Configuration Parameters

irectory server runtime activities are controlled using configuration parameters. This chapter details the configuration parameters used with the directory server and includes the following topics:

Changing Configuration Parameter Values

You can change parameter values through the server manager. Alternatively, you can change these parameter values by directly editing the slapd.conf or slapd.dynamic_ldbm.conf file.


# comment - slapd.at.conf contains common attribute


# definitions, slapd.oc.conf contains common


# object class definitions.


include /usr/ns-home/ns-slapd/config/slapd.at.conf


include /usr/ns-home/ns-slapd/config/slapd.oc.conf





# The first parameters apply to ns-slapd as a whole


<general parameter>


<general parameter>


...


# The database ldbm parameter that follows must appear as a separator


# between the general and the database parameters.


database ldbm


<database parameter>


<database parameter>


...

Changing Parameter Values Using slapd.dynamic_ldbm.conf

slapd.dynamic_ldbm.conf is used to contain those server parameters that can be changed dynamically; that is, when they are changed from the server manager, they do not require a restart of the directory server. This file is included into slapd.conf using the dynamicconf parameter.

slapd.dynamic_ldbm.conf currently only supports the index parameter. It is a flat ASCII file that contains a simple listing of index parameters. For more information on indexing, see "Creating Indexes Using slapd.dynamic_ldbm.conf".

Validating Your Server Settings

You can perform a limited validation of your slapd.conf file using the server manager. This validation ensures that valid parameters are placed in your slapd.conf file by performing the same parsing of the file that ns-slapd performs when it reads the file.

Note

This function does not ensure that the values set for your server parameters are valid. That is, this function does not exercise the parameters in any way, other than to ensure that they can be successfully parsed by ns-slapd. Some of the problems this function will uncover are:

slapd.conf, slapd.at.conf, or slapd.oc.conf does not exist
a single line in any of the configuration file contains more than 101 words
parameters that have no parameter value
port values that are out of range

To perform this validation, go to Server Preferences | Validate Server Preferences.

General Server Parameters

Table 14.1 describes the server parameters that apply to general directory server operations

Parameter	Description
Port Number	Integer specifying the TCP/IP port number used for non-SSL communications.
Encryption Enabled	Boolean specifying whether the server is to use SSL communications.
Encryption Ciphers	String specifying the type of encryption supported by this server.
Encrypted Port Number	Integer specifying the TCP/IP port number used for SSL communications.
Audit Log	String specifying the file used to store changes made to each database as well as the machine data area.
Access Log	String specifying the file used to log information about each database access.
Error Log	String specifying the file used to log error messages generated by ns-slapd.
Size Limit in Entries	Integer specifying the maximum number of entries to return from a search operation.
Time Limit in Seconds	Integer specifying the maximum number of seconds ns-slapd will spend performing a search request.
Look Through Limit in Entries	Integer specifying the maximum number of entries that ns-slapd will check before returning a resource limit error.
Schema Checking	Boolean indicating whether the schema will be enforced during entry insertion or modification.
Track Modifies	Boolean indicating whether ns-slapd will maintain modification attributes for entries.
Log Level	Integer representing the level at which debugging statements and operation statistics will be logged.
Referral	String specifying an LDAP URL to pass back to a client when ns-slapd cannot find a local database to handle a request.
Supplier DN	String specifying the distinguished name used to update local replicated entries.
Supplier Password	String specifying the password the consumer server expects the supplier server to use when binding.
Supplier SSL Clients	String specifying the subject name(s) or the certificate(s) that correspond to the supplier DN defined for the consumer server.
Changelog DB Directory	String specifying the suffix for the change log database.
Changelog Suffix	String displaying the suffix for the change log database.
Max Changelog Records	Integer representing the maximum number of records the change log may contain.
Max Changelog Age	Integer and ID specifying the maximum allowable age of any entry in the change log.
Password Storage Scheme	String specifying the type of encryption used for password storage.
Certificate and Key Directory	String specifying the path to the SSL directory. This parameter can only be updated by editing `slapd.conf`; it cannot be edited in the server manager.
Encryption Alias	String representing the encryption alias for this server's certificate.
attribute	String associating a syntax with an attribute name. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server manager.
objectClass	List of strings defining a new object class to be added to the database schema. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server manager.
threadnumber	Number of threads obtained by the directory server at startup time. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server manager.
maxthreadsperconn	Maximum number of threads allowed for use by each connection. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server manager.
NLS	String that displays the directory where the files to support internationalization are kept.
Password Maximum Age	Integer representing the number of days after which user passwords will expire.
Password Expiration	Boolean indicating whether user passwords will expire after a given number of days.
Password Minimum Length	Integer representing the minimum number of characters that must be used in directory server passwords.
Password History	Boolean indicating whether users can reuse passwords.
Number of Passwords to Remember	Integer representing the number of passwords the directory server stores in history.
Password Change	Keyword indicating whether users may or must change their passwords.
Check Password Syntax	Boolean indicating whether the password syntax will be checked before the password is saved.
Send Warning	Integer representing the number days before a user's password is due to expire that the user will be sent a warning message.
Account Lockout	Boolean indicating whether users will be locked out of the directory after a given number of failed bind attempts.
Maximum Password Failures	Integer representing the number failed bind attempts after which a user will be locked out of the directory.
Reset Password Failure Count After	Integer representing the amount of time in minutes after which the password failure counter will be reset.
Unlock Account	Boolean indicating whether users will be locked out of the directory until the administrator resets the password after an account lockout.
Lockout Duration	Integer representing the amount of time in minutes that users will be locked out of the directory after an account lockout.
NT Synchronization Service Enabled	Turns on the NT Synchronization Service server plug-ins.
NT Synchronization Service Port Number	Indicates the port that the directory server will use to for non-LDAP communications with the NT Synchronization Service.
orcauto	Indicates whether a server will automatically use online consumer (replica) creation in the event that an inconsistency is detected between the databases on the supplier and the consumer servers.

Port Number

Description

TCP/IP port number used for non-SSL communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Note that for UNIX systems, specifying a port number of less than 1024 requires that the administration server run as root, because it must start the directory server with root privileges.

Default value

Valid range

1

slapd.conf syntax

port <integer>

Example

port 389

Encryption Enabled

Description

Specifies whether the directory server is to accept SSL communications on its encrypted port.

Default value

off

Valid range

on | off

slapd.conf syntax

security <Boolean>

Example

security off

Encryption Ciphers

Description

Specifies the type of encryption the directory server will use when using SSL communications. For more information on the ciphers supported by the directory server, refer to

"Managing SSL"

Default value

N/A

Valid range

For domestic versions, any combination of the following:

RC4-40 MD5
RC2-40 MD5
RC4-128 MD5
Triple DES-168 SHA
DES-56 SHA
clear MD5

For export versions, any combination of the following:

RC4-40 MD5
RC2-40 MD5
clear MD5

slapd.conf syntax

SSL3ciphers <

[,<

, <

, . . .]

where <cipher> is any of the following:

SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_RC4_128_MD5
SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
SSL_RSA_WITH_NULL_MD5

Export versions can use only the following ciphers:

SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
SSL_RSA_WITH_NULL_MD5

White spaces are not allowed in the list of ciphers.

Example

SSL3cipher SSL_RSA_EXPORT_WITH_RC4_40_MD5,SSL_RSA_

EXPORT_WITH_RC2_CBC_40_MD5

Encrypted Port Number

Description

TCP/IP port number used for SSL communications. This selected port must be unique on the host system; make sure no other application is attempting to use the same port number. Note that for UNIX systems, specifying a port number of less than 1024 requires that the administration server run as root, because it must start the directory server with root privileges.

Default value

Valid range

1

slapd.conf syntax

secure-port <integer>

Example

secure-port 636

Audit Log

Description

Specifies the pathname and filename of the log used to record changes made to each database as well as to the machine data area.

Default value

<NSHOME>/slapd-<

/logs/audit

Valid range

Any valid filename

slapd.conf syntax

auditlog <filename>

Example

auditlog /usr/ns-home/slapd-<serverID>/logs/audit

Access Log

Description

Specifies the path and filename of the log used to record each database access. The following information is recorded in the log file:

IP
of the client machine that accessed the database
operations performed (for example, search, add, modify)
result of the access (for example, the number of entries returned)

To turn access logging off, leave this parameter blank. For more information on turning access logging off, see

"Turning Off the Access Log"

Default value

<NSHOME>/slapd-<

/logs/access

Valid range

Any valid filename

slapd.conf syntax

accesslog <filename>

Example

accesslog /usr/ns-home/slapd-<serverID>/logs/access

Error Log

Description

ns-slapd

server startup and shutdown times
port number the server uses

This log will contain differing amounts of information depending on the current setting of the Log Level parameter. See

"Log Level"

Default value

<NSHOME>/slapd-<serverID>/logs/error

Valid range

Any valid filename

slapd.conf syntax

errorlog <filename>

Example

errorlog /usr/ns-home/slapd-<serverId>/logs/error

Size Limit in Entries

Description

ns-slapd

slapd.conf

Default value

Valid range

³¹

slapd.conf

slapd.conf syntax

sizelimit <integer>

Example

sizelimit 2000

Time Limit in Seconds

Description

Valid range

³¹

slapd.conf

slapd.conf syntax

timelimit <integer>

Example

timelimit 3600

Look Through Limit in Entries

Description

Specifies the maximum number of entries that ns-slapd will check when seeking candidate entries in response for a search request. If this limit is reached, ns-slapd returns any entries it has located that match the search request, as well as an exceeded size limit error. For a general discussion of the searching algorithm, refer to

"The Searching Algorithm"

Valid range

³¹

slapd.conf

slapd.conf syntax

lookthroughlimit <integer>

Example

lookthroughlimit 5000

Schema Checking

Description

Note

on

Valid range

on|off

slapd.conf syntax

schemacheck <Boolean>

Example

schemacheck on

Track Modifies

Description

ns-slapd

modifiersname--The distinguished name of the person who last modified the entry.
modifytimestamp--The timestamp for when the entry was last modified.
creatorsname--The distinguished name of the person who initially created the entry.
createtimestamp--The timestamp for when the entry was created.

If you are using your directory server with the NT user synchronization, then this parameter must be turned on.

Default value

on

Valid range

on|off

slapd.conf syntax

lastmod <Boolean>

Example

lastmod off

Log Level

Description

Specifies the level of logging to be used by the directory server. The log level is additive; that is, specifying a value of 3 causes both levels 1 and 2 to be performed.

To turn off logging, remove the loglevel parameter from slapd.conf and restart the directory server.

Default value

loglevel

Valid range

1

2

4

8

16

32

64

128

1024

2048

4096

8192

slapd.conf syntax

loglevel <integer>

Example

loglevel 8192

Referral

Description

Specifies the default LDAP URL to pass back when the receives a request for an entry that is not a member of the local tree, that is, an entry whose suffix does not match the value specified on any of the

Suffix


	ou=People, o=Airius.com

but the request is for this entry:


	ou=Groups, o=Airius.com

In this case, the referral would be passed back to the client in an attempt to allow the LDAP client to locate a database that contains the requested entry.

Note that if a smart referral can be found to return as a result of the request, the server will return that referral instead of the value specified on this parameter.

Note that only one referral is allowed per directory server instance.

For more information on managing referrals, see

"Managing Referrals"

Default value

null string

Valid range

Any LDAP URL of the form:


	ldap://<server location>

If you want to use SSL communications, the Referral parameter should be of the form:


	ldaps://<server location>

slapd.conf syntax

referral <url>

Example

referral ldap://ldap.aceindustry.com

Supplier DN

Specifies the distinguished name that supplier servers use to update your server with replicated data. For more information on replication, refer to

Chapter 11, "Managing Replication and Referrals"

Default value

null string

Valid range

Any valid distinguished name representing an entry in the local directory tree.

slapd.conf syntax

updatedn <"DN">

Example

updatedn "cn=Replication Admin, o=Airius.com"

Supplier Password

The password the consumer server expects the supplier server to use when binding. The supplier password is only required if the consumer server is not configured to accept certificate-based authentication.

Default value

null string

Valid range

Any valid password of 8 or more characters. Possible Encryption methods are described in

"Password Storage Scheme"

slapd.conf syntax

updatepw <{encryption method} encrypted password>

Example

updatepw {crypt} 9EKo74BXRKnL

Supplier SSL Clients

The subject name(s) of the certificate(s) that correspond to the

supplier DN

Default value

null string

Valid range

Any valid certificate subject DN.

slapd.conf syntax

updateSSLclient <certificate subject DN>

Example

updateSSLclient "cn=master.airius.com, o=airius.com"

Changelog DB Directory

Description

Specifies the name of the directory in which the change log database is stored. Netscape recommends that this database be stored in:


	<NSHOME>/slapd-<serverID>/changelogdb

The change log is used to record modifications made to a supplier server's database. When the supplier server's directory is modified, and entry is written to the change log that contains:

A number that uniquely identifies the modification. This number is sequential with respect to other entries in the the change log.
The modification action; that is, exactly how the directory was modified.

When the supplier server updates a consumer server, the supplier uses the change log information to determine if any modifications have occurred that need to be propagated to the consumer server. If so, the supplier server modifies the consumer server based on the modification(s) recorded in the change log.

This parameter must be set to a valid directory name before replication can occur. For more information on replication, refer to

Chapter 11, "Managing Replication and Referrals."

Default value

null string

Valid range

Any valid file name

slapd.conf syntax

changelogdir <directory>

Example

changelogdir /usr/ns-home/slapd-local/changelogdb

Changelog Suffix

Description

Specifies the suffix used for the change log directory. For information on the change log directory, see "

Changelog DB Directory

Default value

null string

Valid range

Any valid string

slapd.conf syntax

changelogsuffix <suffix>

Example

changelogsuffix cn=changelog

Max Changelog Records

Description

Specifies the maximum number of records the change log may contain. If this parameter is absent, there is no maximum number of records the change log can contain. For information on the change log, see "

Changelog DB Directory

Default value

none

Valid range

0 to maximum integer

slapd.conf syntax

changelogmaxentries <integer>

Example

changelogmaxentries 5000

Max Changelog Age

Description

Specifies the maximum age of any entry in the change log. The change log contains a record for each directory modification and is used when synchronizing consumer servers. Each record contains a timestamp. Any record with a timestamp that is older than the value specified in this parameter will be removed. If this parameter is absent, there is no age limit on change log records. For information on the change log, see "

Changelog DB Directory

Default

none

Valid range

0 to maximum integer

slapd.conf syntax

changelogmaxage <integer> <Age ID>

where Age ID is "s" for seconds, "m" for minutes, "h" for hours, "d" for days, or "w" for weeks.

Example

changelogmaxage 30 d

Password Storage Scheme

Description

Specifies the type of encryption used to store directory server passwords. A null string entered in the form of two double quotation marks ("") indicates that passwords are to be stored in plain text.

The following encryption types are available:

sha is the Secure Hash Algorithm. It is the most secure of the choices and is the one Netscape recommends.
crypt is the UNIX crypt algorithm. It is provided for compatibility with UNIX passwords.

Default value

sha

Valid range

crypt|sha|""

slapd.conf syntax

passwdhash <string>

Example

passwdhash sha

Certificate and Key Directory

Description

slapd.conf

Default value

<NSHOME>/slapd-<serverID>/ssl

Valid range

Currently this directory must be set to the default.

slapd.conf syntax

security-path <string>

Example

security-path /usr/ns-home/slapd-directory/ssl

Encryption Alias

Description

The encryption alias you want to use for this server's certificate. You create the encryption alias when you create your server's certificate database. For more information on creating certificate databases, see the "Enabling SSL Encryption" section in Managing Netscape Servers.

Default value

none

Valid range

Any valid string

slapd.conf syntax

encryption-alias <string>

Example

encryption-alias secure-LDAP

attribute

Description

cis

This parameter is intended to allow the extension of the standard schema when schema checking is turned on.

This parameter is not available from the server manager.

Valid range

Possible syntaxes are:

bin--binary
ces--case exact string (case must be matched during comparison)
cis--case ignore string (case is ignored during comparison)
tel--telephone number (identical to cis, but blanks and dashes [-] are ignored during comparisons)
dn--distinguished name

slapd.conf syntax

attribute <name> [<name2> <syntax>]

Example

attribute commonName cn cis

objectClass

Description

Used to define the schema rules for the specified object class. This parameter is intended to allow the extension of the standard schema when schema checking is turned on.

This parameter is not available from the server manager.

slapd.conf syntax

objectClass <name>

		oid <oid number>

		superior <superior object class>

		requires <list of attributes>

		allows <list of attributes>

Example

objectClass person

	requires

		objectClass,

sn,

cn

	allows

		description,

		seeAlso,

		telephoneNumber,

		userPassword,

		subtreeACI

threadnumber

Description

Defines the number of operation threads that the directory server will create during start up.

This parameter is not available from the server manager.

Default value

Valid range

1

slapd.conf syntax

threadnumber <number threads>

Example

threadnumber 20

maxthreadsperconn

Description

Defines the maximum number of threads that a connection should use. For normal operations where a client binds and only performs one or two operations before unbinding, you should use the default value. For situations where a client binds and does many operations, you should increase this value to allow each connection enough resources to perform all the operations.

A value of 0 turns off maxthreadsperconn and causes the server to allow each connection to obtain as many threads as the connection requires, up to the value set by

threadnumber

This parameter is not available from the server manager.

Default value

Valid range

0

slapd.conf syntax

maxthreadsperconn <number of threads>

Example

maxthreadsperconn 5

NLS

Description

Used to define the directory where the internationalization files are kept.

This parameter is not available from the server manager.

Default value

<NSHOME>/nls

Valid range

N/A

slapd.conf syntax

NLS "<directory>"

Example

NLS "/usr/ns-home/nls"

Password Maximum Age

Description

Indicates the number of days after which user passwords will expire. To use this parameter, you must enable password expiration using the

Password Expiration

slapd.conf

passwordLockout

For more information on password policies, see

"Understanding Password Policies"

Default Value

100

Valid Range

1

24,855

Password Expiration

Description

Indicates whether user passwords will expire after a given number of days. By default, user passwords do not expire. Once password expiration is enabled, you can set the number of days after which the password will expire using the

Password Maximum Age

slapd.conf

passwordExp

For more information on password policies, see

"Understanding Password Policies"

Default Value

Off

Password Minimum Length

Description

Specifies the minimum number of characters that must be used in directory server passwords. In general, shorter passwords are easier to crack, so you are recommended to set a password length of at least 6 or 7 characters. This is long enough to be difficult to crack, but short enough that users can remember the password without writing it down.

slapd.conf

passwordMinLength

For more information on password policies, see

"Understanding Password Policies"

Default Value

6

Valid Range

2

512

Password History

Description

Enables password history. Password history refers to whether users are allowed to reuse passwords. By default, password history is disabled and users can reuse passwords. You can modify the No Password History parameter so that the directory stores a given number of old passwords and prevents users from reusing any of the stored passwords. You set the number of old passwords the directory server stores using the

Number of Passwords to Remember

slapd.conf

passwordKeepHistory

For more information on password policies, see

"Understanding Password Policies"

Default Value

Off

Number of Passwords to Remember

Description

Indicates the number of passwords the directory server stores in history. Passwords that are stored in history cannot be reused by users. By default, the password history feature is disabled. That is, the directory server does not store any old passwords and so users can reuse passwords. You can enable password history by using the

Password History

slapd.conf

passwordInHistory

For more information on password policies, see

"Understanding Password Policies"

Default Value

6

Valid Range

2

24

Password Change

Description

Indicates whether users may or must change their passwords. Options are

may, which indicates that users may change their own passwords.
must, which indicates that users must change their passwords the first time they bind to the directory or after their passwords are reset by the administrator.
no, which indicates that users may not change their own passwords.

slapd.conf

passwordChange

For more information on password policies, see

"Understanding Password Policies"

Default Value

may

Valid Range

may | must | no

Check Password Syntax

Description

Indicates whether the password syntax will be checked before the password is saved. The password syntax checking mechanism checks that the password meets or exceeds the

password minimum length

slapd.conf

passwordCheckSyntax

For more information on password policies, see

"Understanding Password Policies"

Default Value

Off

Send Warning

Description

Indicates the number days before a user's password is due to expire that the user will be sent a warning message. Depending on the LDAP client, the user may also be prompted to change their password at the time the warning is sent.

slapd.conf

passwordWarning

For more information on password policies, see

"Understanding Password Policies"

Default Value

1

Valid Range

1

24,855

Account Lockout

Description

Indicates whether users will be locked out of the directory after a given number of failed bind attempts. By default, users will not be locked out of the directory after a series of failed bind attempts. If you enable account lockout, you can set the number of failed bind attempts after which the user will be locked out using the

Maximum Password Failures

slapd.conf

passwordLockout

For more information on password policies, see

"Understanding Password Policies"

Default Value

On

Maximum Password Failures

Description

Indicates the number failed bind attempts after which a user will be locked out of the directory. By default, account lockout is disabled. You can enable account lockout by modifying the

Account Lockout

slapd.conf

passwordMaxFailure

For more information on password policies, see

"Understanding Password Policies"

Default Value

3

Valid Range

1

32,767

Reset Password Failure Count After

Description

Indicates the amount of time in minutes after which the password failure counter will be reset. Each time an invalid password is sent from the user's account, the password failure counter is incremented. If the account lockout feature is enabled, users will be locked out of the directory when the counter reaches the number of failures specified by the

Maximum Password Failures

Lockout Duration

Account Lockout

slapd.conf

passwordresetduration

For more information on password policies, see

"Understanding Password Policies"

Default Value

10

Valid Range

1

35,791,394

Unlock Account

Description

Indicates whether users will be locked out of the directory until the administrator resets the password after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the

For more information on password policies, see

"Understanding Password Policies"

Default Value

Off

Lockout Duration

Description

Indicates the amount of time in minutes that users will be locked out of the directory after an account lockout. The account lockout feature protects against hackers who try to break into the directory by repeatedly trying to guess a user's password. You enable and disable the account lockout feature using the

Account Lockout

Unlock Account

slapd.conf

passwordlockoutduration

For more information on password policies, see

"Understanding Password Policies"

Default Value

60

Valid Range

1

35,791,394

NT Synchronization Service Enabled

Description

Indicates whether the NT Synchronization Service plug-ins are used by the directory server. These plug-ins cause the directory server to validate all NT Directory Data with the appropriate NT primary domain controller. These plug- ins also transfer NT user and group changes to the synchronization service for inclusion on NT user and group accounts.

For more information on the NT synchronization service, see

Chapter 12, "NT Directory Synchronization."

Default Value

No

Valid Range

Yes | No

Slapd.conf Syntax

ntsynch on|off

Example

ntsynch on

NT Synchronization Service Port Number

Description

Specifies the port number that directory server will use for non-LDAP communications with the NT Synchronization Service. This port is used to validate directory changes with the NT domain, and to transfer directory changes to NT. Note that for UNIX systems, specifying a port number of less than 1024 requires that administration server run as root, because it must start the directory server with root privileges.

For more information on the NT synchronization service, see

Chapter 12, "NT Directory Synchronization."

Default Value

Valid Range

1 to 65535

Slapd.conf Syntax

ntsynch-port <integer>

Example

ntsynch-port 5005

orcauto

Description

on

Online consumer creation applies to both supplier-initiated replication and consumer-initiated replication. If supplier-initiated replication is used, then online consumer creation is either turned on or off for all consumer servers. Similarly, if consumer-initiated replication is used then then online consumer creation is either turned on or off for all supplier servers.

Note that caution should be used before turning this feature on. For more information, see

"Initializing Consumers"

This parameter is not available from the server manager.

Default Value

off

Valid Range

on | off

Slapd.conf Syntax

orcauto <Boolean>

Example

ntsynch-port on

Database Parameters

Table 14.2 describes the server parameters that apply to the directory server database.

Table 14.2 Directory server database parameters


Parameter	Description
Suffix	String specifying the distinguished name suffix used for the local database.
DB Directory	String specifying the directory that contains the database and associated indexes.
Root DN	String specifying the distinguished name of an entry that is not subject to access control or administrative limit restrictions for operations on the database.
Root Password	String displaying the current root password.
Root Password Storage Scheme	String displaying the current root password encryption method used for the root password.
Read-only	Boolean indicating whether the database is in read-only mode.
Maximum Entries in Cache	Integer specifying the number of entries to be contained in the in-memory cache.
Maximum DB Cache size in Bytes	Integer specifying the size in bytes of the in-memory cache associated with each open index file.
Attribute to be Indexed	String specifying the indexes to maintain for a given attribute.
database	String marking the beginning of a new database instance definition within slapd.conf. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server manager.
mode	Integer specifying the file protection used for newly created database index files. This parameter can only be updated by editing slapd.conf; it cannot be edited in the server manager.
Database Checkpoint Interval	The amount of time in seconds after which the directory server sends a checkpoint entry to the database transaction log.
Database Durable Transactions	Indicates whether database transaction log entries are immediately written to the disk.
Database Transaction Log Directory	Specifies the path and directory name of the directory containing the database transaction log.
dynamicconf	Specifies the path to the file containing dynamically changeable configuration parameters.

Suffix

Description

Specifies the distinguished name suffix used for the local database. Incoming queries must have a suffix matching this value. Queries for entries using a suffix other than the value specified in this parameter will be referred to the LDAP server identified on the

Referral

Multiple suffixes can be configured for your local database if multiple root points are used in your database. Note that two suffixes always exist for a directory server database. The first is the suffix you configure when you initially install the directory server, and this suffix represents your directory tree's root point. The second suffix is used for machine data.

See "Machine data" for more information.

A suffix must always be set for your directory tree in order for clients to successfully access the tree.

For information on setting suffixes for your directory, see

"Setting Suffixes for Your Database"

Valid range

Any valid distinguished name.

slapd.conf syntax

suffix <string>

Example

suffix "o=airius.com"

Note that if the suffix DN contains a comma, the comma must be escaped by a single backslash (on NT) or double backslashes (on Unix). For example, to set a suffix of Airius Bolivia, S.A., you would enter

suffix "o=Airius Bolivia\, S.A."

on NT or

suffix "o=Airius Bolivia\\, S.A."

on Unix.

DB Directory

Description

Specifies the directory containing the database and associated index files.

Default value

<NSHOME>/slapd-<

/db

Valid range

Currently this directory must be set to the default.

slapd.conf syntax

directory <string>

Example

directory /usr/ns-home/slapd-myserver/db

Root DN

Description

Specifies the distinguished name of an entry that is not subject to access control or administrative limit restrictions for operations on the database.

Size Limit in Entries

Time Limit in Seconds

Look Through Limit in Entries

For information on changing the Root DN, see

"Managing the Root DN"

Valid range

Any valid distinguished name.

slapd.conf syntax

rootdn <"string">

Example

rootdn

cn=Directory Manager, o=airius.com

Root Password

Description

slapd.conf

Warning

slapd.conf

Valid range

Any valid password. Possible encryption methods are described in

"Password Storage Scheme"

slapd.conf syntax

rootpw <{encryption method}encrypted password>

Example

rootpw {crypt}9Eko69APCJfF

Root Password Storage Scheme

Description

Available only from the server manager. This parameter indicates the encryption method used for the root password.

Default value

Clear text

Valid range

Any encryption method as described in

"Password Storage Scheme"

slapd.conf syntax

rootpw {encryption method}encrypted password

Example

rootpw {crypt}9Eko69APCJfF

Read-only

Description

Specifies whether the database is in read-only mode. Any attempt to modify a database in read-only mode returns an error indicating that the server is unwilling to perform the operation.

Default value

off

Valid range

on|off

slapd.conf syntax

readonly <Boolean>

Example

readonly off

Maximum Entries in Cache

Description

Specifies the number of entries the directory server will maintain in cache. Increasing this number uses more memory but can substantially improve search performance. The actual amount of memory required per additional entry depends on the nature of the data stored within the directory server. However, as a general guideline, you can estimate that each entry maintained in cache requires approximately 1 KB (1024 bytes) of memory.

For more information on this parameter, see the

Entry Cache Hit Ratio

"General Information Table"

Default value

1000

Valid range

1 to the total number of database entries.

slapd.conf syntax

cachesize <integer>

Example

cachesize 1000

Maximum DB Cache size in Bytes

Description

Specifies the size in bytes of the in-memory cache. Increasing this number uses more memory but can substantially improve server performance, especially during modifications or when the indexes are being built. Do not increase this number beyond the available resources for your machine.

For more information on this parameter, see the

Entry Cache Hit Ratio

"General Information Table"

Default value

1000000

Valid range

1 to maximum integer

slapd.conf syntax

dbcachesize <integer>

Example

dbcachesize 1000000

Attribute to be Indexed

Description

Specifies the indexes to maintain for the specified attribute(s). If only a list of attributes is provided, all possible indexes are maintained. If a value of default is provided in the place of a list of attributes, all attributes are indexed.

Valid indexes are:

pres
eq
approx
sub
none

For a complete description of indexing, refer to

Chapter 7, "Managing Indexes."

Default value

Only default indexing is performed. This includes a presence index for subtreeACI.

Valid range

Any valid attribute and any valid index type. For a list of the commonly used attributes, see

Appendix B, "Attributes."

slapd.conf syntax

index [<attribute list>|default] [<list of indexes>]

Example

index cn

index sn,uid eq,sub,approx

index default none

cn

sn

uid

database

Description

slapd.conf

Default value

ldbm

Valid range

ldbm

slapd.conf syntax

database ldbm

mode

Description

Specifies the permissions used for newly created index files. This parameter is not available from the server manager.

Default value

0600

Valid range

ns-slapd

slapd.conf syntax

mode <protection mode>

Example

mode 0600

Database Checkpoint Interval

Description

slapd.conf

For more information on database transaction logging, see

"Managing Database Transaction Logging"

Default Value

60 seconds

Valid Range

10 to 300 seconds

Slapd.conf Syntax

db_checkpoint_interval <integer>

Example

db_checkpoint_interval 120

Database Durable Transactions

Description

slapd.conf

For more information on database transaction logging, see

"Managing Database Transaction Logging"

Default Value

Slapd.conf Syntax

db_durable_transactions on|off

Example

db_durable_transactions off

Database Transaction Log Directory

Description

<NSHOME>/slapd-<serverID>/db

slapd.conf

For more information on database transaction logging, see

"Managing Database Transaction Logging"

Default Value

<NSHOME>/slapd-<serverID>/db

Valid Range

Any valid path and directory name.

Slapd.conf Syntax

db_logdirectory "<directory name>"

Example

db_logdirectory "/logs/txnlog"

dynamicconf

Description

slapd.dynamic_ldbm.conf

slapd.conf

slapd.dynamic_ldbm.conf

For more information about slapd.dynamic_ldbm.conf, see

"Changing Parameter Values Using slapd.dynamic_ldbm.conf"

Default Value

<NSHOME>/slapd-<serverID>/config/slapd.dynamic_ldbm.conf

Valid Range

Any valid path and directory name.

Slapd.conf Syntax

dynamicconf <filename>

Example

dynamicconf /usr/ns-home/slapd-fire/config/
slapd.dynamic_ldbm.conf

Configuration Parameters

Changing Configuration Parameter Values

Changing Parameter Values Using the Server Manager

Changing Parameter Values Using slapd.conf

slapd.conf File Format

Changing Parameter Values Using slapd.dynamic_ldbm.conf

Validating Your Server Settings

General Server Parameters

Port Number

Encryption Enabled

Encryption Ciphers

Encrypted Port Number

Audit Log

Access Log

Error Log

Size Limit in Entries

Time Limit in Seconds

Look Through Limit in Entries

Schema Checking

Track Modifies

Log Level

Referral

Supplier DN

Supplier Password

Supplier SSL Clients

Changelog DB Directory

Changelog Suffix

Max Changelog Records

Max Changelog Age

Password Storage Scheme

Certificate and Key Directory

Encryption Alias

attribute

objectClass

threadnumber

maxthreadsperconn

NLS

Password Maximum Age

Password Expiration

Password Minimum Length

Password History

Number of Passwords to Remember

Password Change

Check Password Syntax

Send Warning

Account Lockout

Maximum Password Failures

Reset Password Failure Count After

Unlock Account

Lockout Duration

NT Synchronization Service Enabled

NT Synchronization Service Port Number

orcauto

Database Parameters

Suffix

DB Directory

Root DN

Root Password

Root Password Storage Scheme

Read-only

Maximum Entries in Cache

Maximum DB Cache size in Bytes

Attribute to be Indexed

database

mode

Database Checkpoint Interval

Database Durable Transactions

Database Transaction Log Directory

dynamicconf