dsconf - Man Page

Synopsis

dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN] [-Z] [-j] instance {backend,backup,chaining,config,directory_manager,monitor,plugin,pwpolicy,localpwp,replication,repl-agmt,repl-winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...

Options

instance

The name of the instance or its LDAP URL, such as ldap://server.example.com:389

Sub-commands

dsconf backend

Manage database suffixes and backends

dsconf backup

Manage online backups

dsconf chaining

Manage database chaining and database links

dsconf config

Manage the server configuration

dsconf directory_manager

Manage the Directory Manager account

dsconf monitor

Monitor the state of the instance

dsconf plugin

Manage plug-ins available on the server

dsconf pwpolicy

Manage the global password policy settings

dsconf localpwp

Manage the local user and subtree password policies

dsconf replication

Manage replication for a suffix

dsconf repl-agmt

Manage replication agreements

dsconf repl-winsync-agmt

Manage Winsync agreements

dsconf repl-tasks

Manage replication tasks

dsconf sasl

Manage SASL mappings

dsconf security

Manage security settings

dsconf schema

Manage the directory schema

dsconf repl-conflict

Manage replication conflicts

OPTIONS 'dsconf backend'

usage: dsconf instance backend [-h]
                              {suffix,index,vlv-index,attr-encrypt,config,monitor,import,export,create,delete,get-tree,compact-db}
                              ...

Sub-commands

dsconf backend suffix

Manage backend suffixes

dsconf backend index

Manage backend indexes

dsconf backend vlv-index

Manage VLV searches and indexes

dsconf backend attr-encrypt

Manage encrypted attribute settings

dsconf backend config

Manage the global database configuration settings

dsconf backend monitor

Displays global database or suffix monitoring information

dsconf backend import

Online import of a suffix

dsconf backend export

Online export of a suffix

dsconf backend create

Create a backend database

dsconf backend delete

Delete a backend database

dsconf backend get-tree

Display the suffix tree

dsconf backend compact-db

Compact the database and the replication changelog

OPTIONS 'dsconf backend suffix'

usage: dsconf instance backend suffix [-h]
                                     {list,get,get-dn,get-sub-suffixes,set}
                                     ...

Sub-commands

dsconf backend suffix list

List active backends and suffixes

dsconf backend suffix get

Display the suffix entry

dsconf backend suffix get-dn

Display the DN of a backend

dsconf backend suffix get-sub-suffixes

Display sub-suffixes

dsconf backend suffix set

Set configuration settings for a specific backend

OPTIONS 'dsconf backend suffix list'

usage: dsconf instance backend suffix list [-h] [--suffix]
                                          [--skip-subsuffixes]

--suffix

Displays the suffixes without backend name

--skip-subsuffixes

Displays the list of suffixes without sub-suffixes

OPTIONS 'dsconf backend suffix get'

usage: dsconf instance backend suffix get [-h] [selector]

selector

The backend database name to search for

OPTIONS 'dsconf backend suffix get-dn'

usage: dsconf instance backend suffix get-dn [-h] [dn]

dn

The DN to the database entry in cn=ldbm database,cn=plugins,cn=config

OPTIONS 'dsconf backend suffix get-sub-suffixes'

usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix] be_name

be_name

The backend name or suffix

--suffix

Displays the list of suffixes without backend name

OPTIONS 'dsconf backend suffix set'

usage: dsconf instance backend suffix set [-h] [--enable-readonly]
                                         [--disable-readonly]
                                         [--require-index] [--ignore-index]
                                         [--add-referral ADD_REFERRAL]
                                         [--del-referral DEL_REFERRAL]
                                         [--enable] [--disable]
                                         [--cache-size CACHE_SIZE]
                                         [--cache-memsize CACHE_MEMSIZE]
                                         [--dncache-memsize DNCACHE_MEMSIZE]
                                         [--state STATE]
                                         be_name

be_name

The backend name or suffix

--enable-readonly

Enables read-only mode for the backend database

--disable-readonly

Disables read-only mode for the backend database

--require-index

Allows only indexed searches

--ignore-index

Allows all searches even if they are unindexed

--add-referral ADD_REFERRAL

Adds an LDAP referral to the backend

--del-referral DEL_REFERRAL

Removes an LDAP referral from the backend

--enable

Enables the backend database

--disable

Disables the backend database

--cache-size CACHE_SIZE

Sets the maximum number of entries to keep in the entry cache

--cache-memsize CACHE_MEMSIZE

Sets the maximum size in bytes that the entry cache can grow to

--dncache-memsize DNCACHE_MEMSIZE

Sets the maximum size in bytes that the DN cache can grow to

--state STATE

Changes the backend state to: "database", "disabled", "referral", or "referral on update"

OPTIONS 'dsconf backend index'

usage: dsconf instance backend index [-h]
                                    {add,set,get,list,delete,reindex} ...

Sub-commands

dsconf backend index add

Add an index

dsconf backend index set

Update an index

dsconf backend index get

Display an index entry

dsconf backend index list

Display the index

dsconf backend index delete

Delete an index

dsconf backend index reindex

Re-index the database for a single index or all indexes

OPTIONS 'dsconf backend index add'

usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
                                        [--matching-rule MATCHING_RULE]
                                        [--reindex] --attr ATTR
                                        be_name

be_name

The backend name or suffix

--index-type INDEX_TYPE

Sets the indexing type (eq, sub, pres, or approx)

--matching-rule MATCHING_RULE

Sets the matching rule for the index

--reindex

Re-indexes the database after adding a new index

--attr ATTR

Sets the attribute name to index

OPTIONS 'dsconf backend index set'

usage: dsconf instance backend index set [-h] --attr ATTR
                                        [--add-type ADD_TYPE]
                                        [--del-type DEL_TYPE]
                                        [--add-mr ADD_MR] [--del-mr DEL_MR]
                                        [--reindex]
                                        be_name

be_name

The backend name or suffix

--attr ATTR

Sets the indexed attribute to update

--add-type ADD_TYPE

Adds an index type to the index (eq, sub, pres, or approx)

--del-type DEL_TYPE

Removes an index type from the index: (eq, sub, pres, or approx)

--add-mr ADD_MR

Adds a matching-rule to the index

--del-mr DEL_MR

Removes a matching-rule from the index

--reindex

Re-indexes the database after editing the index

OPTIONS 'dsconf backend index get'

usage: dsconf instance backend index get [-h] --attr ATTR be_name

be_name

The backend name or suffix

--attr ATTR

Sets the index name to display

OPTIONS 'dsconf backend index list'

usage: dsconf instance backend index list [-h] [--just-names] be_name

be_name

The backend name or suffix

--just-names

Displays only the names of indexed attributes

OPTIONS 'dsconf backend index delete'

usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name

be_name

The backend name or suffix

--attr ATTR

Sets the name of the attribute to delete from the index

OPTIONS 'dsconf backend index reindex'

usage: dsconf instance backend index reindex [-h] [--attr ATTR] [--wait]
                                            be_name

be_name

The backend name or suffix

--attr ATTR

Sets the name of the attribute to re-index. Omit this argument to re-index all attributes

--wait

Waits for the index task to complete and reports the status

OPTIONS 'dsconf backend vlv-index'

usage: dsconf instance backend vlv-index [-h]
                                        {list,get,add-search,edit-search,del-search,add-index,del-index,reindex}
                                        ...

Sub-commands

dsconf backend vlv-index list

List VLV search and index entries

dsconf backend vlv-index get

Display a VLV search and indexes

dsconf backend vlv-index add-search

Add a VLV search entry. The search entry is the parent entry of the VLV index entries, and it specifies the search parameters that are used to match entries for those indexes.

dsconf backend vlv-index edit-search

Update a VLV search and index

dsconf backend vlv-index del-search

Delete VLV search & index

dsconf backend vlv-index add-index

Create a VLV index under a VLV search entry (parent entry). The VLV index specifies the attributes to sort

dsconf backend vlv-index del-index

Delete a VLV index under a VLV search entry (parent entry)

dsconf backend vlv-index reindex

Index/re-index the VLV database index

OPTIONS 'dsconf backend vlv-index list'

usage: dsconf instance backend vlv-index list [-h] [--just-names] be_name

be_name

The backend name of the VLV index

--just-names

Displays only the names of VLV search entries

OPTIONS 'dsconf backend vlv-index get'

usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name

be_name

The backend name of the VLV index

--name NAME

Displays the VLV search entry and its index entries

OPTIONS 'dsconf backend vlv-index add-search'

usage: dsconf instance backend vlv-index add-search [-h] --name NAME
                                                   --search-base SEARCH_BASE
                                                   --search-scope
                                                   SEARCH_SCOPE
                                                   --search-filter
                                                   SEARCH_FILTER
                                                   be_name

be_name

The backend name of the VLV index

--name NAME

Sets the name of the VLV search entry

--search-base SEARCH_BASE

Sets the VLV search base

--search-scope SEARCH_SCOPE

Sets the VLV search scope: 0 (base search), 1 (one-level search), or 2 (subtree search)

--search-filter SEARCH_FILTER

Sets the VLV search filter

OPTIONS 'dsconf backend vlv-index edit-search'

usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
                                                    [--search-base SEARCH_BASE]
                                                    [--search-scope SEARCH_SCOPE]
                                                    [--search-filter SEARCH_FILTER]
                                                    [--reindex]
                                                    be_name

be_name

The backend name of the VLV index to update

--name NAME

Sets the name of the VLV index

--search-base SEARCH_BASE

Sets the VLV search base

--search-scope SEARCH_SCOPE

Sets the VLV search scope: 0 (base search), 1 (one-level search), or 2 (subtree search)

--search-filter SEARCH_FILTER

Sets the VLV search filter

--reindex

Re-indexes all VLV database indexes

OPTIONS 'dsconf backend vlv-index del-search'

usage: dsconf instance backend vlv-index del-search [-h] --name NAME be_name

be_name

The backend name of the VLV index

--name NAME

Sets the name of the VLV search index

OPTIONS 'dsconf backend vlv-index add-index'

usage: dsconf instance backend vlv-index add-index [-h] --parent-name
                                                  PARENT_NAME --index-name
                                                  INDEX_NAME --sort SORT
                                                  [--index-it]
                                                  be_name

be_name

The backend name of the VLV index

--parent-name PARENT_NAME

Sets the name or "cn" attribute of the parent VLV search entry

--index-name INDEX_NAME

Sets the name of the new VLV index

--sort SORT

Sets a space-separated list of attributes to sort for this VLV index

--index-it

Creates the database index for this VLV index definition

OPTIONS 'dsconf backend vlv-index del-index'

usage: dsconf instance backend vlv-index del-index [-h] --parent-name
                                                  PARENT_NAME
                                                  [--index-name INDEX_NAME]
                                                  [--sort SORT]
                                                  be_name

be_name

The backend name of the VLV index

--parent-name PARENT_NAME

Sets the name or "cn" attribute value of the parent VLV search entry

--index-name INDEX_NAME

Sets the name of the VLV index to delete

--sort SORT

Delete a VLV index that has this vlvsort value

OPTIONS 'dsconf backend vlv-index reindex'

usage: dsconf instance backend vlv-index reindex [-h]
                                                [--index-name INDEX_NAME]
                                                --parent-name PARENT_NAME
                                                be_name

be_name

The backend name of the VLV index

--index-name INDEX_NAME

Sets the name of the VLV index entry to re-index. If not set, all indexes are re-indexed

--parent-name PARENT_NAME

Sets the name or "cn" attribute value of the parent VLV search entry

OPTIONS 'dsconf backend attr-encrypt'

usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-names]
                                           [--add-attr ADD_ATTR]
                                           [--del-attr DEL_ATTR]
                                           be_name

be_name

The backend name or suffix

--list

Lists all encrypted attributes in the backend

--just-names

List only the names of the encrypted attributes when used with --list

--add-attr ADD_ATTR

Enables encryption for the specified attribute

--del-attr DEL_ATTR

Disables encryption for the specified attribute

OPTIONS 'dsconf backend config'

usage: dsconf instance backend config [-h] {get,set} ...

Sub-commands

dsconf backend config get

Display the global database configuration

dsconf backend config set

Set the global database configuration

OPTIONS 'dsconf backend config get'

usage: dsconf instance backend config get [-h]

OPTIONS 'dsconf backend config set'

usage: dsconf instance backend config set [-h]
                                         [--lookthroughlimit LOOKTHROUGHLIMIT]
                                         [--mode MODE]
                                         [--idlistscanlimit IDLISTSCANLIMIT]
                                         [--directory DIRECTORY]
                                         [--dbcachesize DBCACHESIZE]
                                         [--logdirectory LOGDIRECTORY]
                                         [--durable-txn DURABLE_TXN]
                                         [--txn-wait TXN_WAIT]
                                         [--checkpoint-interval CHECKPOINT_INTERVAL]
                                         [--compactdb-interval COMPACTDB_INTERVAL]
                                         [--compactdb-time COMPACTDB_TIME]
                                         [--txn-batch-val TXN_BATCH_VAL]
                                         [--txn-batch-min TXN_BATCH_MIN]
                                         [--txn-batch-max TXN_BATCH_MAX]
                                         [--logbufsize LOGBUFSIZE]
                                         [--locks LOCKS]
                                         [--locks-monitoring-enabled LOCKS_MONITORING_ENABLED]
                                         [--locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD]
                                         [--locks-monitoring-pause LOCKS_MONITORING_PAUSE]
                                         [--import-cache-autosize IMPORT_CACHE_AUTOSIZE]
                                         [--cache-autosize CACHE_AUTOSIZE]
                                         [--cache-autosize-split CACHE_AUTOSIZE_SPLIT]
                                         [--import-cachesize IMPORT_CACHESIZE]
                                         [--exclude-from-export EXCLUDE_FROM_EXPORT]
                                         [--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT]
                                         [--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT]
                                         [--rangelookthroughlimit RANGELOOKTHROUGHLIMIT]
                                         [--backend-opt-level BACKEND_OPT_LEVEL]
                                         [--deadlock-policy DEADLOCK_POLICY]
                                         [--db-home-directory DB_HOME_DIRECTORY]

--lookthroughlimit LOOKTHROUGHLIMIT

Specifies the maximum number of entries that the server will check when examining candidate entries in response to a search request

--mode MODE

Specifies the permissions used for newly created index files

--idlistscanlimit IDLISTSCANLIMIT

Specifies the number of entry IDs that are searched during a search operation

--directory DIRECTORY

Specifies absolute path to database instance

--dbcachesize DBCACHESIZE

Specifies the database index cache size in bytes

--logdirectory LOGDIRECTORY

Specifies the path to the directory that contains the database transaction logs

--durable-txn DURABLE_TXN

Enables or disables whether database transaction log entries are immediately written to the disk

--txn-wait TXN_WAIT

Sets whether the server should should wait if there are no db locks available

--checkpoint-interval CHECKPOINT_INTERVAL

Sets the amount of time in seconds after which the server sends a checkpoint entry to the database transaction log

--compactdb-interval COMPACTDB_INTERVAL

Sets the interval in seconds when the database is compacted

--compactdb-time COMPACTDB_TIME

Sets the time (HH:MM format) of day when to compact the database after the "compactdb interval" has been reached

--txn-batch-val TXN_BATCH_VAL

Specifies how many transactions will be batched before being committed

--txn-batch-min TXN_BATCH_MIN

Controls when transactions should be flushed earliest, independently of the batch count. Requires that txn-batch-val is set

--txn-batch-max TXN_BATCH_MAX

Controls when transactions should be flushed latest, independently of the batch count. Requires that txn-batch-val is set)

--logbufsize LOGBUFSIZE

Specifies the transaction log information buffer size

--locks LOCKS

Sets the maximum number of database locks

--locks-monitoring-enabled LOCKS_MONITORING_ENABLED

Enables or disables monitoring of DB locks when the value crosses the percentage set with "--locks-monitoring-threshold"

--locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD

Sets the DB lock exhaustion threshold in percentage (valid range is 70-90). When the threshold is reached, all searches are aborted until the number of active locks decreases below the configured threshold and/or the administrator increases the number of database locks (nsslapd-db-locks). This threshold is a safeguard against DB corruption which might be caused by locks exhaustion.

--locks-monitoring-pause LOCKS_MONITORING_PAUSE

Sets the DB lock monitoring value in milliseconds for the amount of time that the monitoring thread spends waiting between checks.

--import-cache-autosize IMPORT_CACHE_AUTOSIZE

Enables or disables to automatically set the size of the import cache to be used during the import process of LDIF files

--cache-autosize CACHE_AUTOSIZE

Sets the percentage of free memory that is used in total for the database and entry cache. "0" disables this feature.

--cache-autosize-split CACHE_AUTOSIZE_SPLIT

Sets the percentage of RAM that is used for the database cache. The remaining percentage is used for the entry cache

--import-cachesize IMPORT_CACHESIZE

Sets the size in bytes of the database cache used in the import process.

--exclude-from-export EXCLUDE_FROM_EXPORT

List of attributes to not include during database export operations

--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT

Specifies the maximum number of entries that the server will check when examining candidate entries for a search which uses the simple paged results control

--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT

Specifies the number of entry IDs that are searched, specifically, for a search operation using the simple paged results control.

--rangelookthroughlimit RANGELOOKTHROUGHLIMIT

Specifies the maximum number of entries that the server will check when examining candidate entries in response to a range search request.

--backend-opt-level BACKEND_OPT_LEVEL

Sets the backend optimization level for write performance (0, 1, 2, or 4). WARNING: This parameter can trigger experimental code.

--deadlock-policy DEADLOCK_POLICY

Adjusts the backend database deadlock policy (Advanced setting)

--db-home-directory DB_HOME_DIRECTORY

Sets the directory for the database mmapped files (Advanced setting)

OPTIONS 'dsconf backend monitor'

usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]

--suffix SUFFIX

Displays monitoring information only for the specified suffix

OPTIONS 'dsconf backend import'

usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
                                     [-g GEN_UNIQ_ID] [-O]
                                     [-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
                                     [-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
                                     [be_name] [ldifs ...]

be_name

The backend name or the root suffix

ldifs

Specifies the filename of the input LDIF files. Multiple files are imported in the specified order.

-c CHUNKS_SIZE, --chunks-size CHUNKS_SIZE

The number of chunks to have during the import operation

-E, --encrypted

Encrypt attributes configured in the database for encryption

-g GEN_UNIQ_ID, --gen-uniq-id GEN_UNIQ_ID

Generate a unique id. Set "none" for no unique ID to be generated and "deterministic" for the generated unique ID to be name-based. By default, a time-based unique ID is generated. When using the deterministic generation to have a name-based unique ID, it is also possible to specify the namespace for the server to use. namespaceId is a string of characters in the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.

-O, --only-core

Creates only the core database attribute indexes

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]

Specifies the suffixes or the subtrees to be included

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]

Specifies the suffixes to be excluded

OPTIONS 'dsconf backend export'

usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m] [-N] [-r]
                                     [-u] [-U]
                                     [-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
                                     [-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
                                     be_names [be_names ...]

be_names

The backend names or the root suffixes

-l LDIF, --ldif LDIF

Sets the filename of the output LDIF file. Separate multiple file names with spaces.

-C, --use-id2entry

Uses only the main database file

-E, --encrypted

Decrypts encrypted data during export. This option is used only if database encryption is enabled.

-m, --min-base64

Sets minimal base-64 encoding

-N, --no-seq-num

Suppresses printing the sequence numbers

-r, --replication

Exports the data with information required to initialize a replica

-u, --no-dump-uniq-id

Omits exporting the unique ID

-U, --not-folded

Disables folding the output

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...], --include-suffixes INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]

Specifies the suffixes or the subtrees to be included

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...], --exclude-suffixes EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]

Specifies the suffixes to be excluded

OPTIONS 'dsconf backend create'

usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUFFIX]
                                     --suffix SUFFIX --be-name BE_NAME
                                     [--create-entries] [--create-suffix]

--parent-suffix PARENT_SUFFIX

Sets the parent suffix only if this backend is a sub-suffix

--suffix SUFFIX

Sets the database suffix DN

--be-name BE_NAME

Sets the database backend name"

--create-entries

Adds sample entries to the database

--create-suffix

Creates the suffix object entry in the database. Only suffixes using the 'dc',

OPTIONS 'dsconf backend delete'

usage: dsconf instance backend delete [-h] be_name

be_name

The backend name or suffix

OPTIONS 'dsconf backend get-tree'

usage: dsconf instance backend get-tree [-h]

OPTIONS 'dsconf backend compact-db'

usage: dsconf instance backend compact-db [-h] [--only-changelog]

--only-changelog

Compacts only the replication change log

OPTIONS 'dsconf backup'

usage: dsconf instance backup [-h] {create,restore} ...

Sub-commands

dsconf backup create

Creates a backup of the database

dsconf backup restore

Restores a database from a backup

OPTIONS 'dsconf backup create'

usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]

archive

Sets the directory where to store the backup files. Format: instance_name- year_month_date_hour_minutes_seconds. Default: /var/lib/dirsrv/slapd- instance/bak/

-t DB_TYPE, --db-type DB_TYPE

Sets the database type. Default: ldbm database

OPTIONS 'dsconf backup restore'

usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive

archive

Set the directory that contains the backup files

-t DB_TYPE, --db-type DB_TYPE

Sets the database type. Default: ldbm database

OPTIONS 'dsconf chaining'

usage: dsconf instance chaining [-h]
                               {config-get,config-set,config-get-def,config-set-def,link-create,link-get,link-set,link-delete,monitor,link-list}
                               ...

Sub-commands

dsconf chaining config-get

Display the chaining controls and server component lists

dsconf chaining config-set

Set the chaining controls and server component lists

dsconf chaining config-get-def

Display the default creation parameters for new database links

dsconf chaining config-set-def

Set the default creation parameters for new database links

dsconf chaining link-create

Create a database link to a remote server

dsconf chaining link-get

Displays chaining database links

dsconf chaining link-set

Edit a database link to a remote server

dsconf chaining link-delete

Delete a database link

dsconf chaining monitor

Display monitor information for a database chaining link

dsconf chaining link-list

List database links

OPTIONS 'dsconf chaining config-get'

usage: dsconf instance chaining config-get [-h] [--avail-controls]
                                          [--avail-comps]

--avail-controls

Lists available chaining controls

--avail-comps

Lists available chaining plugin components

OPTIONS 'dsconf chaining config-set'

usage: dsconf instance chaining config-set [-h] [--add-control ADD_CONTROL]
                                          [--del-control DEL_CONTROL]
                                          [--add-comp ADD_COMP]
                                          [--del-comp DEL_COMP]

--add-control ADD_CONTROL

Adds a transmitted control OID

--del-control DEL_CONTROL

Deletes a transmitted control OID

--add-comp ADD_COMP

Adds a chaining component

--del-comp DEL_COMP

Deletes a chaining component

OPTIONS 'dsconf chaining config-get-def'

usage: dsconf instance chaining config-get-def [-h]

OPTIONS 'dsconf chaining config-set-def'

usage: dsconf instance chaining config-set-def [-h]
                                              [--conn-bind-limit CONN_BIND_LIMIT]
                                              [--conn-op-limit CONN_OP_LIMIT]
                                              [--abandon-check-interval ABANDON_CHECK_INTERVAL]
                                              [--bind-limit BIND_LIMIT]
                                              [--op-limit OP_LIMIT]
                                              [--proxied-auth PROXIED_AUTH]
                                              [--conn-lifetime CONN_LIFETIME]
                                              [--bind-timeout BIND_TIMEOUT]
                                              [--return-ref RETURN_REF]
                                              [--check-aci CHECK_ACI]
                                              [--bind-attempts BIND_ATTEMPTS]
                                              [--size-limit SIZE_LIMIT]
                                              [--time-limit TIME_LIMIT]
                                              [--hop-limit HOP_LIMIT]
                                              [--response-delay RESPONSE_DELAY]
                                              [--test-response-delay TEST_RESPONSE_DELAY]
                                              [--use-starttls USE_STARTTLS]

--conn-bind-limit CONN_BIND_LIMIT

Sets the maximum number of BIND connections the database link establishes with the remote server

--conn-op-limit CONN_OP_LIMIT

Sets the maximum number of LDAP connections the database link establishes with the remote server

--abandon-check-interval ABANDON_CHECK_INTERVAL

Sets the number of seconds that pass before the server checks for abandoned operations

--bind-limit BIND_LIMIT

Sets the maximum number of concurrent bind operations per TCP connection

--op-limit OP_LIMIT

Sets the maximum number of concurrent operations allowed

--proxied-auth PROXIED_AUTH

Enables or disables proxied authorization. If set to "off", the server executes bind for chained operations as the user set in the nsMultiplexorBindDn attribute.

--conn-lifetime CONN_LIFETIME

Specifies connection lifetime in seconds. "0" keeps the connection open forever.

--bind-timeout BIND_TIMEOUT

Sets the amount of time in seconds before a bind attempt times out

--return-ref RETURN_REF

Enables or disables whether referrals are returned by scoped searches

--check-aci CHECK_ACI

Enables or disables whether the server evaluates ACIs on the database link as well as the remote data server

--bind-attempts BIND_ATTEMPTS

Sets the number of times the server tries to bind to the remote server

--size-limit SIZE_LIMIT

Sets the maximum number of entries to return from a search operation

--time-limit TIME_LIMIT

Sets the maximum number of seconds allowed for an operation

--hop-limit HOP_LIMIT

Sets the maximum number of times a database is allowed to chain. That is the number of times a request can be forwarded from one database link to another.

--response-delay RESPONSE_DELAY

Sets the maximum amount of time it can take a remote server to respond to an LDAP operation request made by a database link before an error is suspected

--test-response-delay TEST_RESPONSE_DELAY

Sets the duration of the test issued by the database link to check whether the remote server is responding

--use-starttls USE_STARTTLS

Configured that database links use StartTLS if set to "on"

OPTIONS 'dsconf chaining monitor'

usage: dsconf instance chaining monitor [-h] CHAIN_NAME

CHAIN_NAME

The name of the database link

OPTIONS 'dsconf config'

usage: dsconf instance config [-h] {get,add,replace,delete} ...

Sub-commands

dsconf config get

get

dsconf config add

Add attribute value to configuration

dsconf config replace

Replace attribute value in configuration

dsconf config delete

Delete attribute value in configuration

OPTIONS 'dsconf config get'

usage: dsconf instance config get [-h] [attrs ...]

attrs

Configuration attribute(s) to get

OPTIONS 'dsconf config add'

usage: dsconf instance config add [-h] [attr ...]

attr

Configuration attribute to add

OPTIONS 'dsconf config replace'

usage: dsconf instance config replace [-h] [attr ...]

attr

Configuration attribute to replace

OPTIONS 'dsconf config delete'

usage: dsconf instance config delete [-h] [attr ...]

attr

Configuration attribute to delete

OPTIONS 'dsconf directory_manager'

usage: dsconf instance directory_manager [-h] {password_change} ...

Sub-commands

dsconf directory_manager password_change

Changes the password of the Directory Manager account

OPTIONS 'dsconf directory_manager password_change'

usage: dsconf instance directory_manager password_change [-h]

OPTIONS 'dsconf monitor'

usage: dsconf instance monitor [-h]
                              {server,dbmon,ldbm,backend,snmp,chaining,disk}
                              ...

Sub-commands

dsconf monitor server

Displays the server statistics, connections, and operations

dsconf monitor dbmon

Monitor all database statistics in a single report

dsconf monitor ldbm

Monitor the LDBM statistics, such as dbcache

dsconf monitor backend

Monitor the behavior of a backend database

dsconf monitor snmp

Displays the SNMP statistics

dsconf monitor chaining

Monitor database chaining statistics

dsconf monitor disk

Displays the disk space statistics. All values are in bytes.

OPTIONS 'dsconf monitor server'

usage: dsconf instance monitor server [-h]

OPTIONS 'dsconf monitor dbmon'

usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]

-b BACKENDS, --backends BACKENDS

Specifies a list of space-separated backends to monitor. Default is all backends.

-x,  --indexes

Shows index stats for each backend

OPTIONS 'dsconf monitor ldbm'

usage: dsconf instance monitor ldbm [-h]

OPTIONS 'dsconf monitor backend'

usage: dsconf instance monitor backend [-h] [backend]

backend

The optional name of the backend to monitor

OPTIONS 'dsconf monitor snmp'

usage: dsconf instance monitor snmp [-h]

OPTIONS 'dsconf monitor chaining'

usage: dsconf instance monitor chaining [-h] [backend]

backend

The optional name of the chaining backend to monitor

OPTIONS 'dsconf monitor disk'

usage: dsconf instance monitor disk [-h]

OPTIONS 'dsconf plugin'

usage: dsconf instance plugin [-h]
                             {memberof,automember,referential-integrity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-entries,pass-through-auth,retro-changelog,posix-winsync,contentsync,list,show,set}
                             ...

Sub-commands

dsconf plugin memberof

Manage and configure MemberOf plugin

dsconf plugin automember

Manage and configure Automembership plugin

dsconf plugin referential-integrity

Manage and configure Referential Integrity Postoperation plugin

dsconf plugin root-dn

Manage and configure RootDN Access Control plugin

dsconf plugin usn

Manage and configure USN plugin

dsconf plugin account-policy

Manage and configure Account Policy plugin

dsconf plugin attr-uniq

Manage and configure Attribute Uniqueness plugin

dsconf plugin dna

Manage and configure DNA plugin

dsconf plugin linked-attr

Manage and configure Linked Attributes plugin

dsconf plugin managed-entries

Manage and configure Managed Entries Plugin

dsconf plugin pass-through-auth

Manage and configure Pass-Through Authentication plugins (URLs and PAM)

dsconf plugin retro-changelog

Manage and configure Retro Changelog plugin

dsconf plugin posix-winsync

Manage and configure the Posix Winsync API plugin

dsconf plugin contentsync

Manage and configure Content Sync Plugin (aka syncrepl)

dsconf plugin list

List current configured (enabled and disabled) plugins

dsconf plugin show

Show the plugin data

dsconf plugin set

Edit the plugin settings

OPTIONS 'dsconf plugin memberof'

usage: dsconf instance plugin memberof [-h]
                                      {show,enable,disable,status,set,config-entry,fixup}
                                      ...

Sub-commands

dsconf plugin memberof show

Displays the plugin configuration

dsconf plugin memberof enable

Enables the plugin

dsconf plugin memberof disable

Disables the plugin

dsconf plugin memberof status

Displays the plugin status

dsconf plugin memberof set

Edit the plugin settings

dsconf plugin memberof config-entry

Manage the config entry

dsconf plugin memberof fixup

Run the fix-up task for memberOf plugin

OPTIONS 'dsconf plugin memberof show'

usage: dsconf instance plugin memberof show [-h]

OPTIONS 'dsconf plugin memberof enable'

usage: dsconf instance plugin memberof enable [-h]

OPTIONS 'dsconf plugin memberof disable'

usage: dsconf instance plugin memberof disable [-h]

OPTIONS 'dsconf plugin memberof status'

usage: dsconf instance plugin memberof status [-h]

OPTIONS 'dsconf plugin memberof set'

usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
                                          [--groupattr GROUPATTR [GROUPATTR ...]]
                                          [--allbackends {on,off}]
                                          [--skipnested {on,off}]
                                          [--scope SCOPE [SCOPE ...]]
                                          [--exclude EXCLUDE [EXCLUDE ...]]
                                          [--autoaddoc AUTOADDOC]
                                          [--config-entry CONFIG_ENTRY]

--attr ATTR

Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]

Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)

--allbackends {on,off}

Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)

--skipnested {on,off}

Specifies whether to skip nested groups or not (memberOfSkipNested)

--scope SCOPE [SCOPE ...]

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)

--exclude EXCLUDE [EXCLUDE ...]

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC

If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter

--config-entry CONFIG_ENTRY

The value to set as nsslapd-pluginConfigArea

OPTIONS 'dsconf plugin memberof config-entry'

usage: dsconf instance plugin memberof config-entry [-h]
                                                   {add,set,show,delete} ...

Sub-commands

dsconf plugin memberof config-entry add

Add the config entry

dsconf plugin memberof config-entry set

Edit the config entry

dsconf plugin memberof config-entry show

Display the config entry

dsconf plugin memberof config-entry delete

Delete the config entry

OPTIONS 'dsconf plugin memberof config-entry add'

usage: dsconf instance plugin memberof config-entry add [-h] [--attr ATTR]
                                                       [--groupattr GROUPATTR [GROUPATTR ...]]
                                                       [--allbackends {on,off}]
                                                       [--skipnested {on,off}]
                                                       [--scope SCOPE [SCOPE ...]]
                                                       [--exclude EXCLUDE [EXCLUDE ...]]
                                                       [--autoaddoc AUTOADDOC]
                                                       DN

DN

The config entry full DN

--attr ATTR

Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]

Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)

--allbackends {on,off}

Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)

--skipnested {on,off}

Specifies whether to skip nested groups or not (memberOfSkipNested)

--scope SCOPE [SCOPE ...]

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)

--exclude EXCLUDE [EXCLUDE ...]

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC

If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter

OPTIONS 'dsconf plugin memberof config-entry set'

usage: dsconf instance plugin memberof config-entry set [-h] [--attr ATTR]
                                                       [--groupattr GROUPATTR [GROUPATTR ...]]
                                                       [--allbackends {on,off}]
                                                       [--skipnested {on,off}]
                                                       [--scope SCOPE [SCOPE ...]]
                                                       [--exclude EXCLUDE [EXCLUDE ...]]
                                                       [--autoaddoc AUTOADDOC]
                                                       DN

DN

The config entry full DN

--attr ATTR

Specifies the attribute in the user entry for the Directory Server to manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]

Specifies the attribute in the group entry to use to identify the DNs of group members (memberOfGroupAttr)

--allbackends {on,off}

Specifies whether to search the local suffix for user entries on all available suffixes (memberOfAllBackends)

--skipnested {on,off}

Specifies whether to skip nested groups or not (memberOfSkipNested)

--scope SCOPE [SCOPE ...]

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to work on (memberOfEntryScope)

--exclude EXCLUDE [EXCLUDE ...]

Specifies backends or multiple-nested suffixes for the MemberOf plug-in to exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC

If an entry does not have an object class that allows the memberOf attribute then the memberOf plugin will automatically add the object class listed in the memberOfAutoAddOC parameter

OPTIONS 'dsconf plugin memberof config-entry show'

usage: dsconf instance plugin memberof config-entry show [-h] DN

DN

The config entry full DN

OPTIONS 'dsconf plugin memberof config-entry delete'

usage: dsconf instance plugin memberof config-entry delete [-h] DN

DN

The config entry full DN

OPTIONS 'dsconf plugin memberof fixup'

usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] DN

DN

Base DN that contains entries to fix up

-f FILTER, --filter FILTER

Filter for entries to fix up. If omitted, all entries with objectclass inetuser/inetadmin/nsmemberof under the specified base will have their memberOf attribute regenerated.

OPTIONS 'dsconf plugin automember'

usage: dsconf instance plugin automember [-h]
                                        {show,enable,disable,status,list,definition,fixup}
                                        ...

Sub-commands

dsconf plugin automember show

Displays the plugin configuration

dsconf plugin automember enable

Enables the plugin

dsconf plugin automember disable

Disables the plugin

dsconf plugin automember status

Displays the plugin status

dsconf plugin automember list

List Automembership definitions or regex rules.

dsconf plugin automember definition

Manage Automembership definition.

dsconf plugin automember fixup

Run a rebuild membership task.

OPTIONS 'dsconf plugin automember show'

usage: dsconf instance plugin automember show [-h]

OPTIONS 'dsconf plugin automember enable'

usage: dsconf instance plugin automember enable [-h]

OPTIONS 'dsconf plugin automember disable'

usage: dsconf instance plugin automember disable [-h]

OPTIONS 'dsconf plugin automember status'

usage: dsconf instance plugin automember status [-h]

OPTIONS 'dsconf plugin automember list'

usage: dsconf instance plugin automember list [-h] {definitions,regexes} ...

Sub-commands

dsconf plugin automember list definitions

Lists Automembership definitions.

dsconf plugin automember list regexes

List Automembership regex rules.

OPTIONS 'dsconf plugin automember list definitions'

usage: dsconf instance plugin automember list definitions [-h]

OPTIONS 'dsconf plugin automember list regexes'

usage: dsconf instance plugin automember list regexes [-h] DEFNAME

DEFNAME

The definition entry CN

OPTIONS 'dsconf plugin automember definition'

usage: dsconf instance plugin automember definition [-h]
                                                   DEFNAME
                                                   {add,set,delete,show,regex}
                                                   ...

DEFNAME

The definition entry CN.

Sub-commands

dsconf plugin automember definition add

Creates Automembership definition.

dsconf plugin automember definition set

Edits Automembership definition.

dsconf plugin automember definition delete

Removes Automembership definition.

dsconf plugin automember definition show

Displays Automembership definition.

dsconf plugin automember definition regex

Manage Automembership regex rules.

OPTIONS 'dsconf plugin automember definition add'

usage: dsconf instance plugin automember definition DEFNAME add
      [-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
      --scope SCOPE --filter FILTER

--grouping-attr GROUPING_ATTR

Specifies the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr (autoMemberGroupingAttr)

--default-group DEFAULT_GROUP

Sets default or fallback group to add the entry to as a member attribute in group entry (autoMemberDefaultGroup)

--scope SCOPE

Sets the subtree DN to search for entries (autoMemberScope)

--filter FILTER

Sets a standard LDAP search filter to use to search for matching entries (autoMemberFilter)

OPTIONS 'dsconf plugin automember definition set'

usage: dsconf instance plugin automember definition DEFNAME set
      [-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
      --scope SCOPE --filter FILTER

--grouping-attr GROUPING_ATTR

Specifies the name of the member attribute in the group entry and the attribute in the object entry that supplies the member attribute value, in the format group_member_attr:entry_attr (autoMemberGroupingAttr)

--default-group DEFAULT_GROUP

Sets default or fallback group to add the entry to as a member attribute in group entry (autoMemberDefaultGroup)

--scope SCOPE

Sets the subtree DN to search for entries (autoMemberScope)

--filter FILTER

Sets a standard LDAP search filter to use to search for matching entries (autoMemberFilter)

OPTIONS 'dsconf plugin automember definition delete'

usage: dsconf instance plugin automember definition DEFNAME delete [-h]

OPTIONS 'dsconf plugin automember definition show'

usage: dsconf instance plugin automember definition DEFNAME show [-h]

OPTIONS 'dsconf plugin automember definition regex'

usage: dsconf instance plugin automember definition DEFNAME regex
      [-h] REGEXNAME {add,set,delete,show} ...

REGEXNAME

The regex entry CN

Sub-commands

dsconf plugin automember definition regex add

Creates Automembership regex.

dsconf plugin automember definition regex set

Edits Automembership regex.

dsconf plugin automember definition regex delete

Removes Automembership regex.

dsconf plugin automember definition regex show

Displays Automembership regex.

OPTIONS 'dsconf plugin automember definition regex add'

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME add
      [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
      [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP

--exclusive EXCLUSIVE [EXCLUSIVE ...]

Sets a single regular expression to use to identify entries to exclude (autoMemberExclusiveRegex)

--inclusive INCLUSIVE [INCLUSIVE ...]

Sets a single regular expression to use to identify entries to include (autoMemberInclusiveRegex)

--target-group TARGET_GROUP

Sets which group to add the entry to as a member, if it meets the regular expression conditions (autoMemberTargetGroup)

OPTIONS 'dsconf plugin automember definition regex set'

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME set
      [-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
      [--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP

--exclusive EXCLUSIVE [EXCLUSIVE ...]

Sets a single regular expression to use to identify entries to exclude (autoMemberExclusiveRegex)

--inclusive INCLUSIVE [INCLUSIVE ...]

Sets a single regular expression to use to identify entries to include (autoMemberInclusiveRegex)

--target-group TARGET_GROUP

Sets which group to add the entry to as a member, if it meets the regular expression conditions (autoMemberTargetGroup)

OPTIONS 'dsconf plugin automember definition regex delete'

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME delete
      [-h]

OPTIONS 'dsconf plugin automember definition regex show'

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME show
      [-h]

OPTIONS 'dsconf plugin automember fixup'

usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
                                              {sub,base,one}
                                              DN

DN

Base DN that contains entries to fix up

-f FILTER, --filter FILTER

Sets the LDAP filter for entries to fix up

-s {sub,base,one}, --scope {sub,base,one}

Sets the LDAP search scope for entries to fix up

OPTIONS 'dsconf plugin referential-integrity'

usage: dsconf instance plugin referential-integrity [-h]
                                                   {show,enable,disable,status,set,config-entry}
                                                   ...

Sub-commands

dsconf plugin referential-integrity show

Displays the plugin configuration

dsconf plugin referential-integrity enable

Enables the plugin

dsconf plugin referential-integrity disable

Disables the plugin

dsconf plugin referential-integrity status

Displays the plugin status

dsconf plugin referential-integrity set

Edit the plugin settings

dsconf plugin referential-integrity config-entry

Manage the config entry

OPTIONS 'dsconf plugin referential-integrity show'

usage: dsconf instance plugin referential-integrity show [-h]

OPTIONS 'dsconf plugin referential-integrity enable'

usage: dsconf instance plugin referential-integrity enable [-h]

OPTIONS 'dsconf plugin referential-integrity disable'

usage: dsconf instance plugin referential-integrity disable [-h]

OPTIONS 'dsconf plugin referential-integrity status'

usage: dsconf instance plugin referential-integrity status [-h]

OPTIONS 'dsconf plugin referential-integrity set'

usage: dsconf instance plugin referential-integrity set [-h]
                                                       [--update-delay UPDATE_DELAY]
                                                       [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
                                                       [--entry-scope ENTRY_SCOPE]
                                                       [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
                                                       [--container-scope CONTAINER_SCOPE]
                                                       [--log-file LOG_FILE]
                                                       [--config-entry CONFIG_ENTRY]

--update-delay UPDATE_DELAY

Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)

--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]

Specifies attributes to check for and update (referint-membership-attr)

--entry-scope ENTRY_SCOPE

Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)

--exclude-entry-scope EXCLUDE_ENTRY_SCOPE

Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)

--container-scope CONTAINER_SCOPE

Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)

--log-file LOG_FILE

Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint

--config-entry CONFIG_ENTRY

The value to set as nsslapd-pluginConfigArea

OPTIONS 'dsconf plugin referential-integrity config-entry'

usage: dsconf instance plugin referential-integrity config-entry
      [-h] {add,set,show,delete} ...

Sub-commands

dsconf plugin referential-integrity config-entry add

Add the config entry

dsconf plugin referential-integrity config-entry set

Edit the config entry

dsconf plugin referential-integrity config-entry show

Display the config entry

dsconf plugin referential-integrity config-entry delete

Delete the config entry

OPTIONS 'dsconf plugin referential-integrity config-entry add'

usage: dsconf instance plugin referential-integrity config-entry add
      [-h] [--update-delay UPDATE_DELAY]
      [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
      [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
      [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
      DN

DN

The config entry full DN

--update-delay UPDATE_DELAY

Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)

--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]

Specifies attributes to check for and update (referint-membership-attr)

--entry-scope ENTRY_SCOPE

Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)

--exclude-entry-scope EXCLUDE_ENTRY_SCOPE

Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)

--container-scope CONTAINER_SCOPE

Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)

--log-file LOG_FILE

Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint

OPTIONS 'dsconf plugin referential-integrity config-entry set'

usage: dsconf instance plugin referential-integrity config-entry set
      [-h] [--update-delay UPDATE_DELAY]
      [--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
      [--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
      [--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
      DN

DN

The config entry full DN

--update-delay UPDATE_DELAY

Sets the update interval. Special values: 0 - The check is performed immediately, -1 - No check is performed (referint-update-delay)

--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]

Specifies attributes to check for and update (referint-membership-attr)

--entry-scope ENTRY_SCOPE

Defines the subtree in which the plug-in looks for the delete or rename operations of a user entry (nsslapd-pluginEntryScope)

--exclude-entry-scope EXCLUDE_ENTRY_SCOPE

Defines the subtree in which the plug-in ignores any operations for deleting or renaming a user (nsslapd-pluginExcludeEntryScope)

--container-scope CONTAINER_SCOPE

Specifies which branch the plug-in searches for the groups to which the user belongs. It only updates groups that are under the specified container branch, and leaves all other groups not updated (nsslapd-pluginContainerScope)

--log-file LOG_FILE

Specifies a path to the Referential integrity logfile.For example: /var/log/dirsrv/slapd-YOUR_INSTANCE/referint

OPTIONS 'dsconf plugin referential-integrity config-entry show'

usage: dsconf instance plugin referential-integrity config-entry show [-h] DN

DN

The config entry full DN

OPTIONS 'dsconf plugin referential-integrity config-entry delete'

usage: dsconf instance plugin referential-integrity config-entry delete
      [-h] DN

DN

The config entry full DN

OPTIONS 'dsconf plugin root-dn'

usage: dsconf instance plugin root-dn [-h]
                                     {show,enable,disable,status,set} ...

Sub-commands

dsconf plugin root-dn show

Displays the plugin configuration

dsconf plugin root-dn enable

Enables the plugin

dsconf plugin root-dn disable

Disables the plugin

dsconf plugin root-dn status

Displays the plugin status

dsconf plugin root-dn set

Edit the plugin settings

OPTIONS 'dsconf plugin root-dn show'

usage: dsconf instance plugin root-dn show [-h]

OPTIONS 'dsconf plugin root-dn enable'

usage: dsconf instance plugin root-dn enable [-h]

OPTIONS 'dsconf plugin root-dn disable'

usage: dsconf instance plugin root-dn disable [-h]

OPTIONS 'dsconf plugin root-dn status'

usage: dsconf instance plugin root-dn status [-h]

OPTIONS 'dsconf plugin root-dn set'

usage: dsconf instance plugin root-dn set [-h]
                                         [--allow-host ALLOW_HOST [ALLOW_HOST ...]]
                                         [--deny-host DENY_HOST [DENY_HOST ...]]
                                         [--allow-ip ALLOW_IP [ALLOW_IP ...]]
                                         [--deny-ip DENY_IP [DENY_IP ...]]
                                         [--open-time OPEN_TIME]
                                         [--close-time CLOSE_TIME]
                                         [--days-allowed DAYS_ALLOWED]

--allow-host ALLOW_HOST [ALLOW_HOST ...]

Sets what hosts, by fully-qualified domain name, the root user is allowed to use to access Directory Server. Any hosts not listed are implicitly denied (rootdn-allow-host)

--deny-host DENY_HOST [DENY_HOST ...]

Sets what hosts, by fully-qualified domain name, the root user is not allowed to use to access Directory Server. Any hosts not listed are implicitly allowed (rootdn-deny-host). If a host address is listed in both the rootdn-allow-host and rootdn-deny-host attributes, it is denied access.

--allow-ip ALLOW_IP [ALLOW_IP ...]

Sets what IP addresses, either IPv4 or IPv6, for machines the root user is allowed to use to access Directory Server. Any IP addresses not listed are implicitly denied (rootdn-allow-ip)

--deny-ip DENY_IP [DENY_IP ...]

Sets what IP addresses, either IPv4 or IPv6, for machines the root user is not allowed to use to access Directory Server. Any IP addresses not listed are implicitly allowed (rootdn-deny-ip). If an IP address is listed in both the rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.

--open-time OPEN_TIME

Sets part of a time period or range when the root user is allowed to access Directory Server. This sets when the time-based access begins (rootdn-open- time)

--close-time CLOSE_TIME

Sets part of a time period or range when the root user is allowed to access Directory Server. This sets when the time-based access ends (rootdn-close- time)

--days-allowed DAYS_ALLOWED

Sets a comma-separated list of what days the root user is allowed to use to access Directory Server. Any days listed are implicitly denied (rootdn-days- allowed)

OPTIONS 'dsconf plugin usn'

usage: dsconf instance plugin usn [-h]
                                 {show,enable,disable,status,global,cleanup}
                                 ...

Sub-commands

dsconf plugin usn show

Displays the plugin configuration

dsconf plugin usn enable

Enables the plugin

dsconf plugin usn disable

Disables the plugin

dsconf plugin usn status

Displays the plugin status

dsconf plugin usn global

Get or manage global USN mode (nsslapd-entryusn-global)

dsconf plugin usn cleanup

Runs the USN tombstone cleanup task

OPTIONS 'dsconf plugin usn show'

usage: dsconf instance plugin usn show [-h]

OPTIONS 'dsconf plugin usn enable'

usage: dsconf instance plugin usn enable [-h]

OPTIONS 'dsconf plugin usn disable'

usage: dsconf instance plugin usn disable [-h]

OPTIONS 'dsconf plugin usn status'

usage: dsconf instance plugin usn status [-h]

OPTIONS 'dsconf plugin usn global'

usage: dsconf instance plugin usn global [-h] {on,off} ...

Sub-commands

dsconf plugin usn global on

Enables USN global mode

dsconf plugin usn global off

Disables USN global mode

OPTIONS 'dsconf plugin usn global on'

usage: dsconf instance plugin usn global on [-h]

OPTIONS 'dsconf plugin usn global off'

usage: dsconf instance plugin usn global off [-h]

OPTIONS 'dsconf plugin usn cleanup'

usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
                                         [-m MAX_USN]

-s SUFFIX, --suffix SUFFIX

Sets the suffix or subtree in Directory Server to run the cleanup operation against. If the suffix is not specified, then the back end must be specified (suffix).

-n BACKEND, --backend BACKEND

Sets the Directory Server instance back end, or database, to run the cleanup operation against. If the back end is not specified, then the suffix must be specified. Backend instance in which USN tombstone entries (backend)

-m MAX_USN, --max-usn MAX_USN

Sets the highest USN value to delete when removing tombstone entries (max_usn_to_delete)

OPTIONS 'dsconf plugin account-policy'

usage: dsconf instance plugin account-policy [-h]
                                            {show,enable,disable,status,set,config-entry}
                                            ...

Sub-commands

dsconf plugin account-policy show

Displays the plugin configuration

dsconf plugin account-policy enable

Enables the plugin

dsconf plugin account-policy disable

Disables the plugin

dsconf plugin account-policy status

Displays the plugin status

dsconf plugin account-policy set

Edit the plugin settings

dsconf plugin account-policy config-entry

Manage the config entry

OPTIONS 'dsconf plugin account-policy show'

usage: dsconf instance plugin account-policy show [-h]

OPTIONS 'dsconf plugin account-policy enable'

usage: dsconf instance plugin account-policy enable [-h]

OPTIONS 'dsconf plugin account-policy disable'

usage: dsconf instance plugin account-policy disable [-h]

OPTIONS 'dsconf plugin account-policy status'

usage: dsconf instance plugin account-policy status [-h]

OPTIONS 'dsconf plugin account-policy set'

usage: dsconf instance plugin account-policy set [-h]
                                                [--config-entry CONFIG_ENTRY]

--config-entry CONFIG_ENTRY

Sets the nsslapd-pluginConfigArea attribute

OPTIONS 'dsconf plugin account-policy config-entry'

usage: dsconf instance plugin account-policy config-entry [-h]
                                                         {add,set,show,delete}
                                                         ...

Sub-commands

dsconf plugin account-policy config-entry add

Add the config entry

dsconf plugin account-policy config-entry set

Edit the config entry

dsconf plugin account-policy config-entry show

Display the config entry

dsconf plugin account-policy config-entry delete

Delete the config entry

OPTIONS 'dsconf plugin account-policy config-entry add'

usage: dsconf instance plugin account-policy config-entry add
      [-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
      [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
      [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
      [--state-attr STATE_ATTR]
      DN

DN

The full DN of the config entry

--always-record-login {yes,no}

Sets that every entry records its last login time (alwaysRecordLogin)

--alt-state-attr ALT_STATE_ATTR

Provides a backup attribute for the server to reference to evaluate the expiration time (altStateAttrName)

--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR

Specifies the attribute to store the time of the last successful login in this attribute in the users directory entry (alwaysRecordLoginAttr)

--limit-attr LIMIT_ATTR

Specifies the attribute within the policy to use for the account inactivation limit (limitAttrName)

--spec-attr SPEC_ATTR

Specifies the attribute to identify which entries are account policy configuration entries (specAttrName)

--state-attr STATE_ATTR

Specifies the primary time attribute used to evaluate an account policy (stateAttrName)

OPTIONS 'dsconf plugin account-policy config-entry set'

usage: dsconf instance plugin account-policy config-entry set
      [-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
      [--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
      [--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
      [--state-attr STATE_ATTR]
      DN

DN

The full DN of the config entry

--always-record-login {yes,no}

Sets that every entry records its last login time (alwaysRecordLogin)

--alt-state-attr ALT_STATE_ATTR

Provides a backup attribute for the server to reference to evaluate the expiration time (altStateAttrName)

--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR

Specifies the attribute to store the time of the last successful login in this attribute in the users directory entry (alwaysRecordLoginAttr)

--limit-attr LIMIT_ATTR

Specifies the attribute within the policy to use for the account inactivation limit (limitAttrName)

--spec-attr SPEC_ATTR

Specifies the attribute to identify which entries are account policy configuration entries (specAttrName)

--state-attr STATE_ATTR

Specifies the primary time attribute used to evaluate an account policy (stateAttrName)

OPTIONS 'dsconf plugin account-policy config-entry show'

usage: dsconf instance plugin account-policy config-entry show [-h] DN

DN

The full DN of the config entry

OPTIONS 'dsconf plugin account-policy config-entry delete'

usage: dsconf instance plugin account-policy config-entry delete [-h] DN

DN

The full DN of the config entry

OPTIONS 'dsconf plugin attr-uniq'

usage: dsconf instance plugin attr-uniq [-h]
                                       {list,add,set,show,delete,enable,disable,status}
                                       ...

Sub-commands

dsconf plugin attr-uniq list

Lists available plugin configs

dsconf plugin attr-uniq add

Add the config entry

dsconf plugin attr-uniq set

Edit the config entry

dsconf plugin attr-uniq show

Display the config entry

dsconf plugin attr-uniq delete

Delete the config entry

dsconf plugin attr-uniq enable

enable plugin

dsconf plugin attr-uniq disable

disable plugin

dsconf plugin attr-uniq status

display plugin status

OPTIONS 'dsconf plugin attr-uniq list'

usage: dsconf instance plugin attr-uniq list [-h]

OPTIONS 'dsconf plugin attr-uniq add'

usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
                                           [--attr-name ATTR_NAME [ATTR_NAME ...]]
                                           [--subtree SUBTREE [SUBTREE ...]]
                                           [--across-all-subtrees {on,off}]
                                           [--top-entry-oc TOP_ENTRY_OC]
                                           [--subtree-entries-oc SUBTREE_ENTRIES_OC]
                                           NAME

NAME

The name of the plug-in configuration record. (cn) You can use any string, but "attribute_name Attribute Uniqueness" is recommended.

--enabled {on,off}

Identifies whether or not the config is enabled.

--attr-name ATTR_NAME [ATTR_NAME ...]

Sets the name of the attribute whose values must be unique. This attribute is multi-valued. (uniqueness-attribute-name)

--subtree SUBTREE [SUBTREE ...]

Sets the DN under which the plug-in checks for uniqueness of the attributes value. This attribute is multi-valued (uniqueness-subtrees)

--across-all-subtrees {on,off}

If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry (uniqueness-across-all-subtrees)

--top-entry-oc TOP_ENTRY_OC

Verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree (uniqueness-top-entry-oc)

--subtree-entries-oc SUBTREE_ENTRIES_OC

Verifies if an attribute is unique, if the entry contains the object class set in this parameter (uniqueness-subtree-entries-oc)

OPTIONS 'dsconf plugin attr-uniq set'

usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
                                           [--attr-name ATTR_NAME [ATTR_NAME ...]]
                                           [--subtree SUBTREE [SUBTREE ...]]
                                           [--across-all-subtrees {on,off}]
                                           [--top-entry-oc TOP_ENTRY_OC]
                                           [--subtree-entries-oc SUBTREE_ENTRIES_OC]
                                           NAME

NAME

The name of the plug-in configuration record. (cn) You can use any string, but "attribute_name Attribute Uniqueness" is recommended.

--enabled {on,off}

Identifies whether or not the config is enabled.

--attr-name ATTR_NAME [ATTR_NAME ...]

Sets the name of the attribute whose values must be unique. This attribute is multi-valued. (uniqueness-attribute-name)

--subtree SUBTREE [SUBTREE ...]

Sets the DN under which the plug-in checks for uniqueness of the attributes value. This attribute is multi-valued (uniqueness-subtrees)

--across-all-subtrees {on,off}

If enabled (on), the plug-in checks that the attribute is unique across all subtrees set. If you set the attribute to off, uniqueness is only enforced within the subtree of the updated entry (uniqueness-across-all-subtrees)

--top-entry-oc TOP_ENTRY_OC

Verifies that the value of the attribute set in uniqueness-attribute-name is unique in this subtree (uniqueness-top-entry-oc)

--subtree-entries-oc SUBTREE_ENTRIES_OC

Verifies if an attribute is unique, if the entry contains the object class set in this parameter (uniqueness-subtree-entries-oc)

OPTIONS 'dsconf plugin attr-uniq show'

usage: dsconf instance plugin attr-uniq show [-h] NAME

NAME

The name of the plug-in configuration record

OPTIONS 'dsconf plugin attr-uniq delete'

usage: dsconf instance plugin attr-uniq delete [-h] NAME

NAME

The name of the plug-in configuration record

OPTIONS 'dsconf plugin attr-uniq enable'

usage: dsconf instance plugin attr-uniq enable [-h] NAME

NAME

The name of the plug-in configuration record

OPTIONS 'dsconf plugin attr-uniq disable'

usage: dsconf instance plugin attr-uniq disable [-h] NAME

NAME

The name of the plug-in configuration record

OPTIONS 'dsconf plugin attr-uniq status'

usage: dsconf instance plugin attr-uniq status [-h] NAME

NAME

The name of the plug-in configuration record

OPTIONS 'dsconf plugin dna'

usage: dsconf instance plugin dna [-h]
                                 {show,enable,disable,status,list,config} ...

Sub-commands

dsconf plugin dna show

Displays the plugin configuration

dsconf plugin dna enable

Enables the plugin

dsconf plugin dna disable

Disables the plugin

dsconf plugin dna status

Displays the plugin status

dsconf plugin dna list

List available plugin configs

dsconf plugin dna config

Manage plugin configs

OPTIONS 'dsconf plugin dna show'

usage: dsconf instance plugin dna show [-h]

OPTIONS 'dsconf plugin dna enable'

usage: dsconf instance plugin dna enable [-h]

OPTIONS 'dsconf plugin dna disable'

usage: dsconf instance plugin dna disable [-h]

OPTIONS 'dsconf plugin dna status'

usage: dsconf instance plugin dna status [-h]

OPTIONS 'dsconf plugin dna list'

usage: dsconf instance plugin dna list [-h] {configs,shared-configs} ...

Sub-commands

dsconf plugin dna list configs

List main DNA plugin config entries

dsconf plugin dna list shared-configs

List DNA plugin shared config entries

OPTIONS 'dsconf plugin dna list configs'

usage: dsconf instance plugin dna list configs [-h]

OPTIONS 'dsconf plugin dna list shared-configs'

usage: dsconf instance plugin dna list shared-configs [-h] BASEDN

BASEDN

The search DN

OPTIONS 'dsconf plugin dna config'

usage: dsconf instance plugin dna config [-h]
                                        NAME
                                        {add,set,show,delete,shared-config-entry}
                                        ...

NAME

The DNA configuration name

Sub-commands

dsconf plugin dna config add

Add the config entry

dsconf plugin dna config set

Edit the config entry

dsconf plugin dna config show

Display the config entry

dsconf plugin dna config delete

Delete the config entry

dsconf plugin dna config shared-config-entry

Manage the shared config entry

OPTIONS 'dsconf plugin dna config add'

usage: dsconf instance plugin dna config NAME add [-h]
                                                 [--type TYPE [TYPE ...]]
                                                 [--prefix PREFIX]
                                                 [--next-value NEXT_VALUE]
                                                 [--max-value MAX_VALUE]
                                                 [--interval INTERVAL]
                                                 [--magic-regen MAGIC_REGEN]
                                                 [--filter FILTER]
                                                 [--scope SCOPE]
                                                 [--remote-bind-dn REMOTE_BIND_DN]
                                                 [--remote-bind-cred REMOTE_BIND_CRED]
                                                 [--shared-config-entry SHARED_CONFIG_ENTRY]
                                                 [--threshold THRESHOLD]
                                                 [--next-range NEXT_RANGE]
                                                 [--range-request-timeout RANGE_REQUEST_TIMEOUT]

--type TYPE [TYPE ...]

Sets which attributes have unique numbers being generated for them (dnaType)

--prefix PREFIX

Defines a prefix that can be prepended to the generated number values for the attribute (dnaPrefix)

--next-value NEXT_VALUE

Sets the next available number which can be assigned (dnaNextValue)

--max-value MAX_VALUE

Sets the maximum value that can be assigned for the range (dnaMaxValue)

--interval INTERVAL

Sets an interval to use to increment through numbers in a range (dnaInterval)

--magic-regen MAGIC_REGEN

Sets a user-defined value that instructs the plug-in to assign a new value for the entry (dnaMagicRegen)

--filter FILTER

Sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range (dnaFilter)

--scope SCOPE

Sets the base DN to search for entries to which to apply the distributed numeric assignment (dnaScope)

--remote-bind-dn REMOTE_BIND_DN

Specifies the Replication Manager DN (dnaRemoteBindDN)

--remote-bind-cred REMOTE_BIND_CRED

Specifies the Replication Manager's password (dnaRemoteBindCred)

--shared-config-entry SHARED_CONFIG_ENTRY

Defines a shared identity that the servers can use to transfer ranges to one another (dnaSharedCfgDN)

--threshold THRESHOLD

Sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range (dnaThreshold)

--next-range NEXT_RANGE

Defines the next range to use when the current range is exhausted (dnaNextRange)

--range-request-timeout RANGE_REQUEST_TIMEOUT

Sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server (dnaRangeRequestTimeout)

OPTIONS 'dsconf plugin dna config set'

usage: dsconf instance plugin dna config NAME set [-h]
                                                 [--type TYPE [TYPE ...]]
                                                 [--prefix PREFIX]
                                                 [--next-value NEXT_VALUE]
                                                 [--max-value MAX_VALUE]
                                                 [--interval INTERVAL]
                                                 [--magic-regen MAGIC_REGEN]
                                                 [--filter FILTER]
                                                 [--scope SCOPE]
                                                 [--remote-bind-dn REMOTE_BIND_DN]
                                                 [--remote-bind-cred REMOTE_BIND_CRED]
                                                 [--shared-config-entry SHARED_CONFIG_ENTRY]
                                                 [--threshold THRESHOLD]
                                                 [--next-range NEXT_RANGE]
                                                 [--range-request-timeout RANGE_REQUEST_TIMEOUT]

--type TYPE [TYPE ...]

Sets which attributes have unique numbers being generated for them (dnaType)

--prefix PREFIX

Defines a prefix that can be prepended to the generated number values for the attribute (dnaPrefix)

--next-value NEXT_VALUE

Sets the next available number which can be assigned (dnaNextValue)

--max-value MAX_VALUE

Sets the maximum value that can be assigned for the range (dnaMaxValue)

--interval INTERVAL

Sets an interval to use to increment through numbers in a range (dnaInterval)

--magic-regen MAGIC_REGEN

Sets a user-defined value that instructs the plug-in to assign a new value for the entry (dnaMagicRegen)

--filter FILTER

Sets an LDAP filter to use to search for and identify the entries to which to apply the distributed numeric assignment range (dnaFilter)

--scope SCOPE

Sets the base DN to search for entries to which to apply the distributed numeric assignment (dnaScope)

--remote-bind-dn REMOTE_BIND_DN

Specifies the Replication Manager DN (dnaRemoteBindDN)

--remote-bind-cred REMOTE_BIND_CRED

Specifies the Replication Manager's password (dnaRemoteBindCred)

--shared-config-entry SHARED_CONFIG_ENTRY

Defines a shared identity that the servers can use to transfer ranges to one another (dnaSharedCfgDN)

--threshold THRESHOLD

Sets a threshold of remaining available numbers in the range. When the server hits the threshold, it sends a request for a new range (dnaThreshold)

--next-range NEXT_RANGE

Defines the next range to use when the current range is exhausted (dnaNextRange)

--range-request-timeout RANGE_REQUEST_TIMEOUT

Sets a timeout period, in seconds, for range requests so that the server does not stall waiting on a new range from one server and can request a range from a new server (dnaRangeRequestTimeout)

OPTIONS 'dsconf plugin dna config show'

usage: dsconf instance plugin dna config NAME show [-h]

OPTIONS 'dsconf plugin dna config delete'

usage: dsconf instance plugin dna config NAME delete [-h]

OPTIONS 'dsconf plugin dna config shared-config-entry'

usage: dsconf instance plugin dna config NAME shared-config-entry
      [-h] SHARED_CFG {set,show,delete} ...

SHARED_CFG

Use HOSTNAME:PORT for this argument to identify the host name and port of a server in a shared range, as part of the DNA range configuration for that specific host in multi-supplier replication. (dnaHostname+dnaPortNum)

Sub-commands

dsconf plugin dna config shared-config-entry set

Edit the shared config entry

dsconf plugin dna config shared-config-entry show

Display the shared config entry

dsconf plugin dna config shared-config-entry delete

Delete the shared config entry

OPTIONS 'dsconf plugin dna config shared-config-entry set'

usage: dsconf instance plugin dna config NAME shared-config-entry SHARED_CFG set
      [-h] [--remote-bind-method REMOTE_BIND_METHOD]
      [--remote-conn-protocol REMOTE_CONN_PROTOCOL]

--remote-bind-method REMOTE_BIND_METHOD

Specifies the remote bind method "SIMPLE", "SSL" (for SSL client auth), "SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)

--remote-conn-protocol REMOTE_CONN_PROTOCOL

Specifies the remote connection protocol "LDAP", or "TLS" (dnaRemoteConnProtocol)

OPTIONS 'dsconf plugin dna config shared-config-entry show'

usage: dsconf instance plugin dna config NAME shared-config-entry SHARED_CFG show
      [-h]

OPTIONS 'dsconf plugin dna config shared-config-entry delete'

usage: dsconf instance plugin dna config NAME shared-config-entry SHARED_CFG delete
      [-h]

OPTIONS 'dsconf plugin linked-attr'

usage: dsconf instance plugin linked-attr [-h]
                                         {show,enable,disable,status,fixup,list,config}
                                         ...

Sub-commands

dsconf plugin linked-attr show

Displays the plugin configuration

dsconf plugin linked-attr enable

Enables the plugin

dsconf plugin linked-attr disable

Disables the plugin

dsconf plugin linked-attr status

Displays the plugin status

dsconf plugin linked-attr fixup

Run the fix-up task for linked attributes plugin

dsconf plugin linked-attr list

List available plugin configs

dsconf plugin linked-attr config

Manage plugin configs

OPTIONS 'dsconf plugin linked-attr show'

usage: dsconf instance plugin linked-attr show [-h]

OPTIONS 'dsconf plugin linked-attr enable'

usage: dsconf instance plugin linked-attr enable [-h]

OPTIONS 'dsconf plugin linked-attr disable'

usage: dsconf instance plugin linked-attr disable [-h]

OPTIONS 'dsconf plugin linked-attr status'

usage: dsconf instance plugin linked-attr status [-h]

OPTIONS 'dsconf plugin linked-attr fixup'

usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN]

-l LINKDN, --linkdn LINKDN

Sets the base DN that contains entries to fix up

OPTIONS 'dsconf plugin linked-attr list'

usage: dsconf instance plugin linked-attr list [-h]

OPTIONS 'dsconf plugin linked-attr config'

usage: dsconf instance plugin linked-attr config [-h]
                                                NAME {add,set,show,delete}
                                                ...

NAME

The Linked Attributes configuration name

Sub-commands

dsconf plugin linked-attr config add

Add the config entry

dsconf plugin linked-attr config set

Edit the config entry

dsconf plugin linked-attr config show

Display the config entry

dsconf plugin linked-attr config delete

Delete the config entry

OPTIONS 'dsconf plugin linked-attr config add'

usage: dsconf instance plugin linked-attr config NAME add [-h]
                                                         [--link-type LINK_TYPE]
                                                         [--managed-type MANAGED_TYPE]
                                                         [--link-scope LINK_SCOPE]

--link-type LINK_TYPE

Sets the attribute that is managed manually by administrators (linkType)

--managed-type MANAGED_TYPE

Sets the attribute that is created dynamically by the plugin (managedType)

--link-scope LINK_SCOPE

Sets the scope that restricts the plugin to a specific part of the directory tree (linkScope)

OPTIONS 'dsconf plugin linked-attr config set'

usage: dsconf instance plugin linked-attr config NAME set [-h]
                                                         [--link-type LINK_TYPE]
                                                         [--managed-type MANAGED_TYPE]
                                                         [--link-scope LINK_SCOPE]

--link-type LINK_TYPE

Sets the attribute that is managed manually by administrators (linkType)

--managed-type MANAGED_TYPE

Sets the attribute that is created dynamically by the plugin (managedType)

--link-scope LINK_SCOPE

Sets the scope that restricts the plugin to a specific part of the directory tree (linkScope)

OPTIONS 'dsconf plugin linked-attr config show'

usage: dsconf instance plugin linked-attr config NAME show [-h]

OPTIONS 'dsconf plugin linked-attr config delete'

usage: dsconf instance plugin linked-attr config NAME delete [-h]

OPTIONS 'dsconf plugin managed-entries'

usage: dsconf instance plugin managed-entries [-h]
                                             {show,enable,disable,status,set,list,config,template}
                                             ...

Sub-commands

dsconf plugin managed-entries show

Displays the plugin configuration

dsconf plugin managed-entries enable

Enables the plugin

dsconf plugin managed-entries disable

Disables the plugin

dsconf plugin managed-entries status

Displays the plugin status

dsconf plugin managed-entries set

Edit the plugin settings

dsconf plugin managed-entries list

List Managed Entries Plugin configs and templates

dsconf plugin managed-entries config

Handle Managed Entries Plugin configs

dsconf plugin managed-entries template

Handle Managed Entries Plugin templates

OPTIONS 'dsconf plugin managed-entries show'

usage: dsconf instance plugin managed-entries show [-h]

OPTIONS 'dsconf plugin managed-entries enable'

usage: dsconf instance plugin managed-entries enable [-h]

OPTIONS 'dsconf plugin managed-entries disable'

usage: dsconf instance plugin managed-entries disable [-h]

OPTIONS 'dsconf plugin managed-entries status'

usage: dsconf instance plugin managed-entries status [-h]

OPTIONS 'dsconf plugin managed-entries set'

usage: dsconf instance plugin managed-entries set [-h]
                                                 [--config-area CONFIG_AREA]

--config-area CONFIG_AREA

Sets the value of the nsslapd-pluginConfigArea attribute

OPTIONS 'dsconf plugin managed-entries list'

usage: dsconf instance plugin managed-entries list [-h]
                                                  {configs,templates} ...

Sub-commands

dsconf plugin managed-entries list configs

List Managed Entries Plugin configs (list config-area if specified in the main plugin entry)

dsconf plugin managed-entries list templates

List Managed Entries Plugin templates in the directory

OPTIONS 'dsconf plugin managed-entries list configs'

usage: dsconf instance plugin managed-entries list configs [-h]

OPTIONS 'dsconf plugin managed-entries list templates'

usage: dsconf instance plugin managed-entries list templates [-h] [BASEDN]

BASEDN

The base DN where to search the templates

OPTIONS 'dsconf plugin managed-entries config'

usage: dsconf instance plugin managed-entries config [-h]
                                                    NAME
                                                    {add,set,show,delete} ...

NAME

The config entry CN

Sub-commands

dsconf plugin managed-entries config add

Add the config entry

dsconf plugin managed-entries config set

Edit the config entry

dsconf plugin managed-entries config show

Display the config entry

dsconf plugin managed-entries config delete

Delete the config entry

OPTIONS 'dsconf plugin managed-entries config add'

usage: dsconf instance plugin managed-entries config NAME add
      [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
      [--managed-template MANAGED_TEMPLATE]

--scope SCOPE

Sets the scope of the search to use to see which entries the plug-in monitors (originScope)

--filter FILTER

Sets the search filter to use to search for and identify the entries within the subtree which require a managed entry (originFilter)

--managed-base MANAGED_BASE

Sets the subtree under which to create the managed entries (managedBase)

--managed-template MANAGED_TEMPLATE

Identifies the template entry to use to create the managed entry (managedTemplate)

OPTIONS 'dsconf plugin managed-entries config set'

usage: dsconf instance plugin managed-entries config NAME set
      [-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
      [--managed-template MANAGED_TEMPLATE]

--scope SCOPE

Sets the scope of the search to use to see which entries the plug-in monitors (originScope)

--filter FILTER

Sets the search filter to use to search for and identify the entries within the subtree which require a managed entry (originFilter)

--managed-base MANAGED_BASE

Sets the subtree under which to create the managed entries (managedBase)

--managed-template MANAGED_TEMPLATE

Identifies the template entry to use to create the managed entry (managedTemplate)

OPTIONS 'dsconf plugin managed-entries config show'

usage: dsconf instance plugin managed-entries config NAME show [-h]

OPTIONS 'dsconf plugin managed-entries config delete'

usage: dsconf instance plugin managed-entries config NAME delete [-h]

OPTIONS 'dsconf plugin managed-entries template'

usage: dsconf instance plugin managed-entries template [-h]
                                                      DN
                                                      {add,set,show,delete}
                                                      ...

DN

The template entry DN.

Sub-commands

dsconf plugin managed-entries template add

Add the template entry

dsconf plugin managed-entries template set

Edit the template entry

dsconf plugin managed-entries template show

Display the template entry

dsconf plugin managed-entries template delete

Delete the template entry

OPTIONS 'dsconf plugin managed-entries template add'

usage: dsconf instance plugin managed-entries template DN add
      [-h] [--rdn-attr RDN_ATTR]
      [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
      [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

--rdn-attr RDN_ATTR

Sets which attribute to use as the naming attribute in the automatically- generated entry (mepRDNAttr)

--static-attr STATIC_ATTR [STATIC_ATTR ...]

Sets an attribute with a defined value that must be added to the automatically-generated entry (mepStaticAttr)

--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]

Sets attributes in the Managed Entries template entry which must exist in the generated entry (mepMappedAttr)

OPTIONS 'dsconf plugin managed-entries template set'

usage: dsconf instance plugin managed-entries template DN set
      [-h] [--rdn-attr RDN_ATTR]
      [--static-attr STATIC_ATTR [STATIC_ATTR ...]]
      [--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

--rdn-attr RDN_ATTR

Sets which attribute to use as the naming attribute in the automatically- generated entry (mepRDNAttr)

--static-attr STATIC_ATTR [STATIC_ATTR ...]

Sets an attribute with a defined value that must be added to the automatically-generated entry (mepStaticAttr)

--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]

Sets attributes in the Managed Entries template entry which must exist in the generated entry (mepMappedAttr)

OPTIONS 'dsconf plugin managed-entries template show'

usage: dsconf instance plugin managed-entries template DN show [-h]

OPTIONS 'dsconf plugin managed-entries template delete'

usage: dsconf instance plugin managed-entries template DN delete [-h]

OPTIONS 'dsconf plugin pass-through-auth'

usage: dsconf instance plugin pass-through-auth [-h]
                                               {show,enable,disable,status,list,url,pam-config}
                                               ...

Sub-commands

dsconf plugin pass-through-auth show

Displays the plugin configuration

dsconf plugin pass-through-auth enable

Enables the plugin

dsconf plugin pass-through-auth disable

Disables the plugin

dsconf plugin pass-through-auth status

Displays the plugin status

dsconf plugin pass-through-auth enable

Enable the pass through authentication plugins

dsconf plugin pass-through-auth disable

Disable the pass through authentication plugins

dsconf plugin pass-through-auth list

List pass-though plugin URLs or PAM configurations

dsconf plugin pass-through-auth url

Manage PTA URL configurations

dsconf plugin pass-through-auth pam-config

Manage PAM PTA configurations.

OPTIONS 'dsconf plugin pass-through-auth show'

usage: dsconf instance plugin pass-through-auth show [-h]

OPTIONS 'dsconf plugin pass-through-auth enable'

usage: dsconf instance plugin pass-through-auth enable [-h]

OPTIONS 'dsconf plugin pass-through-auth disable'

usage: dsconf instance plugin pass-through-auth disable [-h]

OPTIONS 'dsconf plugin pass-through-auth status'

usage: dsconf instance plugin pass-through-auth status [-h]

OPTIONS 'dsconf plugin pass-through-auth list'

usage: dsconf instance plugin pass-through-auth list [-h]
                                                    {urls,pam-configs} ...

Sub-commands

dsconf plugin pass-through-auth list urls

Lists URLs

dsconf plugin pass-through-auth list pam-configs

Lists PAM configurations

OPTIONS 'dsconf plugin pass-through-auth list urls'

usage: dsconf instance plugin pass-through-auth list urls [-h]

OPTIONS 'dsconf plugin pass-through-auth list pam-configs'

usage: dsconf instance plugin pass-through-auth list pam-configs [-h]

OPTIONS 'dsconf plugin pass-through-auth url'

usage: dsconf instance plugin pass-through-auth url [-h]
                                                   {add,modify,delete} ...

Sub-commands

dsconf plugin pass-through-auth url add

Add the config entry

dsconf plugin pass-through-auth url modify

Edit the config entry

dsconf plugin pass-through-auth url delete

Delete the config entry

OPTIONS 'dsconf plugin pass-through-auth url add'

usage: dsconf instance plugin pass-through-auth url add [-h] URL

URL

The full LDAP URL in format "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional parameter is specified the rest should be specified too

OPTIONS 'dsconf plugin pass-through-auth url modify'

usage: dsconf instance plugin pass-through-auth url modify [-h]
                                                          OLD_URL NEW_URL

OLD_URL

The full LDAP URL you get from the "list" command

NEW_URL

Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional parameter is specified the rest should be specified too.

OPTIONS 'dsconf plugin pass-through-auth url delete'

usage: dsconf instance plugin pass-through-auth url delete [-h] URL

URL

The full LDAP URL you get from the "list" command

OPTIONS 'dsconf plugin pass-through-auth pam-config'

usage: dsconf instance plugin pass-through-auth pam-config [-h]
                                                          NAME
                                                          {add,set,show,delete}
                                                          ...

NAME

The PAM PTA configuration name

Sub-commands

dsconf plugin pass-through-auth pam-config add

Add the config entry

dsconf plugin pass-through-auth pam-config set

Edit the config entry

dsconf plugin pass-through-auth pam-config show

Display the config entry

dsconf plugin pass-through-auth pam-config delete

Delete the config entry

OPTIONS 'dsconf plugin pass-through-auth pam-config add'

usage: dsconf instance plugin pass-through-auth pam-config NAME add
      [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
      [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
      [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
      [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
      [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]

--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]

Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)

--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]

Sets a suffix to include for PAM authentication (pamIncludeSuffix)

--missing-suffix {ERROR,ALLOW,IGNORE,delete,}

Identifies how to handle missing include or exclude suffixes (pamMissingSuffix)

--filter FILTER

Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication (pamFilter)

--id-attr ID_ATTR

Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)

--id_map_method ID_MAP_METHOD

Sets the method to use to map the LDAP bind DN to a PAM identity (pamIDMapMethod)

--fallback {TRUE,FALSE}

Sets whether to fallback to regular LDAP authentication if PAM authentication fails (pamFallback)

--secure {TRUE,FALSE}

Requires secure TLS connection for PAM authentication (pamSecure)

--service SERVICE

Contains the service name to pass to PAM (pamService)

OPTIONS 'dsconf plugin pass-through-auth pam-config set'

usage: dsconf instance plugin pass-through-auth pam-config NAME set
      [-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
      [--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
      [--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
      [--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
      [--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]

--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]

Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)

--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]

Sets a suffix to include for PAM authentication (pamIncludeSuffix)

--missing-suffix {ERROR,ALLOW,IGNORE,delete,}

Identifies how to handle missing include or exclude suffixes (pamMissingSuffix)

--filter FILTER

Sets an LDAP filter to use to identify specific entries within the included suffixes for which to use PAM pass-through authentication (pamFilter)

--id-attr ID_ATTR

Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)

--id_map_method ID_MAP_METHOD

Sets the method to use to map the LDAP bind DN to a PAM identity (pamIDMapMethod)

--fallback {TRUE,FALSE}

Sets whether to fallback to regular LDAP authentication if PAM authentication fails (pamFallback)

--secure {TRUE,FALSE}

Requires secure TLS connection for PAM authentication (pamSecure)

--service SERVICE

Contains the service name to pass to PAM (pamService)

OPTIONS 'dsconf plugin pass-through-auth pam-config show'

usage: dsconf instance plugin pass-through-auth pam-config NAME show [-h]

OPTIONS 'dsconf plugin pass-through-auth pam-config delete'

usage: dsconf instance plugin pass-through-auth pam-config NAME delete [-h]

OPTIONS 'dsconf plugin retro-changelog'

usage: dsconf instance plugin retro-changelog [-h]
                                             {show,enable,disable,status,set,add}
                                             ...

Sub-commands

dsconf plugin retro-changelog show

Displays the plugin configuration

dsconf plugin retro-changelog enable

Enables the plugin

dsconf plugin retro-changelog disable

Disables the plugin

dsconf plugin retro-changelog status

Displays the plugin status

dsconf plugin retro-changelog set

Edit the plugin

dsconf plugin retro-changelog add

Add attributes to the plugin

OPTIONS 'dsconf plugin retro-changelog show'

usage: dsconf instance plugin retro-changelog show [-h]

OPTIONS 'dsconf plugin retro-changelog enable'

usage: dsconf instance plugin retro-changelog enable [-h]

OPTIONS 'dsconf plugin retro-changelog disable'

usage: dsconf instance plugin retro-changelog disable [-h]

OPTIONS 'dsconf plugin retro-changelog status'

usage: dsconf instance plugin retro-changelog status [-h]

OPTIONS 'dsconf plugin retro-changelog set'

usage: dsconf instance plugin retro-changelog set [-h]
                                                 [--is-replicated {TRUE,FALSE}]
                                                 [--attribute ATTRIBUTE]
                                                 [--directory DIRECTORY]
                                                 [--max-age MAX_AGE]
                                                 [--trim-interval TRIM_INTERVAL]
                                                 [--exclude-suffix EXCLUDE_SUFFIX]
                                                 [--exclude-attrs EXCLUDE_ATTRS]

--is-replicated {TRUE,FALSE}

Sets a flag to indicate on a change in the changelog whether the change is newly made on that server or whether it was replicated over from another server (isReplicated)

--attribute ATTRIBUTE

Specifies another Directory Server attribute which must be included in the retro changelog entries (nsslapd-attribute)

--directory DIRECTORY

Specifies the name of the directory in which the changelog database is created the first time the plug-in is run

--max-age MAX_AGE

This attribute specifies the maximum age of any entry in the changelog. Used to trim the changelog (nsslapd-changelogmaxage)

--trim-interval TRIM_INTERVAL
--exclude-suffix EXCLUDE_SUFFIX

This attribute specifies the suffix which will be excluded from the scope of the plugin (nsslapd-exclude-suffix)

--exclude-attrs EXCLUDE_ATTRS

This attribute specifies the attributes which will be excluded from the scope of the plugin (nsslapd-exclude-attrs)

OPTIONS 'dsconf plugin retro-changelog add'

usage: dsconf instance plugin retro-changelog add [-h]
                                                 [--is-replicated {TRUE,FALSE}]
                                                 [--attribute ATTRIBUTE]
                                                 [--directory DIRECTORY]
                                                 [--max-age MAX_AGE]
                                                 [--trim-interval TRIM_INTERVAL]
                                                 [--exclude-suffix EXCLUDE_SUFFIX]
                                                 [--exclude-attrs EXCLUDE_ATTRS]

--is-replicated {TRUE,FALSE}

Sets a flag to indicate on a change in the changelog whether the change is newly made on that server or whether it was replicated over from another server (isReplicated)

--attribute ATTRIBUTE

Specifies another Directory Server attribute which must be included in the retro changelog entries (nsslapd-attribute)

--directory DIRECTORY

Specifies the name of the directory in which the changelog database is created the first time the plug-in is run

--max-age MAX_AGE

This attribute specifies the maximum age of any entry in the changelog. Used to trim the changelog (nsslapd-changelogmaxage)

--trim-interval TRIM_INTERVAL
--exclude-suffix EXCLUDE_SUFFIX

This attribute specifies the suffix which will be excluded from the scope of the plugin (nsslapd-exclude-suffix)

--exclude-attrs EXCLUDE_ATTRS

This attribute specifies the attributes which will be excluded from the scope of the plugin (nsslapd-exclude-attrs)

OPTIONS 'dsconf plugin posix-winsync'

usage: dsconf instance plugin posix-winsync [-h]
                                           {show,enable,disable,status,set,fixup}
                                           ...

Sub-commands

dsconf plugin posix-winsync show

Displays the plugin configuration

dsconf plugin posix-winsync enable

Enables the plugin

dsconf plugin posix-winsync disable

Disables the plugin

dsconf plugin posix-winsync status

Displays the plugin status

dsconf plugin posix-winsync set

Edit the plugin settings

dsconf plugin posix-winsync fixup

Run the memberOf fix-up task to correct mismatched member and uniquemember values for synced users

OPTIONS 'dsconf plugin posix-winsync show'

usage: dsconf instance plugin posix-winsync show [-h]

OPTIONS 'dsconf plugin posix-winsync enable'

usage: dsconf instance plugin posix-winsync enable [-h]

OPTIONS 'dsconf plugin posix-winsync disable'

usage: dsconf instance plugin posix-winsync disable [-h]

OPTIONS 'dsconf plugin posix-winsync status'

usage: dsconf instance plugin posix-winsync status [-h]

OPTIONS 'dsconf plugin posix-winsync set'

usage: dsconf instance plugin posix-winsync set [-h]
                                               [--create-memberof-task {true,false}]
                                               [--lower-case-uid {true,false}]
                                               [--map-member-uid {true,false}]
                                               [--map-nested-grouping {true,false}]
                                               [--ms-sfu-schema {true,false}]

--create-memberof-task {true,false}

Sets whether to run the memberUID fix-up task immediately after a sync run in order to update group memberships for synced users (posixWinsyncCreateMemberOfTask)

--lower-case-uid {true,false}

Sets whether to store (and, if necessary, convert) the UID value in the memberUID attribute in lower case.(posixWinsyncLowerCaseUID)

--map-member-uid {true,false}

Sets whether to map the memberUID attribute in an Active Directory group to the uniqueMember attribute in a Directory Server group (posixWinsyncMapMemberUID)

--map-nested-grouping {true,false}

Manages if nested groups are updated when memberUID attributes in an Active Directory POSIX group change (posixWinsyncMapNestedGrouping)

--ms-sfu-schema {true,false}

Sets whether to the older Microsoft System Services for Unix 3.0 (msSFU30) schema when syncing Posix attributes from Active Directory (posixWinsyncMsSFUSchema)

OPTIONS 'dsconf plugin posix-winsync fixup'

usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN

DN

Set the base DN that contains entries to fix up

-f FILTER, --filter FILTER

Filter for entries to fix up. If omitted, all entries with objectclass inetuser/inetadmin/nsmemberof under the specified base will have their memberOf attribute regenerated.

OPTIONS 'dsconf plugin contentsync'

usage: dsconf instance plugin contentsync [-h]
                                         {show,enable,disable,status,set,add}
                                         ...

Sub-commands

dsconf plugin contentsync show

Displays the plugin configuration

dsconf plugin contentsync enable

Enables the plugin

dsconf plugin contentsync disable

Disables the plugin

dsconf plugin contentsync status

Displays the plugin status

dsconf plugin contentsync set

Edit the plugin settings

dsconf plugin contentsync add

Add attributes to the plugin

OPTIONS 'dsconf plugin contentsync show'

usage: dsconf instance plugin contentsync show [-h]

OPTIONS 'dsconf plugin contentsync enable'

usage: dsconf instance plugin contentsync enable [-h]

OPTIONS 'dsconf plugin contentsync disable'

usage: dsconf instance plugin contentsync disable [-h]

OPTIONS 'dsconf plugin contentsync status'

usage: dsconf instance plugin contentsync status [-h]

OPTIONS 'dsconf plugin contentsync set'

usage: dsconf instance plugin contentsync set [-h] [--allow-openldap {on,off}]

--allow-openldap {on,off}

Allows openldap servers to act as read only consumers of this server via syncrepl

OPTIONS 'dsconf plugin contentsync add'

usage: dsconf instance plugin contentsync add [-h] [--allow-openldap {on,off}]

--allow-openldap {on,off}

Allows openldap servers to act as read only consumers of this server via syncrepl

OPTIONS 'dsconf plugin list'

usage: dsconf instance plugin list [-h]

OPTIONS 'dsconf plugin show'

usage: dsconf instance plugin show [-h] [selector]

selector

The plugin to search for

OPTIONS 'dsconf plugin set'

usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled {on,off}]
                                 [--path PATH] [--initfunc INITFUNC]
                                 [--id ID] [--vendor VENDOR]
                                 [--version VERSION]
                                 [--description DESCRIPTION]
                                 [--depends-on-type DEPENDS_ON_TYPE]
                                 [--depends-on-named DEPENDS_ON_NAMED]
                                 [--precedence PRECEDENCE]
                                 [selector]

selector

The plugin to edit

--type TYPE

The type of plugin.

--enabled {on,off}

Identifies whether or not the plugin is enabled.

--path PATH

The plugin library name (without the library suffix).

--initfunc INITFUNC

An initialization function of the plugin.

--id ID

The plugin ID.

--vendor VENDOR

The vendor of plugin.

--version VERSION

The version of plugin.

--description DESCRIPTION

The description of the plugin.

--depends-on-type DEPENDS_ON_TYPE

All plug-ins with a type value which matches one of the values in the following valid range will be started by the server prior to this plug-in.

--depends-on-named DEPENDS_ON_NAMED

The plug-in name matching one of the following values will be started by the server prior to this plug-in

--precedence PRECEDENCE

The priority it has in the execution order of plug-ins

OPTIONS 'dsconf pwpolicy'

usage: dsconf instance pwpolicy [-h] {get,set} ...

Sub-commands

dsconf pwpolicy get

Get the global password policy entry

dsconf pwpolicy set

Set an attribute in a global password policy

OPTIONS 'dsconf pwpolicy get'

usage: dsconf instance pwpolicy get [-h]

OPTIONS 'dsconf pwpolicy set'

usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
                                   [--pwdchange PWDCHANGE]
                                   [--pwdmustchange PWDMUSTCHANGE]
                                   [--pwdhistory PWDHISTORY]
                                   [--pwdhistorycount PWDHISTORYCOUNT]
                                   [--pwdadmin PWDADMIN]
                                   [--pwdtrack PWDTRACK]
                                   [--pwdwarning PWDWARNING]
                                   [--pwdexpire PWDEXPIRE]
                                   [--pwdmaxage PWDMAXAGE]
                                   [--pwdminage PWDMINAGE]
                                   [--pwdgracelimit PWDGRACELIMIT]
                                   [--pwdsendexpiring PWDSENDEXPIRING]
                                   [--pwdlockout PWDLOCKOUT]
                                   [--pwdunlock PWDUNLOCK]
                                   [--pwdlockoutduration PWDLOCKOUTDURATION]
                                   [--pwdmaxfailures PWDMAXFAILURES]
                                   [--pwdresetfailcount PWDRESETFAILCOUNT]
                                   [--pwdchecksyntax PWDCHECKSYNTAX]
                                   [--pwdminlen PWDMINLEN]
                                   [--pwdmindigits PWDMINDIGITS]
                                   [--pwdminalphas PWDMINALPHAS]
                                   [--pwdminuppers PWDMINUPPERS]
                                   [--pwdminlowers PWDMINLOWERS]
                                   [--pwdminspecials PWDMINSPECIALS]
                                   [--pwdmin8bits PWDMIN8BITS]
                                   [--pwdmaxrepeats PWDMAXREPEATS]
                                   [--pwdpalindrome PWDPALINDROME]
                                   [--pwdmaxseq PWDMAXSEQ]
                                   [--pwdmaxseqsets PWDMAXSEQSETS]
                                   [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                   [--pwdmincatagories PWDMINCATAGORIES]
                                   [--pwdmintokenlen PWDMINTOKENLEN]
                                   [--pwdbadwords PWDBADWORDS]
                                   [--pwduserattrs PWDUSERATTRS]
                                   [--pwddictcheck PWDDICTCHECK]
                                   [--pwddictpath PWDDICTPATH]
                                   [--pwptprmaxuse PWPTPRMAXUSE]
                                   [--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
                                   [--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
                                   [--pwdlocal PWDLOCAL]
                                   [--pwdisglobal PWDISGLOBAL]
                                   [--pwdallowhash PWDALLOWHASH]
                                   [--pwpinheritglobal PWPINHERITGLOBAL]

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

Users must change their password after it was reset by an administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of passwords to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

--pwptprmaxuse PWPTPRMAXUSE

Number of times a reset password can be used for authentication

--pwptprdelayexpireat PWPTPRDELAYEXPIREAT

Number of seconds after which a reset password expires

--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM

Number of seconds to wait before using a reset password to authenticated

--pwdlocal PWDLOCAL

Set to "on" to enable fine-grained (subtree/user-level) password policies

--pwdisglobal PWDISGLOBAL

Set to "on" to enable password policy state attributes to be replicated

--pwdallowhash PWDALLOWHASH

Set to "on" to allow adding prehashed passwords

--pwpinheritglobal PWPINHERITGLOBAL

Set to "on" to allow local policies to inherit the global policy

OPTIONS 'dsconf localpwp'

usage: dsconf instance localpwp [-h]
                               {list,get,set,remove,adduser,addsubtree} ...

Sub-commands

dsconf localpwp list

List all the local password policies

dsconf localpwp get

Get local password policy entry

dsconf localpwp set

Set an attribute in a local password policy

dsconf localpwp remove

Remove a local password policy

dsconf localpwp adduser

Add new user password policy

dsconf localpwp addsubtree

Add new subtree password policy

OPTIONS 'dsconf localpwp list'

usage: dsconf instance localpwp list [-h] [DN]

DN

Suffix to search for local password policies

OPTIONS 'dsconf localpwp get'

usage: dsconf instance localpwp get [-h] DN

DN

Get the local policy for this entry DN

OPTIONS 'dsconf localpwp set'

usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
                                   [--pwdchange PWDCHANGE]
                                   [--pwdmustchange PWDMUSTCHANGE]
                                   [--pwdhistory PWDHISTORY]
                                   [--pwdhistorycount PWDHISTORYCOUNT]
                                   [--pwdadmin PWDADMIN]
                                   [--pwdtrack PWDTRACK]
                                   [--pwdwarning PWDWARNING]
                                   [--pwdexpire PWDEXPIRE]
                                   [--pwdmaxage PWDMAXAGE]
                                   [--pwdminage PWDMINAGE]
                                   [--pwdgracelimit PWDGRACELIMIT]
                                   [--pwdsendexpiring PWDSENDEXPIRING]
                                   [--pwdlockout PWDLOCKOUT]
                                   [--pwdunlock PWDUNLOCK]
                                   [--pwdlockoutduration PWDLOCKOUTDURATION]
                                   [--pwdmaxfailures PWDMAXFAILURES]
                                   [--pwdresetfailcount PWDRESETFAILCOUNT]
                                   [--pwdchecksyntax PWDCHECKSYNTAX]
                                   [--pwdminlen PWDMINLEN]
                                   [--pwdmindigits PWDMINDIGITS]
                                   [--pwdminalphas PWDMINALPHAS]
                                   [--pwdminuppers PWDMINUPPERS]
                                   [--pwdminlowers PWDMINLOWERS]
                                   [--pwdminspecials PWDMINSPECIALS]
                                   [--pwdmin8bits PWDMIN8BITS]
                                   [--pwdmaxrepeats PWDMAXREPEATS]
                                   [--pwdpalindrome PWDPALINDROME]
                                   [--pwdmaxseq PWDMAXSEQ]
                                   [--pwdmaxseqsets PWDMAXSEQSETS]
                                   [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                   [--pwdmincatagories PWDMINCATAGORIES]
                                   [--pwdmintokenlen PWDMINTOKENLEN]
                                   [--pwdbadwords PWDBADWORDS]
                                   [--pwduserattrs PWDUSERATTRS]
                                   [--pwddictcheck PWDDICTCHECK]
                                   [--pwddictpath PWDDICTPATH]
                                   [--pwptprmaxuse PWPTPRMAXUSE]
                                   [--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
                                   [--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
                                   DN

DN

Set the local policy for this entry DN

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

Users must change their password after it was reset by an administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of passwords to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

--pwptprmaxuse PWPTPRMAXUSE

Number of times a reset password can be used for authentication

--pwptprdelayexpireat PWPTPRDELAYEXPIREAT

Number of seconds after which a reset password expires

--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM

Number of seconds to wait before using a reset password to authenticated

OPTIONS 'dsconf localpwp remove'

usage: dsconf instance localpwp remove [-h] DN

DN

Remove local policy for this entry DN

OPTIONS 'dsconf localpwp adduser'

usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
                                       [--pwdchange PWDCHANGE]
                                       [--pwdmustchange PWDMUSTCHANGE]
                                       [--pwdhistory PWDHISTORY]
                                       [--pwdhistorycount PWDHISTORYCOUNT]
                                       [--pwdadmin PWDADMIN]
                                       [--pwdtrack PWDTRACK]
                                       [--pwdwarning PWDWARNING]
                                       [--pwdexpire PWDEXPIRE]
                                       [--pwdmaxage PWDMAXAGE]
                                       [--pwdminage PWDMINAGE]
                                       [--pwdgracelimit PWDGRACELIMIT]
                                       [--pwdsendexpiring PWDSENDEXPIRING]
                                       [--pwdlockout PWDLOCKOUT]
                                       [--pwdunlock PWDUNLOCK]
                                       [--pwdlockoutduration PWDLOCKOUTDURATION]
                                       [--pwdmaxfailures PWDMAXFAILURES]
                                       [--pwdresetfailcount PWDRESETFAILCOUNT]
                                       [--pwdchecksyntax PWDCHECKSYNTAX]
                                       [--pwdminlen PWDMINLEN]
                                       [--pwdmindigits PWDMINDIGITS]
                                       [--pwdminalphas PWDMINALPHAS]
                                       [--pwdminuppers PWDMINUPPERS]
                                       [--pwdminlowers PWDMINLOWERS]
                                       [--pwdminspecials PWDMINSPECIALS]
                                       [--pwdmin8bits PWDMIN8BITS]
                                       [--pwdmaxrepeats PWDMAXREPEATS]
                                       [--pwdpalindrome PWDPALINDROME]
                                       [--pwdmaxseq PWDMAXSEQ]
                                       [--pwdmaxseqsets PWDMAXSEQSETS]
                                       [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                       [--pwdmincatagories PWDMINCATAGORIES]
                                       [--pwdmintokenlen PWDMINTOKENLEN]
                                       [--pwdbadwords PWDBADWORDS]
                                       [--pwduserattrs PWDUSERATTRS]
                                       [--pwddictcheck PWDDICTCHECK]
                                       [--pwddictpath PWDDICTPATH]
                                       [--pwptprmaxuse PWPTPRMAXUSE]
                                       [--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
                                       [--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
                                       DN

DN

Add/replace the local password policy for this entry DN

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

Users must change their password after it was reset by an administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of passwords to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

--pwptprmaxuse PWPTPRMAXUSE

Number of times a reset password can be used for authentication

--pwptprdelayexpireat PWPTPRDELAYEXPIREAT

Number of seconds after which a reset password expires

--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM

Number of seconds to wait before using a reset password to authenticated

OPTIONS 'dsconf localpwp addsubtree'

usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
                                          [--pwdchange PWDCHANGE]
                                          [--pwdmustchange PWDMUSTCHANGE]
                                          [--pwdhistory PWDHISTORY]
                                          [--pwdhistorycount PWDHISTORYCOUNT]
                                          [--pwdadmin PWDADMIN]
                                          [--pwdtrack PWDTRACK]
                                          [--pwdwarning PWDWARNING]
                                          [--pwdexpire PWDEXPIRE]
                                          [--pwdmaxage PWDMAXAGE]
                                          [--pwdminage PWDMINAGE]
                                          [--pwdgracelimit PWDGRACELIMIT]
                                          [--pwdsendexpiring PWDSENDEXPIRING]
                                          [--pwdlockout PWDLOCKOUT]
                                          [--pwdunlock PWDUNLOCK]
                                          [--pwdlockoutduration PWDLOCKOUTDURATION]
                                          [--pwdmaxfailures PWDMAXFAILURES]
                                          [--pwdresetfailcount PWDRESETFAILCOUNT]
                                          [--pwdchecksyntax PWDCHECKSYNTAX]
                                          [--pwdminlen PWDMINLEN]
                                          [--pwdmindigits PWDMINDIGITS]
                                          [--pwdminalphas PWDMINALPHAS]
                                          [--pwdminuppers PWDMINUPPERS]
                                          [--pwdminlowers PWDMINLOWERS]
                                          [--pwdminspecials PWDMINSPECIALS]
                                          [--pwdmin8bits PWDMIN8BITS]
                                          [--pwdmaxrepeats PWDMAXREPEATS]
                                          [--pwdpalindrome PWDPALINDROME]
                                          [--pwdmaxseq PWDMAXSEQ]
                                          [--pwdmaxseqsets PWDMAXSEQSETS]
                                          [--pwdmaxclasschars PWDMAXCLASSCHARS]
                                          [--pwdmincatagories PWDMINCATAGORIES]
                                          [--pwdmintokenlen PWDMINTOKENLEN]
                                          [--pwdbadwords PWDBADWORDS]
                                          [--pwduserattrs PWDUSERATTRS]
                                          [--pwddictcheck PWDDICTCHECK]
                                          [--pwddictpath PWDDICTPATH]
                                          [--pwptprmaxuse PWPTPRMAXUSE]
                                          [--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
                                          [--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
                                          DN

DN

Add/replace the subtree policy for this entry DN

--pwdscheme PWDSCHEME

The password storage scheme

--pwdchange PWDCHANGE

Allow users to change their passwords

--pwdmustchange PWDMUSTCHANGE

Users must change their password after it was reset by an administrator

--pwdhistory PWDHISTORY

To enable password history set this to "on", otherwise "off"

--pwdhistorycount PWDHISTORYCOUNT

The number of passwords to keep in history

--pwdadmin PWDADMIN

The DN of an entry or a group of account that can bypass password policy constraints

--pwdtrack PWDTRACK

Set to "on" to track the time the password was last changed

--pwdwarning PWDWARNING

Send an expiring warning if password expires within this time (in seconds)

--pwdexpire PWDEXPIRE

Set to "on" to enable password expiration

--pwdmaxage PWDMAXAGE

The password expiration time in seconds

--pwdminage PWDMINAGE

The number of seconds that must pass before a user can change their password

--pwdgracelimit PWDGRACELIMIT

The number of allowed logins after the password has expired

--pwdsendexpiring PWDSENDEXPIRING

Set to "on" to always send the expiring control regardless of the warning period

--pwdlockout PWDLOCKOUT

Set to "on" to enable account lockout

--pwdunlock PWDUNLOCK

Set to "on" to allow an account to become unlocked after the lockout duration

--pwdlockoutduration PWDLOCKOUTDURATION

The number of seconds an account stays locked out

--pwdmaxfailures PWDMAXFAILURES

The maximum number of allowed failed password attempts before the account gets locked

--pwdresetfailcount PWDRESETFAILCOUNT

The number of seconds to wait before reducing the failed login count on an account

--pwdchecksyntax PWDCHECKSYNTAX

Set to "on" to enable password syntax checking

--pwdminlen PWDMINLEN

The minimum number of characters required in a password

--pwdmindigits PWDMINDIGITS

The minimum number of digit/number characters in a password

--pwdminalphas PWDMINALPHAS

The minimum number of alpha characters required in a password

--pwdminuppers PWDMINUPPERS

The minimum number of uppercase characters required in a password

--pwdminlowers PWDMINLOWERS

The minimum number of lowercase characters required in a password

--pwdminspecials PWDMINSPECIALS

The minimum number of special characters required in a password

--pwdmin8bits PWDMIN8BITS

The minimum number of 8-bit characters required in a password

--pwdmaxrepeats PWDMAXREPEATS

The maximum number of times the same character can appear sequentially in the password

--pwdpalindrome PWDPALINDROME

Set to "on" to reject passwords that are palindromes

--pwdmaxseq PWDMAXSEQ

The maximum number of allowed monotonic character sequences in a password

--pwdmaxseqsets PWDMAXSEQSETS

The maximum number of allowed monotonic character sequences that can be duplicated in a password

--pwdmaxclasschars PWDMAXCLASSCHARS

The maximum number of sequential characters from the same character class that is allowed in a password

--pwdmincatagories PWDMINCATAGORIES

The minimum number of syntax category checks

--pwdmintokenlen PWDMINTOKENLEN

Sets the smallest attribute value length that is used for trivial/user words checking. This also impacts "--pwduserattrs"

--pwdbadwords PWDBADWORDS

A space-separated list of words that can not be in a password

--pwduserattrs PWDUSERATTRS

A space-separated list of attributes whose values can not appear in the password (See "--pwdmintokenlen")

--pwddictcheck PWDDICTCHECK

Set to "on" to enforce CrackLib dictionary checking

--pwddictpath PWDDICTPATH

Filesystem path to specific/custom CrackLib dictionary files

--pwptprmaxuse PWPTPRMAXUSE

Number of times a reset password can be used for authentication

--pwptprdelayexpireat PWPTPRDELAYEXPIREAT

Number of seconds after which a reset password expires

--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM

Number of seconds to wait before using a reset password to authenticated

OPTIONS 'dsconf replication'

usage: dsconf instance replication [-h]
                                  {enable,disable,get-ruv,list,status,winsync-status,promote,create-manager,delete-manager,demote,get,set-changelog,get-changelog,export-changelog,import-changelog,set,monitor}
                                  ...

Sub-commands

dsconf replication enable

Enable replication for a suffix

dsconf replication disable

Disable replication for a suffix

dsconf replication get-ruv

Display the database RUV entry for a suffix

dsconf replication list

Lists all the replicated suffixes

dsconf replication status

Display the current status of all the replication agreements

dsconf replication winsync-status

Display the current status of all the replication agreements

dsconf replication promote

Promote a replica to a hub or supplier

dsconf replication create-manager

Create a replication manager entry

dsconf replication delete-manager

Delete a replication manager entry

dsconf replication demote

Demote replica to a hub or consumer

dsconf replication get

Display the replication configuration

dsconf replication set-changelog

Set replication changelog attributes

dsconf replication get-changelog

Display replication changelog attributes

dsconf replication export-changelog

Export the Directory Server replication changelog to an LDIF file

dsconf replication import-changelog

Restore/import Directory Server replication change log from an LDIF file. This is typically used when managing changelog encryption

dsconf replication set

Set an attribute in the replication configuration

dsconf replication monitor

Display the full replication topology report

OPTIONS 'dsconf replication enable'

usage: dsconf instance replication enable [-h] --suffix SUFFIX --role ROLE
                                         [--replica-id REPLICA_ID]
                                         [--bind-group-dn BIND_GROUP_DN]
                                         [--bind-dn BIND_DN]
                                         [--bind-passwd BIND_PASSWD]

--suffix SUFFIX

Sets the DN of the suffix to be enabled for replication

--role ROLE

Sets the replication role: "supplier", "hub", or "consumer"

--replica-id REPLICA_ID

Sets the replication identifier for a "supplier". Values range from 1 - 65534

--bind-group-dn BIND_GROUP_DN

Sets a group entry DN containing members that are "bind/supplier" DNs

--bind-dn BIND_DN

Sets the bind or supplier DN that can make replication updates

--bind-passwd BIND_PASSWD

Sets the password for replication manager (--bind-dn). This will create the manager entry if a value is set

OPTIONS 'dsconf replication disable'

usage: dsconf instance replication disable [-h] --suffix SUFFIX

--suffix SUFFIX

Sets the DN of the suffix to have replication disabled

OPTIONS 'dsconf replication get-ruv'

usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX

--suffix SUFFIX

Sets the DN of the replicated suffix

OPTIONS 'dsconf replication list'

usage: dsconf instance replication list [-h]

OPTIONS 'dsconf replication status'

usage: dsconf instance replication status [-h] --suffix SUFFIX
                                         [--bind-dn BIND_DN]
                                         [--bind-passwd BIND_PASSWD]

--suffix SUFFIX

Sets the DN of the replication suffix

--bind-dn BIND_DN

Sets the DN to use to authenticate to the consumer

--bind-passwd BIND_PASSWD

Sets the password for the bind DN

OPTIONS 'dsconf replication winsync-status'

usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
                                                 [--bind-dn BIND_DN]
                                                 [--bind-passwd BIND_PASSWD]

--suffix SUFFIX

Sets the DN of the replication suffix

--bind-dn BIND_DN

Sets the DN to use to authenticate to the consumer

--bind-passwd BIND_PASSWD

Sets the password of the bind DN

OPTIONS 'dsconf replication promote'

usage: dsconf instance replication promote [-h] --suffix SUFFIX --newrole
                                          NEWROLE [--replica-id REPLICA_ID]
                                          [--bind-group-dn BIND_GROUP_DN]
                                          [--bind-dn BIND_DN]

--suffix SUFFIX

Sets the DN of the replication suffix to promote

--newrole NEWROLE

Sets the new replica role to "hub" or "supplier"

--replica-id REPLICA_ID

Sets the replication identifier for a "supplier". Values range from 1 - 65534

--bind-group-dn BIND_GROUP_DN

Sets a group entry DN containing members that are "bind/supplier" DNs

--bind-dn BIND_DN

Sets the bind or supplier DN that can make replication updates

OPTIONS 'dsconf replication create-manager'

usage: dsconf instance replication create-manager [-h] [--name NAME]
                                                 [--passwd PASSWD]
                                                 [--suffix SUFFIX]

--name NAME

Sets the name of the new replication manager entry.For example, if the name is "replication manager" then the new manager entry's DN would be "cn=replication manager,cn=config".

--passwd PASSWD

Sets the password for replication manager. If not provided, you will be prompted for the password

--suffix SUFFIX

The DN of the replication suffix whose replication configuration you want to add this new manager to (OPTIONAL)

OPTIONS 'dsconf replication delete-manager'

usage: dsconf instance replication delete-manager [-h] [--name NAME]
                                                 [--suffix SUFFIX]

--name NAME

Sets the name of the replication manager entry under cn=config: "cn=NAME,cn=config"

--suffix SUFFIX

Sets the DN of the replication suffix whose replication configuration you want to remove this manager from (OPTIONAL)

OPTIONS 'dsconf replication demote'

usage: dsconf instance replication demote [-h] --suffix SUFFIX --newrole
                                         NEWROLE

--suffix SUFFIX

Sets the DN of the replication suffix

--newrole NEWROLE

Sets the new replication role to "hub", or "consumer"

OPTIONS 'dsconf replication get'

usage: dsconf instance replication get [-h] --suffix SUFFIX

--suffix SUFFIX

Sets the suffix DN for the replication configuration to display

OPTIONS 'dsconf replication set-changelog'

usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
                                                [--max-entries MAX_ENTRIES]
                                                [--max-age MAX_AGE]
                                                [--trim-interval TRIM_INTERVAL]
                                                [--encrypt]
                                                [--disable-encrypt]

--suffix SUFFIX

Sets the suffix that uses the changelog

--max-entries MAX_ENTRIES

Sets the maximum number of entries to get in the replication changelog

--max-age MAX_AGE

Set the maximum age of a replication changelog entry

--trim-interval TRIM_INTERVAL

Sets the interval to check if the replication changelog can be trimmed

--encrypt

Sets the replication changelog to use encryption. You must export and import the changelog after setting this.

--disable-encrypt

Sets the replication changelog to not use encryption. You must export and import the changelog after setting this.

OPTIONS 'dsconf replication get-changelog'

usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX

--suffix SUFFIX

Sets the suffix that uses the changelog

OPTIONS 'dsconf replication export-changelog'

usage: dsconf instance replication export-changelog [-h] {to-ldif,default} ...

Sub-commands

dsconf replication export-changelog to-ldif

Sets the LDIF file name. This is typically used for setting up changelog encryption

dsconf replication export-changelog default

Export the replication changelog to the server's default LDIF directory

OPTIONS 'dsconf replication export-changelog to-ldif'

usage: dsconf instance replication export-changelog to-ldif
      [-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r REPLICA_ROOT

-c, --csn-only

Enables to export and interpret CSN only. This option can be used with or without -i option. The LDIF file that is generated can not be imported and is only used for debugging purposes.

-d, --decode

Decodes the base64 values in each changelog entry. The LDIF file that is generated can not be imported and is only used for debugging purposes.

-l, --preserve-ldif-done

Preserves generated LDIF "files.done" files in changelog directory.

-i CHANGELOG_LDIF, --changelog-ldif CHANGELOG_LDIF

Decodes changes in an LDIF file. Use this option if you already have a changelog LDIF file, but the changes in that file are encoded.

-o OUTPUT_FILE, --output-file OUTPUT_FILE

Sets the path name for the final result

-r REPLICA_ROOT, --replica-root REPLICA_ROOT

Specifies the replica root whose changelog you want to export

OPTIONS 'dsconf replication export-changelog default'

usage: dsconf instance replication export-changelog default
      [-h] -r REPLICA_ROOT

-r REPLICA_ROOT, --replica-root REPLICA_ROOT

Specifies the replica root whose changelog you want to export

OPTIONS 'dsconf replication import-changelog'

usage: dsconf instance replication import-changelog [-h]
                                                   {from-ldif,default} ...

Sub-commands

dsconf replication import-changelog from-ldif

Restore/import a specific single LDIF file

dsconf replication import-changelog default

Import the default changelog LDIF file created by the server

OPTIONS 'dsconf replication import-changelog from-ldif'

usage: dsconf instance replication import-changelog from-ldif
      [-h] -r REPLICA_ROOT LDIF_PATH

LDIF_PATH

The path of the changelog LDIF file

-r REPLICA_ROOT, --replica-root REPLICA_ROOT

Specifies the replica root whose changelog you want to import

OPTIONS 'dsconf replication import-changelog default'

usage: dsconf instance replication import-changelog default
      [-h] -r REPLICA_ROOT

-r REPLICA_ROOT, --replica-root REPLICA_ROOT

Specifies the replica root whose changelog you want to import

OPTIONS 'dsconf replication set'

usage: dsconf instance replication set [-h] --suffix SUFFIX
                                      [--repl-add-bind-dn REPL_ADD_BIND_DN]
                                      [--repl-del-bind-dn REPL_DEL_BIND_DN]
                                      [--repl-add-ref REPL_ADD_REF]
                                      [--repl-del-ref REPL_DEL_REF]
                                      [--repl-purge-delay REPL_PURGE_DELAY]
                                      [--repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL]
                                      [--repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING]
                                      [--repl-bind-group REPL_BIND_GROUP]
                                      [--repl-bind-group-interval REPL_BIND_GROUP_INTERVAL]
                                      [--repl-protocol-timeout REPL_PROTOCOL_TIMEOUT]
                                      [--repl-backoff-max REPL_BACKOFF_MAX]
                                      [--repl-backoff-min REPL_BACKOFF_MIN]
                                      [--repl-release-timeout REPL_RELEASE_TIMEOUT]

--suffix SUFFIX

Sets the DN of the replication suffix

--repl-add-bind-dn REPL_ADD_BIND_DN

Adds a bind (supplier) DN

--repl-del-bind-dn REPL_DEL_BIND_DN

Removes a bind (supplier) DN

--repl-add-ref REPL_ADD_REF

Adds a replication referral (for consumers only)

--repl-del-ref REPL_DEL_REF

Removes a replication referral (for conusmers only)

--repl-purge-delay REPL_PURGE_DELAY

Sets the replication purge delay

--repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL

Sets the interval in seconds to check for tombstones that can be purged

--repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING

Enables or disables improving the tombstone purging performance

--repl-bind-group REPL_BIND_GROUP

Sets a group entry DN containing members that are "bind/supplier" DNs

--repl-bind-group-interval REPL_BIND_GROUP_INTERVAL

Sets an interval in seconds to check if the bind group has been updated

--repl-protocol-timeout REPL_PROTOCOL_TIMEOUT

Sets a timeout in seconds on how long to wait before stopping replication when the server is under load

--repl-backoff-max REPL_BACKOFF_MAX

The maximum time in seconds a replication agreement should stay in a backoff state while waiting to acquire the consumer. Default is 300 seconds

--repl-backoff-min REPL_BACKOFF_MIN

The starting time in seconds a replication agreement should stay in a backoff state while waiting to acquire the consumer. Default is 3 seconds

--repl-release-timeout REPL_RELEASE_TIMEOUT

A timeout in seconds a replication supplier should send updates before it yields its replication session

OPTIONS 'dsconf replication monitor'

usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
                                          [-a [ALIASES ...]]

-c [CONNECTIONS ...], --connections [CONNECTIONS ...]

Sets the connection values for monitoring other not connected topologies. The format: 'host:port:binddn:bindpwd'. You can use regex for host and port. You can set bindpwd to * and it will be requested at the runtime or you can include the path to the password file in square brackets - [~/pwd.txt]

-a [ALIASES ...], --aliases [ALIASES ...]

Enables displaying an alias instead of host:port, if an alias is assigned to a host:port combination. The format: alias=host:port

OPTIONS 'dsconf repl-agmt'

usage: dsconf instance repl-agmt [-h]
                                {list,enable,disable,init,init-status,poke,status,delete,create,set,get}
                                ...

Sub-commands

dsconf repl-agmt list

List all replication agreements

dsconf repl-agmt enable

Enable replication agreement

dsconf repl-agmt disable

Disable replication agreement

dsconf repl-agmt init

Initialize replication agreement

dsconf repl-agmt init-status

Check the agreement initialization status

dsconf repl-agmt poke

Trigger replication to send updates now

dsconf repl-agmt status

Displays the current status of the replication agreement

dsconf repl-agmt delete

Delete replication agreement

dsconf repl-agmt create

Initialize replication agreement

dsconf repl-agmt set

Set an attribute in the replication agreement

dsconf repl-agmt get

Get replication configuration

OPTIONS 'dsconf repl-agmt list'

usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry ENTRY]

--suffix SUFFIX

Sets the DN of the suffix to look up replication agreements for

--entry ENTRY

Returns the entire entry for each agreement

OPTIONS 'dsconf repl-agmt enable'

usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-agmt disable'

usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-agmt init'

usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-agmt init-status'

usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-agmt poke'

usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-agmt status'

usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
                                       [--bind-dn BIND_DN]
                                       [--bind-passwd BIND_PASSWD]
                                       AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

--bind-dn BIND_DN

Sets the DN to use to authenticate to the consumer

--bind-passwd BIND_PASSWD

Sets the password for the bind DN

OPTIONS 'dsconf repl-agmt delete'

usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-agmt create'

usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host HOST
                                       --port PORT --conn-protocol
                                       CONN_PROTOCOL [--bind-dn BIND_DN]
                                       [--bind-passwd BIND_PASSWD]
                                       --bind-method BIND_METHOD
                                       [--frac-list FRAC_LIST]
                                       [--frac-list-total FRAC_LIST_TOTAL]
                                       [--strip-list STRIP_LIST]
                                       [--schedule SCHEDULE]
                                       [--conn-timeout CONN_TIMEOUT]
                                       [--protocol-timeout PROTOCOL_TIMEOUT]
                                       [--wait-async-results WAIT_ASYNC_RESULTS]
                                       [--busy-wait-time BUSY_WAIT_TIME]
                                       [--session-pause-time SESSION_PAUSE_TIME]
                                       [--flow-control-window FLOW_CONTROL_WINDOW]
                                       [--flow-control-pause FLOW_CONTROL_PAUSE]
                                       [--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
                                       [--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
                                       [--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
                                       [--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
                                       [--init]
                                       AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

--host HOST

Sets the hostname of the remote replica

--port PORT

Sets the port number of the remote replica

--conn-protocol CONN_PROTOCOL

Sets the replication connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

Sets the bind DN the agreement uses to authenticate to the replica

--bind-passwd BIND_PASSWD

Sets the credentials for the bind DN

--bind-method BIND_METHOD

Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or "SASL/GSSAPI"

--frac-list FRAC_LIST

Sets the list of attributes to NOT replicate to the consumer during incremental updates

--frac-list-total FRAC_LIST_TOTAL

Sets the list of attributes to NOT replicate during a total initialization

--strip-list STRIP_LIST

Sets a list of attributes that are removed from updates only if the event would otherwise be empty. Typically this is set to "modifiersname" and "modifytimestmap"

--schedule SCHEDULE

Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday - Saturday).

--conn-timeout CONN_TIMEOUT

Sets the timeout used for replication connections

--protocol-timeout PROTOCOL_TIMEOUT

Sets a timeout in seconds on how long to wait before stopping replication when the server is under load

--wait-async-results WAIT_ASYNC_RESULTS

Sets the amount of time in milliseconds the server waits if the consumer is not ready before resending data

--busy-wait-time BUSY_WAIT_TIME

Sets the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

--session-pause-time SESSION_PAUSE_TIME

Sets the amount of time in seconds a supplier should wait between update sessions.

--flow-control-window FLOW_CONTROL_WINDOW

Sets the maximum number of entries and updates sent by a supplier, which are not acknowledged by the consumer.

--flow-control-pause FLOW_CONTROL_PAUSE

Sets the time in milliseconds to pause after reaching the number of entries and updates set in "--flow-control-window"

--bootstrap-bind-dn BOOTSTRAP_BIND_DN

Sets an optional bind DN the agreement can use to bootstrap initialization when bind groups are being used

--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD

Sets the bootstrap credentials for the bind DN

--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL

Sets the replication bootstrap connection protocol: LDAP, LDAPS, or StartTLS

--bootstrap-bind-method BOOTSTRAP_BIND_METHOD

Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"

--init

Initializes the agreement after creating it

OPTIONS 'dsconf repl-agmt set'

usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
                                    [--port PORT]
                                    [--conn-protocol CONN_PROTOCOL]
                                    [--bind-dn BIND_DN]
                                    [--bind-passwd BIND_PASSWD]
                                    [--bind-method BIND_METHOD]
                                    [--frac-list FRAC_LIST]
                                    [--frac-list-total FRAC_LIST_TOTAL]
                                    [--strip-list STRIP_LIST]
                                    [--schedule SCHEDULE]
                                    [--conn-timeout CONN_TIMEOUT]
                                    [--protocol-timeout PROTOCOL_TIMEOUT]
                                    [--wait-async-results WAIT_ASYNC_RESULTS]
                                    [--busy-wait-time BUSY_WAIT_TIME]
                                    [--session-pause-time SESSION_PAUSE_TIME]
                                    [--flow-control-window FLOW_CONTROL_WINDOW]
                                    [--flow-control-pause FLOW_CONTROL_PAUSE]
                                    [--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
                                    [--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
                                    [--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
                                    [--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
                                    AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

--host HOST

Sets the hostname of the remote replica

--port PORT

Sets the port number of the remote replica

--conn-protocol CONN_PROTOCOL

Sets the replication connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

Sets the Bind DN the agreement uses to authenticate to the replica

--bind-passwd BIND_PASSWD

Sets the credentials for the bind DN

--bind-method BIND_METHOD

Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or "SASL/GSSAPI"

--frac-list FRAC_LIST

Sets a list of attributes to NOT replicate to the consumer during incremental updates

--frac-list-total FRAC_LIST_TOTAL

Sets a list of attributes to NOT replicate during a total initialization

--strip-list STRIP_LIST

Sets a list of attributes that are removed from updates only if the event would otherwise be empty. Typically this is set to "modifiersname" and "modifytimestmap"

--schedule SCHEDULE

Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday - Saturday).

--conn-timeout CONN_TIMEOUT

Sets the timeout used for replication connections

--protocol-timeout PROTOCOL_TIMEOUT

Sets a timeout in seconds on how long to wait before stopping replication when the server is under load

--wait-async-results WAIT_ASYNC_RESULTS

Sets the amount of time in milliseconds the server waits if the consumer is not ready before resending data

--busy-wait-time BUSY_WAIT_TIME

Sets the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access.

--session-pause-time SESSION_PAUSE_TIME

Sets the amount of time in seconds a supplier should wait between update sessions.

--flow-control-window FLOW_CONTROL_WINDOW

Sets the maximum number of entries and updates sent by a supplier, which are not acknowledged by the consumer.

--flow-control-pause FLOW_CONTROL_PAUSE

Sets the time in milliseconds to pause after reaching the number of entries and updates set in "--flow-control-window"

--bootstrap-bind-dn BOOTSTRAP_BIND_DN

Sets an optional bind DN the agreement can use to bootstrap initialization when bind groups are being used

--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD

sets the bootstrap credentials for the bind DN

--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL

Sets the replication bootstrap connection protocol: LDAP, LDAPS, or StartTLS

--bootstrap-bind-method BOOTSTRAP_BIND_METHOD

Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"

OPTIONS 'dsconf repl-agmt get'

usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The suffix DN for which to display the replication configuration

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-winsync-agmt'

usage: dsconf instance repl-winsync-agmt [-h]
                                        {list,enable,disable,init,init-status,poke,status,delete,create,set,get}
                                        ...

Sub-commands

dsconf repl-winsync-agmt list

List all the replication winsync agreements

dsconf repl-winsync-agmt enable

Enable replication winsync agreement

dsconf repl-winsync-agmt disable

Disable replication winsync agreement

dsconf repl-winsync-agmt init

Initialize replication winsync agreement

dsconf repl-winsync-agmt init-status

Check the agreement initialization status

dsconf repl-winsync-agmt poke

Trigger replication to send updates now

dsconf repl-winsync-agmt status

Display the current status of the replication agreement

dsconf repl-winsync-agmt delete

Delete replication winsync agreement

dsconf repl-winsync-agmt create

Initialize replication winsync agreement

dsconf repl-winsync-agmt set

Set an attribute in the replication winsync agreement

dsconf repl-winsync-agmt get

Display replication configuration

OPTIONS 'dsconf repl-winsync-agmt list'

usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX

--suffix SUFFIX

Sets the DN of the suffix to look up replication winsync agreements

OPTIONS 'dsconf repl-winsync-agmt enable'

usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

OPTIONS 'dsconf repl-winsync-agmt disable'

usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
                                                AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

OPTIONS 'dsconf repl-winsync-agmt init'

usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

OPTIONS 'dsconf repl-winsync-agmt init-status'

usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUFFIX
                                                    AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-winsync-agmt poke'

usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

OPTIONS 'dsconf repl-winsync-agmt status'

usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication agreement

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-winsync-agmt delete'

usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

OPTIONS 'dsconf repl-winsync-agmt create'

usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX --host
                                               HOST --port PORT
                                               --conn-protocol CONN_PROTOCOL
                                               --bind-dn BIND_DN
                                               --bind-passwd BIND_PASSWD
                                               [--frac-list FRAC_LIST]
                                               [--schedule SCHEDULE]
                                               --win-subtree WIN_SUBTREE
                                               --ds-subtree DS_SUBTREE
                                               --win-domain WIN_DOMAIN
                                               [--sync-users SYNC_USERS]
                                               [--sync-groups SYNC_GROUPS]
                                               [--sync-interval SYNC_INTERVAL]
                                               [--one-way-sync ONE_WAY_SYNC]
                                               [--move-action MOVE_ACTION]
                                               [--win-filter WIN_FILTER]
                                               [--ds-filter DS_FILTER]
                                               [--subtree-pair SUBTREE_PAIR]
                                               [--conn-timeout CONN_TIMEOUT]
                                               [--busy-wait-time BUSY_WAIT_TIME]
                                               [--session-pause-time SESSION_PAUSE_TIME]
                                               [--init]
                                               AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

--host HOST

Sets the hostname of the AD server

--port PORT

Sets the port number of the AD server

--conn-protocol CONN_PROTOCOL

Sets the replication winsync connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

Sets the bind DN the agreement uses to authenticate to the AD Server

--bind-passwd BIND_PASSWD

Sets the credentials for the Bind DN

--frac-list FRAC_LIST

Sets a list of attributes to NOT replicate to the consumer during incremental updates

--schedule SCHEDULE

Sets the replication update schedule

--win-subtree WIN_SUBTREE

Sets the suffix of the AD Server

--ds-subtree DS_SUBTREE

Sets the Directory Server suffix

--win-domain WIN_DOMAIN

Sets the AD Domain

--sync-users SYNC_USERS

Synchronizes users between AD and DS

--sync-groups SYNC_GROUPS

Synchronizes groups between AD and DS

--sync-interval SYNC_INTERVAL

Sets the interval that DS checks AD for changes in entries

--one-way-sync ONE_WAY_SYNC

Sets which direction to perform synchronization: "toWindows", "fromWindows", "both"

--move-action MOVE_ACTION

Sets instructions on how to handle moved or deleted entries: "none", "unsync", or "delete"

--win-filter WIN_FILTER

Sets a custom filter for finding users in AD Server

--ds-filter DS_FILTER

Sets a custom filter for finding AD users in DS

--subtree-pair SUBTREE_PAIR

Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>

--conn-timeout CONN_TIMEOUT

Sets the timeout used for replicaton connections

--busy-wait-time BUSY_WAIT_TIME

Sets the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access

--session-pause-time SESSION_PAUSE_TIME

Sets the amount of time in seconds a supplier should wait between update sessions

--init

Initializes the agreement after creating it

OPTIONS 'dsconf repl-winsync-agmt set'

usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
                                            [--host HOST] [--port PORT]
                                            [--conn-protocol CONN_PROTOCOL]
                                            [--bind-dn BIND_DN]
                                            [--bind-passwd BIND_PASSWD]
                                            [--frac-list FRAC_LIST]
                                            [--schedule SCHEDULE]
                                            [--win-subtree WIN_SUBTREE]
                                            [--ds-subtree DS_SUBTREE]
                                            [--win-domain WIN_DOMAIN]
                                            [--sync-users SYNC_USERS]
                                            [--sync-groups SYNC_GROUPS]
                                            [--sync-interval SYNC_INTERVAL]
                                            [--one-way-sync ONE_WAY_SYNC]
                                            [--move-action MOVE_ACTION]
                                            [--win-filter WIN_FILTER]
                                            [--ds-filter DS_FILTER]
                                            [--subtree-pair SUBTREE_PAIR]
                                            [--conn-timeout CONN_TIMEOUT]
                                            [--busy-wait-time BUSY_WAIT_TIME]
                                            [--session-pause-time SESSION_PAUSE_TIME]
                                            AGMT_NAME

AGMT_NAME

The name of the replication winsync agreement

--suffix SUFFIX

Sets the DN of the replication winsync suffix

--host HOST

Sets the hostname of the AD server

--port PORT

Sets the port number of the AD server

--conn-protocol CONN_PROTOCOL

Sets the replication winsync connection protocol: LDAP, LDAPS, or StartTLS

--bind-dn BIND_DN

Sets the bind DN the agreement uses to authenticate to the AD Server

--bind-passwd BIND_PASSWD

Sets the credentials for the Bind DN

--frac-list FRAC_LIST

Sets a list of attributes to NOT replicate to the consumer during incremental updates

--schedule SCHEDULE

Sets the replication update schedule

--win-subtree WIN_SUBTREE

Sets the suffix of the AD Server

--ds-subtree DS_SUBTREE

Sets the Directory Server suffix

--win-domain WIN_DOMAIN

Sets the AD Domain

--sync-users SYNC_USERS

Synchronizes users between AD and DS

--sync-groups SYNC_GROUPS

Synchronizes groups between AD and DS

--sync-interval SYNC_INTERVAL

Sets the interval that DS checks AD for changes in entries

--one-way-sync ONE_WAY_SYNC

Sets which direction to perform synchronization: "toWindows", "fromWindows", "both"

--move-action MOVE_ACTION

Sets instructions on how to handle moved or deleted entries: "none", "unsync", or "delete"

--win-filter WIN_FILTER

Sets a custom filter for finding users in AD Server

--ds-filter DS_FILTER

Sets a custom filter for finding AD users in DS

--subtree-pair SUBTREE_PAIR

Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>

--conn-timeout CONN_TIMEOUT

Sets the timeout used for replicaton connections

--busy-wait-time BUSY_WAIT_TIME

Sets the amount of time in seconds a supplier should wait after a consumer sends back a busy response before making another attempt to acquire access

--session-pause-time SESSION_PAUSE_TIME

Sets the amount of time in seconds a supplier should wait between update sessions

OPTIONS 'dsconf repl-winsync-agmt get'

usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX AGMT_NAME

AGMT_NAME

The suffix DN for the replication configuration to display

--suffix SUFFIX

Sets the DN of the replication suffix

OPTIONS 'dsconf repl-tasks'

usage: dsconf instance repl-tasks [-h]
                                 {cleanallruv,list-cleanruv-tasks,abort-cleanallruv,list-abortruv-tasks}
                                 ...

Sub-commands

dsconf repl-tasks cleanallruv

Cleanup old/removed replica IDs

dsconf repl-tasks list-cleanruv-tasks

List all the running CleanAllRUV tasks

dsconf repl-tasks abort-cleanallruv

Abort cleanallruv tasks

dsconf repl-tasks list-abortruv-tasks

List all the running CleanAllRUV abort tasks

OPTIONS 'dsconf repl-tasks cleanallruv'

usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
                                             --replica-id REPLICA_ID
                                             [--force-cleaning]

--suffix SUFFIX

Sets the Directory Server suffix

--replica-id REPLICA_ID

Sets the replica ID to remove/clean

--force-cleaning

Ignores errors and make a best attempt to clean all replicas

OPTIONS 'dsconf repl-tasks list-cleanruv-tasks'

usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix SUFFIX]

--suffix SUFFIX

Lists only tasks for the specified suffix

OPTIONS 'dsconf repl-tasks abort-cleanallruv'

usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUFFIX
                                                   --replica-id REPLICA_ID
                                                   [--certify]

--suffix SUFFIX

Sets the Directory Server suffix

--replica-id REPLICA_ID

Sets the replica ID of the cleaning task to abort

--certify

Enforces that the abort task completed on all replicas

OPTIONS 'dsconf repl-tasks list-abortruv-tasks'

usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix SUFFIX]

--suffix SUFFIX

Lists only tasks for the specified suffix

OPTIONS 'dsconf sasl'

usage: dsconf instance sasl [-h] {list,get-mechs,get,create,delete} ...

Sub-commands

dsconf sasl list

Display available SASL mappings

dsconf sasl get-mechs

Display available SASL mechanisms

dsconf sasl get

Displays SASL mappings

dsconf sasl create

Create a SASL mapping

dsconf sasl delete

Deletes the SASL object

OPTIONS 'dsconf sasl list'

usage: dsconf instance sasl list [-h] [--details]

--details

Displays each SASL mapping in detail

OPTIONS 'dsconf sasl get-mechs'

usage: dsconf instance sasl get-mechs [-h]

OPTIONS 'dsconf sasl get'

usage: dsconf instance sasl get [-h] [selector]

selector

The SASL mapping name to display

OPTIONS 'dsconf sasl create'

usage: dsconf instance sasl create [-h] [--cn [CN]]
                                  [--nsSaslMapRegexString [NSSASLMAPREGEXSTRING]]
                                  [--nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]]
                                  [--nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]]
                                  [--nsSaslMapPriority [NSSASLMAPPRIORITY]]

--cn [CN]

Value of cn

--nsSaslMapRegexString [NSSASLMAPREGEXSTRING]

Value of nsSaslMapRegexString

--nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]

Value of nsSaslMapBaseDNTemplate

--nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]

Value of nsSaslMapFilterTemplate

--nsSaslMapPriority [NSSASLMAPPRIORITY]

Value of nsSaslMapPriority

OPTIONS 'dsconf sasl delete'

usage: dsconf instance sasl delete [-h] map_name

map_name

The SASL mapping name ("cn" value)

OPTIONS 'dsconf security'

usage: dsconf instance security [-h]
                               {set,get,enable,disable,disable_plain_port,certificate,ca-certificate,rsa,ciphers}
                               ...

Sub-commands

dsconf security set

Set general security options

dsconf security get

Display general security options

dsconf security enable

Enable security

dsconf security disable

Disable security

dsconf security disable_plain_port

Disables the plain text LDAP port, allowing only LDAPS to function

dsconf security certificate

Manage TLS certificates

dsconf security ca-certificate

Manage TLS certificate authorities

dsconf security rsa

Query and update RSA security options

dsconf security ciphers

Manage secure ciphers

OPTIONS 'dsconf security set'

usage: dsconf instance security set [-h] [--security SECURITY]
                                   [--listen-host LISTEN_HOST]
                                   [--secure-port SECURE_PORT]
                                   [--tls-client-auth TLS_CLIENT_AUTH]
                                   [--tls-client-renegotiation TLS_CLIENT_RENEGOTIATION]
                                   [--require-secure-authentication REQUIRE_SECURE_AUTHENTICATION]
                                   [--check-hostname CHECK_HOSTNAME]
                                   [--verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP]
                                   [--session-timeout SESSION_TIMEOUT]
                                   [--tls-protocol-min TLS_PROTOCOL_MIN]
                                   [--tls-protocol-max TLS_PROTOCOL_MAX]
                                   [--allow-insecure-ciphers ALLOW_INSECURE_CIPHERS]
                                   [--allow-weak-dh-param ALLOW_WEAK_DH_PARAM]
                                   [--cipher-pref CIPHER_PREF]

Use this command for setting security related options located in cn=config and cn=encryption,cn=config.

To enable/disable security you can use enable and disable commands instead.

--security SECURITY

Enables or disables security (nsslapd-security)

--listen-host LISTEN_HOST

Sets the host or IP address to listen on for LDAPS (nsslapd-securelistenhost)

--secure-port SECURE_PORT

Sets the port for LDAPS to listen on (nsslapd-securePort)

--tls-client-auth TLS_CLIENT_AUTH

Configures client authentication requirement (nsSSLClientAuth)

--tls-client-renegotiation TLS_CLIENT_RENEGOTIATION

Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)

--require-secure-authentication REQUIRE_SECURE_AUTHENTICATION

Configures whether binds over LDAPS, StartTLS, or SASL are required (nsslapd- require-secure-binds)

--check-hostname CHECK_HOSTNAME

Checks the subject of remote certificate against the hostname (nsslapd-ssl- check-hostname)

--verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP

Validates the server certificate during startup (nsslapd-validate-cert)

--session-timeout SESSION_TIMEOUT

Sets the secure session timeout (nsSSLSessionTimeout)

--tls-protocol-min TLS_PROTOCOL_MIN

Sets the minimal allowed secure protocol version (sslVersionMin)

--tls-protocol-max TLS_PROTOCOL_MAX

Sets the maximal allowed secure protocol version (sslVersionMax)

--allow-insecure-ciphers ALLOW_INSECURE_CIPHERS

Allows weak ciphers for legacy use (allowWeakCipher)

--allow-weak-dh-param ALLOW_WEAK_DH_PARAM

Allows short DH params for legacy use (allowWeakDHParam)

--cipher-pref CIPHER_PREF

Directly sets the nsSSL3Ciphers attribute. It is a comma-separated list of cipher names (prefixed with + or -), optionally including +all or -all. The attribute may optionally be prefixed by keyword "default". Please refer to documentation of the attribute for a more detailed description. (nsSSL3Ciphers)

OPTIONS 'dsconf security get'

usage: dsconf instance security get [-h]

OPTIONS 'dsconf security enable'

usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]

If missing, create security database, then turn on security functionality. Please note this is usually not enough for TLS connections to work - proper setup of CA and server certificate is necessary.

--cert-name CERT_NAME

Sets the name of the certificate the server should use

OPTIONS 'dsconf security disable'

usage: dsconf instance security disable [-h]

Turn off security functionality. The rest of the configuration will be left untouched.

OPTIONS 'dsconf security disable_plain_port'

usage: dsconf instance security disable_plain_port [-h]

OPTIONS 'dsconf security certificate'

usage: dsconf instance security certificate [-h]
                                           {add,set-trust-flags,del,get,list}
                                           ...

Sub-commands

dsconf security certificate add

Add a server certificate

dsconf security certificate set-trust-flags

Set the Trust flags

dsconf security certificate del

Delete a certificate

dsconf security certificate get

Display a server certificate's information

dsconf security certificate list

List the server certificates

OPTIONS 'dsconf security certificate add'

usage: dsconf instance security certificate add [-h] --file FILE --name NAME
                                               [--primary-cert]

Add a server certificate to the NSS database

--file FILE

Sets the file name of the certificate

--name NAME

Sets the name/nickname of the certificate

--primary-cert

Sets this certificate as the server's certificate

OPTIONS 'dsconf security certificate set-trust-flags'

usage: dsconf instance security certificate set-trust-flags
      [-h] --flags FLAGS name

Change the trust flags of a server certificate

name

The name/nickname of the certificate

--flags FLAGS

Sets the trust flags for the server certificate

OPTIONS 'dsconf security certificate del'

usage: dsconf instance security certificate del [-h] name

Delete a certificate from the NSS database

name

The name/nickname of the certificate

OPTIONS 'dsconf security certificate get'

usage: dsconf instance security certificate get [-h] name

Displays detailed information about a certificate, such as trust attributes, expiration dates, Subject and Issuer DNs

name

Set the name/nickname of the certificate

OPTIONS 'dsconf security certificate list'

usage: dsconf instance security certificate list [-h]

Lists the server certificates in the NSS database

OPTIONS 'dsconf security ca-certificate'

usage: dsconf instance security ca-certificate [-h]
                                              {add,set-trust-flags,del,get,list}
                                              ...

Sub-commands

dsconf security ca-certificate add

Add a Certificate Authority

dsconf security ca-certificate set-trust-flags

Set the Trust flags

dsconf security ca-certificate del

Delete a certificate

dsconf security ca-certificate get

Displays a Certificate Authority's information

dsconf security ca-certificate list

List the Certificate Authorities

OPTIONS 'dsconf security ca-certificate add'

usage: dsconf instance security ca-certificate add [-h] --file FILE --name
                                                  NAME

Add a Certificate Authority to the NSS database

--file FILE

Sets the file name of the CA certificate

--name NAME

Sets the name/nickname of the CA certificate

OPTIONS 'dsconf security ca-certificate set-trust-flags'

usage: dsconf instance security ca-certificate set-trust-flags
      [-h] --flags FLAGS name

Change the trust attributes of a CA certificate.  Certificate Authorities typically use "CT,,"

name

The name/nickname of the CA certificate

--flags FLAGS

Sets the trust flags for the CA certificate

OPTIONS 'dsconf security ca-certificate del'

usage: dsconf instance security ca-certificate del [-h] name

Delete a CA certificate from the NSS database

name

The name/nickname of the CA certificate

OPTIONS 'dsconf security ca-certificate get'

usage: dsconf instance security ca-certificate get [-h] name

Get detailed information about a CA certificate, like trust attributes, expiration dates, Subject and Issuer DN

name

The name/nickname of the CA certificate

OPTIONS 'dsconf security ca-certificate list'

usage: dsconf instance security ca-certificate list [-h]

List the CA certificates in the NSS database

OPTIONS 'dsconf security rsa'

usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...

Sub-commands

dsconf security rsa set

Set RSA security options

dsconf security rsa get

Get RSA security options

dsconf security rsa enable

Enable RSA

dsconf security rsa disable

Disable RSA

OPTIONS 'dsconf security rsa set'

usage: dsconf instance security rsa set [-h]
                                       [--tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES]
                                       [--nss-cert-name NSS_CERT_NAME]
                                       [--nss-token NSS_TOKEN]

Use this command for setting RSA (private key) related options located in cn=RSA,cn=encryption,cn=config.

To enable/disable RSA you can use enable and disable commands instead.

--tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES

Activates the use of RSA certificates (nsSSLActivation)

--nss-cert-name NSS_CERT_NAME

Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)

--nss-token NSS_TOKEN

Sets the security token name (module of NSS DB) (nsSSLToken)

OPTIONS 'dsconf security rsa get'

usage: dsconf instance security rsa get [-h]

OPTIONS 'dsconf security rsa enable'

usage: dsconf instance security rsa enable [-h]

OPTIONS 'dsconf security rsa disable'

usage: dsconf instance security rsa disable [-h]

OPTIONS 'dsconf security ciphers'

usage: dsconf instance security ciphers [-h] {enable,disable,get,set,list} ...

Sub-commands

dsconf security ciphers enable

Enable ciphers

dsconf security ciphers disable

Disable ciphers

dsconf security ciphers get

Get ciphers attribute

dsconf security ciphers set

Set ciphers attribute

dsconf security ciphers list

List ciphers

OPTIONS 'dsconf security ciphers enable'

usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]

Use this command to enable specific ciphers.

cipher

OPTIONS 'dsconf security ciphers disable'

usage: dsconf instance security ciphers disable [-h] cipher [cipher ...]

Use this command to disable specific ciphers.

cipher

OPTIONS 'dsconf security ciphers get'

usage: dsconf instance security ciphers get [-h]

Use this command to get contents of nsSSL3Ciphers attribute.

OPTIONS 'dsconf security ciphers set'

usage: dsconf instance security ciphers set [-h] cipher-string

Use this command to directly set nsSSL3Ciphers attribute. It is a comma separated list of cipher names (prefixed with + or -), optionally including +all or -all. The attribute may optionally be prefixed by keyword default. Please refer to documentation of the attribute for a more detailed description.

cipher-string

OPTIONS 'dsconf security ciphers list'

usage: dsconf instance security ciphers list [-h]
                                            [--enabled | --supported | --disabled]

List secure ciphers. Without arguments, list ciphers as configured in nsSSL3Ciphers attribute.

--enabled

Lists only enabled ciphers

--supported

Lists only supported ciphers

--disabled

Lists only supported ciphers but without enabled ciphers

OPTIONS 'dsconf schema'

usage: dsconf instance schema [-h]
                             {list,attributetypes,objectclasses,matchingrules,reload,validate-syntax,import-openldap-file}
                             ...

Sub-commands

dsconf schema list

List all schema objects on this system

dsconf schema attributetypes

Work with attribute types on this system

dsconf schema objectclasses

Work with objectClasses on this system

dsconf schema matchingrules

Work with matching rules on this system

dsconf schema reload

Dynamically reload schema while server is running

dsconf schema validate-syntax

Run a task to check every modification to attributes to make sure that the new value has the required syntax for that attribute type

dsconf schema import-openldap-file

Import an openldap formatted dynamic schema ldifs. These will contain values like olcAttributeTypes and olcObjectClasses.

OPTIONS 'dsconf schema list'

usage: dsconf instance schema list [-h]

OPTIONS 'dsconf schema attributetypes'

usage: dsconf instance schema attributetypes [-h]
                                            {get_syntaxes,list,query,add,replace,remove}
                                            ...

Sub-commands

dsconf schema attributetypes get_syntaxes

List all available attribute type syntaxes

dsconf schema attributetypes list

List available attribute types on this system

dsconf schema attributetypes query

Query an attribute to determine object classes that may or must take it

dsconf schema attributetypes add

Add an attribute type to this system

dsconf schema attributetypes replace

Replace an attribute type on this system

dsconf schema attributetypes remove

Remove an attribute type on this system

OPTIONS 'dsconf schema attributetypes get_syntaxes'

usage: dsconf instance schema attributetypes get_syntaxes [-h]

OPTIONS 'dsconf schema attributetypes list'

usage: dsconf instance schema attributetypes list [-h]

OPTIONS 'dsconf schema attributetypes query'

usage: dsconf instance schema attributetypes query [-h] [name]

name

Attribute type to query

OPTIONS 'dsconf schema attributetypes add'

usage: dsconf instance schema attributetypes add [-h] [--oid OID]
                                                [--desc DESC]
                                                [--x-origin X_ORIGIN]
                                                [--aliases ALIASES [ALIASES ...]]
                                                [--single-value]
                                                [--multi-value]
                                                [--no-user-mod] [--user-mod]
                                                [--equality EQUALITY]
                                                [--substr SUBSTR]
                                                [--ordering ORDERING]
                                                [--usage USAGE] [--sup SUP]
                                                --syntax SYNTAX
                                                name

name

NAME of the object

--oid OID

OID assigned to the object

--desc DESC

Description text(DESC) of the object

--x-origin X_ORIGIN

Provides information about where the attribute type is defined

--aliases ALIASES [ALIASES ...]

Additional NAMEs of the object.

--single-value

True if the matching rule must have only one valueOnly one of the flags this or --multi-value should be specified

--multi-value

True if the matching rule may have multiple values (default)Only one of the flags this or --single-value should be specified

--no-user-mod

True if the attribute is not modifiable by a client applicationOnly one of the flags this or --user-mod should be specified

--user-mod

True if the attribute is modifiable by a client application (default)Only one of the flags this or --no-user-mode should be specified

--equality EQUALITY

NAME or OID of the matching rule used for checkingwhether attribute values are equal

--substr SUBSTR

NAME or OID of the matching rule used for checkingwhether an attribute value contains another value

--ordering ORDERING

NAME or OID of the matching rule used for checkingwhether attribute values are lesser - equal than

--usage USAGE

The flag indicates how the attribute type is to be used. Choose from the list: userApplications (default), directoryOperation, distributedOperation, dSAOperation

--sup SUP

The NAME or OID of attribute type this attribute type is derived from

--syntax SYNTAX

OID of the LDAP syntax assigned to the attribute

OPTIONS 'dsconf schema attributetypes replace'

usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
                                                    [--desc DESC]
                                                    [--x-origin X_ORIGIN]
                                                    [--aliases ALIASES [ALIASES ...]]
                                                    [--single-value]
                                                    [--multi-value]
                                                    [--no-user-mod]
                                                    [--user-mod]
                                                    [--equality EQUALITY]
                                                    [--substr SUBSTR]
                                                    [--ordering ORDERING]
                                                    [--usage USAGE]
                                                    [--sup SUP]
                                                    [--syntax SYNTAX]
                                                    name

name

NAME of the object

--oid OID

OID assigned to the object

--desc DESC

Description text(DESC) of the object

--x-origin X_ORIGIN

Provides information about where the attribute type is defined

--aliases ALIASES [ALIASES ...]

Additional NAMEs of the object.

--single-value

True if the matching rule must have only one valueOnly one of the flags this or --multi-value should be specified

--multi-value

True if the matching rule may have multiple values (default)Only one of the flags this or --single-value should be specified

--no-user-mod

True if the attribute is not modifiable by a client applicationOnly one of the flags this or --user-mod should be specified

--user-mod

True if the attribute is modifiable by a client application (default)Only one of the flags this or --no-user-mode should be specified

--equality EQUALITY

NAME or OID of the matching rule used for checkingwhether attribute values are equal

--substr SUBSTR

NAME or OID of the matching rule used for checkingwhether an attribute value contains another value

--ordering ORDERING

NAME or OID of the matching rule used for checkingwhether attribute values are lesser - equal than

--usage USAGE

The flag indicates how the attribute type is to be used. Choose from the list: userApplications (default), directoryOperation, distributedOperation, dSAOperation

--sup SUP

The NAME or OID of attribute type this attribute type is derived from

--syntax SYNTAX

OID of the LDAP syntax assigned to the attribute

OPTIONS 'dsconf schema attributetypes remove'

usage: dsconf instance schema attributetypes remove [-h] name

name

NAME of the object

OPTIONS 'dsconf schema objectclasses'

usage: dsconf instance schema objectclasses [-h]
                                           {list,query,add,replace,remove}
                                           ...

Sub-commands

dsconf schema objectclasses list

List available objectClasses on this system

dsconf schema objectclasses query

Query an objectClass

dsconf schema objectclasses add

Add an objectClass to this system

dsconf schema objectclasses replace

Replace an objectClass on this system

dsconf schema objectclasses remove

Remove an objectClass on this system

OPTIONS 'dsconf schema objectclasses list'

usage: dsconf instance schema objectclasses list [-h]

OPTIONS 'dsconf schema objectclasses query'

usage: dsconf instance schema objectclasses query [-h] [name]

name

ObjectClass to query

OPTIONS 'dsconf schema objectclasses add'

usage: dsconf instance schema objectclasses add [-h] [--oid OID] [--desc DESC]
                                               [--x-origin X_ORIGIN]
                                               [--must MUST [MUST ...]]
                                               [--may MAY [MAY ...]]
                                               [--kind KIND]
                                               [--sup SUP [SUP ...]]
                                               name

name

NAME of the object

--oid OID

OID assigned to the object

--desc DESC

Description text(DESC) of the object

--x-origin X_ORIGIN

Provides information about where the attribute type is defined

--must MUST [MUST ...]

NAMEs or OIDs of all attributes an entry of the object must have

--may MAY [MAY ...]

NAMEs or OIDs of additional attributes an entry of the object may have

--kind KIND

Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY

--sup SUP [SUP ...]

NAME or OIDs of object classes this object is derived from

OPTIONS 'dsconf schema objectclasses replace'

usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
                                                   [--desc DESC]
                                                   [--x-origin X_ORIGIN]
                                                   [--must MUST [MUST ...]]
                                                   [--may MAY [MAY ...]]
                                                   [--kind KIND]
                                                   [--sup SUP [SUP ...]]
                                                   name

name

NAME of the object

--oid OID

OID assigned to the object

--desc DESC

Description text(DESC) of the object

--x-origin X_ORIGIN

Provides information about where the attribute type is defined

--must MUST [MUST ...]

NAMEs or OIDs of all attributes an entry of the object must have

--may MAY [MAY ...]

NAMEs or OIDs of additional attributes an entry of the object may have

--kind KIND

Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY

--sup SUP [SUP ...]

NAME or OIDs of object classes this object is derived from

OPTIONS 'dsconf schema objectclasses remove'

usage: dsconf instance schema objectclasses remove [-h] name

name

NAME of the object

OPTIONS 'dsconf schema matchingrules'

usage: dsconf instance schema matchingrules [-h] {list,query} ...

Sub-commands

dsconf schema matchingrules list

List available matching rules on this system

dsconf schema matchingrules query

Query a matching rule

OPTIONS 'dsconf schema matchingrules list'

usage: dsconf instance schema matchingrules list [-h]

OPTIONS 'dsconf schema matchingrules query'

usage: dsconf instance schema matchingrules query [-h] [name]

name

Matching rule to query

OPTIONS 'dsconf schema reload'

usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]

-d SCHEMADIR, --schemadir SCHEMADIR

directory where schema files are located

--wait

Wait for the reload task to complete

OPTIONS 'dsconf schema validate-syntax'

usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN

DN

Base DN that contains entries to validate

-f FILTER, --filter FILTER

Filter for entries to validate. If omitted, all entries with filter "(objectclass=*)" are validated

OPTIONS 'dsconf schema import-openldap-file'

usage: dsconf instance schema import-openldap-file [-h] [--confirm]
                                                  schema_file

schema_file

Path to the openldap dynamic schema ldif to import

--confirm

Confirm that you want to apply these schema migration actions to the 389-ds instance. By default no actions are taken.

OPTIONS 'dsconf repl-conflict'

usage: dsconf instance repl-conflict [-h]
                                    {list,compare,delete,swap,convert,list-glue,delete-glue,convert-glue}
                                    ...

Sub-commands

dsconf repl-conflict list

List conflict entries

dsconf repl-conflict compare

Compare the conflict entry with its valid counterpart

dsconf repl-conflict delete

Delete a conflict entry

dsconf repl-conflict swap

Replace the valid entry with the conflict entry

dsconf repl-conflict convert

Convert the conflict entry to a valid entry, while keeping the original valid entry counterpart.  This requires that the converted conflict entry have a new RDN value.  For example: "cn=my_new_rdn_value".

dsconf repl-conflict list-glue

List replication glue entries

dsconf repl-conflict delete-glue

Delete the glue entry and its child entries

dsconf repl-conflict convert-glue

Convert the glue entry into a regular entry

OPTIONS 'dsconf repl-conflict list'

usage: dsconf instance repl-conflict list [-h] suffix

suffix

Sets the backend name, or suffix, to look for conflict entries

OPTIONS 'dsconf repl-conflict compare'

usage: dsconf instance repl-conflict compare [-h] DN

DN

The DN of the conflict entry

OPTIONS 'dsconf repl-conflict delete'

usage: dsconf instance repl-conflict delete [-h] DN

DN

The DN of the conflict entry

OPTIONS 'dsconf repl-conflict swap'

usage: dsconf instance repl-conflict swap [-h] DN

DN

The DN of the conflict entry

OPTIONS 'dsconf repl-conflict convert'

usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN

DN

The DN of the conflict entry

--new-rdn NEW_RDN

Sets the new RDN for the converted conflict entry. For example: "cn=my_new_rdn_value"

OPTIONS 'dsconf repl-conflict list-glue'

usage: dsconf instance repl-conflict list-glue [-h] suffix

suffix

The backend name, or suffix, to look for glue entries

OPTIONS 'dsconf repl-conflict delete-glue'

usage: dsconf instance repl-conflict delete-glue [-h] DN

DN

The DN of the glue entry

OPTIONS 'dsconf repl-conflict convert-glue'

usage: dsconf instance repl-conflict convert-glue [-h] DN

DN

The DN of the glue entry

-v, --verbose

Display verbose operation tracing during command execution

-D BINDDN, --binddn BINDDN

The account to bind as for executing operations

-w BINDPW, --bindpw BINDPW

Password for the bind DN

-W, --prompt

Prompt for password of the bind DN

-y PWDFILE, --pwdfile PWDFILE

Specifies a file containing the password of the bind DN

-b BASEDN, --basedn BASEDN

Base DN (root naming context) of the instance to manage

-Z, --starttls

Connect with StartTLS

-j, --json

Return result in JSON object

Authors

lib389 was written by Red Hat Inc., and William Brown <389-devel@lists.fedoraproject.org>.

Distribution

The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html

Info

Manual