Directory Services 7.2.5

Global Configuration

The Global Configuration contains properties that affect the overall operation of the OpenDJ.

Dependencies

Global Configurations depend on the following objects:

Global Configuration properties

You can use configuration expressions to set property values at startup time. For details, see Property value substitution.

Basic Properties Advanced Properties

advertised-listen-address
allowed-client
bind-with-dn-requires-password
default-password-policy
denied-client
disabled-privilege
etime-resolution
group-id
group-id-failover-order
idle-time-limit
je-backend-shared-cache-enabled
listen-address
max-allowed-client-connections
max-psearches
proxied-authorization-identity-mapper
proxy-protocol-allowed-client
proxy-protocol-enabled
restricted-client
restricted-client-connection-limit
return-bind-error-messages
save-config-on-successful-startup
server-id
size-limit
subordinate-base-dn
time-limit
unauthenticated-requests-policy
writability-mode

add-missing-rdn-attributes
allow-attribute-name-exceptions
allowed-task
check-schema
invalid-attribute-syntax-behavior
max-candidate-set-size
max-internal-buffer-size
notify-abandoned-operations
single-structural-objectclass-behavior
trust-transaction-ids

Basic properties

Use the --advanced option to access advanced properties.

advertised-listen-address

Synopsis

The advertised address(es) which clients should use for connecting to this Global Configuration.

Description

Multiple addresses may be provided as separate values for this attribute. The meta-address 0.0.0.0 is not permitted.

Default value

None

Allowed values

A hostname or an IP address.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

allowed-client

Synopsis

A set of clients who will be allowed to establish connections to this Global Configuration.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. Specifying a value for this property in a connection handler will override any value set in the global configuration.

Default value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed values

An IP address mask.

Multi-valued

Yes

Required

No

Admin action required

None

Changes to this property take effect immediately and do not interfere with established connections.

Advanced

No

Read-only

No

bind-with-dn-requires-password

Synopsis

Indicates whether the directory server should reject any simple bind request that contains a DN but no password.

Description

Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password.

Default value

true

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

default-password-policy

Synopsis

Specifies the name of the password policy that is in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute).

Description

In addition, the default password policy will be used for providing default parameters for sub-entry based password policies when not provided or supported by the sub-entry itself. This property must reference a password policy and no other type of authentication policy.

Default value

None

Allowed values

The name of an existing password-policy.

Multi-valued

No

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

denied-client

Synopsis

A set of clients who are not allowed to establish connections to this Global Configuration.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed. Specifying a value for this property in a connection handler will override any value set in the global configuration.

Default value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed values

An IP address mask.

Multi-valued

Yes

Required

No

Admin action required

None

Changes to this property take effect immediately and do not interfere with established connections.

Advanced

No

Read-only

No

disabled-privilege

Synopsis

Specifies the name of a privilege that should not be evaluated by the server.

Description

If a privilege is disabled, then it is assumed that all clients (including unauthenticated clients) have that privilege.

Default value

If no values are defined, then the server enforces all privileges.

Allowed values

  • backend-backup: Allows the user to request that the server process backup or backup purge tasks.

  • backend-restore: Allows the user to request that the server process restore tasks.

  • bypass-acl: Allows the associated user to bypass access control checks performed by the server.

  • bypass-lockdown: Allows the associated user to bypass server lockdown mode.

  • cancel-request: Allows the user to cancel operations in progress on other client connections.

  • changelog-read: The privilege that provides the ability to perform read operations on the changelog

  • config-read: Allows the associated user to read the server configuration.

  • config-write: Allows the associated user to update the server configuration. The config-read privilege is also required.

  • data-sync: Allows the user to participate in data synchronization.

  • disconnect-client: Allows the user to terminate other client connections.

  • jmx-notify: Allows the associated user to subscribe to receive JMX notifications.

  • jmx-read: Allows the associated user to perform JMX read operations.

  • jmx-write: Allows the associated user to perform JMX write operations.

  • ldif-export: Allows the user to request that the server process LDIF export tasks.

  • ldif-import: Allows the user to request that the server process LDIF import tasks.

  • modify-acl: Allows the associated user to modify the server’s access control configuration.

  • monitor-read: Allows the user to read the server monitoring information.

  • password-reset: Allows the user to reset user passwords.

  • privilege-change: Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users.

  • proxied-auth: Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity.

  • server-lockdown: Allows the user to place and bring the server of lockdown mode.

  • server-restart: Allows the user to request that the server perform an in-core restart.

  • server-shutdown: Allows the user to request that the server shut down.

  • subentry-write: Allows the associated user to perform LDAP subentry write operations.

  • unindexed-search: Allows the user to request that the server process a search that cannot be optimized using server indexes.

  • update-schema: Allows the user to make changes to the server schema.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

No

Read-only

No

etime-resolution

Synopsis

Specifies the resolution to use for operation elapsed processing time (etime) measurements.

Default value

milliseconds

Allowed values

  • milliseconds: Use millisecond resolution.

  • nanoseconds: Use nanosecond resolution.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

group-id

Synopsis

Specifies the unique identifier of the group in which the directory server belongs.

Description

Directory servers are typically grouped according to their physical location, such as a rack or data center. Servers will prefer connecting to other servers within the same group.

Default value

default

Allowed values

The group unique identifier is composed of any character except comma.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

group-id-failover-order

Synopsis

Comma separated list of group-ids, highest priority first, controlling how the server successively fail over between groups.

Description

Servers pertaining to the group ID of the current server are first tried. If none respond, then servers pertaining to the first group ID in the list are tried. If none respond, then servers pertaining to the second group ID in the list are tried, etc. Finally, when no servers from the listed groups respond, then all the remaining servers are considered.

Default value

Fail-over to any available group

Allowed values

A string.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

idle-time-limit

Synopsis

Specifies the maximum length of time that a client connection may remain established since its last completed operation.

Description

A value of "0 seconds" indicates that no idle time limit is enforced.

Default value

0 seconds

Allowed values

Lower limit: 0 milliseconds.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

je-backend-shared-cache-enabled

Synopsis

Indicates whether all the JE backends should share the same cache.

Description

When enabled, all the JE backends share the same cache. JE backends will make better use of memory: the cache will use around at most 75% of the JVM Old Gen size. Note that when this setting is enabled, it overrides all db-cache-percent and db-cache-size settings. Note also that cache misses in one backend could cause cached data for other backends to be evicted. When disabled, each JE backend will have its own cache sized according to their options db-cache-percent/db-cache-size.

Default value

true

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

Restart the server for changes to take effect.

Advanced

No

Read-only

No

listen-address

Synopsis

The network interface(s) on which this Global Configuration should listen for incoming client connections.

Description

Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the directory server will listen on all interfaces.

Default value

0.0.0.0

Allowed values

A hostname or an IP address.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

No

Read-only

No

max-allowed-client-connections

Synopsis

Specifies the maximum number of client connections that may be established at any given time

Description

A value of 0 indicates that unlimited client connection is allowed.

Default value

0

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

max-psearches

Synopsis

Defines the maximum number of concurrent persistent searches that can be performed on directory server

Description

The persistent search mechanism provides an active channel through which entries that change, and information about the changes that occur, can be communicated. Because each persistent search operation consumes resources, limiting the number of simultaneous persistent searches keeps the performance impact minimal. A value of -1 indicates that there is no limit on the persistent searches.

Default value

-1

Allowed values

An integer.

Use "-1" or "unlimited" to indicate no limit.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

proxied-authorization-identity-mapper

Synopsis

Specifies the name of the identity mapper(s) to map authorization ID values (using the "u:" form) provided in the proxied authorization control to the corresponding user entry.

Default value

None

Allowed values

The name of an existing identity-mapper.

The referenced identity mapper(s) must be enabled.

Multi-valued

Yes

Required

Yes

Admin action required

None

Advanced

No

Read-only

No

proxy-protocol-allowed-client

Synopsis

When the proxy protocol is enabled, this property represents the set of clients who will be allowed to establish connections to this Global Configuration and will be required to use proxy protocol.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. Specifying a value for this property in a connection handler will override any value set in the global configuration.

Default value

If the proxy protocol is enabled then only clients with addresses matching an address on the proxy-protocol-allowed-client list and using proxy protocol are allowed.

Allowed values

An IP address mask.

Multi-valued

Yes

Required

No

Admin action required

None

Changes to this property take effect immediately and do not interfere with established connections.

Advanced

No

Read-only

No

proxy-protocol-enabled

Synopsis

Indicates whether the proxy protocol is enabled.

Description

If enabled, the Global Configuration makes the server use proxy protocol for connections with a source IP address matching an address in the proxy-protocol-allowed-client list.

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

restricted-client

Synopsis

A set of clients who will be limited to the maximum number of connections specified by the "restricted-client-connection-limit" property.

Description

Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. Specifying a value for this property in a connection handler will override any value set in the global configuration.

Default value

No restrictions are imposed on the number of connections a client can open.

Allowed values

An IP address mask.

Multi-valued

Yes

Required

No

Admin action required

None

Changes to this property take effect immediately and do not interfere with established connections.

Advanced

No

Read-only

No

restricted-client-connection-limit

Synopsis

Specifies the maximum number of connections a restricted client can open at the same time to this Global Configuration.

Description

Once Directory Server accepts the specified number of connections from a client specified in restricted-client, any additional connection will be rejected. The number of connections is maintained by IP address. Specifying a value for this property in a connection handler will override any value set in the global configuration.

Default value

100

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Changes to this property take effect immediately and do not interfere with established connections.

Advanced

No

Read-only

No

return-bind-error-messages

Synopsis

Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure.

Description

Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages appears only in the server’s access log.

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

save-config-on-successful-startup

Synopsis

Indicates whether the directory server should save a copy of its configuration whenever the startup process completes successfully.

Description

This ensures that the server provides a "last known good" configuration, which can be used as a reference (or copied into the active config) if the server fails to start with the current "active" configuration.

Default value

true

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

server-id

Synopsis

Specifies a unique identifier for the directory server which will identify the server within a replication topology.

Description

Each directory server within the same replication topology must have a different server identifier. If no server identifier is specified then one must be provided in each replication server and replication domain configuration.

Default value

Specified per replication server and domain.

Allowed values

An alphanumeric string, may also contain underscore and hyphen characters

Multi-valued

No

Required

Yes

Admin action required

Restart the server for changes to take effect.

Advanced

No

Read-only

No

size-limit

Synopsis

Specifies the maximum number of entries that can be returned to the client during a single search operation.

Description

A value of 0 indicates that no size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute.

Default value

1000

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

subordinate-base-dn

Synopsis

Specifies the set of base DNs used for singleLevel, wholeSubtree, and subordinateSubtree searches based at the root DSE.

Default value

The set of all user-defined suffixes is used.

Allowed values

A valid DN.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

No

Read-only

No

time-limit

Synopsis

Specifies the maximum length of time that should be spent processing a single search operation.

Description

A value of 0 seconds indicates that no time limit is enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute.

Default value

60 seconds

Allowed values

Lower limit: 0 seconds.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

unauthenticated-requests-policy

Synopsis

Controls how the directory server should handle requests received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication.

Default value

allow

Allowed values

  • allow: Allows all unauthenticated requests, subject to privileges and ACIs.

  • allow-discovery: Disallows all unauthenticated requests except for Bind and StartTLS requests, and base object searches of the root DSE. Use this setting in order to support service discovery and keep-alive requests which typically target the root DSE.

  • reject: Disallows all unauthenticated requests except for Bind and StartTLS requests.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

writability-mode

Synopsis

Specifies the kinds of write operations the directory server can process.

Default value

enabled

Allowed values

  • disabled: The directory server rejects all write operations that are requested of it, regardless of their origin.

  • enabled: The directory server attempts to process all write operations that are requested of it, regardless of their origin.

  • internal-only: The directory server attempts to process write operations requested as internal operations or through synchronization, but rejects any such operations requested from external clients.

Multi-valued

No

Required

No

Admin action required

None

Advanced

No

Read-only

No

Advanced properties

Use the --advanced option to access advanced properties.

add-missing-rdn-attributes

Synopsis

Indicates whether the directory server should automatically add any attribute values contained in the entry’s RDN into that entry when processing an add request.

Default value

true

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

allow-attribute-name-exceptions

Synopsis

Indicates whether the directory server should allow underscores in attribute names and allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards).

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

allowed-task

Synopsis

Specifies the fully-qualified name of a Java class that may be invoked in the server.

Description

Any attempt to invoke a task not included in the list of allowed tasks is rejected.

Default value

If no values are defined, then the server does not allow any tasks to be invoked.

Allowed values

A string.

Multi-valued

Yes

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

check-schema

Synopsis

Indicates whether schema enforcement is active.

Description

When schema enforcement is activated, the directory server ensures that all operations result in entries are valid according to the defined server schema. It is strongly recommended that this option be left enabled to prevent the inadvertent addition of invalid data into the server.

Default value

true

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

invalid-attribute-syntax-behavior

Synopsis

Specifies how the directory server should handle operations whenever an attribute value violates the associated attribute syntax.

Default value

reject

Allowed values

  • accept: The directory server silently accepts attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected.

  • reject: The directory server rejects attribute values that are invalid according to their associated syntax.

  • warn: The directory server accepts attribute values that are invalid according to their associated syntax, but also logs a warning message to the error log. Matching operations targeting those values may not behave as expected.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

max-candidate-set-size

Synopsis

Controls the maximum amount of memory that may be used when processing search requests. The value corresponds to the maximum number of candidate entries that the directory server may maintain in memory when querying attribute indexes.

Description

Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-max-candidate-set-size operational attribute. A value of 0 indicates that no maximum size for a candidate set is enforced.

Default value

100000

Allowed values

An integer.

Lower limit: 0.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

max-internal-buffer-size

Synopsis

The threshold capacity beyond which internal cached buffers used for encoding and decoding entries and protocol messages will be trimmed after use.

Description

Individual buffers may grow very large when encoding and decoding large entries and protocol messages and should be reduced in size when they are no longer needed. This setting specifies the threshold at which a buffer is determined to have grown too big and should be trimmed down after use.

Default value

32 KB

Allowed values

Uses size syntax.

Lower limit: 512.

Upper limit: 1000000000.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

notify-abandoned-operations

Synopsis

Indicates whether the directory server should send a response to any operation that is interrupted via an abandon request.

Description

The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request.

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

single-structural-objectclass-behavior

Synopsis

Specifies how the directory server should handle operations an entry does not contain a structural object class or contains multiple structural classes.

Default value

reject

Allowed values

  • accept: The directory server silently accepts entries that do not contain exactly one structural object class. Certain schema features that depend on the entry’s structural class may not behave as expected.

  • reject: The directory server rejects entries that do not contain exactly one structural object class.

  • warn: The directory server accepts entries that do not contain exactly one structural object class, but also logs a warning message to the error log. Certain schema features that depend on the entry’s structural class may not behave as expected.

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

trust-transaction-ids

Synopsis

Indicates whether the directory server should trust the transaction ids that may be received from requests, either through a LDAP control or through a HTTP header.

Description

When enabled, the transaction IDs are created when the requests do not include one, then are logged; in addition, the server will add a sub-transaction ID control to all forwarded requests. When disabled, the incoming transaction IDs are discarded and new ones are created.

Default value

false

Allowed values

true

false

Multi-valued

No

Required

No

Admin action required

None

Advanced

Yes

Read-only

No

Copyright © 2010-2024 ForgeRock, all rights reserved.