dsctl man page

dsctl

Synopsis

dsctl [-h] [-v] [-j] [-l] [instance] {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate} ...

Options

instance

The name of the instance to act upon

Sub-commands

dsctl restart

Restart an instance of Directory Server if it is running; otherwise start it.

dsctl start

Start an instance of Directory Server, if it is not currently running

dsctl stop

Stop an instance of Directory Server, if it is currently running

dsctl status

Check running status of an instance of Directory Server

dsctl remove

Destroy an instance of Directory Server, and remove all data.

dsctl db2index

Initialise a reindex of the server database. The server must be stopped for this to proceed.

dsctl db2bak

Initialise a BDB backup of the database. The server must be stopped for this to proceed.

dsctl db2ldif

Initialise an LDIF dump of the database. The server must be stopped for this to proceed.

dsctl dbverify

Perform a database verification. You should only do this at the direction of support.

dsctl bak2db

Restore a BDB backup of the database. The server must be stopped for this to proceed.

dsctl ldif2db

Restore an LDIF dump of the database. The server must be stopped for this to proceed.

dsctl backups

List backups found in the server's default backup directory

dsctl ldifs

List all the LDIF files located in the server's LDIF directory

dsctl tls

Manage TLS certificates

dsctl healthcheck

Run a healthcheck report on a local Directory Server instance. This is a safe and read-only operation. Do not attempt to run this against a remote Directory Server: the tool needs access to local resources, and without that access the report may be inaccurate.

dsctl get-nsstate

Get the replication nsState in a human readable format

    Replica DN:           The DN of the replication configuration entry
    Replica Suffix:       The replicated suffix
    Replica ID:           The Replica identifier
    Gen Time:             The time the CSN generator was created
    Gen Time String:      The time string of generator
    Gen as CSN:           The generation CSN
    Local Offset:         The offset due to the local clock being set back
    Local Offset String:  The offset in a nice human format
    Remote Offset:        The offset due to clock difference with remote systems
    Remote Offset String: The offset in a nice human format
    Time Skew:            The time skew between this server and its replicas
    Time Skew String:     The time skew in a nice human format
    Seq Num:              The number of multiple csns within a second
    System Time:          The local system time
    Diff in Seconds:      The time difference in seconds from the CSN generator creation to now
    Diff in days/secs:    The time difference broken up into days and seconds
    Endian:               Little/Big Endian

OPTIONS 'dsctl restart'

usage: dsctl [instance] restart [-h]

OPTIONS 'dsctl start'

usage: dsctl [instance] start [-h]

OPTIONS 'dsctl stop'

usage: dsctl [instance] stop [-h]

OPTIONS 'dsctl status'

usage: dsctl [instance] status [-h]

OPTIONS 'dsctl remove'

usage: dsctl [instance] remove [-h] [--do-it]

--do-it

By default a dry run is performed. This option actually initiates the removal of the instance.

OPTIONS 'dsctl db2index'

usage: dsctl [instance] db2index [-h] backend

backend

The backend to reindex, for example userRoot

OPTIONS 'dsctl db2bak'

usage: dsctl [instance] db2bak [-h] [archive]

archive

The destination for the archive. This will be created during the db2bak process.
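
Added example, not part of the lib389 documentation: a wrapper for the offline backup described above, which stops the instance, runs db2bak, and always starts the instance again even if the backup fails. The helper name `offline_backup` and the `DSCTL` override variable are assumptions of this example, as is the assumption that dsctl exits non-zero on failure and that the instance is meant to be running afterwards.

```shell
#!/bin/sh
# Added example (not lib389 code): offline backup using the sub-commands above.
# DSCTL is an assumption of this example so the binary can be overridden.
DSCTL="${DSCTL:-dsctl}"

# offline_backup INSTANCE ARCHIVE   (hypothetical helper name)
# Returns 0 on success, 1 if stop/db2bak/start failed, 2 on bad usage,
# 3 if ARCHIVE already exists.
offline_backup() {
    inst="$1"
    archive="$2"
    if [ -z "$inst" ] || [ -z "$archive" ]; then
        echo "usage: offline_backup INSTANCE ARCHIVE" >&2
        return 2
    fi
    # db2bak creates the destination itself; never write into an existing path.
    if [ -e "$archive" ]; then
        echo "refusing to reuse existing path: $archive" >&2
        return 3
    fi
    # db2bak requires a stopped server. Assumes dsctl exits non-zero on failure.
    "$DSCTL" "$inst" stop || return 1
    rc=0
    "$DSCTL" "$inst" db2bak "$archive" || rc=1
    # Always bring the instance back, even when the backup failed.
    "$DSCTL" "$inst" start || rc=1
    return "$rc"
}
```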

OPTIONS 'dsctl db2ldif'

usage: dsctl [instance] db2ldif [-h] [--replication] [--encrypted]
                               backend [ldif]

backend

The backend to output as an LDIF, for example userRoot

ldif

The path to the ldif output location.

--replication

Export replication information, suitable for importing on a new consumer or backups.

--encrypted

Export encrypted attributes

OPTIONS 'dsctl dbverify'

usage: dsctl [instance] dbverify [-h] backend

backend

The backend to verify, for example userRoot

OPTIONS 'dsctl bak2db'

usage: dsctl [instance] bak2db [-h] archive

archive

The archive to restore. This will erase all current server databases.

OPTIONS 'dsctl ldif2db'

usage: dsctl [instance] ldif2db [-h] [--encrypted] backend ldif

backend

The backend to restore from an LDIF, for example userRoot

ldif

The path to the ldif to import

--encrypted

Import encrypted attributes

OPTIONS 'dsctl backups'

usage: dsctl [instance] backups [-h] [--delete DELETE]

--delete DELETE

Delete backup directory

OPTIONS 'dsctl ldifs'

usage: dsctl [instance] ldifs [-h] [--delete DELETE]

--delete DELETE

Delete LDIF file

OPTIONS 'dsctl tls'

usage: dsctl [instance] tls [-h]
                           {list-ca,list-client-ca,show-server-cert,show-cert,generate-server-cert-csr,import-client-ca,import-ca,import-server-cert,import-server-key-cert,remove-cert}
                           ...

Sub-commands

dsctl tls list-ca

List server certificate authorities, including intermediates

dsctl tls list-client-ca

List client certificate authorities, including intermediates

dsctl tls show-server-cert

Show the active server certificate that clients will see and verify

dsctl tls show-cert

Show a certificate's details, referenced by its nickname. This is analogous to certutil -L -d <path> -n <nickname>

dsctl tls generate-server-cert-csr

Generate a Server-Cert certificate signing request. The CSR is then submitted to a CA for verification, and once it is signed you import with import-ca and import-server-cert.

dsctl tls import-client-ca

Import a CA trusted to issue user (client) certificates. This is part of how client certificate authentication functions.

dsctl tls import-ca

Import a CA or intermediate CA for signing this server's certificates (aka Server-Cert). You should import all the CAs in the chain as required.

dsctl tls import-server-cert

Import a new Server-Cert after the CSR has been signed by a CA.

dsctl tls import-server-key-cert

Import a new key and Server-Cert after the certificate has been signed by a CA. This is used if you have an external CSR tool or a service like Let's Encrypt that generates PEM keys externally.

dsctl tls remove-cert

Delete a certificate from this database. This will remove it from acting as a CA, a client CA or the Server-Cert role.

OPTIONS 'dsctl tls list-ca'

usage: dsctl [instance] tls list-ca [-h]

OPTIONS 'dsctl tls list-client-ca'

usage: dsctl [instance] tls list-client-ca [-h]

OPTIONS 'dsctl tls show-server-cert'

usage: dsctl [instance] tls show-server-cert [-h]

OPTIONS 'dsctl tls show-cert'

usage: dsctl [instance] tls show-cert [-h] nickname

nickname

The nickname (friendly name) of the certificate to display

OPTIONS 'dsctl tls generate-server-cert-csr'

usage: dsctl [instance] tls generate-server-cert-csr [-h] [--subject SUBJECT]
                                                    [alt_names [alt_names ...]]

alt_names

Subject alternative names for the certificate request. These are auto-detected if not provided.

--subject SUBJECT, -s SUBJECT

Certificate Subject field to use

OPTIONS 'dsctl tls import-client-ca'

usage: dsctl [instance] tls import-client-ca [-h] cert_path nickname

cert_path

The path to the x509 cert to import as a client trust root

nickname

The name of the certificate once imported

OPTIONS 'dsctl tls import-ca'

usage: dsctl [instance] tls import-ca [-h] cert_path nickname

cert_path

The path to the x509 cert to import as a server CA

nickname

The name of the certificate once imported

OPTIONS 'dsctl tls import-server-cert'

usage: dsctl [instance] tls import-server-cert [-h] cert_path

cert_path

The path to the x509 cert to import as Server-Cert

OPTIONS 'dsctl tls import-server-key-cert'

usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

cert_path

The path to the x509 cert to import as Server-Cert

key_path

The path to the x509 key to import, associated with Server-Cert

OPTIONS 'dsctl tls remove-cert'

usage: dsctl [instance] tls remove-cert [-h] nickname

nickname

The name of the certificate to delete

OPTIONS 'dsctl healthcheck'

usage: dsctl [instance] healthcheck [-h]

OPTIONS 'dsctl get-nsstate'

usage: dsctl [instance] get-nsstate [-h] [--suffix SUFFIX] [--flip FLIP]

--suffix SUFFIX

The DN of the replication suffix to read the state from

--flip FLIP

Flip between Little/Big Endian; this might be required for certain architectures

-v, --verbose

Display verbose operation tracing during command execution

-j, --json

Return result in JSON object

-l, --list

List available Directory Server instances

Authors

lib389 was written by Red Hat Inc. <389-devel@lists.fedoraproject.org>.

Distribution

The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html
