Configuration settings accessible through the dsconfig command.

About This Reference

This reference describes server configuration settings that you can view and edit with the dsconfig command. The dsconfig command is the primary tool for managing the server configuration, which follows an object-oriented configuration model. Each configuration object has its own properties. Configuration objects can be related to each other by inheritance and by reference.

The server configuration model exposes a wide range of configurable features. As a consequence, the dsconfig command has many subcommands. Subcommands exist to create, list, and delete configuration objects, and to get and set properties of configuration objects. Their names reflect these five actions:

  • create-object

  • list-objects

  • delete-object

  • get-object-prop

  • set-object-prop

Each configuration object has a user-friendly name, such as Connection Handler. Subcommand names use lower-case, hyphenated versions of the friendly names, as in create-connection-handler.

Chapter 1. Subcommands

This chapter describes dsconfig subcommands.

1.1. Subcommands by Category

1.1.1. Core Server

Administration Connector
Alert Handler
Connection Handler
Extended Operation Handler
Global Configuration
Group Implementation
HTTP Endpoint
Monitor Provider
Plugin
Plugin Root
Root DN
Root DSE Backend
Schema Provider
Virtual Attribute
Work Queue

1.1.9. Help

list-properties

1.2. create-access-log-filtering-criteria

Creates Access Log Filtering Criteria.

The dsconfig create-access-log-filtering-criteria command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

--criteria-name {name}

The name of the new Access Log Filtering Criteria.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Log Filtering Criteria.

1.3. create-account-status-notification-handler

Creates Account Status Notification Handlers.

The dsconfig create-account-status-notification-handler command takes the following options:

--handler-name {name}

The name of the new Account Status Notification Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Account Status Notification Handler which should be created. The value for TYPE can be one of: custom | error-log | smtp.

Properties used in options depend on the type of object to configure.

For details about available properties, see Account Status Notification Handler.

1.4. create-alert-handler

Creates Alert Handlers.

The dsconfig create-alert-handler command takes the following options:

--handler-name {name}

The name of the new Alert Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Alert Handler which should be created. The value for TYPE can be one of: custom | jmx | smtp.

Properties used in options depend on the type of object to configure.

For details about available properties, see Alert Handler.

1.5. create-backend

Creates Backends.

The dsconfig create-backend command takes the following options:

--backend-name {STRING}

The name of the new Backend which will also be used as the value of the "backend-id" property: Specifies a name to identify the associated backend.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Backend which should be created. The value for TYPE can be one of: backup | custom | custom-local | je | ldif | memory | monitor | null | pdb | proxy | schema | task | trust-store.

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend.

1.6. create-backend-index

Creates Backend Indexes.

The dsconfig create-backend-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {OID}

The name of the new Backend Index which will also be used as the value of the "attribute" property: Specifies the name of the attribute for which the index is to be maintained.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend Index.

1.7. create-backend-vlv-index

Creates Backend VLV Indexes.

The dsconfig create-backend-vlv-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {STRING}

The name of the new Backend VLV Index which will also be used as the value of the "name" property: Specifies a unique name for this VLV index.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend VLV Index.

1.8. create-certificate-mapper

Creates Certificate Mappers.

The dsconfig create-certificate-mapper command takes the following options:

--mapper-name {name}

The name of the new Certificate Mapper.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Certificate Mapper which should be created. The value for TYPE can be one of: custom | fingerprint | subject-attribute-to-user-attribute | subject-dn-to-user-attribute | subject-equals-dn.

Properties used in options depend on the type of object to configure.

For details about available properties, see Certificate Mapper.

1.9. create-connection-handler

Creates Connection Handlers.

The dsconfig create-connection-handler command takes the following options:

--handler-name {name}

The name of the new Connection Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Connection Handler which should be created. The value for TYPE can be one of: custom | http | jmx | ldap | ldif | snmp.

Properties used in options depend on the type of object to configure.

For details about available properties, see Connection Handler.

1.10. create-debug-target

Creates Debug Targets.

The dsconfig create-debug-target command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

--target-name {STRING}

The name of the new Debug Target which will also be used as the value of the "debug-scope" property: Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Debug Target.

1.11. create-entry-cache

Creates Entry Caches.

The dsconfig create-entry-cache command takes the following options:

--cache-name {name}

The name of the new Entry Cache.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Entry Cache which should be created. The value for TYPE can be one of: custom | fifo | soft-reference.

Properties used in options depend on the type of object to configure.

For details about available properties, see Entry Cache.

1.12. create-extended-operation-handler

Creates Extended Operation Handlers.

The dsconfig create-extended-operation-handler command takes the following options:

--handler-name {name}

The name of the new Extended Operation Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Extended Operation Handler which should be created. The value for TYPE can be one of: cancel | custom | get-connection-id | get-symmetric-key | password-modify | password-policy-state | start-tls | who-am-i.

Properties used in options depend on the type of object to configure.

For details about available properties, see Extended Operation Handler.

1.13. create-global-access-control-policy

Creates Global Access Control Policies.

The dsconfig create-global-access-control-policy command takes the following options:

--policy-name {name}

The name of the new Global Access Control Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Access Control Policy.

1.14. create-group-implementation

Creates Group Implementations.

The dsconfig create-group-implementation command takes the following options:

--implementation-name {name}

The name of the new Group Implementation.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Group Implementation which should be created. The value for TYPE can be one of: custom | dynamic | static | virtual-static.

Properties used in options depend on the type of object to configure.

For details about available properties, see Group Implementation.

1.15. create-http-authorization-mechanism

Creates HTTP Authorization Mechanisms.

The dsconfig create-http-authorization-mechanism command takes the following options:

--mechanism-name {name}

The name of the new HTTP Authorization Mechanism.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of HTTP Authorization Mechanism which should be created. The value for TYPE can be one of: http-anonymous-authorization-mechanism | http-basic-authorization-mechanism | http-oauth2-cts-authorization-mechanism | http-oauth2-file-authorization-mechanism | http-oauth2-openam-authorization-mechanism | http-oauth2-token-introspection-authorization-mechanism.

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Authorization Mechanism.

1.16. create-http-endpoint

Creates HTTP Endpoints.

The dsconfig create-http-endpoint command takes the following options:

--endpoint-name {STRING}

The name of the new HTTP Endpoint which will also be used as the value of the "base-path" property: All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of HTTP Endpoint which should be created (Default: generic). The value for TYPE can be one of: admin-endpoint | generic | rest2ldap-endpoint.

Default: generic

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Endpoint.

1.17. create-identity-mapper

Creates Identity Mappers.

The dsconfig create-identity-mapper command takes the following options:

--mapper-name {name}

The name of the new Identity Mapper.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Identity Mapper which should be created. The value for TYPE can be one of: custom | exact-match | regular-expression.

Properties used in options depend on the type of object to configure.

For details about available properties, see Identity Mapper.

1.18. create-key-manager-provider

Creates Key Manager Providers.

The dsconfig create-key-manager-provider command takes the following options:

--provider-name {name}

The name of the new Key Manager Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Key Manager Provider which should be created. The value for TYPE can be one of: custom | file-based | ldap | pkcs11.

Properties used in options depend on the type of object to configure.

For details about available properties, see Key Manager Provider.

1.19. create-log-publisher

Creates Log Publishers.

The dsconfig create-log-publisher command takes the following options:

--publisher-name {name}

The name of the new Log Publisher.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Log Publisher which should be created. The value for TYPE can be one of: csv-file-access | csv-file-http-access | custom-access | custom-debug | custom-error | custom-http-access | external-access | external-http-access | file-based-access | file-based-audit | file-based-debug | file-based-error | file-based-http-access | json-file-access | json-file-http-access.

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Publisher.

1.20. create-log-retention-policy

Creates Log Retention Policies.

The dsconfig create-log-retention-policy command takes the following options:

--policy-name {name}

The name of the new Log Retention Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Log Retention Policy which should be created. The value for TYPE can be one of: custom | file-count | free-disk-space | size-limit.

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Retention Policy.

1.21. create-log-rotation-policy

Creates Log Rotation Policies.

The dsconfig create-log-rotation-policy command takes the following options:

--policy-name {name}

The name of the new Log Rotation Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Log Rotation Policy which should be created. The value for TYPE can be one of: custom | fixed-time | size-limit | time-limit.

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Rotation Policy.

1.22. create-monitor-provider

Creates Monitor Providers.

The dsconfig create-monitor-provider command takes the following options:

--provider-name {name}

The name of the new Monitor Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Monitor Provider which should be created. The value for TYPE can be one of: client-connection | custom | entry-cache | memory-usage | stack-trace | system-info | version.

Properties used in options depend on the type of object to configure.

For details about available properties, see Monitor Provider.

1.23. create-password-generator

Creates Password Generators.

The dsconfig create-password-generator command takes the following options:

--generator-name {name}

The name of the new Password Generator.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Password Generator which should be created. The value for TYPE can be one of: custom | random.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Generator.

1.24. create-password-policy

Creates Authentication Policies.

The dsconfig create-password-policy command takes the following options:

--policy-name {name}

The name of the new Authentication Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Authentication Policy which should be created. The value for TYPE can be one of: ldap-pass-through | password-policy.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Policy.

1.25. create-password-storage-scheme

Creates Password Storage Schemes.

The dsconfig create-password-storage-scheme command takes the following options:

--scheme-name {name}

The name of the new Password Storage Scheme.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Password Storage Scheme which should be created. The value for TYPE can be one of: aes | base64 | bcrypt | blowfish | clear | crypt | custom | md5 | pbkdf2 | pkcs5s2 | rc4 | salted-md5 | salted-sha1 | salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Storage Scheme.

1.26. create-password-validator

Creates Password Validators.

The dsconfig create-password-validator command takes the following options:

--validator-name {name}

The name of the new Password Validator.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Password Validator which should be created. The value for TYPE can be one of: attribute-value | character-set | custom | dictionary | length-based | repeated-characters | similarity-based | unique-characters.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Validator.

1.27. create-plugin

Creates Plugins.

The dsconfig create-plugin command takes the following options:

--plugin-name {name}

The name of the new Plugin.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Plugin which should be created. The value for TYPE can be one of: attribute-cleanup | change-number-control | custom | entry-uuid | fractional-ldif-import | last-mod | ldap-attribute-description-list | password-policy-import | profiler | referential-integrity | samba-password | seven-bit-clean | unique-attribute.

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin.

1.28. create-replication-domain

Creates Replication Domains.

The dsconfig create-replication-domain command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--domain-name {name}

The name of the new Replication Domain.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Domain.

1.29. create-replication-server

Creates Replication Servers.

The dsconfig create-replication-server command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Server.

1.30. create-sasl-mechanism-handler

Creates SASL Mechanism Handlers.

The dsconfig create-sasl-mechanism-handler command takes the following options:

--handler-name {name}

The name of the new SASL Mechanism Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of SASL Mechanism Handler which should be created. The value for TYPE can be one of: anonymous | cram-md5 | custom | digest-md5 | external | gssapi | plain.

Properties used in options depend on the type of object to configure.

For details about available properties, see SASL Mechanism Handler.

1.31. create-schema-provider

Creates Schema Providers.

The dsconfig create-schema-provider command takes the following options:

--provider-name {name}

The name of the new Schema Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Schema Provider which should be created (Default: generic). The value for TYPE can be one of: core-schema | generic | json-schema.

Default: generic

Properties used in options depend on the type of object to configure.

For details about available properties, see Schema Provider.

1.32. create-service-discovery-mechanism

Creates Service Discovery Mechanisms.

The dsconfig create-service-discovery-mechanism command takes the following options:

--mechanism-name {name}

The name of the new Service Discovery Mechanism.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Service Discovery Mechanism which should be created. The value for TYPE can be one of: custom | replication | static.

Properties used in options depend on the type of object to configure.

For details about available properties, see Service Discovery Mechanism.

1.33. create-synchronization-provider

Creates Synchronization Providers.

The dsconfig create-synchronization-provider command takes the following options:

--provider-name {name}

The name of the new Synchronization Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Synchronization Provider which should be created. The value for TYPE can be one of: custom | replication.

Properties used in options depend on the type of object to configure.

For details about available properties, see Synchronization Provider.

1.34. create-trust-manager-provider

Creates Trust Manager Providers.

The dsconfig create-trust-manager-provider command takes the following options:

--provider-name {name}

The name of the new Trust Manager Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Trust Manager Provider which should be created. The value for TYPE can be one of: blind | custom | file-based | ldap | pkcs11.

Properties used in options depend on the type of object to configure.

For details about available properties, see Trust Manager Provider.

1.35. create-virtual-attribute

Creates Virtual Attributes.

The dsconfig create-virtual-attribute command takes the following options:

--name {name}

The name of the new Virtual Attribute.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

-t | --type {type}

The type of Virtual Attribute which should be created. The value for TYPE can be one of: collective-attribute-subentries | custom | entity-tag | entry-dn | entry-uuid | governing-structure-rule | has-subordinates | is-member-of | member | num-subordinates | password-expiration-time | password-policy-subentry | structural-object-class | subschema-subentry | user-defined.

Properties used in options depend on the type of object to configure.

For details about available properties, see Virtual Attribute.

1.36. delete-access-log-filtering-criteria

Deletes Access Log Filtering Criteria.

The dsconfig delete-access-log-filtering-criteria command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

--criteria-name {name}

The name of the Access Log Filtering Criteria.

-f | --force

Ignore non-existent Access Log Filtering Criteria.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Log Filtering Criteria.

1.37. delete-account-status-notification-handler

Deletes Account Status Notification Handlers.

The dsconfig delete-account-status-notification-handler command takes the following options:

--handler-name {name}

The name of the Account Status Notification Handler.

-f | --force

Ignore non-existent Account Status Notification Handlers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Account Status Notification Handler.

1.38. delete-alert-handler

Deletes Alert Handlers.

The dsconfig delete-alert-handler command takes the following options:

--handler-name {name}

The name of the Alert Handler.

-f | --force

Ignore non-existent Alert Handlers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Alert Handler.

1.39. delete-backend

Deletes Backends.

The dsconfig delete-backend command takes the following options:

--backend-name {name}

The name of the Backend.

-f | --force

Ignore non-existent Backends.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend.

1.40. delete-backend-index

Deletes Backend Indexes.

The dsconfig delete-backend-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {name}

The name of the Backend Index.

-f | --force

Ignore non-existent Backend Indexes.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend Index.

1.41. delete-backend-vlv-index

Deletes Backend VLV Indexes.

The dsconfig delete-backend-vlv-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {name}

The name of the Backend VLV Index.

-f | --force

Ignore non-existent Backend VLV Indexes.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend VLV Index.

1.42. delete-certificate-mapper

Deletes Certificate Mappers.

The dsconfig delete-certificate-mapper command takes the following options:

--mapper-name {name}

The name of the Certificate Mapper.

-f | --force

Ignore non-existent Certificate Mappers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Certificate Mapper.

1.43. delete-connection-handler

Deletes Connection Handlers.

The dsconfig delete-connection-handler command takes the following options:

--handler-name {name}

The name of the Connection Handler.

-f | --force

Ignore non-existent Connection Handlers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Connection Handler.

1.44. delete-debug-target

Deletes Debug Targets.

The dsconfig delete-debug-target command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

--target-name {name}

The name of the Debug Target.

-f | --force

Ignore non-existent Debug Targets.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Debug Target.

1.45. delete-entry-cache

Deletes Entry Caches.

The dsconfig delete-entry-cache command takes the following options:

--cache-name {name}

The name of the Entry Cache.

-f | --force

Ignore non-existent Entry Caches.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Entry Cache.

1.46. delete-extended-operation-handler

Deletes Extended Operation Handlers.

The dsconfig delete-extended-operation-handler command takes the following options:

--handler-name {name}

The name of the Extended Operation Handler.

-f | --force

Ignore non-existent Extended Operation Handlers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Extended Operation Handler.

1.47. delete-global-access-control-policy

Deletes Global Access Control Policies.

The dsconfig delete-global-access-control-policy command takes the following options:

--policy-name {name}

The name of the Global Access Control Policy.

-f | --force

Ignore non-existent Global Access Control Policies.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Access Control Policy.

1.48. delete-group-implementation

Deletes Group Implementations.

The dsconfig delete-group-implementation command takes the following options:

--implementation-name {name}

The name of the Group Implementation.

-f | --force

Ignore non-existent Group Implementations.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Group Implementation.

1.49. delete-http-authorization-mechanism

Deletes HTTP Authorization Mechanisms.

The dsconfig delete-http-authorization-mechanism command takes the following options:

--mechanism-name {name}

The name of the HTTP Authorization Mechanism.

-f | --force

Ignore non-existent HTTP Authorization Mechanisms.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Authorization Mechanism.

1.50. delete-http-endpoint

Deletes HTTP Endpoints.

The dsconfig delete-http-endpoint command takes the following options:

--endpoint-name {name}

The name of the HTTP Endpoint.

-f | --force

Ignore non-existent HTTP Endpoints.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Endpoint.

1.51. delete-identity-mapper

Deletes Identity Mappers.

The dsconfig delete-identity-mapper command takes the following options:

--mapper-name {name}

The name of the Identity Mapper.

-f | --force

Ignore non-existent Identity Mappers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Identity Mapper.

1.52. delete-key-manager-provider

Deletes Key Manager Providers.

The dsconfig delete-key-manager-provider command takes the following options:

--provider-name {name}

The name of the Key Manager Provider.

-f | --force

Ignore non-existent Key Manager Providers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Key Manager Provider.

1.53. delete-log-publisher

Deletes Log Publishers.

The dsconfig delete-log-publisher command takes the following options:

--publisher-name {name}

The name of the Log Publisher.

-f | --force

Ignore non-existent Log Publishers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Publisher.

1.54. delete-log-retention-policy

Deletes Log Retention Policies.

The dsconfig delete-log-retention-policy command takes the following options:

--policy-name {name}

The name of the Log Retention Policy.

-f | --force

Ignore non-existent Log Retention Policies.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Retention Policy.

1.55. delete-log-rotation-policy

Deletes Log Rotation Policies.

The dsconfig delete-log-rotation-policy command takes the following options:

--policy-name {name}

The name of the Log Rotation Policy.

-f | --force

Ignore non-existent Log Rotation Policies.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Rotation Policy.

1.56. delete-monitor-provider

Deletes Monitor Providers.

The dsconfig delete-monitor-provider command takes the following options:

--provider-name {name}

The name of the Monitor Provider.

-f | --force

Ignore non-existent Monitor Providers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Monitor Provider.

1.57. delete-password-generator

Deletes Password Generators.

The dsconfig delete-password-generator command takes the following options:

--generator-name {name}

The name of the Password Generator.

-f | --force

Ignore non-existent Password Generators.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Generator.

1.58. delete-password-policy

Deletes Authentication Policies.

The dsconfig delete-password-policy command takes the following options:

--policy-name {name}

The name of the Authentication Policy.

-f | --force

Ignore non-existent Authentication Policies.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Policy.

1.59. delete-password-storage-scheme

Deletes Password Storage Schemes.

The dsconfig delete-password-storage-scheme command takes the following options:

--scheme-name {name}

The name of the Password Storage Scheme.

-f | --force

Ignore non-existent Password Storage Schemes.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Storage Scheme.

1.60. delete-password-validator

Deletes Password Validators.

The dsconfig delete-password-validator command takes the following options:

--validator-name {name}

The name of the Password Validator.

-f | --force

Ignore non-existent Password Validators.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Validator.

1.61. delete-plugin

Deletes Plugins.

The dsconfig delete-plugin command takes the following options:

--plugin-name {name}

The name of the Plugin.

-f | --force

Ignore non-existent Plugins.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin.

1.62. delete-replication-domain

Deletes Replication Domains.

The dsconfig delete-replication-domain command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--domain-name {name}

The name of the Replication Domain.

-f | --force

Ignore non-existent Replication Domains.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Domain.

1.63. delete-replication-server

Deletes Replication Servers.

The dsconfig delete-replication-server command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

-f | --force

Ignore non-existent Replication Servers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Server.

1.64. delete-sasl-mechanism-handler

Deletes SASL Mechanism Handlers.

The dsconfig delete-sasl-mechanism-handler command takes the following options:

--handler-name {name}

The name of the SASL Mechanism Handler.

-f | --force

Ignore non-existent SASL Mechanism Handlers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see SASL Mechanism Handler.

1.65. delete-schema-provider

Deletes Schema Providers.

The dsconfig delete-schema-provider command takes the following options:

--provider-name {name}

The name of the Schema Provider.

-f | --force

Ignore non-existent Schema Providers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Schema Provider.

1.66. delete-service-discovery-mechanism

Deletes Service Discovery Mechanisms.

The dsconfig delete-service-discovery-mechanism command takes the following options:

--mechanism-name {name}

The name of the Service Discovery Mechanism.

-f | --force

Ignore non-existent Service Discovery Mechanisms.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Service Discovery Mechanism.

1.67. delete-synchronization-provider

Deletes Synchronization Providers.

The dsconfig delete-synchronization-provider command takes the following options:

--provider-name {name}

The name of the Synchronization Provider.

-f | --force

Ignore non-existent Synchronization Providers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Synchronization Provider.

1.68. delete-trust-manager-provider

Deletes Trust Manager Providers.

The dsconfig delete-trust-manager-provider command takes the following options:

--provider-name {name}

The name of the Trust Manager Provider.

-f | --force

Ignore non-existent Trust Manager Providers.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Trust Manager Provider.

1.69. delete-virtual-attribute

Deletes Virtual Attributes.

The dsconfig delete-virtual-attribute command takes the following options:

--name {name}

The name of the Virtual Attribute.

-f | --force

Ignore non-existent Virtual Attributes.

Default: false

Properties used in options depend on the type of object to configure.

For details about available properties, see Virtual Attribute.

1.70. get-access-control-handler-prop

Shows Access Control Handler properties.

The dsconfig get-access-control-handler-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Control Handler.

1.71. get-access-log-filtering-criteria-prop

Shows Access Log Filtering Criteria properties.

The dsconfig get-access-log-filtering-criteria-prop command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

--criteria-name {name}

The name of the Access Log Filtering Criteria.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Log Filtering Criteria.

1.72. get-account-status-notification-handler-prop

Shows Account Status Notification Handler properties.

The dsconfig get-account-status-notification-handler-prop command takes the following options:

--handler-name {name}

The name of the Account Status Notification Handler.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Account Status Notification Handler.

1.73. get-administration-connector-prop

Shows Administration Connector properties.

The dsconfig get-administration-connector-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Administration Connector.

1.74. get-alert-handler-prop

Shows Alert Handler properties.

The dsconfig get-alert-handler-prop command takes the following options:

--handler-name {name}

The name of the Alert Handler.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Alert Handler.

1.75. get-backend-index-prop

Shows Backend Index properties.

The dsconfig get-backend-index-prop command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {name}

The name of the Backend Index.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend Index.

1.76. get-backend-prop

Shows Backend properties.

The dsconfig get-backend-prop command takes the following options:

--backend-name {name}

The name of the Backend.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend.

1.77. get-backend-vlv-index-prop

Shows Backend VLV Index properties.

The dsconfig get-backend-vlv-index-prop command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {name}

The name of the Backend VLV Index.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend VLV Index.

1.78. get-certificate-mapper-prop

Shows Certificate Mapper properties.

The dsconfig get-certificate-mapper-prop command takes the following options:

--mapper-name {name}

The name of the Certificate Mapper.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Certificate Mapper.

1.79. get-connection-handler-prop

Shows Connection Handler properties.

The dsconfig get-connection-handler-prop command takes the following options:

--handler-name {name}

The name of the Connection Handler.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Connection Handler.

1.80. get-crypto-manager-prop

Shows Crypto Manager properties.

The dsconfig get-crypto-manager-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Crypto Manager.

1.81. get-debug-target-prop

Shows Debug Target properties.

The dsconfig get-debug-target-prop command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

--target-name {name}

The name of the Debug Target.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Debug Target.

1.82. get-entry-cache-prop

Shows Entry Cache properties.

The dsconfig get-entry-cache-prop command takes the following options:

--cache-name {name}

The name of the Entry Cache.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Entry Cache.

1.83. get-extended-operation-handler-prop

Shows Extended Operation Handler properties.

The dsconfig get-extended-operation-handler-prop command takes the following options:

--handler-name {name}

The name of the Extended Operation Handler.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Extended Operation Handler.

1.84. get-external-changelog-domain-prop

Shows External Changelog Domain properties.

The dsconfig get-external-changelog-domain-prop command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--domain-name {name}

The name of the Replication Domain.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see External Changelog Domain.

1.85. get-global-access-control-policy-prop

Shows Global Access Control Policy properties.

The dsconfig get-global-access-control-policy-prop command takes the following options:

--policy-name {name}

The name of the Global Access Control Policy.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Access Control Policy.

1.86. get-global-configuration-prop

Shows Global Configuration properties.

The dsconfig get-global-configuration-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Configuration.

1.87. get-group-implementation-prop

Shows Group Implementation properties.

The dsconfig get-group-implementation-prop command takes the following options:

--implementation-name {name}

The name of the Group Implementation.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Group Implementation.

1.88. get-http-authorization-mechanism-prop

Shows HTTP Authorization Mechanism properties.

The dsconfig get-http-authorization-mechanism-prop command takes the following options:

--mechanism-name {name}

The name of the HTTP Authorization Mechanism.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Authorization Mechanism.

1.89. get-http-endpoint-prop

Shows HTTP Endpoint properties.

The dsconfig get-http-endpoint-prop command takes the following options:

--endpoint-name {name}

The name of the HTTP Endpoint.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Endpoint.

1.90. get-identity-mapper-prop

Shows Identity Mapper properties.

The dsconfig get-identity-mapper-prop command takes the following options:

--mapper-name {name}

The name of the Identity Mapper.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Identity Mapper.

1.91. get-key-manager-provider-prop

Shows Key Manager Provider properties.

The dsconfig get-key-manager-provider-prop command takes the following options:

--provider-name {name}

The name of the Key Manager Provider.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Key Manager Provider.

1.92. get-log-publisher-prop

Shows Log Publisher properties.

The dsconfig get-log-publisher-prop command takes the following options:

--publisher-name {name}

The name of the Log Publisher.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Publisher.

1.93. get-log-retention-policy-prop

Shows Log Retention Policy properties.

The dsconfig get-log-retention-policy-prop command takes the following options:

--policy-name {name}

The name of the Log Retention Policy.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Retention Policy.

1.94. get-log-rotation-policy-prop

Shows Log Rotation Policy properties.

The dsconfig get-log-rotation-policy-prop command takes the following options:

--policy-name {name}

The name of the Log Rotation Policy.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Rotation Policy.

1.95. get-monitor-provider-prop

Shows Monitor Provider properties.

The dsconfig get-monitor-provider-prop command takes the following options:

--provider-name {name}

The name of the Monitor Provider.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Monitor Provider.

1.96. get-password-generator-prop

Shows Password Generator properties.

The dsconfig get-password-generator-prop command takes the following options:

--generator-name {name}

The name of the Password Generator.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Generator.

1.97. get-password-policy-prop

Shows Authentication Policy properties.

The dsconfig get-password-policy-prop command takes the following options:

--policy-name {name}

The name of the Authentication Policy.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Policy.

1.98. get-password-storage-scheme-prop

Shows Password Storage Scheme properties.

The dsconfig get-password-storage-scheme-prop command takes the following options:

--scheme-name {name}

The name of the Password Storage Scheme.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Storage Scheme.

1.99. get-password-validator-prop

Shows Password Validator properties.

The dsconfig get-password-validator-prop command takes the following options:

--validator-name {name}

The name of the Password Validator.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Validator.

1.100. get-plugin-prop

Shows Plugin properties.

The dsconfig get-plugin-prop command takes the following options:

--plugin-name {name}

The name of the Plugin.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin.

1.101. get-plugin-root-prop

Shows Plugin Root properties.

The dsconfig get-plugin-root-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin Root.

1.102. get-replication-domain-prop

Shows Replication Domain properties.

The dsconfig get-replication-domain-prop command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--domain-name {name}

The name of the Replication Domain.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Domain.

1.103. get-replication-server-prop

Shows Replication Server properties.

The dsconfig get-replication-server-prop command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Server.

1.104. get-root-dn-prop

Shows Root DN properties.

The dsconfig get-root-dn-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Root DN.

1.105. get-root-dse-backend-prop

Shows Root DSE Backend properties.

The dsconfig get-root-dse-backend-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Root DSE Backend.

1.106. get-sasl-mechanism-handler-prop

Shows SASL Mechanism Handler properties.

The dsconfig get-sasl-mechanism-handler-prop command takes the following options:

--handler-name {name}

The name of the SASL Mechanism Handler.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see SASL Mechanism Handler.

1.107. get-schema-provider-prop

Shows Schema Provider properties.

The dsconfig get-schema-provider-prop command takes the following options:

--provider-name {name}

The name of the Schema Provider.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Schema Provider.

1.108. get-service-discovery-mechanism-prop

Shows Service Discovery Mechanism properties.

The dsconfig get-service-discovery-mechanism-prop command takes the following options:

--mechanism-name {name}

The name of the Service Discovery Mechanism.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Service Discovery Mechanism.

1.109. get-synchronization-provider-prop

Shows Synchronization Provider properties.

The dsconfig get-synchronization-provider-prop command takes the following options:

--provider-name {name}

The name of the Synchronization Provider.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Synchronization Provider.

1.110. get-trust-manager-provider-prop

Shows Trust Manager Provider properties.

The dsconfig get-trust-manager-provider-prop command takes the following options:

--provider-name {name}

The name of the Trust Manager Provider.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Trust Manager Provider.

1.111. get-virtual-attribute-prop

Shows Virtual Attribute properties.

The dsconfig get-virtual-attribute-prop command takes the following options:

--name {name}

The name of the Virtual Attribute.

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Virtual Attribute.

1.112. get-work-queue-prop

Shows Work Queue properties.

The dsconfig get-work-queue-prop command takes the following options:

--property {property}

The name of a property to be displayed.

--record

Modifies the display output to show one property value per line.

Default: false

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Work Queue.

1.113. list-access-log-filtering-criteria

Lists existing Access Log Filtering Criteria.

The dsconfig list-access-log-filtering-criteria command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Log Filtering Criteria.

1.114. list-account-status-notification-handlers

Lists existing Account Status Notification Handlers.

The dsconfig list-account-status-notification-handlers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Account Status Notification Handler.

1.115. list-alert-handlers

Lists existing Alert Handlers.

The dsconfig list-alert-handlers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Alert Handler.

1.116. list-backend-indexes

Lists existing Backend Indexes.

The dsconfig list-backend-indexes command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend Index.

1.117. list-backend-vlv-indexes

Lists existing Backend VLV Indexes.

The dsconfig list-backend-vlv-indexes command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend VLV Index.

1.118. list-backends

Lists existing Backends.

The dsconfig list-backends command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend.

1.119. list-certificate-mappers

Lists existing Certificate Mappers.

The dsconfig list-certificate-mappers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Certificate Mapper.

1.120. list-connection-handlers

Lists existing Connection Handlers.

The dsconfig list-connection-handlers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Connection Handler.

1.121. list-debug-targets

Lists existing Debug Targets.

The dsconfig list-debug-targets command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Debug Target.

1.122. list-entry-caches

Lists existing Entry Caches.

The dsconfig list-entry-caches command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Entry Cache.

1.123. list-extended-operation-handlers

Lists existing Extended Operation Handlers.

The dsconfig list-extended-operation-handlers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Extended Operation Handler.

1.124. list-global-access-control-policies

Lists existing Global Access Control Policies.

The dsconfig list-global-access-control-policies command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Access Control Policy.

1.125. list-group-implementations

Lists existing Group Implementations.

The dsconfig list-group-implementations command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Group Implementation.

1.126. list-http-authorization-mechanisms

Lists existing HTTP Authorization Mechanisms.

The dsconfig list-http-authorization-mechanisms command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Authorization Mechanism.

1.127. list-http-endpoints

Lists existing HTTP Endpoints.

The dsconfig list-http-endpoints command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Endpoint.

1.128. list-identity-mappers

Lists existing Identity Mappers.

The dsconfig list-identity-mappers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Identity Mapper.

1.129. list-key-manager-providers

Lists existing Key Manager Providers.

The dsconfig list-key-manager-providers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Key Manager Provider.

1.130. list-log-publishers

Lists existing Log Publishers.

The dsconfig list-log-publishers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Publisher.

1.131. list-log-retention-policies

Lists existing Log Retention Policies.

The dsconfig list-log-retention-policies command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Retention Policy.

1.132. list-log-rotation-policies

Lists existing Log Rotation Policies.

The dsconfig list-log-rotation-policies command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Rotation Policy.

1.133. list-monitor-providers

Lists existing Monitor Providers.

The dsconfig list-monitor-providers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Monitor Provider.

1.134. list-password-generators

Lists existing Password Generators.

The dsconfig list-password-generators command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Generator.

1.135. list-password-policies

Lists existing Password Policies.

The dsconfig list-password-policies command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Policy.

1.136. list-password-storage-schemes

Lists existing Password Storage Schemes.

The dsconfig list-password-storage-schemes command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Storage Scheme.

1.137. list-password-validators

Lists existing Password Validators.

The dsconfig list-password-validators command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Validator.

1.138. list-plugins

Lists existing Plugins.

The dsconfig list-plugins command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin.

1.139. list-properties

Describes managed objects and their properties.

The dsconfig list-properties command takes the following options:

-c | --category {category}

The category of components whose properties should be described.

-t | --type {type}

The type of components whose properties should be described. The value for TYPE must be one of the component types associated with the CATEGORY specified using the "--category" option.

--inherited

Modifies the display output to show the inherited properties of components.

Default: false

--property {property}

The name of a property to be displayed.

1.140. list-replication-domains

Lists existing Replication Domains.

The dsconfig list-replication-domains command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Domain.

1.141. list-replication-server

Lists existing Replication Server.

The dsconfig list-replication-server command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Server.

1.142. list-sasl-mechanism-handlers

Lists existing SASL Mechanism Handlers.

The dsconfig list-sasl-mechanism-handlers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see SASL Mechanism Handler.

1.143. list-schema-providers

Lists existing Schema Providers.

The dsconfig list-schema-providers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Schema Provider.

1.144. list-service-discovery-mechanisms

Lists existing Service Discovery Mechanisms.

The dsconfig list-service-discovery-mechanisms command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Service Discovery Mechanism.

1.145. list-synchronization-providers

Lists existing Synchronization Providers.

The dsconfig list-synchronization-providers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Synchronization Provider.

1.146. list-trust-manager-providers

Lists existing Trust Manager Providers.

The dsconfig list-trust-manager-providers command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Trust Manager Provider.

1.147. list-virtual-attributes

Lists existing Virtual Attributes.

The dsconfig list-virtual-attributes command takes the following options:

--property {property}

The name of a property to be displayed.

-z | --unit-size {unit}

Display size data using the specified unit. The value for UNIT can be one of b, kb, mb, gb, or tb (bytes, kilobytes, megabytes, gigabytes, or terabytes).

-m | --unit-time {unit}

Display time data using the specified unit. The value for UNIT can be one of ms, s, m, h, d, or w (milliseconds, seconds, minutes, hours, days, or weeks).

Properties used in options depend on the type of object to configure.

For details about available properties, see Virtual Attribute.

1.148. set-access-control-handler-prop

Modifies Access Control Handler properties.

The dsconfig set-access-control-handler-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Control Handler.

1.149. set-access-log-filtering-criteria-prop

Modifies Access Log Filtering Criteria properties.

The dsconfig set-access-log-filtering-criteria-prop command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

--criteria-name {name}

The name of the Access Log Filtering Criteria.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Access Log Filtering Criteria.

1.150. set-account-status-notification-handler-prop

Modifies Account Status Notification Handler properties.

The dsconfig set-account-status-notification-handler-prop command takes the following options:

--handler-name {name}

The name of the Account Status Notification Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Account Status Notification Handler.

1.151. set-administration-connector-prop

Modifies Administration Connector properties.

The dsconfig set-administration-connector-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Administration Connector.

1.152. set-alert-handler-prop

Modifies Alert Handler properties.

The dsconfig set-alert-handler-prop command takes the following options:

--handler-name {name}

The name of the Alert Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Alert Handler.

1.153. set-backend-index-prop

Modifies Backend Index properties.

The dsconfig set-backend-index-prop command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {name}

The name of the Backend Index.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend Index.

1.154. set-backend-prop

Modifies Backend properties.

The dsconfig set-backend-prop command takes the following options:

--backend-name {name}

The name of the Backend.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend.

1.155. set-backend-vlv-index-prop

Modifies Backend VLV Index properties.

The dsconfig set-backend-vlv-index-prop command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

--index-name {name}

The name of the Backend VLV Index.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Backend VLV Index.

1.156. set-certificate-mapper-prop

Modifies Certificate Mapper properties.

The dsconfig set-certificate-mapper-prop command takes the following options:

--mapper-name {name}

The name of the Certificate Mapper.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Certificate Mapper.

1.157. set-connection-handler-prop

Modifies Connection Handler properties.

The dsconfig set-connection-handler-prop command takes the following options:

--handler-name {name}

The name of the Connection Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Connection Handler.

1.158. set-crypto-manager-prop

Modifies Crypto Manager properties.

The dsconfig set-crypto-manager-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Crypto Manager.

1.159. set-debug-target-prop

Modifies Debug Target properties.

The dsconfig set-debug-target-prop command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

--target-name {name}

The name of the Debug Target.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Debug Target.

1.160. set-entry-cache-prop

Modifies Entry Cache properties.

The dsconfig set-entry-cache-prop command takes the following options:

--cache-name {name}

The name of the Entry Cache.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Entry Cache.

1.161. set-extended-operation-handler-prop

Modifies Extended Operation Handler properties.

The dsconfig set-extended-operation-handler-prop command takes the following options:

--handler-name {name}

The name of the Extended Operation Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Extended Operation Handler.

1.162. set-external-changelog-domain-prop

Modifies External Changelog Domain properties.

The dsconfig set-external-changelog-domain-prop command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--domain-name {name}

The name of the Replication Domain.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see External Changelog Domain.

1.163. set-global-access-control-policy-prop

Modifies Global Access Control Policy properties.

The dsconfig set-global-access-control-policy-prop command takes the following options:

--policy-name {name}

The name of the Global Access Control Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Access Control Policy.

1.164. set-global-configuration-prop

Modifies Global Configuration properties.

The dsconfig set-global-configuration-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Global Configuration.

1.165. set-group-implementation-prop

Modifies Group Implementation properties.

The dsconfig set-group-implementation-prop command takes the following options:

--implementation-name {name}

The name of the Group Implementation.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Group Implementation.

1.166. set-http-authorization-mechanism-prop

Modifies HTTP Authorization Mechanism properties.

The dsconfig set-http-authorization-mechanism-prop command takes the following options:

--mechanism-name {name}

The name of the HTTP Authorization Mechanism.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Authorization Mechanism.

1.167. set-http-endpoint-prop

Modifies HTTP Endpoint properties.

The dsconfig set-http-endpoint-prop command takes the following options:

--endpoint-name {name}

The name of the HTTP Endpoint.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see HTTP Endpoint.

1.168. set-identity-mapper-prop

Modifies Identity Mapper properties.

The dsconfig set-identity-mapper-prop command takes the following options:

--mapper-name {name}

The name of the Identity Mapper.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Identity Mapper.

1.169. set-key-manager-provider-prop

Modifies Key Manager Provider properties.

The dsconfig set-key-manager-provider-prop command takes the following options:

--provider-name {name}

The name of the Key Manager Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Key Manager Provider.

1.170. set-log-publisher-prop

Modifies Log Publisher properties.

The dsconfig set-log-publisher-prop command takes the following options:

--publisher-name {name}

The name of the Log Publisher.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Publisher.

1.171. set-log-retention-policy-prop

Modifies Log Retention Policy properties.

The dsconfig set-log-retention-policy-prop command takes the following options:

--policy-name {name}

The name of the Log Retention Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Retention Policy.

1.172. set-log-rotation-policy-prop

Modifies Log Rotation Policy properties.

The dsconfig set-log-rotation-policy-prop command takes the following options:

--policy-name {name}

The name of the Log Rotation Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Log Rotation Policy.

1.173. set-monitor-provider-prop

Modifies Monitor Provider properties.

The dsconfig set-monitor-provider-prop command takes the following options:

--provider-name {name}

The name of the Monitor Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Monitor Provider.

1.174. set-password-generator-prop

Modifies Password Generator properties.

The dsconfig set-password-generator-prop command takes the following options:

--generator-name {name}

The name of the Password Generator.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Generator.

1.175. set-password-policy-prop

Modifies Authentication Policy properties.

The dsconfig set-password-policy-prop command takes the following options:

--policy-name {name}

The name of the Authentication Policy.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Policy.

1.176. set-password-storage-scheme-prop

Modifies Password Storage Scheme properties.

The dsconfig set-password-storage-scheme-prop command takes the following options:

--scheme-name {name}

The name of the Password Storage Scheme.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Storage Scheme.

1.177. set-password-validator-prop

Modifies Password Validator properties.

The dsconfig set-password-validator-prop command takes the following options:

--validator-name {name}

The name of the Password Validator.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Password Validator.

1.178. set-plugin-prop

Modifies Plugin properties.

The dsconfig set-plugin-prop command takes the following options:

--plugin-name {name}

The name of the Plugin.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin.

1.179. set-plugin-root-prop

Modifies Plugin Root properties.

The dsconfig set-plugin-root-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Plugin Root.

1.180. set-replication-domain-prop

Modifies Replication Domain properties.

The dsconfig set-replication-domain-prop command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--domain-name {name}

The name of the Replication Domain.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Domain.

1.181. set-replication-server-prop

Modifies Replication Server properties.

The dsconfig set-replication-server-prop command takes the following options:

--provider-name {name}

The name of the Replication Synchronization Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Replication Server.

1.182. set-root-dn-prop

Modifies Root DN properties.

The dsconfig set-root-dn-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Root DN.

1.183. set-root-dse-backend-prop

Modifies Root DSE Backend properties.

The dsconfig set-root-dse-backend-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Root DSE Backend.

1.184. set-sasl-mechanism-handler-prop

Modifies SASL Mechanism Handler properties.

The dsconfig set-sasl-mechanism-handler-prop command takes the following options:

--handler-name {name}

The name of the SASL Mechanism Handler.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see SASL Mechanism Handler.

1.185. set-schema-provider-prop

Modifies Schema Provider properties.

The dsconfig set-schema-provider-prop command takes the following options:

--provider-name {name}

The name of the Schema Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Schema Provider.

1.186. set-service-discovery-mechanism-prop

Modifies Service Discovery Mechanism properties.

The dsconfig set-service-discovery-mechanism-prop command takes the following options:

--mechanism-name {name}

The name of the Service Discovery Mechanism.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Service Discovery Mechanism.

1.187. set-synchronization-provider-prop

Modifies Synchronization Provider properties.

The dsconfig set-synchronization-provider-prop command takes the following options:

--provider-name {name}

The name of the Synchronization Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Synchronization Provider.

1.188. set-trust-manager-provider-prop

Modifies Trust Manager Provider properties.

The dsconfig set-trust-manager-provider-prop command takes the following options:

--provider-name {name}

The name of the Trust Manager Provider.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Trust Manager Provider.

1.189. set-virtual-attribute-prop

Modifies Virtual Attribute properties.

The dsconfig set-virtual-attribute-prop command takes the following options:

--name {name}

The name of the Virtual Attribute.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Virtual Attribute.

1.190. set-work-queue-prop

Modifies Work Queue properties.

The dsconfig set-work-queue-prop command takes the following options:

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

--reset {property}

Resets a property back to its default values where PROP is the name of the property to be reset.

--add {PROP:VALUE}

Adds a single value to a property where PROP is the name of the property and VALUE is the single value to be added.

--remove {PROP:VALUE}

Removes a single value from a property where PROP is the name of the property and VALUE is the single value to be removed.

Properties used in options depend on the type of object to configure.

For details about available properties, see Work Queue.

Chapter 2. Objects

This chapter describes dsconfig configuration objects.

2.1. Objects by Inheritance

This section lists inheritance relationships between configuration objects.

2.1.1. Core Server

2.2. Access Control Handler

This is an abstract object type that cannot be instantiated.

Access Control Handlers manage the application-wide access control. The OpenDJ access control handler is defined through an extensible interface, so that alternate implementations can be created. Only one access control handler may be active in the server at any given time.

Note that OpenDJ also has a privilege subsystem, which may have an impact on what clients may be allowed to do in the server. For example, any user with the bypass-acl privilege is not subject to access control checking regardless of whether the access control implementation is enabled.

2.2.1. Access Control Handlers

The following Access Control Handlers are available:

These Access Control Handlers inherit the properties described below.

2.2.2. Basic Properties

enabled

SynopsisIndicates whether the Access Control Handler is enabled. If set to FALSE, then no access control is enforced, and any client (including unauthenticated or anonymous clients) could be allowed to perform any operation if not subject to other restrictions, such as those enforced by the privilege subsystem.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Access Control Handler implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AccessControlHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.3. Access Log Filtering Criteria

A set of rules which together determine whether a log record should be logged or not.

2.3.1. Dependencies

The following objects have Access Log Filtering Criteria:

2.3.2. Basic Properties

connection-client-address-equal-to

SynopsisFilters log records associated with connections which match at least one of the specified client host names or address masks.
DescriptionValid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
Default Value

None

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-client-address-not-equal-to

SynopsisFilters log records associated with connections which do not match any of the specified client host names or address masks.
DescriptionValid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
Default Value

None

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-port-equal-to

SynopsisFilters log records associated with connections to any of the specified listener port numbers.
Default Value

None

Allowed Values

An integer.

Lower limit: 1.

Upper limit: 65535.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

connection-protocol-equal-to

SynopsisFilters log records associated with connections which match any of the specified protocols.
DescriptionTypical values include "ldap", "ldaps", or "jmx".
Default Value

None

Allowed Values

The protocol name as reported in the access log.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

log-record-type

SynopsisFilters log records based on their type.
Default Value

None

Allowed Values

abandon: Abandon operations

add: Add operations

bind: Bind operations

compare: Compare operations

connect: Client connections

delete: Delete operations

disconnect: Client disconnections

extended: Extended operations

modify: Modify operations

rename: Rename operations

search: Search operations

unbind: Unbind operations

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-equal-to

SynopsisFilters operation log records associated with operations which target entries matching at least one of the specified DN patterns.
DescriptionValid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

request-target-dn-not-equal-to

SynopsisFilters operation log records associated with operations which target entries matching none of the specified DN patterns.
DescriptionValid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-etime-greater-than

SynopsisFilters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-etime-less-than

SynopsisFilters operation response log records associated with operations which took less than the specified number of milli-seconds to complete.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-result-code-equal-to

SynopsisFilters operation response log records associated with operations which include any of the specified result codes.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

response-result-code-not-equal-to

SynopsisFilters operation response log records associated with operations which do not include any of the specified result codes.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

search-response-is-indexed

SynopsisFilters search operation response log records associated with searches which were either indexed or unindexed.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

search-response-nentries-greater-than

SynopsisFilters search operation response log records associated with searches which returned more than the specified number of entries.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

search-response-nentries-less-than

SynopsisFilters search operation response log records associated with searches which returned less than the specified number of entries.
DescriptionIt is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.
Default Value

None

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-dn-equal-to

SynopsisFilters log records associated with users matching at least one of the specified DN patterns.
DescriptionValid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-dn-not-equal-to

SynopsisFilters log records associated with users which do not match any of the specified DN patterns.
DescriptionValid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).
Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-is-member-of

SynopsisFilters log records associated with users which are members of at least one of the specified groups.
Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

user-is-not-member-of

SynopsisFilters log records associated with users which are not members of any of the specified groups.
Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.4. Access Log Publisher

This is an abstract object type that cannot be instantiated.

Access Log Publishers are responsible for distributing access log messages from the access logger to a destination.

Access log messages provide information about the types of operations processed by the server.

2.4.1. Access Log Publishers

The following Access Log Publishers are available:

These Access Log Publishers inherit the properties described below.

2.4.2. Parent

The Access Log Publisher object inherits from Log Publisher.

2.4.3. Dependencies

The following objects belong to Access Log Publishers:

2.4.4. Basic Properties

enabled

SynopsisIndicates whether the Log Publisher is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

filtering-policy

SynopsisSpecifies how filtering criteria should be applied to log records.
Default Value

no-filtering

Allowed Values

exclusive: Records must not match any of the filtering criteria in order to be logged.

inclusive: Records must match at least one of the filtering criteria in order to be logged.

no-filtering: No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisThe fully-qualified name of the Java class that provides the Access Log Publisher implementation.
Default Value

org.opends.server.loggers.AccessLogPublisher

Allowed Values

A Java class that extends or implements:

  • org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.4.5. Advanced Properties

Use the --advanced option to access advanced properties.

suppress-internal-operations

SynopsisIndicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

suppress-synchronization-operations

SynopsisIndicates whether access messages that are generated by synchronization operations should be suppressed.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.5. Account Status Notification Handler

This is an abstract object type that cannot be instantiated.

Account Status Notification Handlers are invoked to provide notification to users in some form (for example, by an email message) when the status of a user's account has changed in some way. The Account Status Notification Handler can be used to notify the user and/or administrators of the change.

2.5.1. Account Status Notification Handlers

The following Account Status Notification Handlers are available:

These Account Status Notification Handlers inherit the properties described below.

2.5.2. Dependencies

The following objects depend on Account Status Notification Handlers:

2.5.3. Basic Properties

enabled

SynopsisIndicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Account Status Notification Handler implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AccountStatusNotificationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.6. Admin Endpoint

The Admin Endpoint provides RESTful access to OpenDJ's monitoring and configuration backends.

2.6.1. Parent

The Admin Endpoint object inherits from HTTP Endpoint.

2.6.2. Basic Properties

authorization-mechanism

SynopsisThe HTTP authorization mechanisms supported by this HTTP Endpoint.
Default Value

None

Allowed Values

The name of an existing HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

base-path

SynopsisAll HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.
Default Value

None

Allowed Values

A string.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

Yes

enabled

SynopsisIndicates whether the HTTP Endpoint is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.6.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.
Default Value

org.opends.server.protocols.http.rest2ldap.AdminEndpoint

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.HttpEndpoint

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.7. Administration Connector

The Administration Connector is used to interact with administration tools using LDAP.

It is a dedicated entry point for administration.

2.7.1. Dependencies

Administration Connectors depend on the following objects:

2.7.2. Basic Properties

allowed-client

SynopsisSpecifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Administration Connector.
DescriptionValid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced

No

Read-Only

No

denied-client

SynopsisSpecifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Administration Connector.
DescriptionValid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced

No

Read-Only

No

key-manager-provider

SynopsisSpecifies the name of the key manager that is used with the Administration Connector .
Default Value

None

Allowed Values

The name of an existing Key Manager Provider. The referenced key manager provider must be enabled.

Multi-valued

No

Required

Yes

Admin Action Required

Restart the server for changes to take effect.

Advanced

No

Read-Only

No

listen-address

SynopsisSpecifies the address or set of addresses on which this Administration Connector should listen for connections from LDAP clients.
DescriptionMultiple addresses may be provided as separate values for this attribute. If no values are provided, then the Administration Connector listens on all interfaces.
Default Value

0.0.0.0

Allowed Values

An IP address.

Multi-valued

Yes

Required

No

Admin Action Required

Restart the server for changes to take effect.

Advanced

No

Read-Only

No

listen-port

SynopsisSpecifies the port number on which the Administration Connector will listen for connections from clients.
DescriptionOnly a single port number may be provided.
Default Value

None

Allowed Values

An integer.

Lower limit: 1.

Upper limit: 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

ssl-cert-nickname

SynopsisSpecifies the nicknames (also called the aliases) of the keys or key pairs that the Administration Connector should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key.
Default Value

Let the server decide.

Allowed Values

A string.

Multi-valued

Yes

Required

Yes

Admin Action Required

Restart the server for changes to take effect.

Advanced

No

Read-Only

No

ssl-cipher-suite

SynopsisSpecifies the names of the SSL cipher suites that are allowed for use in SSL communication.
Default Value

Uses the default set of SSL cipher suites provided by the server's JVM.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.

Advanced

No

Read-Only

No

ssl-protocol

SynopsisSpecifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.
Default Value

Uses the default set of SSL protocols provided by the server's JVM.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced

No

Read-Only

No

trust-manager-provider

SynopsisSpecifies the name of the trust manager that is used with the Administration Connector .
Default Value

None

Allowed Values

The name of an existing Trust Manager Provider. The referenced trust manager provider must be enabled.

Multi-valued

No

Required

Yes

Admin Action Required

Restart the server for changes to take effect.

Advanced

No

Read-Only

No

2.8. AES Password Storage Scheme

The AES Password Storage Scheme provides a mechanism for encoding user passwords using the AES reversible encryption mechanism.

This scheme contains only an implementation for the user password syntax, with a storage scheme name of "AES".

2.8.1. Parent

The AES Password Storage Scheme object inherits from Password Storage Scheme.

2.8.2. Basic Properties

enabled

SynopsisIndicates whether the Password Storage Scheme is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.8.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.
Default Value

org.opends.server.extensions.AESPasswordStorageScheme

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.9. Alert Handler

This is an abstract object type that cannot be instantiated.

Alert Handlers are used to notify administrators of significant problems or notable events that occur in the OpenDJ directory server.

2.9.1. Alert Handlers

The following Alert Handlers are available:

These Alert Handlers inherit the properties described below.

2.9.2. Basic Properties

disabled-alert-type

SynopsisSpecifies the names of the alert types that are disabled for this alert handler.
DescriptionIf there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.
Default Value

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Alert Handler is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

enabled-alert-type

SynopsisSpecifies the names of the alert types that are enabled for this alert handler.
DescriptionIf there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.
Default Value

All alerts with types not included in the set of disabled alert types are allowed.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Alert Handler implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AlertHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.10. Anonymous SASL Mechanism Handler

The ANONYMOUS SASL mechanism provides the ability for clients to perform an anonymous bind using a SASL mechanism.

The only real benefit that this provides over a normal anonymous bind (that is, using simple authentication with no password) is that the ANONYMOUS SASL mechanism also allows the client to include a trace string in the request. This trace string can help identify the application that performed the bind (although since there is no authentication, there is no assurance that some other client did not spoof that trace string).

2.10.1. Parent

The Anonymous SASL Mechanism Handler object inherits from SASL Mechanism Handler.

2.10.2. Basic Properties

enabled

SynopsisIndicates whether the SASL mechanism handler is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.10.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
Default Value

org.opends.server.extensions.AnonymousSASLMechanismHandler

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.11. Attribute Cleanup Plugin

A pre-parse plugin which can be used to remove and rename attributes in ADD and MODIFY requests before being processed.

This plugin should be used in order maintain interoperability with client applications which attempt to update attributes in a way which is incompatible with LDAPv3 or OpenDJ. For example, this plugin may be used in order to remove changes to operational attributes such as modifiersName, creatorsName, modifyTimestamp, and createTimestamp (Sun DSEE chaining does this).

2.11.1. Parent

The Attribute Cleanup Plugin object inherits from Plugin.

2.11.2. Basic Properties

enabled

SynopsisIndicates whether the plug-in is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the plug-in implementation.
Default Value

org.opends.server.plugins.AttributeCleanupPlugin

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

remove-inbound-attributes

SynopsisA list of attributes which should be removed from incoming add or modify requests.
Default Value

No attributes will be removed

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

rename-inbound-attributes

SynopsisA list of attributes which should be renamed in incoming add or modify requests.
Default Value

No attributes will be renamed

Allowed Values

An attribute name mapping.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.11.3. Advanced Properties

Use the --advanced option to access advanced properties.

invoke-for-internal-operations

SynopsisIndicates whether the plug-in should be invoked for internal operations.
DescriptionAny plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

plugin-type

SynopsisSpecifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
Default Value

preparseadd

preparsemodify

Allowed Values

intermediateresponse: Invoked before sending an intermediate repsonse message to the client.

ldifexport: Invoked for each operation to be written during an LDIF export.

ldifimport: Invoked for each entry read during an LDIF import.

ldifimportbegin: Invoked at the beginning of an LDIF import session.

ldifimportend: Invoked at the end of an LDIF import session.

postconnect: Invoked whenever a new connection is established to the server.

postdisconnect: Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon: Invoked after completing the abandon processing.

postoperationadd: Invoked after completing the core add processing but before sending the response to the client.

postoperationbind: Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare: Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete: Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended: Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify: Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn: Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch: Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind: Invoked after completing the unbind processing.

postresponseadd: Invoked after sending the add response to the client.

postresponsebind: Invoked after sending the bind response to the client.

postresponsecompare: Invoked after sending the compare response to the client.

postresponsedelete: Invoked after sending the delete response to the client.

postresponseextended: Invoked after sending the extended response to the client.

postresponsemodify: Invoked after sending the modify response to the client.

postresponsemodifydn: Invoked after sending the modify DN response to the client.

postresponsesearch: Invoked after sending the search result done message to the client.

postsynchronizationadd: Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete: Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify: Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn: Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd: Invoked prior to performing the core add processing.

preoperationbind: Invoked prior to performing the core bind processing.

preoperationcompare: Invoked prior to performing the core compare processing.

preoperationdelete: Invoked prior to performing the core delete processing.

preoperationextended: Invoked prior to performing the core extended processing.

preoperationmodify: Invoked prior to performing the core modify processing.

preoperationmodifydn: Invoked prior to performing the core modify DN processing.

preoperationsearch: Invoked prior to performing the core search processing.

preparseabandon: Invoked prior to parsing an abandon request.

preparseadd: Invoked prior to parsing an add request.

preparsebind: Invoked prior to parsing a bind request.

preparsecompare: Invoked prior to parsing a compare request.

preparsedelete: Invoked prior to parsing a delete request.

preparseextended: Invoked prior to parsing an extended request.

preparsemodify: Invoked prior to parsing a modify request.

preparsemodifydn: Invoked prior to parsing a modify DN request.

preparsesearch: Invoked prior to parsing a search request.

preparseunbind: Invoked prior to parsing an unbind request.

searchresultentry: Invoked before sending a search result entry to the client.

searchresultreference: Invoked before sending a search result reference to the client.

shutdown: Invoked during a graceful directory server shutdown.

startup: Invoked during the directory server startup process.

subordinatedelete: Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn: Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.12. Attribute Value Password Validator

The Attribute Value Password Validator attempts to determine whether a proposed password is acceptable for use by determining whether that password is contained in any attribute within the user's entry.

It can be configured to look in all attributes or in a specified subset of attributes.

2.12.1. Parent

The Attribute Value Password Validator object inherits from Password Validator.

2.12.2. Basic Properties

check-substrings

SynopsisIndicates whether this password validator is to match portions of the password string against attribute values.
DescriptionIf "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the password validator is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

match-attribute

SynopsisSpecifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.
Default Value

All attributes in the user entry will be checked.

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

min-substring-length

SynopsisIndicates the minimal length of the substring within the password in case substring checking is enabled.
DescriptionIf "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
Default Value

5

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

test-reversed-password

SynopsisIndicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.12.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the password validator implementation.
Default Value

org.opends.server.extensions.AttributeValuePasswordValidator

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.13. Authentication Policy

This is an abstract object type that cannot be instantiated.

Authentication Policies define the policies which should be used for authenticating users and managing the password and other account related state.

2.13.1. Authentication Policies

The following Authentication Policies are available:

These Authentication Policies inherit the properties described below.

2.13.2. Dependencies

The following objects depend on Authentication Policies:

2.13.3. Basic Properties

java-class

SynopsisSpecifies the fully-qualified name of the Java class which provides the Authentication Policy implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AuthenticationPolicyFactory

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.14. Backend

This is an abstract object type that cannot be instantiated.

Backends are responsible for providing access to the underlying data presented by the server.

The data may be stored locally in an embedded database, remotely in an external system, or generated on the fly (for example, calculated from other information that is available).

2.14.1. Backends

The following Backends are available:

These Backends inherit the properties described below.

2.14.2. Basic Properties

backend-id

SynopsisSpecifies a name to identify the associated backend.
DescriptionThe name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
Default Value

None

Allowed Values

A string.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

Yes

enabled

SynopsisIndicates whether the backend is enabled in the server.
DescriptionIf a backend is not enabled, then its contents are not accessible when processing operations.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the backend implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.15. Backend Index

Backend Indexes are used to store information that makes it possible to locate entries very quickly when processing search operations.

Indexing is performed on a per-attribute level and different types of indexing may be performed for different kinds of attributes, based on how they are expected to be accessed during search operations.

2.15.1. Dependencies

The following objects have Backend Indexes:

2.15.2. Basic Properties

attribute

SynopsisSpecifies the name of the attribute for which the index is to be maintained.
Default Value

None

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

Yes

confidentiality-enabled

SynopsisSpecifies whether contents of the index should be confidential.
DescriptionSetting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.

Advanced

No

Read-Only

No

index-extensible-matching-rule

SynopsisThe extensible matching rule in an extensible index.
DescriptionAn extensible matching rule must be specified using either LOCALE or OID of the matching rule.
Default Value

No extensible matching rules will be indexed.

Allowed Values

A Locale or an OID.

Multi-valued

Yes

Required

No

Admin Action Required

None

The index must be rebuilt before it will reflect the new value.

Advanced

No

Read-Only

No

index-type

SynopsisSpecifies the type(s) of indexing that should be performed for the associated attribute.
DescriptionFor equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.
Default Value

None

Allowed Values

approximate: This index type is used to improve the efficiency of searches using approximate matching search filters.

equality: This index type is used to improve the efficiency of searches using equality search filters.

extensible: This index type is used to improve the efficiency of searches using extensible matching search filters.

ordering: This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.

presence: This index type is used to improve the efficiency of searches using the presence search filters.

substring: This index type is used to improve the efficiency of searches using substring search filters.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.

Advanced

No

Read-Only

No

2.15.3. Advanced Properties

Use the --advanced option to access advanced properties.

index-entry-limit

SynopsisSpecifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained.
DescriptionThis is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value. Changing the index entry limit significantly can result in serious performance degradation. Please read the documentation before changing this setting.
Default Value

4000

Allowed Values

An integer.

Lower limit: 0.

Upper limit: 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.

Advanced

Yes

Read-Only

No

substring-length

SynopsisThe length of substrings in a substring index.
Default Value

6

Allowed Values

An integer.

Lower limit: 3.

Multi-valued

No

Required

No

Admin Action Required

None

The index must be rebuilt before it will reflect the new value.

Advanced

Yes

Read-Only

No

2.16. Backend VLV Index

Backend VLV Indexes are used to store information about a specific search request that makes it possible to efficiently process them using the VLV control.

A VLV index effectively notifies the server that a virtual list view, with specific query and sort parameters, will be performed. This index also allows the server to collect and maintain the information required to make using the virtual list view faster.

2.16.1. Dependencies

The following objects have Backend VLV Indexes:

2.16.2. Basic Properties

base-dn

SynopsisSpecifies the base DN used in the search query that is being indexed.
Default Value

None

Allowed Values

A valid DN.

Multi-valued

No

Required

Yes

Admin Action Required

None

The index must be rebuilt after modifying this property.

Advanced

No

Read-Only

No

filter

SynopsisSpecifies the LDAP filter used in the query that is being indexed.
Default Value

None

Allowed Values

A valid LDAP search filter.

Multi-valued

No

Required

Yes

Admin Action Required

None

The index must be rebuilt after modifying this property.

Advanced

No

Read-Only

No

name

SynopsisSpecifies a unique name for this VLV index.
Default Value

None

Allowed Values

A string.

Multi-valued

No

Required

Yes

Admin Action Required

None

The VLV index name cannot be altered after the index is created.

Advanced

No

Read-Only

Yes

scope

SynopsisSpecifies the LDAP scope of the query that is being indexed.
Default Value

None

Allowed Values

base-object: Search the base object only.

single-level: Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree: Search the entire subtree below the base object but do not include the base object itself.

whole-subtree: Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

Yes

Admin Action Required

None

The index must be rebuilt after modifying this property.

Advanced

No

Read-Only

No

sort-order

SynopsisSpecifies the names of the attributes that are used to sort the entries for the query being indexed.
DescriptionMultiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.
Default Value

None

Allowed Values

Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.

Multi-valued

No

Required

Yes

Admin Action Required

None

The index must be rebuilt after modifying this property.

Advanced

No

Read-Only

No

2.17. Backup Backend

The Backup Backend provides read-only access to the set of backups that are available for OpenDJ.

It is provided as a convenience feature that makes it easier to determine what backups are available to be restored if necessary.

2.17.1. Parent

The Backup Backend object inherits from Local Backend.

2.17.2. Basic Properties

backend-id

SynopsisSpecifies a name to identify the associated backend.
DescriptionThe name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.
Default Value

None

Allowed Values

A string.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

Yes

backup-directory

SynopsisSpecifies the path to a backup directory containing one or more backups for a particular backend.
DescriptionThis is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.
Default Value

None

Allowed Values

A string.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the backend is enabled in the server.
DescriptionIf a backend is not enabled, then its contents are not accessible when processing operations.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.17.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the backend implementation.
Default Value

org.opends.server.backends.BackupBackend

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

writability-mode

SynopsisSpecifies the behavior that the backend should use when processing write operations.
Default Value

disabled

Allowed Values

disabled: Causes all write attempts to fail.

enabled: Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only: Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.18. Base64 Password Storage Scheme

The Base64 Password Storage Scheme provides a mechanism for encoding user passwords using the BASE64 encoding mechanism.

This scheme contains only an implementation for the user password syntax, with a storage scheme name of "BASE64". The Base64 Password Storage Scheme merely obscures the password so that the clear-text password is not available to casual observers. However, it offers no real protection and should only be used if there are client applications that specifically require this capability.

2.18.1. Parent

The Base64 Password Storage Scheme object inherits from Password Storage Scheme.

2.18.2. Basic Properties

enabled

SynopsisIndicates whether the Password Storage Scheme is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.18.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.
Default Value

org.opends.server.extensions.Base64PasswordStorageScheme

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.19. Bcrypt Password Storage Scheme

The Bcrypt Password Storage Scheme provides a mechanism for encoding user passwords using the bcrypt message digest algorithm.

This scheme contains an implementation for the user password syntax, with a storage scheme name of "BCRYPT".

2.19.1. Parent

The Bcrypt Password Storage Scheme object inherits from Password Storage Scheme.

2.19.2. Basic Properties

bcrypt-cost

SynopsisThe cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.
Default Value

12

Allowed Values

An integer.

Lower limit: 4.

Upper limit: 30.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Password Storage Scheme is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.19.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.
Default Value

org.opends.server.extensions.BcryptPasswordStorageScheme

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.20. Blind Trust Manager Provider

The blind trust manager provider always trusts any certificate that is presented to it, regardless of its issuer, subject, and validity dates.

Use the blind trust manager provider only for testing purposes, because it allows clients to use forged certificates and authenticate as virtually any user in the server.

2.20.1. Parent

The Blind Trust Manager Provider object inherits from Trust Manager Provider.

2.20.2. Basic Properties

enabled

SynopsisIndicate whether the Trust Manager Provider is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.20.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisThe fully-qualified name of the Java class that provides the Blind Trust Manager Provider implementation.
Default Value

org.opends.server.extensions.BlindTrustManagerProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.TrustManagerProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.21. Blowfish Password Storage Scheme

The Blowfish Password Storage Scheme provides a mechanism for encoding user passwords using the Blowfish reversible encryption mechanism.

This scheme contains only an implementation for the user password syntax, with a storage scheme name of "BLOWFISH".

2.21.1. Parent

The Blowfish Password Storage Scheme object inherits from Password Storage Scheme.

2.21.2. Basic Properties

enabled

SynopsisIndicates whether the Password Storage Scheme is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.21.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.
Default Value

org.opends.server.extensions.BlowfishPasswordStorageScheme

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.22. Cancel Extended Operation Handler

The Cancel Extended Operation Handler provides support for the LDAP cancel extended operation as defined in RFC 3909.

It allows clients to cancel operations initiated from earlier requests. The property ensures that both the cancel request and the operation being canceled receives response messages.

2.22.1. Parent

The Cancel Extended Operation Handler object inherits from Extended Operation Handler.

2.22.2. Basic Properties

enabled

SynopsisIndicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.22.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.
Default Value

org.opends.server.extensions.CancelExtendedOperation

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.23. Certificate Mapper

This is an abstract object type that cannot be instantiated.

Certificate Mappers are responsible for establishing a mapping between a client certificate and the entry for the user that corresponds to that certificate.

2.23.1. Certificate Mappers

The following Certificate Mappers are available:

These Certificate Mappers inherit the properties described below.

2.23.2. Dependencies

The following objects depend on Certificate Mappers:

2.23.3. Basic Properties

enabled

SynopsisIndicates whether the Certificate Mapper is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Certificate Mapper implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.24. Change Number Control Plugin

The Change Number Control Plugin returns the change number generated by the replication subsystem.

The Change Number Control Plugin returns the change number generated by the Multi-Master Replication subsystem when : - the Multi-Master Replication is configured and enabled - the request is a write operation (add, delete, modify, moddn) - the control is part of a request. If all of the above are true, the response contains a control response with a string representing the change number. The implementation for the chnage number control plug-in is contained in the org.opends.server.plugins.ChangeNumberControlPlugin class. It must be configured with the postOperationAdd, postOperationDelete, postOperationModify and postOperationModifyDN plug-in types, but it does not have any other custom configuration.

2.24.1. Parent

The Change Number Control Plugin object inherits from Plugin.

2.24.2. Basic Properties

enabled

SynopsisIndicates whether the plug-in is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.24.3. Advanced Properties

Use the --advanced option to access advanced properties.

invoke-for-internal-operations

SynopsisIndicates whether the plug-in should be invoked for internal operations.
DescriptionAny plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the plug-in implementation.
Default Value

org.opends.server.plugins.ChangeNumberControlPlugin

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

plugin-type

SynopsisSpecifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
Default Value

postOperationAdd

postOperationDelete

postOperationModify

postOperationModifyDN

Allowed Values

intermediateresponse: Invoked before sending an intermediate repsonse message to the client.

ldifexport: Invoked for each operation to be written during an LDIF export.

ldifimport: Invoked for each entry read during an LDIF import.

ldifimportbegin: Invoked at the beginning of an LDIF import session.

ldifimportend: Invoked at the end of an LDIF import session.

postconnect: Invoked whenever a new connection is established to the server.

postdisconnect: Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon: Invoked after completing the abandon processing.

postoperationadd: Invoked after completing the core add processing but before sending the response to the client.

postoperationbind: Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare: Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete: Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended: Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify: Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn: Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch: Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind: Invoked after completing the unbind processing.

postresponseadd: Invoked after sending the add response to the client.

postresponsebind: Invoked after sending the bind response to the client.

postresponsecompare: Invoked after sending the compare response to the client.

postresponsedelete: Invoked after sending the delete response to the client.

postresponseextended: Invoked after sending the extended response to the client.

postresponsemodify: Invoked after sending the modify response to the client.

postresponsemodifydn: Invoked after sending the modify DN response to the client.

postresponsesearch: Invoked after sending the search result done message to the client.

postsynchronizationadd: Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete: Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify: Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn: Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd: Invoked prior to performing the core add processing.

preoperationbind: Invoked prior to performing the core bind processing.

preoperationcompare: Invoked prior to performing the core compare processing.

preoperationdelete: Invoked prior to performing the core delete processing.

preoperationextended: Invoked prior to performing the core extended processing.

preoperationmodify: Invoked prior to performing the core modify processing.

preoperationmodifydn: Invoked prior to performing the core modify DN processing.

preoperationsearch: Invoked prior to performing the core search processing.

preparseabandon: Invoked prior to parsing an abandon request.

preparseadd: Invoked prior to parsing an add request.

preparsebind: Invoked prior to parsing a bind request.

preparsecompare: Invoked prior to parsing a compare request.

preparsedelete: Invoked prior to parsing a delete request.

preparseextended: Invoked prior to parsing an extended request.

preparsemodify: Invoked prior to parsing a modify request.

preparsemodifydn: Invoked prior to parsing a modify DN request.

preparsesearch: Invoked prior to parsing a search request.

preparseunbind: Invoked prior to parsing an unbind request.

searchresultentry: Invoked before sending a search result entry to the client.

searchresultreference: Invoked before sending a search result reference to the client.

shutdown: Invoked during a graceful directory server shutdown.

startup: Invoked during the directory server startup process.

subordinatedelete: Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn: Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.25. Character Set Password Validator

The Character Set Password Validator determines whether a proposed password is acceptable by checking whether it contains a sufficient number of characters from one or more user-defined character sets and ranges.

For example, the validator can ensure that passwords must have at least one lowercase letter, one uppercase letter, one digit, and one symbol.

2.25.1. Parent

The Character Set Password Validator object inherits from Password Validator.

2.25.2. Basic Properties

allow-unclassified-characters

SynopsisIndicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges.
DescriptionIf this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

character-set

SynopsisSpecifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set.
DescriptionEach value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.
Default Value

If no sets are specified, the validator only uses the defined character ranges.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

character-set-ranges

SynopsisSpecifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range.
DescriptionEach value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.
Default Value

If no ranges are specified, the validator only uses the defined character sets.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the password validator is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

min-character-sets

SynopsisSpecifies the minimum number of character sets and ranges that a password must contain.
DescriptionThis property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.
Default Value

The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.25.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the password validator implementation.
Default Value

org.opends.server.extensions.CharacterSetPasswordValidator

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.26. Clear Password Storage Scheme

The Clear Password Storage Scheme provides a mechanism for storing user passwords in clear text, without any form of obfuscation.

This scheme contains only an implementation for the user password syntax, with a storage scheme name of "CLEAR". The Clear Password Storage Scheme should only be used if there are client applications that specifically require this capability.

2.26.1. Parent

The Clear Password Storage Scheme object inherits from Password Storage Scheme.

2.26.2. Basic Properties

enabled

SynopsisIndicates whether the Password Storage Scheme is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.26.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.
Default Value

org.opends.server.extensions.ClearPasswordStorageScheme

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.27. Client Connection Monitor Provider

The Client Connection Monitor Provider exposes monitor information about the set of client connections that are established to the OpenDJ directory server.

2.27.1. Parent

The Client Connection Monitor Provider object inherits from Monitor Provider.

2.27.2. Basic Properties

enabled

SynopsisIndicates whether the Monitor Provider is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.27.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.
Default Value

org.opends.server.monitors.ClientConnectionMonitorProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.28. Collective Attribute Subentries Virtual Attribute

The Collective Attribute Subentries Virtual Attribute generates a virtual attribute that specifies all collective attribute subentries that affect the entry.

2.28.1. Parent

The Collective Attribute Subentries Virtual Attribute object inherits from Virtual Attribute.

2.28.2. Basic Properties

attribute-type

SynopsisSpecifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
Default Value

collectiveAttributeSubentries

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

base-dn

SynopsisSpecifies the base DNs for the branches containing entries that are eligible to use this virtual attribute.
DescriptionIf no values are given, then the server generates virtual attributes anywhere in the server.
Default Value

The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Virtual Attribute is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

filter

SynopsisSpecifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries.
DescriptionIf no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
Default Value

(objectClass=*)

Allowed Values

Any valid search filter string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

group-dn

SynopsisSpecifies the DNs of the groups whose members can be eligible to use this virtual attribute.
DescriptionIf no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
Default Value

Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

scope

SynopsisSpecifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
Default Value

whole-subtree

Allowed Values

base-object: Search the base object only.

single-level: Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree: Search the entire subtree below the base object but do not include the base object itself.

whole-subtree: Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.28.3. Advanced Properties

Use the --advanced option to access advanced properties.

conflict-behavior

SynopsisSpecifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
Default Value

virtual-overrides-real

Allowed Values

merge-real-and-virtual: Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.

real-overrides-virtual: Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.

virtual-overrides-real: Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
Default Value

org.opends.server.extensions.CollectiveAttributeSubentriesVirtualAttributeProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.VirtualAttributeProvider

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.29. Connection Handler

This is an abstract object type that cannot be instantiated.

Connection Handlers are responsible for handling all interaction with the clients, including accepting the connections, reading requests, and sending responses.

2.29.1. Connection Handlers

The following Connection Handlers are available:

These Connection Handlers inherit the properties described below.

2.29.2. Basic Properties

allowed-client

SynopsisSpecifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler.
DescriptionValid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.
Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced

No

Read-Only

No

denied-client

SynopsisSpecifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler.
DescriptionValid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.
Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Connection Handler is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Connection Handler implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.30. Core Schema

Core Schema define the core schema elements to load.

Core schema provider configuration.

2.30.1. Parent

The Core Schema object inherits from Schema Provider.

2.30.2. Basic Properties

disabled-matching-rule

SynopsisThe set of disabled matching rules.
DescriptionMatching rules must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
Default Value

NONE

Allowed Values

The OID of the disabled matching rule.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

disabled-syntax

SynopsisThe set of disabled syntaxes.
DescriptionSyntaxes must be specified using the syntax: OID, or use the default value 'NONE' to specify no value.
Default Value

NONE

Allowed Values

The OID of the disabled syntax, or NONE

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Schema Provider is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.30.3. Advanced Properties

Use the --advanced option to access advanced properties.

allow-attribute-types-with-no-sup-or-syntax

SynopsisIndicates whether the schema should allow attribute type definitions that do not declare a superior attribute type or syntax
DescriptionWhen set to true, invalid attribute type definitions will use the default syntax.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

allow-zero-length-values-directory-string

SynopsisIndicates whether zero-length (that is, an empty string) values are allowed for directory string.
DescriptionThis is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Core Schema implementation.
Default Value

org.opends.server.schema.CoreSchemaProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.schema.SchemaProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

json-validation-policy

SynopsisSpecifies the policy that will be used when validating JSON syntax values.
Default Value

strict

Allowed Values

disabled: JSON syntax values will not be validated and, as a result any sequence of bytes will be acceptable.

lenient: JSON syntax values must comply with RFC 7159 except: 1) comments are allowed, 2) single quotes may be used instead of double quotes, and 3) unquoted control characters are allowed in strings.

strict: JSON syntax values must strictly conform to RFC 7159.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

strict-format-certificates

SynopsisIndicates whether X.509 Certificate values are required to strictly comply with the standard definition for this syntax.
DescriptionWhen set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

strict-format-country-string

SynopsisIndicates whether country code values are required to strictly comply with the standard definition for this syntax.
DescriptionWhen set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

strict-format-jpeg-photos

SynopsisIndicates whether to require JPEG values to strictly comply with the standard definition for this syntax.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

strict-format-telephone-numbers

SynopsisIndicates whether to require telephone number values to strictly comply with the standard definition for this syntax.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

strip-syntax-min-upper-bound-attribute-type-description

SynopsisIndicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off.
DescriptionWhen retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.31. CRAM-MD5 SASL Mechanism Handler

The CRAM-MD5 SASL mechanism provides the ability for clients to perform password-based authentication in a manner that does not expose their password in the clear.

Rather than including the password in the bind request, the CRAM-MD5 mechanism uses a two-step process in which the client needs only to prove that it knows the password. The server sends randomly-generated data to the client that is to be used in the process, which makes it resistant to replay attacks. The one-way message digest algorithm ensures that the original clear-text password is not exposed. Note that the algorithm used by the CRAM-MD5 mechanism requires that both the client and the server have access to the clear-text password (or potentially a value that is derived from the clear-text password). In order to authenticate to the server using CRAM-MD5, the password for a user's account must be encoded using a reversible password storage scheme that allows the server to have access to the clear-text value.

2.31.1. Parent

The CRAM-MD5 SASL Mechanism Handler object inherits from SASL Mechanism Handler.

2.31.2. Dependencies

CRAM-MD5 SASL Mechanism Handlers depend on the following objects:

2.31.3. Basic Properties

enabled

SynopsisIndicates whether the SASL mechanism handler is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

identity-mapper

SynopsisSpecifies the name of the identity mapper used with this SASL mechanism handler to match the authentication ID included in the SASL bind request to the corresponding user in the directory.
Default Value

None

Allowed Values

The name of an existing Identity Mapper. The referenced identity mapper must be enabled when the CRAM-MD5 SASL Mechanism Handler is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.31.4. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
Default Value

org.opends.server.extensions.CRAMMD5SASLMechanismHandler

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.32. Crypt Password Storage Scheme

The Crypt Password Storage Scheme provides a mechanism for encoding user passwords like Unix crypt does. Like on most Unix systems, the password may be encrypted using different algorithms, either Unix crypt, md5, sha256 or sha512.

This scheme contains only an implementation for the user password syntax, with a storage scheme name of "CRYPT". Like on most Unixes, the "CRYPT" storage scheme has different algorithms, the default being Unix crypt. Warning: even though Unix crypt is a one-way digest, it is very weak by today's standards. Only the first 8 characters in a password are used, and it only uses the bottom 7 bits of each character. It only supports a 12-bit salt (meaning that there are only 4096 possible ways to encode a given password), so it is vulnerable to dictionary attacks. You should therefore use this algorithm only in cases where an external application expects to retrieve the password and verify it outside of the directory, instead of by performing an LDAP bind.

2.32.1. Parent

The Crypt Password Storage Scheme object inherits from Password Storage Scheme.

2.32.2. Basic Properties

crypt-password-storage-encryption-algorithm

SynopsisSpecifies the algorithm to use to encrypt new passwords.
DescriptionSelect the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.
Default Value

unix

Allowed Values

md5: New passwords are encrypted with the BSD MD5 algorithm.

sha256: New passwords are encrypted with the Unix crypt SHA256 algorithm.

sha512: New passwords are encrypted with the Unix crypt SHA512 algorithm.

unix: New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Password Storage Scheme is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.32.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.
Default Value

org.opends.server.extensions.CryptPasswordStorageScheme

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.33. Crypto Manager

The Crypto Manager provides a common interface for performing compression, decompression, hashing, encryption and other kinds of cryptographic operations.

2.33.1. Basic Properties

key-wrapping-transformation

SynopsisThe preferred key wrapping transformation for the directory server. This value must be the same for all server instances in a replication topology.
Default Value

RSA/ECB/OAEPWITHSHA-1ANDMGF1PADDING

Allowed Values

A string.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect immediately but will only affect cryptographic operations performed after the change.

Advanced

No

Read-Only

No

ssl-cert-nickname

SynopsisSpecifies the nicknames (also called the aliases) of the keys or key pairs that the Crypto Manager should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key.
DescriptionThis is only applicable when the Crypto Manager is configured to use SSL.
Default Value

Let the server decide.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

ssl-cipher-suite

SynopsisSpecifies the names of the SSL cipher suites that are allowed for use in SSL or TLS communication.
Default Value

Uses the default set of SSL cipher suites provided by the server's JVM.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced

No

Read-Only

No

ssl-encryption

SynopsisSpecifies whether SSL/TLS is used to provide encrypted communication between two OpenDJ server components.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced

No

Read-Only

No

ssl-protocol

SynopsisSpecifies the names of the SSL protocols that are allowed for use in SSL or TLS communication.
Default Value

Uses the default set of SSL protocols provided by the server's JVM.

Allowed Values

A string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced

No

Read-Only

No

2.33.2. Advanced Properties

Use the --advanced option to access advanced properties.

cipher-key-length

SynopsisSpecifies the key length in bits for the preferred cipher.
Default Value

128

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-Only

No

cipher-transformation

SynopsisSpecifies the cipher for the directory server using the syntax algorithm/mode/padding.
DescriptionThe full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.
Default Value

AES/CBC/PKCS5Padding

Allowed Values

A string.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-Only

No

digest-algorithm

SynopsisSpecifies the preferred message digest algorithm for the directory server.
Default Value

SHA-1

Allowed Values

A string.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately and only affect cryptographic operations performed after the change.

Advanced

Yes

Read-Only

No

mac-algorithm

SynopsisSpecifies the preferred MAC algorithm for the directory server.
Default Value

HmacSHA1

Allowed Values

A string.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-Only

No

mac-key-length

SynopsisSpecifies the key length in bits for the preferred MAC algorithm.
Default Value

128

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced

Yes

Read-Only

No

2.34. CSV File Access Log Publisher

CSV File Access Log Publishers publish access messages to CSV files.

2.34.1. Parent

The CSV File Access Log Publisher object inherits from Access Log Publisher.

2.34.2. Dependencies

CSV File Access Log Publishers depend on the following objects:

2.34.3. Basic Properties

csv-delimiter-char

SynopsisThe delimiter character to use when writing in CSV format.
Default Value

,

Allowed Values

The delimiter character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Log Publisher is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

filtering-policy

SynopsisSpecifies how filtering criteria should be applied to log records.
Default Value

no-filtering

Allowed Values

exclusive: Records must not match any of the filtering criteria in order to be logged.

inclusive: Records must match at least one of the filtering criteria in order to be logged.

no-filtering: No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

key-store-file

SynopsisSpecifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root.
DescriptionChanges to this property will take effect the next time that the key store is accessed.
Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

key-store-pin-file

SynopsisSpecifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the CSV File Access Log Publisher .
Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the CSV File Access Log Publisher is accessed.

Advanced

No

Read-Only

No

log-control-oids

SynopsisSpecifies whether control OIDs will be included in operation log records.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

log-directory

SynopsisThe directory to use for the log files generated by the CSV File Access Log Publisher. The path to the directory is relative to the server root.
Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

retention-policy

SynopsisThe retention policy to use for the CSV File Access Log Publisher .
DescriptionWhen multiple policies are used, log files are cleaned when any of the policy's conditions are met.
Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The name of an existing Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

rotation-policy

SynopsisThe rotation policy to use for the CSV File Access Log Publisher .
DescriptionWhen multiple policies are used, rotation will occur if any policy's conditions are met.
Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The name of an existing Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

tamper-evident

SynopsisSpecifies whether the log should be signed in order to detect tampering.
DescriptionEvery log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.34.4. Advanced Properties

Use the --advanced option to access advanced properties.

asynchronous

SynopsisIndicates whether the CSV File Access Log Publisher will publish records asynchronously.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

auto-flush

SynopsisSpecifies whether to flush the writer after every log record.
DescriptionIf the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

csv-eol-symbols

SynopsisThe string that marks the end of a line.
Default Value

Use the platform specific end of line character sequence.

Allowed Values

The string that marks the end of a line.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

csv-quote-char

SynopsisThe character to append and prepend to a CSV field when writing in CSV format.
Default Value

"

Allowed Values

The quote character to use when writting in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisThe fully-qualified name of the Java class that provides the CSV File Access Log Publisher implementation.
Default Value

org.opends.server.loggers.CsvFileAccessLogPublisher

Allowed Values

A Java class that extends or implements:

  • org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

signature-time-interval

SynopsisSpecifies the interval at which to sign the log file when the tamper-evident option is enabled.
Default Value

3s

Allowed Values

Uses Duration Syntax.

Lower limit: 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

suppress-internal-operations

SynopsisIndicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

suppress-synchronization-operations

SynopsisIndicates whether access messages that are generated by synchronization operations should be suppressed.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.35. CSV File HTTP Access Log Publisher

CSV File HTTP Access Log Publishers publish HTTP access messages to CSV files.

2.35.1. Parent

The CSV File HTTP Access Log Publisher object inherits from HTTP Access Log Publisher.

2.35.2. Dependencies

CSV File HTTP Access Log Publishers depend on the following objects:

2.35.3. Basic Properties

csv-delimiter-char

SynopsisThe delimiter character to use when writing in CSV format.
Default Value

,

Allowed Values

The delimiter character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Log Publisher is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

key-store-file

SynopsisSpecifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root.
DescriptionChanges to this property will take effect the next time that the key store is accessed.
Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

key-store-pin-file

SynopsisSpecifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the CSV File HTTP Access Log Publisher .
Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the CSV File HTTP Access Log Publisher is accessed.

Advanced

No

Read-Only

No

log-directory

SynopsisThe directory to use for the log files generated by the CSV File HTTP Access Log Publisher. The path to the directory is relative to the server root.
Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

retention-policy

SynopsisThe retention policy to use for the CSV File HTTP Access Log Publisher .
DescriptionWhen multiple policies are used, log files are cleaned when any of the policy's conditions are met.
Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The name of an existing Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

rotation-policy

SynopsisThe rotation policy to use for the CSV File HTTP Access Log Publisher .
DescriptionWhen multiple policies are used, rotation will occur if any policy's conditions are met.
Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The name of an existing Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

tamper-evident

SynopsisSpecifies whether the log should be signed in order to detect tampering.
DescriptionEvery log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.35.4. Advanced Properties

Use the --advanced option to access advanced properties.

asynchronous

SynopsisIndicates whether the CSV File HTTP Access Log Publisher will publish records asynchronously.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

auto-flush

SynopsisSpecifies whether to flush the writer after every log record.
DescriptionIf the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

csv-eol-symbols

SynopsisThe string that marks the end of a line.
Default Value

Use the platform specific end of line character sequence.

Allowed Values

The string that marks the end of a line.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

csv-quote-char

SynopsisThe character to append and prepend to a CSV field when writing in CSV format.
Default Value

"

Allowed Values

The quote character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisThe fully-qualified name of the Java class that provides the CSV File HTTP Access Log Publisher implementation.
Default Value

org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher

Allowed Values

A Java class that extends or implements:

  • org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

signature-time-interval

SynopsisSpecifies the interval at which to sign the log file when secure option is enabled.
Default Value

3s

Allowed Values

Uses Duration Syntax.

Lower limit: 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.36. Debug Log Publisher

This is an abstract object type that cannot be instantiated.

Debug Log Publishers are responsible for distributing debug log messages from the debug logger to a destination.

Debug log messages provide information that can be used for debugging or troubleshooting problems in the server, or for providing more detailed information about the processing that the server performs.

2.36.1. Debug Log Publishers

The following Debug Log Publishers are available:

These Debug Log Publishers inherit the properties described below.

2.36.2. Parent

The Debug Log Publisher object inherits from Log Publisher.

2.36.3. Dependencies

The following objects belong to Debug Log Publishers:

2.36.4. Basic Properties

default-debug-exceptions-only

SynopsisIndicates whether only logs with exception should be logged.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

default-include-throwable-cause

SynopsisIndicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

default-omit-method-entry-arguments

SynopsisIndicates whether to include method arguments in debug messages logged by default.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

default-omit-method-return-value

SynopsisIndicates whether to include the return value in debug messages logged by default.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

default-throwable-stack-frames

SynopsisIndicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.
Default Value

2147483647

Allowed Values

An integer.

Lower limit: 0.

Upper limit: 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Log Publisher is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisThe fully-qualified name of the Java class that provides the Debug Log Publisher implementation.
Default Value

org.opends.server.loggers.DebugLogPublisher

Allowed Values

A Java class that extends or implements:

  • org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.37. Debug Target

Debug Targets define the types of messages logged by the debug logPublisher.

Debug targets allow for fine-grain control of which messages are logged based on the package, class, or method that generated the message. Each debug target configuration entry resides below the entry with RDN of "cn=Debug Target" immediately below the parent ds-cfg-debug-log-publisher entry.

2.37.1. Dependencies

The following objects have Debug Targets:

2.37.2. Basic Properties

debug-exceptions-only

SynopsisIndicates whether only logs with exception should be logged.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

debug-scope

SynopsisSpecifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).
Default Value

None

Allowed Values

The fully-qualified OpenDJ Java package, class, or method name.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

Yes

enabled

SynopsisIndicates whether the Debug Target is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

include-throwable-cause

SynopsisSpecifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

omit-method-entry-arguments

SynopsisSpecifies the property to indicate whether to include method arguments in debug messages.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

omit-method-return-value

SynopsisSpecifies the property to indicate whether to include the return value in debug messages.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

throwable-stack-frames

SynopsisSpecifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.
Default Value

0

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.38. Dictionary Password Validator

The Dictionary Password Validator determines whether a proposed password is acceptable based on whether the given password value appears in a provided dictionary file.

A large dictionary file is provided with the server, but the administrator can supply an alternate dictionary. In this case, then the dictionary must be a plain-text file with one word per line.

2.38.1. Parent

The Dictionary Password Validator object inherits from Password Validator.

2.38.2. Basic Properties

case-sensitive-validation

SynopsisIndicates whether this password validator is to treat password characters in a case-sensitive manner.
DescriptionIf it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.
Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

check-substrings

SynopsisIndicates whether this password validator is to match portions of the password string against dictionary words.
DescriptionIf "false" then only match the entire password against words otherwise ("true") check whether the password contains words.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

dictionary-file

SynopsisSpecifies the path to the file containing a list of words that cannot be used as passwords.
DescriptionIt should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.
Default Value

For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt

Allowed Values

The path to any text file contained on the system that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the password validator is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

min-substring-length

SynopsisIndicates the minimal length of the substring within the password in case substring checking is enabled.
DescriptionIf "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.
Default Value

5

Allowed Values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

test-reversed-password

SynopsisIndicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given.
DescriptionFor example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.38.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the password validator implementation.
Default Value

org.opends.server.extensions.DictionaryPasswordValidator

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.39. DIGEST-MD5 SASL Mechanism Handler

The DIGEST-MD5 SASL mechanism is used to perform all processing related to SASL DIGEST-MD5 authentication.

The DIGEST-MD5 SASL mechanism is very similar to the CRAM-MD5 mechanism in that it allows for password-based authentication without exposing the password in the clear (although it does require that both the client and the server have access to the clear-text password). Like the CRAM-MD5 mechanism, it uses data that is randomly generated by the server to make it resistant to replay attacks, but it also includes randomly-generated data from the client, which makes it also resistant to problems resulting from weak server-side random number generation.

2.39.1. Parent

The DIGEST-MD5 SASL Mechanism Handler object inherits from SASL Mechanism Handler.

2.39.2. Dependencies

DIGEST-MD5 SASL Mechanism Handlers depend on the following objects:

2.39.3. Basic Properties

enabled

SynopsisIndicates whether the SASL mechanism handler is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

identity-mapper

SynopsisSpecifies the name of the identity mapper that is to be used with this SASL mechanism handler to match the authentication or authorization ID included in the SASL bind request to the corresponding user in the directory.
Default Value

None

Allowed Values

The name of an existing Identity Mapper. The referenced identity mapper must be enabled when the DIGEST-MD5 SASL Mechanism Handler is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

quality-of-protection

SynopsisThe name of a property that specifies the quality of protection the server will support.
Default Value

none

Allowed Values

confidentiality: Quality of protection equals authentication with integrity and confidentiality protection.

integrity: Quality of protection equals authentication with integrity protection.

none: QOP equals authentication only.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

realm

SynopsisSpecifies the realms that is to be used by the server for DIGEST-MD5 authentication.
DescriptionIf this value is not provided, then the server defaults to use the fully qualified hostname of the machine.
Default Value

If this value is not provided, then the server defaults to use the fully qualified hostname of the machine.

Allowed Values

Any realm string that does not contain a comma.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

server-fqdn

SynopsisSpecifies the DNS-resolvable fully-qualified domain name for the server that is used when validating the digest-uri parameter during the authentication process.
DescriptionIf this configuration attribute is present, then the server expects that clients use a digest-uri equal to "ldap/" followed by the value of this attribute. For example, if the attribute has a value of "directory.example.com", then the server expects clients to use a digest-uri of "ldap/directory.example.com". If no value is provided, then the server does not attempt to validate the digest-uri provided by the client and accepts any value.
Default Value

The server attempts to determine the fully-qualified domain name dynamically.

Allowed Values

The fully-qualified address that is expected for clients to use when connecting to the server and authenticating via DIGEST-MD5.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.39.4. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the SASL mechanism handler implementation.
Default Value

org.opends.server.extensions.DigestMD5SASLMechanismHandler

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.SASLMechanismHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.40. DSEE Compatible Access Control Handler

The DSEE Compatible Access Control Handler provides an implementation that uses syntax compatible with the Sun Java System Directory Server Enterprise Edition access control handlers.

2.40.1. Parent

The DSEE Compatible Access Control Handler object inherits from Access Control Handler.

2.40.2. Basic Properties

enabled

SynopsisIndicates whether the Access Control Handler is enabled. If set to FALSE, then no access control is enforced, and any client (including unauthenticated or anonymous clients) could be allowed to perform any operation if not subject to other restrictions, such as those enforced by the privilege subsystem.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

global-aci

SynopsisDefines global access control rules.
DescriptionGlobal access control rules apply to all entries anywhere in the data managed by the OpenDJ directory server. The global access control rules may be overridden by more specific access control rules placed in the data.
Default Value

No global access control rules are defined, which means that no access is allowed for any data in the server unless specifically granted by access control rules in the data.

Allowed Values

An access control instruction (ACI).

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.40.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the DSEE Compatible Access Control Handler implementation.
Default Value

org.opends.server.authorization.dseecompat.AciHandler

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AccessControlHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.41. Dynamic Group Implementation

The Dynamic Group Implementation provides a grouping mechanism in which the group membership is determined based on criteria defined in one or more LDAP URLs.

2.41.1. Parent

The Dynamic Group Implementation object inherits from Group Implementation.

2.41.2. Basic Properties

enabled

SynopsisIndicates whether the Group Implementation is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.41.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.
Default Value

org.opends.server.extensions.DynamicGroup

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.42. Entity Tag Virtual Attribute

The Entity Tag Virtual Attribute ensures that all entries contain an "entity tag" or "Etag" as defined in section 3.11 of RFC 2616.

The entity tag may be used by clients, in conjunction with the assertion control, for optimistic concurrency control, as a way to help prevent simultaneous updates of an entry from conflicting with each other.

2.42.1. Parent

The Entity Tag Virtual Attribute object inherits from Virtual Attribute.

2.42.2. Basic Properties

attribute-type

SynopsisSpecifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
Default Value

etag

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

base-dn

SynopsisSpecifies the base DNs for the branches containing entries that are eligible to use this virtual attribute.
DescriptionIf no values are given, then the server generates virtual attributes anywhere in the server.
Default Value

The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

checksum-algorithm

SynopsisThe algorithm which should be used for calculating the entity tag checksum value.
Default Value

adler-32

Allowed Values

adler-32: The Adler-32 checksum algorithm which is almost as reliable as a CRC-32 but can be computed much faster.

crc-32: The CRC-32 checksum algorithm.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Virtual Attribute is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

excluded-attribute

SynopsisThe list of attributes which should be ignored when calculating the entity tag checksum value.
DescriptionCertain attributes like "ds-sync-hist" may vary between replicas due to different purging schedules and should not be included in the checksum.
Default Value

ds-sync-hist

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

filter

SynopsisSpecifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries.
DescriptionIf no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
Default Value

(objectClass=*)

Allowed Values

Any valid search filter string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

group-dn

SynopsisSpecifies the DNs of the groups whose members can be eligible to use this virtual attribute.
DescriptionIf no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
Default Value

Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

scope

SynopsisSpecifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
Default Value

whole-subtree

Allowed Values

base-object: Search the base object only.

single-level: Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree: Search the entire subtree below the base object but do not include the base object itself.

whole-subtree: Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.42.3. Advanced Properties

Use the --advanced option to access advanced properties.

conflict-behavior

SynopsisSpecifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
Default Value

real-overrides-virtual

Allowed Values

merge-real-and-virtual: Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.

real-overrides-virtual: Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.

virtual-overrides-real: Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
Default Value

org.opends.server.extensions.EntityTagVirtualAttributeProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.VirtualAttributeProvider

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.43. Entry Cache

This is an abstract object type that cannot be instantiated.

Entry Caches are responsible for caching entries which are likely to be accessed by client applications in order to improve OpenDJ directory server performance.

2.43.1. Entry Caches

The following Entry Caches are available:

These Entry Caches inherit the properties described below.

2.43.2. Basic Properties

cache-level

SynopsisSpecifies the cache level in the cache order if more than one instance of the cache is configured.
Default Value

None

Allowed Values

An integer.

Lower limit: 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Entry Cache is enabled.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Entry Cache implementation.
Default Value

None

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.EntryCache

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

No

Read-Only

No

2.44. Entry Cache Monitor Provider

The Entry Cache Monitor Provider exposes monitor information about the state of OpenDJ directory server entry caches.

2.44.1. Parent

The Entry Cache Monitor Provider object inherits from Monitor Provider.

2.44.2. Basic Properties

enabled

SynopsisIndicates whether the Monitor Provider is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.44.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.
Default Value

org.opends.server.monitors.EntryCacheMonitorProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

2.45. entryDN Virtual Attribute

The entryDN Virtual Attribute generates the entryDN operational attribute in directory entries, which contains a normalized form of the entry's DN.

This attribute is defined in the draft-zeilenga-ldap-entrydn Internet Draft and contains the DN of the entry in which it is contained. This component provides the ability to use search filters containing the entry's DN.

2.45.1. Parent

The entryDN Virtual Attribute object inherits from Virtual Attribute.

2.45.2. Basic Properties

attribute-type

SynopsisSpecifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
Default Value

entryDN

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

base-dn

SynopsisSpecifies the base DNs for the branches containing entries that are eligible to use this virtual attribute.
DescriptionIf no values are given, then the server generates virtual attributes anywhere in the server.
Default Value

The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Virtual Attribute is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

filter

SynopsisSpecifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries.
DescriptionIf no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
Default Value

(objectClass=*)

Allowed Values

Any valid search filter string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

group-dn

SynopsisSpecifies the DNs of the groups whose members can be eligible to use this virtual attribute.
DescriptionIf no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
Default Value

Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

scope

SynopsisSpecifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
Default Value

whole-subtree

Allowed Values

base-object: Search the base object only.

single-level: Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree: Search the entire subtree below the base object but do not include the base object itself.

whole-subtree: Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.45.3. Advanced Properties

Use the --advanced option to access advanced properties.

conflict-behavior

SynopsisSpecifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
Default Value

virtual-overrides-real

Allowed Values

merge-real-and-virtual: Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.

real-overrides-virtual: Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.

virtual-overrides-real: Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
Default Value

org.opends.server.extensions.EntryDNVirtualAttributeProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.VirtualAttributeProvider

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.46. entryUUID Plugin

The entryUUID Plugin generates values for the entryUUID operational attribute whenever an entry is added via protocol or imported from LDIF.

The entryUUID plug-in ensures that all entries added to the server, whether through an LDAP add operation or via an LDIF import, are assigned an entryUUID operational attribute if they do not already have one. The entryUUID attribute contains a universally unique identifier that can be used to identify an entry in a manner that does not change (even in the event of a modify DN operation). This plug-in generates a random UUID for entries created by an add operation, but the UUID is constructed from the DN of the entry during an LDIF import (which means that the same LDIF file can be imported on different systems but still get the same value for the entryUUID attribute). This behavior is based on the specification contained in RFC 4530. The implementation for the entry UUID plug-in is contained in the org.opends.server.plugins.EntryUUIDPlugin class. It must be configured with the preOperationAdd and ldifImport plug-in types, but it does not have any other custom configuration. This plug-in must be enabled in any directory that is intended to be used in a synchronization environment.

2.46.1. Parent

The entryUUID Plugin object inherits from Plugin.

2.46.2. Basic Properties

enabled

SynopsisIndicates whether the plug-in is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.46.3. Advanced Properties

Use the --advanced option to access advanced properties.

invoke-for-internal-operations

SynopsisIndicates whether the plug-in should be invoked for internal operations.
DescriptionAny plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.
Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the plug-in implementation.
Default Value

org.opends.server.plugins.EntryUUIDPlugin

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

Yes

Read-Only

No

plugin-type

SynopsisSpecifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.
Default Value

ldifimport

preoperationadd

Allowed Values

intermediateresponse: Invoked before sending an intermediate repsonse message to the client.

ldifexport: Invoked for each operation to be written during an LDIF export.

ldifimport: Invoked for each entry read during an LDIF import.

ldifimportbegin: Invoked at the beginning of an LDIF import session.

ldifimportend: Invoked at the end of an LDIF import session.

postconnect: Invoked whenever a new connection is established to the server.

postdisconnect: Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon: Invoked after completing the abandon processing.

postoperationadd: Invoked after completing the core add processing but before sending the response to the client.

postoperationbind: Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare: Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete: Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended: Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify: Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn: Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch: Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind: Invoked after completing the unbind processing.

postresponseadd: Invoked after sending the add response to the client.

postresponsebind: Invoked after sending the bind response to the client.

postresponsecompare: Invoked after sending the compare response to the client.

postresponsedelete: Invoked after sending the delete response to the client.

postresponseextended: Invoked after sending the extended response to the client.

postresponsemodify: Invoked after sending the modify response to the client.

postresponsemodifydn: Invoked after sending the modify DN response to the client.

postresponsesearch: Invoked after sending the search result done message to the client.

postsynchronizationadd: Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete: Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify: Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn: Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd: Invoked prior to performing the core add processing.

preoperationbind: Invoked prior to performing the core bind processing.

preoperationcompare: Invoked prior to performing the core compare processing.

preoperationdelete: Invoked prior to performing the core delete processing.

preoperationextended: Invoked prior to performing the core extended processing.

preoperationmodify: Invoked prior to performing the core modify processing.

preoperationmodifydn: Invoked prior to performing the core modify DN processing.

preoperationsearch: Invoked prior to performing the core search processing.

preparseabandon: Invoked prior to parsing an abandon request.

preparseadd: Invoked prior to parsing an add request.

preparsebind: Invoked prior to parsing a bind request.

preparsecompare: Invoked prior to parsing a compare request.

preparsedelete: Invoked prior to parsing a delete request.

preparseextended: Invoked prior to parsing an extended request.

preparsemodify: Invoked prior to parsing a modify request.

preparsemodifydn: Invoked prior to parsing a modify DN request.

preparsesearch: Invoked prior to parsing a search request.

preparseunbind: Invoked prior to parsing an unbind request.

searchresultentry: Invoked before sending a search result entry to the client.

searchresultreference: Invoked before sending a search result reference to the client.

shutdown: Invoked during a graceful directory server shutdown.

startup: Invoked during the directory server startup process.

subordinatedelete: Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn: Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.47. entryUUID Virtual Attribute

The entryUUID Virtual Attribute ensures that all entries contained in private backends have values for the entryUUID operational attribute.

The entryUUID values are generated based on a normalized representation of the entry's DN, which does not cause a consistency problem because OpenDJ does not allow modify DN operations to be performed in private backends.

2.47.1. Parent

The entryUUID Virtual Attribute object inherits from Virtual Attribute.

2.47.2. Basic Properties

attribute-type

SynopsisSpecifies the attribute type for the attribute whose values are to be dynamically assigned by the virtual attribute.
Default Value

entryUUID

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

base-dn

SynopsisSpecifies the base DNs for the branches containing entries that are eligible to use this virtual attribute.
DescriptionIf no values are given, then the server generates virtual attributes anywhere in the server.
Default Value

The location of the entry in the server is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Virtual Attribute is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

filter

SynopsisSpecifies the search filters to be applied against entries to determine if the virtual attribute is to be generated for those entries.
DescriptionIf no values are given, then any entry is eligible to have the value generated. If one or more filters are specified, then only entries that match at least one of those filters are allowed to have the virtual attribute.
Default Value

(objectClass=*)

Allowed Values

Any valid search filter string.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

group-dn

SynopsisSpecifies the DNs of the groups whose members can be eligible to use this virtual attribute.
DescriptionIf no values are given, then group membership is not taken into account when generating the virtual attribute. If one or more group DNs are specified, then only members of those groups are allowed to have the virtual attribute.
Default Value

Group membership is not taken into account when determining whether an entry is eligible to use this virtual attribute.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

scope

SynopsisSpecifies the LDAP scope associated with base DNs for entries that are eligible to use this virtual attribute.
Default Value

whole-subtree

Allowed Values

base-object: Search the base object only.

single-level: Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree: Search the entire subtree below the base object but do not include the base object itself.

whole-subtree: Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.47.3. Advanced Properties

Use the --advanced option to access advanced properties.

conflict-behavior

SynopsisSpecifies the behavior that the server is to exhibit for entries that already contain one or more real values for the associated attribute.
Default Value

real-overrides-virtual

Allowed Values

merge-real-and-virtual: Indicates that the virtual attribute provider is to preserve any real values contained in the entry and merge them with the set of generated virtual values so that both the real and virtual values are used.

real-overrides-virtual: Indicates that any real values contained in the entry are preserved and used, and virtual values are not generated.

virtual-overrides-real: Indicates that the virtual attribute provider suppresses any real values contained in the entry and generates virtual values and uses them.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced

Yes

Read-Only

No

java-class

SynopsisSpecifies the fully-qualified name of the virtual attribute provider class that generates the attribute values.
Default Value

org.opends.server.extensions.EntryUUIDVirtualAttributeProvider

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.VirtualAttributeProvider

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.48. Error Log Account Status Notification Handler

The Error Log Account Status Notification Handler is a notification handler that writes information to the server error log whenever an appropriate account status event occurs.

2.48.1. Parent

The Error Log Account Status Notification Handler object inherits from Account Status Notification Handler.

2.48.2. Basic Properties

account-status-notification-type

SynopsisIndicates which types of event can trigger an account status notification.
Default Value

None

Allowed Values

account-disabled: Generate a notification whenever a user account has been disabled by an administrator.

account-enabled: Generate a notification whenever a user account has been enabled by an administrator.

account-expired: Generate a notification whenever a user authentication has failed because the account has expired.

account-idle-locked: Generate a notification whenever a user account has been locked because it was idle for too long.

account-permanently-locked: Generate a notification whenever a user account has been permanently locked after too many failed attempts.

account-reset-locked: Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.

account-temporarily-locked: Generate a notification whenever a user account has been temporarily locked after too many failed attempts.

account-unlocked: Generate a notification whenever a user account has been unlocked by an administrator.

password-changed: Generate a notification whenever a user changes his/her own password.

password-expired: Generate a notification whenever a user authentication has failed because the password has expired.

password-expiring: Generate a notification whenever a password expiration warning is encountered for a user password for the first time.

password-reset: Generate a notification whenever a user's password is reset by an administrator.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

2.48.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.
Default Value

org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.AccountStatusNotificationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.49. Error Log Publisher

This is an abstract object type that cannot be instantiated.

Error Log Publishers are responsible for distributing error log messages from the error logger to a destination.

Error log messages provide information about any warnings, errors, or significant events that are encountered during server processing.

2.49.1. Error Log Publishers

The following Error Log Publishers are available:

These Error Log Publishers inherit the properties described below.

2.49.2. Parent

The Error Log Publisher object inherits from Log Publisher.

2.49.3. Basic Properties

default-severity

SynopsisSpecifies the default severity levels for the logger.
Default Value

error

warning

Allowed Values

all: Messages of all severity levels are logged.

debug: The error log severity that is used for messages that provide debugging information triggered during processing.

error: The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.

info: The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.

none: No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.

notice: The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).

warning: The error log severity that is used for messages that provide information about warnings triggered during processing.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

enabled

SynopsisIndicates whether the Log Publisher is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

java-class

SynopsisThe fully-qualified name of the Java class that provides the Error Log Publisher implementation.
Default Value

org.opends.server.loggers.ErrorLogPublisher

Allowed Values

A Java class that extends or implements:

  • org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

override-severity

SynopsisSpecifies the override severity levels for the logger based on the category of the messages.
DescriptionEach override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, setup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.
Default Value

All messages with the default severity levels are logged.

Allowed Values

A string in the form category=severity1,severity2...

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.50. Exact Match Identity Mapper

The Exact Match Identity Mapper maps an identifier string to user entries by searching for the entry containing a specified attribute whose value is the provided identifier. For example, the username provided by the client for DIGEST-MD5 authentication must match the value of the uid attribute

2.50.1. Parent

The Exact Match Identity Mapper object inherits from Identity Mapper.

2.50.2. Basic Properties

enabled

SynopsisIndicates whether the Identity Mapper is enabled for use.
Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

match-attribute

SynopsisSpecifies the attribute whose value should exactly match the ID string provided to this identity mapper.
DescriptionAt least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.
Default Value

uid

Allowed Values

The name of an attribute type defined in the LDAP schema.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced

No

Read-Only

No

match-base-dn

SynopsisSpecifies the set of base DNs below which to search for users.
DescriptionThe base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.
Default Value

The server searches below all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced

No

Read-Only

No

2.50.3. Advanced Properties

Use the --advanced option to access advanced properties.

java-class

SynopsisSpecifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.
Default Value

org.opends.server.extensions.ExactMatchIdentityMapper

Allowed Values

A Java class that extends or implements:

  • org.opends.server.api.IdentityMapper

Multi-valued

No

Required

Yes

Admin Action Required

The object must be disabled and re-enabled for changes to take effect.

Advanced

Yes

Read-Only

No

2.51. Extended Operation Handler

This is an abstract object type that cannot be instantiated.

Extended Operation Handlers processes the different types of extended operations in the server.