Reference for ForgeRock® Directory Services, including bundled tools.

Preface

ForgeRock Identity Platform™ serves as the basis for our simple and comprehensive Identity and Access Management solution. We help our customers deepen their relationships with their customers, and improve the productivity and connectivity of their employees and partners. For more information about ForgeRock and about the platform, see https://www.forgerock.com.

The ForgeRock Common REST API works across the platform to provide common ways to access web resources and collections of resources.

This reference covers Directory Services configuration, tools, and other topics such as supported languages and standards. For the dsconfig command, also see Configuration Reference. For API specifications suitable for Directory Services developers, see the appropriate Javadoc.

Chapter 1. REST to LDAP Configuration

DS software offers two alternatives for access to directory data over HTTP:

DS servers have an HTTP connection handler that exposes RESTful APIs to directory data over HTTP (or HTTPS). You configure an HTTP connection handler, and the HTTP endpoints that it serves, by using the dsconfig command. For each HTTP endpoint served by an HTTP connection handler that exposes your directory data, you configure mappings between JSON resources and LDAP entries.
The DS REST to LDAP gateway runs in a Servlet container independent from the directory service. You configure the gateway to access the directory service by editing configuration files for the gateway web application.

Interface stability: Evolving (See "ForgeRock Product Interface Stability" in the Release Notes)

The files for configuring the gateway and the JSON resource to LDAP entry mappings are in JSON format.

In DS server installations, the default location for the configuration files is under /path/to/opendj/config.

In a REST to LDAP gateway Servlet, the configuration files are under WEB-INF/classes.

The format and relative locations of the mapping files are the same for DS servers and the DS REST to LDAP gateway. Only DS REST to LDAP gateway, however, has files for configuring how the gateway connects to LDAP servers, how user identities extracted from HTTP requests map to LDAP user identities, and what LDAP features the gateway uses. In DS servers these capabilities are part of the server configuration.

The parser for REST to LDAP configuration files is lenient. It lets you include comments in the JSON, although the JSON standard does not allow comments.

The following list describes the configuration files, indicated by relative location under the configuration directory:

config.json (gateway only)

This file defines how the gateway connects to LDAP servers, and how user identities extracted from HTTP requests map to LDAP user identities.

For details, see "Gateway Configuration File".

rest2ldap/rest2ldap.json (gateway only)

This file defines which LDAP features the gateway uses.

For details, see "Gateway REST2LDAP Configuration File".

rest2ldap/endpoints/base-path/root-resource.json

These files define JSON resource to LDAP entry mappings.

For details about the configuration fields, see "Mapping Configuration File".

1.1. Gateway Configuration File

The config.json file for the REST to LDAP gateway can hold the configuration objects described in this section.

The order of the settings in the JSON file is not meaningful. Here, the order shown is that of the default configuration file:

security

Configures security parameters for establishing secure connections between the gateway (as a client) and the servers it contacts, such as LDAP directory servers and OAuth 2.0 authorization servers.

This field has the following properties:

trustManager (optional)

This setting configures how the servers are trusted. This setting is ignored for connections to LDAP servers if connectionSecurity is set to none:

file means trust server certificates signed by a CA that is trusted according to the file-based truststore configured with fileBasedTrustManager* settings described below.
jvm (default) means trust server certificates signed by a CA trusted by the Java environment.
trustAll means blindly trust all server certificates.
Caution
This setting is not secure and makes man-in-the-middle attacks possible.

fileBasedTrustManagerType (optional)

If trustManager is set to file, then this setting configures the format for the data in the truststore file specified by the fileBasedTrustManagerFile setting. Formats include the following, though other implementations might be supported as well, depending on the Java environment:

JKS specifies Java Keystore format.
PKCS12 specifies Public-Key Cryptography Standards 12 format.

fileBasedTrustManagerFile

If trustManager is set to file, then this setting must specify the location of the truststore file.

Example: /path/to/truststore

fileBasedTrustManagerPasswordFile (optional)

If trustManager is set to file, then this setting specifies the file containing the truststore password.

Example: /path/to/pinfile

keyManager (optional)

This setting configures how the keys are managed for the gateway when the gateway is acting as a client of an LDAP server or OAuth 2.0 authorization server. The client keys are used to establish a secure connection to a server when the server requires client authentication.

This field can take the following values:

jvm (default) means look for client keys in the default keystore for the Java environment.
file means look for client keys in the specified keystore file, configured with the fileBasedKeyManager* settings.
pkcs11 means look for client keys in a PKCS #11 cryptographic token, where the PIN file is configured with the pkcs11KeyManagerPasswordFile setting described below.

fileBasedKeyManagerFile

If keyManager is set to file, then this setting must specify the keystore file.

Example: /path/to/keystore

fileBasedKeyManagerPasswordFile (optional)

If keyManager is set to file, then this setting specifies the file containing the keystore password.

Example: /path/to/pinfile

fileBasedKeyManagerType (optional)

If keyManager is set to file, then this setting specifies the format of the keystore specified by the fileBasedKeyManagerFile setting. Formats include the following, though other implementations might be supported as well, depending on the Java environment:

JKS specifies Java Keystore format.
PKCS12 specifies Public-Key Cryptography Standards 12 format.

pkcs11KeyManagerPasswordFile (optional)

If keyManager is set to pkcs11, then this setting specifies the file containing the PKCS #11 token password.

Example: /path/to/pinfile

ldapConnectionFactories

Configures how the gateway connects to LDAP servers. This entire configuration object applies only to the REST to LDAP gateway.

Configures at least a connection factory for unauthenticated connections that are used for bind requests. By default, also configures a factory for authenticated connections that are used for searches during authentication and for proxied authorization operations.

The default configuration is set to connect to a local directory server listening for LDAP connections on port 1389, authenticating as the directory superuser, cn=Directory Manager, with the password password:

bind

Configures the unauthenticated connection factory for bind operations:

connectionSecurity (optional)

Whether connections to LDAP servers should be secured by using SSL or StartTLS. The following values are supported:

none (default) means connections use plain LDAP and are not secured.
ssl means connections are secured using LDAPS.
startTLS means connections are secured using LDAP and StartTLS.

If you set connectionSecurity, also review the trustManager and fileBasedTrustManager* settings in the security field.

sslCertAlias (optional)

If secure connections to LDAP servers require client authentication, this identifies the alias of the certificate to use for client authentication when establishing a secure connection.

If you uses this setting because client authentication is required, make sure the keyManager settings in the security field are properly configured.

If this field is missing, then the certificate is chosen during the SSL handshake.

Example: client-cert

connectionPoolSize (optional)

The gateway creates connection pools to the primary and secondary LDAP servers. The connection pools maintain up to connectionPoolSize connections to the servers.

Default: 24

heartBeatIntervalSeconds (optional)

The gateway tests its connections every heartBeatIntervalSeconds to detect whether the connection is still alive. The first test is performed immediately when the gateway gets a connection. Subsequent tests follow every heartBeatIntervalSeconds.

Default: 30 (seconds)

heartBeatTimeoutMilliSeconds (optional)

When the gateway tests a connection, if the heartbeat does not come back after heartBeatTimeoutMilliSeconds the connection is marked as closed.

Default: 500 (milliseconds)

primaryLdapServers (required)

The gateway accesses this array of LDAP servers before failing over to the secondary LDAP servers. These might be LDAP servers in the same data center, for example:

{
    "primaryLdapServers": [
        {
            "hostname": "local1.example.com",
            "port": 1389
        },
        {
            "hostname": "local2.example.com",
            "port": 1389
        }
    ]
}

By default, the gateway connects to the server listening on port 1389 on the local host.

secondaryLdapServers (optional)

The gateway accesses this array of LDAP servers if primary LDAP servers cannot be contacted. These might be LDAP servers in the same remote data center, for example:

{
    "secondaryLdapServers": [
        {
            "hostname": "remote1.example.com",
            "port": 1389
        },
        {
            "hostname": "remote2.example.com",
            "port": 1389
        }
    ]
}

No secondary LDAP servers are configured by default.

root

Configures the authenticated connection factory:

inheritFrom (optional)

Identifies the unauthenticated connection factory to inherit the settings from. If this connection factory does not inherit from another configuration object, then you must specify the configuration here.

Default: bind

authentication (required)

The gateway authenticates by simple bind using the credentials specified:

{
    "authentication": {
        "bindDn": "cn=Directory Manager",
        "password": "password"
    }
}

If the OAuth 2.0 authorization policy is configured for the gateway, then the directory service must be configured to allow the user configured here to perform proxied authorization.

authorization

Configures how authorization is performed for REST operations. This entire configuration object applies only to the REST to LDAP gateway.

The default configuration handles authorization by mapping HTTP Basic authentication credentials to LDAP bind credentials. User entries are inetOrgPerson entries expected to have uid=username, and expected to be found under ou=people,dc=example,dc=com.

The default configuration also allows alternative, HTTP header-based authentication in the style of OpenIDM software.

To protect passwords, configure HTTPS for the container where the REST to LDAP gateway runs.

This object has the following configuration fields:

policies

Which authorization policies are allowed, where the supported policies include:

anonymous
basic (HTTP Basic)
oauth2

When more than one policy is specified, policies are applied in the following order:

If the client request has an Authorization header, and policies include oauth2, the server attempts to apply the OAuth 2.0 policy.
If the client request has an Authorization header, or has the custom credentials headers specified in the configuration, and policies includes basic, the server attempts to apply the Basic Auth policy.
Otherwise, if policies includes anonymous, and none of the previous policies apply, the server attempts to apply the policy for anonymous requests.

Default: [ "basic" ]

anonymous

Configuration for authorization when the HTTP connection to the gateway is not authenticated.

Operations are performed using connections from the specified factory:

ldapConnectionFactory

Factor providing LDAP connections to use for anonymous HTTP requests.

In effect, you add "anonymous" to the array of policies allowed without otherwise changing the default configuration, anonymous HTTP requests result in LDAP requests performed by Directory Manager. Take care to adjust this setting appropriately when allowing anonymous requests.

Default: root

basic

Configuration for authorization using HTTP Basic credentials.

The HTTP Basic credentials are mapped to LDAP credentials. The LDAP credentials are then used to bind to the directory service.

This object has the following configuration fields:

supportAltAuthentication

Whether to allow alternative, HTTP header-based authentication. If this is set to true, then the headers containing credentials are specified as the values for altAuthenticationUsernameHeader and altAuthenticationPasswordHeader, and the bind DN is resolved using a template.

Default: true

altAuthenticationUsernameHeader

The HTTP header containing the username for authentication when alternative, HTTP header-based authentication is allowed.

Default: X-OpenIDM-Username

altAuthenticationPasswordHeader

The HTTP header containing the password for authentication when alternative, HTTP header-based authentication is allowed.

Default: X-OpenIDM-Password

bind

How HTTP Basic credentials are mapped to LDAP credentials used to bind to the directory service.

The following values are supported:

search (default) means the gateway performs a search based on the HTTP Basic user name to obtain the bind DN.
sasl-plain means the gateway transforms the HTTP Basic user name to an authorization ID (authzid) using a template.
simple means the HTTP Basic user name is mapped to a component of the LDAP bind DN.

simple

How to reuse HTTP Basic credentials for an LDAP simple bind.

This object has the following configuration fields:

ldapConnectionFactory

The factory providing LDAP connections to the directory service.

Default: bind

bindDnTemplate

The template to produce the bind DN from the HTTP Basic user name.

A single occurrence of the string {username} is replaced in the template with the HTTP Basic user name.

Default: uid={username},ou=People,dc=example,dc=com (The HTTP Basic user name is the UID of the LDAP entry.)

sasl-plain

How to reuse HTTP Basic credentials for an LDAP SASL plain bind.

This object has the following configuration fields:

ldapConnectionFactory

The factory providing LDAP connections to the directory service.

Default: bind

authzIdTemplate

The template to produce the authorization ID from the HTTP Basic user name.

A single occurrence of the string {username} is replaced in the template with the HTTP Basic user name.

If the user name is also the authorization ID, use u:{username}.

If the user name is the LDAP bind DN, use dn:{username}.

search

How to reuse HTTP Basic credentials to find the bind DN for an LDAP simple bind.

This object has the following configuration fields:

searchLdapConnectionFactory

The factory providing LDAP connections to the directory service for the LDAP search operation.

Default: root

bindLdapConnectionFactory

The factory providing LDAP connections to the directory service for the LDAP bind operation that uses the bind DN returned by the search.

Default: bind

baseDn

The base DN for the LDAP search.

Example: ou=People,dc=example,dc=com.

scope

The scope for the LDAP search.

Use sub for a subtree search, one for a one-level search.

filterTemplate

The template for the filter of the LDAP search.

A single occurrence of the string {username} is replaced in the template with the HTTP Basic user name.

If the user name is also the UID, use (&(uid={username})(objectClass=inetOrgPerson)).

oauth2

Configuration for authorization based on OAuth 2.0, where the gateway plays the role of resource server.

This object has the following configuration fields:

realm

Realm associated with access tokens presented to the gateway.

requiredScopes

Array of OAuth 2.0 scopes that are required to allow access.

This array must not be empty.

Example: [ "read", "write", "uid" ]

resolver

How to resolve OAuth 2.0 access tokens presented to the gateway.

Supported values include the following:

cts to resolve tokens in a directory service acting as a Core Token Service (CTS) store for AM
openam to send requests for token resolution to an AM server
rfc7662 to send requests for token resolution to an RFC 7622-compliant server

Each access token resolution mechanism has its own configuration.

accessTokenCache

How to cache OAuth 2.0 token information to avoid repeating calls for access token resolution.

This object has the following configuration fields:

enabled

Whether to cache access token information obtained from the resolver.

Default: false

cacheExpiration

How long to cache information for a particular token if caching is enabled.

Default: 5 minutes

openam

Configuration for resolving OAuth 2.0 tokens by a request to AM.

This object has the following configuration fields:

endpointUrl

AM URL for requests for token information, which depends on AM's OAuth 2.0 authorization server configuration.

Example: https://openam.example.com:8443/openam/oauth2/tokeninfo

sslCertAlias (optional)

If secure connections to the authorization server require client authentication, this identifies the alias of the certificate to use for client authentication when establishing a secure connection.

If you uses this setting because client authentication is required, make sure the keyManager settings in the security field are properly configured.

If this field is missing, then the certificate is chosen during the SSL handshake.

Example: client-cert

authzIdTemplate

The template to produce the authorization ID from OAuth 2.0 token information.

A JSON pointer value in braces is replaced in the template with a field value from the JSON returned during token resolution.

This template must start with u: or dn:.

For example, if token resolution returns a JSON document where the value of the uid field is the UID of the user entry in the directory, you might use u:{uid} or dn:{uid},ou=People,dc=example,dc=com.

rfc7662

Configuration for resolving OAuth 2.0 tokens by a request to an RFC 7662-compliant authorization server.

RFC 7662, OAuth 2.0 Token Introspection, defines a standard method for resolving access tokens.

This object has the following configuration fields:

endpointUrl

Authorization server URL for requests for token information with HTTP Basic authentication for OAuth 2.0 clients.

Example: https://as.example.com/introspect

sslCertAlias (optional)

If secure connections to the authorization server require client authentication, this identifies the alias of the certificate to use for client authentication when establishing a secure connection.

If you uses this setting because client authentication is required, make sure the keyManager settings in the security field are properly configured.

If this field is missing, then the certificate is chosen during the SSL handshake.

Example: client-cert

clientId

OAuth 2.0 client identifier defined during registration with the authorization server.

clientSecret

OAuth 2.0 client secret defined during registration with the authorization server.

authzIdTemplate

The template to produce the authorization ID from OAuth 2.0 token information.

A JSON pointer value in braces is replaced in the template with a field value from the JSON returned during token resolution.

This template must start with u: or dn:.

For example, if token resolution returns a JSON document where the value of the username field is the UID of the user entry in the directory, you might use u:{username} or dn:{username},ou=People,dc=example,dc=com.

cts

Configuration for resolving OAuth 2.0 tokens when the directory service acts as AM's CTS store.

AM's CTS store is constrained to a specific layout. The authzIdTemplate must therefore use {userName/0} for the user identifier.

This mechanism makes it possible to resolve access tokens by making a request to the CTS directory service, without making a request to AM. This mechanism does not, however, ensure that the token requested will have already been replicated to the directory server where the request is routed.

This object has the following configuration fields:

ldapConnectionFactory

The factory providing LDAP connections used to obtain token information from the CTS directory service.

Default: root

baseDn

The base DN in the CTS directory service where tokens are found.

If the base DN configured for CTS in AM is dc=cts,dc=example,dc=com, then use ou=famrecords,ou=openam-session,ou=tokens,dc=cts,dc=example,dc=com.

authzIdTemplate

The template to produce the authorization ID from OAuth 2.0 token information.

A JSON pointer value in braces is replaced in the template with a field value from the JSON returned during token resolution.

This template must start with u: or dn:.

In AM CTS, the user name field is an array. For example, if the user name is the UID of the user entry, the use u:{userName/0} or dn:{userName/0},ou=People,dc=example,dc=com.

1.2. Gateway REST2LDAP Configuration File

The rest2ldap/rest2ldap.json for the REST to LDAP gateway can hold the configuration objects described in this section.

The order of the settings in the JSON file is not meaningful. Here, the order shown is that of the default configuration file:

localSortMaxEntries

The maximum number of entries supported by the local sort mechanism. The local sort mechanism is used when sort keys reference JSON attributes. See the description for useServerSideSortForJson below.

Default: 1000

When a request to the gateway includes a _sortKey parameter, the gateway does the following:

If the _sortKey parameter targets a normal LDAP attribute, the gateway includes a server-side sort request for the LDAP server to sort the results.
If the _sortKey parameter targets a JSON syntax LDAP attribute, the gateway's action depending on the setting for useServerSideSortForJson, described below.
If the _sortKey parameter targets an attribute that is in a referenced entry, the gateway sorts the results locally.

useMvcc

Whether the gateway supports multi-version concurrency control (MVCC). If true, also specify an mvccAttribute to use for MVCC.

Default: true

mvccAttribute

The LDAP attribute whose value is used for MVCC. Before performing a write operation, the client application can check, for example, whether it is modifying the correct version of a resource by matching the value of the header If-Match: value.

Default: etag

readOnUpdatePolicy

The policy used to read an entry before it is deleted, or to read an entry after it is added or modified. One of the following:

controls: (default) use RFC 4527 read-entry controls to reflect the state of the resource at the time the update was performed.
The directory service must support RFC 4527.
disabled: do not read the entry or return the resource on update.
search: perform an LDAP search to retrieve the entry before deletion or after it is added or modified.
The JSON resource returned might differ from the LDAP entry that was updated.

useSubtreeDelete

Whether to use the LDAP Subtree Delete request control (OID: 1.2.840.113556.1.4.805) for LDAP delete operations resulting from delete operations on resources. Clients applications that request deletes for resources with children must have access to use the control.

If this setting is true, REST to LDAP attempts to use the control, but falls back to searching for and deleting children if the server rejects the request, because the control is not supported, for example.

Default: true

Set this to false if the LDAP server does not support the control.

usePermissiveModify

Whether to use the LDAP Permissive Modify request control (OID: 1.2.840.113556.1.4.1413) for LDAP modify operations resulting from patch and update operations on resources.

Default: true

Set this to false when using the gateway if the LDAP server does not support the control.

useServerSideSortForJson

Whether to use the LDAP Server-Side Sort request control (OID: 1.2.840.113556.1.4.473) to request that the server sort the results before returning them.

Default: true

When you set this to false, the gateway sorts search results locally. In this case, you can set localSortMaxEntries to limit the maximum number of results that the gateway sorts locally. The localSortMaxEntries setting then effectively limits the maximum _pageSize that the gateway accepts.

1.3. Mapping Configuration File

The rest2ldap/endpoints/base-path/root-resource.json files define how JSON resources map to LDAP entries.

For each base path exposing a REST API, a base-path directory holds one or more root-resource.json files. In the DS server configuration, the Rest2ldap endpoint base-path must match the base-path directory name.

Each root-resource.json file defines mappings for a specific version of the API. The root-resource in the file name must match the name of the root resource defined in the file.

If there is more than one version of the API, then client applications must select the version by setting a version header:

Accept-API-Version: resource=version

If more than one version of the API is available, and the client application does not select the version by setting a version header, then the latest version is returned.

Here, version is the value of the version field in the mapping configuration file.

The file rest2ldap/endpoints/api/example-v1.json is delivered as an example mapping. This file has the following basic structure:

{
  "version": "1.0",         // Version for this API.
  "resourceTypes": {        // Resources for this API.
    "example-v1": {         // Root resource type. Name matches file basename.
      "subResources": {     // The base resource, at /api, is not defined.
        "users": {},        // The subresources at /api/users/ and
        "groups": {}        // /api/groups are defined, however.
      }
    },

    // In addition to the root resource type,
    // the example defines a number of other resource type schemas.
    // These are used to describe the resources exposed under the root resource.
    // In the example file, you can see how these are used for inheritance.
    "frapi:opendj:rest2ldap:object:1.0": {},    // Parent type of all objects.
    "frapi:opendj:rest2ldap:user:1.0": {},      // Basic user type, parent of
    "frapi:opendj:rest2ldap:posixUser:1.0": {}, // user with uid, gid, home dir.
    "frapi:opendj:rest2ldap:group:1.0": {}      // Basic group type.
  }
}

The following list describes the individual fields in more detail.

The order of the settings in the JSON file is not meaningful. Here, the order shown is that of the default example configuration file:

version (optional)

The version string for the root resource of this API.

Valid values are *, integer, and integer.integer, where integer is a positive decimal integer.

If the version is set, and the client application sets the request header Accept-API-Version: resource=version, The mapping with the matching version value is selected.

If more than one version of the API is available, and the client application does not select the version by setting a version header, then the latest version is returned.

Default: * (no version specified)

resourceTypes (required)

The map of resource type names to resource type definitions for this API.

One of the resource type name must match the basename of the mapping file. This resource is referred to as the root resource for this version of the API.

The value of a resource type is an object whose properties are described in "Resource Type Properties".

Resource Type Properties

Property	Description
`resourceTypeProperty` (string, required for inheritance)	Name of the resource type property that specifies the type of this resource. REST to LDAP uses this to determine the resource subtype when creating a resource. This points the mapper to the type of the resource. The specified property must be of type `resourceType`.
`properties` (map, optional)	Map of property names to property definitions. Unlike LDAP entries, JSON resources are not necessarily flat. You can define nested properties of type `object` that have their own properties. For details on properties configuration, see "Properties of Resource Type Properties Objects".
`subResources` (map, optional)	Map of subresource names to subresource definitions. The subresource names are URL templates. A URL template sets the relative URL template beneath which the subresources are located. If empty, the subresources are located directly beneath the parent resource. URL templates can set variables in braces `{}`. Any URL template variables will be substituted into the DN template. For example, suppose LDAP entries for devices are located under the following base DNs: `ou=others,ou=devices,dc=example,dc=com` `ou=pcs,ou=devices,dc=example,dc=com` `ou=phones,ou=devices,dc=example,dc=com` `ou=tablets,ou=devices,dc=example,dc=com` The subresource name `/{type}` would be substituted in actual paths with `/others`, `/pcs`, `/phones`, and `/tablets`. The DN template for the subresource would specify `ou={type},ou=devices,dc=example,dc=com` in order to locate the entries in the correct LDAP organizational unit. In the example, REST to LDAP substitutes `{type}` in the DN template with the type defined in the request URL path. For details on subresource configuration, see "Sub-Resource Properties".
`isAbstract` (boolean, optional)	Whether this is an abstract resource type used only for inheritance. Default: `false`
`superType` (string, optional)	Name of the resource type that this resource type extends. Resource types that extend another type inherit properties of the extended type, and inherit subresource definitions. Default: none. This resource type does not extend another type.
`objectClasses` (array, optional)	Names of the LDAP object classes that this type corresponds to. When an object of this type is created, these object class names are added to the list of object classes on the LDAP entry. The LDAP object classes are not shown in the JSON resource. Default: none.
`supportedActions` (array, optional)	Names of the ForgeRock® Common REST actions that this resource type supports. The names must match actions allowed on the resource in the underlying implementation. Default: none.
`includeAllUserAttributesByDefault` (boolean, optional)	Whether to include all LDAP user attributes as properties of the JSON resource. If `true`, the property names in the JSON resource match the attribute names in the LDAP entries. Default: `false`
`excludedDefaultUserAttributes` (array, optional)	Names of the LDAP user attributes to exclude from the JSON resource when `includeAllUserAttributesByDefault` is `true`. Default: none.

Properties of Resource Type Properties Objects

Property	Description
`type` (string, required)	Determines the type of the mapping property, and therefore which other properties the object has. The type must be one of the following: `constant` The property maps the JSON resource property to a fixed value specified by the `value` property. `json` The property value maps the JSON resource property to a `Json` syntax LDAP attribute. When the type is `json`, the mapping must specify an `ldapAttribute` property that specifies the `Json` syntax LDAP attribute. The mapping may have the following optional properties: `defaultJsonValue` `extensibleJsonOrderingMatchingRule` `isMultiValued` `isRequired` `jsonQueryEqualityMatchingRule` `schema` `writability` `object` The property value is a JSON object with its own type and mapping specified by the object's `properties`. `reference` The property maps a JSON field to an LDAP entry found by reference. This is useful for LDAP attributes that reference other entries, such as `manager`, and (group) `member`. When the type is `reference`, the mapping must have the following required properties. `baseDn` `ldapAttribute` `mapper` `primaryKey` The mapping may have the following optional properties. `isMultiValued` `isRequired` `searchFilter` `writability` `resourceType` The property value is the name of a resource type defined in this mapping file. The name of the property with this type should match the `resourceTypeProperty` name. For example, if `"resourceTypeProperty": "_schema"` then the following should be specified or inherited: `"_schema": { "type": "resourceType" }`. `simple` The property maps a JSON property to an LDAP attribute. Use simple mappings where the correspondence between JSON properties and LDAP attributes is one-to-one. When the type is `simple`, the mapping must specify an `ldapAttribute` property. The mapping may have the following optional properties. `defaultJsonValue` `isBinary` `isMultiValued` `isRequired` `writability`
`baseDn`	Indicates the base LDAP DN under which to find entries referenced by the JSON resource. Base DN values can be literal values, such as `dc=example,dc=com`, and can also use the following notation: `{url-template}` The `{url-template}` used in the description of the URL to the resource is replaced with the literal value used in the request. For example, suppose the path defined for the resources is `/{tenant}/users` and the base DN is `ou=people,dc={tenant},dc=com`. For a request to `/example/users`, the base DN is `ou=people,dc=example,dc=com`. `..` The `..` refers to the relative parent RDN. This is like `..` in a file system path, where `..` refers to the parent directory. Keep in mind that file system paths are big endian, whereas DNs are little endian. You write `../../file-in-grandparent-directory`, but `cn=Child of Grandparent Entry,..,..`. The following excerpt from the default example configuration shows how this could be used to reference a manager's entry (the mapper configuration is not shown): { "manager": { "type": "reference", "ldapAttribute": "manager", "baseDn": "..", "primaryKey": "uid", "mapper": {} } } In this case, if the current LDAP entry for the resource `uid=bjensen,ou=people,dc=example,dc=com`, then the base DN is `ou=people,dc=example,dc=com`. Another excerpt from the default example configuration shows a reference to group member entries (again, the mapper configuration is not shown): { "members": { "type": "reference", "ldapAttribute": "uniqueMember", "baseDn": "ou=people,..,..", "primaryKey": "uid", "isMultiValued": true, "mapper": {} } } In this case, if the current LDAP entry for the resource `cn=Directory Administrators,ou=groups,dc=example,dc=com`, then the base DN is `ou=people,dc=example,dc=com`. Notice a limitation in this reference to group member entries: all group members must be people; the configuration does not handle nested groups and other types of members.
`defaultJsonValue`	Sets the JSON value if no corresponding LDAP attribute is present. No default is set if this is omitted.
`extensibleJsonOrderingMatchingRule`	Sets the JSON ordering matching rule to use when requesting an extensible server-side sort. The default rule will ignore case and whitespace when sorting values of JSON fields. For a description of the extended server-side sort syntax, see "Search: Server-Side Sort" in the Developer's Guide.
`isBinary`	Whether the underlying LDAP attribute holds a binary value, such as a JPEG photo or a digital certificate. If `true`, the JSON property takes the base64-encoded value. Binary values can also be handled directly as described in "Working With Alternative Content Types" in the Developer's Guide. Default: `false`.
`isMultiValued`	Whether the JSON resource property can take an array value. Most LDAP attributes can take multiple values. A literal-minded mapping from LDAP to JSON would therefore be full of array properties, many with only one value. To minimize inconvenience, REST to LDAP generally returns single value scalars, even when the underlying LDAP attribute is multi-valued. If this property is omitted or set to `false`, then the JSON resource contains the first value returned for multi-valued LDAP attributes with more than value. If this property is `true`, then if the LDAP attribute only has one value, it is returned as a scalar. If the LDAP attribute has more than one value, the values are returned in an array. Default: `false`
`isRequired`	`true` means the LDAP attribute is mandatory and must be provided to create the resource; `false` means it is optional. Default: `false`.
`jsonQueryEqualityMatchingRule`	When a query filter in the HTTP request uses a JSON path that points to a field in a JSON attribute value, it uses the matching rule specified by this property to compare the query filter with attribute values. You can set this to the following matching rule names: `caseExactJsonQueryMatch` means respect case when finding matches. `caseIgnoreJsonQueryMatch` means ignore case when finding matches. Default: `caseIgnoreJsonQueryMatch`.
`ldapAttribute`	Specifies the LDAP attribute in the entry underlying the JSON resource whose value points to the referenced entry. For example, a `manager` attribute value is the DN of the manager's entry. Default: use the name of the JSON property. For example, the JSON property `description` maps to the LDAP attribute `description` by default.
`mapper`	Describes how the referenced entry content maps to the content of this JSON property. A mapper object is a properties object of its own.
`primaryKey`	Indicates which LDAP attribute in the mapper holds the primary key to the referenced entry.
`schema`	Specifies a JSON Schema that applies values of type `json`. Default: No schema is specified; values may be arbitrary JSON.
`searchFilter`	Specifies the LDAP filter to use to search for the referenced entry. Default: `"(objectClass=*)"`
`value`	Use with `"type": "constant"` to specify the constant value.
`writability`	Indicates whether the mapping supports updates. The `writability` property takes one of the following values: `createOnly`: This attribute can be set only when the entry is created. Attempts to update this attribute thereafter result in errors. `createOnlyDiscardWrites`: This attribute can be set only when the entry is created. Attempts to update this attribute thereafter do not result in errors. Instead the update value is discarded. `readOnly`: This attribute cannot be written. Attempts to write this attribute result in errors. `readOnlyDiscardWrites`: This attribute cannot be written. Attempts to write this attribute do not result in errors. Instead the value to write is discarded. `readWrite`: (default) This attribute can be set at creation and updated thereafter.

Sub-Resource Properties

Property	Description
`type` (string, required)	The type of this subresource, either `collection` or `singleton`. A collection subresource is a container for other resources, which can be created, read, updated, deleted, patched, and queried. A collection definition has the following required properties: `namingStrategy` `resource` A collection definition has the following optional properties: `dnTemplate` `glueObjectClasses` `isReadOnly` A singleton subresource is a resource with no children. A singleton definition has the following required properties: `resource` A singleton definition has the following optional properties: `dnTemplate` `isReadOnly`
`dnTemplate` (string, optional)	Sets the relative DN template beneath which the subresource LDAP entries are located. If this is an empty string, the LDAP entries are located directly beneath the parent LDAP entry. DN templates can use variables in braces `{}`. DN template variables are substituted using values extracted from the URL template. Default: empty string
`glueObjectClasses` (array, required if the DN template contains one or more RDNs)	Specifies one or more LDAP object class names associated with any intermediate "glue" entries forming the DN template. Default: no object classes are specified
`isReadOnly` (boolean, optional)	Whether this resource is read-only. Default: `false`
`namingStrategy` (object, required)	Specifies the approach used to map LDAP entry names to JSON resources. LDAP entries mapped to JSON resources must be immediate subordinates of the mapping's `baseDn`. The following naming strategies are supported: RDN and resource ID are both derived from a single user attribute in the LDAP entry, as in the following example, where the `uid` attribute is the RDN and its value is the JSON resource ID: { "namingStrategy": { "type": "clientDnNaming", "dnAttribute": "uid" } } RDN and resource ID are derived from separate user attributes in the LDAP entry, as in the following example, where the RDN attribute is `uid`, but the JSON resource ID is the value of the `mail` attribute: { "namingStrategy": { "type": "clientNaming", "dnAttribute": "uid", "idAttribute": "mail" } } RDN is derived from a user attribute and the resource ID from an operational attribute in the LDAP entry, as in the following example, where the RDN attribute is `uid`, but the JSON resource ID is the value of the `entryUUID` operational attribute: { "namingStrategy": { "type": "serverNaming", "dnAttribute": "uid", "idAttribute": "entryUUID" } }
`resource` (string, required)	Specifies the resource type name of the subresource. A collection can contain objects with different subresource types as long as all types inherit from the same super type. In that case, set `resource` to the super type name.

Chapter 2. Request Handling

This chapter describes how DS services respond to requests.

2.1. Requests to Servers

DS servers listen for client requests using connection handlers. A connection handler interacts with client applications, accepting connections, reading requests, and sending responses. Most connection handlers expose configurable listen ports with security settings. The security settings point to other configuration objects, so two connection handlers can share the same certificate and private key, for example.

DS servers use different ports for different protocols. For example, a directory server might listen on port 389 for LDAP requests, port 443 for HTTPS requests, and port 4444 for administration requests from server configuration tools. Because DS servers use a different connection handler for each port, DS servers have several connection handlers enabled.

The setup command lets you initially configure connection handlers for LDAP(S), HTTP(S), and administrative traffic. The dsconfig command offers full access to all connection handler configurations.

When a client application opens a secure connection to a server, the JVM has responsibility for transport layer security negotiations. You can configure how connection handlers access keys required during the negotiations. You can also configure which clients on the network are allowed to use the connection handler. For details, see "Connection Handler" in the Configuration Reference.

Connection handlers receive incoming requests, and pass them along for processing by the core server subsystem.

For example, an LDAP connection handler enqueues requests to the core server, which in turn requests data from the appropriate backend as necessary. For more information about backends, see "About Database Backends" in the Administration Guide. The core server returns the LDAP response.

LDAP Requests

LDAP request processing occurs in the core directory server.

An HTTP connection handler translates each request to LDAP. Internally, the core server subsystem processes the resulting LDAP requests.

HTTP Requests

An HTTP connection handler translates to LDAP based on its configuration.

DS servers support other types of connection handlers. For example, JMX and SNMP connection handlers support monitoring applications. A special LDIF connection handler consumes LDIF files. For details, see "Configuring Connection Handlers" in the Administration Guide.

When deploying a server, decide which listen ports to expose over which networks. Determine how you want to secure the connections, as described in "Securing Network Connections" in the Security Guide.

2.2. Requests to Gateways

The gateway applications translate each HTTP request from the user-agent to the application server into one or more LDAP requests to remote directory services.

A DSML gateway translates each HTTP request into one or more LDAP requests. The translation depends on the DSML protocol. You configure only how HTTP user IDs map to LDAP identities for authentication.

Requests Through a DSML Gateway

DSML translates HTTP to LDAP based on the DSML protocol.

A REST to LDAP gateway translates an HTTP request into one or more LDAP requests. The translation depends on the specific REST to LDAP gateway configuration. An identity mapper translates the user identity into an LDAP identity for the bind. Then the REST to LDAP mapping defines how the REST JSON resource corresponds to LDAP entries. The gateway handles the mapping configuration in the same way as an HTTP connection handler.

Requests Through a REST to LDAP Gateway

REST to LDAP translates HTTP to LDAP based on its configuration.

Chapter 3. LDAP Result Codes

An operation result code as defined in RFC 4511 section 4.1.9 is used to indicate the final status of an operation. If a server detects multiple errors for an operation, only one result code is returned. The server should return the result code that best indicates the nature of the error encountered. Servers may return substituted result codes to prevent unauthorized disclosures.

OpenDJ LDAP Result Codes

Result Code	Name	Description
-1	Undefined	The result code that should only be used if the actual result code has not yet been determined. Despite not being a standard result code, it is an implementation of the null object design pattern for this type.
0	Success	The result code that indicates that the operation completed successfully.
1	Operations Error	The result code that indicates that the operation is not properly sequenced with relation to other operations (of same or different type). For example, this code is returned if the client attempts to StartTLS [RFC4346] while there are other uncompleted operations or if a TLS layer was already installed.
2	Protocol Error	The result code that indicates that the client sent a malformed or illegal request to the server.
3	Time Limit Exceeded	The result code that indicates that a time limit was exceeded while attempting to process the request.
4	Size Limit Exceeded	The result code that indicates that a size limit was exceeded while attempting to process the request.
5	Compare False	The result code that indicates that the attribute value assertion included in a compare request did not match the targeted entry.
6	Compare True	The result code that indicates that the attribute value assertion included in a compare request did match the targeted entry.
7	Authentication Method Not Supported	The result code that indicates that the requested authentication attempt failed because it referenced an invalid SASL mechanism.
8	Strong Authentication Required	The result code that indicates that the requested operation could not be processed because it requires that the client has completed a strong form of authentication.
10	Referral	The result code that indicates that a referral was encountered. Strictly speaking this result code should not be exceptional since it is considered as a "success" response. However, referrals should occur rarely in practice and, when they do occur, should not be ignored since the application may believe that a request has succeeded when, in fact, nothing was done.
11	Administrative Limit Exceeded	The result code that indicates that processing on the requested operation could not continue because an administrative limit was exceeded.
12	Unavailable Critical Extension	The result code that indicates that the requested operation failed because it included a critical extension that is unsupported or inappropriate for that request.
13	Confidentiality Required	The result code that indicates that the requested operation could not be processed because it requires confidentiality for the communication between the client and the server.
14	SASL Bind in Progress	The result code that should be used for intermediate responses in multi-stage SASL bind operations.
16	No Such Attribute	The result code that indicates that the requested operation failed because it targeted an attribute or attribute value that did not exist in the specified entry.
17	Undefined Attribute Type	The result code that indicates that the requested operation failed because it referenced an attribute that is not defined in the server schema.
18	Inappropriate Matching	The result code that indicates that the requested operation failed because it attempted to perform an inappropriate type of matching against an attribute.
19	Constraint Violation	The result code that indicates that the requested operation failed because it would have violated some constraint defined in the server.
20	Attribute or Value Exists	The result code that indicates that the requested operation failed because it would have resulted in a conflict with an existing attribute or attribute value in the target entry.
21	Invalid Attribute Syntax	The result code that indicates that the requested operation failed because it violated the syntax for a specified attribute.
32	No Such Entry	The result code that indicates that the requested operation failed because it referenced an entry that does not exist.
33	Alias Problem	The result code that indicates that the requested operation failed because it attempted to perform an illegal operation on an alias.
34	Invalid DN Syntax	The result code that indicates that the requested operation failed because it would have resulted in an entry with an invalid or malformed DN.
36	Alias Dereferencing Problem	The result code that indicates that a problem was encountered while attempting to dereference an alias for a search operation.
48	Inappropriate Authentication	The result code that indicates that an authentication attempt failed because the requested type of authentication was not appropriate for the targeted entry.
49	Invalid Credentials	The result code that indicates that an authentication attempt failed because the user did not provide a valid set of credentials.
50	Insufficient Access Rights	The result code that indicates that the client does not have sufficient permission to perform the requested operation.
51	Busy	The result code that indicates that the server is too busy to process the requested operation.
52	Unavailable	The result code that indicates that either the entire server or one or more required resources were not available for use in processing the request.
53	Unwilling to Perform	The result code that indicates that the server is unwilling to perform the requested operation.
54	Loop Detected	The result code that indicates that a referral or chaining loop was detected while processing the request.
60	Sort Control Missing	The result code that indicates that a search request included a VLV request control without a server-side sort control.
61	Offset Range Error	The result code that indicates that a search request included a VLV request control with an invalid offset.
64	Naming Violation	The result code that indicates that the requested operation failed because it would have violated the server's naming configuration.
65	Object Class Violation	The result code that indicates that the requested operation failed because it would have resulted in an entry that violated the server schema.
66	Not Allowed on Non-Leaf	The result code that indicates that the requested operation is not allowed for non-leaf entries.
67	Not Allowed on RDN	The result code that indicates that the requested operation is not allowed on an RDN attribute.
68	Entry Already Exists	The result code that indicates that the requested operation failed because it would have resulted in an entry that conflicts with an entry that already exists.
69	Object Class Modifications Prohibited	The result code that indicates that the operation could not be processed because it would have modified the objectclasses associated with an entry in an illegal manner.
71	Affects Multiple DSAs	The result code that indicates that the operation could not be processed because it would impact multiple DSAs or other repositories.
76	Virtual List View Error	The result code that indicates that the operation could not be processed because there was an error while processing the virtual list view control.
80	Other	The result code that should be used if no other result code is appropriate.
81	Server Connection Closed	The client-side result code that indicates that the server is down. This is for client-side use only and should never be transferred over protocol.
82	Local Error	The client-side result code that indicates that a local error occurred that had nothing to do with interaction with the server. This is for client-side use only and should never be transferred over protocol.
83	Encoding Error	The client-side result code that indicates that an error occurred while encoding a request to send to the server. This is for client-side use only and should never be transferred over protocol.
84	Decoding Error	The client-side result code that indicates that an error occurred while decoding a response from the server. This is for client-side use only and should never be transferred over protocol.
85	Client-Side Timeout	The client-side result code that indicates that the client did not receive an expected response in a timely manner. This is for client-side use only and should never be transferred over protocol.
86	Unknown Authentication Mechanism	The client-side result code that indicates that the user requested an unknown or unsupported authentication mechanism. This is for client-side use only and should never be transferred over protocol.
87	Filter Error	The client-side result code that indicates that the filter provided by the user was malformed and could not be parsed. This is for client-side use only and should never be transferred over protocol.
88	Cancelled by User	The client-side result code that indicates that the user cancelled an operation. This is for client-side use only and should never be transferred over protocol.
89	Parameter Error	The client-side result code that indicates that there was a problem with one or more of the parameters provided by the user. This is for client-side use only and should never be transferred over protocol.
90	Out of Memory	The client-side result code that indicates that the client application was not able to allocate enough memory for the requested operation. This is for client-side use only and should never be transferred over protocol.
91	Connect Error	The client-side result code that indicates that the client was not able to establish a connection to the server. This is for client-side use only and should never be transferred over protocol.
92	Operation Not Supported	The client-side result code that indicates that the user requested an operation that is not supported. This is for client-side use only and should never be transferred over protocol.
93	Control Not Found	The client-side result code that indicates that the client expected a control to be present in the response from the server but it was not included. This is for client-side use only and should never be transferred over protocol.
94	No Results Returned	The client-side result code that indicates that the requested single entry search operation or read operation failed because the Directory Server did not return any matching entries. This is for client-side use only and should never be transferred over protocol.
95	Unexpected Results Returned	The client-side result code that the requested single entry search operation or read operation failed because the Directory Server returned multiple matching entries (or search references) when only a single matching entry was expected. This is for client-side use only and should never be transferred over protocol.
96	Referral Loop Detected	The client-side result code that indicates that the client detected a referral loop caused by servers referencing each other in a circular manner. This is for client-side use only and should never be transferred over protocol.
97	Referral Hop Limit Exceeded	The client-side result code that indicates that the client reached the maximum number of hops allowed when attempting to follow a referral (i.e., following one referral resulted in another referral which resulted in another referral and so on). This is for client-side use only and should never be transferred over protocol.
118	Canceled	The result code that indicates that a cancel request was successful, or that the specified operation was canceled.
119	No Such Operation	The result code that indicates that a cancel request was unsuccessful because the targeted operation did not exist or had already completed.
120	Too Late	The result code that indicates that a cancel request was unsuccessful because processing on the targeted operation had already reached a point at which it could not be canceled.
121	Cannot Cancel	The result code that indicates that a cancel request was unsuccessful because the targeted operation was one that could not be canceled.
122	Assertion Failed	The result code that indicates that the filter contained in an assertion control failed to match the target entry.
123	Authorization Denied	The result code that should be used if the server will not allow the client to use the requested authorization.
16,654	No Operation	The result code that should be used if the server did not actually complete processing on the associated operation because the request included the LDAP No-Op control.

Chapter 4. File Layout

DS software installs and creates the following files and directories. The following table is not meant to be exhaustive.

File Locations

File or Directory	Description
`bak`	Base directory for backup archives
`bat`	Windows command-line tools
`bin`	UNIX/Linux command-line tools
`changelogDb`	Backend data for the external change log when using replication
`classes`	Directory added to the server classpath, permitting individual classes to be patched
`config`	(Optionally) immutable server configuration files
`config/audit-handlers`	Templates for configuring external Common Audit event handlers
`config/config.ldif`	LDIF representation of current DS server configuration
`config/MakeLDIF`	Templates for use with the makeldif LDIF generation tool
`db`	Backend database files
`db/admin`	Mutable administrative backend files
`db/ads-truststore`	Mutable truststore for keys and certificates used by replication
`db/monitorUser`	Default monitor user backend files If a monitor user is created at setup time, this directory holds the files.
`db/rootUser`	Default root user backend files
`db/schema`	LDAP schema files
`db/tasks`	Task scheduler backend files
`db/userRoot`	Files for default persistent, indexed backend that holds user data
`example-plugin.zip`	Sample DS plugin code Install custom plugins in the `lib/extensions` directory.
`extlib`	Directory for additional .jar files used by your custom plugins If the instance path is not the same as the binaries, copy additional files into the `instance-path/extlib/` directory.
`import-tmp`	Working directory used when importing LDIF data
`ldif`	Directory for saving LDIF export files
`legal-notices`	License information
`lib`	Scripts and libraries shipped with DS servers
`lib/extensions`	Directory for custom plugins
`locks`	Lock files that prevent more than one process from using the same backend
`logs`	Access, errors, audit, and replication logs
`logs/server.pid`	Contains the process ID for a running server
`opendj_logo.png`	DS splash logo
`README`	About DS servers
`setup`	UNIX/Linux setup tool
`setup.bat`	Windows setup tool
`snmp`	SNMP support files
`template`	Templates for setting up a server instance
`upgrade`	UNIX/Linux upgrade tool
`upgrade.bat`	Windows upgrade tool
`var`	Files the DS server writes to during operation

Chapter 5. Ports Used

DS server software uses the TCP/IP ports described in "Server Ports".

Server Ports

Protocols	Conventional Ports	Active by Default?	Description
LDAP	389	No	Port for cleartext LDAP requests; also used to request StartTLS for a secure connection. The reserved LDAP port number is 389. Interactive setup initially suggests this port number. If the initially suggested port is not free or cannot be used due to lack of privileges, interactive setup adds 1000 to the port number and tries again, repeatedly adding 1000 until a free port is found. If LDAP is used, leave this port open to client applications.
LDAPS	636	No	Port for secure LDAPS requests. The standard LDAPS port number is 636. Interactive setup initially suggests this port number. If the initially suggested port is not free or cannot be used due to lack of privileges, interactive setup adds 1000 to the port number and tries again, repeatedly adding 1000 until a free port is found. If LDAPS is used, leave this port open to client applications.
HTTP, HTTPS	80, 443	No	Port for HTTP client requests, such as RESTful API calls. The standard HTTP port number is 80. The standard HTTPS port number is 443. Interactive setup initially suggests 8080 and 8443 instead. If an initially suggested port is not free or cannot be used due to lack of privileges, interactive setup adds 1000 to the port number and tries again, repeatedly adding 1000 until a free port is found. If HTTP or HTTPS is used, leave this port open to client applications. For production deployments, use HTTPS instead of HTTP.
Server administration	4444	Yes	Port for administrative requests, such as requests from the dsconfig command. Interactive setup initially suggests 4444. If an initially suggested port is not free or cannot be used due to lack of privileges, interactive setup adds 1000 to the port number and tries again, repeatedly adding 1000 until a free port is found. Initial setup secures access to this port.
Directory data replication	8989	No	Port for replication requests, using the DS-specific replication protocol. Interactive setup initially suggests 8989. If an initially suggested port is not free or cannot be used due to lack of privileges, interactive setup adds 1000 to the port number and tries again, repeatedly adding 1000 until a free port is found. If replication is used, leave this port open to other replicas. For production deployments, secure access to this port.
JMX	1689	No	Port for Java Management eXtension requests (1689), and JMX RMI requests. The default setting for the JMX RMI port is `0`, meaning the service chooses a port of its own. This can be configured using the JMX connection handler `rmi-port` setting If used in production deployments, secure access to this port.
SNMP	161, 162	No	Reserved ports are 161 for regular SNMP requests and 162 for traps. If used in production deployments, secure access to these ports.

Chapter 6. Standards, RFCs, and Internet-Drafts

DS 6 software implements the following RFCs, Internet-Drafts, and standards:

RFC 1274: The COSINE and Internet X.500 Schema

X.500 Directory Schema, or Naming Architecture, for use in the COSINE and Internet X.500 pilots.

RFC 1321: The MD5 Message-Digest Algorithm

MD5 message-digest algorithm that takes as input a message of arbitrary length and produces as output a 128-bit "fingerprint" or "message digest" of the input.

RFC 1777: Lightweight Directory Access Protocol (LDAPv2)

Provide access to the X.500 Directory while not incurring the resource requirements of the Directory Access Protocol.

Classified as an Historic document.

RFC 1778: The String Representation of Standard Attribute Syntaxes

Defines the requirements that must be satisfied by encoding rules used to render X.500 Directory attribute syntaxes into a form suitable for use in the LDAP, then defines the encoding rules for the standard set of attribute syntaxes.

Classified as an Historic document.

RFC 1779: A String Representation of Distinguished Names

Defines a string format for representing names, which is designed to give a clean representation of commonly used names, whilst being able to represent any distinguished name.

Classified as an Historic document.

RFC 2079: Definition of an X.500 Attribute Type and an Object Class to Hold Uniform Resource Identifiers (URIs)

Defines a new attribute type and an auxiliary object class to allow URIs, including URLs, to be stored in directory entries in a standard way.

RFC 2222: Simple Authentication and Security Layer (SASL)

Describes a method for adding authentication support to connection-based protocols.

RFC 2246: The TLS Protocol Version 1.0

Specifies Version 1.0 of the Transport Layer Security protocol.

RFC 2247: Using Domains in LDAP/X.500 Distinguished Names

Defines an algorithm by which a name registered with the Internet Domain Name Service can be represented as an LDAP distinguished name.

RFC 2251: Lightweight Directory Access Protocol (v3)

Describes a directory access protocol designed to provide access to directories supporting the X.500 models, while not incurring the resource requirements of the X.500 Directory Access Protocol.

RFC 2252: Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions

Defines a set of syntaxes for LDAPv3, and the rules by which attribute values of these syntaxes are represented as octet strings for transmission in the LDAP protocol.

RFC 2253: Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names

Defines a common UTF-8 format to represent distinguished names unambiguously.

RFC 2254: The String Representation of LDAP Search Filters

Defines the string format for representing names, which is designed to give a clean representation of commonly used distinguished names, while being able to represent any distinguished name.

RFC 2255: The LDAP URL Format

Describes a format for an LDAP Uniform Resource Locator.

RFC 2256: A Summary of the X.500(96) User Schema for use with LDAPv3

Provides an overview of the attribute types and object classes defined by the ISO and ITU-T committees in the X.500 documents, in particular those intended for use by directory clients.

RFC 2307: An Approach for Using LDAP as a Network Information Service

Describes an experimental mechanism for mapping entities related to TCP/IP and the UNIX system into X.500 entries so that they may be resolved with the Lightweight Directory Access Protocol.

RFC 2377: Naming Plan for Internet Directory-Enabled Applications

Proposes a new directory naming plan that leverages the strengths of the most popular and successful Internet naming schemes for naming objects in a hierarchical directory.

RFC 2696: LDAP Control Extension for Simple Paged Results Manipulation

Allows a client to control the rate at which an LDAP server returns the results of an LDAP search operation.

RFC 2713: Schema for Representing Java(tm) Objects in an LDAP Directory

Defines a common way for applications to store and retrieve Java objects from the directory.

RFC 2714: Schema for Representing CORBA Object References in an LDAP Directory

Define a common way for applications to store and retrieve CORBA object references from the directory.

RFC 2739: Calendar Attributes for vCard and LDAP

Defines a mechanism to locate a user calendar and free/busy time using the LDAP protocol.

RFC 2798: Definition of the inetOrgPerson LDAP Object Class

Define an object class called inetOrgPerson for use in LDAP and X.500 directory services that extends the X.521 standard organizationalPerson class.

RFC 2829: Authentication Methods for LDAP

Specifies particular combinations of security mechanisms which are required and recommended in LDAP implementations.

RFC 2830: Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security

Defines the "Start Transport Layer Security (TLS) Operation" for LDAP.

RFC 2849: The LDAP Data Interchange Format (LDIF) - Technical Specification

Describes a file format suitable for describing directory information or modifications made to directory information.

RFC 2891: LDAP Control Extension for Server Side Sorting of Search Results

Describes two LDAPv3 control extensions for server-side sorting of search results.

RFC 2926: Conversion of LDAP Schemas to and from SLP Templates

Describes a procedure for mapping between Service Location Protocol service advertisements and lightweight directory access protocol descriptions of services.

RFC 3045: Storing Vendor Information in the LDAP root DSE

Specifies two Lightweight Directory Access Protocol attributes, vendorName and vendorVersion that MAY be included in the root DSA-specific Entry (DSE) to advertise vendor-specific information.

RFC 3062: LDAP Password Modify Extended Operation

Describes an LDAP extended operation to allow modification of user passwords which is not dependent upon the form of the authentication identity nor the password storage mechanism used.

RFC 3112: LDAP Authentication Password Schema

Describes schema in support of user/password authentication in a LDAP directory including the authPassword attribute type. This attribute type holds values derived from the user's password(s) (commonly using cryptographic strength one-way hash).

RFC 3296: Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories

Details schema and protocol elements for representing and managing named subordinate references in Lightweight Directory Access Protocol (LDAP) Directories.

RFC 3377: Lightweight Directory Access Protocol (v3): Technical Specification

Specifies the set of RFCs comprising the Lightweight Directory Access Protocol Version 3 (LDAPv3), and addresses the "IESG Note" attached to RFCs 2251 through 2256.

RFC 3383: Internet Assigned Numbers Authority (IANA) Considerations for the Lightweight Directory Access Protocol (LDAP)

Provides procedures for registering extensible elements of the Lightweight Directory Access Protocol (LDAP).

RFC 3546: Transport Layer Security (TLS) Extensions

Describes extensions that may be used to add functionality to Transport Layer Security.

RFC 3671: Collective Attributes in the Lightweight Directory Access Protocol (LDAP)

Summarizes the X.500 information model for collective attributes and describes use of collective attributes in LDAP.

RFC 3672: Subentries in the Lightweight Directory Access Protocol (LDAP)

Adapts X.500 subentries mechanisms for use with the Lightweight Directory Access Protocol (LDAP).

RFC 3673: Lightweight Directory Access Protocol version 3 (LDAPv3): All Operational Attributes

Describes an LDAP extension which clients may use to request the return of all operational attributes.

RFC 3674: Feature Discovery in Lightweight Directory Access Protocol (LDAP)

Introduces a general mechanism for discovery of elective features and extensions which cannot be discovered using existing mechanisms.

RFC 3712: Lightweight Directory Access Protocol (LDAP): Schema for Printer Services

Defines a schema, object classes and attributes, for printers and printer services, for use with directories that support Lightweight Directory Access Protocol v3 (LDAP).

RFC 3771: Lightweight Directory Access Protocol (LDAP) Intermediate Response Message

Defines and describes the IntermediateResponse message, a general mechanism for defining single-request/multiple-response operations in Lightweight Directory Access Protocol.

RFC 3829: Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls

Extends the Lightweight Directory Access Protocol bind operation with a mechanism for requesting and returning the authorization identity it establishes.

RFC 3876: Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3)

Describes a control for the Lightweight Directory Access Protocol version 3 that is used to return a subset of attribute values from an entry.

RFC 3909: Lightweight Directory Access Protocol (LDAP) Cancel Operation

Describes a Lightweight Directory Access Protocol extended operation to cancel (or abandon) an outstanding operation, with a response to indicate the outcome of the operation.

RFC 4346: The Transport Layer Security (TLS) Protocol Version 1.1

Specifies Version 1.1 of the Transport Layer Security protocol.

RFC 4370: Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control

Defines the Proxy Authorization Control, that allows a client to request that an operation be processed under a provided authorization identity instead of under the current authorization identity associated with the connection.

RFC 4403: Lightweight Directory Access Protocol (LDAP) Schema for Universal Description, Discovery, and Integration version 3 (UDDIv3)

Defines the Lightweight Directory Access Protocol schema for representing Universal Description, Discovery, and Integration data types in an LDAP directory.

RFC 4422: Simple Authentication and Security Layer (SASL)

Describes a framework for providing authentication and data security services in connection-oriented protocols via replaceable mechanisms.

RFC 4505: Anonymous Simple Authentication and Security Layer (SASL) Mechanism

Describes a new way to provide anonymous login is needed within the context of the Simple Authentication and Security Layer framework.

RFC 4510: Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map

Provides a road map of the LDAP Technical Specification.

RFC 4511: Lightweight Directory Access Protocol (LDAP): The Protocol

Describes the protocol elements, along with their semantics and encodings, of the Lightweight Directory Access Protocol.

RFC 4512: Lightweight Directory Access Protocol (LDAP): Directory Information Models

Describes the X.500 Directory Information Models as used in LDAP.

RFC 4513: Lightweight Directory Access Protocol (LDAP): Authentication Methods and Security Mechanisms

Describes authentication methods and security mechanisms of the Lightweight Directory Access Protocol.

RFC 4514: Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names

Defines the string representation used in the Lightweight Directory Access Protocol to transfer distinguished names.

RFC 4515: Lightweight Directory Access Protocol (LDAP): String Representation of Search Filters

Defines a human-readable string representation of LDAP search filters that is appropriate for use in LDAP URLs and in other applications.

RFC 4516: Lightweight Directory Access Protocol (LDAP): Uniform Resource Locator

Describes a format for a Lightweight Directory Access Protocol Uniform Resource Locator.

RFC 4517: Lightweight Directory Access Protocol (LDAP): Syntaxes and Matching Rules

Defines a base set of syntaxes and matching rules for use in defining attributes for LDAP directories.

RFC 4518: Lightweight Directory Access Protocol (LDAP): Internationalized String Preparation

Defines string preparation algorithms for character-based matching rules defined for use in LDAP.

RFC 4519: Lightweight Directory Access Protocol (LDAP): Schema for User Applications

Provides a technical specification of attribute types and object classes intended for use by LDAP directory clients for many directory services, such as White Pages.

RFC 4523: Lightweight Directory Access Protocol (LDAP) Schema Definitions for X.509 Certificates

Describes schema for representing X.509 certificates, X.521 security information, and related elements in directories accessible using the Lightweight Directory Access Protocol (LDAP).

RFC 4524: COSINE LDAP/X.500 Schema

Provides a collection of schema elements for use with the Lightweight Directory Access Protocol from the COSINE and Internet X.500 pilot projects.

RFC 4525: Lightweight Directory Access Protocol (LDAP) Modify-Increment Extension

Describes an extension to the Lightweight Directory Access Protocol Modify operation to support an increment capability.

RFC 4526: Lightweight Directory Access Protocol (LDAP) Absolute True and False Filters

Extends the Lightweight Directory Access Protocol to support absolute True and False filters based upon similar capabilities found in X.500 directory systems.

RFC 4527: Lightweight Directory Access Protocol (LDAP) Read Entry Controls

Specifies an extension to the Lightweight Directory Access Protocol to allow the client to read the target entry of an update operation.

RFC 4528: Lightweight Directory Access Protocol (LDAP) Assertion Control

Defines the Lightweight Directory Access Protocol Assertion Control, which allows a client to specify that a directory operation should only be processed if an assertion applied to the target entry of the operation is true.

RFC 4529: Requesting Attributes by Object Class in the Lightweight Directory Access Protocol (LDAP)

Extends LDAP to support a mechanism that LDAP clients may use to request the return of all attributes of an object class.

RFC 4530: Lightweight Directory Access Protocol (LDAP) entryUUID Operational Attribute

Describes the LDAP/X.500 'entryUUID' operational attribute and associated matching rules and syntax.

RFC 4532: Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation

Provides a mechanism for Lightweight Directory Access Protocol clients to obtain the authorization identity the server has associated with the user or application entity.

RFC 4616: The PLAIN Simple Authentication and Security Layer (SASL) Mechanism

Defines a simple cleartext user/password Simple Authentication and Security Layer mechanism called the PLAIN mechanism.

RFC 4634: US Secure Hash Algorithms (SHA and HMAC-SHA)

Specifies Secure Hash Algorithms, SHA-256, SHA-384, and SHA-512, for computing a condensed representation of a message or a data file.

RFC 4752: The Kerberos V5 ("GSSAPI") Simple Authentication and Security Layer (SASL) Mechanism

Describes the method for using the Generic Security Service Application Program Interface (GSS-API) Kerberos V5 in the Simple Authentication and Security Layer, called the GSSAPI mechanism.

RFC 4876: A Configuration Profile Schema for Lightweight Directory Access Protocol (LDAP)-Based Agents

Defines a schema for storing a profile for agents that make use of the Lightweight Directory Access protocol (LDAP).

RFC 5020: The Lightweight Directory Access Protocol (LDAP) entryDN Operational Attribute

Describes the Lightweight Directory Access Protocol (LDAP) / X.500 'entryDN' operational attribute, that provides a copy of the entry's distinguished name for use in attribute value assertions.

FIPS 180-1: Secure Hash Standard (SHA-1)

Specifies a Secure Hash Algorithm, SHA-1, for computing a condensed representation of a message or a data file.

FIPS 180-2: Secure Hash Standard (SHA-1, SHA-256, SHA-384, SHA-512)

Specifies four Secure Hash Algorithms for computing a condensed representation of electronic data.

DSMLv2: Directory Service Markup Language

Provides a method for expressing directory queries and updates as XML documents.

JavaScript Object Notation

A data-interchange format that aims to be both "easy for humans to read and write," and also "easy for machines to parse and generate."

Simple Cloud Identity Management: Core Schema 1.0

Platform neutral schema and extension model for representing users and groups in JSON and XML formats. DS supports the JSON formats.

Chapter 7. LDAP Controls

Controls provide a mechanism whereby the semantics and arguments of existing LDAP operations may be extended. One or more controls may be attached to a single LDAP message. A control only affects the semantics of the message it is attached to. Controls sent by clients are termed request controls, and those sent by servers are termed response controls.

DS software supports the following LDAP controls:

Account Usability Control

Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

Control originally provided by Sun Microsystems, used to determine whether a user account can be used to authenticate to the directory.

Assertion request control

Object Identifier: 1.3.6.1.1.12

RFC: RFC 4528 - Lightweight Directory Access Protocol (LDAP) Assertion Control

Authorization Identity request control

Object Identifier: 2.16.840.1.113730.3.4.16

RFC: RFC 3829 - Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls

Authorization Identity response control

Object Identifier: 2.16.840.1.113730.3.4.15

RFC: RFC 3829 - Lightweight Directory Access Protocol (LDAP) Authorization Identity Request and Response Controls

Entry Change Notification response control

Object Identifier: 2.16.840.1.113730.3.4.7

Internet-Draft: draft-ietf-ldapext-psearch - Persistent Search: A Simple LDAP Change Notification Mechanism

Get Effective Rights request control

Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

Internet-Draft: draft-ietf-ldapext-acl-model - Access Control Model for LDAPv3

Manage DSAIT request control

Object Identifier: 2.16.840.1.113730.3.4.2

RFC: RFC 3296 - Named Subordinate References in Lightweight Directory Access Protocol (LDAP) Directories

Matched Values request control

Object Identifier: 1.2.826.0.1.3344810.2.3

RFC: RFC 3876 - Returning Matched Values with the Lightweight Directory Access Protocol version 3 (LDAPv3)

No-Op Control

Object Identifier: 1.3.6.1.4.1.4203.1.10.2

Internet-Draft: draft-zeilenga-ldap-noop - LDAP No-Op Control

Password Expired response control

Object Identifier: 2.16.840.1.113730.3.4.4

Internet-Draft: draft-vchu-ldap-pwd-policy - Password Policy for LDAP Directories

Password Expiring response control

Object Identifier: 2.16.840.1.113730.3.4.5

Internet-Draft: draft-vchu-ldap-pwd-policy - Password Policy for LDAP Directories

Password Policy response control

Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

Internet-Draft: draft-behera-ldap-password-policy - Password Policy for LDAP Directories

Permissive Modify request control

Object Identifier: 1.2.840.113556.1.4.1413

Microsoft defined this control that, "Allows an LDAP modify to work under less restrictive conditions. Without it, a delete will fail if an attribute done not exist, and an add will fail if an attribute already exists. No data is needed in this control." (source of quote)

Persistent Search request control

Object Identifier: 2.16.840.1.113730.3.4.3

Internet-Draft: draft-ietf-ldapext-psearch - Persistent Search: A Simple LDAP Change Notification Mechanism

Post-Read request control

Object Identifier: 1.3.6.1.1.13.2

RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls

Post-Read response control

Object Identifier: 1.3.6.1.1.13.2

RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls

Pre-Read request control

Object Identifier: 1.3.6.1.1.13.1

RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls

Pre-Read response control

Object Identifier: 1.3.6.1.1.13.1

RFC: RFC 4527 - Lightweight Directory Access Protocol (LDAP) Read Entry Controls

Proxied Authorization v1 request control

Object Identifier: 2.16.840.1.113730.3.4.12

Internet-Draft: draft-weltman-ldapv3-proxy-04 - LDAP Proxied Authorization Control

Proxied Authorization v2 request control

Object Identifier: 2.16.840.1.113730.3.4.18

RFC: RFC 4370 - Lightweight Directory Access Protocol (LDAP) Proxied Authorization Control

Public Changelog Exchange Control

Object Identifier: 1.3.6.1.4.1.26027.1.5.4

DS specific, for using the bookmark cookie when reading the external change log.

Server-Side Sort request control

Object Identifier: 1.2.840.113556.1.4.473

RFC: RFC 2891 - LDAP Control Extension for Server Side Sorting of Search Results

Server-Side Sort response control

Object Identifier: 1.2.840.113556.1.4.474

RFC: RFC 2891 - LDAP Control Extension for Server Side Sorting of Search Results

Simple Paged Results Control

Object Identifier: 1.2.840.113556.1.4.319

RFC: RFC 2696 - LDAP Control Extension for Simple Paged Results Manipulation

Subentries request controls

Object Identifier: 1.3.6.1.4.1.4203.1.10.1

RFC: Subentries in the Lightweight Directory Access Protocol (LDAP)

Object Identifier: 1.3.6.1.4.1.7628.5.101.1

Internet-Draft: draft-ietf-ldup-subentry - LDAP Subentry Schema

Subtree Delete request control

Object Identifier: 1.2.840.113556.1.4.805

Internet-Draft: draft-armijo-ldap-treedelete - Tree Delete Control

Transaction ID control

Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

ForgeRock control that enables Common Audit to associate an ID with a request. The ID is recorded with audit events, and can be used to correlate and track user interactions as they traverse the components of the ForgeRock platform.

The control's value is the UTF-8 encoding of the transaction ID.

Virtual List View request control

Object Identifier: 2.16.840.1.113730.3.4.9

Internet-Draft: draft-ietf-ldapext-ldapv3-vlv - LDAP Extensions for Scrolling View Browsing of Search Results

Virtual List View response control

Object Identifier: 2.16.840.1.113730.3.4.10

Internet-Draft: draft-ietf-ldapext-ldapv3-vlv - LDAP Extensions for Scrolling View Browsing of Search Results

Chapter 8. LDAP Extended Operations

Extended operations allow additional operations to be defined for services not already available in the protocol

DS software supports the following LDAP extended operations:

Cancel Extended Request

Object Identifier: 1.3.6.1.1.8

RFC: RFC 3909 - Lightweight Directory Access Protocol (LDAP) Cancel Operation

Get Connection ID Extended Request

Object Identifier: 1.3.6.1.4.1.26027.1.6.2

DS extended operation to return the connection ID of the associated client connection. This extended operation is intended for DS internal use.

Password Modify Extended Request

Object Identifier: 1.3.6.1.4.1.4203.1.11.1

RFC: RFC 3062 - LDAP Password Modify Extended Operation

Password Policy State Extended Operation

Object Identifier: 1.3.6.1.4.1.26027.1.6.1

DS extended operation to query and update password policy state for a given user entry. This extended operation is intended for DS internal use.

Start Transport Layer Security Extended Request

Object Identifier: 1.3.6.1.4.1.1466.20037

RFC: RFC 4511 - Lightweight Directory Access Protocol (LDAP): The Protocol

Who am I? Extended Request

Object Identifier: 1.3.6.1.4.1.4203.1.11.3

RFC: RFC 4532 - Lightweight Directory Access Protocol (LDAP) "Who am I?" Operation

Chapter 9. Localization

DS software stores data in UTF-8 format. It enables you to store and to search for attribute values according to a variety of language specific locales. DS software is also itself localized for a smaller variety of languages.

9.1. DS Languages

DS 6 software is localized in the following languages:

French
German
Japanese
Simplified Chinese
Spanish

Note

Certain messages have also been translated into Catalan, Korean, Polish, and Traditional Chinese. Some error messages including messages labeled ERROR are provided only in English.

9.2. Directory Support For Locales and Language Subtypes

OpenDJ software supports the following locales with their associated language and country codes and their collation order object identifiers. Locale support depends on the Java Virtual Machine used at run time. The following list reflects all supported locales.

Supported Locales

Afrikaans

Code tag: af

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.1.1

Albanian

Code tag: sq

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.127.1

Amharic

Code tag: am

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.2.1

Arabic

Code tag: ar

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.3.1

Arabic (Algeria)

Code tag: ar-DZ

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.6.1

Arabic (Bahrain)

Code tag: ar-BH

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.5.1

Arabic (Egypt)

Code tag: ar-EG

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.7.1

Arabic (India)

Code tag: ar-IN

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.8.1

Arabic (Iraq)

Code tag: ar-IQ

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.9.1

Arabic (Jordan)

Code tag: ar-JO

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.10.1

Arabic (Kuwait)

Code tag: ar-KW

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.11.1

Arabic (Lebanon)

Code tag: ar-LB

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.12.1

Arabic (Libya)

Code tag: ar-LY

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.13.1

Arabic (Morocco)

Code tag: ar-MA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.14.1

Arabic (Oman)

Code tag: ar-OM

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.15.1

Arabic (Qatar)

Code tag: ar-QA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.16.1

Arabic (Saudi Arabia)

Code tag: ar-SA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.17.1

Arabic (Sudan)

Code tag: ar-SD

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.18.1

Arabic (Syria)

Code tag: ar-SY

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.19.1

Arabic (Tunisia)

Code tag: ar-TN

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.20.1

Arabic (United Arab Emirates)

Code tag: ar-AE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.4.1

Arabic (Yemen)

Code tag: ar-YE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.21.1

Armenian

Code tag: hy

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.89.1

Basque

Code tag: eu

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.70.1

Belarusian

Code tag: be

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.22.1

Bengali

Code tag: bn

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.24.1

Bulgarian

Code tag: bg

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.23.1

Catalan

Code tag: ca

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.25.1

Chinese

Code tag: zh

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.143.1

Chinese (China)

Code tag: zh-CN

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.144.1

Chinese (Hong Kong)

Code tag: zh-HK

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.145.1

Chinese (Macao)

Code tag: zh-MO

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.146.1

Chinese (Singapore)

Code tag: zh-SG

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.147.1

Chinese (Taiwan)

Code tag: zh-TW

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.148.1

Cornish

Code tag: kw

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.99.1

Croatian

Code tag: hr

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.87.1

Czech

Code tag: cs

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.26.1

Danish

Code tag: da

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.27.1

Dutch

Code tag: nl

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.105.1

Dutch (Belgium)

Code tag: nl-BE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.106.1

Dutch (Netherlands)

Code tag: nl-NL

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.105.1

English

Code tag: en

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.34.1

English (Australia)

Code tag: en-AU

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.35.1

English (Canada)

Code tag: en-CA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.36.1

English (Hong Kong)

Code tag: en-HK

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.38.1

English (India)

Code tag: en-IN

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.40.1

English (Ireland)

Code tag: en-IE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.39.1

English (Malta)

Code tag: en-MT

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.41.1

English (New Zealand)

Code tag: en-NZ

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.42.1

English (Philippines)

Code tag: en-PH

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.43.1

English (Singapore)

Code tag: en-SG

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.44.1

English (South Africa)

Code tag: en-ZA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.46.1

English (U.S. Virgin Islands)

Code tag: en-VI

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.45.1

English (United Kingdom)

Code tag: en-GB

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.37.1

English (United States)

Code tag: en-US

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.34.1

English (Zimbabwe)

Code tag: en-ZW

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.47.1

Esperanto

Code tag: eo

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.48.1

Estonian

Code tag: et

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.69.1

Faroese

Code tag: fo

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.75.1

Finnish

Code tag: fi

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.74.1

French

Code tag: fr

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.76.1

French (Belgium)

Code tag: fr-BE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.77.1

French (Canada)

Code tag: fr-CA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.78.1

French (France)

Code tag: fr-FR

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.76.1

French (Luxembourg)

Code tag: fr-LU

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.80.1

French (Switzerland)

Code tag: fr-CH

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.79.1

Gallegan

Code tag: gl

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.82.1

German

Code tag: de

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.28.1

German (Austria)

Code tag: de-AT

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.29.1

German (Belgium)

Code tag: de-BE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.30.1

German (Germany)

Code tag: de-DE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.28.1

German (Luxembourg)

Code tag: de-LU

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.32.1

German (Switzerland)

Code tag: de-CH

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.31.1

Greek

Code tag: el

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.33.1

Greenlandic

Code tag: kl

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.95.1

Gujarati

Code tag: gu

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.83.1

Hebrew

Code tag: iw

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.85.1

Hindi

Code tag: hi

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.86.1

Hungarian

Code tag: hu

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.88.1

Icelandic

Code tag: is

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.91.1

Indonesian

Code tag: in

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.90.1

Irish

Code tag: ga

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.81.1

Italian

Code tag: it

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.92.1

Italian (Switzerland)

Code tag: it-CH

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.93.1

Japanese

Code tag: ja

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.94.1

Kannada

Code tag: kn

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.96.1

Konkani

Code tag: kok

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.98.1

Korean

Code tag: ko

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.97.1

Latvian

Code tag: lv

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.101.1

Lithuanian

Code tag: lt

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.100.1

Macedonian

Code tag: mk

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.102.1

Maltese

Code tag: mt

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.104.1

Manx

Code tag: gv

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.84.1

Marathi

Code tag: mr

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.103.1

Norwegian

Code tag: no

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.107.1

Norwegian (Norway)

Code tag: no-NO-NY

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.108.1

Norwegian Bokmål

Code tag: nb

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.110.1

Norwegian Nynorsk

Code tag: nn

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.109.1

Oromo

Code tag: om

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.111.1

Oromo (Ethiopia)

Code tag: om-ET

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.112.1

Oromo (Kenya)

Code tag: om-KE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.113.1

Persian

Code tag: fa

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.71.1

Persian (India)

Code tag: fa-IN

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.72.1

Persian (Iran)

Code tag: fa-IR

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.73.1

Polish

Code tag: pl

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.114.1

Portuguese

Code tag: pt

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.115.1

Portuguese (Brazil)

Code tag: pt-BR

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.116.1

Portuguese (Portugal)

Code tag: pt-PT

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.115.1

Romanian

Code tag: ro

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.117.1

Russian

Code tag: ru

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.118.1

Russian (Russia)

Code tag: ru-RU

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.118.1

Russian (Ukraine)

Code tag: ru-UA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.119.1

Serbian

Code tag: sr

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.128.1

Serbo-Croatian

Code tag: sh

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.120.1

Slovak

Code tag: sk

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.121.1

Slovenian

Code tag: sl

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.122.1

Somali

Code tag: so

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.123.1

Somali (Djibouti)

Code tag: so-DJ

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.124.1

Somali (Ethiopia)

Code tag: so-ET

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.125.1

Somali (Kenya)

Code tag: so-KE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.126.1

Somali (Somalia)

Code tag: so-SO

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.123.1

Spanish

Code tag: es

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.49.1

Spanish (Argentina)

Code tag: es-AR

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.50.1

Spanish (Bolivia)

Code tag: es-BO

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.51.1

Spanish (Chile)

Code tag: es-CL

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.52.1

Spanish (Colombia)

Code tag: es-CO

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.53.1

Spanish (Costa Rica)

Code tag: es-CR

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.54.1

Spanish (Dominican Republic)

Code tag: es-DO

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.55.1

Spanish (Ecuador)

Code tag: es-EC

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.56.1

Spanish (El Salvador)

Code tag: es-SV

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.65.1

Spanish (Guatemala)

Code tag: es-GT

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.57.1

Spanish (Honduras)

Code tag: es-HN

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.58.1

Spanish (Mexico)

Code tag: es-MX

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.59.1

Spanish (Nicaragua)

Code tag: es-NI

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.60.1

Spanish (Panama)

Code tag: es-PA

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.61.1

Spanish (Paraguay)

Code tag: es-PY

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.64.1

Spanish (Peru)

Code tag: es-PE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.62.1

Spanish (Puerto Rico)

Code tag: es-PR

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.63.1

Spanish (Spain)

Code tag: es-ES

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.49.1

Spanish (United States)

Code tag: es-US

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.66.1

Spanish (Uruguay)

Code tag: es-UY

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.67.1

Spanish (Venezuela)

Code tag: es-VE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.68.1

Swahili

Code tag: sw

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.131.1

Swahili (Kenya)

Code tag: sw-KE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.132.1

Swahili (Tanzania)

Code tag: sw-TZ

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.133.1

Swedish

Code tag: sv

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.129.1

Swedish (Finland)

Code tag: sv-FI

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.130.1

Swedish (Sweden)

Code tag: sv-SE

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.129.1

Tamil

Code tag: ta

Collation order object identifier: 1 3 1.3.6.1.4.1.42.2.27.9.4.134.1

Telugu

Code tag: te

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.135.1

Thai

Code tag: th

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.136.1

Tigrinya

Code tag: ti

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.137.1

Tigrinya (Eritrea)

Code tag: ti-ER

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.138.1

Tigrinya (Ethiopia)

Code tag: ti-ET

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.139.1

Turkish

Code tag: tr

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.140.1

Ukrainian

Code tag: uk

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.141.1

Vietnamese

Code tag: vi

Collation order object identifier: 1.3.6.1.4.1.42.2.27.9.4.142.1

Supported Language Subtypes

Afrikaans, af
Albanian, sq
Amharic, am
Arabic, ar
Armenian, hy
Basque, eu
Belarusian, be
Bengali, bn
Bulgarian, bg
Catalan, ca
Chinese, zh
Cornish, kw
Croatian, hr
Czech, cs
Danish, da
Dutch, nl
English, en
Esperanto, eo
Estonian, et
Faroese, fo
Finnish, fi
French, fr
Gallegan, gl
German, de
Greek, el
Greenlandic, kl
Gujarati, gu
Hebrew, iw
Hindi, hi
Hungarian, hu
Icelandic, is
Indonesian, in
Irish, ga
Italian, it
Japanese, ja
Kannada, kn
Konkani, kok
Korean, ko
Latvian, lv
Lithuanian, lt
Macedonian, mk
Maltese, mt
Manx, gv
Marathi, mr
Norwegian, no
Norwegian Bokmål, nb
Norwegian Nynorsk, nn
Oromo, om
Persian, fa
Polish, pl
Portuguese, pt
Romanian, ro
Russian, ru
Serbian, sr
Serbo-Croatian, sh
Slovak, sk
Slovenian, sl
Somali, so
Spanish, es
Swahili, sw
Swedish, sv
Tamil, ta
Telugu, te
Thai, th
Tigrinya, ti
Turkish, tr
Ukrainian, uk
Vietnamese, vi

Chapter 10. Monitoring Metrics

DS server software exposes the monitoring metrics described in this chapter.

10.1. Metric Types

The following table describes the monitoring metrics that are available in each interface:

Type	Description
Counter	Cumulative metric for a numerical value that only increases.
Gauge	Metric for a numerical value that can increase or decrease.
Summary	Metric that samples observations, providing a count of observations, sum total of observed amounts, average rate of events, and moving average rates across sliding time windows. Common REST and LDAP views show summaries as JSON objects. JSON summaries have the following fields: { "count": number, // Events recorded for this metric "total": number, // Sum of the amounts of events recorded for this metric "mean_rate": number, // Average rate "m1_rate": number, // One-minute average rate "m5_rate": number, // Five-minute average rate "m15_rate": number, // Fifteen-minute average rate } The Prometheus view does not provide time-based statistics, as rates can be calculated from the time-series data. Instead, the Prometheus view includes summary metrics whose names have the following suffixes or labels: `_count`: number of events recorded `_total`: sum of the amounts of events recorded `{quantile="0.5"}`: 50% at or below this value `{quantile="0.75"}`: 75% at or below this value `{quantile="0.95"}`: 95% at or below this value `{quantile="0.98"}`: 98% at or below this value `{quantile="0.99"}`: 99% at or below this value `{quantile="0.999"}`: 99.9% at or below this value
Timer	Metric combining a summary with other statistics. Common REST and LDAP views show summaries as JSON objects. JSON summaries have the following fields: { "count": number, // Events recorded for this metric "total": number, // Sum of the durations of events recorded for this metric "mean_rate": number, // Average rate "m1_rate": number, // One-minute average rate "m5_rate": number, // Five-minute average rate "m15_rate": number, // Fifteen-minute average rate "mean": number, // Total/count, or 0 if count is 0 "min": number, // Minimum duration recorded "max": number, // Maximum duration recorded "stddev": number, // Standard deviation of recorded durations "p50": number, // 50% at or below this value "p75": number, // 75% at or below this value "p95": number, // 95% at or below this value "p98": number, // 98% at or below this value "p99": number, // 99% at or below this value "p999": number, // 99.9% at or below this value "p9999": number, // 99.99% at or below this value "p99999": number //99.999% at or below this value } The Prometheus view does not provide time-based statistics. Rates can be calculated from the time-series data.

Some LDAP monitoring attributes use other syntaxes beyond the types described in this section. LDAP syntaxes are detailed in the LDAP Schema Reference.

10.2. LDAP Metrics

This section lists available LDAP metrics by name, indicating their types as described in "Metric Types".

LDAP metrics are exposed as LDAP attributes on entries under cn=monitor. Metrics entry object class names start with ds-monitor. Metrics attribute names start with ds-mon. The LDAP Schema Reference describes object classes, attribute types, and syntaxes.

LDAP Metrics by Name

Name	Syntax	Description
`ds-mon-abandoned-requests`	Counter metric	Total number of abandoned operations since startup
`ds-mon-active-connections-count`	Integer	Number of active client connections
`ds-mon-active-persistent-searches`	Integer	Number of active persistent searches
`ds-mon-approx-oldest-change-not-synchronized`	Generalized Time	Approximate date and time of the oldest change not yet synchronized
`ds-mon-approximate-delay`	Duration in milli-seconds	Approximate delay between this server and the connected replica
`ds-mon-assured-sd-acknowledged-updates`	Counter metric	Number of updates sent in the safe-data mode of assured replication that have been successfully acknowledged
`ds-mon-assured-sd-received-updates-timeout`	Counter metric	Number of updates received in the safe-data mode of assured replication that timed out
`ds-mon-assured-sd-received-updates`	Integer	Number of updates received in the safe-data mode of assured replication
`ds-mon-assured-sd-sent-updates-timeout`	Counter metric	Number of updates sent in the safe-data mode of assured replication that timed out
`ds-mon-assured-sd-sent-updates`	Counter metric	Number of updates sent in the safe-data mode of assured replication
`ds-mon-assured-sd-server-timeout-updates`	Json	Number of updates sent to other servers in the safe-data mode of assured replication that have not been acknowledged successfully due to timeout
`ds-mon-assured-sd-timeout-updates`	Counter metric	Number of updates sent in the safe-data mode of assured replication that have not been successfully acknowledged because of timeout
`ds-mon-assured-sr-acknowledged-updates`	Counter metric	Number of updates sent in the safe-read mode of assured replication that this server acknowledged successfully
`ds-mon-assured-sr-not-acknowledged-updates`	Counter metric	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully (due to timeout, incorrect status, or error during replay)
`ds-mon-assured-sr-received-updates-acked`	Counter metric	Number of updates received in the safe-read mode of assured replication that this server acknowledged without errors
`ds-mon-assured-sr-received-updates-not-acked`	Counter metric	Number of updates received in the safe-read mode of assured replication that this server acknowledged with errors
`ds-mon-assured-sr-received-updates-timeout`	Counter metric	Number of updates received in the safe-read mode of assured replication that timed out
`ds-mon-assured-sr-received-updates`	Counter metric	Number of updates received in the safe-read mode of assured replication
`ds-mon-assured-sr-replay-error-updates`	Counter metric	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully due to replay errors
`ds-mon-assured-sr-sent-updates-timeout`	Counter metric	Number of updates sent in the safe-read mode of assured replication that timed out
`ds-mon-assured-sr-sent-updates`	Counter metric	Number of updates sent in the safe-read mode of assured replication
`ds-mon-assured-sr-server-not-acknowledged-updates`	Json	Number of updates sent to other servers in the safe-read mode of assured replication that have not been acknowledged successfully (due to timeout, incorrect status, or error during replay)
`ds-mon-assured-sr-timeout-updates`	Counter metric	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully due to timeout
`ds-mon-assured-sr-wrong-status-updates`	Counter metric	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully due to incorrect status
`ds-mon-backend-degraded-index-count`	Integer	Number of degraded indexes in the backend
`ds-mon-backend-degraded-index`	Directory String	Backend degraded index
`ds-mon-backend-entry-count`	Integer	Number of entries contained in the backend
`ds-mon-backend-filter-use-indexed`	Integer	Number of indexed searches performed against the backend
`ds-mon-backend-filter-use-start-time`	Generalized Time	Time when recording started for statistical information about the simple search filters processed against the backend
`ds-mon-backend-filter-use-unindexed`	Integer	Number of unindexed searches performed against the backend
`ds-mon-backend-filter-use`	Json	Information about the simple search filter processed against the backend
`ds-mon-backend-is-private`	Boolean	Whether the base DNs of this backend should be considered public or private
`ds-mon-backend-proxy-base-dn`	DN	Base DNs routed to remote LDAP servers by the proxy backend
`ds-mon-backend-proxy-partition`	Summary metric	Remote LDAP servers that the proxy backend forwards requests to
`ds-mon-backend-ttl-entries-deleted`	Summary metric	Summary for entries purged by time-to-live
`ds-mon-backend-ttl-is-running`	Boolean	Indicates whether time-to-live is in the process of purging expired entries
`ds-mon-backend-ttl-last-run-time`	Generalized Time	Last date and time when time-to-live finished purging expired entries
`ds-mon-backend-ttl-queue-size`	Integer	Number of entries queued for purging by the time-to-live service
`ds-mon-backend-ttl-thread-count`	Integer	Number of active time-to-live threads
`ds-mon-backend-writability-mode`	Directory String	Current backend behavior when processing write operations, can either be "disabled", "enabled" or "internal-only"
`ds-mon-base-dn-entry-count`	Integer	Number of subordinate entries of the base DN, including the base DN
`ds-mon-base-dn`	DN	Base DN handled by a backend
`ds-mon-build-number`	Integer	Build number of the Directory Server
`ds-mon-build-time`	Generalized Time	Build date and time of the Directory Server
`ds-mon-bytes-read`	Summary metric	Network bytes read summary
`ds-mon-bytes-written`	Summary metric	Network bytes written summary
`ds-mon-cache-entry-count`	Integer	Current number of entries held in this cache
`ds-mon-cache-max-entry-count`	Integer	Maximum number of entries allowed in this cache
`ds-mon-cache-max-size-bytes`	Size in bytes	Memory limit for this cache
`ds-mon-cache-misses`	Summary metric	Number of attempts to retrieve an entry that was not held in this cache
`ds-mon-cache-total-tries`	Summary metric	Number of attempts to retrieve an entry from this cache
`ds-mon-certificate-expires-at`	Generalized Time	Certificate expiration date and time
`ds-mon-certificate-issuer-dn`	DN	Certificate issuer DN
`ds-mon-certificate-serial-number`	Integer	Certificate serial number
`ds-mon-certificate-subject-dn`	DN	Certificate subject DN
`ds-mon-compact-version`	Directory String	Compact version of the Directory Server
`ds-mon-config-dn`	DN	DN of the configuration entry
`ds-mon-connected-to-server-hostport`	Host port	Host and replication port of the server that this server is connected to
`ds-mon-connected-to-server-id`	Integer	Identifier of the server that this server is connected to
`ds-mon-connection`	Json	Client connection summary information
`ds-mon-connections`	Summary metric	Connection summary
`ds-mon-current-connections`	Integer	Number of client connections currently established with the Directory Server
`ds-mon-current-delay`	Duration in milli-seconds	Current local delay in replaying replicated operations
`ds-mon-current-receive-window`	Integer	Current replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds-mon-current-send-window`	Integer	Current replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds-mon-current-time`	Generalized Time	Current date and time
`ds-mon-db-cache-evict-internal-nodes-count`	Integer	Number of internal nodes evicted from the database cache
`ds-mon-db-cache-evict-leaf-nodes-count`	Integer	Number of leaf nodes (data records) evicted from the database cache
`ds-mon-db-cache-misses-internal-nodes`	Integer	Number of internal nodes requested by btree operations that were not in the database cache
`ds-mon-db-cache-misses-leaf-nodes`	Integer	Number of leaf nodes (data records) requested by btree operations that were not in the database cache
`ds-mon-db-cache-size-active`	Size in bytes	Size of the database cache
`ds-mon-db-cache-total-tries-internal-nodes`	Integer	Number of internal nodes requested by btree operations
`ds-mon-db-cache-total-tries-leaf-nodes`	Integer	Number of leaf nodes (data records) requested by btree operations
`ds-mon-db-checkpoint-count`	Integer	Number of checkpoints run so far
`ds-mon-db-log-cleaner-file-deletion-count`	Integer	Number of cleaner file deletions
`ds-mon-db-log-files-open`	Integer	Number of files currently open in the database file cache
`ds-mon-db-log-files-opened`	Integer	Number of times a log file has been opened
`ds-mon-db-log-size-active`	Size in bytes	Bytes used by all active data files (files required for basic database operation)
`ds-mon-db-log-size-total`	Size in bytes	Size used by all data files on disk
`ds-mon-db-log-utilization-max`	Integer	Current maximum (upper bound) log utilization as a percentage
`ds-mon-db-log-utilization-min`	Integer	Current minimum (lower bound) log utilization as a percentage
`ds-mon-db-version`	Directory String	Database version used by the backend
`ds-mon-disk-dir`	Filesystem path	A monitored directory containing data that may change over time
`ds-mon-disk-free`	Size in bytes	Amount of free disk space
`ds-mon-disk-full-threshold`	Size in bytes	Effective full disk space threshold
`ds-mon-disk-low-threshold`	Size in bytes	Effective low disk space threshold
`ds-mon-disk-root`	Filesystem path	Monitored disk root
`ds-mon-disk-state`	Directory String	Current disk state, can be either "normal", "low" or "full"
`ds-mon-domain-generation-id`	Integer	Replication domain generation identifier
`ds-mon-domain-name`	DN	Replication domain name
`ds-mon-entries-awaiting-updates-count`	Duration in milli-seconds	Number of entries for which an update operation has been received but not replayed yet by this replica
`ds-mon-fix-ids`	Directory String	IDs of issues that have been fixed in this Directory Server build
`ds-mon-full-version`	Directory String	Full version of the Directory Server
`ds-mon-install-path`	Filesystem path	Directory Server root installation path
`ds-mon-instance-path`	Filesystem path	Directory Server instance path
`ds-mon-jvm-architecture`	Directory String	Java virtual machine architecture (e.g. 32-bit, 64-bit)
`ds-mon-jvm-arguments`	Directory String	Input arguments passed to the Java virtual machine
`ds-mon-jvm-available-cpus`	Integer	Number of processors available to the Java virtual machine
`ds-mon-jvm-class-path`	Filesystem path	Path used to find directories and JAR archives containing Java class files
`ds-mon-jvm-classes-loaded`	Integer	Number of classes loaded since the Java virtual machine started
`ds-mon-jvm-classes-unloaded`	Integer	Number of classes unloaded since the Java virtual machine started
`ds-mon-jvm-garbage-collector-concurrent-mark-sweep-count`	Integer	Number of collections performed by the "concurrent mark sweep" garbage collection algorithm
`ds-mon-jvm-garbage-collector-concurrent-mark-sweep-time`	Duration in milli-seconds	Approximate accumulated time taken by the "concurrent mark sweep" garbage collection algorithm
`ds-mon-jvm-garbage-collector-copy-count`	Integer	Number of collections performed by the "copy" garbage collection algorithm
`ds-mon-jvm-garbage-collector-copy-time`	Duration in milli-seconds	Approximate accumulated time taken by the "copy" garbage collection algorithm
`ds-mon-jvm-garbage-collector-g1-old-generation-count`	Integer	Number of collections performed by the "g1 old generation" garbage collection algorithm
`ds-mon-jvm-garbage-collector-g1-old-generation-time`	Duration in milli-seconds	Approximate accumulated time taken by the "g1 old generation" garbage collection algorithm
`ds-mon-jvm-garbage-collector-g1-young-generation-count`	Integer	Number of collections performed by the "g1 young generation" garbage collection algorithm
`ds-mon-jvm-garbage-collector-g1-young-generation-time`	Duration in milli-seconds	Approximate accumulated time taken by the "g1 young generation" garbage collection algorithm
`ds-mon-jvm-garbage-collector-mark-sweep-compact-count`	Integer	Number of collections performed by the "mark sweep compact" garbage collection algorithm
`ds-mon-jvm-garbage-collector-mark-sweep-compact-time`	Duration in milli-seconds	Approximate accumulated time taken by the "mark sweep compact" garbage collection algorithm
`ds-mon-jvm-garbage-collector-par-new-count`	Integer	Number of collections performed by the "par new" garbage collection algorithm
`ds-mon-jvm-garbage-collector-par-new-time`	Duration in milli-seconds	Approximate accumulated time taken by the "par new" garbage collection algorithm
`ds-mon-jvm-garbage-collector-ps-mark-sweep-count`	Integer	Number of collections performed by the "parallel scavenge mark sweep" garbage collection algorithm
`ds-mon-jvm-garbage-collector-ps-mark-sweep-time`	Duration in milli-seconds	Approximate accumulated time taken by the "parallel scavenge mark sweep" garbage collection algorithm
`ds-mon-jvm-garbage-collector-ps-scavenge-count`	Integer	Number of collections performed by the "parallel scavenge" garbage collection algorithm
`ds-mon-jvm-garbage-collector-ps-scavenge-time`	Duration in milli-seconds	Approximate accumulated time taken by the "parallel scavenge" garbage collection algorithm
`ds-mon-jvm-java-home`	Filesystem path	Installation directory for Java runtime environment (JRE)
`ds-mon-jvm-java-vendor`	Directory String	Java runtime environment (JRE) vendor
`ds-mon-jvm-java-version`	Directory String	Java runtime environment (JRE) version
`ds-mon-jvm-memory-heap-init`	Size in bytes	Amount of heap memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-heap-max`	Size in bytes	Maximum amount of heap memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-heap-reserved`	Size in bytes	Amount of heap memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-heap-used`	Size in bytes	Amount of heap memory used by the Java virtual machine
`ds-mon-jvm-memory-init`	Size in bytes	Amount of memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-max`	Size in bytes	Maximum amount of memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-non-heap-init`	Size in bytes	Amount of non-heap memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-non-heap-max`	Size in bytes	Maximum amount of non-heap memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-non-heap-reserved`	Size in bytes	Amount of non-heap memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-non-heap-used`	Size in bytes	Amount of non-heap memory used by the Java virtual machine
`ds-mon-jvm-memory-pools-code-cache-init`	Size in bytes	Amount of "code cache" memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-pools-code-cache-max`	Size in bytes	Maximum amount of "code cache" memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-pools-code-cache-reserved`	Size in bytes	Amount of "code cache" memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-pools-code-cache-used`	Size in bytes	Amount of "code cache" memory used by the Java virtual machine
`ds-mon-jvm-memory-pools-compressed-class-space-init`	Size in bytes	Amount of "compressed class space" memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-pools-compressed-class-space-max`	Size in bytes	Maximum amount of "compressed class space" memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-pools-compressed-class-space-reserved`	Size in bytes	Amount of "compressed class space" memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-pools-compressed-class-space-used`	Size in bytes	Amount of "compressed class space" memory used by the Java virtual machine
`ds-mon-jvm-memory-pools-metaspace-init`	Size in bytes	Amount of "metaspace" memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-pools-metaspace-max`	Size in bytes	Maximum amount of "metaspace" memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-pools-metaspace-reserved`	Size in bytes	Amount of "metaspace" memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-pools-metaspace-used`	Size in bytes	Amount of "metaspace" memory used by the Java virtual machine
`ds-mon-jvm-memory-pools-ps-eden-space-init`	Size in bytes	Amount of "parallel scavenge eden space" memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-pools-ps-eden-space-max`	Size in bytes	Maximum amount of "parallel scavenge eden space" memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-pools-ps-eden-space-reserved`	Size in bytes	Amount of "parallel scavenge eden space" memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-pools-ps-eden-space-used-after-gc`	Size in bytes	Amount of "parallel scavenge eden space" memory after the last time garbage collection recycled unused objects in this memory pool
`ds-mon-jvm-memory-pools-ps-eden-space-used`	Size in bytes	Amount of "parallel scavenge eden space" memory used by the Java virtual machine
`ds-mon-jvm-memory-pools-ps-old-gen-init`	Size in bytes	Amount of "parallel scavenge old generation" memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-pools-ps-old-gen-max`	Size in bytes	Maximum amount of "parallel scavenge old generation" memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-pools-ps-old-gen-reserved`	Size in bytes	Amount of "parallel scavenge old generation" memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-pools-ps-old-gen-used-after-gc`	Size in bytes	Amount of "parallel scavenge old generation" memory after the last time garbage collection recycled unused objects in this memory pool
`ds-mon-jvm-memory-pools-ps-old-gen-used`	Size in bytes	Amount of "parallel scavenge old generation" memory used by the Java virtual machine
`ds-mon-jvm-memory-pools-ps-survivor-space-init`	Size in bytes	Amount of "parallel scavenge survivor space" memory that the Java virtual machine initially requested from the operating system
`ds-mon-jvm-memory-pools-ps-survivor-space-max`	Size in bytes	Maximum amount of "parallel scavenge survivor space" memory that the Java virtual machine will attempt to use
`ds-mon-jvm-memory-pools-ps-survivor-space-reserved`	Size in bytes	Amount of "parallel scavenge survivor space" memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-pools-ps-survivor-space-used-after-gc`	Size in bytes	Amount of "parallel scavenge survivor space" memory after the last time garbage collection recycled unused objects in this memory pool
`ds-mon-jvm-memory-pools-ps-survivor-space-used`	Size in bytes	Amount of "parallel scavenge survivor space" memory used by the Java virtual machine
`ds-mon-jvm-memory-reserved`	Size in bytes	Amount of memory that is committed for the Java virtual machine to use
`ds-mon-jvm-memory-used`	Size in bytes	Amount of memory used by the Java virtual machine
`ds-mon-jvm-supported-tls-ciphers`	Directory String	Transport Layer Security (TLS) cipher suites supported by this Directory Server
`ds-mon-jvm-supported-tls-protocols`	Directory String	Transport Layer Security (TLS) protocols supported by this Directory Server
`ds-mon-jvm-threads-blocked-count`	Integer	Number of threads in the BLOCKED state
`ds-mon-jvm-threads-count`	Integer	Number of live threads including both daemon and non-daemon threads
`ds-mon-jvm-threads-daemon-count`	Integer	Number of live daemon threads
`ds-mon-jvm-threads-deadlock-count`	Integer	Number of deadlocked threads
`ds-mon-jvm-threads-deadlocks`	Directory String	Diagnostic stack traces for deadlocked threads
`ds-mon-jvm-threads-new-count`	Integer	Number of threads in the NEW state
`ds-mon-jvm-threads-runnable-count`	Integer	Number of threads in the RUNNABLE state
`ds-mon-jvm-threads-terminated-count`	Integer	Number of threads in the TERMINATED state
`ds-mon-jvm-threads-timed-waiting-count`	Integer	Number of threads in the TIMED_WAITING state
`ds-mon-jvm-threads-waiting-count`	Integer	Number of threads in the WAITING state
`ds-mon-jvm-vendor`	Directory String	Java virtual machine vendor
`ds-mon-jvm-version`	Directory String	Java virtual machine version
`ds-mon-listen-address`	Directory String	Host and port
`ds-mon-lost-connections`	Duration in milli-seconds	Number of times the replica lost its connection to the replication server
`ds-mon-major-version`	Integer	Major version number of the Directory Server
`ds-mon-max-connections`	Integer	Maximum number of simultaneous client connections that have been established with the Directory Server
`ds-mon-max-receive-window`	Integer	Maximum replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds-mon-max-send-window`	Integer	Maximum replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds-mon-minor-version`	Integer	Minor version number of the Directory Server
`ds-mon-missing-changes`	Integer	Missing changes for replication
`ds-mon-newest-change-number`	Integer	Newest change number present in the change number index database
`ds-mon-newest-csn-timestamp`	Generalized Time	Timestamp of the newest CSN present in the replica database
`ds-mon-newest-csn`	CSN (Change Sequence Number)	Newest CSN present in the replica database
`ds-mon-oldest-change-number`	Integer	Oldest change number present in the change number index database
`ds-mon-oldest-csn-timestamp`	Generalized Time	Timestamp of the oldest CSN present in the replica database
`ds-mon-oldest-csn`	CSN (Change Sequence Number)	Oldest CSN present in the replica database
`ds-mon-os-architecture`	Directory String	Operating system architecture
`ds-mon-os-name`	Directory String	Operating system name
`ds-mon-os-version`	Directory String	Operating system version
`ds-mon-point-version`	Integer	Point version number of the Directory Server
`ds-mon-product-name`	Directory String	Full name of the Directory Server
`ds-mon-protocol`	Directory String	Network protocol
`ds-mon-replayed-updates-conflicts-resolved`	Counter metric	Number of updates replayed on this replica for which replication naming conflicts have been resolved
`ds-mon-replayed-updates-conflicts-unresolved`	Counter metric	Number of updates replayed on this replica for which replication naming conflicts have not been resolved
`ds-mon-replayed-updates`	Timer metric	Timer for updates that have been replayed on this replica
`ds-mon-requests-abandon`	Timer metric	Abandon request timer
`ds-mon-requests-add`	Timer metric	Add request timer
`ds-mon-requests-bind`	Timer metric	Bind request timer
`ds-mon-requests-compare`	Timer metric	Compare request timer
`ds-mon-requests-delete`	Timer metric	Delete request timer
`ds-mon-requests-extended`	Timer metric	Extended request timer
`ds-mon-requests-failure-client-invalid-request`	Timer metric	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds-mon-requests-failure-client-redirect`	Timer metric	Timer for requests that could not complete because further action is required (associated HTTP status codes: redirection (3xx))
`ds-mon-requests-failure-client-referral`	Timer metric	Timer for requests that failed because the server did not hold the request targeted entry (but was able to provide alternative servers that may) (associated LDAP result code: 10)
`ds-mon-requests-failure-client-resource-limit`	Timer metric	Timer for requests that failed because they were trying to exceed the resource limits allocated to the associated clients (associated LDAP result codes: time, size and admin limit exceeded (respectively 4, 5 and 11)
`ds-mon-requests-failure-client-security`	Timer metric	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds-mon-requests-failure-server`	Timer metric	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds-mon-requests-failure-uncategorized`	Timer metric	Timer for requests that failed due to uncategorized reasons
`ds-mon-requests-get`	Timer metric	GET request timer
`ds-mon-requests-in-queue`	Integer	Number of requests in the work queue that have not yet been picked up for processing
`ds-mon-requests-modify-dn`	Timer metric	Modify DN request timer
`ds-mon-requests-modify`	Timer metric	Modify request timer
`ds-mon-requests-patch`	Timer metric	PATCH request timer
`ds-mon-requests-post`	Timer metric	POST request timer
`ds-mon-requests-put`	Timer metric	PUT request timer
`ds-mon-requests-rejected-queue-full`	Summary metric	Summary for operations that have been rejected because the work queue was already at its maximum capacity
`ds-mon-requests-search-base`	Timer metric	Base object search request timer
`ds-mon-requests-search-one`	Timer metric	One level search request timer
`ds-mon-requests-search-sub`	Timer metric	Subtree search request timer
`ds-mon-requests-submitted`	Summary metric	Summary for operations that have been successfully submitted to the work queue
`ds-mon-requests-unbind`	Timer metric	Unbind request timer
`ds-mon-requests-uncategorized`	Timer metric	Uncategorized request timer
`ds-mon-revision`	Directory String	Revision ID in the source repository from which the Directory Server is build
`ds-mon-sent-updates`	Counter metric	Number of replication updates sent by this replica
`ds-mon-server-hostport`	Host port	Host and port of a server
`ds-mon-server-id`	Integer	Server identifier
`ds-mon-server-state`	CSN (Change Sequence Number)	Replication server state
`ds-mon-short-name`	Directory String	Short name of the Directory Server
`ds-mon-ssl-encryption`	Boolean	Whether SSL encryption is used when exchanging mesages with this server
`ds-mon-start-time`	Generalized Time	Start date and time for the Directory Server
`ds-mon-status-last-changed`	Generalized Time	Last date and time the replication status of the local replica changed
`ds-mon-status`	Directory String	Replication status of the local replica, can either be "Invalid", "Not connected", "Normal", "Degraded", "Full update", "Bad generation id"
`ds-mon-system-name`	Directory String	Fully qualified domain name of the system where the Directory Server is running
`ds-mon-total-connections`	Integer	Total number of client connections that have been established with the Directory Server since it started
`ds-mon-updates-inbound-queue`	Duration in milli-seconds	Number of remote updates received from the replication server but not replayed yet on this replica
`ds-mon-updates-outbound-queue`	Duration in milli-seconds	Number of local updates that are waiting to be sent to the replication server once they complete
`ds-mon-updates-totals-per-replay-thread`	Json	JSON array of the number of updates replayed per replay thread
`ds-mon-vendor-name`	Directory String	Vendor name of the Directory Server
`ds-mon-version-qualifier`	Directory String	Version qualifier of the Directory Server
`ds-mon-working-directory`	Filesystem path	Current working directory of the user running the Directory Server

10.3. Prometheus Metrics

This section lists available Prometheus metrics by name, indicating their types as described in "Metric Types".

The labels are listed in braces. For example, the labels in ds_backend_db_cache_misses_internal_nodes{backend,type} are backend and type.

Prometheus Metrics by Name

Name	Type	Description
`ds_all_entry_caches_cache_entry_count`	Gauge	Current number of entries held in this cache
`ds_all_entry_caches_cache_misses_count`	Summary	Number of attempts to retrieve an entry that was not held in this cache
`ds_all_entry_caches_cache_misses_total`	Summary	Number of attempts to retrieve an entry that was not held in this cache
`ds_all_entry_caches_cache_total_tries_count`	Summary	Number of attempts to retrieve an entry from this cache
`ds_all_entry_caches_cache_total_tries_total`	Summary	Number of attempts to retrieve an entry from this cache
`ds_backend_db_cache_evict_internal_nodes_count{backend,type}`	Gauge	Number of internal nodes evicted from the database cache
`ds_backend_db_cache_evict_leaf_nodes_count{backend,type}`	Gauge	Number of leaf nodes (data records) evicted from the database cache
`ds_backend_db_cache_misses_internal_nodes{backend,type}`	Gauge	Number of internal nodes requested by btree operations that were not in the database cache
`ds_backend_db_cache_misses_leaf_nodes{backend,type}`	Gauge	Number of leaf nodes (data records) requested by btree operations that were not in the database cache
`ds_backend_db_cache_size_active_bytes{backend,type}`	Gauge	Size of the database cache
`ds_backend_db_cache_total_tries_internal_nodes{backend,type}`	Gauge	Number of internal nodes requested by btree operations
`ds_backend_db_cache_total_tries_leaf_nodes{backend,type}`	Gauge	Number of leaf nodes (data records) requested by btree operations
`ds_backend_db_checkpoint_count{backend,type}`	Gauge	Number of checkpoints run so far
`ds_backend_db_log_cleaner_file_deletion_count{backend,type}`	Gauge	Number of cleaner file deletions
`ds_backend_db_log_files_open{backend,type}`	Gauge	Number of files currently open in the database file cache
`ds_backend_db_log_files_opened{backend,type}`	Gauge	Number of times a log file has been opened
`ds_backend_db_log_size_active_bytes{backend,type}`	Gauge	Bytes used by all active data files (files required for basic database operation)
`ds_backend_db_log_size_total_bytes{backend,type}`	Gauge	Size used by all data files on disk
`ds_backend_db_log_utilization_max{backend,type}`	Gauge	Current maximum (upper bound) log utilization as a percentage
`ds_backend_db_log_utilization_min{backend,type}`	Gauge	Current minimum (lower bound) log utilization as a percentage
`ds_backend_degraded_index_count{backend,type}`	Gauge	Number of degraded indexes in the backend
`ds_backend_entry_count{backend,base_dn,dc,type}`	Gauge	Number of subordinate entries of the base DN, including the base DN
`ds_backend_entry_count{backend,base_dn,type}`	Gauge	Number of subordinate entries of the base DN, including the base DN
`ds_backend_filter_use_indexed{backend,type}`	Gauge	Number of indexed searches performed against the backend
`ds_backend_filter_use_start_time_seconds{backend,type}`	Gauge	Time when recording started for statistical information about the simple search filters processed against the backend
`ds_backend_filter_use_unindexed{backend,type}`	Gauge	Number of unindexed searches performed against the backend
`ds_backend_is_private{backend,type}`	Gauge	Whether the base DNs of this backend should be considered public or private
`ds_backend_ttl_entries_deleted_count{backend,type}`	Summary	Summary for entries purged by time-to-live
`ds_backend_ttl_entries_deleted_total{backend,type}`	Summary	Summary for entries purged by time-to-live
`ds_backend_ttl_is_running{backend,type}`	Gauge	Indicates whether time-to-live is in the process of purging expired entries
`ds_backend_ttl_last_run_time_seconds{backend,type}`	Gauge	Last date and time when time-to-live finished purging expired entries
`ds_backend_ttl_queue_size{backend,type}`	Gauge	Number of entries queued for purging by the time-to-live service
`ds_backend_ttl_thread_count{backend,type}`	Gauge	Number of active time-to-live threads
`ds_certificates_certificate_expires_at_seconds{alias,key_manager}`	Gauge	Certificate expiration date and time
`ds_connection_handlers_http_active_connections_count{http_handler}`	Gauge	Number of active client connections
`ds_connection_handlers_http_bytes_read_count{http_handler}`	Summary	Network bytes read summary
`ds_connection_handlers_http_bytes_read_total{http_handler}`	Summary	Network bytes read summary
`ds_connection_handlers_http_bytes_written_count{http_handler}`	Summary	Network bytes written summary
`ds_connection_handlers_http_bytes_written_total{http_handler}`	Summary	Network bytes written summary
`ds_connection_handlers_http_requests_count{http_handler,type}`	Summary	Delete request timer
`ds_connection_handlers_http_requests_count{http_handler,type}`	Summary	GET request timer
`ds_connection_handlers_http_requests_count{http_handler,type}`	Summary	PATCH request timer
`ds_connection_handlers_http_requests_count{http_handler,type}`	Summary	POST request timer
`ds_connection_handlers_http_requests_count{http_handler,type}`	Summary	PUT request timer
`ds_connection_handlers_http_requests_count{http_handler,type}`	Summary	Uncategorized request timer
`ds_connection_handlers_http_requests_failure_count{http_handler,type}`	Summary	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds_connection_handlers_http_requests_failure_count{http_handler,type}`	Summary	Timer for requests that could not complete because further action is required (associated HTTP status codes: redirection (3xx))
`ds_connection_handlers_http_requests_failure_count{http_handler,type}`	Summary	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds_connection_handlers_http_requests_failure_count{http_handler,type}`	Summary	Timer for requests that failed due to uncategorized reasons
`ds_connection_handlers_http_requests_failure_count{http_handler,type}`	Summary	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds_connection_handlers_http_requests_failure_seconds_total{http_handler,type}`	Summary	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds_connection_handlers_http_requests_failure_seconds_total{http_handler,type}`	Summary	Timer for requests that could not complete because further action is required (associated HTTP status codes: redirection (3xx))
`ds_connection_handlers_http_requests_failure_seconds_total{http_handler,type}`	Summary	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds_connection_handlers_http_requests_failure_seconds_total{http_handler,type}`	Summary	Timer for requests that failed due to uncategorized reasons
`ds_connection_handlers_http_requests_failure_seconds_total{http_handler,type}`	Summary	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds_connection_handlers_http_requests_failure_seconds{http_handler,type,quantile}`	Summary	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds_connection_handlers_http_requests_failure_seconds{http_handler,type,quantile}`	Summary	Timer for requests that could not complete because further action is required (associated HTTP status codes: redirection (3xx))
`ds_connection_handlers_http_requests_failure_seconds{http_handler,type,quantile}`	Summary	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds_connection_handlers_http_requests_failure_seconds{http_handler,type,quantile}`	Summary	Timer for requests that failed due to uncategorized reasons
`ds_connection_handlers_http_requests_failure_seconds{http_handler,type,quantile}`	Summary	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds_connection_handlers_http_requests_seconds_total{http_handler,type}`	Summary	Delete request timer
`ds_connection_handlers_http_requests_seconds_total{http_handler,type}`	Summary	GET request timer
`ds_connection_handlers_http_requests_seconds_total{http_handler,type}`	Summary	PATCH request timer
`ds_connection_handlers_http_requests_seconds_total{http_handler,type}`	Summary	POST request timer
`ds_connection_handlers_http_requests_seconds_total{http_handler,type}`	Summary	PUT request timer
`ds_connection_handlers_http_requests_seconds_total{http_handler,type}`	Summary	Uncategorized request timer
`ds_connection_handlers_http_requests_seconds{http_handler,type,quantile}`	Summary	Delete request timer
`ds_connection_handlers_http_requests_seconds{http_handler,type,quantile}`	Summary	GET request timer
`ds_connection_handlers_http_requests_seconds{http_handler,type,quantile}`	Summary	PATCH request timer
`ds_connection_handlers_http_requests_seconds{http_handler,type,quantile}`	Summary	POST request timer
`ds_connection_handlers_http_requests_seconds{http_handler,type,quantile}`	Summary	PUT request timer
`ds_connection_handlers_http_requests_seconds{http_handler,type,quantile}`	Summary	Uncategorized request timer
`ds_connection_handlers_ldap_abandoned_requests{ldap_handler}`	Counter	Total number of abandoned operations since startup
`ds_connection_handlers_ldap_active_connections_count{ldap_handler}`	Gauge	Number of active client connections
`ds_connection_handlers_ldap_active_persistent_searches{ldap_handler}`	Gauge	Number of active persistent searches
`ds_connection_handlers_ldap_bytes_read_count{ldap_handler}`	Summary	Network bytes read summary
`ds_connection_handlers_ldap_bytes_read_total{ldap_handler}`	Summary	Network bytes read summary
`ds_connection_handlers_ldap_bytes_written_count{ldap_handler}`	Summary	Network bytes written summary
`ds_connection_handlers_ldap_bytes_written_total{ldap_handler}`	Summary	Network bytes written summary
`ds_connection_handlers_ldap_connections_count{ldap_handler}`	Summary	Connection summary
`ds_connection_handlers_ldap_connections_total{ldap_handler}`	Summary	Connection summary
`ds_connection_handlers_ldap_requests_count{ldap_handler,scope,type}`	Summary	Base object search request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,scope,type}`	Summary	One level search request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,scope,type}`	Summary	Subtree search request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Abandon request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Add request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Bind request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Compare request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Delete request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Extended request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Modify DN request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Modify request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Unbind request timer
`ds_connection_handlers_ldap_requests_count{ldap_handler,type}`	Summary	Uncategorized request timer
`ds_connection_handlers_ldap_requests_failure_count{ldap_handler,type}`	Summary	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds_connection_handlers_ldap_requests_failure_count{ldap_handler,type}`	Summary	Timer for requests that failed because the server did not hold the request targeted entry (but was able to provide alternative servers that may) (associated LDAP result code: 10)
`ds_connection_handlers_ldap_requests_failure_count{ldap_handler,type}`	Summary	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds_connection_handlers_ldap_requests_failure_count{ldap_handler,type}`	Summary	Timer for requests that failed because they were trying to exceed the resource limits allocated to the associated clients (associated LDAP result codes: time, size and admin limit exceeded (respectively 4, 5 and 11)
`ds_connection_handlers_ldap_requests_failure_count{ldap_handler,type}`	Summary	Timer for requests that failed due to uncategorized reasons
`ds_connection_handlers_ldap_requests_failure_count{ldap_handler,type}`	Summary	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds_connection_handlers_ldap_requests_failure_seconds_total{ldap_handler,type}`	Summary	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds_connection_handlers_ldap_requests_failure_seconds_total{ldap_handler,type}`	Summary	Timer for requests that failed because the server did not hold the request targeted entry (but was able to provide alternative servers that may) (associated LDAP result code: 10)
`ds_connection_handlers_ldap_requests_failure_seconds_total{ldap_handler,type}`	Summary	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds_connection_handlers_ldap_requests_failure_seconds_total{ldap_handler,type}`	Summary	Timer for requests that failed because they were trying to exceed the resource limits allocated to the associated clients (associated LDAP result codes: time, size and admin limit exceeded (respectively 4, 5 and 11)
`ds_connection_handlers_ldap_requests_failure_seconds_total{ldap_handler,type}`	Summary	Timer for requests that failed due to uncategorized reasons
`ds_connection_handlers_ldap_requests_failure_seconds_total{ldap_handler,type}`	Summary	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds_connection_handlers_ldap_requests_failure_seconds{ldap_handler,type,quantile}`	Summary	Timer for apparently valid requests that failed because the server was not able to process them (associated LDAP result codes: busy (51), unavailable (52), unwilling to perform (53) and other (80); associated HTTP status codes: server error (5xx))
`ds_connection_handlers_ldap_requests_failure_seconds{ldap_handler,type,quantile}`	Summary	Timer for requests that failed because the server did not hold the request targeted entry (but was able to provide alternative servers that may) (associated LDAP result code: 10)
`ds_connection_handlers_ldap_requests_failure_seconds{ldap_handler,type,quantile}`	Summary	Timer for requests that failed because there was a problem while attempting to perform the associated operation (associated LDAP result codes: 1, 2, 12, 15, 16, 17, 18, 19, 20, 21, 23, 34, 35, 36, 37, 38, 39; associated HTTP status codes: client error (4xx) except 401 and 403)
`ds_connection_handlers_ldap_requests_failure_seconds{ldap_handler,type,quantile}`	Summary	Timer for requests that failed because they were trying to exceed the resource limits allocated to the associated clients (associated LDAP result codes: time, size and admin limit exceeded (respectively 4, 5 and 11)
`ds_connection_handlers_ldap_requests_failure_seconds{ldap_handler,type,quantile}`	Summary	Timer for requests that failed due to uncategorized reasons
`ds_connection_handlers_ldap_requests_failure_seconds{ldap_handler,type,quantile}`	Summary	Timer for requests that failed for security reasons (associated LDAP result codes: 8, 9, 13, 25, 26, 27; associated HTTP status codes: unauthorized (401) and forbidden (403))
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,scope,type}`	Summary	Base object search request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,scope,type}`	Summary	One level search request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,scope,type}`	Summary	Subtree search request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Abandon request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Add request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Bind request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Compare request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Delete request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Extended request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Modify DN request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Modify request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Unbind request timer
`ds_connection_handlers_ldap_requests_seconds_total{ldap_handler,type}`	Summary	Uncategorized request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,scope,type,quantile}`	Summary	Base object search request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,scope,type,quantile}`	Summary	One level search request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,scope,type,quantile}`	Summary	Subtree search request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Abandon request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Add request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Bind request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Compare request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Delete request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Extended request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Modify DN request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Modify request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Unbind request timer
`ds_connection_handlers_ldap_requests_seconds{ldap_handler,type,quantile}`	Summary	Uncategorized request timer
`ds_current_connections`	Gauge	Number of client connections currently established with the Directory Server
`ds_current_time_seconds`	Gauge	Current date and time
`ds_disk_free_space_bytes{disk}`	Gauge	Amount of free disk space
`ds_disk_free_space_full_threshold_bytes{disk}`	Gauge	Effective full disk space threshold
`ds_disk_free_space_low_threshold_bytes{disk}`	Gauge	Effective low disk space threshold
`ds_entry_cache_entry_count{cache}`	Gauge	Current number of entries held in this cache
`ds_entry_cache_max_entry_count{cache}`	Gauge	Maximum number of entries allowed in this cache
`ds_entry_cache_max_size_bytes{cache}`	Gauge	Memory limit for this cache
`ds_entry_cache_misses_count{cache}`	Summary	Number of attempts to retrieve an entry that was not held in this cache
`ds_entry_cache_misses_total{cache}`	Summary	Number of attempts to retrieve an entry that was not held in this cache
`ds_entry_cache_total_tries_count{cache}`	Summary	Number of attempts to retrieve an entry from this cache
`ds_entry_cache_total_tries_total{cache}`	Summary	Number of attempts to retrieve an entry from this cache
`ds_jvm_available_cpus`	Gauge	Number of processors available to the Java virtual machine
`ds_jvm_classes_loaded`	Gauge	Number of classes loaded since the Java virtual machine started
`ds_jvm_classes_unloaded`	Gauge	Number of classes unloaded since the Java virtual machine started
`ds_jvm_garbage_collector_ps_mark_sweep_count`	Gauge	Number of collections performed by the "parallel scavenge mark sweep" garbage collection algorithm
`ds_jvm_garbage_collector_ps_mark_sweep_time_seconds`	Gauge	Approximate accumulated time taken by the "parallel scavenge mark sweep" garbage collection algorithm
`ds_jvm_garbage_collector_ps_scavenge_count`	Gauge	Number of collections performed by the "parallel scavenge" garbage collection algorithm
`ds_jvm_garbage_collector_ps_scavenge_time_seconds`	Gauge	Approximate accumulated time taken by the "parallel scavenge" garbage collection algorithm
`ds_jvm_memory_heap_init_bytes`	Gauge	Amount of heap memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_heap_max_bytes`	Gauge	Maximum amount of heap memory that the Java virtual machine will attempt to use
`ds_jvm_memory_heap_reserved_bytes`	Gauge	Amount of heap memory that is committed for the Java virtual machine to use
`ds_jvm_memory_heap_used_bytes`	Gauge	Amount of heap memory used by the Java virtual machine
`ds_jvm_memory_init_bytes`	Gauge	Amount of memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_max_bytes`	Gauge	Maximum amount of memory that the Java virtual machine will attempt to use
`ds_jvm_memory_non_heap_init_bytes`	Gauge	Amount of non-heap memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_non_heap_max_bytes`	Gauge	Maximum amount of non-heap memory that the Java virtual machine will attempt to use
`ds_jvm_memory_non_heap_reserved_bytes`	Gauge	Amount of non-heap memory that is committed for the Java virtual machine to use
`ds_jvm_memory_non_heap_used_bytes`	Gauge	Amount of non-heap memory used by the Java virtual machine
`ds_jvm_memory_pools_code_cache_init_bytes`	Gauge	Amount of "code cache" memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_pools_code_cache_max_bytes`	Gauge	Maximum amount of "code cache" memory that the Java virtual machine will attempt to use
`ds_jvm_memory_pools_code_cache_reserved_bytes`	Gauge	Amount of "code cache" memory that is committed for the Java virtual machine to use
`ds_jvm_memory_pools_code_cache_used_bytes`	Gauge	Amount of "code cache" memory used by the Java virtual machine
`ds_jvm_memory_pools_compressed_class_space_init_bytes`	Gauge	Amount of "compressed class space" memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_pools_compressed_class_space_max_bytes`	Gauge	Maximum amount of "compressed class space" memory that the Java virtual machine will attempt to use
`ds_jvm_memory_pools_compressed_class_space_reserved_bytes`	Gauge	Amount of "compressed class space" memory that is committed for the Java virtual machine to use
`ds_jvm_memory_pools_compressed_class_space_used_bytes`	Gauge	Amount of "compressed class space" memory used by the Java virtual machine
`ds_jvm_memory_pools_metaspace_init_bytes`	Gauge	Amount of "metaspace" memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_pools_metaspace_max_bytes`	Gauge	Maximum amount of "metaspace" memory that the Java virtual machine will attempt to use
`ds_jvm_memory_pools_metaspace_reserved_bytes`	Gauge	Amount of "metaspace" memory that is committed for the Java virtual machine to use
`ds_jvm_memory_pools_metaspace_used_bytes`	Gauge	Amount of "metaspace" memory used by the Java virtual machine
`ds_jvm_memory_pools_ps_eden_space_init_bytes`	Gauge	Amount of "parallel scavenge eden space" memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_pools_ps_eden_space_max_bytes`	Gauge	Maximum amount of "parallel scavenge eden space" memory that the Java virtual machine will attempt to use
`ds_jvm_memory_pools_ps_eden_space_reserved_bytes`	Gauge	Amount of "parallel scavenge eden space" memory that is committed for the Java virtual machine to use
`ds_jvm_memory_pools_ps_eden_space_used_after_gc_bytes`	Gauge	Amount of "parallel scavenge eden space" memory after the last time garbage collection recycled unused objects in this memory pool
`ds_jvm_memory_pools_ps_eden_space_used_bytes`	Gauge	Amount of "parallel scavenge eden space" memory used by the Java virtual machine
`ds_jvm_memory_pools_ps_old_gen_init_bytes`	Gauge	Amount of "parallel scavenge old generation" memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_pools_ps_old_gen_max_bytes`	Gauge	Maximum amount of "parallel scavenge old generation" memory that the Java virtual machine will attempt to use
`ds_jvm_memory_pools_ps_old_gen_reserved_bytes`	Gauge	Amount of "parallel scavenge old generation" memory that is committed for the Java virtual machine to use
`ds_jvm_memory_pools_ps_old_gen_used_after_gc_bytes`	Gauge	Amount of "parallel scavenge old generation" memory after the last time garbage collection recycled unused objects in this memory pool
`ds_jvm_memory_pools_ps_old_gen_used_bytes`	Gauge	Amount of "parallel scavenge old generation" memory used by the Java virtual machine
`ds_jvm_memory_pools_ps_survivor_space_init_bytes`	Gauge	Amount of "parallel scavenge survivor space" memory that the Java virtual machine initially requested from the operating system
`ds_jvm_memory_pools_ps_survivor_space_max_bytes`	Gauge	Maximum amount of "parallel scavenge survivor space" memory that the Java virtual machine will attempt to use
`ds_jvm_memory_pools_ps_survivor_space_reserved_bytes`	Gauge	Amount of "parallel scavenge survivor space" memory that is committed for the Java virtual machine to use
`ds_jvm_memory_pools_ps_survivor_space_used_after_gc_bytes`	Gauge	Amount of "parallel scavenge survivor space" memory after the last time garbage collection recycled unused objects in this memory pool
`ds_jvm_memory_pools_ps_survivor_space_used_bytes`	Gauge	Amount of "parallel scavenge survivor space" memory used by the Java virtual machine
`ds_jvm_memory_reserved_bytes`	Gauge	Amount of memory that is committed for the Java virtual machine to use
`ds_jvm_memory_used_bytes`	Gauge	Amount of memory used by the Java virtual machine
`ds_jvm_threads_blocked_count`	Gauge	Number of threads in the BLOCKED state
`ds_jvm_threads_count`	Gauge	Number of live threads including both daemon and non-daemon threads
`ds_jvm_threads_daemon_count`	Gauge	Number of live daemon threads
`ds_jvm_threads_deadlock_count`	Gauge	Number of deadlocked threads
`ds_jvm_threads_new_count`	Gauge	Number of threads in the NEW state
`ds_jvm_threads_runnable_count`	Gauge	Number of threads in the RUNNABLE state
`ds_jvm_threads_terminated_count`	Gauge	Number of threads in the TERMINATED state
`ds_jvm_threads_timed_waiting_count`	Gauge	Number of threads in the TIMED_WAITING state
`ds_jvm_threads_waiting_count`	Gauge	Number of threads in the WAITING state
`ds_max_connections`	Gauge	Maximum number of simultaneous client connections that have been established with the Directory Server
`ds_replication_changelog_connected_changelogs_assured_sd_received_updates{changelog_id,domain_name,dc}`	Gauge	Number of updates received in the safe-data mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sd_received_updates{changelog_id,domain_name}`	Gauge	Number of updates received in the safe-data mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sd_sent_updates_timeout{changelog_id,domain_name,dc}`	Counter	Number of updates sent in the safe-data mode of assured replication that timed out
`ds_replication_changelog_connected_changelogs_assured_sd_sent_updates_timeout{changelog_id,domain_name}`	Counter	Number of updates sent in the safe-data mode of assured replication that timed out
`ds_replication_changelog_connected_changelogs_assured_sd_sent_updates{changelog_id,domain_name,dc}`	Gauge	Number of updates sent in the safe-data mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sd_sent_updates{changelog_id,domain_name}`	Gauge	Number of updates sent in the safe-data mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sr_received_updates_timeout{changelog_id,domain_name,dc}`	Counter	Number of updates received in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_changelogs_assured_sr_received_updates_timeout{changelog_id,domain_name}`	Counter	Number of updates received in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_changelogs_assured_sr_received_updates{changelog_id,domain_name,dc}`	Gauge	Number of updates received in the safe-read mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sr_received_updates{changelog_id,domain_name}`	Gauge	Number of updates received in the safe-read mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sr_sent_updates_timeout{changelog_id,domain_name,dc}`	Counter	Number of updates sent in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_changelogs_assured_sr_sent_updates_timeout{changelog_id,domain_name}`	Counter	Number of updates sent in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_changelogs_assured_sr_sent_updates{changelog_id,domain_name,dc}`	Gauge	Number of updates sent in the safe-read mode of assured replication
`ds_replication_changelog_connected_changelogs_assured_sr_sent_updates{changelog_id,domain_name}`	Gauge	Number of updates sent in the safe-read mode of assured replication
`ds_replication_changelog_connected_changelogs_current_receive_window{changelog_id,domain_name,dc}`	Gauge	Current replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_current_receive_window{changelog_id,domain_name}`	Gauge	Current replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_current_send_window{changelog_id,domain_name,dc}`	Gauge	Current replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_current_send_window{changelog_id,domain_name}`	Gauge	Current replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_domain_generation_id{changelog_id,domain_name,dc}`	Gauge	Replication domain generation identifier
`ds_replication_changelog_connected_changelogs_domain_generation_id{changelog_id,domain_name}`	Gauge	Replication domain generation identifier
`ds_replication_changelog_connected_changelogs_max_receive_window{changelog_id,domain_name,dc}`	Gauge	Maximum replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_max_receive_window{changelog_id,domain_name}`	Gauge	Maximum replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_max_send_window{changelog_id,domain_name,dc}`	Gauge	Maximum replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_max_send_window{changelog_id,domain_name}`	Gauge	Maximum replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_changelogs_missing_changes{changelog_id,domain_name,dc}`	Gauge	Missing changes for replication
`ds_replication_changelog_connected_changelogs_missing_changes{changelog_id,domain_name}`	Gauge	Missing changes for replication
`ds_replication_changelog_connected_changelogs_ssl_encryption{changelog_id,domain_name,dc}`	Gauge	Whether SSL encryption is used when exchanging mesages with this server
`ds_replication_changelog_connected_changelogs_ssl_encryption{changelog_id,domain_name}`	Gauge	Whether SSL encryption is used when exchanging mesages with this server
`ds_replication_changelog_connected_replicas_approx_oldest_change_not_synchronized_seconds{domain_name,dc,server_id}`	Gauge	Approximate date and time of the oldest change not yet synchronized
`ds_replication_changelog_connected_replicas_approx_oldest_change_not_synchronized_seconds{domain_name,server_id}`	Gauge	Approximate date and time of the oldest change not yet synchronized
`ds_replication_changelog_connected_replicas_approximate_delay_seconds{domain_name,dc,server_id}`	Gauge	Approximate delay between this server and the connected replica
`ds_replication_changelog_connected_replicas_approximate_delay_seconds{domain_name,server_id}`	Gauge	Approximate delay between this server and the connected replica
`ds_replication_changelog_connected_replicas_assured_sd_received_updates_timeout{domain_name,dc,server_id}`	Counter	Number of updates received in the safe-data mode of assured replication that timed out
`ds_replication_changelog_connected_replicas_assured_sd_received_updates_timeout{domain_name,server_id}`	Counter	Number of updates received in the safe-data mode of assured replication that timed out
`ds_replication_changelog_connected_replicas_assured_sd_received_updates{domain_name,dc,server_id}`	Gauge	Number of updates received in the safe-data mode of assured replication
`ds_replication_changelog_connected_replicas_assured_sd_received_updates{domain_name,server_id}`	Gauge	Number of updates received in the safe-data mode of assured replication
`ds_replication_changelog_connected_replicas_assured_sr_received_updates_timeout{domain_name,dc,server_id}`	Counter	Number of updates received in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_replicas_assured_sr_received_updates_timeout{domain_name,server_id}`	Counter	Number of updates received in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_replicas_assured_sr_received_updates{domain_name,dc,server_id}`	Gauge	Number of updates received in the safe-read mode of assured replication
`ds_replication_changelog_connected_replicas_assured_sr_received_updates{domain_name,server_id}`	Gauge	Number of updates received in the safe-read mode of assured replication
`ds_replication_changelog_connected_replicas_assured_sr_sent_updates_timeout{domain_name,dc,server_id}`	Counter	Number of updates sent in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_replicas_assured_sr_sent_updates_timeout{domain_name,server_id}`	Counter	Number of updates sent in the safe-read mode of assured replication that timed out
`ds_replication_changelog_connected_replicas_assured_sr_sent_updates{domain_name,dc,server_id}`	Gauge	Number of updates sent in the safe-read mode of assured replication
`ds_replication_changelog_connected_replicas_assured_sr_sent_updates{domain_name,server_id}`	Gauge	Number of updates sent in the safe-read mode of assured replication
`ds_replication_changelog_connected_replicas_current_receive_window{domain_name,dc,server_id}`	Gauge	Current replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_current_receive_window{domain_name,server_id}`	Gauge	Current replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_current_send_window{domain_name,dc,server_id}`	Gauge	Current replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_current_send_window{domain_name,server_id}`	Gauge	Current replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_domain_generation_id{domain_name,dc,server_id}`	Gauge	Replication domain generation identifier
`ds_replication_changelog_connected_replicas_domain_generation_id{domain_name,server_id}`	Gauge	Replication domain generation identifier
`ds_replication_changelog_connected_replicas_max_receive_window{domain_name,dc,server_id}`	Gauge	Maximum replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_max_receive_window{domain_name,server_id}`	Gauge	Maximum replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_max_send_window{domain_name,dc,server_id}`	Gauge	Maximum replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_max_send_window{domain_name,server_id}`	Gauge	Maximum replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_changelog_connected_replicas_missing_changes{domain_name,dc,server_id}`	Gauge	Missing changes for replication
`ds_replication_changelog_connected_replicas_missing_changes{domain_name,server_id}`	Gauge	Missing changes for replication
`ds_replication_changelog_connected_replicas_ssl_encryption{domain_name,dc,server_id}`	Gauge	Whether SSL encryption is used when exchanging mesages with this server
`ds_replication_changelog_connected_replicas_ssl_encryption{domain_name,server_id}`	Gauge	Whether SSL encryption is used when exchanging mesages with this server
`ds_replication_changelog_domain_generation_id{domain_name,dc}`	Gauge	Replication domain generation identifier
`ds_replication_changelog_domain_generation_id{domain_name}`	Gauge	Replication domain generation identifier
`ds_replication_changelog_missing_changes{domain_name,dc}`	Gauge	Missing changes for replication
`ds_replication_changelog_missing_changes{domain_name}`	Gauge	Missing changes for replication
`ds_replication_changelog_newest_change_number`	Gauge	Newest change number present in the change number index database
`ds_replication_changelog_oldest_change_number`	Gauge	Oldest change number present in the change number index database
`ds_replication_changelog_replica_dbs_newest_csn_timestamp_seconds{domain_name,dc,server_id}`	Gauge	Timestamp of the newest CSN present in the replica database
`ds_replication_changelog_replica_dbs_oldest_csn_timestamp_seconds{domain_name,dc,server_id}`	Gauge	Timestamp of the oldest CSN present in the replica database
`ds_replication_replica_assured_sd_acknowledged_updates`	Counter	Number of updates sent in the safe-data mode of assured replication that have been successfully acknowledged
`ds_replication_replica_assured_sd_sent_updates`	Counter	Number of updates sent in the safe-data mode of assured replication
`ds_replication_replica_assured_sd_timeout_updates`	Counter	Number of updates sent in the safe-data mode of assured replication that have not been successfully acknowledged because of timeout
`ds_replication_replica_assured_sr_acknowledged_updates`	Counter	Number of updates sent in the safe-read mode of assured replication that this server acknowledged successfully
`ds_replication_replica_assured_sr_not_acknowledged_updates`	Counter	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully (due to timeout, incorrect status, or error during replay)
`ds_replication_replica_assured_sr_received_updates_acked`	Counter	Number of updates received in the safe-read mode of assured replication that this server acknowledged without errors
`ds_replication_replica_assured_sr_received_updates_not_acked`	Counter	Number of updates received in the safe-read mode of assured replication that this server acknowledged with errors
`ds_replication_replica_assured_sr_received_updates`	Counter	Number of updates received in the safe-read mode of assured replication
`ds_replication_replica_assured_sr_replay_error_updates`	Counter	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully due to replay errors
`ds_replication_replica_assured_sr_sent_updates`	Counter	Number of updates sent in the safe-read mode of assured replication
`ds_replication_replica_assured_sr_timeout_updates`	Counter	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully due to timeout
`ds_replication_replica_assured_sr_wrong_status_updates`	Counter	Number of updates sent in the safe-read mode of assured replication that have not been acknowledged successfully due to incorrect status
`ds_replication_replica_current_receive_window`	Gauge	Current replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_replica_current_send_window`	Gauge	Current replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_replica_domain_generation_id`	Gauge	Replication domain generation identifier
`ds_replication_replica_entries_awaiting_updates_count`	Gauge	Number of entries for which an update operation has been received but not replayed yet by this replica
`ds_replication_replica_lost_connections`	Gauge	Number of times the replica lost its connection to the replication server
`ds_replication_replica_max_receive_window`	Gauge	Maximum replication window size for receiving messages, indicating the number of replication messages a remote server can send before waiting on acknowledgement from this server. This does not depend on the TCP window size
`ds_replication_replica_max_send_window`	Gauge	Maximum replication window size for sending messages, indicating the number of replication messages this server can send before waiting on acknowledgement from the receiving server. This does not depend on the TCP window size
`ds_replication_replica_remote_replicas_current_delay_seconds{domain_name,dc,remote_server_id,server_id}`	Gauge	Current local delay in replaying replicated operations
`ds_replication_replica_remote_replicas_replayed_updates_count{domain_name,dc,remote_server_id,server_id}`	Summary	Timer for updates that have been replayed on this replica
`ds_replication_replica_remote_replicas_replayed_updates_seconds_total{domain_name,dc,remote_server_id,server_id}`	Summary	Timer for updates that have been replayed on this replica
`ds_replication_replica_remote_replicas_replayed_updates_seconds{domain_name,dc,remote_server_id,server_id,quantile}`	Summary	Timer for updates that have been replayed on this replica
`ds_replication_replica_replayed_updates_conflicts_resolved`	Counter	Number of updates replayed on this replica for which replication naming conflicts have been resolved
`ds_replication_replica_replayed_updates_conflicts_unresolved`	Counter	Number of updates replayed on this replica for which replication naming conflicts have not been resolved
`ds_replication_replica_replayed_updates_count`	Summary	Timer for updates that have been replayed on this replica
`ds_replication_replica_replayed_updates_seconds_total`	Summary	Timer for updates that have been replayed on this replica
`ds_replication_replica_replayed_updates_seconds{quantile}`	Summary	Timer for updates that have been replayed on this replica
`ds_replication_replica_sent_updates`	Counter	Number of replication updates sent by this replica
`ds_replication_replica_ssl_encryption`	Gauge	Whether SSL encryption is used when exchanging mesages with this server
`ds_replication_replica_status_last_changed_seconds`	Gauge	Last date and time the replication status of the local replica changed
`ds_replication_replica_updates_inbound_queue`	Gauge	Number of remote updates received from the replication server but not replayed yet on this replica
`ds_replication_replica_updates_outbound_queue`	Gauge	Number of local updates that are waiting to be sent to the replication server once they complete
`ds_start_time_seconds`	Gauge	Start date and time for the Directory Server
`ds_total_connections`	Gauge	Total number of client connections that have been established with the Directory Server since it started
`ds_work_queue_requests_in_queue`	Gauge	Number of requests in the work queue that have not yet been picked up for processing
`ds_work_queue_requests_rejected_queue_full_count`	Summary	Summary for operations that have been rejected because the work queue was already at its maximum capacity
`ds_work_queue_requests_rejected_queue_full_total`	Summary	Summary for operations that have been rejected because the work queue was already at its maximum capacity
`ds_work_queue_requests_submitted_count`	Summary	Summary for operations that have been successfully submitted to the work queue
`ds_work_queue_requests_submitted_total`	Summary	Summary for operations that have been successfully submitted to the work queue

Tools Reference

Find the bundled tools where you installed the server, as indicated in "Server Command-Line Tools" in the Administration Guide.

Name

addrate — measure add and delete throughput and response time

Synopsis

addrate {options} template-file-path

Description

This utility can be used to measure add and optionally delete throughput and response time of a directory server using user-defined entries. The {template-file-path} argument identifies a template file that has the same form as a template file for the makeldif command.

Examples:

This example adds entries and randomly deletes them while the number of entries added is greater than 10,000:

addrate -p 1389 -f -c 10 -C random -s 10000 addrate.template

This example adds entries and starts to delete them in the same order if their age is greater than a certain time:

addrate -p 1389 -f -c 10 -C fifo -a 2 addrate.template

For details about the template file, see makeldif.template.

When you do not use the -f option to keep connections open and rebind on the connections, the tool can exhaust its available ports, causing the tool to crash. You can work around this problem on test systems by changing TCP settings on the system.

For example, on Linux systems, set the following parameters in the /etc/sysctl.conf file:

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

The parameter net.ipv4.tcp_fin_timeout sets the length of time in seconds to wait for a final FIN packet before forcing a close of the socket. The default is 60 (seconds).

The parameter net.ipv4.tcp_tw_recycle enables fast recycling of TIME_WAIT sockets. The default is 0 (false). Enabling this can cause Network Address Translation (NAT) issues.

The parameter net.ipv4.tcp_tw_reuse enables reuse of TIME_WAIT sockets for new connections. The default is 0 (false).

These settings are recommended only for testing, and not for production systems.

After making the changes to /etc/sysctl.conf, reload the configuration with the sysctl command:

# sysctl -p

Options

The addrate command takes the following options:

Command options:

-a | --deleteAgeThreshold {seconds}

Specifies the age at which added entries will become candidates for deletion.

-B | --warmUpDuration {warmUpDuration}

Warm up duration in seconds.

Default: 0

-c | --numConnections {numConnections}

Number of connections.

Default: 1

-C | --deleteMode {fifo | random | off}

The algorithm used for selecting entries to be deleted which must be one of "fifo", "random", or "off".

Default: FIFO

-d | --maxDuration {maxDuration}

Maximum duration in seconds, 0 for unlimited.

Default: 0

-e | --percentile {percentile}

Calculate max response time for a percentile of operations.

-f | --keepConnectionsOpen

Keep connections open.

Default: false

-F | --noRebind

Keep connections open and do not rebind.

Default: false

-g | --constant {name=value}

A constant that overrides the value set in the template file.

-i | --statInterval {statInterval}

Display results each specified number of seconds.

Default: 5

-m | --maxIterations {maxIterations}

Max iterations, 0 for unlimited.

Default: 0

-M | --targetThroughput {targetThroughput}

Target average throughput to achieve.

Default: 0

-n | --noPurge

Disable the purge phase when the tool stops.

Default: false

-r | --resourcePath {path}

Path to look for template resources (e.g. data files).

The utility looks for resources in the following locations in this order:

The current directory where the command is run.
The resource path directory.
The built-in files.

-R | --randomSeed {seed}

The seed to use for initializing the random number generator.

Default: 0

-s | --deleteSizeThreshold {count}

Specifies the number of entries to be added before deletion begins.

Default: 10000

-S | --scriptFriendly

Use script-friendly mode.

Default: false

-t | --numConcurrentRequests {numConcurrentRequests}

Number of concurrent requests per connection.

Default: 1

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
80: The command could not complete due to an input/output error.
89: An error occurred while parsing the command-line arguments.

Examples

The following examples use this template file, addrate.template:


define suffix=dc=example,dc=com
define maildomain=example.com

branch: [suffix]

branch: ou=People,[suffix]
subordinateTemplate: person

template: person
rdnAttr: uid
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: <first>
sn: <last>
cn: {givenName} {sn}
initials: {givenName:1}<random:chars:ABCDEFGHIJKLMNOPQRSTUVWXYZ:1>{sn:1}
employeeNumber: <sequential:0>
uid: user.{employeeNumber}
mail: {uid}@[maildomain]
userPassword: password
telephoneNumber: <random:telephone>
homePhone: <random:telephone>
pager: <random:telephone>
mobile: <random:telephone>
street: <random:numeric:5> <file:streets> Street
l: <file:cities>
st: <file:states>
postalCode: <random:numeric:5>
postalAddress: {cn}${street}${l}, {st}  {postalCode}
description: This is the description for {cn}.

The following example adds entries, and then randomly deletes them when more than 10,000 entries have been added:

$ addrate -p 1389 -D "cn=Directory Manager" -w password \
-f -c 10 -C random -s 10000 addrate.template

-----------------------------------------------------------------------
    Throughput                            Response Time
  (ops/second)                           (milliseconds)
recent  average  recent  average  99.9%  99.99%  99.999%  err/sec  Add%
-----------------------------------------------------------------------
466.7    467.2  20.738   20.738  187.00  201.00   201.00      0.0  100.00
588.9    528.1  17.015   18.661  166.00  201.00   201.00      0.0  100.00
1584.9    880.3   6.076   11.109  150.00  196.00   201.00      0.0  79.87
1577.8   1054.5   6.138    9.252  132.00  192.00   201.00      0.0  50.00
1853.0   1214.4   5.188    8.010  124.00  187.00   201.00      0.0  49.99
^CPurge phase...
2482.7   1426.2   3.790    6.783  114.00  187.00   201.00      0.0  9.77

The following example also adds entries, and then deletes them in the order they were added after they are 10 seconds old:

$ addrate -p 1389 -D "cn=Directory Manager" -w password \
-f -c 10 -C fifo -a 10 addrate.template

-----------------------------------------------------------------------
    Throughput                            Response Time
  (ops/second)                           (milliseconds)
recent  average  recent  average  99.9%  99.99%  99.999%  err/sec  Add%
-----------------------------------------------------------------------
2065.6   2068.1   4.646    4.646  30.00   51.00    58.00      0.0  100.00
1479.7   1773.3   6.567    5.449  46.00   59.00    67.00      0.0  99.23
1443.4   1663.3   6.730    5.820  56.00  112.00   120.00      0.0  50.01
1462.6   1613.0   6.635    6.005  56.00  102.00   120.00      0.0  50.08
1452.2   1580.8   6.678    6.129  62.00  110.00   120.00      0.0  49.97
^CPurge phase...
1344.5   1541.4   7.170    6.280  69.00  176.00  1900.00      0.0  17.30
1703.3   1564.6   5.449    6.151  68.00  176.00  3000.00      0.0  0.00

Name

authrate — measure bind throughput and response time

Synopsis

authrate {options} [filter template string] [attributes ...]

Description

This utility can be used to measure bind throughput and response time of a directory service using user-defined bind or search-then-bind operations.

Template strings may be used in the bind DN option as well as the authid and authzid SASL bind options. A search operation may be used to retrieve the bind DN by specifying the base DN and a filter. The retrieved entry DN will be appended as the last argument in the argument list when evaluating template strings.

Example (bind only):

authrate -p 1389 -D 'uid=user.{},ou=people,dc=example,dc=com' \

-w password -f -c 10 -g 'rand(0,2000)'

Example (search then bind):

authrate -p 1389 -D '{2}' -w password -f -c 10 \

-b 'ou=people,dc=example,dc=com' -s one -g 'rand(0,2000)' '(uid=user.{1})'

Before trying the example, import 2000 randomly generated users.

When you do not use the -f option to keep connections open and rebind on the connections, the tool can exhaust its available ports, causing the tool to crash. You can work around this problem on test systems by changing TCP settings on the system.

For example, on Linux systems, set the following parameters in the /etc/sysctl.conf file:

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

The parameter net.ipv4.tcp_fin_timeout sets the length of time in seconds to wait for a final FIN packet before forcing a close of the socket. The default is 60 (seconds).

The parameter net.ipv4.tcp_tw_recycle enables fast recycling of TIME_WAIT sockets. The default is 0 (false). Enabling this can cause Network Address Translation (NAT) issues.

The parameter net.ipv4.tcp_tw_reuse enables reuse of TIME_WAIT sockets for new connections. The default is 0 (false).

These settings are recommended only for testing, and not for production systems.

After making the changes to /etc/sysctl.conf, reload the configuration with the sysctl command:

# sysctl -p

Options

The authrate command takes the following options:

Command options:

-a | --dereferencePolicy {dereferencePolicy}

Alias dereference policy ('never', 'always', 'search', or 'find').

Default: never

-b | --baseDn {baseDN}

Base DN template string.

-B | --warmUpDuration {warmUpDuration}

Warm up duration in seconds.

Default: 0

-c | --numConnections {numConnections}

Number of connections.

Default: 1

-d | --maxDuration {maxDuration}

Maximum duration in seconds, 0 for unlimited.

Default: 0

-e | --percentile {percentile}

Calculate max response time for a percentile of operations.

-f | --keepConnectionsOpen

Keep connections open.

Default: false

-g | --argument {generator function or static string}

Argument used to evaluate the Java style template strings in program parameters (ie. Base DN, Search Filter). The set of all arguments provided form the the argument list in order. Besides static string arguments, they can be generated per iteration with the following functions:

"inc({filename})" Consecutive, incremental line from file

"inc({min},{max})" Consecutive, incremental number

"rand({filename})" Random line from file

"rand({min},{max})" Random number

"randstr({length},_charSet_)" Random string of specified length and optionally from characters in the charSet string. A range of character can be specified with [start-end] charSet notation. If no charSet is specified, the default charSet of [A-Z][a-z][0-9] will be used.

-i | --statInterval {statInterval}

Display results each specified number of seconds.

Default: 5

-I | --invalidPassword {invalidPassword}

Calculate max response time for a percentile of operations.

Default: 0

-m | --maxIterations {maxIterations}

Max iterations, 0 for unlimited.

Default: 0

-M | --targetThroughput {targetThroughput}

Target average throughput to achieve.

Default: 0

-s | --searchScope {searchScope}

Search scope ('base', 'one', 'sub', or 'subordinates'). Note: 'subordinates' is an LDAP extension that might not work with all LDAP servers.

Default: sub

-S | --scriptFriendly

Use script-friendly mode.

Default: false

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
89: An error occurred while parsing the command-line arguments.

Examples

The following example demonstrates measuring simple bind performance:

$ authrate -p 1389 -g "rand(names.txt)" \
 -D "uid=%s,ou=people,dc=example,dc=com" -w password -c 10 -f
-----------------------------------------------------------------
     Throughput                            Response Time
   (ops/second)                           (milliseconds)
recent  average  recent  average  99.9%  99.99%  99.999%  err/sec
-----------------------------------------------------------------
9796.9   9816.6   1.029    1.029  12.413  161.451  161.835      0.0
14201.1  12028.1   0.704    0.835  9.508  161.456  167.573      0.0
14450.0  12835.9   0.692    0.782  8.989  161.835  174.518      0.0
12934.3  12860.6   0.773    0.779  9.253  161.339  174.426      0.0
14154.5  13121.0   0.706    0.764  9.025  161.451  177.101      0.0
^C

The names.txt contains all the user IDs for the sample suffix. All user password values have been set to password for this example.

Name

backendstat — gather OpenDJ backend debugging information

Synopsis

backendstat {subcommand} {options}

Description

This utility can be used to debug a backend.

Options

The backendstat command takes the following options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The backendstat command supports the following subcommands:

backendstat dump-index

Dump records from an index, decoding keys and values. Depending on index size, this subcommand can generate lots of output.

Options

The backendstat dump-index command takes the following options:

-n | --backendId {backendName}

The backend ID of the backend.

-b | --baseDn {baseDN}

The base DN within the backend.

-i | --indexName {indexName}

The name of the index.

-q | --statsOnly

Do not display backend data, just statistics.

Default: false

-K | --maxKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-k | --minKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-X | --maxHexKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-x | --minHexKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-S | --maxDataSize {maxDataSize}

Only show records whose data is no larger than the provided value.

Default: -1

-s | --minDataSize {minDataSize}

Only show records whose data is no smaller than the provided value.

Default: -1

-p | --skipDecode

Do not try to decode backend data to their appropriate types.

Default: false

backendstat dump-raw-db

Dump the raw records in hexadecimal format for a low-level database within the pluggable backend's storage engine. Depending on index size, this subcommand can generate lots of output.

Options

The backendstat dump-raw-db command takes the following options:

-n | --backendId {backendName}

The backend ID of the backend.

-d | --dbName {databaseName}

The raw database name.

-q | --statsOnly

Do not display backend data, just statistics.

Default: false

-K | --maxKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-k | --minKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-X | --maxHexKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-x | --minHexKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-S | --maxDataSize {maxDataSize}

Only show records whose data is no larger than the provided value.

Default: -1

-s | --minDataSize {minDataSize}

Only show records whose data is no smaller than the provided value.

Default: -1

-l | --singleLine

Write hexadecimal data on a single line instead of pretty format.

Default: false

backendstat list-backends

List the pluggable backends.

backendstat list-base-dns

List the base DNs in a backend.

Options

The backendstat list-base-dns command takes the following options:

-n | --backendId {backendName}: The backend ID of the backend.

backendstat list-indexes

List the indexes associated with a pluggable backend. This subcommand may take a long time to complete depending on the size of the backend.

Options

The backendstat list-indexes command takes the following options:

-n | --backendId {backendName}: The backend ID of the backend.
-b | --baseDn {baseDN}: The base DN within the backend.

backendstat list-raw-dbs

List the low-level databases within a pluggable backend's storage engine. This subcommand may take a long time to complete depending on the size of the backend.

Options

The backendstat list-raw-dbs command takes the following options:

-n | --backendId {backendName}

The backend ID of the backend.

-u | --useSiUnits

Uses SI Units for printing sizes.

Default: false

backendstat show-index-status

Shows the status of indexes for a backend base DN. This subcommand can take a long time to complete, as it reads all indexes for all backends.

When you run the 'list-index-status' command, the result is a table, followed by a "Total", which is the total number of indexes, followed by a list of indexes with "Over index-entry-limit keys" to show the values for which the number of entries exceeded the index entry limit. The table has the following columns.

Index Name

Name of the index, which takes the form attr.type for attribute indexes, and vlv.name for VLV indexes. Some indexes are for OpenDJ directory server's internal use.

Example: givenName.caseIgnoreSubstringsMatch:6

Tree Name

Name of the backend tree, which reflects how OpenDJ directory server organizes the data in the database.

Example: /dc=example,dc=com/givenName.caseIgnoreSubstringsMatch:6

Index Valid

This is true for valid indexes. If this is false, the index might be degraded. Verify the index, and rebuild the index if necessary.

Record Count

Number of indexed keys. Use the backendstat dump-tree command to see how many entry IDs correspond to each key.

Over Index Entry Limit

Number of keys for which there are too many values to maintain an index, based on the index entry limit. This is recorded as - for VLV indexes.

In other words, with the default index entry limit of 4000, if every user in your large directory has an email address ending in @example.com, and a substring index with default substring length of 6 is maintained for mail, then OpenDJ directory server does not maintain indexes for keys corresponding to substrings in @example.com.

As a result, an LDAP search with the filter "(mail=*@example.com)" becomes an unindexed search even though a substring index exists for the mail attribute. By default OpenDJ directory server does not allow unindexed searches except by privileged users. This is usually exactly the behavior you want in order to prevent client applications from sending searches that return every user in the directory for example. Clients should refine their search filters instead.

95%, 90%, 85%

Number of keys for which the number of values is approaching the index entry limit, having at least the specified percentage. This is a measure of how full the entry ID lists are.

Options

The backendstat show-index-status command takes the following options:

-n | --backendId {backendName}: The backend ID of the backend.
-b | --baseDn {baseDN}: The base DN within the backend.

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example displays index information.

$ bin/backendstat dump-index  -n userRoot -b dc=example,dc=com -i id2childrencount 

    Key (len 2): 1#52
    Value (len 8): 1
    Key (len 2): 2#52
    Value (len 8): 500000
    Key (len 9): Total Children Count
    Value (len 8): 500001

    Total Records: 3
    Total / Average Key Size: 13 bytes / 4 bytes
    Total / Average Data Size: 24 bytes / 8 bytes

Name

backup — back up directory data

Synopsis

backup {options}

Description

This utility can be used to back up one or more Directory Server backends.

Options

The backup command takes the following options:

Command options:

-a | --backUpAll

Back up all backends in the server.

Default: false

-A | --hash

Generate a hash of the backup contents.

Default: false

-B | --incrementalBaseId {backupID}

Backup ID of the source archive for an incremental backup.

-c | --compress

Compress the backup contents.

Default: false

-d | --backupDirectory {backupDir}

Path to the target directory for the backup file(s).

-i | --incremental

Perform an incremental backup rather than a full backup.

Default: false

-I | --backupId {backupID}

Use the provided identifier for the backup.

-n | --backendId {backendName}

Backend ID for the backend to archive.

--offline

Indicates that the command must be run in offline mode.

Default: false

-s | --signHash

Sign the hash of the backup contents.

Default: false

-y | --encrypt

Encrypt the backup contents.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

The schedule pattern for a recurring task supports only the following crontab features:

Time and Date Fields

Field	Allowed Values
minute	0-59
hour	0-23
day of month	1-31
month	1-12 (or names)
day of week	0-7 (0 or 7 is Sunday, or use names)

A field can contain an asterisk, *. An asterisk stands for first-last.

Fields can include ranges of numbers. A range is two numbers separated by a hyphen, and is inclusive. For example, 8-10 for an "hour" field means execution at hours 8, 9, and 10.

Fields can include lists. A list is a set of numbers or ranges separated by commas. For example, 4,8-10 for an "hour" field means execution at hours 4, 8, 9, and 10.

When using names for in "month" or "day of week" fields, use the first three letters of the particular month or day of the week. Case does not matter. Ranges and lists of names are not supported.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
1: An error occurred.

Examples

The following example backs up all user data while the server is online.

$ backup -p 4444 -D "cn=Directory Manager" -w password \
 -a -d /path/to/opendj/bak -t 0
Backup task 20110613143801866 scheduled to start ...

The following example schedules back up of all user data every night at 2 AM when the server is online, and notifies diradmin@example.com when finished, or on error.

$ backup -p 4444 -D "cn=Directory Manager" -w password -a \
 -d /path/to/opendj/bak --recurringTask "00 02 * * *" \
 --completionNotify diradmin@example.com --errorNotify diradmin@example.com
Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
scheduled successfully

The following example backs up all user data while the server is offline.

$ stop-ds
Stopping Server...
...

$ backup --backupAll --backupDirectory /path/to/opendj/bak
... msg=The backup process completed successfully

$ start-ds
... The Directory Server has started successfully

Name

base64 — encode and decode base64 strings

Synopsis

base64 {subcommand} {options}

Description

This utility can be used to encode and decode information using base64.

Options

The base64 command takes the following options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The base64 command supports the following subcommands:

base64 decode

Decode base64-encoded information into raw data. When no options are specified, this subcommand reads from standard input and writes to standard output.

Options

The base64 decode command takes the following options:

-d | --encodedData {data}: The base64-encoded data to be decoded.
-f | --encodedDataFile {path}: The path to a file containing the base64-encoded data to be decoded.
-o | --toRawFile {path}: The path to a file to which the raw base64-decoded data should be written.

base64 encode

Encode raw data using base64. When no options are specified, this subcommand reads from standard input and writes to standard output.

Options

The base64 encode command takes the following options:

-d | --rawData {data}: The raw data to be base64 encoded.
-f | --rawDataFile {path}: The path to a file containing the raw data to be base64 encoded.
-o | --toEncodedFile {path}: The path to a file to which the base64-encoded data should be written.

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following command shows the changes from the external change log in human-readable format.

$ base64 decode -d YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UK\
LQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2V\
yLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW\
1lc3RhbXA6IDIwMTEwNjEzMDcxMjEwWgotCg==
add: description
description: A third change
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20110613071210Z
-

Name

create-rc-script — script to manage OpenDJ as a service on UNIX

Synopsis

create-rc-script {options}

Description

Create an RC script that may be used to start, stop, and restart the Directory Server on UNIX-based systems.

Options

The create-rc-script command takes the following options:

Command options:

-f | --outputFile {path}: The path to the output file to create.
-j | --javaHome {path}: The path to the Java installation that should be used to run the server.
-J | --javaArgs {args}: A set of arguments that should be passed to the JVM when running the server.
-u | --userName {userName}: The name of the user account under which the server should run.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example adds a script to start OpenDJ at boot time on a Debian-based system, and then updates the runlevel system to use the script.

$ sudo create-rc-script -f /etc/init.d/opendj -u opendj-user
$ sudo update-rc.d opendj

Name

dsconfig — manage OpenDJ server configuration

Synopsis

dsconfig {subcommand} {options}

Description

This utility can be used to define a base configuration for the Directory Server.

The dsconfig command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, dsconfig prompts you for administration connection information, including the host name, administration port number, administrator bind DN and administrator password. The dsconfig command then connects securely to the directory server over the administration port. Once connected it presents you with a menu-driven interface to the server configuration.

When you pass connection information, subcommands, and additional options to dsconfig, the command runs in script mode and so is not interactive, though it can prompt you to ask whether to apply changes and whether to trust certificates (unless you use the --no-prompt and --trustAll options, respectively).

You can prepare dsconfig batch scripts by running the tool with the --commandFilePath option in interactive mode, then reading from the batch file with the --batchFilePath option in script mode. Batch files can be useful when you have many dsconfig commands to run and want to avoid starting the JVM for each command. Alternatively, you can read commands from standard input by using the --batch option.

The dsconfig command categorizes directory server configuration into components, also called managed objects. Actual components often inherit from a parent component type. For example, one component is a Connection Handler. An LDAP Connection Handler is a type of Connection Handler. You configure the LDAP Connection Handler component to specify how OpenDJ directory server handles LDAP connections coming from client applications.

Configuration components have properties. For example, the LDAP Connection Handler component has properties such as listen-port and allow-start-tls. You can set the component's listen-port property to 389 to use the default LDAP port number. You can set the component's allow-start-tls property to true to permit LDAP client applications to use StartTLS. Much of the configuration you do with dsconfig involves setting component properties.

Options

The dsconfig command takes the following options:

Command options:

--batch

Reads from standard input a set of commands to be executed.

Default: false

--commandFilePath {path}

The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.

--configFile {configFile}

Path to the Directory Server configuration file.

Default: null/config/config.ldif

--help-all

Display all subcommands.

Default: false

--help-core-server

Display subcommands relating to core server.

Default: false

--help-database

Display subcommands relating to caching and backends.

Default: false

--help-logging

Display subcommands relating to logging.

Default: false

--help-proxy

Display subcommands relating to directory proxy.

Default: false

--help-replication

Display subcommands relating to replication.

Default: false

--help-security

Display subcommands relating to authentication and authorization.

Default: false

--help-service-discovery

Display subcommands relating to service discovery mechanism.

Default: false

--help-user-management

Display subcommands relating to user management.

Default: false

--offline

Indicates that the command must be run in offline mode.

Default: false

Configuration Options

--advanced

Allows the configuration of advanced components and properties.

Default: false

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-F | --batchFilePath {batchFilePath}

Path to a batch file containing a set of commands to be executed.

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

-s | --script-friendly

Use script-friendly mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The dsconfig command provides many subcommands.

Subcommands let you create, list, and delete entire configuration components, and also let you get and set component properties. Subcommands therefore have names that reflect these five actions.

create-component
list-components
delete-component
get-component-prop
set-component-prop

Here, component names are names of managed object types. Subcommand component names are lower-case, hyphenated versions of the friendly names. When you act on an actual configuration component, you provide the name of the component as an option argument.

For example, the Log Publisher component has these corresponding subcommands.

create-log-publisher
list-log-publishers
delete-log-publisher
get-log-publisher-prop
set-log-publisher-prop

When you create or delete Log Publisher components and when you get and set their configuration properties, you provide the name of the actual log publisher, which you can find by using the list-log-publishers subcommand:

# Get the log publishers' names:
$ dsconfig \
 list-log-publishers \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll \
 --no-prompt
Log Publisher                      : Type                   : enabled
-----------------------------------:------------------------:--------
...
Json File-Based Access Logger      : json-file-access       : true
...

# Use the name to read a property:
$ dsconfig \
 get-log-publisher-prop \
 --publisher-name "Json File-Based Access Logger" \
 --property rotation-policy \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll \
 --no-prompt
Property        : Value(s)
----------------:--------------------------------------------------------------
rotation-policy : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
                : Policy

Many subcommands let you set property values. Notice in the reference for the subcommands below that specific options are available for handling multi-valued properties. Whereas you can assign a single property value by using the --set option, you assign multiple values to a multi-valued property by using the --add option. You can reset the values of the multi-valued property by using the --reset option.

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

ms: milliseconds
s: seconds
m: minutes
h: hours
d: days
w: weeks

Use the --help* options described above to view help for subcommands.

For help with individual subcommands, either use dsconfig subcommand --help, or start dsconfig in interactive mode, without specifying a subcommand.

To view all component properties, use the dsconfig list-properties command.

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

Much of the OpenDJ Administration Guide consists of dsconfig examples with text in between. This section therefore remains short.

The following example starts dsconfig in interactive, menu-driven mode on the default port of the current host.

$ dsconfig -h opendj.example.com -p 4444 -D "cn=Directory Manager" -w password

>>>> OpenDJ configuration console main menu

What do you want to configure?

    1)   Access Control Handler               22)  Key Manager Provider
    2)   Access Log Filtering Criteria        23)  Log Publisher
    3)   Account Status Notification Handler  24)  Log Retention Policy
    4)   Administration Connector             25)  Log Rotation Policy
    5)   Alert Handler                        26)  Password Generator
    6)   Backend                              27)  Password Policy
    7)   Backend Index                        28)  Password Storage Scheme
    8)   Backend VLV Index                    29)  Password Validator
    9)   Certificate Mapper                   30)  Plugin
    10)  Connection Handler                   31)  Plugin Root
    11)  Crypto Manager                       32)  Replication Domain
    12)  Debug Target                         33)  Replication Server
    13)  Entry Cache                          34)  Root DN
    14)  Extended Operation Handler           35)  Root DSE Backend
    15)  External Changelog Domain            36)  SASL Mechanism Handler
    16)  Global Access Control Policy         37)  Schema Provider
    17)  Global Configuration                 38)  Service Discovery Mechanism
    18)  Group Implementation                 39)  Synchronization Provider
    19)  HTTP Authorization Mechanism         40)  Trust Manager Provider
    20)  HTTP Endpoint                        41)  Virtual Attribute
    21)  Identity Mapper                      42)  Work Queue

    q)   quit

Enter choice:

The following example demonstrates generating a batch file that corresponds to an interactive session enabling the debug log. The example then demonstrates using a modified batch file to disable the debug log.

$ dsconfig \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --commandFilePath ~/enable-debug-log.batch
 ...
$ cat ~/enable-debug-log.batch
# dsconfig session start date: 19/Oct/2011:08:52:22 +0000

# Session operation number: 1
# Operation date: 19/Oct/2011:08:55:06 +0000
dsconfig set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:true \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/opendj/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword ****** \
          --no-prompt

$ cp ~/enable-debug-log.batch ~/disable-debug-log.batch
$ vi ~/disable-debug-log.batch
$ cat ~/disable-debug-log.batch
set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:false \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/opendj/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword password \
          --no-prompt

$ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt
set-log-publisher-prop
--publisher-name
File-Based Debug Logger
--set
enabled:false
--hostname
opendj.example.com
--port
4444
--trustStorePath
/path/to/opendj/config/admin-truststore
--bindDN
cn=Directory Manager
--bindPassword
password
--no-prompt

$

Notice that the original command file looks like a shell script with the bind password value replaced by asterisks. To pass the content as a batch file to dsconfig, strip dsconfig itself, and include the bind password for the administrative user or replace that option with an alternative, such as reading the password from a file.

Name

dsreplication — manage directory data replication

Synopsis

dsreplication {subcommand} {options}

Description

This utility manages replication between servers so that their data is synchronized. For replication to work you must first configure replication using the 'configure' subcommand and then initialize the contents of one of the servers with the contents of the other using the 'initialize' subcommand.

Options

The dsreplication command takes the following options:

Command options:

--commandFilePath {path}

The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-j | --adminPasswordFile {bindPasswordFile}

The file containing the password of the global administrator.

-w | --adminPassword {bindPassword}

The global administrator password.

Configuration Options

--advanced

Allows the configuration of advanced components and properties.

Default: false

LDAP connection options:

-I | --adminUid {adminUID}

User ID of the Global Administrator to use to bind to the server. For the 'configure' subcommand if no Global Administrator was defined previously for none of the server the Global Administrator will be created using the provided data.

Default: admin

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The dsreplication command supports the following subcommands:

dsreplication configure

Updates the configuration of the servers to replicate the data under the specified base DN. If one of the specified servers is already replicating the data under the base DN with other servers, executing this subcommand will update the configuration of all the servers (so it is sufficient to execute the command line once for each server we add to the replication topology).

Options

The dsreplication configure command takes the following options:

-h | --host1 {host}

Fully qualified host name or IP address of the first server whose contents will be replicated.

Default: localhost.localdomain

-p | --port1 {port}

Directory server administration port number of the first server whose contents will be replicated.

-D | --bindDn1 {bindDN}

DN to use to bind to the first server whose contents will be replicated. If not specified the global administrator will be used to bind.

Default: cn=Directory Manager

--bindPassword1 {bindPassword}

Password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind.

--bindPasswordFile1 {bindPasswordFile}

File containing the password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind.

-r | --replicationPort1 {port}

Port that will be used by the replication mechanism in the first server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the first server.

--secureReplication1

Specifies whether the communication through the replication port of the first server is encrypted or not. This option will only be taken into account the first time replication is configured on the first server.

Default: false

--noReplicationServer1

Do not configure a replication port or change log on the first server. The first server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure.

Default: false

--onlyReplicationServer1

Configure only a change log and replication port on the first server. The first server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers.

Default: false

-O | --host2 {host}

Fully qualified host name or IP address of the second server whose contents will be replicated.

Default: localhost.localdomain

--port2 {port}

Directory server administration port number of the second server whose contents will be replicated.

--bindDn2 {bindDN}

DN to use to bind to the second server whose contents will be replicated. If not specified the global administrator will be used to bind.

Default: cn=Directory Manager

--bindPassword2 {bindPassword}

Password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind.

-F | --bindPasswordFile2 {bindPasswordFile}

File containing the password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind.

-R | --replicationPort2 {port}

Port that will be used by the replication mechanism in the second server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the second server.

--secureReplication2

Specifies whether the communication through the replication port of the second server is encrypted or not. This option will only be taken into account the first time replication is configured on the second server.

Default: false

--noReplicationServer2

Do not configure a replication port or change log on the second server. The second server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure.

Default: false

--onlyReplicationServer2

Configure only a change log and replication port on the second server. The second server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers.

Default: false

-S | --skipPortCheck

Skip the check to determine whether the specified replication ports are usable.

Default: false

--noSchemaReplication

Do not replicate the schema between the servers.

Default: false

--useSecondServerAsSchemaSource

Use the second server to initialize the schema of the first server. If this option nor option --noSchemaReplication are specified the schema of the first server will be used to initialize the schema of the second server.

Default: false

-b | --baseDn {baseDN}

Base DN(s) of the data to be replicated. Multiple base DNs can be provided by using this option multiple times.

dsreplication initialize

Initialize the contents of the data under the specified base DN on the destination server with the contents on the source server. This operation is required after configuring replication in order replication to work ('initialize-all' can also be used for this purpose).

Options

The dsreplication initialize command takes the following options:

-h | --hostSource {host}

Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server.

Default: localhost.localdomain

-p | --portSource {port}

Directory server administration port number of the source server whose contents will be used to initialize the destination server.

-O | --hostDestination {host}

Fully qualified host name or IP address of the destination server whose contents will be initialized.

Default: localhost.localdomain

--portDestination {port}

Directory server administration port number of the destination server whose contents will be initialized.

-b | --baseDn {baseDN}

Base DN(s) of the data for which replication will be initialized. Multiple base DNs can be provided by using this option multiple times.

dsreplication initialize-all

Initialize the contents of the data under the specified base DN on all the servers whose contents are being replicated with the contents on the specified server. This operation is required after configuring replication for replication to work ('initialize' applied to each server can also be used for this purpose).

Options

The dsreplication initialize-all command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

-b | --baseDn {baseDN}

Base DN(s) of the data for which replication will be initialized. Multiple base DNs can be provided by using this option multiple times.

dsreplication post-external-initialization

This subcommand must be called after initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that have been initialized and you must provide the credentials of any of the servers that are being replicated. See the usage of the subcommand 'pre-external-initialization' for more information.

Options

The dsreplication post-external-initialization command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

-b | --baseDn {baseDN}

Base DN(s) of the data that have been restored from backup. Multiple base DNs can be provided by using this option multiple times.

dsreplication pre-external-initialization

This subcommand must be called before initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that will be initialized and you must provide the credentials of any of the servers that are being replicated. After calling this subcommand, initialize the contents of all the servers in the topology (use the same LDIF file/binary copy on each of the servers), then call the subcommand 'post-external-initialization'.

Options

The dsreplication pre-external-initialization command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

-b | --baseDn {baseDN}

Base DN(s) of the data that will be restored from backup. Multiple base DNs can be provided by using this option multiple times.

dsreplication purge-historical

Launches a purge processing of the historical informations stored in the user entries by replication. Since this processing may take a while, you must specify the maximum duration for this processing.

Options

The dsreplication purge-historical command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

--maximumDuration {maximum duration}

This argument specifies the maximum duration the purge processing must last expressed in seconds.

Default: 3600

-b | --baseDn {baseDN}

Base DN(s) from which historical information will be purged. Multiple base DNs can be provided by using this option multiple times.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

The schedule pattern for a recurring task supports only the following crontab features:

Time and Date Fields

Field	Allowed Values
minute	0-59
hour	0-23
day of month	1-31
month	1-12 (or names)
day of week	0-7 (0 or 7 is Sunday, or use names)

A field can contain an asterisk, *. An asterisk stands for first-last.

Fields can include ranges of numbers. A range is two numbers separated by a hyphen, and is inclusive. For example, 8-10 for an "hour" field means execution at hours 8, 9, and 10.

Fields can include lists. A list is a set of numbers or ranges separated by commas. For example, 4,8-10 for an "hour" field means execution at hours 4, 8, 9, and 10.

When using names for in "month" or "day of week" fields, use the first three letters of the particular month or day of the week. Case does not matter. Ranges and lists of names are not supported.

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

dsreplication reset-change-number

Re-synchronizes the change-log changenumber on one server with the change-log changenumber of another.

Options

The dsreplication reset-change-number command takes the following options:

-h | --hostSource {host}

Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server.

Default: localhost.localdomain

-p | --portSource {port}

Directory server administration port number of the source server whose contents will be used to initialize the destination server.

-O | --hostDestination {host}

Fully qualified host name or IP address of the destination server whose contents will be initialized.

Default: localhost.localdomain

--portDestination {port}

Directory server administration port number of the destination server whose contents will be initialized.

--change-number {change number}

The change number to use as the basis for re-synchronization.

dsreplication resume

Resumes replication on the specified server.

Options

The dsreplication resume command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

dsreplication status

Displays a list with the basic replication configuration of the base DNs of the servers defined in the registration information. If no base DNs are specified as parameter the information for all base DNs is displayed.

Options

The dsreplication status command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

-s | --script-friendly

Use script-friendly mode.

Default: false

-b | --baseDn {baseDN}

This option can be used to filter replication topology base DN(s).

Multiple base DNs can be provided by using this option multiple times. If no base DNs are specified the information for all base DNs is displayed.

dsreplication suspend

Suspends (pauses) replication on the specified server.

Options

The dsreplication suspend command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

dsreplication unconfigure

Unconfigures replication on the specified server for the provided base DN and removes references in the other servers with which it is replicating data.

Options

The dsreplication unconfigure command takes the following options:

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

-a | --unconfigureReplicationServer

Unconfigure the replication server. The replication port and change log will be unconfigured on the specified server.

Default: false

--unconfigureAll

Unconfigure the replication configuration on the specified server. The contents of the server are no longer replicated and the replication server (changelog and replication port) is unconfigured if it is configured.

Default: false

-D | --bindDn {bindDN}

DN to use to bind to the server where we want to unconfigure replication. This option must be used when no Global Administrator has been defined on the server or if the user does not want to remove references in the other replicated servers. The password provided for the Global Administrator will be used when specifying this option.

Default: cn=Directory Manager

-b | --baseDn {baseDN}

Base DN(s) of the data for which replication will be unconfigured. Multiple base DNs can be provided by using this option multiple times.

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example configures and then initializes replication for a new replica on opendj2.example.com from an existing replica on opendj.example.com.

$ dsreplication configure -I admin -w password -X -n -b dc=example,dc=com \
 --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password --replicationPort1 8989 \
 --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password --replicationPort2 8989

$ dsreplication initialize-all -I admin -w password -X -n -b dc=example,dc=com \
 -h opendj.example.com -p 4444

Name

encode-password — encode a password with a storage scheme

Synopsis

encode-password {options}

Description

This utility can be used to encode user passwords with a specified storage scheme, or to determine whether a given clear-text value matches a provided encoded password.

Options

The encode-password command takes the following options:

Command options:

-a | --authPasswordSyntax

Use the authentication password syntax rather than the user password syntax.

Default: false

-c | --clearPassword {clearPW}

Clear-text password to encode or to compare against an encoded password.

-e | --encodedPassword {encodedPW}

Encoded password to compare against the clear-text password.

-E | --encodedPasswordFile {file}

Encoded password file.

-f | --clearPasswordFile {file}

Clear-text password file.

-i | --interactivePassword

The password to encode or to compare against an encoded password is interactively asked to the user.

Default: false

-l | --listSchemes

List available password storage schemes.

Default: false

-r | --useCompareResultCode

Use the LDAP compare result as an exit code for the password comparison.

Default: false

-s | --storageScheme {scheme}

Scheme to use for the encoded password.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
5: The -r option was used, and the compare did not match.
6: The -r option was used, and the compare did match.
other: An error occurred.

Examples

The following example encodes a password, and also shows comparison of a password with the encoded value.

$ encode-password -l
3DES
AES
BASE64
BCRYPT
BLOWFISH
CLEAR
CRYPT
MD5
PBKDF2
PKCS5S2
RC4
SHA
SMD5
SSHA
SSHA256
SSHA384
SSHA512

$ encode-password -c secret12 -s CRYPT
Encoded Password:  "{CRYPT}ZulJ6Dy3TFnrE"

$ encode-password -c secret12 -s CRYPT -e "{CRYPT}ZulJ6Dy3TFnrE" -r
The provided clear-text and encoded passwords match

$ echo $?
6

Name

export-ldif — export directory data in LDIF

Synopsis

export-ldif {options}

Description

This utility can be used to export data from a Directory Server backend in LDIF form.

Options

The export-ldif command takes the following options:

Command options:

-a | --appendToLdif

Append an existing LDIF file rather than overwriting it.

Default: false

-b | --includeBranch {branchDN}

Base DN of a branch to include in the LDIF export.

-B | --excludeBranch {branchDN}

Base DN of a branch to exclude from the LDIF export.

-c | --compress

Compress the LDIF data as it is exported.

Default: false

-e | --excludeAttribute {attribute}

Attribute to exclude from the LDIF export.

--excludeFilter {filter}

Filter to identify entries to exclude from the LDIF export.

-i | --includeAttribute {attribute}

Attribute to include in the LDIF export.

--includeFilter {filter}

Filter to identify entries to include in the LDIF export.

-l | --ldifFile {ldifFile}

Path to the LDIF file to be written.

-n | --backendId {backendName}

Backend ID for the backend to export.

-O | --excludeOperational

Exclude operational attributes from the LDIF export.

Default: false

--offline

Indicates that the command must be run in offline mode.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

The schedule pattern for a recurring task supports only the following crontab features:

Time and Date Fields

Field	Allowed Values
minute	0-59
hour	0-23
day of month	1-31
month	1-12 (or names)
day of week	0-7 (0 or 7 is Sunday, or use names)

A field can contain an asterisk, *. An asterisk stands for first-last.

Fields can include ranges of numbers. A range is two numbers separated by a hyphen, and is inclusive. For example, 8-10 for an "hour" field means execution at hours 8, 9, and 10.

Fields can include lists. A list is a set of numbers or ranges separated by commas. For example, 4,8-10 for an "hour" field means execution at hours 4, 8, 9, and 10.

When using names for in "month" or "day of week" fields, use the first three letters of the particular month or day of the week. Case does not matter. Ranges and lists of names are not supported.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

--wrapColumn {wrapColumn}

Column at which to wrap long lines (0 for no wrapping).

Default: 0

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example exports data to a file, Example.ldif, with the server offline.

$ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif
... category=BACKEND severity=INFORMATION ...
...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)

Name

import-ldif — import directory data from LDIF

Synopsis

import-ldif {options}

Description

This utility can be used to import LDIF data into a Directory Server backend, overwriting existing data. It cannot be used to append data to the backend database.

Options

The import-ldif command takes the following options:

Command options:

-A | --templateFile {templateFile}

Path to a MakeLDIF template to use to generate the import data.

-b | --includeBranch {branchDN}

Base DN of a branch to include in the LDIF import.

-B | --excludeBranch {branchDN}

Base DN of a branch to exclude from the LDIF import.

-c | --isCompressed

LDIF file is compressed.

Default: false

--countRejects

Count the number of entries rejected by the server and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).

Default: false

-e | --excludeAttribute {attribute}

Attribute to exclude from the LDIF import.

--excludeFilter {filter}

Filter to identify entries to exclude from the LDIF import.

-F | --clearBackend

Remove all entries for all base DNs in the backend before importing.

Default: false

-i | --includeAttribute {attribute}

Attribute to include in the LDIF import.

--includeFilter {filter}

Filter to identify entries to include in the LDIF import.

-l | --ldifFile {ldifFile}

Path to the LDIF file to be imported.

-n | --backendId {backendName}

Backend ID for the backend to import.

-O | --overwrite

Overwrite an existing rejects and/or skip file rather than appending to it.

Default: false

--offline

Indicates that the command must be run in offline mode.

Default: false

-R | --rejectFile {rejectFile}

Write rejected entries to the specified file.

-s | --randomSeed {seed}

Seed for the MakeLDIF random number generator.

Default: 0

-S | --skipSchemaValidation

Skip schema validation during the LDIF import.

Default: false

--skipFile {skipFile}

Write skipped entries to the specified file.

--threadCount {count}

Number of threads used to read LDIF file during import. Default value (0) equals: 2 x (number of CPUs).

Default: 0

--tmpDirectory {directory}

Path to temporary directory for index scratch files during LDIF import.

Default: import-tmp

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

The schedule pattern for a recurring task supports only the following crontab features:

Time and Date Fields

Field	Allowed Values
minute	0-59
hour	0-23
day of month	1-31
month	1-12 (or names)
day of week	0-7 (0 or 7 is Sunday, or use names)

A field can contain an asterisk, *. An asterisk stands for first-last.

Fields can include ranges of numbers. A range is two numbers separated by a hyphen, and is inclusive. For example, 8-10 for an "hour" field means execution at hours 8, 9, and 10.

Fields can include lists. A list is a set of numbers or ranges separated by commas. For example, 4,8-10 for an "hour" field means execution at hours 4, 8, 9, and 10.

When using names for in "month" or "day of week" fields, use the first three letters of the particular month or day of the week. Case does not matter. Ranges and lists of names are not supported.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode (no output).

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example imports the content of a file, Example.ldif, with the server offline.

$ import-ldif -b dc=example,dc=com -n userRoot -l /path/to/Example.ldif
... category=RUNTIME_INFORMATION severity=NOTICE...
... msg=Import LDIF environment close took 0 seconds

Name

ldapcompare — perform LDAP compare operations

Synopsis

ldapcompare {options} attribute:value DN

Description

This utility can be used to perform LDAP compare operations in the Directory Server.

Options

The ldapcompare command takes the following options:

Command options:

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

Assertion, LdapAssertion

Assertion Request Control, Object Identifier: 1.3.6.1.1.12

AccountUsable, AccountUsability

Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

AuthzId, AuthorizationIdentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

Csn, ChangeNumber, ChangeSequenceNumber

Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9

This is an internal OpenDJ control.

EffectiveRights, GetEffectiveRights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

ManageDsaIt

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

Noop, No-Op

No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

PwPolicy, PasswordPolicy

Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

PermissiveModify

Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413

PSearch, PersistentSearch

Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3

PostRead

Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2

PreRead

Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1

ProxiedAuthV1

Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12

ProxiedAuth, ProxiedAuthV2

Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18

RealAttrsOnly, RealAttributesOnly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

TreeDelete, SubTreeDelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

Sort, ServerSideSort

Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473

PagedResults, SimplePagedResults

Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319

SubEntries

Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1

TxnId, TransactionId

Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

This is an internal ForgeRock control.

VirtualAttrsOnly, VirtualAttributesOnly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

Vlv, VirtualListView

Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9

-m | --useCompareResultCode

Use the LDAP compare result as an exit code for the LDAP compare operations.

Default: false

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

-S | --scriptFriendly

Use script-friendly mode.

Default: false

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

5

The LDAP compare operation did not match.

6

The -m option was used, and the LDAP compare operation did match.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389

Examples

The following examples demonstrate comparing Babs Jensen's UID.

The following example uses a matching UID value.

$ ldapcompare -p 1389 uid:bjensen uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value bjensen in entry
uid=bjensen,ou=people,dc=example,dc=com
Compare operation returned true for entry
uid=bjensen,ou=people,dc=example,dc=com

The following example uses a UID value that does not match.

$ ldapcompare -p 1389 uid:beavis uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value beavis in entry
uid=bjensen,ou=people,dc=example,dc=com
Compare operation returned false for entry
uid=bjensen,ou=people,dc=example,dc=com

Name

ldapdelete — perform LDAP delete operations

Synopsis

ldapdelete {options} [DN]

Description

This utility can be used to perform LDAP delete operations in the Directory Server.

If standard input is used to specify entries to remove, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).

Options

The ldapdelete command takes the following options:

Command options:

-c | --continueOnError

Continue processing even if there are errors.

Default: false

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

Assertion, LdapAssertion

Assertion Request Control, Object Identifier: 1.3.6.1.1.12

AccountUsable, AccountUsability

Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

AuthzId, AuthorizationIdentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

Csn, ChangeNumber, ChangeSequenceNumber

Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9

This is an internal OpenDJ control.

EffectiveRights, GetEffectiveRights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

ManageDsaIt

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

Noop, No-Op

No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

PwPolicy, PasswordPolicy

Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

PermissiveModify

Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413

PSearch, PersistentSearch

Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3

PostRead

Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2

PreRead

Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1

ProxiedAuthV1

Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12

ProxiedAuth, ProxiedAuthV2

Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18

RealAttrsOnly, RealAttributesOnly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

TreeDelete, SubTreeDelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

Sort, ServerSideSort

Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473

PagedResults, SimplePagedResults

Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319

SubEntries

Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1

TxnId, TransactionId

Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

This is an internal ForgeRock control.

VirtualAttrsOnly, VirtualAttributesOnly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

Vlv, VirtualListView

Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

--numConnections {numConnections}

Number of connections.

Default: 1

-x | --deleteSubtree

Delete the specified entry and all entries below it.

Default: false

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389

Examples

The following command deletes a user entry from the directory.

$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password \
 uid=bjensen,ou=people,dc=example,dc=com
Processing DELETE request for uid=bjensen,ou=people,dc=example,dc=com
DELETE operation successful for DN uid=bjensen,ou=people,dc=example,dc=com

The following command deletes the ou=Groups entry and all entries underneath ou=Groups.

$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password -x \
 ou=groups,dc=example,dc=com
Processing DELETE request for ou=groups,dc=example,dc=com
DELETE operation successful for DN ou=groups,dc=example,dc=com

Name

ldapmodify — perform LDAP modify, add, delete, mod DN operations

Synopsis

ldapmodify {options} [changes_files ...]

Description

This utility can be used to perform LDAP modify, add, delete, and modify DN operations in the Directory Server. When not using file(s) to specify modifications, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).

Options

The ldapmodify command takes the following options:

Command options:

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-c | --continueOnError

Continue processing even if there are errors.

Default: false

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

Assertion, LdapAssertion

Assertion Request Control, Object Identifier: 1.3.6.1.1.12

AccountUsable, AccountUsability

Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

AuthzId, AuthorizationIdentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

Csn, ChangeNumber, ChangeSequenceNumber

Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9

This is an internal OpenDJ control.

EffectiveRights, GetEffectiveRights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

ManageDsaIt

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

Noop, No-Op

No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

PwPolicy, PasswordPolicy

Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

PermissiveModify

Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413

PSearch, PersistentSearch

Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3

PostRead

Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2

PreRead

Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1

ProxiedAuthV1

Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12

ProxiedAuth, ProxiedAuthV2

Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18

RealAttrsOnly, RealAttributesOnly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

TreeDelete, SubTreeDelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

Sort, ServerSideSort

Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473

PagedResults, SimplePagedResults

Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319

SubEntries

Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1

TxnId, TransactionId

Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

This is an internal ForgeRock control.

VirtualAttrsOnly, VirtualAttributesOnly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

Vlv, VirtualListView

Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

--numConnections {numConnections}

Number of connections.

Default: 1

--postReadAttributes {attrList}

Use the LDAP ReadEntry post-read control.

--preReadAttributes {attrList}

Use the LDAP ReadEntry pre-read control.

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389

Examples

The following example demonstrates use of the command to add an entry to the directory:

$ cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
facsimileTelephoneNumber: +1 408 555 1213
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: New
cn: New User
cn: Real Name
telephoneNumber: +1 408 555 1212
sn: Jensen
roomNumber: 1234
homeDirectory: /home/newuser
uidNumber: 10389
mail: newuser@example.com
l: South Pole
ou: Product Development
ou: People
gidNumber: 10636

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery newuser.ldif
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com

The following listing shows a UNIX shell script that adds a user entry:

#!/bin/sh
#
# Add a new user with the ldapmodify utility.
#

usage(){
        echo "Usage: $0 uid firstname lastname"
        exit 1
}
[[ $# -lt 3 ]] && usage

LDAPMODIFY=/path/to/opendj/bin/ldapmodify
HOST=opendj.example.com
PORT=1389
ADMIN=uid=kvaughan,ou=people,dc=example,dc=com
PWD=bribery

$LDAPMODIFY -h $HOST -p $PORT -D $ADMIN -w $PWD <<EOF
dn: uid=$1,ou=people,dc=example,dc=com
uid: $1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: $2 $3
givenName: $2
sn: $3
mail: $1@example.com
EOF

The following example demonstrates adding a Description attribute to the new user's entry:

$ cat newdesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: description
description: A new user's entry

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery newdesc.ldif
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com

The following example demonstrates changing the Description attribute for the new user's entry:

$ cat moddesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Another description

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery moddesc.ldif
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com

The following example demonstrates deleting the new user's entry:

$ cat deluser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: delete

$ ldapmodify -p 1389 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery deluser.ldif
Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com

Name

ldappasswordmodify — perform LDAP password modifications

Synopsis

ldappasswordmodify {options}

Description

This utility can be used to perform LDAP password modify operations in the Directory Server.

Options

The ldappasswordmodify command takes the following options:

Command options:

-a | --authzId {authzID}

Authorization ID for the user entry whose password should be changed. The authorization ID is a string having either the prefix "dn:" followed by the user's distinguished name, or the prefix "u:" followed by a user identifier that depends on the identity mapping used to match the user identifier to an entry in the directory. Examples include "dn:uid=bjensen,ou=People,dc=example,dc=com", and, if we assume that "bjensen" is mapped to Barbara Jensen's entry, "u:bjensen".

-c | --currentPassword {currentPassword}

Current password for the target user.

-C | --currentPasswordFile {file}

Path to a file containing the current password for the target user.

-F | --newPasswordFile {file}

Path to a file containing the new password to provide for the target user.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

Assertion, LdapAssertion

Assertion Request Control, Object Identifier: 1.3.6.1.1.12

AccountUsable, AccountUsability

Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

AuthzId, AuthorizationIdentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

Csn, ChangeNumber, ChangeSequenceNumber

Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9

This is an internal OpenDJ control.

EffectiveRights, GetEffectiveRights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

ManageDsaIt

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

Noop, No-Op

No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

PwPolicy, PasswordPolicy

Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

PermissiveModify

Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413

PSearch, PersistentSearch

Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3

PostRead

Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2

PreRead

Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1

ProxiedAuthV1

Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12

ProxiedAuth, ProxiedAuthV2

Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18

RealAttrsOnly, RealAttributesOnly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

TreeDelete, SubTreeDelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

Sort, ServerSideSort

Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473

PagedResults, SimplePagedResults

Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319

SubEntries

Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1

TxnId, TransactionId

Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

This is an internal ForgeRock control.

VirtualAttrsOnly, VirtualAttributesOnly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

Vlv, VirtualListView

Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9

-n | --newPassword {newPassword}

New password to provide for the target user.

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389

Examples

The following example demonstrates a user changing their own password.

$ cat /tmp/currpwd.txt /tmp/newpwd.txt
bribery
secret12

$ ldappasswordmodify -p 1389 -C /tmp/currpwd.txt --newPasswordFile /tmp/newpwd.txt \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
The LDAP password modify operation was successful

Name

ldapsearch — perform LDAP search operations

Synopsis

ldapsearch {options} filter [attributes ...]

Description

This utility can be used to perform LDAP search operations in the Directory Server.

Options

The ldapsearch command takes the following options:

Command options:

-a | --dereferencePolicy {dereferencePolicy}

Alias dereference policy ('never', 'always', 'search', or 'find').

Default: never

-A | --typesOnly

Only retrieve attribute names but not their values.

Default: false

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-b | --baseDn {baseDN}

Search base DN.

-c | --continueOnError

Continue processing even if there are errors.

Default: false

-C | --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]

Use the persistent search control.

A persistent search allows the client to continue receiving new results whenever changes are made to data that is in the scope of the search, thus using the search as a form of change notification.

The optional changetype setting defines the kinds of updates that result in notification. If you do not set the changetype, the default behavior is to send notifications for all updates.

add: Send notifications for LDAP add operations.
del, delete: Send notifications for LDAP delete operations.
mod, modify: Send notifications for LDAP modify operations.
moddn, modrdn, modifydn: Send notifications for LDAP modify DN (rename and move) operations.
all, any: Send notifications for all LDAP update operations.

The optional changesonly setting defines whether the server returns existing entries as well as changes.

true

Do not return existing entries, but instead only notifications about changes.

This is the default setting.

false

Also return existing entries.

The optional entrychgcontrols setting defines whether the server returns an Entry Change Notification control with each entry notification. The Entry Change Notification control provides additional information about the change that caused the entry to be returned by the search. In particular, it indicates the change type, the change number if available, and the previous DN if the change type was a modify DN operation.

true

Do request the Entry Change Notification control.

This is the default setting.

false

Do not request the Entry Change Notification control.

--countEntries

Count the number of entries returned by the server.

Default: false

-e | --getEffectiveRightsAttribute {attribute}

Specifies geteffectiverights control specific attribute list.

-g | --getEffectiveRightsAuthzId {authzID}

Use geteffectiverights control with the provided authzid.

-G | --virtualListView {before:after:index:count | before:after:value}

Use the virtual list view control to retrieve the specified results page.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

Assertion, LdapAssertion

Assertion Request Control, Object Identifier: 1.3.6.1.1.12

AccountUsable, AccountUsability

Account Usability Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

AuthzId, AuthorizationIdentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

Csn, ChangeNumber, ChangeSequenceNumber

Change Sequence Number Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.9

This is an internal OpenDJ control.

EffectiveRights, GetEffectiveRights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

ManageDsaIt

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

Noop, No-Op

No-Op Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

PwPolicy, PasswordPolicy

Password Policy Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

PermissiveModify

Permissive Modify Request Control, Object Identifier: 1.2.840.113556.1.4.1413

PSearch, PersistentSearch

Persistent Search Request Control, Object Identifier: 2.16.840.1.113730.3.4.3

PostRead

Post Read Request Control, Object Identifier: 1.3.6.1.1.13.2

PreRead

Pre Read Request Control, Object Identifier: 1.3.6.1.1.13.1

ProxiedAuthV1

Proxied Authorization Request Control V1, Object Identifier: 2.16.840.1.113730.3.4.12

ProxiedAuth, ProxiedAuthV2

Proxied Authorization Request Control V2, Object Identifier: 2.16.840.1.113730.3.4.18

RealAttrsOnly, RealAttributesOnly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

TreeDelete, SubTreeDelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

Sort, ServerSideSort

Server Side Sort Request Control, Object Identifier: 1.2.840.113556.1.4.473

PagedResults, SimplePagedResults

Simple Paged Results Control, Object Identifier: 1.2.840.113556.1.4.319

SubEntries

Sub-Entries Request Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.1

TxnId, TransactionId

Transaction ID Control, Object Identifier: 1.3.6.1.4.1.36733.2.1.5.1

This is an internal ForgeRock control.

VirtualAttrsOnly, VirtualAttributesOnly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

Vlv, VirtualListView

Virtual List View Request Control, Object Identifier: 2.16.840.1.113730.3.4.9

-l | --timeLimit {timeLimit}

Maximum length of time in seconds to allow for the search.

Default: 0

--matchedValuesFilter {filter}

Use the LDAP matched values control with the provided filter.

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

-s | --searchScope {searchScope}

Search scope ('base', 'one', 'sub', or 'subordinates'). Note: 'subordinates' is an LDAP extension that might not work with all LDAP servers.

Default: sub

-S | --sortOrder {sortOrder}

Use the server side sort control to have the server sort the results using the provided sort order. You can provide multiple comma separated sort keys. Sort key must respect the following pattern: "[-] attributeType [:OrderingRuleNameOrOID]". Minus character represent a descending sort order.

--simplePageSize {numEntries}

Use the simple paged results control with the given page size.

Default: 1000

--subEntries

Use subentries control to specify that subentries are visible and normal entries are not.

Default: false

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

-z | --sizeLimit {sizeLimit}

Maximum number of entries to return from the search.

Default: 0

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-t | --wrapColumn {wrapColumn}

Maximum length of an output line (0 for no wrapping).

Default: 0

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Filters

The filter argument is a string representation of an LDAP search filter as in (cn=Babs Jensen), (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))), or (cn:caseExactMatch:=Fred Flintstone).

Attributes

The optional attribute list specifies the attributes to return in the entries found by the search. In addition to identifying attributes by name such as cn sn mail and so forth, you can use the following notations, too.

*: Return all user attributes such as cn, sn, and mail.
+: Return all operational attributes such as etag and pwdPolicySubentry.
@objectclass: Return all attributes of the specified object class, where objectclass is one of the object classes on the entries returned by the search.
1.1: Return no attributes, only the DNs of matching entries.

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389

Examples

The following example searches for entries with UID containing jensen, returning only DNs and uid values:

$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid
dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen

dn: uid=gjensen,ou=People,dc=example,dc=com
uid: gjensen

dn: uid=jjensen,ou=People,dc=example,dc=com
uid: jjensen

dn: uid=kjensen,ou=People,dc=example,dc=com
uid: kjensen

dn: uid=rjensen,ou=People,dc=example,dc=com
uid: rjensen

dn: uid=tjensen,ou=People,dc=example,dc=com
uid: tjensen


Result Code:  0 (Success)

You can also use @objectclass notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the inetOrgPerson object class:

$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson
dn: uid=bjensen,ou=People,dc=example,dc=com
givenName: Barbara
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
cn: Barbara Jensen
cn: Babs Jensen
telephoneNumber: +1 408 555 1862
sn: Jensen
roomNumber: 0209
mail: bjensen@example.com
l: San Francisco
ou: Product Development
ou: People
facsimileTelephoneNumber: +1 408 555 1992

You can use + in the attribute list to return all operational attributes, as in the following example:

$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +
dn: uid=bjensen,ou=People,dc=example,dc=com
numSubordinates: 0
structuralObjectClass: inetOrgPerson
etag: 0000000073c29972
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=bjensen,ou=people,dc=example,dc=com
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c

Name

ldifdiff — compare small LDIF files

Synopsis

ldifdiff {options} source target

Description

This utility can be used to compare two LDIF files and report the differences in LDIF format.

If standard input is used to specify source or target, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).

Options

The ldifdiff command takes the following options:

Command options:

-B | --excludeBranch {branchDN}

Base DN of a branch to exclude when comparing entries.

-e | --excludeAttribute {attribute}

Attribute to ignore when comparing entries.

-o | --outputLdif {file}

Write differences to {file} instead of stdout.

Default: stdout

Utility input/output options:

-t | --wrapColumn {wrapColumn}

Maximum length of an output line (0 for no wrapping).

Default: 0

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: No differences were found.
1: Differences were found.
other: An error occurred.

Examples

The following example demonstrates use of the command with two small LDIF files.

$ cat /path/to/newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme

$ cat /path/to/neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: secret12
description: A new description.

$ ldifdiff -s /path/to/newuser.ldif -t /path/to/neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: secret12
-
delete: userPassword
userPassword: changeme
-
add: description
description: A new description.

Name

ldifmodify — apply LDIF changes to LDIF

Synopsis

ldifmodify {options} source_file [changes_files...]

Description

This utility can be used to apply a set of modify, add, and delete operations to entries contained in an LDIF file.

If standard input is used to specify source or changes, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).

Options

The ldifmodify command takes the following options:

Command options:

-c | --continueOnError

Continue processing even if there are errors.

Default: false

-o | --outputLdif {file}

Write updated entries to {file} instead of stdout.

Default: stdout

Utility input/output options:

-t | --wrapColumn {wrapColumn}

Maximum length of an output line (0 for no wrapping).

Default: 0

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example demonstrates use of the command.

$ cat /path/to/newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme

$ cat /path/to/newdiff.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: secret12
-
delete: userPassword
userPassword: changeme
-
add: description
description: A new description.

$ ldifmodify -o neweruser.ldif /path/to/newuser.ldif /path/to/newdiff.ldif

$ cat neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: secret12
description: A new description.

Name

ldifsearch — search LDIF with LDAP filters

Synopsis

ldifsearch {options} source filter [attributes ...]

Description

This utility can be used to perform search operations against entries contained in an LDIF file.

If standard input is used to specify source, end your input with EOF (Ctrl+D on UNIX, Ctrl+Z on Windows).

Options

The ldifsearch command takes the following options:

Command options:

-A | --typesOnly

Only retrieve attribute names but not their values.

Default: false

-b | --baseDn {baseDN}

The base DN for the search. If no base DN is provided, then the root DSE will be used.

Default:

-l | --timeLimit {timeLimit}

Maximum length of time in seconds to allow for the search.

Default: 0

-o | --outputLdif {file}

Write search results to {file} instead of stdout.

Default: stdout

-s | --searchScope {searchScope}

Search scope ('base', 'one', 'sub', or 'subordinates'). Note: 'subordinates' is an LDAP extension that might not work with all LDAP servers.

Default: sub

-z | --sizeLimit {sizeLimit}

Maximum number of entries to return from the search.

Default: 0

Utility input/output options:

-t | --wrapColumn {wrapColumn}

Maximum length of an output line (0 for no wrapping).

Default: 0

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example demonstrates use of the command.

$ ldifsearch -b dc=example,dc=com Example.ldif uid=bjensen
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
userpassword: hifalutin
facsimiletelephonenumber: +1 408 555 1992
givenname: Barbara
cn: Barbara Jensen
cn: Babs Jensen
telephonenumber: +1 408 555 1862
sn: Jensen
roomnumber: 0209
homeDirectory: /home/bjensen
mail: bjensen@example.com
l: San Francisco
ou: Product Development
ou: People
uidNumber: 1076
gidNumber: 1000

You can also use @objectclass notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the posixAccount object class.

$ ldifsearch -b dc=example,dc=com Example.ldif "(uid=bjensen)" @posixaccount
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
userpassword: hifalutin
cn: Barbara Jensen
cn: Babs Jensen
homeDirectory: /home/bjensen
uidNumber: 1076
gidNumber: 1000

Name

makeldif — generate test LDIF

Synopsis

makeldif {options} template-file-path

Description

This utility can be used to generate LDIF data based on a definition in a template file.

The template-file-path can be one of the following:

A full path to the template file such as /path/to/opendj/config/MakeLDIF/example.template.
A relative path to the template file such as ../../my-test-data.template.
A file name that specifies one of the template files that are built into the LDAP Toolkit, such as example.template, or people_and_groups.template.

The LDAP Toolkit includes these built-in template and data files:

cities: List of more than 200 cities.
example.template: Template to generate a base entry and users in a branch ou=people,[suffix], where the default setting for suffix is suffix=dc=example,dc=com.
first.names: List of more than 8000 first names.
last.names: List of more than 13000 last names.
people_and_groups.template: Template to generate a base entry, users, and groups.
states: List of US states by their two-character codes.
streets: List of more than 70 street names.

Options

The makeldif command takes the following options:

Command options:

-c | --constant {name=value}

A constant that overrides the value set in the template file.

-o | --outputLdif {file}

The path to the LDIF file to be written. If the filename ends in .gz, the output will be gzipped.

-r | --resourcePath {path}

Path to look for MakeLDIF resources (e.g., data files).

The utility looks for resources in the following locations in this order:

The current directory where the command is run.
The resource path directory.
The built-in files.

-s | --randomSeed {seed}

The seed to use to initialize the random number generator.

Default: 0

Utility input/output options:

-t | --wrapColumn {wrapColumn}

Maximum length of an output line (0 for no wrapping).

Default: 0

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
1: An error occurred.

Examples

The following example uses the default template to generate LDIF.

$ makeldif -o ../ldif/generated.ldif ../config/MakeLDIF/example.template
Processed 1000 entries
Processed 2000 entries
...
Processed 10000 entries
LDIF processing complete.  10003 entries written

Name

makeldif.template — template file for the makeldif command

Synopsis

# Comment lines start with #.
#
# Notice that this synopsis includes blank lines after entries.
# In the same way you would use blank lines after entries in normal LDIF,
# leave empty lines after "entries" in template files.

# Optionally define constants used in the template.
# To reference constants later, put brackets around the name: [constant-name]
#
define constant-name=value
...

# Define branches by suffix DN, such as the following:
#
#  dc=example,dc=com
#  ou=People,dc=example,dc=com
#  ou=Groups,dc=example,dc=com
#
# makeldif generates the necessary object class definitions and RDNs.
#
# A branch can have subordinateTemplates that define templates to use for
# the branch entry. The optional number at the end
# of the subordinateTemplate specification defines how many entries to generate.
# If you do not specify a number, makeldif continues to generate entries
# indefinitely until you interrupt the command.
#
# A branch can have additional attributes generated on the branch entry. See
# the Description below for more information on specifying attribute values.
#
branch: suffix-dn
objectClass: top
objectClass: suffix-object-class
[subordinateTemplate: template-name[:number]
...]
[attribute: attr-value
...]

...

# Define entries using templates.
#
# A template can extend another template.
# A template defines the RDN attribute(s) used for generated entries.
# A template can have a subordinateTemplate that defines a template to use for
# the generated entries.
#
# A template then defines attributes. See the Description below for more
# information on specifying attribute values.
#
template: template-name
[extends: template-name]
rdnAttr: attribute[+attribute ...]
[subordinateTemplate: template-name:number]
[attribute: attr-value
...]

...

Description

Template files specify how to build LDIF. They allow you to define variables, insert random values from other files, and generally build arbitrarily large LDIF files for testing purposes. You pass template files to the makeldif command when generating LDIF.

The Synopsis above shows the layout for a makeldif template file. This section focuses on what you can do to specify entry attribute values, called attr-value in the Synopsis section.

Specifying Attribute Values

When specifying attribute values in makeldif templates, you can use static text and constants that you have defined, enclosing names for constants in brackets, [myConstant]. You can use more than one constant per line, as in the following example:

description: Description for [org] under [suffix]

You can also use two kinds of tags when specifying attribute values. One kind of tag is replaced with the value of another attribute in the generated entry. Such tags are delimited with braces, { }. For example, if your template includes definitions for first name and last name attributes, use:

givenName: <first>
sn: <last>

Then you can define a mail attribute that uses the values of both attributes, and an initials attribute that takes the first character of each:

mail: {givenName}.{sn}@[myDomain]
initials: {givenName:1}{sn:1}

The other kind of tag is delimited with < and >, as shown above in the example with <first> and <last>. Tag names are not case sensitive. Many tags can take arguments separated by colons, :, from the tag names within the tag.

Use backslashes to escape literal start tag characters (< [ {) as shown in the following example, and to escape literal end tag characters within tags (> ] }):

scimMail: \{"emails": \[\{"value": "{mail}", "type": "work", "primary": true}]}
xml: \<id>{uid}\</id>

The makeldif command supports the following tags:

<DN>

The DN tag is replaced by the distinguished name of the current entry. An optional integer argument specifies the subcomponents of the DN to generate. For example, if the DN of the entry is uid=bjensen,ou=People,dc=example,dc=com, then <DN:1> is replaced by uid=bjensen, and <DN:-2> is replaced by dc=example,dc=com.

<File>

The File tag is replaced by a line from a text file you specify. The File tag takes a required argument, the path to the text file, and an optional second argument, either random or sequential. For the file argument, either specify an absolute path to the file such as <file:/path/to/myDescriptions>, or specify a path relative to the template file such as <file:streets>. For the second argument, if you specify sequential then lines from the file are read in sequential order. Otherwise, lines from the file are read in random order.

<First>

The first name tag is replaced by a random line from first.names. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available.

<GUID>

The GUID tag is replaced by a 128-bit, type 4 (random) universally unique identifier, such as f47ac10b-58cc-4372-a567-0e02b2c3d479.

<IfAbsent>

The IfAbsent tag takes as its first argument the name of another attribute, and optionally, as its second argument, a value to use. This tag causes the attribute to be generated only if the named attribute is not present on the generated entry. Use this tag when you have used <Presence> to define another attribute that is not always present on generated entries.

<IfPresent>

The IfPresent takes as its first argument the name of another attribute, and optionally, as its second argument, a value to use. This tag causes the attribute to be generated only if the named attribute is also present on the generated entry. Use this tag when you have used <Presence> to define another attribute that is sometimes present on generated entries.

<Last>

The last name tag is replaced by a random line from the last names template file, last.names. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available.

<List>

The List tag is replaced by one of the values from the list of arguments you provide. For example, <List:bronze:silver:gold> is replaced with bronze, silver, or gold.

You can weight arguments to ensure that some arguments are selected more often than others. For example, if you want two bronze for one silver and one gold, use <List:bronze;2:silver;1:gold;1>.

<ParentDN>

The ParentDN tag is replaced by the distinguished name of the parent entry. For example, if the DN of the entry is uid=bjensen,ou=People,dc=example,dc=com, <ParentDN> is replaced by ou=People,dc=example,dc=com.

<Presence>

The Presence tag takes a percent argument. It results in the attribute value being generated or not based on the percentage of entries you specify in the argument. For example, description: <Presence:50>A description generates description: A description on half the entries.

<Random>

The Random tag lets you generate a variety of random numbers and strings. The Random tag has the following subtypes, which you include as arguments, that is <Random:subtype>:

alpha:length
alpha:min-length:max-length
numeric:length
numeric:minvalue:maxvalue
numeric:minvalue:maxvalue:format, where format is a java.text.DecimalFormat pattern
alphanumeric:length
alphanumeric:min-length:max-length
chars:characters:length
chars:characters:min-length:max-length
hex:length
hex:min-length:max-length
base64:length
base64:min-length:max-length
month
month:max-length
telephone, a telephone number starting with the country code +1

<RDN>

The RDN tag is replaced with the RDN of the entry. Use this in the template after you have specified rdnAttr so that the RDN has already been generated when this tag is replaced.

An optional integer argument specifies the subcomponents of the RDN to generate.

<Sequential>

The Sequential tag is replaced by a sequentially increasing generated integer. The first optional integer argument specifies the starting number. The second optional boolean argument specifies whether to start over when generating entries for a new parent entry. For example, <Sequential>:42:true starts counting from 42, and starts over when the parent entry changes from o=Engineering to o=Marketing.

<_DN>

The _DN tag is replaced by the DN of the current entry with underscores in the place of commas.

<_ParentDN>

The _ParentDN tag is replaced by the DN the parent entry with underscores in the place of commas.

Examples

The following example generates 10 organization units, each containing 50 entries. Add it next to the supporting files, such as first.names and last.names needed to generate the output:

define suffix=dc=example,dc=com
define maildomain=example.com
define numusers=50
define numorgs=10

branch: [suffix]
objectClass: top
objectClass: domain

branch: ou=People,[suffix]
objectClass: top
objectClass: organizationalUnit
subordinateTemplate: orgunit:[numorgs]
description: This is the People container
telephoneNumber: +33 00010002

template: orgunit
subordinateTemplate: person:[numusers]
rdnAttr: ou
ou: Org-<sequential:0>
objectClass: top
objectClass: organizationalUnit
description: This is the {ou} organizational unit

template: person
rdnAttr: uid
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: <first>
sn: <last>
cn: {givenName} {sn}
initials: {givenName:1}<random:chars:ABCDEFGHIJKLMNOPQRSTUVWXYZ:1>{sn:1}
employeeNumber: <sequential:0>
uid: user.{employeeNumber}
mail: {uid}@[maildomain]
userPassword: password
telephoneNumber: <random:telephone>
homePhone: <random:telephone>
pager: <random:telephone>
mobile: <random:telephone>
street: <random:numeric:5> <file:streets> Street
l: <file:cities>
st: <file:states>
postalCode: <random:numeric:5>
postalAddress: {cn}${street}${l}, {st}  {postalCode}
description: This is the description for {cn}.

Name

manage-account — manage state of OpenDJ server accounts

Synopsis

manage-account {subcommand} {options}

Description

This utility can be used to retrieve and manipulate the values of password policy state variables.

Options

The manage-account command takes the following options:

Command options:

-b | --targetDn {targetDN}: The DN of the user entry for which to get and set password policy state information.

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The manage-account command supports the following subcommands:

manage-account clear-account-is-disabled

Clear account disabled state information from the user account.

manage-account get-account-expiration-time

Display when the user account will expire.

manage-account get-account-is-disabled

Display information about whether the user account has been administratively disabled.

manage-account get-all

Display all password policy state information for the user.

manage-account get-authentication-failure-times

Display the authentication failure times for the user.

manage-account get-password-changed-by-required-time

Display the required password change time with which the user last complied.

manage-account get-password-changed-time

Display the time that the user's password was last changed.

manage-account get-password-expiration-warned-time

Display the time that the user first received an expiration warning notice.

manage-account get-password-history

Display password history state values for the user.

manage-account get-password-is-reset

Display information about whether the user will be required to change his or her password on the next successful authentication.

manage-account get-password-policy-dn

Display the DN of the password policy for the user.

manage-account get-remaining-authentication-failure-count

Display the number of remaining authentication failures until the user's account is locked.

manage-account get-seconds-until-account-expiration

Display the length of time in seconds until the user account expires.

manage-account get-seconds-until-authentication-failure-unlock

Display the length of time in seconds until the authentication failure lockout expires.

manage-account get-seconds-until-idle-lockout

Display the length of time in seconds until user's account is locked because it has remained idle for too long.

manage-account get-seconds-until-password-expiration

Display length of time in seconds until the user's password expires.

manage-account get-seconds-until-password-expiration-warning

Display the length of time in seconds until the user should start receiving password expiration warning notices.

manage-account get-seconds-until-password-reset-lockout

Display the length of time in seconds until user's account is locked because the user failed to change the password in a timely manner after an administrative reset.

manage-account get-seconds-until-required-change-time

Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time.

manage-account set-account-is-disabled

Specify whether the user account has been administratively disabled.

Options

The manage-account set-account-is-disabled command takes the following options:

-O | --operationValue {true|false}: 'true' to indicate that the account is disabled, or 'false' to indicate that it is not disabled.

Exit Codes

0: The command completed successfully.
89: An error occurred while parsing the command-line arguments.

Examples

For the following examples the directory admin user, Kirsten Vaughan, has ds-privilege-name: password-reset and the following ACI on ou=People,dc=example,dc=com.

(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
 version 3.0;acl "Admins can run amok"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)

The following command disables a user account:

$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery set-account-is-disabled -O true \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  true

The following command enables a disabled user account:

$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery clear-account-is-disabled \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  false

Name

manage-tasks — manage server administration tasks

Synopsis

manage-tasks {options}

Description

This utility can be used to obtain a list of tasks scheduled to run within the Directory Server as well as information about individual tasks.

Options

The manage-tasks command takes the following options:

Command options:

-c | --cancel {taskID}

ID of a particular task to cancel.

-i | --info {taskID}

ID of a particular task about which this tool will display information.

-s | --summary

Print a summary of tasks.

Default: false

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example demonstrates use of the command with a server that does daily backups at 2:00 AM.

$ manage-tasks -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
 -w password -s

  ID                                Type    Status
  ---------------------------------------------------------------
  example-backup                    Backup  Recurring
  example-backup-20110622020000000  Backup  Waiting on start time

Name

modrate — measure modification throughput and response time

Synopsis

modrate {options} [(attribute:value template string) ...]

Description

This utility can be used to measure modify throughput and response time of a directory service using user-defined modifications.

Example:

modrate -p 1389 -D 'cn=directory manager' -w password \

-F -c 4 -t 4 -b 'uid=user.{1},ou=people,dc=example,dc=com' \

-g 'rand(0,2000)' -g 'randstr(16)' 'description:{2}'

Before trying the example, import 2000 randomly generated users.

When you do not use the -f option to keep connections open and rebind on the connections, the tool can exhaust its available ports, causing the tool to crash. You can work around this problem on test systems by changing TCP settings on the system.

For example, on Linux systems, set the following parameters in the /etc/sysctl.conf file:

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

The parameter net.ipv4.tcp_fin_timeout sets the length of time in seconds to wait for a final FIN packet before forcing a close of the socket. The default is 60 (seconds).

The parameter net.ipv4.tcp_tw_recycle enables fast recycling of TIME_WAIT sockets. The default is 0 (false). Enabling this can cause Network Address Translation (NAT) issues.

The parameter net.ipv4.tcp_tw_reuse enables reuse of TIME_WAIT sockets for new connections. The default is 0 (false).

These settings are recommended only for testing, and not for production systems.

After making the changes to /etc/sysctl.conf, reload the configuration with the sysctl command:

# sysctl -p

Options

The modrate command takes the following options:

Command options:

-b | --targetDn {targetDN}

Target entry DN template string.

-B | --warmUpDuration {warmUpDuration}

Warm up duration in seconds.

Default: 0

-c | --numConnections {numConnections}

Number of connections.

Default: 1

-d | --maxDuration {maxDuration}

Maximum duration in seconds, 0 for unlimited.

Default: 0

-e | --percentile {percentile}

Calculate max response time for a percentile of operations.

-f | --keepConnectionsOpen

Keep connections open.

Default: false

-F | --noRebind

Keep connections open and do not rebind.

Default: false

-g | --argument {generator function or static string}

Argument used to evaluate the Java style template strings in program parameters (ie. Base DN, Search Filter). The set of all arguments provided form the the argument list in order. Besides static string arguments, they can be generated per iteration with the following functions:

"inc({filename})" Consecutive, incremental line from file

"inc({min},{max})" Consecutive, incremental number

"rand({filename})" Random line from file

"rand({min},{max})" Random number

"randstr({length},_charSet_)" Random string of specified length and optionally from characters in the charSet string. A range of character can be specified with [start-end] charSet notation. If no charSet is specified, the default charSet of [A-Z][a-z][0-9] will be used.

-i | --statInterval {statInterval}

Display results each specified number of seconds.

Default: 5

-m | --maxIterations {maxIterations}

Max iterations, 0 for unlimited.

Default: 0

-M | --targetThroughput {targetThroughput}

Target average throughput to achieve.

Default: 0

-S | --scriptFriendly

Use script-friendly mode.

Default: false

-t | --numConcurrentRequests {numConcurrentRequests}

Number of concurrent requests per connection.

Default: 1

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
89: An error occurred while parsing the command-line arguments.

Examples

The following example demonstrates testing directory performance by using the modrate command to write random 16-character description values to all entries in a sample file:

$ grep ^uid: /path/to/Example.ldif | sed -e "s/uid: //" > names.txt
$ modrate -p 1389 -D "cn=Directory Manager" -w password  -A -F -c 4 -t 4 \
 -b "uid=%s,ou=people,dc=example,dc=com" -g "rand(names.txt)" \
 -g "randstr(16)" 'description:%2$s'
--------------------------------------------------------------------------
     Throughput                            Response Time
   (ops/second)                           (milliseconds)
recent  average  recent  average  99.9%  99.99%  99.999%  err/sec  req/res
--------------------------------------------------------------------------
1085.9   1088.5  993.849  993.849  2135.220  2510.361  2510.361  0.0  2.3
2086.7   1648.8  1963.980  1683.038  3015.025  3078.628  3215.050  0.0  1.0
3097.3   2092.6  1332.930  1524.278  2940.131  3024.811  3215.050  0.0  1.0
3848.3   2501.4  1045.000  1352.583  2902.235  3015.863  3215.050  0.0  1.0
3641.2   2717.4  1106.157  1290.003  2901.379  3015.597  3215.050  0.0  1.0
3759.4   2883.0  1065.732  1243.534  2900.400  3015.501  3215.050  0.0  1.0
^C

Name

rebuild-index — rebuild index after configuration change

Synopsis

rebuild-index {options}

Description

This utility can be used to rebuild index data within an indexed backend database.

Options

The rebuild-index command takes the following options:

Command options:

-b | --baseDn {baseDN}

Base DN of a backend supporting indexing. Rebuild is performed on indexes within the scope of the given base DN.

--clearDegradedState

Indicates that indexes do not need rebuilding because they are known to be empty and forcefully marks them as valid. This is an advanced option which must only be used in cases where a degraded index is known to be empty and does not therefore need rebuilding. This situation typically arises when an index is created for an attribute which has just been added to the schema.

Default: false

-i | --index {index}

Names of index(es) to rebuild. For an attribute index this is simply an attribute name. At least one index must be specified for rebuild. Cannot be used with the "--rebuildAll" option.

--offline

Indicates that the command must be run in offline mode.

Default: false

--rebuildAll

Rebuild all indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildDegraded" option.

Default: false

--rebuildDegraded

Rebuild all degraded indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildAll" option.

Default: false

--tmpDirectory {directory}

Path to temporary directory for index scratch files during index rebuilding.

Default: import-tmp

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

The schedule pattern for a recurring task supports only the following crontab features:

Time and Date Fields

Field	Allowed Values
minute	0-59
hour	0-23
day of month	1-31
month	1-12 (or names)
day of week	0-7 (0 or 7 is Sunday, or use names)

A field can contain an asterisk, *. An asterisk stands for first-last.

Fields can include ranges of numbers. A range is two numbers separated by a hyphen, and is inclusive. For example, 8-10 for an "hour" field means execution at hours 8, 9, and 10.

Fields can include lists. A list is a set of numbers or ranges separated by commas. For example, 4,8-10 for an "hour" field means execution at hours 4, 8, 9, and 10.

When using names for in "month" or "day of week" fields, use the first three letters of the particular month or day of the week. Case does not matter. Ranges and lists of names are not supported.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example schedules a task to start immediately that rebuilds the cn (common name) index.

$ rebuild-index -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
 -w password -b dc=example,dc=com -i cn -t 0
Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM

Name

restore — restore directory data backups

Synopsis

restore {options}

Description

This utility can be used to restore a backup of a Directory Server backend.

Options

The restore command takes the following options:

Command options:

-d | --backupDirectory {backupDir}

Path to the directory containing the backup file(s).

-I | --backupId {backupID}

Backup ID of the backup to restore.

-l | --listBackups

List available backups in the backup directory.

Default: false

-n | --dry-run

Verify the contents of the backup but do not restore it.

Default: false

--offline

Indicates that the command must be run in offline mode.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

The schedule pattern for a recurring task supports only the following crontab features:

Time and Date Fields

Field	Allowed Values
minute	0-59
hour	0-23
day of month	1-31
month	1-12 (or names)
day of week	0-7 (0 or 7 is Sunday, or use names)

A field can contain an asterisk, *. An asterisk stands for first-last.

Fields can include ranges of numbers. A range is two numbers separated by a hyphen, and is inclusive. For example, 8-10 for an "hour" field means execution at hours 8, 9, and 10.

Fields can include lists. A list is a set of numbers or ranges separated by commas. For example, 4,8-10 for an "hour" field means execution at hours 4, 8, 9, and 10.

When using names for in "month" or "day of week" fields, use the first three letters of the particular month or day of the week. Case does not matter. Ranges and lists of names are not supported.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

--no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example schedules a restore as a task to begin immediately while OpenDJ directory server is online.

$ restore -p 4444 -D "cn=Directory Manager" -w password
 -d /path/to/opendj/bak -I 20110613080032 -t 0
Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST

The following example restores data while OpenDJ is offline.

$ stop-ds
Stopping Server...
...

$ restore --backupDirectory /path/to/opendj/bak/userRoot \
 --listBackups
Backup ID:          20120928102414Z
Backup Date:        28/Sep/2012:12:24:17 +0200
Is Incremental:     false
Is Compressed:      false
Is Encrypted:       false
Has Unsigned Hash:  false
Has Signed Hash:    false
Dependent Upon:     none

$ restore --backupDirectory /path/to/opendj/bak/userRoot \
 --backupID 20120928102414Z
[28/Sep/2012:12:26:20 +0200] ... msg=Restored: 00000000.jdb (size 355179)

$ start-ds
[28/Sep/2012:12:27:29 +0200] ... The Directory Server has started successfully

Name

searchrate — measure search throughput and response time

Synopsis

searchrate {options} [filter template string] [attributes ...]

Description

This utility can be used to measure search throughput and response time of a directory service using user-defined searches.

Example:

searchrate -p 1389 -D 'cn=directory manager' -w password \

-F -c 4 -t 4 -b 'dc=example,dc=com' -g 'rand(0,2000)' '(uid=user.{})'

Before trying the example, import 2000 randomly generated users.

When you do not use the -f option to keep connections open and rebind on the connections, the tool can exhaust its available ports, causing the tool to crash. You can work around this problem on test systems by changing TCP settings on the system.

For example, on Linux systems, set the following parameters in the /etc/sysctl.conf file:

net.ipv4.tcp_fin_timeout = 30
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_tw_reuse = 1

The parameter net.ipv4.tcp_fin_timeout sets the length of time in seconds to wait for a final FIN packet before forcing a close of the socket. The default is 60 (seconds).

The parameter net.ipv4.tcp_tw_recycle enables fast recycling of TIME_WAIT sockets. The default is 0 (false). Enabling this can cause Network Address Translation (NAT) issues.

The parameter net.ipv4.tcp_tw_reuse enables reuse of TIME_WAIT sockets for new connections. The default is 0 (false).

These settings are recommended only for testing, and not for production systems.

After making the changes to /etc/sysctl.conf, reload the configuration with the sysctl command:

# sysctl -p

Options

The searchrate command takes the following options:

Command options:

-a | --dereferencePolicy {dereferencePolicy}

Alias dereference policy ('never', 'always', 'search', or 'find').

Default: never

-b | --baseDn {baseDN}

Base DN template string.

-B | --warmUpDuration {warmUpDuration}

Warm up duration in seconds.

Default: 0

-c | --numConnections {numConnections}

Number of connections.

Default: 1

-d | --maxDuration {maxDuration}

Maximum duration in seconds, 0 for unlimited.

Default: 0

-e | --percentile {percentile}

Calculate max response time for a percentile of operations.

-f | --keepConnectionsOpen

Keep connections open.

Default: false

-F | --noRebind

Keep connections open and do not rebind.

Default: false

-g | --argument {generator function or static string}

Argument used to evaluate the Java style template strings in program parameters (ie. Base DN, Search Filter). The set of all arguments provided form the the argument list in order. Besides static string arguments, they can be generated per iteration with the following functions:

"inc({filename})" Consecutive, incremental line from file

"inc({min},{max})" Consecutive, incremental number

"rand({filename})" Random line from file

"rand({min},{max})" Random number

"randstr({length},_charSet_)" Random string of specified length and optionally from characters in the charSet string. A range of character can be specified with [start-end] charSet notation. If no charSet is specified, the default charSet of [A-Z][a-z][0-9] will be used.

-i | --statInterval {statInterval}

Display results each specified number of seconds.

Default: 5

-m | --maxIterations {maxIterations}

Max iterations, 0 for unlimited.

Default: 0

-M | --targetThroughput {targetThroughput}

Target average throughput to achieve.

Default: 0

-s | --searchScope {searchScope}

Search scope ('base', 'one', 'sub', or 'subordinates'). Note: 'subordinates' is an LDAP extension that might not work with all LDAP servers.

Default: sub

-S | --scriptFriendly

Use script-friendly mode.

Default: false

-t | --numConcurrentRequests {numConcurrentRequests}

Number of concurrent requests per connection.

Default: 1

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default:

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTls

Use StartTLS to secure communication with the server.

Default: false

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSsl

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
89: An error occurred while parsing the command-line arguments.

Examples

The following example demonstrates measuring search performance:

$ grep ^uid: /path/to/Example.ldif | sed -e "s/uid: //" > names.txt
$ searchrate -p 1389 -b dc=example,dc=com -A -F -c 4 -t 4 \
 -g "rand(names.txt)" "(uid=%s)"
-------------------------------------------------------------------------------
     Throughput                            Response Time
   (ops/second)                           (milliseconds)
recent  average  recent  average  99.9%  99.99%  99.999%  err/sec  Entries/Srch
-------------------------------------------------------------------------------
1475.9   1475.9   0.423    0.423  6.938  126.236 126.236      0.0           1.0
2596.5   2038.4   0.254    0.315  6.866  12.980  126.236      0.0           1.0
3210.7   2428.2   0.205    0.267  5.733  11.710  126.236      0.0           1.0
3080.5   2591.0   0.215    0.252  5.733  10.541  126.236      0.0           1.0
3236.9   2720.1   0.203    0.240  5.258  10.514  126.236      0.0           1.0
3181.1   2796.8   0.207    0.234  5.258  10.384  126.236      0.0           1.0
3202.5   2854.8   0.206    0.229  4.825  10.384  126.236      0.0           1.0
^C

Name

setup — install OpenDJ server

Synopsis

setup {subcommand} {options}

Description

This utility can be used to install an OpenDJ instance either as a directory server, a replication server or a proxy server.

Options

The setup command takes the following options:

Command options:

--acceptLicense

Automatically accepts the product license (if present).

Default: false

--adminConnectorPort {port}

Port on which the Administration Connector should listen for communication.

-D | --rootUserDn {rootUserDN}

DN for the initial root user for the Directory Server.

Default: cn=Directory Manager

--instancePath {path}

Path were the instance should be set up.

Default: /tmp

-j | --rootUserPasswordFile {rootUserPasswordFile}

Path to a file containing the password for the initial root user for the Directory Server.

--monitorUserDn {monitorUserDn}

DN of the default user allowed to query monitoring information.

Default: uid=Monitor

--monitorUserPassword {monitorUserPassword}

Password of the default user allowed to query monitoring information.

--monitorUserPasswordFile {monitorUserPasswordFile}

Path to a file containing the password for the default user allowed to query monitoring information.

-N | --certNickname {nickname}

Nickname of a keystore entry containing a certificate that the server should use when negotiating secure connections using StartTLS or SSL. Multiple keystore entries may be provided by using this option multiple times.

-O | --doNotStart

Do not start the server when the configuration is completed.

Default: false

--productionMode

Harden default configuration for production use.

Default: false

-Q | --quiet

Use quiet mode.

Default: false

-S | --skipPortCheck

Skip the check to determine whether the specified ports are usable.

Default: false

-u | --keyStorePasswordFile {keyStorePasswordFile}

Path to a file containing the keystore password. The keystore password is required when you specify an existing file-based keystore (JKS, JCEKS, PKCS#12).

--useJavaKeyStore {keyStorePath}

Path of a JKS keystore containing the certificate(s) that the server should use when negotiating secure connections using StartTLS or SSL.

--useJceKeyStore {keyStorePath}

Path of a JCEKS keystore containing the certificate(s) that the server should use when negotiating secure connections using StartTLS or SSL.

--usePkcs11KeyStore

Use certificate(s) in a PKCS#11 token that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

Default: false

--usePkcs12KeyStore {keyStorePath}

Path of a PKCS#12 keystore containing the certificate(s) that the server should use when negotiating secure connections using StartTLS or SSL.

-w | --rootUserPassword {rootUserPassword}

Password for the initial root user for the Directory Server.

-W | --keyStorePassword {keyStorePassword}

Keystore cleartext password. The keystore password is required when you specify an existing file-based keystore (JKS, JCEKS, PKCS#12).

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The setup command supports the following subcommands:

setup directory-server

Install an OpenDJ directory server instance. See "setup directory-server --help" for specific options.

Options

The setup directory-server command takes the following options:

-q | --enableStartTls

Enable StartTLS to allow secure communication with the server using the LDAP port.

Default: false

-p | --ldapPort {port}

Port on which the Directory Server should listen for LDAP communication.

-Z | --ldapsPort {port}

Port on which the Directory Server should listen for LDAPS communication. The LDAPS port will be configured and SSL will be enabled only if this argument is explicitly specified.

-a | --addBaseEntry

Indicates whether to create the base entry in the Directory Server database.

Default: false

-b | --baseDn {baseDN}

Base DN for user information in the Directory Server. Multiple base DNs may be provided by using this option multiple times.

-l | --ldifFile {ldifFile}

Path to an LDIF file containing data that should be added to the Directory Server database. Multiple LDIF files may be provided by using this option multiple times.

-R | --rejectFile {rejectFile}

Write rejected entries to the specified file.

-d | --sampleData {numEntries}

Specifies that the database should be populated with the specified number of sample entries.

--skipFile {skipFile}

Write skipped entries to the specified file.

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

--httpPort {port}

Port on which the server should listen for HTTP communication.

--httpsPort {port}

Port on which the server should listen for HTTPS communication.

setup proxy-server

Install an OpenDJ proxy server instance. There are two ways to specify the servers to be contacted by the proxy. They can either be listed exhaustively or retrieved from an existing replication topology. See "setup proxy-server --help" for specific options.

Options

The setup proxy-server command takes the following options:

-q | --enableStartTls

Enable StartTLS to allow secure communication with the server using the LDAP port.

Default: false

-p | --ldapPort {port}

Port on which the Directory Server should listen for LDAP communication.

-Z | --ldapsPort {port}

Port on which the Directory Server should listen for LDAPS communication. The LDAPS port will be configured and SSL will be enabled only if this argument is explicitly specified.

--usePkcs12TrustStore {trustStorePath}

Use existing PKCS12 truststore file to trust the remote server certificates.

--useJceTrustStore {trustStorePath}

Use existing JCEKS truststore file to trust the remote server certificates.

--useJavaTrustStore {trustStorePath}

Use existing JKS truststore file to trust the remote server certificates.

--useJvmTrustStore

Use the JVM truststore for validating remote server certificates.

Default: false

-X | --trustAll

Trust all server SSL certificates.

Default: false

-T | --trustStorePassword {trustStorePassword}

Truststore cleartext password.

-U | --trustStorePasswordFile {path}

Path to a file containing the truststore password.

--loadBalancingAlgorithm {algorithm}

Algorithm to use to load balance between servers. Available algorithms are 'affinity, least-requests'.

Default: affinity

--staticPrimaryServer {host:port}

Static server to contact when available before contacting secondary servers. Multiple servers may be provided by using this option multiple times.

--proxyUserBindDn {proxyBindDN}

The bind DN for forwarding LDAP requests to remote servers. This bind DN must be present on all the remote servers.

Default: cn=proxy

--proxyUserBindPassword {proxyBindPassword}

Password associated with the proxy bind DN. The bind password must be the same on all the remote servers.

--proxyUserBindPasswordFile {proxyBindPasswordFile}

Path to a file containing the password associated with the proxy bind DN. The bind password must be the same on all the remote servers.

--replicationBindDn {bindDN}

The bind DN for periodically reading replication server configurations. The bind DN must be present on all replication servers and directory servers, it must be able to read the server configuration.

--replicationBindPassword {bindPassword}

The bind password for periodically reading replication server configurations. The bind password must be the same on all replication and directory servers.

--replicationBindPasswordFile {bindPasswordFile}

Path to a file containing the bind password for periodically reading replication server configurations. The bind password must be the same on all replication and directory servers.

--replicationPreferredGroupId {domainGroupIDNumber}

Replication domain group ID number of directory server replicas to contact when available before contacting other replicas. If this option is not specified then all replicas will be treated the same.

--replicationServer {host:port}

Replication server to contact periodically in order to discover backend servers. Multiple replication servers may be provided by using this option multiple times.

--baseDn {baseDN}

Base DN for user information in the Proxy Server. Multiple base DNs may be provided by using this option multiple times. If no base DNs are defined then the proxy will forward requests to all public naming contexts of the remote servers.

--staticSecondaryServer {host:port}

Static server to contact when all primary servers are unavailable. Multiple servers may be provided by using this option multiple times.

--proxyUsingSsl

Use SSL to secure communications with remote servers.

Default: false

--proxyUsingStartTls

Use Start TLS to secure communication with remote servers.

Default: false

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

--httpPort {port}

Port on which the server should listen for HTTP communication.

--httpsPort {port}

Port on which the server should listen for HTTPS communication.

setup replication-server

Install OpenDJ as a standalone replication server. The server can be the first of a new replication topology (default behavior) or it can join an existing topology. See "setup replication-server --help" for specific options.

Options

The setup replication-server command takes the following options:

--usePkcs12TrustStore {trustStorePath}

Use existing PKCS12 truststore file to trust certificates from other replication servers in the topology.

--useJceTrustStore {trustStorePath}

Use existing JCEKS truststore file to trust certificates from other replication servers in the topology.

--useJavaTrustStore {trustStorePath}

Use existing JKS truststore file to trust certificates from other replication servers in the topology.

--useJvmTrustStore

Use the JVM truststore to trust certificates from other replication servers in the topology.

Default: false

-X | --trustAll

Trust all server SSL certificates.

Default: false

-T | --trustStorePassword {trustStorePassword}

Truststore cleartext password.

-U | --trustStorePasswordFile {path}

Path to a file containing the truststore password.

--replicationServer {host:port}

Replication server in the topology to be joined. This server must be online during setup. To bind to the remote server, this server uses the global administrator account for the topology. The global administrator account must have ID 'admin', and must use the same password as the root user password for this server.

--replicationPort {port}

Port used for replication protocol communications with other servers.

--secureReplication

Specifies whether the communication through the replication port should be secured. This option is enforced if the --productionMode option is used.

Default: false

-b | --baseDn {baseDN}

Base DN(s) of the data to be replicated. Multiple base DNs can be provided by using this option multiple times. Leave this option empty to replicate all available base DNs in the topology.

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

--httpPort {port}

Port on which the server should listen for HTTP communication.

--httpsPort {port}

Port on which the server should listen for HTTPS communication.

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following command installs OpenDJ directory server, enabling StartTLS and importing 100 example entries without interaction.

$ /path/to/opendj/setup directory-server --adminConnectorPort 4444 -b dc=example,dc=com -d 100 \
 -D "cn=Directory Manager" -w password -h opendj.example.com -p 1389 \
 --enableStartTLS


Validating parameters..... Done
Configuring certificates..... Done
Configuring server..... Done
Importing automatically-generated data (100 entries)......... Done
Starting directory server............... Done

To see basic server status and configuration, you can launch
/path/to/opendj/bin/status

Name

start-ds — start OpenDJ server

Synopsis

start-ds {options}

Description

This utility can be used to start the Directory Server, as well as to obtain the server version and other forms of general server information.

Options

The start-ds command takes the following options:

Command options:

-L | --useLastKnownGoodConfig

Attempt to start using the configuration that was in place at the last successful startup (if it is available) rather than using the current active configuration.

Default: false

-N | --noDetach

Do not detach from the terminal and continue running in the foreground. This option cannot be used with the -t, --timeout option.

Default: false

-s | --systemInfo

Display general system information.

Default: false

-t | --timeout {seconds}

Maximum time (in seconds) to wait before the command returns (the server continues the startup process, regardless). A value of '0' indicates an infinite timeout, which means that the command returns only when the server startup is completed. The default value is 60 seconds. This option cannot be used with the -N, --nodetach option.

Default: 200

Utility input/output options:

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following command starts the server without displaying information about the startup process.

$ start-ds -Q

Name

status — display basic OpenDJ server information

Synopsis

status {options}

Description

This utility can be used to display basic server information.

Options

The status command takes the following options:

Command options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

LDAP connection options:

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-r | --refresh {period}

When this argument is specified, the status command will display its contents periodically. Used to specify the period (in seconds) between two displays of the status.

-s | --script-friendly

Use script-friendly mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

$ status -D "cn=Directory Manager" -w password

          --- Server Status ---
Server Run Status:        Started
Open Connections:         1

          --- Server Details ---
Host Name:                localhost.localdomain
Administrative Users:     cn=Directory Manager
Installation Path:        /path/to/opendj
Version:                  OpenDJ version
Java Version:             version
Administration Connector: Port 4444 (LDAPS)

          --- Connection Handlers ---
Address:Port : Protocol    : State
-------------:-------------:---------
--           : LDIF        : Disabled
8989         : Replication : Enabled
0.0.0.0:161  : SNMP        : Disabled
0.0.0.0:636  : LDAPS       : Disabled
0.0.0.0:1389 : LDAP        : Enabled
0.0.0.0:1689 : JMX         : Disabled

          --- Data Sources ---
Base DN:                      dc=example,dc=com
Backend ID:                   userRoot
Entries:                      160
Replication:                  Enabled
Missing Changes:              0
Age of Oldest Missing Change: <not available>

Base DN:     dc=myCompany,dc=com
Backend ID:  myCompanyRoot
Entries:     3
Replication: Disabled

Base DN:     o=myOrg
Backend ID:  myOrgRoot
Entries:     3
Replication: Disabled

Name

stop-ds — stop OpenDJ server

Synopsis

stop-ds {options}

Description

This utility can be used to request that the Directory Server stop running or perform a restart. When run without explicit connection options, this utility sends a signal to the OpenDJ process to stop the server. When run with explicit connection options, this utility connects to the OpenDJ administration port and creates a shutdown task to stop the server.

Options

The stop-ds command takes the following options:

Command options:

-r | --stopReason {stopReason}

Reason the server is being stopped or restarted.

-R | --restart

Attempt to automatically restart the server once it has stopped.

Default: false

-t | --stopTime {stopTime}

Indicates the date/time at which the shutdown operation will begin as a server task expressed in format YYYYMMDDhhmmssZ for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the shutdown to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

LDAP connection options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDn {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzId

Use the authorization identity control.

Default: false

-h | --hostname {host}

Fully-qualified server host name or IP address.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Examples

The following example restarts OpenDJ directory server.

$ stop-ds --restart
Stopping Server...

...The Directory Server has started successfully

Name

upgrade — upgrade OpenDJ configuration and application data

Synopsis

upgrade {options}

Description

Upgrades OpenDJ configuration and application data so that it is compatible with the installed binaries.

This tool should be run immediately after upgrading the OpenDJ binaries and before restarting the server.

NOTE: this tool does not provide backup or restore capabilities. Therefore, it is the responsibility of the OpenDJ administrator to take necessary precautions before performing the upgrade.

This utility thus performs only part of the upgrade process, which includes the following phases for a single server.

Get and unpack a newer version of OpenDJ directory server software.
Stop the current OpenDJ directory server.
Overwrite existing binary and script files with those of the newer version, and then run this utility before restarting OpenDJ.
Start the upgraded OpenDJ directory server.

Important

This utility does not back up OpenDJ before you upgrade, nor does it restore OpenDJ if the utility fails. In order to revert a failed upgrade, make sure you back up OpenDJ directory server before you overwrite existing binary and script files.

By default this utility requests confirmation before making important configuration changes. You can use the --no-prompt option to run the command non-interactively.

When using the --no-prompt option, if this utility cannot complete because it requires confirmation for a potentially very long or critical task, then it exits with an error and a message about how to finish making the changes. You can add the --force option to force a non-interactive upgrade to continue in this case, also performing long running and critical tasks.

After upgrading, see the resulting upgrade.log file for a full list of operations performed.

Options

The upgrade command takes the following options:

Command options:

--acceptLicense

Automatically accepts the product license (if present).

Default: false

--force

Forces a non-interactive upgrade to continue even if it requires user interaction. In particular, long running or critical upgrade tasks, such as re-indexing, which require user confirmation will be skipped. This option may only be used with the 'no-prompt' option.

Default: false

--ignoreErrors

Ignores any errors which occur during the upgrade. This option should be used with caution and may be useful in automated deployments where potential errors are known in advance and resolved after the upgrade has completed.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

-Q | --quiet

Use quiet mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

2

The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task.

See the error message or the log for details.

other

An error occurred.

See the OpenDJ Installation Guide for an example upgrade process for OpenDJ directory server installed from the cross-platform (.zip) delivery.

Native packages (.deb, .rpm) perform more of the upgrade process, stopping OpenDJ if it is running, overwriting older files with newer files, running this utility, and starting OpenDJ if it was running when you upgraded the package(s).

Name

verify-index — check index for consistency or errors

Synopsis

verify-index {options}

Description

This utility can be used to ensure that index data is consistent within an indexed backend database.

Options

The verify-index command takes the following options:

Command options:

-b | --baseDn {baseDN}

Base DN of a backend supporting indexing. Verification is performed on indexes within the scope of the given base DN.

-c | --clean

Specifies that a single index should be verified to ensure it is clean. An index is clean if each index value references only entries containing that value. Only one index at a time may be verified in this way.

Default: false

--countErrors

Count the number of errors found during the verification and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).

Default: false

-i | --index {index}

Name of an index to be verified. For an attribute index this is simply an attribute name. Multiple indexes may be verified for completeness, or all indexes if no indexes are specified. An index is complete if each index value references all entries containing that value.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

1

The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task.

See the error message or the log for details.

0-255

The number of errors in the index, as indicated for the --countErrors option.

Examples

The following example shows how to verify the sn (surname) index for completeness and for errors:

$ verify-index -b dc=example,dc=com -i sn --clean --countErrors
[20/05/2015:14:24:18 +0200] category=...JEStorage seq=0 severity=INFO
 msg=The JE storage for backend 'userRoot' initialized
 to use 57528 buffers of 16384 bytes (total 920448kb)
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=1 severity=INFO
 msg=Checked 478 records and found 0 error(s) in 0 seconds
 (average rate 3594.0/sec)
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=2 severity=FINE
 msg=Number of records referencing more than one entry: 224
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=3 severity=FINE
 msg=Number of records that exceed the entry limit: 0
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=4 severity=FINE
 msg=Average number of entries referenced is 2.00/record
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=5 severity=FINE
 msg=Maximum number of entries referenced by any record is 32

Name

windows-service — register OpenDJ as a Windows Service

Synopsis

windows-service {options}

Description

This utility can be used to run OpenDJ directory server as a Windows Service.

Service Options

-c, --cleanupService serviceName: Disable the service and clean up the windows registry information associated with the provided service name
-d, --disableService: Disable the server as a Windows service and stop the server
-e, --enableService: Enable the server as a Windows service
-s, --serviceState: Provide information about the state of the server as a Windows service

General Options

-V, --version: Display version information
-?, -H, --help: Display usage information

Exit Codes

0: The command completed successfully.
> 0: An error occurred.

Example

The following command registers OpenDJ directory server as a Windows Service.

C:\path\to\opendj\bat> windows-service.bat --enableService

After running this command, you can manage the service using Windows administration tools.

Glossary

Abandon operation

LDAP operation to stop processing of a request in progress, after which the server drops the connection without a reply to the client application.

Access control

Control to grant or to deny access to a resource.

Access control instruction (ACI)

Instruction added as a directory entry attribute for fine-grained control over what a given user or group member is authorized to do in terms of LDAP operations and access to user data.

ACIs are implemented independently from privileges, which apply to administrative operations.

Index

F

File layout, File Layout

H

HTTP, REST to LDAP Configuration

I

Installed files, File Layout

L

Language subtypes, Directory Support For Locales and Language Subtypes

Languages, DS Languages

LDAP

Result codes, LDAP Result Codes

LDAP controls

Account usability, LDAP Controls
Assertion, LDAP Controls
Authorization identity, LDAP Controls
Entry change notification, LDAP Controls
Get effective rights, LDAP Controls
Manage DSAIT, LDAP Controls
Matched values, LDAP Controls
No-op, LDAP Controls
Password expired, LDAP Controls
Password expiring, LDAP Controls
Password policy, LDAP Controls
Permissive modify, LDAP Controls
Persistent search, LDAP Controls
Post-read, LDAP Controls
Pre-read, LDAP Controls
Proxied authorization, LDAP Controls
Public changelog exchange, LDAP Controls
Server-side sort, LDAP Controls
Simple paged results, LDAP Controls
Subentries, LDAP Controls
Subtree delete, LDAP Controls
Transaction ID, LDAP Controls
Virtual list view (browsing), LDAP Controls

LDAP extended operations

Cancel, LDAP Extended Operations
Get Connection ID, LDAP Extended Operations
Password modify, LDAP Extended Operations
Password policy state, LDAP Extended Operations
StartTLS, LDAP Extended Operations
What am I?, LDAP Extended Operations

LDIF

Specification, Standards, RFCs, and Internet-Drafts

Locales, Directory Support For Locales and Language Subtypes

P

Port numbers, Ports Used

R

REST, REST to LDAP Configuration

S

Supported standards

DSMLv2, Standards, RFCs, and Internet-Drafts
FIPS 180-1, Standards, RFCs, and Internet-Drafts
FIPS 180-2, Standards, RFCs, and Internet-Drafts
JSON, Standards, RFCs, and Internet-Drafts
RFC 1274, Standards, RFCs, and Internet-Drafts
RFC 1321, Standards, RFCs, and Internet-Drafts
RFC 1777, Standards, RFCs, and Internet-Drafts
RFC 1778, Standards, RFCs, and Internet-Drafts
RFC 1779, Standards, RFCs, and Internet-Drafts
RFC 2079, Standards, RFCs, and Internet-Drafts
RFC 2222, Standards, RFCs, and Internet-Drafts
RFC 2246, Standards, RFCs, and Internet-Drafts
RFC 2247, Standards, RFCs, and Internet-Drafts
RFC 2251, Standards, RFCs, and Internet-Drafts
RFC 2252, Standards, RFCs, and Internet-Drafts
RFC 2253, Standards, RFCs, and Internet-Drafts
RFC 2254, Standards, RFCs, and Internet-Drafts
RFC 2255, Standards, RFCs, and Internet-Drafts
RFC 2256, Standards, RFCs, and Internet-Drafts
RFC 2307, Standards, RFCs, and Internet-Drafts
RFC 2377, Standards, RFCs, and Internet-Drafts
RFC 2696, Standards, RFCs, and Internet-Drafts
RFC 2713, Standards, RFCs, and Internet-Drafts
RFC 2714, Standards, RFCs, and Internet-Drafts
RFC 2739, Standards, RFCs, and Internet-Drafts
RFC 2798, Standards, RFCs, and Internet-Drafts
RFC 2829, Standards, RFCs, and Internet-Drafts
RFC 2830, Standards, RFCs, and Internet-Drafts
RFC 2849, Standards, RFCs, and Internet-Drafts
RFC 2891, Standards, RFCs, and Internet-Drafts
RFC 2926, Standards, RFCs, and Internet-Drafts
RFC 3045, Standards, RFCs, and Internet-Drafts
RFC 3062, Standards, RFCs, and Internet-Drafts
RFC 3112, Standards, RFCs, and Internet-Drafts
RFC 3296, Standards, RFCs, and Internet-Drafts
RFC 3377, Standards, RFCs, and Internet-Drafts
RFC 3383, Standards, RFCs, and Internet-Drafts
RFC 3546, Standards, RFCs, and Internet-Drafts
RFC 3671, Standards, RFCs, and Internet-Drafts
RFC 3672, Standards, RFCs, and Internet-Drafts
RFC 3673, Standards, RFCs, and Internet-Drafts
RFC 3674, Standards, RFCs, and Internet-Drafts
RFC 3712, Standards, RFCs, and Internet-Drafts
RFC 3771, Standards, RFCs, and Internet-Drafts
RFC 3829, Standards, RFCs, and Internet-Drafts
RFC 3876, Standards, RFCs, and Internet-Drafts
RFC 3909, Standards, RFCs, and Internet-Drafts
RFC 4346, Standards, RFCs, and Internet-Drafts
RFC 4370, Standards, RFCs, and Internet-Drafts
RFC 4403, Standards, RFCs, and Internet-Drafts
RFC 4422, Standards, RFCs, and Internet-Drafts
RFC 4505, Standards, RFCs, and Internet-Drafts
RFC 4510, Standards, RFCs, and Internet-Drafts
RFC 4511, Standards, RFCs, and Internet-Drafts
RFC 4512, Standards, RFCs, and Internet-Drafts
RFC 4513, Standards, RFCs, and Internet-Drafts
RFC 4514, Standards, RFCs, and Internet-Drafts
RFC 4515, Standards, RFCs, and Internet-Drafts
RFC 4516, Standards, RFCs, and Internet-Drafts
RFC 4517, Standards, RFCs, and Internet-Drafts
RFC 4518, Standards, RFCs, and Internet-Drafts
RFC 4519, Standards, RFCs, and Internet-Drafts
RFC 4523, Standards, RFCs, and Internet-Drafts
RFC 4524, Standards, RFCs, and Internet-Drafts
RFC 4525, Standards, RFCs, and Internet-Drafts
RFC 4526, Standards, RFCs, and Internet-Drafts
RFC 4527, Standards, RFCs, and Internet-Drafts
RFC 4528, Standards, RFCs, and Internet-Drafts
RFC 4529, Standards, RFCs, and Internet-Drafts
RFC 4530, Standards, RFCs, and Internet-Drafts
RFC 4532, Standards, RFCs, and Internet-Drafts
RFC 4616, Standards, RFCs, and Internet-Drafts
RFC 4634, Standards, RFCs, and Internet-Drafts
RFC 4752, Standards, RFCs, and Internet-Drafts
RFC 4876, Standards, RFCs, and Internet-Drafts
RFC 5020, Standards, RFCs, and Internet-Drafts
SCIM Core Schema 1.0, Standards, RFCs, and Internet-Drafts

Preface

Chapter 1. REST to LDAP Configuration

1.1. Gateway Configuration File

Caution

1.2. Gateway REST2LDAP Configuration File

1.3. Mapping Configuration File

Chapter 2. Request Handling

2.1. Requests to Servers

2.2. Requests to Gateways

Chapter 3. LDAP Result Codes

Chapter 4. File Layout

Chapter 5. Ports Used

Chapter 6. Standards, RFCs, and Internet-Drafts

Chapter 7. LDAP Controls

Chapter 8. LDAP Extended Operations

Chapter 9. Localization

9.1. DS Languages

Note

9.2. Directory Support For Locales and Language Subtypes

Chapter 10. Monitoring Metrics

10.1. Metric Types

10.2. LDAP Metrics

10.3. Prometheus Metrics

Tools Reference

Name

Synopsis

Description

Options

Exit Codes

Examples

Name

Synopsis

Description

Options

Exit Codes

Examples

Name

Synopsis

Description

Options

Subcommands

backendstat dump-index

Options

backendstat dump-raw-db

Options

backendstat list-backends

backendstat list-base-dns

Options

backendstat list-indexes

Options

backendstat list-raw-dbs

Options

backendstat show-index-status

Options

Exit Codes

Examples

Name

Synopsis

Description

Options

Exit Codes

Examples

Name

Synopsis

Description

Options

Subcommands

base64 decode

Options

base64 encode

Options

Exit Codes

Examples

Name

Synopsis

Description

Options

Exit Codes

Examples

Name