --filter FILTER

--grouping-attr GROUPING_ATTR

Specifies the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr (autoMemberGroupingAttr)

--default-group DEFAULT_GROUP

Sets default or fallback group to add the entry to as a member attribute in group entry (autoMemberDefaultGroup)

--scope SCOPE

Sets the subtree DN to search for entries (autoMemberScope)

--filter FILTER

Sets a standard LDAP search filter to use to search for matching entries (autoMemberFilter)

usage: dsconf instance plugin automember definition DEFNAME set
      [-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
      --scope SCOPE --filter FILTER

--grouping-attr GROUPING_ATTR

Specifies the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr (autoMemberGroupingAttr)

--default-group DEFAULT_GROUP

Sets default or fallback group to add the entry to as a member attribute in group entry (autoMemberDefaultGroup)

--scope SCOPE

Sets the subtree DN to search for entries (autoMemberScope)

--filter FILTER

Sets a standard LDAP search filter to use to search for matching entries (autoMemberFilter)

usage: dsconf instance plugin automember definition DEFNAME delete [-h]

usage: dsconf instance plugin automember definition DEFNAME show [-h]

usage: dsconf instance plugin automember definition DEFNAME regex
      [-h] REGEXNAME {add,set,delete,show} ...

REGEXNAME

The regex entry CN.

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME add
      [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
      [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP

--exclusive EXCLUSIVE [EXCLUSIVE ...]

Sets a single regular expression to use to identify entries to exclude (autoMemberExclusiveRegex)

--inclusive INCLUSIVE [INCLUSIVE ...]

Sets a single regular expression to use to identify entries to include (autoMemberInclusiveRegex)

--target-group TARGET_GROUP

Sets which group to add the entry to as a member, if it meets the regular expression conditions (autoMemberTargetGroup)

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME set
      [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
      [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP

--exclusive EXCLUSIVE [EXCLUSIVE ...]

Sets a single regular expression to use to identify entries to exclude (autoMemberExclusiveRegex)

--inclusive INCLUSIVE [INCLUSIVE ...]

Sets a single regular expression to use to identify entries to include (autoMemberInclusiveRegex)

--target-group TARGET_GROUP

Sets which group to add the entry to as a member, if it meets the regular expression conditions (autoMemberTargetGroup)

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME delete
      [-h]

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME show
      [-h]

usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
                                              {sub,base,one}
                                              DN

DN

Base DN that contains entries to fix up

-f FILTER, --filter FILTER

LDAP filter for entries to fix up.

-s {sub,base,one}, --scope {sub,base,one}

LDAP search scope for entries to fix up

usage: dsconf instance plugin referential-integrity [-h]
                                                   {show,enable,disable,status,set,config-entry}
                                                   ...

usage: dsconf instance plugin referential-integrity show [-h]

usage: dsconf instance plugin referential-integrity enable [-h]

usage: dsconf instance plugin referential-integrity disable [-h]

usage: dsconf instance plugin referential-integrity status [-h]

usage: dsconf instance plugin referential-integrity set [-h]
                                                       [--update-delay UPDATE_DELAY]
                                                       [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
                                                       [--entry-scope ENTRY_SCOPE]
                                                       [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
                                                       [--container-scope CONTAINER_SCOPE]
                                                       [--log-file LOG_FILE]
                                                       [--config-entry CONFIG_ENTRY]

--update-delay UPDATE_DELAY

Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)

--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]

Specifies attributes to check for and update (referint-membership-attr)

--entry-scope ENTRY_SCOPE

Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)

--exclude-entry-scope EXCLUDE_ENTRY_SCOPE

Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)

--container-scope CONTAINER_SCOPE

Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)

--log-file LOG_FILE

Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint

--config-entry CONFIG_ENTRY

The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin referential-integrity config-entry
      [-h] {add,set,show,delete} ...

usage: dsconf instance plugin referential-integrity config-entry add
      [-h] [--update-delay UPDATE_DELAY]
      [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
      [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
      [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
      DN

DN

The config entry full DN

--update-delay UPDATE_DELAY

Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)

--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]

Specifies attributes to check for and update (referint-membership-attr)

--entry-scope ENTRY_SCOPE

Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)

--exclude-entry-scope EXCLUDE_ENTRY_SCOPE

Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)

--container-scope CONTAINER_SCOPE

Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)

--log-file LOG_FILE

Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint

usage: dsconf instance plugin referential-integrity config-entry set
      [-h] [--update-delay UPDATE_DELAY]
      [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
      [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
      [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
      DN

DN

The config entry full DN

--update-delay UPDATE_DELAY

Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)

--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]

Specifies attributes to check for and update (referint-membership-attr)

--entry-scope ENTRY_SCOPE

Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)

--exclude-entry-scope EXCLUDE_ENTRY_SCOPE

Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)

--container-scope CONTAINER_SCOPE

Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)

--log-file LOG_FILE

Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint

usage: dsconf instance plugin referential-integrity config-entry show [-h] DN

DN

The config entry full DN

usage: dsconf instance plugin referential-integrity config-entry delete
      [-h] DN

DN

The config entry full DN

usage: dsconf instance plugin root-dn [-h]
                                     {show,enable,disable,status,set} ...

usage: dsconf instance plugin root-dn show [-h]

usage: dsconf instance plugin root-dn enable [-h]

usage: dsconf instance plugin root-dn disable [-h]

usage: dsconf instance plugin root-dn status [-h]

usage: dsconf instance plugin root-dn set [-h]
                                         [--allow-host ALLOW_HOST [ALLOW_HOST ...]]
                                         [--deny-host DENY_HOST [DENY_HOST ...]]
                                         [--allow-ip ALLOW_IP [ALLOW_IP ...]]
                                         [--deny-ip DENY_IP [DENY_IP ...]]
                                         [--open-time OPEN_TIME]
                                         [--close-time CLOSE_TIME]
                                         [--days-allowed DAYS_ALLOWED]

--allow-host ALLOW_HOST [ALLOW_HOST ...]

Sets what hosts, by fully-qualified domain name, the root user is allowed to use to access the Directory Server. Any hosts not listed are implicitly denied (rootdn-allow-host)

--deny-host DENY_HOST [DENY_HOST ...]

Sets what hosts, by fully-qualified domain name, the root user is not allowed to use to access the Directory Server Any hosts not listed are implicitly allowed (rootdn-deny-host). If an host address is listed in both the rootdn- allow-host and rootdn-deny-host attributes, it is denied access.

--allow-ip ALLOW_IP [ALLOW_IP ...]

Sets what IP addresses, either IPv4 or IPv6, for machines the root user is allowed to use to access the Directory Server Any IP addresses not listed are implicitly denied (rootdn-allow-ip)

--deny-ip DENY_IP [DENY_IP ...]

Sets what IP addresses, either IPv4 or IPv6, for machines the root user is not allowed to use to access the Directory Server. Any IP addresses not listed are implicitly allowed (rootdn-deny-ip) If an IP address is listed in both the rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.

--open-time OPEN_TIME

Sets part of a time period or range when the root user is allowed to access the Directory Server. This sets when the time-based access begins (rootdn- open-time)

--close-time CLOSE_TIME

Sets part of a time period or range when the root user is allowed to access the Directory Server. This sets when the time-based access ends (rootdn-close- time)

--days-allowed DAYS_ALLOWED

Gives a comma-separated list of what days the root user is allowed to use to access the Directory Server. Any days listed are implicitly denied (rootdn- days-allowed)

usage: dsconf instance plugin usn [-h]
                                 {show,enable,disable,status,global,cleanup}
                                 ...

usage: dsconf instance plugin usn show [-h]

usage: dsconf instance plugin usn enable [-h]

usage: dsconf instance plugin usn disable [-h]

usage: dsconf instance plugin usn status [-h]

usage: dsconf instance plugin usn global [-h] {on,off} ...

usage: dsconf instance plugin usn global on [-h]

usage: dsconf instance plugin usn global off [-h]

usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
                                         [-m MAX_USN]

-s SUFFIX, --suffix SUFFIX

Gives the suffix or subtree in the Directory Server to run the cleanup operation against. If the suffix is not specified, then the back end must be given (suffix)

-n BACKEND, --backend BACKEND

Gives the Directory Server instance back end, or database, to run the cleanup operation against. If the back end is not specified, then the suffix must be specified. Backend instance in which USN tombstone entries (backend)

-m MAX_USN, --max-usn MAX_USN

Gives the highest USN value to delete when removing tombstone entries (max_usn_to_delete)

usage: dsconf instance plugin account-policy [-h]
                                            {show,enable,disable,status,set,config-entry}
                                            ...

usage: dsconf instance plugin account-policy show [-h]

usage: dsconf instance plugin account-policy enable [-h]

usage: dsconf instance plugin account-policy disable [-h]

usage: dsconf instance plugin account-policy status [-h]

usage: dsconf instance plugin account-policy set [-h]
                                                [--config-entry CONFIG_ENTRY]

--config-entry CONFIG_ENTRY

The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin account-policy config-entry [-h]
                                                         {add,set,show,delete}
                                                         ...

usage: dsconf instance plugin account-policy config-entry add
      [-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
      [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
      [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
      [--state-attr STATE_ATTR]
      DN

DN

The config entry full DN

--always-record-login {yes,no}

Sets that every entry records its last login time (alwaysRecordLogin)

--alt-state-attr ALT_STATE_ATTR

Provides a backup attribute for the server to reference to evaluate the expiration time (altStateAttrName)

--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR

Specifies the attribute to store the time of the last successful login in this attribute in the users directory entry (alwaysRecordLoginAttr)

--limit-attr LIMIT_ATTR

Specifies the attribute within the policy to use for the account inactivation limit (limitAttrName)

--spec-attr SPEC_ATTR

Specifies the attribute to identify which entries are account policy configuration entries (specAttrName)

--state-attr STATE_ATTR

Specifies the primary time attribute used to evaluate an account policy (stateAttrName)

usage: dsconf instance plugin account-policy config-entry set
      [-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
      [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
      [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
      [--state-attr STATE_ATTR]
      DN

DN

The config entry full DN

--always-record-login {yes,no}

Sets that every entry records its last login time (alwaysRecordLogin)

--alt-state-attr ALT_STATE_ATTR

Provides a backup attribute for the server to reference to evaluate the expiration time (altStateAttrName)

--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR

Specifies the attribute to store the time of the last successful login in this attribute in the users directory entry (alwaysRecordLoginAttr)

--limit-attr LIMIT_ATTR

Specifies the attribute within the policy to use for the account inactivation limit (limitAttrName)

--spec-attr SPEC_ATTR

Specifies the attribute to identify which entries are account policy configuration entries (specAttrName)

--state-attr STATE_ATTR

Specifies the primary time attribute used to evaluate an account policy (stateAttrName)

usage: dsconf instance plugin account-policy config-entry show [-h] DN

DN

The config entry full DN

usage: dsconf instance plugin account-policy config-entry delete [-h] DN

DN

The config entry full DN

usage: dsconf instance plugin attr-uniq [-h]
                                       {list,add,set,show,delete,enable,disable,status}
                                       ...

usage: dsconf instance plugin attr-uniq list [-h]

usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
                                           [--attr-name ATTR_NAME [ATTR_NAME ...]]
                                           [--subtree SUBTREE [SUBTREE ...]]
                                           [--across-all-subtrees {on,off}]
                                           [--top-entry-oc TOP_ENTRY_OC]
                                           [--subtree-entries-oc SUBTREE_ENTRIES_OC]
                                           NAME

NAME

Sets the name of the plug-in configuration record. (cn) You can use any string, but "attribute_name Attribute Uniqueness" is recommended.

--enabled {on,off}

Identifies whether or not the config is enabled.

--attr-name ATTR_NAME [ATTR_NAME ...]

Sets the name of the attribute whose values must be unique. This attribute is multi-valued. (uniqueness-attribute-name)

--subtree SUBTREE [SUBTREE ...]

Sets the DN under which the plug-in checks for uniqueness of the attributes value. This attribute is multi-valued (uniqueness-subtrees)

--across-all-subtrees {on,off}

If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry (uniqueness-across-all-subtrees)

--top-entry-oc TOP_ENTRY_OC

Verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree (uniqueness-top-entry-oc)

--subtree-entries-oc SUBTREE_ENTRIES_OC

Verifies if an attribute is unique, if the entry contains the object class set in this parameter (uniqueness-subtree-entries-oc)

usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
                                           [--attr-name ATTR_NAME [ATTR_NAME ...]]
                                           [--subtree SUBTREE [SUBTREE ...]]
                                           [--across-all-subtrees {on,off}]
                                           [--top-entry-oc TOP_ENTRY_OC]
                                           [--subtree-entries-oc SUBTREE_ENTRIES_OC]
                                           NAME

NAME

Sets the name of the plug-in configuration record. (cn) You can use any string, but "attribute_name Attribute Uniqueness" is recommended.

--enabled {on,off}

Identifies whether or not the config is enabled.

--attr-name ATTR_NAME [ATTR_NAME ...]

Sets the name of the attribute whose values must be unique. This attribute is multi-valued. (uniqueness-attribute-name)

--subtree SUBTREE [SUBTREE ...]

Sets the DN under which the plug-in checks for uniqueness of the attributes value. This attribute is multi-valued (uniqueness-subtrees)

--across-all-subtrees {on,off}

If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry (uniqueness-across-all-subtrees)

--top-entry-oc TOP_ENTRY_OC

Verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree (uniqueness-top-entry-oc)

--subtree-entries-oc SUBTREE_ENTRIES_OC

Verifies if an attribute is unique, if the entry contains the object class set in this parameter (uniqueness-subtree-entries-oc)

usage: dsconf instance plugin attr-uniq show [-h] NAME

NAME

The name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq delete [-h] NAME

NAME

Sets the name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq enable [-h] NAME

NAME

Sets the name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq disable [-h] NAME

NAME

Sets the name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq status [-h] NAME

NAME

Sets the name of the plug-in configuration record

usage: dsconf instance plugin dna [-h]
                                 {show,enable,disable,status,list,config} ...

usage: dsconf instance plugin dna show [-h]

usage: dsconf instance plugin dna enable [-h]

usage: dsconf instance plugin dna disable [-h]

usage: dsconf instance plugin dna status [-h]

usage: dsconf instance plugin dna list [-h] {configs,shared-configs} ...

usage: dsconf instance plugin dna list configs [-h]

usage: dsconf instance plugin dna list shared-configs [-h] BASEDN

BASEDN

The search DN

usage: dsconf instance plugin dna config [-h]
                                        NAME
                                        {add,set,show,delete,shared-config-entry}
                                        ...

NAME

The DNA configuration name

usage: dsconf instance plugin dna config NAME add [-h]
                                                 [--type TYPE [TYPE ...]]
                                                 [--prefix PREFIX]
                                                 [--next-value NEXT_VALUE]
                                                 [--max-value MAX_VALUE]
                                                 [--interval INTERVAL]
                                                 [--magic-regen MAGIC_REGEN]
                                                 [--filter FILTER]
                                                 [--scope SCOPE]
                                                 [--remote-bind-dn REMOTE_BIND_DN]
                                                 [--remote-bind-cred REMOTE_BIND_CRED]
                                                 [--shared-config-entry SHARED_CONFIG_ENTRY]
                                                 [--threshold THRESHOLD]
                                                 [--next-range NEXT_RANGE]
                                                 [--range-request-timeout RANGE_REQUEST_TIMEOUT]

--type TYPE [TYPE ...]

Sets which attributes have unique numbers being generated for them (dnaType)

--prefix PREFIX

Defines a prefix that can be prepended to the generated number values for the attribute (dnaPrefix)

--next-value NEXT_VALUE

Gives the next available number which can be assigned (dnaNextValue)

--max-value MAX_VALUE

Sets the maximum value that can be assigned for the range (dnaMaxValue)

--interval INTERVAL

Sets an interval to use to increment through numbers in a range (dnaInterval)

--magic-regen MAGIC_REGEN

Sets a user-defined value that instructs the plug-in to assign a new value for the entry (dnaMagicRegen)

--filter FILTER

Sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range (dnaFilter)

--scope SCOPE

Sets the base DN to search for entries to which to apply the distributed numeric assignment (dnaScope)

--remote-bind-dn REMOTE_BIND_DN

Specifies the Replication Manager DN (dnaRemoteBindDN)

--remote-bind-cred REMOTE_BIND_CRED

Specifies the Replication Manager's password (dnaRemoteBindCred)

--shared-config-entry SHARED_CONFIG_ENTRY

Defines a shared identity that the servers can use to transfer ranges to one another (dnaSharedCfgDN)

--threshold THRESHOLD

Sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range (dnaThreshold)

--next-range NEXT_RANGE

Defines the next range to use when the current range is exhausted (dnaNextRange)

--range-request-timeout RANGE_REQUEST_TIMEOUT

sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server (dnaRangeRequestTimeout)

usage: dsconf instance plugin dna config NAME set [-h]
                                                 [--type TYPE [TYPE ...]]
                                                 [--prefix PREFIX]
                                                 [--next-value NEXT_VALUE]
                                                 [--max-value MAX_VALUE]
                                                 [--interval INTERVAL]
                                                 [--magic-regen MAGIC_REGEN]
                                                 [--filter FILTER]
                                                 [--scope SCOPE]
                                                 [--remote-bind-dn REMOTE_BIND_DN]
                                                 [--remote-bind-cred REMOTE_BIND_CRED]
                                                 [--shared-config-entry SHARED_CONFIG_ENTRY]
                                                 [--threshold THRESHOLD]
                                                 [--next-range NEXT_RANGE]
                                                 [--range-request-timeout RANGE_REQUEST_TIMEOUT]

--type TYPE [TYPE ...]

Sets which attributes have unique numbers being generated for them (dnaType)

--prefix PREFIX

Defines a prefix that can be prepended to the generated number values for the attribute (dnaPrefix)

--next-value NEXT_VALUE

Gives the next available number which can be assigned (dnaNextValue)

--max-value MAX_VALUE

Sets the maximum value that can be assigned for the range (dnaMaxValue)

--interval INTERVAL

Sets an interval to use to increment through numbers in a range (dnaInterval)

--magic-regen MAGIC_REGEN

Sets a user-defined value that instructs the plug-in to assign a new value for the entry (dnaMagicRegen)

--filter FILTER

Sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range (dnaFilter)

--scope SCOPE

Sets the base DN to search for entries to which to apply the distributed numeric assignment (dnaScope)

--remote-bind-dn REMOTE_BIND_DN

Specifies the Replication Manager DN (dnaRemoteBindDN)

--remote-bind-cred REMOTE_BIND_CRED

Specifies the Replication Manager's password (dnaRemoteBindCred)

--shared-config-entry SHARED_CONFIG_ENTRY

Defines a shared identity that the servers can use to transfer ranges to one another (dnaSharedCfgDN)

--threshold THRESHOLD

Sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range (dnaThreshold)

--next-range NEXT_RANGE

Defines the next range to use when the current range is exhausted (dnaNextRange)

--range-request-timeout RANGE_REQUEST_TIMEOUT

sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server (dnaRangeRequestTimeout)

usage: dsconf instance plugin dna config NAME show [-h]

usage: dsconf instance plugin dna config NAME delete [-h]

usage: dsconf instance plugin dna config NAME shared-config-entry
      [-h] HOSTNAME PORT {add,set,show,delete} ...

HOSTNAME

Identifies the host name of a server in a shared range, as part of the DNA range configuration for that specific host in multi-master replication (dnaHostname)

PORT

Gives the standard port number to use to connect to the host identified in dnaHostname (dnaPortNum)

usage: dsconf instance plugin dna config NAME shared-config-entry HOSTNAME PORT add
      [-h] [--secure-port SECURE_PORT]
      [--remote-bind-method REMOTE_BIND_METHOD]
      [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
      [--remaining-values REMAINING_VALUES]

--secure-port SECURE_PORT

Gives the secure (TLS) port number to use to connect to the host identified in dnaHostname (dnaSecurePortNum)

--remote-bind-method REMOTE_BIND_METHOD

Specifies the remote bind method (dnaRemoteBindMethod)

--remote-conn-protocol REMOTE_CONN_PROTOCOL

Specifies the remote connection protocol (dnaRemoteConnProtocol)

--remaining-values REMAINING_VALUES

Contains the number of values that are remaining and available to a server to assign to entries (dnaRemainingValues)

usage: dsconf instance plugin dna config NAME shared-config-entry HOSTNAME PORT set
      [-h] [--secure-port SECURE_PORT]
      [--remote-bind-method REMOTE_BIND_METHOD]
      [--remote-conn-protocol REMOTE_CONN_PROTOCOL]
      [--remaining-values REMAINING_VALUES]

--secure-port SECURE_PORT

Gives the secure (TLS) port number to use to connect to the host identified in dnaHostname (dnaSecurePortNum)

--remote-bind-method REMOTE_BIND_METHOD

Specifies the remote bind method (dnaRemoteBindMethod)

--remote-conn-protocol REMOTE_CONN_PROTOCOL

Specifies the remote connection protocol (dnaRemoteConnProtocol)

--remaining-values REMAINING_VALUES

Contains the number of values that are remaining and available to a server to assign to entries (dnaRemainingValues)

usage: dsconf instance plugin dna config NAME shared-config-entry HOSTNAME PORT show
      [-h]

usage: dsconf instance plugin dna config NAME shared-config-entry HOSTNAME PORT delete
      [-h]

usage: dsconf instance plugin linked-attr [-h]
                                         {show,enable,disable,status,fixup,list,config}
                                         ...

usage: dsconf instance plugin linked-attr show [-h]

usage: dsconf instance plugin linked-attr enable [-h]

usage: dsconf instance plugin linked-attr disable [-h]

usage: dsconf instance plugin linked-attr status [-h]

usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]

-l LINKDN, --linkdn LINKDN

Base DN that contains entries to fix up

usage: dsconf instance plugin linked-attr list [-h]

usage: dsconf instance plugin linked-attr config [-h]
                                                NAME {add,set,show,delete}
                                                ...

NAME

The Linked Attributes configuration name

usage: dsconf instance plugin linked-attr config NAME add [-h]
                                                         [--link-type LINK_TYPE]
                                                         [--managed-type MANAGED_TYPE]
                                                         [--link-scope LINK_SCOPE]

--link-type LINK_TYPE

Sets the attribute that is managed manually by administrators (linkType)

--managed-type MANAGED_TYPE

Sets the attribute that is created dynamically by the plugin (managedType)

--link-scope LINK_SCOPE

Sets the scope that restricts the plugin to a specific part of the directory tree (linkScope)

usage: dsconf instance plugin linked-attr config NAME set [-h]
                                                         [--link-type LINK_TYPE]
                                                         [--managed-type MANAGED_TYPE]
                                                         [--link-scope LINK_SCOPE]

--link-type LINK_TYPE

Sets the attribute that is managed manually by administrators (linkType)

--managed-type MANAGED_TYPE

Sets the attribute that is created dynamically by the plugin (managedType)

--link-scope LINK_SCOPE

Sets the scope that restricts the plugin to a specific part of the directory tree (linkScope)

usage: dsconf instance plugin linked-attr config NAME show [-h]

usage: dsconf instance plugin linked-attr config NAME delete [-h]

usage: dsconf instance plugin managed-entries [-h]
                                             {show,enable,disable,status,set,list,config,template}
                                             ...

usage: dsconf instance plugin managed-entries show [-h]

usage: dsconf instance plugin managed-entries enable [-h]

usage: dsconf instance plugin managed-entries disable [-h]

usage: dsconf instance plugin managed-entries status [-h]

usage: dsconf instance plugin managed-entries set [-h]
                                                 [--config-area CONFIG_AREA]

--config-area CONFIG_AREA

The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin managed-entries list [-h]
                                                  {configs,templates} ...

usage: dsconf instance plugin managed-entries list configs [-h]

usage: dsconf instance plugin managed-entries list templates [-h] BASEDN

BASEDN

The base DN where to search the templates.

usage: dsconf instance plugin managed-entries config [-h]
                                                    NAME
                                                    {add,set,show,delete} ...

NAME

The config entry CN.

usage: dsconf instance plugin managed-entries config NAME add
      [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
      [--managed-template MANAGED_TEMPLATE]

--scope SCOPE

Sets the scope of the search to use to see which entries the plug-in monitors (originScope)

--filter FILTER

Sets the search filter to use to search for and identify the entries within the subtree which require a managed entry (originFilter)

--managed-base MANAGED_BASE

Sets the subtree under which to create the managed entries (managedBase)

--managed-template MANAGED_TEMPLATE

Identifies the template entry to use to create the managed entry (managedTemplate)

usage: dsconf instance plugin managed-entries config NAME set
      [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
      [--managed-template MANAGED_TEMPLATE]

--scope SCOPE

Sets the scope of the search to use to see which entries the plug-in monitors (originScope)

--filter FILTER

Sets the search filter to use to search for and identify the entries within the subtree which require a managed entry (originFilter)

--managed-base MANAGED_BASE

Sets the subtree under which to create the managed entries (managedBase)

--managed-template MANAGED_TEMPLATE

Identifies the template entry to use to create the managed entry (managedTemplate)

usage: dsconf instance plugin managed-entries config NAME show [-h]

usage: dsconf instance plugin managed-entries config NAME delete [-h]

usage: dsconf instance plugin managed-entries template [-h]
                                                      DN
                                                      {add,set,show,delete}
                                                      ...

DN

The template entry DN.

usage: dsconf instance plugin managed-entries template DN add
      [-h] [--rdn-attr RDN_ATTR] [--static-attr STATIC_ATTR]
      [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

--rdn-attr RDN_ATTR

Sets which attribute to use as the naming attribute in the automatically- generated entry (mepRDNAttr)

--static-attr STATIC_ATTR

Sets an attribute with a defined value that must be added to the automatically-generated entry (mepStaticAttr)

--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]

Sets attributes in the Managed Entries template entry which must exist in the generated entry (mepMappedAttr)

usage: dsconf instance plugin managed-entries template DN set
      [-h] [--rdn-attr RDN_ATTR] [--static-attr STATIC_ATTR]
      [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

--rdn-attr RDN_ATTR

Sets which attribute to use as the naming attribute in the automatically- generated entry (mepRDNAttr)

--static-attr STATIC_ATTR

Sets an attribute with a defined value that must be added to the automatically-generated entry (mepStaticAttr)

--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]

Sets attributes in the Managed Entries template entry which must exist in the generated entry (mepMappedAttr)

usage: dsconf instance plugin managed-entries template DN show [-h]

usage: dsconf instance plugin managed-entries template DN delete [-h]

usage: dsconf instance plugin pass-through-auth [-h]
                                               {show,enable,disable,status,list,url,pam-config}
                                               ...

usage: dsconf instance plugin pass-through-auth show [-h]

usage: dsconf instance plugin pass-through-auth enable [-h]

usage: dsconf instance plugin pass-through-auth disable [-h]

usage: dsconf instance plugin pass-through-auth status [-h]

usage: dsconf instance plugin pass-through-auth list [-h]
                                                    {urls,pam-configs} ...

usage: dsconf instance plugin pass-through-auth list urls [-h]

usage: dsconf instance plugin pass-through-auth list pam-configs [-h]

usage: dsconf instance plugin pass-through-auth url [-h]
                                                   {add,modify,delete} ...

usage: dsconf instance plugin pass-through-auth url add [-h] URL

URL

The full LDAP URL in format "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional parameter is specified the rest should be specified too

usage: dsconf instance plugin pass-through-auth url modify [-h]
                                                          OLD_URL NEW_URL

OLD_URL

The full LDAP URL you get from the "list" command

NEW_URL

The full LDAP URL in format "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional parameter is specified the rest should be specified too

usage: dsconf instance plugin pass-through-auth url delete [-h] URL

URL

The full LDAP URL you get from the "list" command

usage: dsconf instance plugin pass-through-auth pam-config [-h]
                                                          NAME
                                                          {add,set,show,delete}
                                                          ...

NAME

The PAM PTA configuration name

usage: dsconf instance plugin pass-through-auth pam-config NAME add
      [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
      [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
      [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
      [--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method ID_MAP_METHOD]
      [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]

--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]

Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)

--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]

Sets a suffix to include for PAM authentication (pamIncludeSuffix)

--missing-suffix {ERROR,ALLOW,IGNORE,delete,}

Identifies how to handle missing include or exclude suffixes (pamMissingSuffix)

--filter FILTER

Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication (pamFilter)

--id-attr ID_ATTR [ID_ATTR ...]

Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)

--id_map_method ID_MAP_METHOD

Gives the method to use to map the LDAP bind DN to a PAM identity (pamIDMapMethod)

--fallback {TRUE,FALSE}

Sets whether to fallback to regular LDAP authentication if PAM authentication fails (pamFallback)

--secure {TRUE,FALSE}

Requires secure TLS connection for PAM authentication (pamSecure)

--service SERVICE

Contains the service name to pass to PAM (pamService)

usage: dsconf instance plugin pass-through-auth pam-config NAME set
      [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
      [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
      [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
      [--id-attr ID_ATTR [ID_ATTR ...]] [--id_map_method ID_MAP_METHOD]
      [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]

--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]

Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)

--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]

Sets a suffix to include for PAM authentication (pamIncludeSuffix)

--missing-suffix {ERROR,ALLOW,IGNORE,delete,}

Identifies how to handle missing include or exclude suffixes (pamMissingSuffix)

--filter FILTER

Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication (pamFilter)

--id-attr ID_ATTR [ID_ATTR ...]

Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)

--id_map_method ID_MAP_METHOD

Gives the method to use to map the LDAP bind DN to a PAM identity (pamIDMapMethod)

--fallback {TRUE,FALSE}

Sets whether to fallback to regular LDAP authentication if PAM authentication fails (pamFallback)

--secure {TRUE,FALSE}

Requires secure TLS connection for PAM authentication (pamSecure)

--service SERVICE

Contains the service name to pass to PAM (pamService)

usage: dsconf instance plugin pass-through-auth pam-config NAME show [-h]

usage: dsconf instance plugin pass-through-auth pam-config NAME delete [-h]

usage: dsconf instance plugin retro-changelog [-h]
                                             {show,enable,disable,status,set}
                                             ...

usage: dsconf instance plugin retro-changelog show [-h]

usage: dsconf instance plugin retro-changelog enable [-h]

usage: dsconf instance plugin retro-changelog disable [-h]

usage: dsconf instance plugin retro-changelog status [-h]

usage: dsconf instance plugin retro-changelog set [-h]
                                                 [--is-replicated {TRUE,FALSE}]
                                                 [--attribute ATTRIBUTE]
                                                 [--directory DIRECTORY]
                                                 [--max-age MAX_AGE]
                                                 [--exclude-suffix EXCLUDE_SUFFIX]

--is-replicated {TRUE,FALSE}

Sets a flag to indicate on a change in the changelog whether the change is newly made on that server or whether it was replicated over from another server (isReplicated)

--attribute ATTRIBUTE

Specifies another Directory Server attribute which must be included in the retro changelog entries (nsslapd-attribute)

--directory DIRECTORY

Specifies the name of the directory in which the changelog database is created the first time the plug-in is run

--max-age MAX_AGE

This attribute specifies the maximum age of any entry in the changelog (nsslapd-changelogmaxage)

--exclude-suffix EXCLUDE_SUFFIX

This attribute specifies the suffix which will be excluded from the scope of the plugin (nsslapd-exclude-suffix)

usage: dsconf instance plugin posix-winsync [-h]
                                           {show,enable,disable,status,set,fixup}
                                           ...

usage: dsconf instance plugin posix-winsync show [-h]

usage: dsconf instance plugin posix-winsync enable [-h]

usage: dsconf instance plugin posix-winsync disable [-h]

usage: dsconf instance plugin posix-winsync status [-h]

usage: dsconf instance plugin posix-winsync set [-h]
                                               [--create-memberof-task {true,false}]
                                               [--lower-case-uid {true,false}]
                                               [--map-member-uid {true,false}]
                                               [--map-nested-grouping {true,false}]
                                               [--ms-sfu-schema {true,false}]

--create-memberof-task {true,false}

Sets whether to run the memberUID fix-up task immediately after a sync run in order to update group memberships for synced users (posixWinsyncCreateMemberOfTask)

--lower-case-uid {true,false}

Sets whether to store (and, if necessary, convert) the UID value in the memberUID attribute in lower case.(posixWinsyncLowerCaseUID)

--map-member-uid {true,false}

Sets whether to map the memberUID attribute in an Active Directory group to the uniqueMember attribute in a Directory Server group (posixWinsyncMapMemberUID)

--map-nested-grouping {true,false}

Manages if nested groups are updated when memberUID attributes in an Active Directory POSIX group change (posixWinsyncMapNestedGrouping)

--ms-sfu-schema {true,false}

Sets whether to the older Microsoft System Services for Unix 3.0 (msSFU30) schema when syncing Posix attributes from Active Directory (posixWinsyncMsSFUSchema)

usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN

DN

Base DN that contains entries to fix up

-f FILTER, --filter FILTER

Filter for entries to fix up. If omitted, all entries with objectclass inetuser/inetadmin/nsmemberof under the specified base will have their memberOf attribute regenerated.

usage: dsconf instance plugin list [-h]

usage: dsconf instance plugin show [-h] [selector]

selector

The plugin to search for

usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled {on,off}]
                                 [--path PATH] [--initfunc INITFUNC]
                                 [--id ID] [--vendor VENDOR]
                                 [--version VERSION]
                                 [--description DESCRIPTION]
                                 [--depends-on-type DEPENDS_ON_TYPE]
                                 [--depends-on-named DEPENDS_ON_NAMED]
                                 [--precedence PRECEDENCE]
                                 [selector]

selector

The plugin to edit

--type TYPE

The type of plugin.

--enabled {on,off}

Identifies whether or not the plugin is enabled.

--path PATH

The plugin library name (without the library suffix).

--initfunc INITFUNC

An initialization function of the plugin.

--id ID

The plugin ID.

--vendor VENDOR

The vendor of plugin.

--version VERSION

The version of plugin.

--description DESCRIPTION

The description of the plugin.

--depends-on-type DEPENDS_ON_TYPE

All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in.

--depends-on-named DEPENDS_ON_NAMED

The plug-in name matching one of the following values will be started by the server prior to this plug-in

--precedence PRECEDENCE

The priority it has in the execution order of plug-ins

usage: dsconf instance pwpolicy [-h] {get,set} ...

usage: dsconf instance pwpolicy get [-h]

usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
                                   [--pwdchange PWDCHANGE]
                                   [--pwdmustchange PWDMUSTCHANGE]
                                   [--pwdhistory PWDHISTORY]
                                   [--pwdhistorycount PWDHISTORYCOUNT]
                                   [--pwdadmin PWDADMIN]
                                   [--pwdtrack PWDTRACK]
                                   [--pwdwarning PWDWARNING]
                                   [--pwdexpire PWDEXPIRE]
                                   [--pwdmaxage PWDMAXAGE]
                                   [--pwdminage PWDMINAGE]
                                   [--pwdgracelimit PWDGRACELIMIT]
                                   [--pwdsendexpiring PWDSENDEXPIRING]
                                   [--pwdlockout PWDLOCKOUT]
                                   [--pwdunlock PWDUNLOCK]
                                   [--pwdlockoutduration PWDLOCKOUTDURATION]
                                   [--pwdmaxfailures PWDMAXFAILURES]
                                   [--pwdresetfailcount PWDRESETFAILCOUNT]
                                   [--pwdchecksyntax PWDCHECKSYNTAX]
                                   [--pwdminlen PWDMINLEN]
                                   [--pwdmindigits PWDMINDIGITS]
                                   [--pwdminalphas PWDMINALPHAS]
                                   [--pwdminuppers PWDMINUPPERS]
                                   [--pwdminlowers PWDMINLOWERS]
                                   [--pwdminspecials PWDMINSPECIALS]
                                   [--pwdmin8bits PWDMIN8BITS]
                                   [--pwdmaxrepeats PWDMAXREPEATS]
                                   [--pwdpalindrome PWDPALINDROME]
                                   [--pwdmaxseq PWDMAXSEQ]
                                   [--pwdmaxseqsets PWDMAXSEQSETS]
                                   [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                   [--pwdmincatagories PWDMINCATAGORIES]
                                   [--pwdmintokenlen PWDMINTOKENLEN]
                                   [--pwdbadwords PWDBADWORDS]
                                   [--pwduserattrs PWDUSERATTRS]
                                   [--pwpinheritglobal PWPINHERITGLOBAL]
                                   [--pwddictcheck PWDDICTCHECK]
                                   [--pwddictpath PWDDICTPATH]
                                   [--pwdlocal PWDLOCAL]
                                   [--pwdisglobal PWDISGLOBAL]
                                   [--pwdallowhash PWDALLOWHASH]

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

User must change their passwrod after it is reset by an Administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of password to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to Enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwpinheritglobal PWPINHERITGLOBAL

Set to "on" to allow local policies to inherit the global policy

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

--pwdlocal PWDLOCAL

Set to "on" to enable fine-grained (subtree/user-level) password policies

--pwdisglobal PWDISGLOBAL

Set to "on" to enable password policy state attributesto be replicated

--pwdallowhash PWDALLOWHASH

Set to "on" to allow adding prehashed passwords

usage: dsconf instance localpwp [-h]
                               {list,get,set,remove,adduser,addsubtree} ...

usage: dsconf instance localpwp list [-h] [DN]

DN

Suffix to search for local password policies

usage: dsconf instance localpwp get [-h] DN

DN

Get the local policy for this entry DN

usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
                                   [--pwdchange PWDCHANGE]
                                   [--pwdmustchange PWDMUSTCHANGE]
                                   [--pwdhistory PWDHISTORY]
                                   [--pwdhistorycount PWDHISTORYCOUNT]
                                   [--pwdadmin PWDADMIN]
                                   [--pwdtrack PWDTRACK]
                                   [--pwdwarning PWDWARNING]
                                   [--pwdexpire PWDEXPIRE]
                                   [--pwdmaxage PWDMAXAGE]
                                   [--pwdminage PWDMINAGE]
                                   [--pwdgracelimit PWDGRACELIMIT]
                                   [--pwdsendexpiring PWDSENDEXPIRING]
                                   [--pwdlockout PWDLOCKOUT]
                                   [--pwdunlock PWDUNLOCK]
                                   [--pwdlockoutduration PWDLOCKOUTDURATION]
                                   [--pwdmaxfailures PWDMAXFAILURES]
                                   [--pwdresetfailcount PWDRESETFAILCOUNT]
                                   [--pwdchecksyntax PWDCHECKSYNTAX]
                                   [--pwdminlen PWDMINLEN]
                                   [--pwdmindigits PWDMINDIGITS]
                                   [--pwdminalphas PWDMINALPHAS]
                                   [--pwdminuppers PWDMINUPPERS]
                                   [--pwdminlowers PWDMINLOWERS]
                                   [--pwdminspecials PWDMINSPECIALS]
                                   [--pwdmin8bits PWDMIN8BITS]
                                   [--pwdmaxrepeats PWDMAXREPEATS]
                                   [--pwdpalindrome PWDPALINDROME]
                                   [--pwdmaxseq PWDMAXSEQ]
                                   [--pwdmaxseqsets PWDMAXSEQSETS]
                                   [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                   [--pwdmincatagories PWDMINCATAGORIES]
                                   [--pwdmintokenlen PWDMINTOKENLEN]
                                   [--pwdbadwords PWDBADWORDS]
                                   [--pwduserattrs PWDUSERATTRS]
                                   [--pwpinheritglobal PWPINHERITGLOBAL]
                                   [--pwddictcheck PWDDICTCHECK]
                                   [--pwddictpath PWDDICTPATH]
                                   DN

DN

Set the local policy for this entry DN

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

User must change their passwrod after it is reset by an Administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of password to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to Enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwpinheritglobal PWPINHERITGLOBAL

Set to "on" to allow local policies to inherit the global policy

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

usage: dsconf instance localpwp remove [-h] DN

DN

Remove local policy for this entry DN

usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
                                       [--pwdchange PWDCHANGE]
                                       [--pwdmustchange PWDMUSTCHANGE]
                                       [--pwdhistory PWDHISTORY]
                                       [--pwdhistorycount PWDHISTORYCOUNT]
                                       [--pwdadmin PWDADMIN]
                                       [--pwdtrack PWDTRACK]
                                       [--pwdwarning PWDWARNING]
                                       [--pwdexpire PWDEXPIRE]
                                       [--pwdmaxage PWDMAXAGE]
                                       [--pwdminage PWDMINAGE]
                                       [--pwdgracelimit PWDGRACELIMIT]
                                       [--pwdsendexpiring PWDSENDEXPIRING]
                                       [--pwdlockout PWDLOCKOUT]
                                       [--pwdunlock PWDUNLOCK]
                                       [--pwdlockoutduration PWDLOCKOUTDURATION]
                                       [--pwdmaxfailures PWDMAXFAILURES]
                                       [--pwdresetfailcount PWDRESETFAILCOUNT]
                                       [--pwdchecksyntax PWDCHECKSYNTAX]
                                       [--pwdminlen PWDMINLEN]
                                       [--pwdmindigits PWDMINDIGITS]
                                       [--pwdminalphas PWDMINALPHAS]
                                       [--pwdminuppers PWDMINUPPERS]
                                       [--pwdminlowers PWDMINLOWERS]
                                       [--pwdminspecials PWDMINSPECIALS]
                                       [--pwdmin8bits PWDMIN8BITS]
                                       [--pwdmaxrepeats PWDMAXREPEATS]
                                       [--pwdpalindrome PWDPALINDROME]
                                       [--pwdmaxseq PWDMAXSEQ]
                                       [--pwdmaxseqsets PWDMAXSEQSETS]
                                       [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                       [--pwdmincatagories PWDMINCATAGORIES]
                                       [--pwdmintokenlen PWDMINTOKENLEN]
                                       [--pwdbadwords PWDBADWORDS]
                                       [--pwduserattrs PWDUSERATTRS]
                                       [--pwpinheritglobal PWPINHERITGLOBAL]
                                       [--pwddictcheck PWDDICTCHECK]
                                       [--pwddictpath PWDDICTPATH]
                                       DN

DN

Add/replace the local password policy for this entry DN

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

User must change their passwrod after it is reset by an Administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of password to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to Enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwpinheritglobal PWPINHERITGLOBAL

Set to "on" to allow local policies to inherit the global policy

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
                                          [--pwdchange PWDCHANGE]
                                          [--pwdmustchange PWDMUSTCHANGE]
                                          [--pwdhistory PWDHISTORY]
                                          [--pwdhistorycount PWDHISTORYCOUNT]
                                          [--pwdadmin PWDADMIN]
                                          [--pwdtrack PWDTRACK]
                                          [--pwdwarning PWDWARNING]
                                          [--pwdexpire PWDEXPIRE]
                                          [--pwdmaxage PWDMAXAGE]
                                          [--pwdminage PWDMINAGE]
                                          [--pwdgracelimit PWDGRACELIMIT]
                                          [--pwdsendexpiring PWDSENDEXPIRING]
                                          [--pwdlockout PWDLOCKOUT]
                                          [--pwdunlock PWDUNLOCK]
                                          [--pwdlockoutduration PWDLOCKOUTDURATION]
                                          [--pwdmaxfailures PWDMAXFAILURES]
                                          [--pwdresetfailcount PWDRESETFAILCOUNT]
                                          [--pwdchecksyntax PWDCHECKSYNTAX]
                                          [--pwdminlen PWDMINLEN]
                                          [--pwdmindigits PWDMINDIGITS]
                                          [--pwdminalphas PWDMINALPHAS]
                                          [--pwdminuppers PWDMINUPPERS]
                                          [--pwdminlowers PWDMINLOWERS]
                                          [--pwdminspecials PWDMINSPECIALS]
                                          [--pwdmin8bits PWDMIN8BITS]
                                          [--pwdmaxrepeats PWDMAXREPEATS]
                                          [--pwdpalindrome PWDPALINDROME]
                                          [--pwdmaxseq PWDMAXSEQ]
                                          [--pwdmaxseqsets PWDMAXSEQSETS]
                                          [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                          [--pwdmincatagories PWDMINCATAGORIES]
                                          [--pwdmintokenlen PWDMINTOKENLEN]
                                          [--pwdbadwords PWDBADWORDS]
                                          [--pwduserattrs PWDUSERATTRS]
                                          [--pwpinheritglobal PWPINHERITGLOBAL]
                                          [--pwddictcheck PWDDICTCHECK]
                                          [--pwddictpath PWDDICTPATH]
                                          DN

DN

Add/replace the subtree policy for this entry DN

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

User must change their passwrod after it is reset by an Administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of password to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to Enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwpinheritglobal PWPINHERITGLOBAL

Set to "on" to allow local policies to inherit the global policy

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

usage: dsconf instance replication [-h]
                                  {enable,disable,get-ruv,list,status,winsync-status,promote,create-manager,delete-manager,demote,get,create-changelog,delete-changelog,set-changelog,get-changelog,dump-changelog,restore-changelog,set,monitor}
                                  ...

usage: dsconf instance replication enable [-h] --suffix SUFFIX --role ROLE
                                         [--replica-id REPLICA_ID]
                                         [--bind-group-dn BIND_GROUP_DN]
                                         [--bind-dn BIND_DN]
                                         [--bind-passwd BIND_PASSWD]

--suffix SUFFIX

The DN of the suffix to be enabled for replication

--role ROLE

The Replication role: "master", "hub", or "consumer"

--replica-id REPLICA_ID

The replication identifier for a "master". Values range from 1 - 65534

--bind-group-dn BIND_GROUP_DN

A group entry DN containing members that are "bind/supplier" DNs

--bind-dn BIND_DN

The Bind or Supplier DN that can make replication updates

--bind-passwd BIND_PASSWD

Password for replication manager(--bind-dn). This will create the manager entry if a value is set

usage: dsconf instance replication disable [-h] --suffix SUFFIX

--suffix SUFFIX

The DN of the suffix to have replication disabled

usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX

--suffix SUFFIX

The DN of the replicated suffix

usage: dsconf instance replication list [-h]

usage: dsconf instance replication status [-h] --suffix SUFFIX
                                         [--bind-dn BIND_DN]
                                         [--bind-passwd BIND_PASSWD]

--suffix SUFFIX

The DN of the replication suffix

--bind-dn BIND_DN

The DN to use to authenticate to the consumer

--bind-passwd BIND_PASSWD

The password for the bind DN

usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
                                                 [--bind-dn BIND_DN]
                                                 [--bind-passwd BIND_PASSWD]

--suffix SUFFIX

The DN of the replication suffix

--bind-dn BIND_DN

The DN to use to authenticate to the consumer

--bind-passwd BIND_PASSWD

The password for the bind DN

usage: dsconf instance replication promote [-h] --suffix SUFFIX --newrole
                                          NEWROLE [--replica-id REPLICA_ID]
                                          [--bind-group-dn BIND_GROUP_DN]
                                          [--bind-dn BIND_DN]

--suffix SUFFIX

The DN of the replication suffix to promote

--newrole NEWROLE

Promote this replica to a "hub" or "master"

--replica-id REPLICA_ID

The replication identifier for a "master". Values range from 1 - 65534

--bind-group-dn BIND_GROUP_DN

A group entry DN containing members that are "bind/supplier" DNs

--bind-dn BIND_DN

The Bind or Supplier DN that can make replication updates

usage: dsconf instance replication create-manager [-h] [--name NAME]
                                                 [--passwd PASSWD]
                                                 [--suffix SUFFIX]

--name NAME

The NAME of the new replication manager entry. For example, if the NAME is "replication manager" then the new manager entry's DN would be "cn=replication manager,cn=config".

--passwd PASSWD

Password for replication manager. If not provided, you will be prompted for the password

--suffix SUFFIX

The DN of the replication suffix whose replication configuration you want to add this new manager to (OPTIONAL)

usage: dsconf instance replication delete-manager [-h] [--name NAME]
                                                 [--suffix SUFFIX]

--name NAME

The NAME of the replication manager entry under cn=config: "cn=NAME,cn=config"

--suffix SUFFIX

The DN of the replication suffix whose replication configuration you want to remove this manager from (OPTIONAL)

usage: dsconf instance replication demote [-h] --suffix SUFFIX --newrole
                                         NEWROLE

--suffix SUFFIX

Promte this replica to a "hub" or "consumer"

--newrole NEWROLE

The Replication role: "hub", or "consumer"

usage: dsconf instance replication get [-h] --suffix SUFFIX

--suffix SUFFIX

Get the replication configuration for this suffix DN

usage: dsconf instance replication create-changelog [-h]

usage: dsconf instance replication delete-changelog [-h]

usage: dsconf instance replication set-changelog [-h] [--cl-dir CL_DIR]
                                                [--max-entries MAX_ENTRIES]
                                                [--max-age MAX_AGE]
                                                [--compact-interval COMPACT_INTERVAL]
                                                [--trim-interval TRIM_INTERVAL]

--cl-dir CL_DIR

The replication changelog location on the filesystem

--max-entries MAX_ENTRIES

The maximum number of entries to get in the replication changelog

--max-age MAX_AGE

The maximum age of a replication changelog entry

--compact-interval COMPACT_INTERVAL

The replication changelog compaction interval

--trim-interval TRIM_INTERVAL

The interval to check if the replication changelog can be trimmed

usage: dsconf instance replication get-changelog [-h]

usage: dsconf instance replication dump-changelog [-h] [-c] [-l]
                                                 [-i CHANGELOG_LDIF]
                                                 [-o OUTPUT_FILE]
                                                 [-r REPLICA_ROOTS [REPLICA_ROOTS ...]]

-c, --csn-only

Dump and interpret CSN only. This option can be used with or without -i option.

-l, --preserve-ldif-done

Preserve generated ldif.done files from changelogdir.

-i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF

If you already have a ldif-like changelog, but the changes in that file are encoded, you may use this option to decode that ldif-like changelog. It should be base64 encoded.

-o OUTPUT_FILE, --output-file OUTPUT_FILE

Path name for the final result. Default to STDOUT if omitted.

-r REPLICA_ROOTS [REPLICA_ROOTS ...], --replica-roots REPLICA_ROOTS [REPLICA_ROOTS ...]

Specify replica roots whose changelog you want to dump. The replica roots may be seperated by comma. All the replica roots would be dumped if the option is omitted.

usage: dsconf instance replication restore-changelog [-h]
                                                    {from-ldif,from-changelogdir}
                                                    ...

usage: dsconf instance replication restore-changelog from-ldif
      [-h] -r REPLICA_ROOT LDIF_PATH

LDIF_PATH

The path of changelog LDIF file.

-r REPLICA_ROOT, --replica-root REPLICA_ROOT

Specify one replica root whose changelog you want to restore. The replica root will be consumed from the LDIF file name if the option is omitted.

usage: dsconf instance replication restore-changelog from-changelogdir
      [-h] REPLICA_ROOTS [REPLICA_ROOTS ...]

REPLICA_ROOTS

Specify replica roots whose changelog you want to restore. The replica roots may be seperated by comma. All the replica roots would be dumped if the option is omitted.

usage: dsconf instance replication set [-h] --suffix SUFFIX
                                      [--repl-add-bind-dn REPL_ADD_BIND_DN]
                                      [--repl-del-bind-dn REPL_DEL_BIND_DN]
                                      [--repl-add-ref REPL_ADD_REF]
                                      [--repl-del-ref REPL_DEL_REF]
                                      [--repl-purge-delay REPL_PURGE_DELAY]
                                      [--repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL]
                                      [--repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING]
                                      [--repl-bind-group REPL_BIND_GROUP]
                                      [--repl-bind-group-interval REPL_BIND_GROUP_INTERVAL]
                                      [--repl-protocol-timeout REPL_PROTOCOL_TIMEOUT]
                                      [--repl-backoff-max REPL_BACKOFF_MAX]
                                      [--repl-backoff-min REPL_BACKOFF_MIN]
                                      [--repl-release-timeout REPL_RELEASE_TIMEOUT]

--suffix SUFFIX

The DN of the replication suffix

--repl-add-bind-dn REPL_ADD_BIND_DN

Add a bind (supplier) DN

--repl-del-bind-dn REPL_DEL_BIND_DN

Remove a bind (supplier) DN

--repl-add-ref REPL_ADD_REF

Add a replication referral (for consumers only)

--repl-del-ref REPL_DEL_REF

Remove a replication referral (for conusmers only)

--repl-purge-delay REPL_PURGE_DELAY

The replication purge delay

--repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL

The interval in seconds to check for tombstones that can be purged

--repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING

Set to "on" to improve tombstone purging performance

--repl-bind-group REPL_BIND_GROUP

A group entry DN containing members that are "bind/supplier" DNs

--repl-bind-group-interval REPL_BIND_GROUP_INTERVAL

An interval in seconds to check if the bind group has been updated

--repl-protocol-timeout REPL_PROTOCOL_TIMEOUT

A timeout in seconds on how long to wait before stopping replication when the server is under load

--repl-backoff-max REPL_BACKOFF_MAX

The maximum time in seconds a replication agreement should stay in a backoff state while waiting to acquire the consumer. Default is 300 seconds

--repl-backoff-min REPL_BACKOFF_MIN

The starting time in seconds a replication agreement should stay in a backoff state while waiting to acquire the consumer. Default is 3 seconds

--repl-release-timeout REPL_RELEASE_TIMEOUT

A timeout in seconds a replication master should send updates before it yields its replication session

usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
                                          [-a [ALIASES ...]]

-c [CONNECTIONS ...], --connections [CONNECTIONS ...]

The connection values for monitoring other not connected topologies. The format: 'host:port:binddn:bindpwd'. You can use regex for host and port. You can set bindpwd to * and it will be requested at the runtime or you can include the path to the password file in square brackets - [~/pwd.txt]

-a [ALIASES ...], --aliases [ALIASES ...]

If a host:port is assigned an alias, then the alias instead of host:port will be displayed in the output. The format: alias=host:port

usage: dsconf instance repl-agmt [-h]
                                {list,enable,disable,init,init-status,poke,status,delete,create,set,get}
                                ...

usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry ENTRY]

--suffix SUFFIX

The DN of the suffix to look up replication agreements

--entry ENTRY

Return the entire entry for each agreement

usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
                                       [--bind-dn BIND_DN]
                                       [--bind-passwd BIND_PASSWD]
                                       AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

--bind-dn BIND_DN

The DN to use to authenticate to the consumer

--bind-passwd BIND_PASSWD

The password for the bind DN

usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host HOST
                                       --port PORT --conn-protocol
                                       CONN_PROTOCOL [--bind-dn BIND_DN]
                                       [--bind-passwd BIND_PASSWD]
                                       --bind-method BIND_METHOD
                                       [--frac-list FRAC_LIST]
                                       [--frac-list-total FRAC_LIST_TOTAL]
                                       [--strip-list STRIP_LIST]
                                       [--schedule SCHEDULE]
                                       [--conn-timeout CONN_TIMEOUT]
                                       [--protocol-timeout PROTOCOL_TIMEOUT]
                                       [--wait-async-results WAIT_ASYNC_RESULTS]
                                       [--busy-wait-time BUSY_WAIT_TIME]
                                       [--session-pause-time SESSION_PAUSE_TIME]
                                       [--flow-control-window FLOW_CONTROL_WINDOW]
                                       [--flow-control-pause FLOW_CONTROL_PAUSE]
                                       [--init]
                                       AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

--host HOST

The hostname of the remote replica

--port PORT

The port number of the remote replica

--conn-protocol CONN_PROTOCOL

The replication connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

The Bind DN the agreement uses to authenticate to the replica

--bind-passwd BIND_PASSWD

The credentials for the Bind DN

--bind-method BIND_METHOD

The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or "SASL/GSSAPI"

--frac-list FRAC_LIST

List of attributes to NOT replicate to the consumer during incremental updates

--frac-list-total FRAC_LIST_TOTAL

List of attributes to NOT replicate during a total initialization

--strip-list STRIP_LIST

A list of attributes that are removed from updates only if the event would otherwise be empty. Typically this is set to "modifiersname" and "modifytimestmap"

--schedule SCHEDULE

Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday - Saturday).

--conn-timeout CONN_TIMEOUT

The timeout used for replicaton connections

--protocol-timeout PROTOCOL_TIMEOUT

A timeout in seconds on how long to wait before stopping replication when the server is under load

--wait-async-results WAIT_ASYNC_RESULTS

The amount of time in milliseconds the server waits if the consumer is not ready before resending data

--busy-wait-time BUSY_WAIT_TIME

The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

--session-pause-time SESSION_PAUSE_TIME

The amount of time in seconds a supplier should wait between update sessions.

--flow-control-window FLOW_CONTROL_WINDOW

Sets the maximum number of entries and updates sent by a supplier, which are not acknowledged by the consumer.

--flow-control-pause FLOW_CONTROL_PAUSE

The time in milliseconds to pause after reaching the number of entries and updates set in "--flow-control-window"

--init

Initialize the agreement after creating it.

usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
                                    [--port PORT]
                                    [--conn-protocol CONN_PROTOCOL]
                                    [--bind-dn BIND_DN]
                                    [--bind-passwd BIND_PASSWD]
                                    [--bind-method BIND_METHOD]
                                    [--frac-list FRAC_LIST]
                                    [--frac-list-total FRAC_LIST_TOTAL]
                                    [--strip-list STRIP_LIST]
                                    [--schedule SCHEDULE]
                                    [--conn-timeout CONN_TIMEOUT]
                                    [--protocol-timeout PROTOCOL_TIMEOUT]
                                    [--wait-async-results WAIT_ASYNC_RESULTS]
                                    [--busy-wait-time BUSY_WAIT_TIME]
                                    [--session-pause-time SESSION_PAUSE_TIME]
                                    [--flow-control-window FLOW_CONTROL_WINDOW]
                                    [--flow-control-pause FLOW_CONTROL_PAUSE]
                                    AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

--host HOST

The hostname of the remote replica

--port PORT

The port number of the remote replica

--conn-protocol CONN_PROTOCOL

The replication connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

The Bind DN the agreement uses to authenticate to the replica

--bind-passwd BIND_PASSWD

The credentials for the Bind DN

--bind-method BIND_METHOD

The bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or "SASL/GSSAPI"

--frac-list FRAC_LIST

List of attributes to NOT replicate to the consumer during incremental updates

--frac-list-total FRAC_LIST_TOTAL

List of attributes to NOT replicate during a total initialization

--strip-list STRIP_LIST

A list of attributes that are removed from updates only if the event would otherwise be empty. Typically this is set to "modifiersname" and "modifytimestmap"

--schedule SCHEDULE

Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday - Saturday).

--conn-timeout CONN_TIMEOUT

The timeout used for replicaton connections

--protocol-timeout PROTOCOL_TIMEOUT

A timeout in seconds on how long to wait before stopping replication when the server is under load

--wait-async-results WAIT_ASYNC_RESULTS

The amount of time in milliseconds the server waits if the consumer is not ready before resending data

--busy-wait-time BUSY_WAIT_TIME

The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

--session-pause-time SESSION_PAUSE_TIME

The amount of time in seconds a supplier should wait between update sessions.

--flow-control-window FLOW_CONTROL_WINDOW

Sets the maximum number of entries and updates sent by a supplier, which are not acknowledged by the consumer.

--flow-control-pause FLOW_CONTROL_PAUSE

The time in milliseconds to pause after reaching the number of entries and updates set in "--flow-control-window"

usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

Get the replication configuration for this suffix DN

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-winsync-agmt [-h]
                                        {list,enable,disable,init,init-status,poke,status,delete,create,set,get}
                                        ...

usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX

--suffix SUFFIX

The DN of the suffix to look up replication winsync agreements

usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
                                                AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUFFIX
                                                    AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX --host
                                               HOST --port PORT
                                               --conn-protocol CONN_PROTOCOL
                                               --bind-dn BIND_DN
                                               --bind-passwd BIND_PASSWD
                                               [--frac-list FRAC_LIST]
                                               [--schedule SCHEDULE]
                                               --win-subtree WIN_SUBTREE
                                               --ds-subtree DS_SUBTREE
                                               --win-domain WIN_DOMAIN
                                               [--sync-users SYNC_USERS]
                                               [--sync-groups SYNC_GROUPS]
                                               [--sync-interval SYNC_INTERVAL]
                                               [--one-way-sync ONE_WAY_SYNC]
                                               [--move-action MOVE_ACTION]
                                               [--win-filter WIN_FILTER]
                                               [--ds-filter DS_FILTER]
                                               [--subtree-pair SUBTREE_PAIR]
                                               [--conn-timeout CONN_TIMEOUT]
                                               [--busy-wait-time BUSY_WAIT_TIME]
                                               [--session-pause-time SESSION_PAUSE_TIME]
                                               [--init]
                                               AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

--host HOST

The hostname of the AD server

--port PORT

The port number of the AD server

--conn-protocol CONN_PROTOCOL

The replication winsync connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

The Bind DN the agreement uses to authenticate to the AD Server

--bind-passwd BIND_PASSWD

The credentials for the Bind DN

--frac-list FRAC_LIST

List of attributes to NOT replicate to the consumer during incremental updates

--schedule SCHEDULE

Sets the replication update schedule

--win-subtree WIN_SUBTREE

The suffix of the AD Server

--ds-subtree DS_SUBTREE

The Directory Server suffix

--win-domain WIN_DOMAIN

The AD Domain

--sync-users SYNC_USERS

Synchronize Users between AD and DS

--sync-groups SYNC_GROUPS

Synchronize Groups between AD and DS

--sync-interval SYNC_INTERVAL

The interval that DS checks AD for changes in entries

--one-way-sync ONE_WAY_SYNC

Sets which direction to perform synchronization: "toWindows", "fromWindows", "both"

--move-action MOVE_ACTION

Sets instructions on how to handle moved or deleted entries: "none", "unsync", or "delete"

--win-filter WIN_FILTER

Custom filter for finding users in AD Server

--ds-filter DS_FILTER

Custom filter for finding AD users in DS Server

--subtree-pair SUBTREE_PAIR

Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>

--conn-timeout CONN_TIMEOUT

The timeout used for replicaton connections

--busy-wait-time BUSY_WAIT_TIME

The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

--session-pause-time SESSION_PAUSE_TIME

The amount of time in seconds a supplier should wait between update sessions.

--init

Initialize the agreement after creating it.

usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
                                            [--host HOST] [--port PORT]
                                            [--conn-protocol CONN_PROTOCOL]
                                            [--bind-dn BIND_DN]
                                            [--bind-passwd BIND_PASSWD]
                                            [--frac-list FRAC_LIST]
                                            [--schedule SCHEDULE]
                                            [--win-subtree WIN_SUBTREE]
                                            [--ds-subtree DS_SUBTREE]
                                            [--win-domain WIN_DOMAIN]
                                            [--sync-users SYNC_USERS]
                                            [--sync-groups SYNC_GROUPS]
                                            [--sync-interval SYNC_INTERVAL]
                                            [--one-way-sync ONE_WAY_SYNC]
                                            [--move-action MOVE_ACTION]
                                            [--win-filter WIN_FILTER]
                                            [--ds-filter DS_FILTER]
                                            [--subtree-pair SUBTREE_PAIR]
                                            [--conn-timeout CONN_TIMEOUT]
                                            [--busy-wait-time BUSY_WAIT_TIME]
                                            [--session-pause-time SESSION_PAUSE_TIME]
                                            AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

The DN of the replication winsync suffix

--host HOST

The hostname of the AD server

--port PORT

The port number of the AD server

--conn-protocol CONN_PROTOCOL

The replication winsync connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

The Bind DN the agreement uses to authenticate to the AD Server

--bind-passwd BIND_PASSWD

The credentials for the Bind DN

--frac-list FRAC_LIST

List of attributes to NOT replicate to the consumer during incremental updates

--schedule SCHEDULE

Sets the replication update schedule

--win-subtree WIN_SUBTREE

The suffix of the AD Server

--ds-subtree DS_SUBTREE

The Directory Server suffix

--win-domain WIN_DOMAIN

The AD Domain

--sync-users SYNC_USERS

Synchronize Users between AD and DS

--sync-groups SYNC_GROUPS

Synchronize Groups between AD and DS

--sync-interval SYNC_INTERVAL

The interval that DS checks AD for changes in entries

--one-way-sync ONE_WAY_SYNC

Sets which direction to perform synchronization: "toWindows", "fromWindows", "both"

--move-action MOVE_ACTION

Sets instructions on how to handle moved or deleted entries: "none", "unsync", or "delete"

--win-filter WIN_FILTER

Custom filter for finding users in AD Server

--ds-filter DS_FILTER

Custom filter for finding AD users in DS Server

--subtree-pair SUBTREE_PAIR

Set the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>

--conn-timeout CONN_TIMEOUT

The timeout used for replicaton connections

--busy-wait-time BUSY_WAIT_TIME

The amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

--session-pause-time SESSION_PAUSE_TIME

The amount of time in seconds a supplier should wait between update sessions.

usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

Get the replication configuration for this suffix DN

--suffix SUFFIX

The DN of the replication suffix

usage: dsconf instance repl-tasks [-h]
                                 {cleanallruv,list-cleanruv-tasks,abort-cleanallruv,list-abortruv-tasks}
                                 ...

usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
                                             --replica-id REPLICA_ID
                                             [--force-cleaning]

--suffix SUFFIX

The Directory Server suffix

--replica-id REPLICA_ID

The replica ID to remove/clean

--force-cleaning

Ignore errors and do a best attempt to clean all the replicas

usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix SUFFIX]

--suffix SUFFIX

List only tasks from for suffix

usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUFFIX
                                                   --replica-id REPLICA_ID
                                                   [--certify]

--suffix SUFFIX

The Directory Server suffix

--replica-id REPLICA_ID

The replica ID of the cleaning task to abort

--certify

Enforce that the abort task completed on all replicas

usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix SUFFIX]

--suffix SUFFIX

List only tasks from for suffix

usage: dsconf instance sasl [-h] {list,get-mechs,get,create,delete} ...

usage: dsconf instance sasl list [-h] [--details]

--details

Get each SASL Mapping in detail.

usage: dsconf instance sasl get-mechs [-h]

usage: dsconf instance sasl get [-h] [selector]

selector

SASL mapping name to get

usage: dsconf instance sasl create [-h] [--cn [CN]]
                                  [--nsSaslMapRegexString [NSSASLMAPREGEXSTRING]]
                                  [--nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]]
                                  [--nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]]
                                  [--nsSaslMapPriority [NSSASLMAPPRIORITY]]