dsctl - Man Page

Synopsis

dsctl [-h] [-v] [-j] [-l] [instance] {restart,start,stop,status,remove,db2index,db2bak,db2ldif,dbverify,bak2db,ldif2db,backups,ldifs,tls,healthcheck,get-nsstate,ldifgen} ...

Options

instance

The name of the instance to act upon

Sub-commands

dsctl restart

Restart an instance of Directory Server, if it is running: else start it.

dsctl start

Start an instance of Directory Server, if it is not currently running

dsctl stop

Stop an instance of Directory Server, if it is currently running

dsctl status

Check running status of an instance of Directory Server

dsctl remove

Destroy an instance of Directory Server, and remove all data.

dsctl db2index

Initialise a reindex of the server database. The server must be stopped for this to proceed.

dsctl db2bak

Initialise a BDB backup of the database. The server must be stopped for this to proceed.

dsctl db2ldif

Initialise an LDIF dump of the database. The server must be stopped for this to proceed.

dsctl dbverify

Perform a db verification. You should only do this at direction of support

dsctl bak2db

Restore a BDB backup of the database. The server must be stopped for this to proceed.

dsctl ldif2db

Restore an LDIF dump of the database. The server must be stopped for this to proceed.

dsctl backups

List backup's found in the server's default backup directory

dsctl ldifs

List all the LDIF files located in the server's LDIF directory

dsctl tls

Manage TLS certificates

dsctl healthcheck

Run a healthcheck report on a local Directory Server instance. This is a safe and read-only operation.  Do not attempt to run this on a remote Directory Server as this tool needs access to local resources, otherwise the report may be inaccurate.

dsctl get-nsstate

Get the replication nsState in a human readable format

Replica DN:           The DN of the replication configuration entry Replica Suffix:       The replicated suffix Replica ID:           The Replica identifier Gen Time              The time the CSN generator was created Gen Time String:      The time string of generator Gen as CSN:           The generation CSN Local Offset:         The offset due to the local clock being set back Local Offset String:  The offset in a nice human format Remote Offset:        The offset due to clock difference with remote systems Remote Offset String: The offset in a nice human format Time Skew:            The time skew between this server and its replicas Time Skew String:     The time skew in a nice human format Seq Num:              The number of multiple csns within a second System Time:          The local system time Diff in Seconds:      The time difference in seconds from the CSN generator creation to now Diff in days/secs:    The time difference broken up into days and seconds Endian:               Little/Big Endian

dsctl ldifgen

LDIF generator to make sample LDIF files for testing

OPTIONS 'dsctl restart'

usage: dsctl [instance] restart [-h]

OPTIONS 'dsctl start'

usage: dsctl [instance] start [-h]

OPTIONS 'dsctl stop'

usage: dsctl [instance] stop [-h]

OPTIONS 'dsctl status'

usage: dsctl [instance] status [-h]

OPTIONS 'dsctl remove'

usage: dsctl [instance] remove [-h] [--do-it]

--do-it

By default we do a dry run. This actually initiates the removal of the instance.

OPTIONS 'dsctl db2index'

usage: dsctl [instance] db2index [-h] backend

backend

The backend to reindex. IE userRoot

OPTIONS 'dsctl db2bak'

usage: dsctl [instance] db2bak [-h] [archive]

archive

The destination for the archive. This will be created during the db2bak process.

OPTIONS 'dsctl db2ldif'

usage: dsctl [instance] db2ldif [-h] [--replication] [--encrypted]
                               backend [ldif]

backend

The backend to output as an LDIF. IE userRoot

ldif

The path to the ldif output location.

--replication

Export replication information, suitable for importing on a new consumer or backups.

--encrypted

Export encrypted attributes

OPTIONS 'dsctl dbverify'

usage: dsctl [instance] dbverify [-h] backend

backend

The backend to verify. IE userRoot

OPTIONS 'dsctl bak2db'

usage: dsctl [instance] bak2db [-h] archive

archive

The archive to restore. This will erase all current server databases.

OPTIONS 'dsctl ldif2db'

usage: dsctl [instance] ldif2db [-h] [--encrypted] backend ldif

backend

The backend to restore from an LDIF. IE userRoot

ldif

The path to the ldif to import

--encrypted

Import encrypted attributes

OPTIONS 'dsctl backups'

usage: dsctl [instance] backups [-h] [--delete DELETE]

--delete DELETE

Delete backup directory

OPTIONS 'dsctl ldifs'

usage: dsctl [instance] ldifs [-h] [--delete DELETE]

--delete DELETE

Delete LDIF file

OPTIONS 'dsctl tls'

usage: dsctl [instance] tls [-h]
                           {list-ca,list-client-ca,show-server-cert,show-cert,generate-server-cert-csr,import-client-ca,import-ca,import-server-cert,import-server-key-cert,remove-cert}
                           ...

Sub-commands

dsctl tls list-ca

list server certificate authorities including intermediates

dsctl tls list-client-ca

list client certificate authorities including intermediates

dsctl tls show-server-cert

Show the active server certificate that clients will see and verify

dsctl tls show-cert

Show a certificate's details referenced by it's nickname. This is analogous to certutil -L -d <path> -n <nickname>

dsctl tls generate-server-cert-csr

Generate a Server-Cert certificate signing request - the csr is then submitted to a CA for verification, and when signed you import with import-ca and import-server-cert

dsctl tls import-client-ca

Import a CA trusted to issue user (client) certificates. This is part of how client certificate authentication functions.

dsctl tls import-ca

Import a CA or intermediate CA for signing this servers certificates (aka Server-Cert). You should import all the CA's in the chain as required.

dsctl tls import-server-cert

Import a new Server-Cert after the csr has been signed from a CA.

dsctl tls import-server-key-cert

Import a new key and Server-Cert after having been signed from a CA. This is used if you have an external csr tool or a service like lets encrypt that generates PEM keys externally.

dsctl tls remove-cert

Delete a certificate from this database. This will remove it from acting as a CA, a client CA or the Server-Cert role.

OPTIONS 'dsctl tls list-ca'

usage: dsctl [instance] tls list-ca [-h]

OPTIONS 'dsctl tls list-client-ca'

usage: dsctl [instance] tls list-client-ca [-h]

OPTIONS 'dsctl tls show-server-cert'

usage: dsctl [instance] tls show-server-cert [-h]

OPTIONS 'dsctl tls show-cert'

usage: dsctl [instance] tls show-cert [-h] nickname

nickname

The nickname (friendly name) of the certificate to display

OPTIONS 'dsctl tls generate-server-cert-csr'

usage: dsctl [instance] tls generate-server-cert-csr [-h] [--subject SUBJECT]
                                                    [alt_names ...]

alt_names

Certificate requests subject alternative names. These are auto-detected if not provided

--subject SUBJECT, -s SUBJECT

Certificate Subject field to use

OPTIONS 'dsctl tls import-client-ca'

usage: dsctl [instance] tls import-client-ca [-h] cert_path nickname

cert_path

The path to the x509 cert to import as a client trust root

nickname

The name of the certificate once imported

OPTIONS 'dsctl tls import-ca'

usage: dsctl [instance] tls import-ca [-h] cert_path nickname

cert_path

The path to the x509 cert to import as a server CA

nickname

The name of the certificate once imported

OPTIONS 'dsctl tls import-server-cert'

usage: dsctl [instance] tls import-server-cert [-h] cert_path

cert_path

The path to the x509 cert to import as Server-Cert

OPTIONS 'dsctl tls import-server-key-cert'

usage: dsctl [instance] tls import-server-key-cert [-h] cert_path key_path

cert_path

The path to the x509 cert to import as Server-Cert

key_path

The path to the x509 key to import associated to Server-Cert

OPTIONS 'dsctl tls remove-cert'

usage: dsctl [instance] tls remove-cert [-h] nickname

nickname

The name of the certificate to delete

OPTIONS 'dsctl healthcheck'

usage: dsctl [instance] healthcheck [-h]

OPTIONS 'dsctl get-nsstate'

usage: dsctl [instance] get-nsstate [-h] [--suffix SUFFIX] [--flip FLIP]

--suffix SUFFIX

The DN of the replication suffix to read the state from

--flip FLIP

Flip between Little/Big Endian, this might be required for certain architectures

OPTIONS 'dsctl ldifgen'

usage: dsctl [instance] ldifgen [-h]
                               {users,groups,cos-def,cos-template,roles,mod-load,nested}
                               ...

Sub-commands

dsctl ldifgen users

Generate a LDIF containing user entries

dsctl ldifgen groups

Generate a LDIF containing groups and members

dsctl ldifgen cos-def

Generate a LDIF containing a COS definition (classic, pointer, or indirect)

dsctl ldifgen cos-template

Generate a LDIF containing a COS template

dsctl ldifgen roles

Generate a LDIF containing a role entry (managed, filtered, or indirect)

dsctl ldifgen mod-load

Generate a LDIF containing modify operations.  This is intended to be consumed by ldapmodify.

dsctl ldifgen nested

Generate a heavily nested database LDIF in a cascading/fractal tree design

OPTIONS 'dsctl ldifgen users'

usage: dsctl [instance] ldifgen users [-h] [--number NUMBER] [--suffix SUFFIX]
                                     [--parent PARENT] [--generic]
                                     [--start-idx START_IDX] [--rdn-cn]
                                     [--localize] [--ldif-file LDIF_FILE]

--number NUMBER

The number of users to create.

--suffix SUFFIX

The database suffix where the entries will be created.

--parent PARENT

The parent entry that the user entries should be created under. If not specified, the entries are stored under random Organizational Units.

--generic

Create generic entries in the format of "uid=user####". These entries are also compatible with ldclt.

--start-idx START_IDX

For generic LDIF's you can choose the starting index for the user entries. The default is "0".

--rdn-cn

Use the attribute "cn" as the RDN attribute in the DN instead of "uid"

--localize

Localize the LDIF data

--ldif-file LDIF_FILE

The LDIF file name. Default location is the server's LDIF directory using the name 'users.ldif'

OPTIONS 'dsctl ldifgen groups'

usage: dsctl [instance] ldifgen groups [-h] [--number NUMBER]
                                      [--suffix SUFFIX] [--parent PARENT]
                                      [--num-members NUM_MEMBERS]
                                      [--create-members]
                                      [--member-parent MEMBER_PARENT]
                                      [--member-attr MEMBER_ATTR]
                                      [--ldif-file LDIF_FILE]
                                      NAME

NAME

The group name.

--number NUMBER

The number of groups to create.

--suffix SUFFIX

The database suffix where the groups will be created.

--parent PARENT

The parent entry that the group entries should be created under. If not specified the groups are stored under the suffix.

--num-members NUM_MEMBERS

The number of members in the group. Default is 10000

--create-members

Create the member user entries.

--member-parent MEMBER_PARENT

The entry DN that the members should be created under. The default is the suffix entry.

--member-attr MEMBER_ATTR

The membership attribute to use in the group. Default is "uniquemember".

--ldif-file LDIF_FILE

The LDIF file name. Default is "/tmp/ldifgen.ldif"

OPTIONS 'dsctl ldifgen cos-def'

usage: dsctl [instance] ldifgen cos-def [-h] [--type TYPE] [--parent PARENT]
                                       [--create-parent]
                                       [--cos-specifier COS_SPECIFIER]
                                       [--cos-template COS_TEMPLATE]
                                       [--cos-attr [COS_ATTR ...]]
                                       [--ldif-file LDIF_FILE]
                                       NAME

NAME

The COS definition name.

--type TYPE

The COS definition type: "classic", "pointer", or "indirect".

--parent PARENT

The parent entry that the COS definition should be created under.

--create-parent

Create the parent entry

--cos-specifier COS_SPECIFIER

Used in a classic COS definition, this attribute located in the user entry is used to select which COS template to use.

--cos-template COS_TEMPLATE

The DN of the COS template entry, only used for "classic" and "pointer" COS definitions.

--cos-attr [COS_ATTR ...]

A list of attributes which defines which attribute the COS generates values for.

--ldif-file LDIF_FILE

The LDIF file name. Default is "/tmp/ldifgen.ldif"

OPTIONS 'dsctl ldifgen cos-template'

usage: dsctl [instance] ldifgen cos-template [-h] [--parent PARENT]
                                            [--create-parent]
                                            [--cos-priority COS_PRIORITY]
                                            [--cos-attr-val COS_ATTR_VAL]
                                            [--ldif-file LDIF_FILE]
                                            NAME

NAME

The COS template name.

--parent PARENT

The DN of the entry to store the COS template entry under.

--create-parent

Create the parent entry

--cos-priority COS_PRIORITY

Sets the priority of this conflicting/competing COS templates.

--cos-attr-val COS_ATTR_VAL

defines the attribute and value that the template provides.

--ldif-file LDIF_FILE

The LDIF file name. Default is "/tmp/ldifgen.ldif"

OPTIONS 'dsctl ldifgen roles'

usage: dsctl [instance] ldifgen roles [-h] [--type TYPE] [--parent PARENT]
                                     [--create-parent] [--filter FILTER]
                                     [--role-dn [ROLE_DN ...]]
                                     [--ldif-file LDIF_FILE]
                                     NAME

NAME

The Role name.

--type TYPE

The Role type: "managed", "filtered", or "nested".

--parent PARENT

The DN of the entry to store the Role entry under

--create-parent

Create the parent entry

--filter FILTER

A search filter for gathering Role members. Required for a "filtered" role.

--role-dn [ROLE_DN ...]

A DN of a role entry that should be included in this role. Used for "nested" roles only.

--ldif-file LDIF_FILE

The LDIF file name. Default is "/tmp/ldifgen.ldif"

OPTIONS 'dsctl ldifgen mod-load'

usage: dsctl [instance] ldifgen mod-load [-h] [--create-users]
                                        [--delete-users]
                                        [--num-users NUM_USERS]
                                        [--parent PARENT] [--create-parent]
                                        [--add-users ADD_USERS]
                                        [--del-users DEL_USERS]
                                        [--modrdn-users MODRDN_USERS]
                                        [--mod-users MOD_USERS]
                                        [--mod-attrs [MOD_ATTRS ...]]
                                        [--randomize] [--ldif-file LDIF_FILE]

--create-users

Create the entries that will be modified or deleted. By default the script assumes the user entries already exist.

--delete-users

Delete all the user entries at the end of the LDIF.

--num-users NUM_USERS

The number of user entries that will be modified or deleted

--parent PARENT

The DN of the parent entry where the user entries are located.

--create-parent

Create the parent entry

--add-users ADD_USERS

The number of additional entries to add during the load.

--del-users DEL_USERS

The number of entries to delete during the load.

--modrdn-users MODRDN_USERS

The number of entries to perform a modrdn operation on.

--mod-users MOD_USERS

The number of entries to modify.

--mod-attrs [MOD_ATTRS ...]

List of attributes the script will randomly choose from when modifying an entry. The default is "description".

--randomize

Randomly perform the specified add, mod, delete, and modrdn operations

--ldif-file LDIF_FILE

The LDIF file name. Default is "/tmp/ldifgen.ldif"

OPTIONS 'dsctl ldifgen nested'

usage: dsctl [instance] ldifgen nested [-h] [--num-users NUM_USERS]
                                      [--node-limit NODE_LIMIT]
                                      [--suffix SUFFIX]
                                      [--ldif-file LDIF_FILE]

--num-users NUM_USERS

The total number of user entries to create in the entire LDIF (does not include the container entries).

--node-limit NODE_LIMIT

The total number of user entries to create under each node/subtree

--suffix SUFFIX

The suffix DN for the LDIF

--ldif-file LDIF_FILE

The LDIF file name. Default location is the server's LDIF directory using the name 'users.ldif'

-v, --verbose

Display verbose operation tracing during command execution

-j, --json

Return result in JSON object

-l, --list

List available Directory Server instances

Authors

lib389 was written by Red Hat Inc. <389-devel@lists.fedoraproject.org>.

Distribution

The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html

Info

Manual