Reference for OpenDJ directory server and bundled tools. The OpenDJ project offers open source LDAP directory services in Java.

Preface

This reference covers OpenDJ directory server configuration, tools bundled with OpenDJ directory server, and a number of other topics such as supported languages and standards.

1. Who Should Use this Reference

This reference is written for OpenDJ integrators and administrators.

For API specifications suitable for OpenDJ developers, see the appropriate Javadoc.

2. Formatting Conventions

Most examples in the documentation are created in GNU/Linux or Mac OS X operating environments. If distinctions are necessary between operating environments, examples are labeled with the operating environment name in parentheses. To avoid repetition file system directory names are often given only in UNIX format as in /path/to/server, even if the text applies to C:\path\to\server as well.

Absolute path names usually begin with the placeholder /path/to/. This path might translate to /opt/, C:\Program Files\, or somewhere else on your system.

Command-line, terminal sessions are formatted as follows:

$ echo $JAVA_HOME
/path/to/jdk

Command output is sometimes formatted for narrower, more readable output even though formatting parameters are not shown in the command.

Program listings are formatted as follows:

class Test {
    public static void main(String [] args)  {
        System.out.println("This is a program listing.");
    }
}

3. Accessing Documentation Online

ForgeRock publishes comprehensive documentation online:

  • The ForgeRock Knowledge Base offers a large and increasing number of up-to-date, practical articles that help you deploy and manage ForgeRock software.

    While many articles are visible to community members, ForgeRock customers have access to much more, including advanced information for customers using ForgeRock software in a mission-critical capacity.

  • ForgeRock product documentation, such as this document, aims to be technically accurate and complete with respect to the software documented. It is visible to everyone and covers all product features and examples of how to use them.

4. Using the ForgeRock.org Site

The ForgeRock.org site has links to source code for ForgeRock open source software, as well as links to the ForgeRock forums and technical blogs.

If you are a ForgeRock customer, raise a support ticket instead of using the forums. ForgeRock support professionals will get in touch to help you.

Tools Reference


You can find bundle tools under the folder where you installed OpenDJ directory server as listed in Section 2.2, "Command-Line Tools" in the Administration Guide.

Name

backendstat — gather OpenDJ backend debugging information

Synopsis

backendstat {subcommand} {options}

Description

This utility can be used to debug a backend.

Options

The backendstat command takes the following options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The backendstat command supports the following subcommands:

backendstat dump-index

Dump records from an index, decoding keys and values. Depending on index size, this subcommand can generate lots of output.

Options

The backendstat dump-index command takes the following options:

-n | --backendID {backendName}

The backend ID of the backend.

-b | --baseDN {baseDN}

The base DN within the backend.

-i | --indexName {indexName}

The name of the index.

-q | --statsOnly

Do not display backend data, just statistics.

Default: false

-K | --maxKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-k | --minKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-X | --maxHexKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-x | --minHexKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-S | --maxDataSize {maxDataSize}

Only show records whose data is no larger than the provided value.

Default: -1

-s | --minDataSize {minDataSize}

Only show records whose data is no smaller than the provided value.

Default: -1

-p | --skipDecode

Do not try to decode backend data to their appropriate types.

Default: false

backendstat dump-raw-db

Dump the raw records in hexadecimal format for a low-level database within the pluggable backend's storage engine. Depending on index size, this subcommand can generate lots of output.

Options

The backendstat dump-raw-db command takes the following options:

-n | --backendID {backendName}

The backend ID of the backend.

-d | --dbName {databaseName}

The raw database name.

-q | --statsOnly

Do not display backend data, just statistics.

Default: false

-K | --maxKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-k | --minKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-X | --maxHexKeyValue {maxKeyValue}

Only show records with keys that should be ordered before the provided value using the comparator for the database container.

-x | --minHexKeyValue {minKeyValue}

Only show records with keys that should be ordered after the provided value using the comparator for the database container.

-S | --maxDataSize {maxDataSize}

Only show records whose data is no larger than the provided value.

Default: -1

-s | --minDataSize {minDataSize}

Only show records whose data is no smaller than the provided value.

Default: -1

-l | --singleLine

Write hexadecimal data on a single line instead of pretty format.

Default: false

backendstat list-backends

List the pluggable backends.

backendstat list-base-dns

List the base DNs in a backend.

Options

The backendstat list-base-dns command takes the following options:

-n | --backendID {backendName}

The backend ID of the backend.

backendstat list-indexes

List the indexes associated with a pluggable backend. This subcommand may take a long time to complete depending on the size of the backend.

Options

The backendstat list-indexes command takes the following options:

-n | --backendID {backendName}

The backend ID of the backend.

-b | --baseDN {baseDN}

The base DN within the backend.

backendstat list-raw-dbs

List the low-level databases within a pluggable backend's storage engine. This subcommand may take a long time to complete depending on the size of the backend.

Options

The backendstat list-raw-dbs command takes the following options:

-n | --backendID {backendName}

The backend ID of the backend.

-u | --useSIUnits

Uses SI Units for printing sizes.

Default: false

backendstat show-index-status

Shows the status of indexes for a backend base DN. This subcommand can take a long time to complete, as it reads all indexes for all backends.

When you run the 'list-index-status' command, the result is a table, followed by a "Total", which is the total number of indexes, followed by a list of indexes with "Over index-entry-limit keys" to show the values for which the number of entries exceeded the index entry limit. The table has the following columns.

Index Name

Name of the index, which takes the form attr.type for attribute indexes, and vlv.name for VLV indexes. Some indexes are for OpenDJ directory server's internal use.

Example: givenName.caseIgnoreSubstringsMatch:6

Tree Name

Name of the backend tree, which reflects how OpenDJ directory server organizes the data in the database.

Example: /dc=example,dc=com/givenName.caseIgnoreSubstringsMatch:6

Index Valid

This is true for valid indexes. If this is false, the index might be degraded. Verify the index, and rebuild the index if necessary.

Record Count

Number of indexed keys. Use the backendstat dump-tree command to see how many entry IDs correspond to each key.

Over Index Entry Limit

Number of keys for which there are too many values to maintain an index, based on the index entry limit. This is recorded as - for VLV indexes.

In other words, with the default index entry limit of 4000, if every user in your large directory has an email address ending in @example.com, and a substring index with default substring length of 6 is maintained for mail, then OpenDJ directory server does not maintain indexes for keys corresponding to substrings in @example.com.

As a result, an LDAP search with the filter "(mail=*@example.com)" becomes an unindexed search even though a substring index exists for the mail attribute. By default OpenDJ directory server does not allow unindexed searches except by privileged users. This is usually exactly the behavior you want in order to prevent client applications from sending searches that return every user in the directory for example. Clients should refine their search filters instead.

95%, 90%, 85%

Number of keys for which the number of values is approaching the index entry limit, having at least the specified percentage. This is a measure of how full the entry ID lists are.

Options

The backendstat show-index-status command takes the following options:

-n | --backendID {backendName}

The backend ID of the backend.

-b | --baseDN {baseDN}

The base DN within the backend.

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example displays index information.

$ bin/backendstat dump-index  -n userRoot -b dc=example,dc=com -i id2childrencount 

    Key (len 2): 1#52
    Value (len 8): 1
    Key (len 2): 2#52
    Value (len 8): 500000
    Key (len 9): Total Children Count
    Value (len 8): 500001

    Total Records: 3
    Total / Average Key Size: 13 bytes / 4 bytes
    Total / Average Data Size: 24 bytes / 8 bytes

 

Name

backup — back up OpenDJ directory data

Synopsis

backup

Description

This utility can be used to back up one or more Directory Server backends.

Options

The backup command takes the following options:

Command options:

-a | --backUpAll

Back up all backends in the server.

Default: false

-A | --hash

Generate a hash of the backup contents.

Default: false

-B | --incrementalBaseID {backupID}

Backup ID of the source archive for an incremental backup.

-c | --compress

Compress the backup contents.

Default: false

-d | --backupDirectory {backupDir}

Path to the target directory for the backup file(s).

-i | --incremental

Perform an incremental backup rather than a full backup.

Default: false

-I | --backupID {backupID}

Use the provided identifier for the backup.

-n | --backendID {backendName}

Backend ID for the backend to archive.

-s | --signHash

Sign the hash of the backup contents.

Default: false

-y | --encrypt

Encrypt the backup contents.

Default: false

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

1

An error occurred.

Examples

The following example backs up all user data while the server is online.

$ backup -p 4444 -D "cn=Directory Manager" -w password \
 -a -d /path/to/opendj/bak -t 0
Backup task 20110613143801866 scheduled to start ...
 

The following example schedules back up of all user data every night at 2 AM when the server is online, and notifies diradmin@example.com when finished, or on error.

$ backup -p 4444 -D "cn=Directory Manager" -w password -a \
 -d /path/to/opendj/bak --recurringTask "00 02 * * *" \
 --completionNotify diradmin@example.com --errorNotify diradmin@example.com
Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
scheduled successfully
 

The following example backs up all user data while the server is offline.

$ stop-ds
Stopping Server...
...

$ backup --backupAll --backupDirectory /path/to/opendj/bak
... msg=The backup process completed successfully

$ start-ds
... The Directory Server has started successfully
 

Name

base64 — encode and decode base64 strings

Synopsis

base64 {subcommand} {options}

Description

This utility can be used to encode and decode information using base64.

Options

The base64 command takes the following options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The base64 command supports the following subcommands:

base64 decode

Decode base64-encoded information into raw data. When no options are specified, this subcommand reads from standard input and writes to standard output.

Options

The base64 decode command takes the following options:

-d | --encodedData {data}

The base64-encoded data to be decoded.

-f | --encodedDataFile {path}

The path to a file containing the base64-encoded data to be decoded.

-o | --toRawFile {path}

The path to a file to which the raw base64-decoded data should be written.

base64 encode

Encode raw data using base64. When no options are specified, this subcommand reads from standard input and writes to standard output.

Options

The base64 encode command takes the following options:

-d | --rawData {data}

The raw data to be base64 encoded.

-f | --rawDataFile {path}

The path to a file containing the raw data to be base64 encoded.

-o | --toEncodedFile {path}

The path to a file to which the base64-encoded data should be written.

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following command shows the changes from the external change log in human-readable format.

$ base64 decode -d YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UK\
LQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2V\
yLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW\
1lc3RhbXA6IDIwMTEwNjEzMDcxMjEwWgotCg==
add: description
description: A third change
-
replace: modifiersName
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
-
replace: modifyTimestamp
modifyTimestamp: 20110613071210Z
-
 

Name

control-panel — start the OpenDJ graphical admin interface

Synopsis

control-panel

Description

This utility can be used to display the Control Panel window which displays basic server information and allows to do some basic administration tasks on the server.

If no host name or port is provided, the tool will try to connect to the local server.

Options

The control-panel command takes the following options:

Command options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-r | --remote

Connect to a remote server.

Default: false

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-p | --port {port}

Directory server administration port number.

Default: 4444

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-X | --trustAll

Trust all server SSL certificates.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example starts the Control Panel on a remote host.

$ control-panel -r -h opendj.example.com -p 4444 &
 

Name

create-rc-script — script to manage OpenDJ as a service on UNIX

Synopsis

create-rc-script

Description

Create an RC script that may be used to start, stop, and restart the Directory Server on UNIX-based systems.

Options

The create-rc-script command takes the following options:

Command options:

-f | --outputFile {path}

The path to the output file to create.

-j | --javaHome {path}

The path to the Java installation that should be used to run the server.

-J | --javaArgs {args}

A set of arguments that should be passed to the JVM when running the server.

-u | --userName {userName}

The name of the user account under which the server should run.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example adds a script to start OpenDJ at boot time on a Debian-based system, and then updates the runlevel system to use the script.

$ sudo create-rc-script -f /etc/init.d/opendj -u opendj-user
$ sudo update-rc.d opendj
 

Name

dsconfig — manage OpenDJ directory server configuration

Synopsis

dsconfig {subcommand} {options}

Description

This utility can be used to define a base configuration for the Directory Server.

The dsconfig command is the primary command-line tool for viewing and editing OpenDJ configuration. When started without arguments, dsconfig prompts you for administration connection information, including the host name, administration port number, administrator bind DN and administrator password. The dsconfig command then connects securely to the directory server over the administration port. Once connected it presents you with a menu-driven interface to the server configuration.

When you pass connection information, subcommands, and additional options to dsconfig, the command runs in script mode and so is not interactive, though it can prompt you to ask whether to apply changes and whether to trust certificates (unless you use the --no-prompt and --trustAll options, respectively).

You can prepare dsconfig batch scripts by running the tool with the --commandFilePath option in interactive mode, then reading from the batch file with the --batchFilePath option in script mode. Batch files can be useful when you have many dsconfig commands to run and want to avoid starting the JVM for each command. Alternatively, you can read commands from standard input by using the --batch option.

The dsconfig command categorizes directory server configuration into components, also called managed objects. Actual components often inherit from a parent component type. For example, one component is a Connection Handler. An LDAP Connection Handler is a type of Connection Handler. You configure the LDAP Connection Handler component to specify how OpenDJ directory server handles LDAP connections coming from client applications.

Configuration components have properties. For example, the LDAP Connection Handler component has properties such as listen-port and allow-start-tls. You can set the component's listen-port property to 389 to use the default LDAP port number. You can set the component's allow-start-tls property to true to permit LDAP client applications to use StartTLS. Much of the configuration you do with dsconfig involves setting component properties.

Options

The dsconfig command takes the following options:

Command options:

--batch

Reads from standard input a set of commands to be executed.

Default: false

--commandFilePath {path}

The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.

--displayCommand

Display the equivalent non-interactive argument in the standard output when this command is run in interactive mode.

Default: false

--help-all

Display all subcommands.

Default: false

--help-core-server

Display subcommands relating to core server.

Default: false

--help-database

Display subcommands relating to caching and back-ends.

Default: false

--help-logging

Display subcommands relating to logging.

Default: false

--help-replication

Display subcommands relating to replication.

Default: false

--help-security

Display subcommands relating to authentication and authorization.

Default: false

--help-user-management

Display subcommands relating to user management.

Default: false

Configuration Options

--advanced

Allows the configuration of advanced components and properties.

Default: false

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-E | --reportAuthzID

Use the authorization identity control.

Default: false

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-F | --batchFilePath {batchFilePath}

Path to a batch file containing a set of commands to be executed.

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

-s | --script-friendly

Use script-friendly mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The dsconfig command provides many subcommands.

Subcommands let you create, list, and delete entire configuration components, and also let you get and set component properties. Subcommands therefore have names that reflect these five actions.

  • create-component

  • list-components

  • delete-component

  • get-component-prop

  • set-component-prop

Here, component names are names of managed object types. Subcommand component names are lower-case, hyphenated versions of the friendly names. When you act on an actual configuration component, you provide the name of the component as an option argument.

For example, the Log Publisher component has these corresponding subcommands.

  • create-log-publisher

  • list-log-publishers

  • delete-log-publisher

  • get-log-publisher-prop

  • set-log-publisher-prop

When you create or delete Log Publisher components and when you get and set their configuration properties, you provide the name of the actual log publisher, which you can find by using the list-log-publishers subcommand.

$ dsconfig \
 list-log-publishers \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll

Log Publisher                 : Type                   : enabled
------------------------------:------------------------:--------
File-Based Access Logger      : file-based-access      : true
File-Based Audit Logger       : file-based-audit       : false
File-Based Debug Logger       : file-based-debug       : false
File-Based Error Logger       : file-based-error       : true
File-Based HTTP Access Logger : file-based-http-access : false
Replication Repair Logger     : file-based-error       : true

$ dsconfig \
 get-log-publisher-prop \
 --publisher-name "File-Based Access Logger" \
 --property rotation-policy \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll
Property        : Value(s)
----------------:--------------------------------------------------------------
rotation-policy : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
                : Policy
 

Many subcommands let you set property values. Notice in the reference for the subcommands below that specific options are available for handling multi-valued properties. Whereas you can assign a single property value by using the --set option, you assign multiple values to a multi-valued property by using the --add option. You can reset the values of the multi-valued property by using the --reset option.

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Use the following options to view help for subcommands.

dsconfig --help-all

Display all subcommands

dsconfig --help-core-server

Display subcommands relating to core server

dsconfig --help-database

Display subcommands relating to caching and back-ends

dsconfig --help-logging

Display subcommands relating to logging

dsconfig --help-replication

Display subcommands relating to replication

dsconfig --help-security

Display subcommands relating to authentication and authorization

dsconfig --help-user-management

Display subcommands relating to user management

For help with individual subcommands, either use dsconfig subcommand --help, or start dsconfig in interactive mode, without specifying a subcommand.

To view all component properties, use the dsconfig list-properties command.

The dsconfig command supports the following subcommands:

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

Much of the OpenDJ Administration Guide consists of dsconfig examples with text in between. This section therefore remains short.

The following example starts dsconfig in interactive, menu-driven mode on the default port of the current host.

$ dsconfig -h opendj.example.com -p 4444 -D "cn=Directory Manager" -w password

>>>> OpenDJ configuration console main menu

What do you want to configure?

    1)   Access Control Handler               22)  Log Retention Policy
    2)   Access Log Filtering Criteria        23)  Log Rotation Policy
    3)   Account Status Notification Handler  24)  Matching Rule
    4)   Administration Connector             25)  Monitor Provider
    5)   Alert Handler                        26)  Password Generator
    6)   Attribute Syntax                     27)  Password Policy
    7)   Backend                              28)  Password Storage Scheme
    8)   Backend Index                        29)  Password Validator
    9)   Backend VLV Index                    30)  Plugin
    10)  Certificate Mapper                   31)  Plugin Root
    11)  Connection Handler                   32)  Replication Domain
    12)  Crypto Manager                       33)  Replication Server
    13)  Debug Target                         34)  Root DN
    14)  Entry Cache                          35)  Root DSE Backend
    15)  Extended Operation Handler           36)  SASL Mechanism Handler
    16)  External Changelog Domain            37)  Schema Provider
    17)  Global Configuration                 38)  Synchronization Provider
    18)  Group Implementation                 39)  Trust Manager Provider
    19)  Identity Mapper                      40)  Virtual Attribute
    20)  Key Manager Provider                 41)  Work Queue
    21)  Log Publisher

    q)   quit

Enter choice:
 

The following example demonstrates generating a batch file that corresponds to an interactive session enabling the debug log. The example then demonstrates using a modified batch file to disable the debug log.

$ dsconfig \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --commandFilePath ~/enable-debug-log.batch
 ...
$ cat ~/enable-debug-log.batch
# dsconfig session start date: 19/Oct/2011:08:52:22 +0000

# Session operation number: 1
# Operation date: 19/Oct/2011:08:55:06 +0000
dsconfig set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:true \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/opendj/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword ****** \
          --no-prompt

$ cp ~/enable-debug-log.batch ~/disable-debug-log.batch
$ vi ~/disable-debug-log.batch
$ cat ~/disable-debug-log.batch
set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:false \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/opendj/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword password \
          --no-prompt

$ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt
set-log-publisher-prop
--publisher-name
File-Based Debug Logger
--set
enabled:false
--hostname
opendj.example.com
--port
4444
--trustStorePath
/path/to/opendj/config/admin-truststore
--bindDN
cn=Directory Manager
--bindPassword
password
--no-prompt

$
 

Notice that the original command file looks like a shell script with the bind password value replaced by asterisks. To pass the content as a batch file to dsconfig, strip dsconfig itself, and include the bind password for the administrative user or replace that option with an alternative, such as reading the password from a file.


Name

dsjavaproperties — apply OpenDJ Java home and JVM settings

Synopsis

dsjavaproperties

Description

This utility can be used to change the java arguments and java home that are used by the different server commands.

Before launching the command, edit the properties file located in java.properties to specify the java arguments and java home. When you have edited the properties file, run this command for the changes to be taken into account.

Note that the changes will only apply to this server installation. No modifications will be made to your environment variables.

Options

The dsjavaproperties command takes the following options:

Utility input/output options:

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Files

This command depends on the content of the config/java.properties file.

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example demonstrates a successful run.

$ dsjavaproperties
The operation was successful.  The server commands will use the java arguments
 and java home specified in the properties file located in
 /path/to/opendj/config/java.properties
 

Name

dsreplication — manage OpenDJ directory data replication

Synopsis

dsreplication {subcommand} {options}

Description

This utility can be used to configure replication between servers so that the data of the servers is synchronized. For replication to work you must first enable replication using the 'enable' subcommand and then initialize the contents of one of the servers with the contents of the other using the 'initialize' subcommand.

Options

The dsreplication command takes the following options:

Command options:

-b | --baseDN {baseDN}

Base DN of the data to be replicated, initialized or for which we want to disable replication. Multiple base DNs can be provided by using this option multiple times.

--commandFilePath {path}

The full path to the file where the equivalent non-interactive commands will be written when this command is run in interactive mode.

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

--displayCommand

Display the equivalent non-interactive argument in the standard output when this command is run in interactive mode.

Default: false

-j | --adminPasswordFile {bindPasswordFile}

The file containing the password of the global administrator.

-w | --adminPassword {bindPassword}

The global administrator password.

Configuration Options

--advanced

Allows the configuration of advanced components and properties.

Default: false

LDAP connection options:

-I | --adminUID {adminUID}

User ID of the Global Administrator to use to bind to the server. For the 'enable' subcommand if no Global Administrator was defined previously for none of the server the Global Administrator will be created using the provided data.

Default: admin

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The dsreplication command supports the following subcommands:

dsreplication disable

Disables replication on the specified server for the provided base DN and removes references in the other servers with which it is replicating data.

Options

The dsreplication disable command takes the following options:

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

Default: 4444

-D | --bindDN {bindDN}

DN to use to bind to the server where we want to disable replication. This option must be used when no Global Administrator has been defined on the server or if the user does not want to remove references in the other replicated servers. The password provided for the Global Administrator will be used when specifying this option.

Default: cn=Directory Manager

--disableReplicationServer

Disable the replication server. The replication port and change log are disabled on the specified server.

Default: false

-a | --disableAll

Disable the replication configuration on the specified server. The contents of the server are no longer replicated and the replication server (changelog and replication port) is disabled if it is configured.

Default: false

dsreplication enable

Updates the configuration of the servers to replicate the data under the specified base DN. If one of the specified servers is already replicating the data under the base DN with other servers, executing this subcommand will update the configuration of all the servers (so it is sufficient to execute the command line once for each server we add to the replication topology).

Options

The dsreplication enable command takes the following options:

-h | --host1 {host}

Fully qualified host name or IP address of the first server whose contents will be replicated.

Default: localhost.localdomain

-p | --port1 {port}

Directory server administration port number of the first server whose contents will be replicated.

Default: 4444

-D | --bindDN1 {bindDN}

DN to use to bind to the first server whose contents will be replicated. If not specified the global administrator will be used to bind.

Default: cn=Directory Manager

--bindPassword1 {bindPassword}

Password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind.

--bindPasswordFile1 {bindPasswordFile}

File containing the password to use to bind to the first server whose contents will be replicated. If no bind DN was specified for the first server the password of the global administrator will be used to bind.

-r | --replicationPort1 {port}

Port that will be used by the replication mechanism in the first server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the first server.

Default: 8989

--secureReplication1

Specifies whether or not the communication through the replication port of the first server is encrypted or not. This option will only be taken into account the first time replication is configured on the first server.

Default: false

--noReplicationServer1

Do not configure a replication port or change log on the first server. The first server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure.

Default: false

--onlyReplicationServer1

Configure only a change log and replication port on the first server. The first server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers.

Default: false

-O | --host2 {host}

Fully qualified host name or IP address of the second server whose contents will be replicated.

Default: localhost.localdomain

--port2 {port}

Directory server administration port number of the second server whose contents will be replicated.

Default: 4444

--bindDN2 {bindDN}

DN to use to bind to the second server whose contents will be replicated. If not specified the global administrator will be used to bind.

Default: cn=Directory Manager

--bindPassword2 {bindPassword}

Password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind.

-F | --bindPasswordFile2 {bindPasswordFile}

File containing the password to use to bind to the second server whose contents will be replicated. If no bind DN was specified for the second server the password of the global administrator will be used to bind.

-R | --replicationPort2 {port}

Port that will be used by the replication mechanism in the second server to communicate with the other servers. You have to specify this option only if replication was not previously configured in the second server.

Default: 8989

--secureReplication2

Specifies whether or not the communication through the replication port of the second server is encrypted or not. This option will only be taken into account the first time replication is configured on the second server.

Default: false

--noReplicationServer2

Do not configure a replication port or change log on the second server. The second server will contain replicated data but will not contain a change log of modifications made to the replicated data. Note that each replicated topology must contain at least two servers with a change log to avoid a single point of failure.

Default: false

--onlyReplicationServer2

Configure only a change log and replication port on the second server. The second server will not contain replicated data, but will contain a change log of the modifications made to the replicated data on other servers.

Default: false

-S | --skipPortCheck

Skip the check to determine whether the specified replication ports are usable.

Default: false

--noSchemaReplication

Do not replicate the schema between the servers.

Default: false

--useSecondServerAsSchemaSource

Use the second server to initialize the schema of the first server. If this option nor option --noSchemaReplication are specified the schema of the first server will be used to initialize the schema of the second server.

Default: false

dsreplication initialize

Initialize the contents of the data under the specified base DN on the destination server with the contents on the source server. This operation is required after enabling replication in order replication to work ('initialize-all' can also be used for this purpose).

Options

The dsreplication initialize command takes the following options:

-h | --hostSource {host}

Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server.

Default: localhost.localdomain

-p | --portSource {port}

Directory server administration port number of the source server whose contents will be used to initialize the destination server.

Default: 4444

-O | --hostDestination {host}

Fully qualified host name or IP address of the destination server whose contents will be initialized.

Default: localhost.localdomain

--portDestination {port}

Directory server administration port number of the destination server whose contents will be initialized.

Default: 4444

dsreplication initialize-all

Initialize the contents of the data under the specified base DN on all the servers whose contents are being replicated with the contents on the specified server. This operation is required after enabling replication for replication to work ('initialize' applied to each server can also be used for this purpose).

Options

The dsreplication initialize-all command takes the following options:

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

Default: 4444

dsreplication post-external-initialization

This subcommand must be called after initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that have been initialized and you must provide the credentials of any of the servers that are being replicated. See the usage of the subcommand 'pre-external-initialization' for more information.

Options

The dsreplication post-external-initialization command takes the following options:

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

Default: 4444

dsreplication pre-external-initialization

This subcommand must be called before initializing the contents of all the replicated servers using the tool import-ldif or the binary copy method. You must specify the list of base DNs that will be initialized and you must provide the credentials of any of the servers that are being replicated. After calling this subcommand, initialize the contents of all the servers in the topology (use the same LDIF file/binary copy on each of the servers), then call the subcommand 'post-external-initialization'.

Options

The dsreplication pre-external-initialization command takes the following options:

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

Default: 4444

dsreplication purge-historical

Launches a purge processing of the historical informations stored in the user entries by replication. Since this processing may take a while, you must specify the maximum duration for this processing.

Options

The dsreplication purge-historical command takes the following options:

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

Default: 4444

--maximumDuration {maximum duration}

This argument specifies the maximum duration the purge processing must last expressed in seconds.

Default: 3600

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

dsreplication reset-change-number

Re-synchronizes the change-log changenumber on one server with the change-log changenumber of another.

Options

The dsreplication reset-change-number command takes the following options:

-h | --hostSource {host}

Fully qualified host name or IP address of the source server whose contents will be used to initialize the destination server.

Default: localhost.localdomain

-p | --portSource {port}

Directory server administration port number of the source server whose contents will be used to initialize the destination server.

Default: 4444

-O | --hostDestination {host}

Fully qualified host name or IP address of the destination server whose contents will be initialized.

Default: localhost.localdomain

--portDestination {port}

Directory server administration port number of the destination server whose contents will be initialized.

Default: 4444

--change-number {change number}

The change number to use as the basis for re-synchronization.

dsreplication status

Displays a list with the basic replication configuration of the base DNs of the servers defined in the registration information. If no base DNs are specified as parameter the information for all base DNs is displayed.

Options

The dsreplication status command takes the following options:

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-p | --port {port}

Directory server administration port number.

Default: 4444

-s | --script-friendly

Use script-friendly mode.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example enables and then initializes replication for a new replica on opendj2.example.com from an existing replica on opendj.example.com.

$ dsreplication enable -I admin -w password -X -n -b dc=example,dc=com \
 --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password --replicationPort1 8989 \
 --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password --replicationPort2 8989

Establishing connections ..... Done.
Checking registration information ..... Done.
Updating remote references on server opendj.example.com:4444 ..... Done.
Configuring Replication port on server opendj2.example.com:4444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com on server
 opendj.example.com:4444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com on server
 opendj2.example.com:4444 ..... Done.
Updating registration configuration on server
 opendj.example.com:4444 ..... Done.
Updating registration configuration on server
 opendj2.example.com:4444 ..... Done.
Updating replication configuration for baseDN cn=schema on server
 opendj.example.com:4444 ..... Done.
Updating replication configuration for baseDN cn=schema on server
 opendj2.example.com:4444 ..... Done.
Initializing registration information on server opendj2.example.com:4444 with
 the contents of server opendj.example.com:4444 ..... Done.
Initializing schema on server opendj2.example.com:4444 with the contents of
 server opendj.example.com:4444 ..... Done.

Replication has been successfully enabled.  Note that for replication to
 work you must initialize the contents of the base DN's that are being
  replicated (use dsreplication initialize to do so).

See
/var/.../opends-replication-7958637258600693490.log
for a detailed log of this operation.

$ dsreplication initialize-all -I admin -w password -X -n -b dc=example,dc=com \
 -h opendj.example.com -p 4444

Initializing base DN dc=example,dc=com with the contents from
 opendj.example.com:4444: 160 entries processed (100 % complete).
Base DN initialized successfully.

See
/var/.../opends-replication-5020375834904394170.log
for a detailed log of this operation.
 

Name

encode-password — encode a password with an OpenDJ storage scheme

Synopsis

encode-password

Description

This utility can be used to encode user passwords with a specified storage scheme, or to determine whether a given clear-text value matches a provided encoded password.

Options

The encode-password command takes the following options:

Command options:

-a | --authPasswordSyntax

Use the authentication password syntax rather than the user password syntax.

Default: false

-c | --clearPassword {clearPW}

Clear-text password to encode or to compare against an encoded password.

-e | --encodedPassword {encodedPW}

Encoded password to compare against the clear-text password.

-E | --encodedPasswordFile {file}

Encoded password file.

-f | --clearPasswordFile {file}

Clear-text password file.

-i | --interactivePassword

The password to encode or to compare against an encoded password is interactively asked to the user.

Default: false

-l | --listSchemes

List available password storage schemes.

Default: false

-r | --useCompareResultCode

Use the LDAP compare result as an exit code for the password comparison.

Default: false

-s | --storageScheme {scheme}

Scheme to use for the encoded password.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

5

The -r option was used, and the compare did not match.

6

The -r option was used, and the compare did match.

other

An error occurred.

Examples

The following example encodes a password, and also shows comparison of a password with the encoded value.

$ encode-password -l
3DES
AES
BASE64
BLOWFISH
CLEAR
CRYPT
MD5
RC4
SHA
SMD5
SSHA
SSHA256
SSHA384
SSHA512

$ encode-password -c secret12 -s CRYPT
Encoded Password:  "{CRYPT}ZulJ6Dy3TFnrE"

$ encode-password -c secret12 -s CRYPT -e "{CRYPT}ZulJ6Dy3TFnrE" -r
The provided clear-text and encoded passwords match

$ echo $?
6
 

Name

export-ldif — export OpenDJ directory data in LDIF

Synopsis

export-ldif

Description

This utility can be used to export data from a Directory Server backend in LDIF form.

Options

The export-ldif command takes the following options:

Command options:

-a | --appendToLDIF

Append an existing LDIF file rather than overwriting it.

Default: false

-b | --includeBranch {branchDN}

Base DN of a branch to include in the LDIF export.

-B | --excludeBranch {branchDN}

Base DN of a branch to exclude from the LDIF export.

-c | --compress

Compress the LDIF data as it is exported.

Default: false

-e | --excludeAttribute {attribute}

Attribute to exclude from the LDIF export.

-E | --excludeFilter {filter}

Filter to identify entries to exclude from the LDIF export.

-i | --includeAttribute {attribute}

Attribute to include in the LDIF export.

-I | --includeFilter {filter}

Filter to identify entries to include in the LDIF export.

-l | --ldifFile {ldifFile}

Path to the LDIF file to be written.

-n | --backendID {backendName}

Backend ID for the backend to export.

-O | --excludeOperational

Exclude operational attributes from the LDIF export.

Default: false

--wrapColumn {wrapColumn}

Column at which to wrap long lines (0 for no wrapping).

Default: 0

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example exports data to a file, Example.ldif, with the server offline.

$ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif
... category=BACKEND severity=INFORMATION ...
...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)
 

Name

import-ldif — import OpenDJ directory data from LDIF

Synopsis

import-ldif

Description

This utility can be used to import LDIF data into a Directory Server backend.

Options

The import-ldif command takes the following options:

Command options:

-A | --templateFile {templateFile}

Path to a MakeLDIF template to use to generate the import data.

-b | --includeBranch {branchDN}

Base DN of a branch to include in the LDIF import.

-B | --excludeBranch {branchDN}

Base DN of a branch to exclude from the LDIF import.

-c | --isCompressed

LDIF file is compressed.

Default: false

--countRejects

Count the number of entries rejected by the server and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).

Default: false

-e | --excludeAttribute {attribute}

Attribute to exclude from the LDIF import.

-E | --excludeFilter {filter}

Filter to identify entries to exclude from the LDIF import.

-F | --clearBackend

Remove all entries for all base DNs in the backend before importing.

Default: false

-i | --includeAttribute {attribute}

Attribute to include in the LDIF import.

-I | --includeFilter {filter}

Filter to identify entries to include in the LDIF import.

-l | --ldifFile {ldifFile}

Path to the LDIF file to be imported.

-n | --backendID {backendName}

Backend ID for the backend to import.

-O | --overwrite

Overwrite an existing rejects and/or skip file rather than appending to it.

Default: false

-R | --rejectFile {rejectFile}

Write rejected entries to the specified file.

-s | --randomSeed {seed}

Seed for the MakeLDIF random number generator.

Default: 0

-S | --skipSchemaValidation

Skip schema validation during the LDIF import.

Default: false

--skipDNValidation

Perform DN validation during later part of LDIF import.

Default: false

--skipFile {skipFile}

Write skipped entries to the specified file.

--threadCount {count}

Number of threads used to read LDIF file during import. Default value (0) equals: 2 x (number of CPUs).

Default: 0

--tmpdirectory {directory}

Path to temporary directory for index scratch files during LDIF import.

Default: import-tmp

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode (no output).

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example exports data to a file, Example.ldif, with the server offline.

$ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif
... category=BACKEND severity=INFORMATION ...
...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)
 

Name

ldapcompare — perform LDAP compare operations

Synopsis

ldapcompare 'attribute:value' "DN" ...

Description

This utility can be used to perform LDAP compare operations in the Directory Server.

Options

The ldapcompare command takes the following options:

Command options:

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-c | --continueOnError

Continue processing even if there are errors.

Default: false

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-f | --filename {file}

File containing the DNs of the entries to compare.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

-m | --useCompareResultCode

Use the LDAP compare result as an exit code for the LDAP compare operations.

Default: false

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

-h | --hostname {host}

Directory server hostname or IP address.

Default: localhost

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

Default: 389

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTLS

Use StartTLS to secure communication with the server.

Default: false

-r | --useSASLExternal

Use the SASL EXTERNAL authentication mechanism.

Default: false

--trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-V | --ldapVersion {version}

LDAP protocol version number.

Default: 3

-w | --bindPassword {bindPassword}

Password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSSL

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-i | --encoding {encoding}

Use the specified character set for command-line input.

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-s | --script-friendly

Use script-friendly mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

--version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

5

The -m option was used, and at least one of the LDAP compare operations did not match.

6

The -m option was used, and all the LDAP compare operations did match.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389
 

Examples

The following examples demonstrate comparing Babs Jensen's UID.

The following example uses a matching UID value.

$ ldapcompare -p 1389 uid:bjensen uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value bjensen in entry
uid=bjensen,ou=people,dc=example,dc=com
Compare operation returned true for entry
uid=bjensen,ou=people,dc=example,dc=com
 

The following example uses a UID value that does not match.

$ ldapcompare -p 1389 uid:beavis uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value beavis in entry
uid=bjensen,ou=people,dc=example,dc=com
Compare operation returned false for entry
uid=bjensen,ou=people,dc=example,dc=com
 

Name

ldapdelete — perform LDAP delete operations

Synopsis

ldapdelete "DN"

Description

This utility can be used to perform LDAP delete operations in the Directory Server.

Options

The ldapdelete command takes the following options:

Command options:

-c | --continueOnError

Continue processing even if there are errors.

Default: false

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-f | --filename {file}

File containing the DNs of the entries to delete.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

-x | --deleteSubtree

Delete the specified entry and all entries below it.

Default: false

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

-h | --hostname {host}

Directory server hostname or IP address.

Default: localhost

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

Default: 389

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTLS

Use StartTLS to secure communication with the server.

Default: false

-r | --useSASLExternal

Use the SASL EXTERNAL authentication mechanism.

Default: false

--trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-V | --ldapVersion {version}

LDAP protocol version number.

Default: 3

-w | --bindPassword {bindPassword}

Password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSSL

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-i | --encoding {encoding}

Use the specified character set for command-line input.

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

--version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389
 

Examples

The following command deletes a user entry from the directory.

$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password \
 uid=bjensen,ou=people,dc=example,dc=com
Processing DELETE request for uid=bjensen,ou=people,dc=example,dc=com
DELETE operation successful for DN uid=bjensen,ou=people,dc=example,dc=com
 

The following command deletes the ou=Groups entry and all entries underneath ou=Groups.

$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password -x \
 ou=groups,dc=example,dc=com
Processing DELETE request for ou=groups,dc=example,dc=com
DELETE operation successful for DN ou=groups,dc=example,dc=com
 

Name

ldapmodify — perform LDAP modify, add, delete, mod DN operations

Synopsis

ldapmodify

Description

This utility can be used to perform LDAP modify, add, delete, and modify DN operations in the Directory Server.

Options

The ldapmodify command takes the following options:

Command options:

-a | --defaultAdd

Treat records with no changetype as add operations.

Default: false

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-c | --continueOnError

Continue processing even if there are errors.

Default: false

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-f | --filename {file}

LDIF file containing the changes to apply.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

--postReadAttributes {attrList}

Use the LDAP ReadEntry post-read control.

--preReadAttributes {attrList}

Use the LDAP ReadEntry pre-read control.

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

-E | --reportAuthzID

Use the authorization identity control.

Default: false

-h | --hostname {host}

Directory server hostname or IP address.

Default: localhost

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

Default: 389

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTLS

Use StartTLS to secure communication with the server.

Default: false

-r | --useSASLExternal

Use the SASL EXTERNAL authentication mechanism.

Default: false

--trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-V | --ldapVersion {version}

LDAP protocol version number.

Default: 3

-w | --bindPassword {bindPassword}

Password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSSL

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-i | --encoding {encoding}

Use the specified character set for command-line input.

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-v | --verbose

Use verbose mode.

Default: false

General options:

--version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389
 

Examples

The following example demonstrates use of the command to add an entry to the directory.

$ cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
facsimileTelephoneNumber: +1 408 555 1213
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
givenName: New
cn: New User
cn: Real Name
telephoneNumber: +1 408 555 1212
sn: Jensen
roomNumber: 1234
homeDirectory: /home/newuser
uidNumber: 10389
mail: newuser@example.com
l: South Pole
ou: Product Development
ou: People
gidNumber: 10636

$ ldapmodify -p 1389 -a -f newuser.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

The following listing shows a UNIX shell script that adds a user entry.

#!/bin/sh
#
# Add a new user with the ldapmodify utility.
#

usage(){
        echo "Usage: $0 uid firstname lastname"
        exit 1
}
[[ $# -lt 3 ]] && usage

LDAPMODIFY=/path/to/opendj/bin/ldapmodify
HOST=opendj.example.com
PORT=1389
ADMIN=uid=kvaughan,ou=people,dc=example,dc=com
PWD=bribery

$LDAPMODIFY -h $HOST -p $PORT -D $ADMIN -w $PWD -a <<EOF
dn: uid=$1,ou=people,dc=example,dc=com
uid: $1
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: $2 $3
givenName: $2
sn: $3
mail: $1@example.com
EOF
 

The following example demonstrates adding a Description attribute to the new user's entry.

$ cat newdesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: description
description: A new user's entry

$ ldapmodify -p 1389 -f newdesc.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

The following example demonstrates changing the Description attribute for the new user's entry.

$ cat moddesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Another description

$ ldapmodify -p 1389 -f moddesc.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

The following example demonstrates deleting the new user's entry.

$ cat deluser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: delete

$ ldapmodify -p 1389 -f deluser.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com
 

Name

ldappasswordmodify — perform LDAP password modifications

Synopsis

ldappasswordmodify

Description

This utility can be used to perform LDAP password modify operations in the Directory Server.

Options

The ldappasswordmodify command takes the following options:

Command options:

-a | --authzID {authzID}

Authorization ID for the user entry whose password should be changed. The authorization ID is a string having either the prefix "dn:" followed by the user's distinguished name, or the prefix "u:" followed by a user identifier that depends on the identity mapping used to match the user identifier to an entry in the directory. Examples include "dn:uid=bjensen,ou=People,dc=example,dc=com", and, if we assume that "bjensen" is mapped to Barbara Jensen's entry, "u:bjensen".

-A | --provideDNForAuthzID

Use the bind DN as the authorization ID for the password modify operation.

Default: false

-c | --currentPassword {currentPassword}

Current password for the target user.

-C | --currentPasswordFile {file}

Path to a file containing the current password for the target user.

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

-n | --newPassword {newPassword}

New password to provide for the target user.

-N | --newPasswordFile {file}

Path to a file containing the new password to provide for the target user.

LDAP connection options:

--certNickname {nickname}

Nickname of certificate for SSL client authentication.

-D | --bindDN {bindDN}

DN to use to bind to the server.

-h | --hostname {host}

Address of the Directory Server system.

Default: 127.0.0.1

-j | --bindPasswordFile {bindPasswordFile}

Path to a file containing the password to use to bind to the server.

-K | --keyStorePath {keyStorePath}

Path to the key store to use when establishing SSL/TLS communication with the server.

-p | --port {port}

Port on which the Directory Server listens for LDAP client connections.

Default: 389

-P | --trustStorePath {trustStorePath}

Path to the trust store to use when establishing SSL/TLS communication with the server.

-q | --useStartTLS

Use StartTLS to secure the communication with the Directory Server.

Default: false

--trustStorePassword {trustStorePassword}

The PIN needed to access the contents of the trust store.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Path to a file containing the PIN needed to access the contents of the key store.

-U | --trustStorePasswordFile {path}

Path to a file containing the PIN needed to access the contents of the trust store.

-w | --bindPassword {bindPassword}

Password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

The PIN needed to access the contents of the key store.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSSL

Use SSL to secure the communication with the Directory Server.

Default: false

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389
 

Examples

The following example demonstrates a user changing their own password.

$ cat /tmp/currpwd.txt /tmp/newpwd.txt
bribery
secret12

$ ldappasswordmodify -p 1389 -C /tmp/currpwd.txt -N /tmp/newpwd.txt \
-A -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
The LDAP password modify operation was successful
 

Name

ldapsearch — perform LDAP search operations

Synopsis

ldapsearch [filter] [attributes ...]

Description

This utility can be used to perform LDAP search operations in the Directory Server.

Options

The ldapsearch command takes the following options:

Command options:

-a | --dereferencePolicy {dereferencePolicy}

Alias dereference policy ('never', 'always', 'search', or 'find').

Default: never

-A | --typesOnly

Only retrieve attribute names but not their values.

Default: false

--assertionFilter {filter}

Use the LDAP assertion control with the provided filter.

-b | --baseDN {baseDN}

Search base DN.

-c | --continueOnError

Continue processing even if there are errors.

Default: false

-C | --persistentSearch ps[:changetype[:changesonly[:entrychgcontrols]]]

Use the persistent search control.

A persistent search allows the client to continue receiving new results whenever changes are made to data that is in the scope of the search, thus using the search as a form of change notification.

The optional changetype setting defines the kinds of updates that result in notification. If you do not set the changetype, the default behavior is to send notifications for all updates.

add

Send notifications for LDAP add operations.

del, delete

Send notifications for LDAP delete operations.

mod, modify

Send notifications for LDAP modify operations.

moddn, modrdn, modifydn

Send notifications for LDAP modify DN (rename and move) operations.

all, any

Send notifications for all LDAP update operations.

The optional changesonly setting defines whether the server returns existing entries as well as changes.

true

Do not return existing entries, but instead only notifications about changes.

This is the default setting.

false

Also return existing entries.

The optional entrychgcontrols setting defines whether the server returns an Entry Change Notification control with each entry notification. The Entry Change Notification control provides additional information about the change that caused the entry to be returned by the search. In particular, it indicates the change type, the change number if available, and the previous DN if the change type was a modify DN operation.

true

Do request the Entry Change Notification control.

This is the default setting.

false

Do not request the Entry Change Notification control.

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

--countEntries

Count the number of entries returned by the server.

Default: false

-e | --getEffectiveRightsAttribute {attribute}

Specifies geteffectiverights control specific attribute list.

-f | --filename {file}

File containing a list of search filter strings.

-g | --getEffectiveRightsAuthzid {authzID}

Use geteffectiverights control with the provided authzid.

-G | --virtualListView {before:after:index:count | before:after:value}

Use the virtual list view control to retrieve the specified results page.

-J | --control {controloid[:criticality[:value|::b64value|:<filePath]]}

Use a request control with the provided information.

For some controloid values, you can replace object identifiers with user-friendly strings. The strings are listed here in lower case, but the case is not important. You can use camelCase if you prefer, for example.

accountusable, accountusability

Account Usability Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.8

authzid, authorizationidentity

Authorization Identity Request Control, Object Identifier: 2.16.840.1.113730.3.4.16

effectiverights, geteffectiverights

Get Effective Rights Request Control, Object Identifier: 1.3.6.1.4.1.42.2.27.9.5.2

managedsait

Manage DSAIT Request Control, Object Identifier: 2.16.840.1.113730.3.4.2

noop, no-op

No-Op Control, Object Identifier: 1.3.6.1.4.1.4203.1.10.2

pwpolicy, passwordpolicy

Password Policy Control, Object Identifier: 1.3.6.1.4.1.42.2.27.8.5.1

realattrsonly, realattributesonly

Real Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.17

subtreedelete, treedelete

Subtree Delete Request Control, Object Identifier: 1.2.840.113556.1.4.805

virtualattrsonly, virtualattributesonly

Virtual Attributes Only Request Control, Object Identifier: 2.16.840.1.113730.3.4.19

-l | --timeLimit {timeLimit}

Maximum length of time in seconds to allow for the search.

Default: 0

--matchedValuesFilter {filter}

Use the LDAP matched values control with the provided filter.

-n | --dry-run

Show what would be done but do not perform any operation.

Default: false

-s | --searchScope {searchScope}

Search scope ('base', 'one', 'sub', or 'subordinate'). Note: 'subordinate' is an LDAP extension that might not work with all LDAP servers.

Default: sub

-S | --sortOrder {sortOrder}

Sort the results using the provided sort order.

--simplePageSize {numEntries}

Use the simple paged results control with the given page size.

Default: 1000

--subEntries

Use subentries control to specify that subentries are visible and normal entries are not.

Default: false

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

-z | --sizeLimit {sizeLimit}

Maximum number of entries to return from the search.

Default: 0

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

-E | --reportAuthzID

Use the authorization identity control.

Default: false

-h | --hostname {host}

Directory server hostname or IP address.

Default: localhost

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server port number.

Default: 389

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-q | --useStartTLS

Use StartTLS to secure communication with the server.

Default: false

-r | --useSASLExternal

Use the SASL EXTERNAL authentication mechanism.

Default: false

--trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

--usePasswordPolicyControl

Use the password policy request control.

Default: false

-V | --ldapVersion {version}

LDAP protocol version number.

Default: 3

-w | --bindPassword {bindPassword}

Password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

-Z | --useSSL

Use SSL for secure communication with the server.

Default: false

Utility input/output options:

-i | --encoding {encoding}

Use the specified character set for command-line input.

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-T | --dontWrap

Do not wrap long lines.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

--version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Filters

The filter argument is a string representation of an LDAP search filter as in (cn=Babs Jensen), (&(objectClass=Person)(|(sn=Jensen)(cn=Babs J*))), or (cn:caseExactMatch:=Fred Flintstone).

Attributes

The optional attribute list specifies the attributes to return in the entries found by the search. In addition to identifying attributes by name such as cn sn mail and so forth, you can use the following notations, too.

*

Return all user attributes such as cn, sn, and mail.

+

Return all operational attributes such as etag and pwdPolicySubentry.

@objectclass

Return all attributes of the specified object class, where objectclass is one of the object classes on the entries returned by the search.

1.1

Return no attributes, only the DNs of matching entries.

Exit Codes

0

The command completed successfully.

ldap-error

An LDAP error occurred while processing the operation.

LDAP result codes are described in RFC 4511. Also see the additional information for details.

89

An error occurred while parsing the command-line arguments.

Files

You can use ~/.opendj/tools.properties to set the defaults for bind DN, host name, and port number as in the following example.

hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com

ldapcompare.port=1389
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389
 

Examples

The following example searches for entries with UID containing jensen, returning only DNs and uid values.

$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid
dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen

dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen

dn: uid=gjensen,ou=People,dc=example,dc=com
uid: gjensen

dn: uid=jjensen,ou=People,dc=example,dc=com
uid: jjensen

dn: uid=kjensen,ou=People,dc=example,dc=com
uid: kjensen

dn: uid=rjensen,ou=People,dc=example,dc=com
uid: rjensen

dn: uid=tjensen,ou=People,dc=example,dc=com
uid: tjensen


Result Code:  0 (Success)
 

You can also use @objectclass notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the inetOrgPerson object class.

$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson
dn: uid=bjensen,ou=People,dc=example,dc=com
givenName: Barbara
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
cn: Barbara Jensen
cn: Babs Jensen
telephoneNumber: +1 408 555 1862
sn: Jensen
roomNumber: 0209
mail: bjensen@example.com
l: San Francisco
ou: Product Development
ou: People
facsimileTelephoneNumber: +1 408 555 1992
 

You can use + in the attribute list to return all operational attributes, as in the following example.

$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +
dn: uid=bjensen,ou=People,dc=example,dc=com
numSubordinates: 0
structuralObjectClass: inetOrgPerson
etag: 0000000073c29972
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=bjensen,ou=people,dc=example,dc=com
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c
 

Name

ldif-diff — compare small LDIF files

Synopsis

ldif-diff

Description

This utility can be used to compare two LDIF files and report the differences in LDIF format.

Options

The ldif-diff command takes the following options:

Command options:

-a | --ignoreAttrs {file}

File containing a list of attributes to ignore when computing the difference.

--checkSchema

Takes into account the syntax of the attributes as defined in the schema to make the value comparison. The provided LDIF files must be conform to the server schema.

Default: false

-e | --ignoreEntries {file}

File containing a list of entries (DN) to ignore when computing the difference.

-o | --outputLDIF {file}

File to which the output should be written.

-O | --overwriteExisting

Any existing output file should be overwritten rather than appending to it.

Default: false

-r | --useCompareResultCode

Use the LDAP compare result as an exit code for reporting differences between the two LDIF files.

Default: false

-s | --sourceLDIF {file}

LDIF file to use as the source data.

-S | --singleValueChanges

Each attribute-level change should be written as a separate modification per attribute value rather than one modification per entry.

Default: false

-t | --targetLDIF {file}

LDIF file to use as the target data.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

5

The -r option was used, and the compare did not match.

6

The -r option was used, and the compare did match.

other

An error occurred.

Examples

The following example demonstrates use of the command with two small LDIF files.

$ cat /path/to/newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme

$ cat /path/to/neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: secret12
description: A new description.

$ ldif-diff -s /path/to/newuser.ldif -t /path/to/neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: secret12
-
delete: userPassword
userPassword: changeme
-
add: description
description: A new description.
 

Name

ldifmodify — apply LDIF changes to LDIF

Synopsis

ldifmodify

Description

This utility can be used to apply a set of modify, add, and delete operations against data in an LDIF file.

Options

The ldifmodify command takes the following options:

Command options:

-m | --changesLDIF {ldifFile}

LDIF file containing the changes to apply.

-s | --sourceLDIF {ldifFile}

LDIF file containing the data to be updated.

-t | --targetLDIF {ldifFile}

File to which the updated data should be written.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example demonstrates use of the command.

$ cat /path/to/newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme

$ cat /path/to/newdiff.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: secret12
-
delete: userPassword
userPassword: changeme
-
add: description
description: A new description.

$ ldifmodify -s /path/to/newuser.ldif -m /path/to/newdiff.ldif -t neweruser.ldif

$ cat neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
cn: New User
sn: User
ou: People
mail: newuser@example.com
userPassword: secret12
description: A new description.
 

Name

ldifsearch — search LDIF with LDAP filters

Synopsis

ldifsearch [filter] [attributes ...]

Description

This utility can be used to perform search operations against data in an LDIF file.

Options

The ldifsearch command takes the following options:

Command options:

-b | --baseDN {baseDN}

The base DN for the search. Multiple base DNs may be specified by providing the option multiple times. If no base DN is provided, then the root DSE will be used.

Default:

-f | --filterFile {filterFile}

The path to the file containing the search filter(s) to use. If this is not provided, then the filter must be provided on the command line after all configuration options.

-l | --ldifFile {ldifFile}

LDIF file containing the data to search. Multiple files may be specified by providing the option multiple times. If no files are provided, the data will be read from standard input.

-o | --outputFile {outputFile}

The path to the output file to which the matching entries should be written. If this is not provided, then the data will be written to standard output.

-O | --overwriteExisting

Any existing output file should be overwritten rather than appending to it.

Default: false

-s | --searchScope {scope}

The scope for the search. It must be one of 'base', 'one', 'sub', or 'subordinate'. If it is not provided, then 'sub' will be used.

Default: sub

-t | --timeLimit {timeLimit}

Maximum length of time (in seconds) to spend processing.

Default: 0

-z | --sizeLimit {sizeLimit}

Maximum number of matching entries to return.

Default: 0

Utility input/output options:

-T | --dontWrap

Long lines should not be wrapped.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example demonstrates use of the command.

$ ldifsearch -b dc=example,dc=com /path/to/Example.ldif uid=bjensen
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
userpassword: hifalutin
facsimiletelephonenumber: +1 408 555 1992
givenname: Barbara
cn: Barbara Jensen
cn: Babs Jensen
telephonenumber: +1 408 555 1862
sn: Jensen
roomnumber: 0209
homeDirectory: /home/bjensen
mail: bjensen@example.com
l: San Francisco
ou: Product Development
ou: People
uidNumber: 1076
gidNumber: 1000
 

You can also use @objectclass notation in the attribute list to return the attributes of a particular object class. The following example shows how to return attributes of the posixAccount object class.

$ ldifsearch --ldifFile /path/to/Example.ldif \
 --baseDN dc=example,dc=com "(uid=bjensen)" @posixaccount
dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uid: bjensen
userpassword: hifalutin
cn: Barbara Jensen
cn: Babs Jensen
homeDirectory: /home/bjensen
uidNumber: 1076
gidNumber: 1000
 

Name

list-backends — list OpenDJ backends and base DNs

Synopsis

list-backends

Description

This utility can be used to list the backends and base DNs configured in the Directory Server.

Options

The list-backends command takes the following options:

Command options:

-b | --baseDN {baseDN}

Base DN for which to list the backend ID.

-n | --backendID {backendName}

Backend ID of the backend for which to list the base DNs.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example demonstrates a successful run.

$ list-backends
Backend ID         : Base DN
-------------------:----------------------
adminRoot          : cn=admin data
ads-truststore     : cn=ads-truststore
backup             : cn=backups
config             : cn=config
monitor            : cn=monitor
myCompanyRoot      : "dc=myCompany,dc=com"
myOrgRoot          : o=myOrg
schema             : cn=schema
tasks              : cn=tasks
userRoot           : "dc=example,dc=com"
 

Name

make-ldif — generate test LDIF

Synopsis

make-ldif

Description

This utility can be used to generate LDIF data based on a definition in a template file.

Options

The make-ldif command takes the following options:

Command options:

-o | --ldifFile {file}

The path to the LDIF file to be written.

-s | --randomSeed {seed}

The seed to use to initialize the random number generator.

Default: 0

-t | --templateFile {file}

The path to the template file with information about the LDIF data to generate.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example uses the default template to generate LDIF.

$ make-ldif -t ../config/MakeLDIF/example.template -o ../ldif/generated.ldif
Processed 1000 entries
Processed 2000 entries
...
Processed 10000 entries
LDIF processing complete.  10003 entries written
 

Name

make-ldif.template — template file for the make-ldif command

Synopsis

# Comment lines start with #.
#
# Notice that this synopsis includes blank lines after entries.
# In the same way you would use blank lines after entries in normal LDIF,
# leave empty lines after "entries" in template files.

# Optionally include classes that define custom tags.
# Custom tag classes extend org.opends.server.tools.makeldif.Tag and
# must be on the class path when you run make-ldif.
#
include custom.makeldif.tag.ClassName
...

# Optionally define constants used in the template.
# To reference constants later, put brackets around the name: [constant-name]
#
define constant-name=value
...

# Define branches by suffix DN, such as the following:
#
#  dc=example,dc=com
#  ou=People,dc=example,dc=com
#  ou=Groups,dc=example,dc=com
#
# make-ldif generates the necessary object class definitions and RDNs.
#
# A branch can have subordinateTemplates that define templates to use for
# the branch entry.
#
# A branch can have additional attributes generated on the branch entry. See
# the Description below for more information on specifying attribute values.
#
branch: suffix-dn
[subordinateTemplate: template-name:number
...]
[attribute: attr-value
...]

...

# Define entries using templates.
#
# A template can extend another template.
# A template defines the RDN attribute(s) used for generated entries.
# A template can have a subordinateTemplate that defines a template to use for
# the generated entries.
#
# A template then defines attributes. See the Description below for more
# information on specifying attribute values.
#
template: template-name
[extends: template-name]
rdnAttr: attribute[+attribute ...]
[subordinateTemplate: template-name:number]
[attribute: attr-value
...]

...

Description

Template files specify how to build LDIF. They allow you to define variables, insert random values from other files, and generally build arbitrarily large LDIF files for testing purposes. You pass template files to the make-ldif command when generating LDIF.

The Synopsis above shows the layout for a make-ldif template file. This section focuses on what you can do to specify entry attribute values, called attr-value in the Synopsis section.

Specifying Attribute Values

When specifying attribute values in make-ldif templates, you can use static text and constants that you have defined, enclosing names for constants in brackets, [myConstant]. You can use more than one constant per line, as in the following example.

description: Description for [org] under [suffix]

You can also use two kinds of tags when specifying attribute values. One kind of tag gets replaced with the value of another attribute in the generated entry. Such tags are delimited with braces, { }. For example, if your template includes definitions for first name and last name attributes:

givenName: <first>
sn: <last>

Then you can define a mail attribute that uses the values of both attributes, and an initials attribute that takes the first character of each.

mail: {givenName}.{sn}@[myDomain]
initials: {givenName:1}{sn:1}

The other kind of tag is delimited with < and >, as shown above in the example with <first> and <last>. Tag names are not case sensitive. Many tags can take arguments separated by colons, :, from the tag names within the tag.

Use backslashes to escape literal start tag characters (< [ {) as shown in the following example, and to escape literal end tag characters within tags (> ] }).

scimMail: \{"emails": \[\{"value": "{mail}", "type": "work", "primary": true}]}
xml: \<id>{uid}\</id>

OpenDJ supports the following tags.

<DN>

The DN tag gets replaced by the distinguished name of the current entry. An optional integer argument specifies the subcomponents of the DN to generate. For example, if the DN of the entry is uid=bjensen,ou=People,dc=example,dc=com <DN:1> gets replaced by uid=bjensen, and <DN:-2> gets replaced by dc=example,dc=com.

<File>

The File tag gets replaced by a line from a text file you specify. The File tag takes a required argument, the path to the text file, and an optional second argument, either random or sequential. For the file argument, either you specify an absolute path to the file such as <file:/path/to/myDescriptions>, or you specify a path relative to the /path/to/opendj/config/MakeLDIF/ directory such as <file:streets>. For the second argument, if you specify sequential then lines from the file are read in sequential order. Otherwise, lines from the file are read in random order.

<First>

The first name tag gets replaced by a random line from /path/to/opendj/config/MakeLDIF/first.names. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available.

<GUID>

The GUID tag gets replaced by a 128-bit, type 4 (random) universally unique identifier such as f47ac10b-58cc-4372-a567-0e02b2c3d479.

<IfAbsent>

The IfAbsent tag takes as its first argument the name of another attribute, and optionally as its second argument a value to use. This tag causes the attribute to be generated only if the named attribute is not present on the generated entry. Use this tag when you have used <Presence> to define another attribute that is not always present on generated entries.

<IfPresent>

The IfPresent takes as its first argument the name of another attribute, and optionally as its second argument a value to use. This tag causes the attribute to be generated only if the named attribute is also present on the generated entry. Use this tag when you have used <Presence> to define another attribute that is sometimes present on generated entries.

<Last>

The last name tag gets replaced by a random line from /path/to/opendj/config/MakeLDIF/last.names. Combinations of generated first and last names are unique, with integers appended to the name strings if not enough combinations are available.

<List>

The List tag gets replaced by one of the values from the list of arguments you provide. For example, <List:bronze:silver:gold> gets replaced with bronze, silver, or gold.

You can weight arguments to ensure some arguments are selected more often than others. For example, if you want two bronze for one silver and one gold, use <List:bronze;2:silver;1:gold;1>.

<ParentDN>

The ParentDN tag gets replaced by the distinguished name of the parent entry. For example, if the DN of the entry is uid=bjensen,ou=People,dc=example,dc=com, <ParentDN> gets replaced by ou=People,dc=example,dc=com.

<Presence>

The Presence tag takes a percent argument. It does not get replaced by a value itself, but instead results in the attribute being generated on the percentage of entries you specify in the argument. For example, description: <Presence:50>A description generates description: A description on half the entries.

<Random>

The Random tag lets you generate a variety of random numbers and strings. The Random tag has the following subtypes, which you include as arguments, that is <Random:subtype>.

  • alpha:length

  • alpha:minlength:maxlength

  • numeric:length

  • numeric:minvalue:maxvalue

  • numeric:minvalue:maxvalue:format, where format is a java.text.DecimalFormat pattern

  • alphanumeric:length

  • alphanumeric:minlength:maxlength

  • chars:characters:length

  • chars:characters:minlength:maxlength

  • hex:length

  • hex:minlength:maxlength

  • base64:length

  • base64:minlength:maxlength

  • month

  • month:maxlength

  • telephone, a telephone number starting with the country code +1

<RDN>

The RDN tag gets replaced with the RDN of the entry. Use this in the template after you have specified rdnAttr so that the RDN has already been generated when this tag is replaced.

An optional integer argument specifies the subcomponents of the RDN to generate.

<Sequential>

The Sequential tag gets replaced by a sequentially increasing generated integer. The first optional integer argument specifies the starting number. The second optional boolean argument specifies whether to start over when generating entries for a new parent entry. For example, <Sequential>:42:true starts counting from 42, and starts over when the parent entry changes from o=Engineering to o=Marketing.

<_DN>

The _DN tag gets replaced by the DN of the current entry with underscores in the place of commas.

<_ParentDN>

The _ParentDN tag gets replaced by the DN the parent entry with underscores in the place of commas.

Examples

The following example generates 10 organization units, each containing 50 entries.

define suffix=dc=example,dc=com
define maildomain=example.com
define numusers=50
define numorgs=10

branch: [suffix]

branch: ou=People,[suffix]
subordinateTemplate: orgunit:[numorgs]
description: This is the People container
telephoneNumber: +33 00010002

template: orgunit
subordinateTemplate: person:[numusers]
rdnAttr: ou
ou: Org-<sequential:0>
objectClass: top
objectClass: organizationalUnit
description: This is the {ou} organizational unit

template: person
rdnAttr: uid
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
givenName: <first>
sn: <last>
cn: {givenName} {sn}
initials: {givenName:1}<random:chars:ABCDEFGHIJKLMNOPQRSTUVWXYZ:1>{sn:1}
employeeNumber: <sequential:0>
uid: user.{employeeNumber}
mail: {uid}@[maildomain]
userPassword: password
telephoneNumber: <random:telephone>
homePhone: <random:telephone>
pager: <random:telephone>
mobile: <random:telephone>
street: <random:numeric:5> <file:streets> Street
l: <file:cities>
st: <file:states>
postalCode: <random:numeric:5>
postalAddress: {cn}${street}${l}, {st}  {postalCode}
description: This is the description for {cn}.

See Also

make-ldif(1), the OpenDJ directory server template file /path/to/opendj/config/MakeLDIF/example.template


Name

manage-account — manage state of OpenDJ server accounts

Synopsis

manage-account {subcommand} {options}

Description

This utility can be used to retrieve and manipulate the values of password policy state variables.

Options

The manage-account command takes the following options:

Command options:

-b | --targetDN {targetDN}

The DN of the user entry for which to get and set password policy state information.

LDAP connection options:

-D | --bindDN {bindDN}

The DN to use to bind to the server.

-h | --hostname {host}

Directory server hostname or IP address.

Default: 127.0.0.1

-j | --bindPasswordFile {bindPasswordFile}

The path to the file containing the bind password.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

The password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Subcommands

The manage-account command supports the following subcommands:

manage-account clear-account-is-disabled

Clear account disabled state information from the user account.

manage-account get-account-expiration-time

Display when the user account will expire.

manage-account get-account-is-disabled

Display information about whether the user account has been administratively disabled.

manage-account get-all

Display all password policy state information for the user.

manage-account get-authentication-failure-times

Display the authentication failure times for the user.

manage-account get-grace-login-use-times

Display the grace login use times for the user.

manage-account get-last-login-time

Display the time that the user last authenticated to the server.

manage-account get-password-changed-by-required-time

Display the required password change time with which the user last complied.

manage-account get-password-changed-time

Display the time that the user's password was last changed.

manage-account get-password-expiration-warned-time

Display the time that the user first received an expiration warning notice.

manage-account get-password-history

Display password history state values for the user.

manage-account get-password-is-reset

Display information about whether the user will be required to change his or her password on the next successful authentication.

manage-account get-password-policy-dn

Display the DN of the password policy for the user.

manage-account get-remaining-authentication-failure-count

Display the number of remaining authentication failures until the user's account is locked.

manage-account get-remaining-grace-login-count

Display the number of grace logins remaining for the user.

manage-account get-seconds-until-account-expiration

Display the length of time in seconds until the user account expires.

manage-account get-seconds-until-authentication-failure-unlock

Display the length of time in seconds until the authentication failure lockout expires.

manage-account get-seconds-until-idle-lockout

Display the length of time in seconds until user's account is locked because it has remained idle for too long.

manage-account get-seconds-until-password-expiration

Display length of time in seconds until the user's password expires.

manage-account get-seconds-until-password-expiration-warning

Display the length of time in seconds until the user should start receiving password expiration warning notices.

manage-account get-seconds-until-password-reset-lockout

Display the length of time in seconds until user's account is locked because the user failed to change the password in a timely manner after an administrative reset.

manage-account get-seconds-until-required-change-time

Display the length of time in seconds that the user has remaining to change his or her password before the account becomes locked due to the required change time.

manage-account set-account-is-disabled

Specify whether the user account has been administratively disabled.

Options

The manage-account set-account-is-disabled command takes the following options:

-O | --operationValue {true|false}

'true' to indicate that the account is disabled, or 'false' to indicate that it is not disabled.

Exit Codes

0

The command completed successfully.

89

An error occurred while parsing the command-line arguments.

Examples

For the following examples the directory admin user, Kirsten Vaughan, has ds-privilege-name: password-reset and the following ACI on ou=People,dc=example,dc=com.

(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
 version 3.0;acl "Admins can run amok"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
 

The following command locks a user account.

$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery set-account-is-disabled -O true \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  true
 

The following command unlocks a user account.

$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery clear-account-is-disabled \
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  false
 

Name

manage-tasks — manage OpenDJ server administration tasks

Synopsis

manage-tasks

Description

This utility can be used to obtain a list of tasks scheduled to run within the Directory Server as well as information about individual tasks.

Options

The manage-tasks command takes the following options:

Command options:

-c | --cancel {taskID}

ID of a particular task to cancel.

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-i | --info {taskID}

ID of a particular task about which this tool will display information.

-s | --summary

Print a summary of tasks.

Default: false

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example demonstrates use of the command with a server that does daily backups at 2:00 AM.

$ manage-tasks -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
 -w password -s

  ID                                Type    Status
  ---------------------------------------------------------------
  example-backup                    Backup  Recurring
  example-backup-20110622020000000  Backup  Waiting on start time
 

Name

rebuild-index — rebuild index after configuration change

Synopsis

rebuild-index

Description

This utility can be used to rebuild index data within an indexed backend database.

Options

The rebuild-index command takes the following options:

Command options:

-b | --baseDN {baseDN}

Base DN of a backend supporting indexing. Rebuild is performed on indexes within the scope of the given base DN.

--clearDegradedState

Indicates that indexes do not need rebuilding because they are known to be empty and forcefully marks them as valid. This is an advanced option which must only be used in cases where a degraded index is known to be empty and does not therefore need rebuilding. This situation typically arises when an index is created for an attribute which has just been added to the schema.

Default: false

-i | --index {index}

Names of index(es) to rebuild. For an attribute index this is simply an attribute name. At least one index must be specified for rebuild. Cannot be used with the "--rebuildAll" option.

--rebuildAll

Rebuild all indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildDegraded" option.

Default: false

--rebuildDegraded

Rebuild all degraded indexes, including any DN2ID, DN2URI, VLV and extensible indexes. Cannot be used with the "-i" option or the "--rebuildAll" option.

Default: false

--tmpdirectory {directory}

Path to temporary directory for index scratch files during index rebuilding.

Default: import-tmp

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example schedules a task to start immediately that rebuilds the cn (common name) index.

$ rebuild-index -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
 -w password -b dc=example,dc=com -i cn -t 0
Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM
 

Name

restore — restore OpenDJ directory data backups

Synopsis

restore

Description

This utility can be used to restore a backup of a Directory Server backend.

Options

The restore command takes the following options:

Command options:

-d | --backupDirectory {backupDir}

Path to the directory containing the backup file(s).

-I | --backupID {backupID}

Backup ID of the backup to restore.

-l | --listBackups

List available backups in the backup directory.

Default: false

-n | --dry-run

Verify the contents of the backup but do not restore it.

Default: false

Task Backend Connection Options

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Task Scheduling Options

--completionNotify {emailAddress}

Email address of a recipient to be notified when the task completes. This option may be specified more than once.

--dependency {taskID}

ID of a task upon which this task depends. A task will not start execution until all its dependencies have completed execution.

--errorNotify {emailAddress}

Email address of a recipient to be notified if an error occurs when this task executes. This option may be specified more than once.

--failedDependencyAction {action}

Action this task will take should one if its dependent tasks fail. The value must be one of PROCESS,CANCEL,DISABLE. If not specified defaults to CANCEL.

--recurringTask {schedulePattern}

Indicates the task is recurring and will be scheduled according to the value argument expressed in crontab(5) compatible time/date pattern.

-t | --start {startTime}

Indicates the date/time at which this operation will start when scheduled as a server task expressed in YYYYMMDDhhmmssZ format for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the task to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example schedules a restore as a task to begin immediately while OpenDJ directory server is online.

$ restore -p 4444 -D "cn=Directory Manager" -w password
 -d /path/to/opendj/bak -I 20110613080032 -t 0
Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST
 

The following example restores data while OpenDJ is offline.

$ stop-ds
Stopping Server...
...

$ restore --backupDirectory /path/to/opendj/bak/userRoot \
 --listBackups
Backup ID:          20120928102414Z
Backup Date:        28/Sep/2012:12:24:17 +0200
Is Incremental:     false
Is Compressed:      false
Is Encrypted:       false
Has Unsigned Hash:  false
Has Signed Hash:    false
Dependent Upon:     none

$ restore --backupDirectory /path/to/opendj/bak/userRoot \
 --backupID 20120928102414Z
[28/Sep/2012:12:26:20 +0200] ... msg=Restored: 00000000.jdb (size 355179)

$ start-ds
[28/Sep/2012:12:27:29 +0200] ... The Directory Server has started successfully
 

Name

setup — install OpenDJ directory server

Synopsis

setup

Description

This utility can be used to setup the Directory Server.

Options

The setup command takes the following options:

Command options:

-a | --addBaseEntry

Indicates whether to create the base entry in the Directory Server database.

Default: false

--acceptLicense

Automatically accepts the product license (if present).

Default: false

--adminConnectorPort {port}

Port on which the Administration Connector should listen for communication.

Default: 4444

-b | --baseDN {baseDN}

Base DN for user information in the Directory Server. Multiple base DNs may be provided by using this option multiple times.

-d | --sampleData {numEntries}

Specifies that the database should be populated with the specified number of sample entries.

Default: 0

-D | --rootUserDN {rootUserDN}

DN for the initial root user for the Directory Server.

Default: cn=Directory Manager

--generateSelfSignedCertificate

Generate a self-signed certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

Default: false

-h | --hostname {host}

The fully-qualified directory server host name that will be used when generating self-signed certificates for LDAP SSL/StartTLS, the administration connector, and replication.

Default: localhost.localdomain

-i | --cli

Use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified.

Default: false

-j | --rootUserPasswordFile {rootUserPasswordFile}

Path to a file containing the password for the initial root user for the Directory Server.

-l | --ldifFile {ldifFile}

Path to an LDIF file containing data that should be added to the Directory Server database. Multiple LDIF files may be provided by using this option multiple times.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-O | --doNotStart

Do not start the server when the configuration is completed.

Default: false

-p | --ldapPort {port}

Port on which the Directory Server should listen for LDAP communication.

Default: 1389

-q | --enableStartTLS

Enable StartTLS to allow secure communication with the server using the LDAP port.

Default: false

-R | --rejectFile {rejectFile}

Write rejected entries to the specified file.

-S | --skipPortCheck

Skip the check to determine whether the specified ports are usable.

Default: false

--skipFile {skipFile}

Write skipped entries to the specified file.

-t | --backendType {backendType}

The type of the userRoot backend.

Default: Depends on the distribution

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate.

--useJavaKeystore {keyStorePath}

Path of a Java Key Store (JKS) containing a certificate to be used as the server certificate.

--useJCEKS {keyStorePath}

Path of a JCEKS containing a certificate to be used as the server certificate.

--usePkcs11Keystore

Use a certificate in a PKCS#11 token that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

Default: false

--usePkcs12keyStore {keyStorePath}

Path of a PKCS#12 key store containing the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-w | --rootUserPassword {rootUserPassword}

Password for the initial root user for the Directory Server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate (JKS, JCEKS, PKCS#12 or PKCS#11) as server certificate.

-x | --jmxPort {jmxPort}

Port on which the Directory Server should listen for JMX communication.

Default: 1689

-Z | --ldapsPort {port}

Port on which the Directory Server should listen for LDAPS communication. The LDAPS port will be configured and SSL will be enabled only if this argument is explicitly specified.

Default: 1636

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following command installs OpenDJ directory server, enabling StartTLS and importing 100 example entries without interaction.

$ /path/to/opendj/setup --cli -b dc=example,dc=com -d 100 \
 -D "cn=Directory Manager" -w password -h opendj.example.com -p 1389 \
 --generateSelfSignedCertificate --enableStartTLS -n

OpenDJ version
 Please wait while the setup program initializes...

See /var/.../opends-setup-484...561.log for a detailed log of this operation.

Configuring Directory Server ..... Done.
Configuring Certificates ..... Done.
Importing Automatically-Generated Data (100 Entries) ......... Done.
Starting Directory Server .......... Done.

To see basic server configuration status and configuration you can launch
 /path/to/opendj/bin/status
 

Name

start-ds — start OpenDJ directory server

Synopsis

start-ds

Description

This utility can be used to start the Directory Server, as well as to obtain the server version and other forms of general server information.

Options

The start-ds command takes the following options:

Command options:

-L | --useLastKnownGoodConfig

Attempt to start using the configuration that was in place at the last successful startup (if it is available) rather than using the current active configuration.

Default: false

-N | --nodetach

Do not detach from the terminal and continue running in the foreground. This option cannot be used with the -t, --timeout option.

Default: false

-s | --systemInfo

Display general system information.

Default: false

-t | --timeout {seconds}

Maximum time (in seconds) to wait before the command returns (the server continues the startup process, regardless). A value of '0' indicates an infinite timeout, which means that the command returns only when the server startup is completed. The default value is 60 seconds. This option cannot be used with the -N, --nodetach option.

Default: 200

Utility input/output options:

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following command starts the server without displaying information about the startup process.

$ start-ds -Q
 

Name

status — display basic OpenDJ server information

Synopsis

status {options}

Description

This utility can be used to display basic server information.

Options

The status command takes the following options:

Command options:

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

Default: cn=Directory Manager

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-r | --refresh {period}

When this argument is specified, the status command will display its contents periodically. Used to specify the period (in seconds) between two displays of the status.

-s | --script-friendly

Use script-friendly mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

$ status -D "cn=Directory Manager" -w password

          --- Server Status ---
Server Run Status:        Started
Open Connections:         1

          --- Server Details ---
Host Name:                localhost.localdomain
Administrative Users:     cn=Directory Manager
Installation Path:        /path/to/opendj
Version:                  OpenDJ version
Java Version:             version
Administration Connector: Port 4444 (LDAPS)

          --- Connection Handlers ---
Address:Port : Protocol    : State
-------------:-------------:---------
--           : LDIF        : Disabled
8989         : Replication : Enabled
0.0.0.0:161  : SNMP        : Disabled
0.0.0.0:636  : LDAPS       : Disabled
0.0.0.0:1389 : LDAP        : Enabled
0.0.0.0:1689 : JMX         : Disabled

          --- Data Sources ---
Base DN:                      dc=example,dc=com
Backend ID:                   userRoot
Entries:                      160
Replication:                  Enabled
Missing Changes:              0
Age of Oldest Missing Change: <not available>

Base DN:     dc=myCompany,dc=com
Backend ID:  myCompanyRoot
Entries:     3
Replication: Disabled

Base DN:     o=myOrg
Backend ID:  myOrgRoot
Entries:     3
Replication: Disabled
 

Name

stop-ds — stop OpenDJ directory server

Synopsis

stop-ds

Description

This utility can be used to request that the Directory Server stop running or perform a restart. When run without connection options, this utility sends a signal to the OpenDJ process to stop the server. When run with connection options, this utility connects to the OpenDJ administration port and creates a shutdown task to stop the server.

Options

The stop-ds command takes the following options:

Command options:

-r | --stopReason {stopReason}

Reason the server is being stopped or restarted.

-R | --restart

Attempt to automatically restart the server once it has stopped.

Default: false

-t | --stopTime {stopTime}

Indicates the date/time at which the shutdown operation will begin as a server task expressed in format YYYYMMDDhhmmssZ for UTC time or YYYYMMDDhhmmss for local time. A value of '0' will cause the shutdown to be scheduled for immediate execution. When this option is specified the operation will be scheduled to start at the specified time after which this utility will exit immediately.

-Y | --proxyAs {authzID}

Use the proxied authorization control with the given authorization ID.

LDAP connection options:

-D | --bindDN {bindDN}

DN to use to bind to the server.

-h | --hostname {host}

Directory server hostname or IP address.

Default: 127.0.0.1

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of certificate for SSL client authentication.

-o | --saslOption {name=value}

SASL bind options.

-p | --port {port}

Directory server administration port number.

Default: 4444

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following example restarts OpenDJ directory server.

$ stop-ds --restart
Stopping Server...

...The Directory Server has started successfully
 

Name

uninstall — remove OpenDJ directory server software

Synopsis

uninstall {options}

Description

This utility can be used to uninstall the Directory Server.

Options

The uninstall command takes the following options:

Command options:

-a | --remove-all

Remove all components of the server (this option is not compatible with the rest of remove options).

Default: false

-b | --backup-files

Remove backup files.

Default: false

-c | --configuration-files

Remove configuration files.

Default: false

--connectTimeout {timeout}

Maximum length of time (in milliseconds) that can be taken to establish a connection. Use '0' to specify no time out.

Default: 30000

-d | --databases

Remove database contents.

Default: false

-e | --ldif-files

Remove LDIF files.

Default: false

-f | --forceOnError

Specifies whether the uninstall should continue if there is an error updating references to this server in remote server instances or not. This option can only be used with the --no-prompt no prompt option.

Default: false

-i | --cli

Use the command line install. If not specified the graphical interface will be launched. The rest of the options (excluding help and version) will only be taken into account if this option is specified.

Default: false

-l | --server-libraries

Remove Server Libraries and Administrative Tools.

Default: false

-L | --log-files

Remove log files.

Default: false

LDAP connection options:

-h | --referencedHostName {host}

The name of this host (or IP address) as it is referenced in remote servers for replication.

Default: localhost.localdomain

-I | --adminUID {adminUID}

User ID of the Global Administrator to use to bind to the server.

Default: admin

-j | --bindPasswordFile {bindPasswordFile}

Bind password file.

-K | --keyStorePath {keyStorePath}

Certificate key store path.

-N | --certNickname {nickname}

Nickname of the certificate that the server should use when accepting SSL-based connections or performing StartTLS negotiation.

-o | --saslOption {name=value}

SASL bind options.

-P | --trustStorePath {trustStorePath}

Certificate trust store path.

-T | --trustStorePassword {trustStorePassword}

Certificate trust store PIN.

-u | --keyStorePasswordFile {keyStorePasswordFile}

Certificate key store PIN file. A PIN is required when you specify to use an existing certificate as server certificate.

-U | --trustStorePasswordFile {path}

Certificate trust store PIN file.

-w | --bindPassword {bindPassword}

Password to use to bind to the server. Use -w - to ensure that the command prompts for the password, rather than entering the password as a command argument.

-W | --keyStorePassword {keyStorePassword}

Certificate key store PIN. A PIN is required when you specify to use an existing certificate as server certificate.

-X | --trustAll

Trust all server SSL certificates.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

--noPropertiesFile

No properties file will be used to get default command line argument values.

Default: false

--propertiesFilePath {propertiesFilePath}

Path to the file containing default property values used for command line arguments.

-Q | --quiet

Use quiet mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Examples

The following command removes OpenDJ directory server without interaction.

$ /path/to/opendj/uninstall -a --cli -I admin -w password -n

Stopping Directory Server ..... Done.
Deleting Files under the Installation Path ..... Done.

The Uninstall Completed Successfully.
To complete the uninstallation, you must delete manually the following files
and directories:
/path/to/opendj/lib
See /var/.../opends-uninstall-3...0.log for a detailed log of this operation.

$ rm -rf /path/to/opendj
 

Name

upgrade — upgrade OpenDJ configuration and application data

Synopsis

upgrade {options}

Description

Upgrades OpenDJ configuration and application data so that it is compatible with the installed binaries.

This tool should be run immediately after upgrading the OpenDJ binaries and before restarting the server.

NOTE: this tool does not provide backup or restore capabilities. Therefore, it is the responsibility of the OpenDJ administrator to take necessary precautions before performing the upgrade.

This utility thus performs only part of the upgrade process, which includes the following phases for a single server.

  1. Get and unpack a newer version of OpenDJ directory server software.

  2. Stop the current OpenDJ directory server.

  3. Overwrite existing binary and script files with those of the newer version, and then run this utility before restarting OpenDJ.

  4. Start the upgraded OpenDJ directory server.

Important

This utility does not back up OpenDJ before you upgrade, nor does it restore OpenDJ if the utility fails. In order to revert a failed upgrade, make sure you back up OpenDJ directory server before you overwrite existing binary and script files.

By default this utility requests confirmation before making important configuration changes. You can use the --no-prompt option to run the command non-interactively.

When using the --no-prompt option, if this utility cannot complete because it requires confirmation for a potentially very long or critical task, then it exits with an error and a message about how to finish making the changes. You can add the --force option to force a non-interactive upgrade to continue in this case, also performing long running and critical tasks.

After upgrading, see the resulting upgrade.log file for a full list of operations performed.

Options

The upgrade command takes the following options:

Command options:

--acceptLicense

Automatically accepts the product license (if present).

Default: false

--force

Forces a non-interactive upgrade to continue even if it requires user interaction. In particular, long running or critical upgrade tasks, such as re-indexing, which require user confirmation will be skipped. This option may only be used with the 'no-prompt' option.

Default: false

--ignoreErrors

Ignores any errors which occur during the upgrade. This option should be used with caution and may be useful in automated deployments where potential errors are known in advance and resolved after the upgrade has completed.

Default: false

Utility input/output options:

-n | --no-prompt

Use non-interactive mode. If data in the command is missing, the user is not prompted and the tool will fail.

Default: false

-Q | --quiet

Use quiet mode.

Default: false

-v | --verbose

Use verbose mode.

Default: false

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

2

The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task.

See the error message or the log for details.

other

An error occurred.

See the OpenDJ Installation Guide for an example upgrade process for OpenDJ directory server installed from the cross-platform (.zip) delivery.

Native packages (.deb, .rpm) perform more of the upgrade process, stopping OpenDJ if it is running, overwriting older files with newer files, running this utility, and starting OpenDJ if it was running when you upgraded the package(s).


Name

verify-index — check index for consistency or errors

Synopsis

verify-index

Description

This utility can be used to ensure that index data is consistent within an indexed backend database.

Options

The verify-index command takes the following options:

Command options:

-b | --baseDN {baseDN}

Base DN of a backend supporting indexing. Verification is performed on indexes within the scope of the given base DN.

-c | --clean

Specifies that a single index should be verified to ensure it is clean. An index is clean if each index value references only entries containing that value. Only one index at a time may be verified in this way.

Default: false

--countErrors

Count the number of errors found during the verification and return that value as the exit code (values > 255 will be reduced to 255 due to exit code restrictions).

Default: false

-i | --index {index}

Name of an index to be verified. For an attribute index this is simply an attribute name. Multiple indexes may be verified for completeness, or all indexes if no indexes are specified. An index is complete if each index value references all entries containing that value.

General options:

-V | --version

Display Directory Server version information.

Default: false

-H | --help

Display this usage information.

Default: false

Exit Codes

0

The command completed successfully.

1

The command was run in non-interactive mode, but could not complete because confirmation was required to run a long or critical task.

See the error message or the log for details.

0-255

The number of errors in the index, as indicated for the --countErrors option.

Examples

The following example shows how to verify the sn (surname) index for completeness and for errors. The messages shown are for a backend of type pdb. The output is similar for other backend types:

$ verify-index -b dc=example,dc=com -i sn --clean --countErrors
[20/05/2015:14:24:18 +0200] category=...PDBStorage seq=0 severity=INFO
 msg=The PDB storage for backend 'userRoot' initialized
 to use 57528 buffers of 16384 bytes (total 920448kb)
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=1 severity=INFO
 msg=Checked 478 records and found 0 error(s) in 0 seconds
 (average rate 3594.0/sec)
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=2 severity=FINE
 msg=Number of records referencing more than one entry: 224
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=3 severity=FINE
 msg=Number of records that exceed the entry limit: 0
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=4 severity=FINE
 msg=Average number of entries referenced is 2.00/record
[20/05/2015:14:24:18 +0200] category=...pluggable.VerifyJob seq=5 severity=FINE
 msg=Maximum number of entries referenced by any record is 32
  

Name

windows-service — register OpenDJ as a Windows Service

Synopsis

windows-service {options}

Description

This utility can be used to run OpenDJ directory server as a Windows Service.

Service Options

-c, --cleanupService serviceName

Disable the service and clean up the windows registry information associated with the provided service name

-d, --disableService

Disable the server as a Windows service and stop the server

-e, --enableService

Enable the server as a Windows service

-s, --serviceState

Provide information about the state of the server as a Windows service

General Options

-V, --version

Display version information

-?, -H, --help

Display usage information

Exit Codes

0

The command completed successfully.

> 0

An error occurred.

Example

The following command registers OpenDJ directory server as a Windows Service.

C:\path\to\opendj\bat> windows-service.bat --enableService
  

After running this command, you can manage the service using Windows administration tools.

dsconfig Subcommands Reference


This section covers dsconfig subcommands.

Name

dsconfig create-access-log-filtering-criteria — Creates Access Log Filtering Criteria

Synopsis

dsconfig create-access-log-filtering-criteria {options}

Description

Creates Access Log Filtering Criteria.

Options

The dsconfig create-access-log-filtering-criteria command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:

access-log-filtering-criteria

Default {name}: Access Log Filtering Criteria

Enabled by default: false

See "Access Log Filtering Criteria" for the properties of this Access Log Filtering Criteria type.

--criteria-name {name}

The name of the new Access Log Filtering Criteria.

Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:

access-log-filtering-criteria

Default {name}: Access Log Filtering Criteria

Enabled by default: false

See "Access Log Filtering Criteria" for the properties of this Access Log Filtering Criteria type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the --criteria-name {name} option.

Access Log Filtering Criteria

Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:

connection-client-address-equal-to
Description

Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

None

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-client-address-not-equal-to
Description

Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

None

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-port-equal-to
Description

Filters log records associated with connections to any of the specified listener port numbers.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-protocol-equal-to
Description

Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".

Default Value

None

Allowed Values

The protocol name as reported in the access log.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-record-type
Description

Filters log records based on their type.

Default Value

None

Allowed Values
abandon

Abandon operations

add

Add operations

bind

Bind operations

compare

Compare operations

connect

Client connections

delete

Delete operations

disconnect

Client disconnections

extended

Extended operations

modify

Modify operations

rename

Rename operations

search

Search operations

unbind

Unbind operations

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

request-target-dn-equal-to
Description

Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

request-target-dn-not-equal-to
Description

Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-etime-greater-than
Description

Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-etime-less-than
Description

Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-result-code-equal-to
Description

Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-result-code-not-equal-to
Description

Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

search-response-is-indexed
Description

Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

search-response-nentries-greater-than
Description

Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

search-response-nentries-less-than
Description

Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-dn-equal-to
Description

Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-dn-not-equal-to
Description

Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard ** replaces one or more RDN components (as in uid=dmiller,**,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-is-member-of
Description

Filters log records associated with users which are members of at least one of the specified groups.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-is-not-member-of
Description

Filters log records associated with users which are not members of any of the specified groups.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-account-status-notification-handler — Creates Account Status Notification Handlers

Synopsis

dsconfig create-account-status-notification-handler {options}

Description

Creates Account Status Notification Handlers.

Options

The dsconfig create-account-status-notification-handler command takes the following options:

--handler-name {name}

The name of the new Account Status Notification Handler.

Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Account Status Notification Handler types:

error-log-account-status-notification-handler

Default {name}: Error Log Account Status Notification Handler

Enabled by default: true

See "Error Log Account Status Notification Handler" for the properties of this Account Status Notification Handler type.

smtp-account-status-notification-handler

Default {name}: SMTP Account Status Notification Handler

Enabled by default: true

See "SMTP Account Status Notification Handler" for the properties of this Account Status Notification Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Account Status Notification Handler which should be created. The value for TYPE can be one of: custom | error-log | smtp.

Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Account Status Notification Handler types:

error-log-account-status-notification-handler

Default {type}: Error Log Account Status Notification Handler

Enabled by default: true

See "Error Log Account Status Notification Handler" for the properties of this Account Status Notification Handler type.

smtp-account-status-notification-handler

Default {type}: SMTP Account Status Notification Handler

Enabled by default: true

See "SMTP Account Status Notification Handler" for the properties of this Account Status Notification Handler type.

Error Log Account Status Notification Handler

Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:

account-status-notification-type
Description

Indicates which types of event can trigger an account status notification.

Default Value

None

Allowed Values
account-disabled

Generate a notification whenever a user account has been disabled by an administrator.

account-enabled

Generate a notification whenever a user account has been enabled by an administrator.

account-expired

Generate a notification whenever a user authentication has failed because the account has expired.

account-idle-locked

Generate a notification whenever a user account has been locked because it was idle for too long.

account-permanently-locked

Generate a notification whenever a user account has been permanently locked after too many failed attempts.

account-reset-locked

Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.

account-temporarily-locked

Generate a notification whenever a user account has been temporarily locked after too many failed attempts.

account-unlocked

Generate a notification whenever a user account has been unlocked by an administrator.

password-changed

Generate a notification whenever a user changes his/her own password.

password-expired

Generate a notification whenever a user authentication has failed because the password has expired.

password-expiring

Generate a notification whenever a password expiration warning is encountered for a user password for the first time.

password-reset

Generate a notification whenever a user's password is reset by an administrator.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.

Default Value

org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

SMTP Account Status Notification Handler

Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:

email-address-attribute-type
Description

Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.

Default Value

If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.

Default Value

org.opends.server.extensions.SMTPAccountStatusNotificationHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

message-subject
Description

Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

message-template-file
Description

Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

recipient-address
Description

Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.

Default Value

If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

send-email-as-html
Description

Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

send-message-without-end-user-address
Description

Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

sender-address
Description

Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-alert-handler — Creates Alert Handlers

Synopsis

dsconfig create-alert-handler {options}

Description

Creates Alert Handlers.

Options

The dsconfig create-alert-handler command takes the following options:

--handler-name {name}

The name of the new Alert Handler.

Alert Handler properties depend on the Alert Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Alert Handler types:

jmx-alert-handler

Default {name}: JMX Alert Handler

Enabled by default: true

See "JMX Alert Handler" for the properties of this Alert Handler type.

smtp-alert-handler

Default {name}: SMTP Alert Handler

Enabled by default: true

See "SMTP Alert Handler" for the properties of this Alert Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Alert Handler properties depend on the Alert Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Alert Handler which should be created. The value for TYPE can be one of: custom | jmx | smtp.

Alert Handler properties depend on the Alert Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Alert Handler types:

jmx-alert-handler

Default {type}: JMX Alert Handler

Enabled by default: true

See "JMX Alert Handler" for the properties of this Alert Handler type.

smtp-alert-handler

Default {type}: SMTP Alert Handler

Enabled by default: true

See "SMTP Alert Handler" for the properties of this Alert Handler type.

JMX Alert Handler

Alert Handlers of type jmx-alert-handler have the following properties:

disabled-alert-type
Description

Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.

Default Value

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Alert Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled-alert-type
Description

Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.

Default Value

All alerts with types not included in the set of disabled alert types are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.

Default Value

org.opends.server.extensions.JMXAlertHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Alert Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

SMTP Alert Handler

Alert Handlers of type smtp-alert-handler have the following properties:

disabled-alert-type
Description

Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.

Default Value

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Alert Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled-alert-type
Description

Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.

Default Value

All alerts with types not included in the set of disabled alert types are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.

Default Value

org.opends.server.extensions.SMTPAlertHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Alert Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

message-body
Description

Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

message-subject
Description

Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

recipient-address
Description

Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

sender-address
Description

Specifies the email address to use as the sender for messages generated by this alert handler.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-attribute-syntax — Creates Attribute Syntaxes

Synopsis

dsconfig create-attribute-syntax {options}

Description

Creates Attribute Syntaxes.

Options

The dsconfig create-attribute-syntax command takes the following options:

--syntax-name {name}

The name of the new Attribute Syntax.

Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Attribute Syntax types:

attribute-type-description-attribute-syntax

Default {name}: Attribute Type Description Attribute Syntax

Enabled by default: true

See "Attribute Type Description Attribute Syntax" for the properties of this Attribute Syntax type.

certificate-attribute-syntax

Default {name}: Certificate Attribute Syntax

Enabled by default: true

See "Certificate Attribute Syntax" for the properties of this Attribute Syntax type.

country-string-attribute-syntax

Default {name}: Country String Attribute Syntax

Enabled by default: true

See "Country String Attribute Syntax" for the properties of this Attribute Syntax type.

directory-string-attribute-syntax

Default {name}: Directory String Attribute Syntax

Enabled by default: true

See "Directory String Attribute Syntax" for the properties of this Attribute Syntax type.

jpeg-attribute-syntax

Default {name}: JPEG Attribute Syntax

Enabled by default: true

See "JPEG Attribute Syntax" for the properties of this Attribute Syntax type.

telephone-number-attribute-syntax

Default {name}: Telephone Number Attribute Syntax

Enabled by default: true

See "Telephone Number Attribute Syntax" for the properties of this Attribute Syntax type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Attribute Syntax properties depend on the Attribute Syntax type, which depends on the --syntax-name {name} option.

-t | --type {type}

The type of Attribute Syntax which should be created (Default: generic). The value for TYPE can be one of: attribute-type-description | certificate | country-string | directory-string | generic | jpeg | telephone-number.

Attribute Syntax properties depend on the Attribute Syntax type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Attribute Syntax types:

attribute-type-description-attribute-syntax

Default {type}: Attribute Type Description Attribute Syntax

Enabled by default: true

See "Attribute Type Description Attribute Syntax" for the properties of this Attribute Syntax type.

certificate-attribute-syntax

Default {type}: Certificate Attribute Syntax

Enabled by default: true

See "Certificate Attribute Syntax" for the properties of this Attribute Syntax type.

country-string-attribute-syntax

Default {type}: Country String Attribute Syntax

Enabled by default: true

See "Country String Attribute Syntax" for the properties of this Attribute Syntax type.

directory-string-attribute-syntax

Default {type}: Directory String Attribute Syntax

Enabled by default: true

See "Directory String Attribute Syntax" for the properties of this Attribute Syntax type.

jpeg-attribute-syntax

Default {type}: JPEG Attribute Syntax

Enabled by default: true

See "JPEG Attribute Syntax" for the properties of this Attribute Syntax type.

telephone-number-attribute-syntax

Default {type}: Telephone Number Attribute Syntax

Enabled by default: true

See "Telephone Number Attribute Syntax" for the properties of this Attribute Syntax type.

Attribute Type Description Attribute Syntax

Attribute Syntaxes of type attribute-type-description-attribute-syntax have the following properties:

enabled
Description

Indicates whether the Attribute Syntax is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Attribute Type Description Attribute Syntax implementation.

Default Value

org.opends.server.schema.AttributeTypeSyntax

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax

Multi-valued

No

Required

Yes

Admin Action Required

The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

Yes

strip-syntax-min-upper-bound
Description

Indicates whether the suggested minimum upper bound appended to an attribute's syntax OID in it's schema definition Attribute Type Description is stripped off. When retrieving the server's schema, some APIs (JNDI) fail in their syntax lookup methods, because they do not parse this value correctly. This configuration option allows the server to be configured to provide schema definitions these APIs can parse correctly.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Certificate Attribute Syntax

Attribute Syntaxes of type certificate-attribute-syntax have the following properties:

enabled
Description

Indicates whether the Attribute Syntax is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Certificate Attribute Syntax implementation.

Default Value

org.opends.server.schema.CertificateSyntax

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax

Multi-valued

No

Required

Yes

Admin Action Required

The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

Yes

strict-format
Description

Indicates whether or not X.509 Certificate values are required to strictly comply with the standard definition for this syntax. When set to false, certificates will not be validated and, as a result any sequence of bytes will be acceptable.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Country String Attribute Syntax

Attribute Syntaxes of type country-string-attribute-syntax have the following properties:

enabled
Description

Indicates whether the Attribute Syntax is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Country String Attribute Syntax implementation.

Default Value

org.opends.server.schema.CountryStringSyntax

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax

Multi-valued

No

Required

Yes

Admin Action Required

The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

Yes

strict-format
Description

Indicates whether or not country code values are required to strictly comply with the standard definition for this syntax. When set to false, country codes will not be validated and, as a result any string containing 2 characters will be acceptable.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Directory String Attribute Syntax

Attribute Syntaxes of type directory-string-attribute-syntax have the following properties:

allow-zero-length-values
Description

Indicates whether zero-length (that is, an empty string) values are allowed. This is technically not allowed by the revised LDAPv3 specification, but some environments may require it for backward compatibility with servers that do allow it.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Attribute Syntax is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Directory String Attribute Syntax implementation.

Default Value

org.opends.server.schema.DirectoryStringSyntax

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax

Multi-valued

No

Required

Yes

Admin Action Required

The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

Yes

JPEG Attribute Syntax

Attribute Syntaxes of type jpeg-attribute-syntax have the following properties:

enabled
Description

Indicates whether the Attribute Syntax is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the JPEG Attribute Syntax implementation.

Default Value

org.opends.server.schema.JPEGSyntax

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax

Multi-valued

No

Required

Yes

Admin Action Required

The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

Yes

strict-format
Description

Indicates whether to require JPEG values to strictly comply with the standard definition for this syntax.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Telephone Number Attribute Syntax

Attribute Syntaxes of type telephone-number-attribute-syntax have the following properties:

enabled
Description

Indicates whether the Attribute Syntax is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Telephone Number Attribute Syntax implementation.

Default Value

org.opends.server.schema.TelephoneNumberSyntax

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AttributeSyntax

Multi-valued

No

Required

Yes

Admin Action Required

The Attribute Syntax must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

Yes

strict-format
Description

Indicates whether to require telephone number values to strictly comply with the standard definition for this syntax.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-backend — Creates Backends

Synopsis

dsconfig create-backend {options}

Description

Creates Backends.

Options

The dsconfig create-backend command takes the following options:

--backend-name {STRING}

The name of the new Backend which will also be used as the value of the "backend-id" property: Specifies a name to identify the associated backend.

Backend properties depend on the Backend type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following Backend types:

backup-backend

Default {STRING}: Backup Backend

Enabled by default: true

See "Backup Backend" for the properties of this Backend type.

config-file-handler-backend

Default {STRING}: Config File Handler Backend

Enabled by default: true

See "Config File Handler Backend" for the properties of this Backend type.

je-backend

Default {STRING}: JE Backend

Enabled by default: true

See "JE Backend" for the properties of this Backend type.

ldif-backend

Default {STRING}: LDIF Backend

Enabled by default: true

See "LDIF Backend" for the properties of this Backend type.

memory-backend

Default {STRING}: Memory Backend

Enabled by default: true

See "Memory Backend" for the properties of this Backend type.

monitor-backend

Default {STRING}: Monitor Backend

Enabled by default: true

See "Monitor Backend" for the properties of this Backend type.

null-backend

Default {STRING}: Null Backend

Enabled by default: true

See "Null Backend" for the properties of this Backend type.

pdb-backend

Default {STRING}: PDB Backend

Enabled by default: true

See "PDB Backend" for the properties of this Backend type.

schema-backend

Default {STRING}: Schema Backend

Enabled by default: true

See "Schema Backend" for the properties of this Backend type.

task-backend

Default {STRING}: Task Backend

Enabled by default: true

See "Task Backend" for the properties of this Backend type.

trust-store-backend

Default {STRING}: Trust Store Backend

Enabled by default: true

See "Trust Store Backend" for the properties of this Backend type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Backend properties depend on the Backend type, which depends on the --backend-name {STRING} option.

-t | --type {type}

The type of Backend which should be created. The value for TYPE can be one of: backup | config-file-handler | custom | je | ldif | memory | monitor | null | pdb | schema | task | trust-store.

Backend properties depend on the Backend type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Backend types:

backup-backend

Default {type}: Backup Backend

Enabled by default: true

See "Backup Backend" for the properties of this Backend type.

config-file-handler-backend

Default {type}: Config File Handler Backend

Enabled by default: true

See "Config File Handler Backend" for the properties of this Backend type.

je-backend

Default {type}: JE Backend

Enabled by default: true

See "JE Backend" for the properties of this Backend type.

ldif-backend

Default {type}: LDIF Backend

Enabled by default: true

See "LDIF Backend" for the properties of this Backend type.

memory-backend

Default {type}: Memory Backend

Enabled by default: true

See "Memory Backend" for the properties of this Backend type.

monitor-backend

Default {type}: Monitor Backend

Enabled by default: true

See "Monitor Backend" for the properties of this Backend type.

null-backend

Default {type}: Null Backend

Enabled by default: true

See "Null Backend" for the properties of this Backend type.

pdb-backend

Default {type}: PDB Backend

Enabled by default: true

See "PDB Backend" for the properties of this Backend type.

schema-backend

Default {type}: Schema Backend

Enabled by default: true

See "Schema Backend" for the properties of this Backend type.

task-backend

Default {type}: Task Backend

Enabled by default: true

See "Task Backend" for the properties of this Backend type.

trust-store-backend

Default {type}: Trust Store Backend

Enabled by default: true

See "Trust Store Backend" for the properties of this Backend type.

Backup Backend

Backends of type backup-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

backup-directory
Description

Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.BackupBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

disabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Config File Handler Backend

Backends of type config-file-handler-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.extensions.ConfigFileHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

JE Backend

Backends of type je-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

compact-encoding
Description

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

No

Read-only

No

db-cache-percent
Description

Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.

Default Value

50

Allowed Values

An integer value. Lower value is 1. Upper value is 90.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-cache-size
Description

The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.

Default Value

0 MB

Allowed Values

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-checkpointer-bytes-interval
Description

Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.

Default Value

500mb

Allowed Values

Upper value is 9223372036854775807.

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-checkpointer-wakeup-interval
Description

Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.

Default Value

30s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 seconds.Upper limit is 4294 seconds.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-cleaner-min-utilization
Description

Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.

Default Value

50

Allowed Values

An integer value. Lower value is 0. Upper value is 90.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-directory
Description

Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

Default Value

db

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

db-directory-permissions
Description

Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.

Default Value

700

Allowed Values

Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-core-threads
Description

Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

Default Value

1

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-keep-alive
Description

The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

Default Value

600s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 seconds.Upper limit is 86400 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-lru-only
Description

Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-max-threads
Description

Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

Default Value

10

Allowed Values

An integer value. Lower value is 1. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-nodes-per-scan
Description

Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.

Default Value

10

Allowed Values

An integer value. Lower value is 1. Upper value is 1000.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-log-file-max
Description

Specifies the maximum size for a database log file.

Default Value

100mb

Allowed Values

Lower value is 1000000.Upper value is 4294967296.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-log-filecache-size
Description

Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.

Default Value

100

Allowed Values

An integer value. Lower value is 3. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-logging-file-handler-on
Description

Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-logging-level
Description

Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.

Default Value

CONFIG

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-num-cleaner-threads
Description

Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-num-lock-tables
Description

Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1. Upper value is 32767.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-run-cleaner
Description

Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-txn-no-sync
Description

Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-txn-write-no-sync
Description

Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-full-threshold
Description

Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.

Default Value

100 megabytes

Allowed Values

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-low-threshold
Description

Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.

Default Value

200 megabytes

Allowed Values

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

entries-compressed
Description

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

Advanced Property

No

Read-only

No

index-filter-analyzer-enabled
Description

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-filter-analyzer-max-filters
Description

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

Default Value

25

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.jeb.JEBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

je-property
Description

Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

preload-time-limit
Description

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

Default Value

0s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

LDIF Backend

Backends of type ldif-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

is-private-backend
Description

Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.LDIFBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ldif-file
Description

Specifies the path to the LDIF file containing the data for this backend.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Memory Backend

Backends of type memory-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.MemoryBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Monitor Backend

Backends of type monitor-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.MonitorBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

disabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Null Backend

Backends of type null-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.NullBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

PDB Backend

Backends of type pdb-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

compact-encoding
Description

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

No

Read-only

No

db-cache-percent
Description

Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.

Default Value

50

Allowed Values

An integer value. Lower value is 1. Upper value is 90.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-cache-size
Description

The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.

Default Value

0 MB

Allowed Values

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-checkpointer-wakeup-interval
Description

Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.

Default Value

15s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 10 seconds.Upper limit is 3600 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-directory
Description

Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

Default Value

db

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

db-directory-permissions
Description

Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.

Default Value

700

Allowed Values

Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-txn-no-sync
Description

Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-full-threshold
Description

Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.

Default Value

100 megabytes

Allowed Values

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-low-threshold
Description

Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.

Default Value

200 megabytes

Allowed Values

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

entries-compressed
Description

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

If any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

Advanced Property

No

Read-only

No

index-filter-analyzer-enabled
Description

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-filter-analyzer-max-filters
Description

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

Default Value

25

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.pdb.PDBBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

preload-time-limit
Description

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

Default Value

0s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Schema Backend

Backends of type schema-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.SchemaBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

schema-entry-dn
Description

Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.

Default Value

cn=schema

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

show-all-attributes
Description

Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Task Backend

Backends of type task-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.task.TaskBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

notification-sender-address
Description

Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.

Default Value

The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

task-backing-file
Description

Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

task-retention-time
Description

Specifies the length of time that task entries should be retained after processing on the associated task has been completed.

Default Value

24 hours

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Trust Store Backend

Backends of type trust-store-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

No administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.TrustStoreBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

trust-store-file
Description

Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.

Default Value

config/ads-truststore

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

trust-store-pin
Description

Specifies the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-type
Description

Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.

Default Value

The JVM default value is used.

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect the next time that the key manager is accessed.

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-backend-index — Creates Backend Indexes

Synopsis

dsconfig create-backend-index {options}

Description

Creates Backend Indexes.

Options

The dsconfig create-backend-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Backend Index types:

backend-index

Default {name}: Backend Index

Enabled by default: false

See "Backend Index" for the properties of this Backend Index type.

--index-name {OID}

The name of the new Backend Index which will also be used as the value of the "attribute" property: Specifies the name of the attribute for which the index is to be maintained.

Backend Index properties depend on the Backend Index type, which depends on the {OID} you provide.

By default, OpenDJ directory server supports the following Backend Index types:

backend-index

Default {OID}: Backend Index

Enabled by default: false

See "Backend Index" for the properties of this Backend Index type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Backend Index properties depend on the Backend Index type, which depends on the --index-name {OID} option.

Backend Index

Backend Indexes of type backend-index have the following properties:

attribute
Description

Specifies the name of the attribute for which the index is to be maintained.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

index-entry-limit
Description

Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.

Advanced Property

No

Read-only

No

index-extensible-matching-rule
Description

The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.

Default Value

No extensible matching rules will be indexed.

Allowed Values

A Locale or an OID.

Multi-valued

Yes

Required

No

Admin Action Required

The index must be rebuilt before it will reflect the new value.

Advanced Property

No

Read-only

No

index-type
Description

Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.

Default Value

None

Allowed Values
approximate

This index type is used to improve the efficiency of searches using approximate matching search filters.

equality

This index type is used to improve the efficiency of searches using equality search filters.

extensible

This index type is used to improve the efficiency of searches using extensible matching search filters.

ordering

This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.

presence

This index type is used to improve the efficiency of searches using the presence search filters.

substring

This index type is used to improve the efficiency of searches using substring search filters.

Multi-valued

Yes

Required

Yes

Admin Action Required

If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.

Advanced Property

No

Read-only

No

substring-length
Description

The length of substrings in a substring index.

Default Value

6

Allowed Values

An integer value. Lower value is 3.

Multi-valued

No

Required

No

Admin Action Required

The index must be rebuilt before it will reflect the new value.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-backend-vlv-index — Creates Backend VLV Indexes

Synopsis

dsconfig create-backend-vlv-index {options}

Description

Creates Backend VLV Indexes.

Options

The dsconfig create-backend-vlv-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Backend VLV Index types:

backend-vlv-index

Default {name}: Backend VLV Index

Enabled by default: false

See "Backend VLV Index" for the properties of this Backend VLV Index type.

--index-name {STRING}

The name of the new Backend VLV Index which will also be used as the value of the "name" property: Specifies a unique name for this VLV index.

Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following Backend VLV Index types:

backend-vlv-index

Default {STRING}: Backend VLV Index

Enabled by default: false

See "Backend VLV Index" for the properties of this Backend VLV Index type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Backend VLV Index properties depend on the Backend VLV Index type, which depends on the --index-name {STRING} option.

Backend VLV Index

Backend VLV Indexes of type backend-vlv-index have the following properties:

base-dn
Description

Specifies the base DN used in the search query that is being indexed.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

filter
Description

Specifies the LDAP filter used in the query that is being indexed.

Default Value

None

Allowed Values

A valid LDAP search filter.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

name
Description

Specifies a unique name for this VLV index.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

The VLV index name cannot be altered after the index is created.

Advanced Property

No

Read-only

Yes

scope
Description

Specifies the LDAP scope of the query that is being indexed.

Default Value

None

Allowed Values
base-object

Search the base object only.

single-level

Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree

Search the entire subtree below the base object but do not include the base object itself.

whole-subtree

Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

sort-order
Description

Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.

Default Value

None

Allowed Values

Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No


Name

dsconfig create-certificate-mapper — Creates Certificate Mappers

Synopsis

dsconfig create-certificate-mapper {options}

Description

Creates Certificate Mappers.

Options

The dsconfig create-certificate-mapper command takes the following options:

--mapper-name {name}

The name of the new Certificate Mapper.

Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Certificate Mapper types:

fingerprint-certificate-mapper

Default {name}: Fingerprint Certificate Mapper

Enabled by default: true

See "Fingerprint Certificate Mapper" for the properties of this Certificate Mapper type.

subject-attribute-to-user-attribute-certificate-mapper

Default {name}: Subject Attribute To User Attribute Certificate Mapper

Enabled by default: true

See "Subject Attribute To User Attribute Certificate Mapper" for the properties of this Certificate Mapper type.

subject-dn-to-user-attribute-certificate-mapper

Default {name}: Subject DN To User Attribute Certificate Mapper

Enabled by default: true

See "Subject DN To User Attribute Certificate Mapper" for the properties of this Certificate Mapper type.

subject-equals-dn-certificate-mapper

Default {name}: Subject Equals DN Certificate Mapper

Enabled by default: true

See "Subject Equals DN Certificate Mapper" for the properties of this Certificate Mapper type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Certificate Mapper properties depend on the Certificate Mapper type, which depends on the --mapper-name {name} option.

-t | --type {type}

The type of Certificate Mapper which should be created. The value for TYPE can be one of: custom | fingerprint | subject-attribute-to-user-attribute | subject-dn-to-user-attribute | subject-equals-dn.

Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Certificate Mapper types:

fingerprint-certificate-mapper

Default {type}: Fingerprint Certificate Mapper

Enabled by default: true

See "Fingerprint Certificate Mapper" for the properties of this Certificate Mapper type.

subject-attribute-to-user-attribute-certificate-mapper

Default {type}: Subject Attribute To User Attribute Certificate Mapper

Enabled by default: true

See "Subject Attribute To User Attribute Certificate Mapper" for the properties of this Certificate Mapper type.

subject-dn-to-user-attribute-certificate-mapper

Default {type}: Subject DN To User Attribute Certificate Mapper

Enabled by default: true

See "Subject DN To User Attribute Certificate Mapper" for the properties of this Certificate Mapper type.

subject-equals-dn-certificate-mapper

Default {type}: Subject Equals DN Certificate Mapper

Enabled by default: true

See "Subject Equals DN Certificate Mapper" for the properties of this Certificate Mapper type.

Fingerprint Certificate Mapper

Certificate Mappers of type fingerprint-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

fingerprint-algorithm
Description

Specifies the name of the digest algorithm to compute the fingerprint of client certificates.

Default Value

None

Allowed Values
md5

Use the MD5 digest algorithm to compute certificate fingerprints.

sha1

Use the SHA-1 digest algorithm to compute certificate fingerprints.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

fingerprint-attribute
Description

Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.

Default Value

org.opends.server.extensions.FingerprintCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

user-base-dn
Description

Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.

Default Value

The server performs the search in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Subject Attribute To User Attribute Certificate Mapper

Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.

Default Value

org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

subject-attribute-mapping
Description

Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

user-base-dn
Description

Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.

Default Value

The server will perform the search in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Subject DN To User Attribute Certificate Mapper

Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.

Default Value

org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

subject-attribute
Description

Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

user-base-dn
Description

Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.

Default Value

The server will perform the search in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Subject Equals DN Certificate Mapper

Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.

Default Value

org.opends.server.extensions.SubjectEqualsDNCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-connection-handler — Creates Connection Handlers

Synopsis

dsconfig create-connection-handler {options}

Description

Creates Connection Handlers.

Options

The dsconfig create-connection-handler command takes the following options:

--handler-name {name}

The name of the new Connection Handler.

Connection Handler properties depend on the Connection Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Connection Handler types:

http-connection-handler

Default {name}: HTTP Connection Handler

Enabled by default: true

See "HTTP Connection Handler" for the properties of this Connection Handler type.

jmx-connection-handler

Default {name}: JMX Connection Handler

Enabled by default: true

See "JMX Connection Handler" for the properties of this Connection Handler type.

ldap-connection-handler

Default {name}: LDAP Connection Handler

Enabled by default: true

See "LDAP Connection Handler" for the properties of this Connection Handler type.

ldif-connection-handler

Default {name}: LDIF Connection Handler

Enabled by default: true

See "LDIF Connection Handler" for the properties of this Connection Handler type.

snmp-connection-handler

Default {name}: SNMP Connection Handler

Enabled by default: true

See "SNMP Connection Handler" for the properties of this Connection Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Connection Handler properties depend on the Connection Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Connection Handler which should be created. The value for TYPE can be one of: custom | http | jmx | ldap | ldif | snmp.

Connection Handler properties depend on the Connection Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Connection Handler types:

http-connection-handler

Default {type}: HTTP Connection Handler

Enabled by default: true

See "HTTP Connection Handler" for the properties of this Connection Handler type.

jmx-connection-handler

Default {type}: JMX Connection Handler

Enabled by default: true

See "JMX Connection Handler" for the properties of this Connection Handler type.

ldap-connection-handler

Default {type}: LDAP Connection Handler

Enabled by default: true

See "LDAP Connection Handler" for the properties of this Connection Handler type.

ldif-connection-handler

Default {type}: LDIF Connection Handler

Enabled by default: true

See "LDIF Connection Handler" for the properties of this Connection Handler type.

snmp-connection-handler

Default {type}: SNMP Connection Handler

Enabled by default: true

See "SNMP Connection Handler" for the properties of this Connection Handler type.

HTTP Connection Handler

Connection Handlers of type http-connection-handler have the following properties:

accept-backlog
Description

Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.

Default Value

128

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-tcp-reuse-address
Description

Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

authentication-required
Description

Specifies whether only authenticated requests can be processed by the HTTP Connection Handler. If true, only authenticated requests will be processed by the HTTP Connection Handler. If false, both authenticated requests and unauthenticated requests will be processed. All requests are subject to ACI limitations and unauthenticated requests are subject to server limits like maximum number of entries returned. Note that setting ds-cfg-reject-unauthenticated-requests to true will override the current setting.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

buffer-size
Description

Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.

Default Value

4096 bytes

Allowed Values

Lower value is 1.Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

config-file
Description

Specifies the name of the configuration file for the HTTP Connection Handler.

Default Value

config/http-config.json

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.

Default Value

org.opends.server.protocols.http.HTTPConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

keep-stats
Description

Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this HTTP Connection Handler .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

Advanced Property

No

Read-only

No

listen-address
Description

Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

listen-port
Description

Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

max-blocked-write-time-limit
Description

Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.

Default Value

2 minutes

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-concurrent-ops-per-connection
Description

Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-request-size
Description

Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.

Default Value

5 megabytes

Allowed Values

Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

num-request-handlers
Description

Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ssl-cert-nickname
Description

Specifies the nicknames (also called the aliases) of the certificates that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when an RSA, a DSA, and an ECC based server certificate is used in parallel. This is only applicable when the HTTP Connection Handler is configured to use SSL.

Default Value

Let the server decide.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-cipher-suite
Description

Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.

Default Value

Uses the default set of SSL cipher suites provided by the server's JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

ssl-client-auth-policy
Description

Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.

Default Value

optional

Allowed Values
disabled

Clients must not provide their own certificates when performing SSL negotiation.

optional

Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.

required

Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-protocol
Description

Specifies the names of the SSL protocols that are allowed for use in SSL communication.

Default Value

Uses the default set of SSL protocols provided by the server's JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used with the HTTP Connection Handler .

Default Value

None

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-tcp-keep-alive
Description

Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

use-tcp-no-delay
Description

Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

JMX Connection Handler

Connection Handlers of type jmx-connection-handler have the following properties:

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.

Default Value

org.opends.server.protocols.jmx.JmxConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this JMX Connection Handler .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

Advanced Property

No

Read-only

No

listen-address
Description

Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

No

Read-only

No

listen-port
Description

Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

rmi-port
Description

Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 65535.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-cert-nickname
Description

Specifies the nicknames (also called the aliases) of the certificates that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when an RSA, a DSA, and an ECC based server certificate is used in parallel. This is only applicable when the JMX Connection Handler is configured to use SSL.

Default Value

Let the server decide.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

LDAP Connection Handler

Connection Handlers of type ldap-connection-handler have the following properties:

accept-backlog
Description

Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.

Default Value

128

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-ldap-v2
Description

Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-start-tls
Description

Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-tcp-reuse-address
Description

Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

buffer-size
Description

Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.

Default Value

4096 bytes

Allowed Values

Lower value is 1.Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.

Default Value

org.opends.server.protocols.ldap.LDAPConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

keep-stats
Description

Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this LDAP Connection Handler .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

Advanced Property

No

Read-only

No

listen-address
Description

Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

listen-port
Description

Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

max-blocked-write-time-limit
Description

Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.

Default Value

2 minutes

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-request-size
Description

Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.

Default Value

5 megabytes

Allowed Values

Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

num-request-handlers
Description

Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

send-rejection-notice
Description

Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ssl-cert-nickname
Description

Specifies the nicknames (also called the aliases) of the certificates that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when an RSA, a DSA, and an ECC based server certificate is used in parallel. This is only applicable when the LDAP Connection Handler is configured to use SSL.

Default Value

Let the server decide.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-cipher-suite
Description

Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.

Default Value

Uses the default set of SSL cipher suites provided by the server's JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

ssl-client-auth-policy
Description

Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.

Default Value

optional

Allowed Values
disabled

Clients must not provide their own certificates when performing SSL negotiation.

optional

Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.

required

Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-protocol
Description

Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.

Default Value

Uses the default set of SSL protocols provided by the server's JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used with the LDAP Connection Handler .

Default Value

None

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-tcp-keep-alive
Description

Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

use-tcp-no-delay
Description

Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

LDIF Connection Handler

Connection Handlers of type ldif-connection-handler have the following properties:

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.

Default Value

org.opends.server.protocols.LDIFConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ldif-directory
Description

Specifies the path to the directory in which the LDIF files should be placed.

Default Value

config/auto-process-ldif

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

poll-interval
Description

Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.

Default Value

5 seconds

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

SNMP Connection Handler

Connection Handlers of type snmp-connection-handler have the following properties:

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

allowed-manager
Description

Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.

Default Value

*

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

allowed-user
Description

Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.

Default Value

*

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

community
Description

Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.

Default Value

OpenDJ

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Changes to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.

Default Value

org.opends.server.snmp.SNMPConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

listen-address
Description

Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

Yes

Required

No

Admin Action Required

Restart the server

Advanced Property

No

Read-only

Yes

listen-port
Description

Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

opendmk-jarfile
Description

Indicates the OpenDMK runtime jar file location

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

registered-mbean
Description

Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

security-agent-file
Description

Specifies the USM security configuration to receive authenticated only SNMP requests.

Default Value

config/snmp/security/opendj-snmp.security

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

security-level
Description

Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.

Default Value

authnopriv

Allowed Values
authnopriv

Authentication activated with no privacy.

authpriv

Authentication with privacy activated.

noauthnopriv

No security mechanisms activated.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

trap-port
Description

Specifies the port to use to send SNMP Traps.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

traps-community
Description

Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.

Default Value

OpenDJ

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

traps-destination
Description

Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.

Default Value

If the list is empty, V1 traps are sent to "localhost".

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No


Name

dsconfig create-debug-target — Creates Debug Targets

Synopsis

dsconfig create-debug-target {options}

Description

Creates Debug Targets.

Options

The dsconfig create-debug-target command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Debug Target types:

debug-target

Default {name}: Debug Target

Enabled by default: true

See "Debug Target" for the properties of this Debug Target type.

--target-name {STRING}

The name of the new Debug Target which will also be used as the value of the "debug-scope" property: Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).

Debug Target properties depend on the Debug Target type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following Debug Target types:

debug-target

Default {STRING}: Debug Target

Enabled by default: true

See "Debug Target" for the properties of this Debug Target type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Debug Target properties depend on the Debug Target type, which depends on the --target-name {STRING} option.

Debug Target

Debug Targets of type debug-target have the following properties:

debug-exceptions-only
Description

Indicates whether only logs with exception should be logged.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

debug-scope
Description

Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).

Default Value

None

Allowed Values

The fully-qualified OpenDJ Java package, class, or method name.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

enabled
Description

Indicates whether the Debug Target is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

include-throwable-cause
Description

Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

omit-method-entry-arguments
Description

Specifies the property to indicate whether to include method arguments in debug messages.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

omit-method-return-value
Description

Specifies the property to indicate whether to include the return value in debug messages.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

throwable-stack-frames
Description

Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.

Default Value

0

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-entry-cache — Creates Entry Caches

Synopsis

dsconfig create-entry-cache {options}

Description

Creates Entry Caches.

Options

The dsconfig create-entry-cache command takes the following options:

--cache-name {name}

The name of the new Entry Cache.

Entry Cache properties depend on the Entry Cache type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Entry Cache types:

fifo-entry-cache

Default {name}: FIFO Entry Cache

Enabled by default: true

See "FIFO Entry Cache" for the properties of this Entry Cache type.

soft-reference-entry-cache

Default {name}: Soft Reference Entry Cache

Enabled by default: true

See "Soft Reference Entry Cache" for the properties of this Entry Cache type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Entry Cache properties depend on the Entry Cache type, which depends on the --cache-name {name} option.

-t | --type {type}

The type of Entry Cache which should be created. The value for TYPE can be one of: custom | fifo | soft-reference.

Entry Cache properties depend on the Entry Cache type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Entry Cache types:

fifo-entry-cache

Default {type}: FIFO Entry Cache

Enabled by default: true

See "FIFO Entry Cache" for the properties of this Entry Cache type.

soft-reference-entry-cache

Default {type}: Soft Reference Entry Cache

Enabled by default: true

See "Soft Reference Entry Cache" for the properties of this Entry Cache type.

FIFO Entry Cache

Entry Caches of type fifo-entry-cache have the following properties:

cache-level
Description

Specifies the cache level in the cache order if more than one instance of the cache is configured.

Default Value

None

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Entry Cache is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

exclude-filter
Description

The set of filters that define the entries that should be excluded from the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

include-filter
Description

The set of filters that define the entries that should be included in the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.

Default Value

org.opends.server.extensions.FIFOEntryCache

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.EntryCache

Multi-valued

No

Required

Yes

Admin Action Required

The Entry Cache must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

lock-timeout
Description

Specifies the length of time to wait while attempting to acquire a read or write lock.

Default Value

2000.0ms

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-entries
Description

Specifies the maximum number of entries that we will allow in the cache.

Default Value

2147483647

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-memory-percent
Description

Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.

Default Value

90

Allowed Values

An integer value. Lower value is 1. Upper value is 100.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Soft Reference Entry Cache

Entry Caches of type soft-reference-entry-cache have the following properties:

cache-level
Description

Specifies the cache level in the cache order if more than one instance of the cache is configured.

Default Value

None

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Entry Cache is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

exclude-filter
Description

The set of filters that define the entries that should be excluded from the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

include-filter
Description

The set of filters that define the entries that should be included in the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.

Default Value

org.opends.server.extensions.SoftReferenceEntryCache

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.EntryCache

Multi-valued

No

Required

Yes

Admin Action Required

The Entry Cache must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

lock-timeout
Description

Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.

Default Value

3000ms

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-extended-operation-handler — Creates Extended Operation Handlers

Synopsis

dsconfig create-extended-operation-handler {options}

Description

Creates Extended Operation Handlers.

Options

The dsconfig create-extended-operation-handler command takes the following options:

--handler-name {name}

The name of the new Extended Operation Handler.

Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Extended Operation Handler types:

cancel-extended-operation-handler

Default {name}: Cancel Extended Operation Handler

Enabled by default: true

See "Cancel Extended Operation Handler" for the properties of this Extended Operation Handler type.

get-connection-id-extended-operation-handler

Default {name}: Get Connection Id Extended Operation Handler

Enabled by default: true

See "Get Connection Id Extended Operation Handler" for the properties of this Extended Operation Handler type.

get-symmetric-key-extended-operation-handler

Default {name}: Get Symmetric Key Extended Operation Handler

Enabled by default: true

See "Get Symmetric Key Extended Operation Handler" for the properties of this Extended Operation Handler type.

password-modify-extended-operation-handler

Default {name}: Password Modify Extended Operation Handler

Enabled by default: true

See "Password Modify Extended Operation Handler" for the properties of this Extended Operation Handler type.

password-policy-state-extended-operation-handler

Default {name}: Password Policy State Extended Operation Handler

Enabled by default: true

See "Password Policy State Extended Operation Handler" for the properties of this Extended Operation Handler type.

start-tls-extended-operation-handler

Default {name}: Start TLS Extended Operation Handler

Enabled by default: true

See "Start TLS Extended Operation Handler" for the properties of this Extended Operation Handler type.

who-am-i-extended-operation-handler

Default {name}: Who Am I Extended Operation Handler

Enabled by default: true

See "Who Am I Extended Operation Handler" for the properties of this Extended Operation Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Extended Operation Handler which should be created. The value for TYPE can be one of: cancel | custom | get-connection-id | get-symmetric-key | password-modify | password-policy-state | start-tls | who-am-i.

Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Extended Operation Handler types:

cancel-extended-operation-handler

Default {type}: Cancel Extended Operation Handler

Enabled by default: true

See "Cancel Extended Operation Handler" for the properties of this Extended Operation Handler type.

get-connection-id-extended-operation-handler

Default {type}: Get Connection Id Extended Operation Handler

Enabled by default: true

See "Get Connection Id Extended Operation Handler" for the properties of this Extended Operation Handler type.

get-symmetric-key-extended-operation-handler

Default {type}: Get Symmetric Key Extended Operation Handler

Enabled by default: true

See "Get Symmetric Key Extended Operation Handler" for the properties of this Extended Operation Handler type.

password-modify-extended-operation-handler

Default {type}: Password Modify Extended Operation Handler

Enabled by default: true

See "Password Modify Extended Operation Handler" for the properties of this Extended Operation Handler type.

password-policy-state-extended-operation-handler

Default {type}: Password Policy State Extended Operation Handler

Enabled by default: true

See "Password Policy State Extended Operation Handler" for the properties of this Extended Operation Handler type.

start-tls-extended-operation-handler

Default {type}: Start TLS Extended Operation Handler

Enabled by default: true

See "Start TLS Extended Operation Handler" for the properties of this Extended Operation Handler type.

who-am-i-extended-operation-handler

Default {type}: Who Am I Extended Operation Handler

Enabled by default: true

See "Who Am I Extended Operation Handler" for the properties of this Extended Operation Handler type.

Cancel Extended Operation Handler

Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.CancelExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Get Connection Id Extended Operation Handler

Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.GetConnectionIDExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Get Symmetric Key Extended Operation Handler

Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.

Default Value

org.opends.server.crypto.GetSymmetricKeyExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Modify Extended Operation Handler

Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.PasswordModifyExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Policy State Extended Operation Handler

Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.PasswordPolicyStateExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Start TLS Extended Operation Handler

Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.StartTLSExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Who Am I Extended Operation Handler

Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.WhoAmIExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-group-implementation — Creates Group Implementations

Synopsis

dsconfig create-group-implementation {options}

Description

Creates Group Implementations.

Options

The dsconfig create-group-implementation command takes the following options:

--implementation-name {name}

The name of the new Group Implementation.

Group Implementation properties depend on the Group Implementation type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Group Implementation types:

dynamic-group-implementation

Default {name}: Dynamic Group Implementation

Enabled by default: true

See "Dynamic Group Implementation" for the properties of this Group Implementation type.

static-group-implementation

Default {name}: Static Group Implementation

Enabled by default: true

See "Static Group Implementation" for the properties of this Group Implementation type.

virtual-static-group-implementation

Default {name}: Virtual Static Group Implementation

Enabled by default: true

See "Virtual Static Group Implementation" for the properties of this Group Implementation type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Group Implementation properties depend on the Group Implementation type, which depends on the --implementation-name {name} option.

-t | --type {type}

The type of Group Implementation which should be created. The value for TYPE can be one of: custom | dynamic | static | virtual-static.

Group Implementation properties depend on the Group Implementation type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Group Implementation types:

dynamic-group-implementation

Default {type}: Dynamic Group Implementation

Enabled by default: true

See "Dynamic Group Implementation" for the properties of this Group Implementation type.

static-group-implementation

Default {type}: Static Group Implementation

Enabled by default: true

See "Static Group Implementation" for the properties of this Group Implementation type.

virtual-static-group-implementation

Default {type}: Virtual Static Group Implementation

Enabled by default: true

See "Virtual Static Group Implementation" for the properties of this Group Implementation type.

Dynamic Group Implementation

Group Implementations of type dynamic-group-implementation have the following properties:

enabled
Description

Indicates whether the Group Implementation is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.

Default Value

org.opends.server.extensions.DynamicGroup

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The Group Implementation must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Static Group Implementation

Group Implementations of type static-group-implementation have the following properties:

enabled
Description

Indicates whether the Group Implementation is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.

Default Value

org.opends.server.extensions.StaticGroup

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The Group Implementation must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Virtual Static Group Implementation

Group Implementations of type virtual-static-group-implementation have the following properties:

enabled
Description

Indicates whether the Group Implementation is enabled.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.

Default Value

org.opends.server.extensions.VirtualStaticGroup

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The Group Implementation must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-identity-mapper — Creates Identity Mappers

Synopsis

dsconfig create-identity-mapper {options}

Description

Creates Identity Mappers.

Options

The dsconfig create-identity-mapper command takes the following options:

--mapper-name {name}

The name of the new Identity Mapper.

Identity Mapper properties depend on the Identity Mapper type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Identity Mapper types:

exact-match-identity-mapper

Default {name}: Exact Match Identity Mapper

Enabled by default: true

See "Exact Match Identity Mapper" for the properties of this Identity Mapper type.

regular-expression-identity-mapper

Default {name}: Regular Expression Identity Mapper

Enabled by default: true

See "Regular Expression Identity Mapper" for the properties of this Identity Mapper type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Identity Mapper properties depend on the Identity Mapper type, which depends on the --mapper-name {name} option.

-t | --type {type}

The type of Identity Mapper which should be created. The value for TYPE can be one of: custom | exact-match | regular-expression.

Identity Mapper properties depend on the Identity Mapper type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Identity Mapper types:

exact-match-identity-mapper

Default {type}: Exact Match Identity Mapper

Enabled by default: true

See "Exact Match Identity Mapper" for the properties of this Identity Mapper type.

regular-expression-identity-mapper

Default {type}: Regular Expression Identity Mapper

Enabled by default: true

See "Regular Expression Identity Mapper" for the properties of this Identity Mapper type.

Exact Match Identity Mapper

Identity Mappers of type exact-match-identity-mapper have the following properties:

enabled
Description

Indicates whether the Identity Mapper is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.

Default Value

org.opends.server.extensions.ExactMatchIdentityMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

match-attribute
Description

Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.

Default Value

uid

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

match-base-dn
Description

Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.

Default Value

The server searches below all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Regular Expression Identity Mapper

Identity Mappers of type regular-expression-identity-mapper have the following properties:

enabled
Description

Indicates whether the Identity Mapper is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.

Default Value

org.opends.server.extensions.RegularExpressionIdentityMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

match-attribute
Description

Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.

Default Value

uid

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

match-base-dn
Description

Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.

Default Value

The server searches below all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

match-pattern
Description

Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.

Default Value

None

Allowed Values

Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

replace-pattern
Description

Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.

Default Value

The replace pattern will be the empty string.

Allowed Values

Any valid replacement string that is allowed by the javax.util.regex.Matcher class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-key-manager-provider — Creates Key Manager Providers

Synopsis

dsconfig create-key-manager-provider {options}

Description

Creates Key Manager Providers.

Options

The dsconfig create-key-manager-provider command takes the following options:

--provider-name {name}

The name of the new Key Manager Provider.

Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Key Manager Provider types:

file-based-key-manager-provider

Default {name}: File Based Key Manager Provider

Enabled by default: true

See "File Based Key Manager Provider" for the properties of this Key Manager Provider type.

pkcs11-key-manager-provider

Default {name}: PKCS11 Key Manager Provider

Enabled by default: true

See "PKCS11 Key Manager Provider" for the properties of this Key Manager Provider type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Key Manager Provider properties depend on the Key Manager Provider type, which depends on the --provider-name {name} option.

-t | --type {type}

The type of Key Manager Provider which should be created. The value for TYPE can be one of: custom | file-based | pkcs11.

Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Key Manager Provider types:

file-based-key-manager-provider

Default {type}: File Based Key Manager Provider

Enabled by default: true

See "File Based Key Manager Provider" for the properties of this Key Manager Provider type.

pkcs11-key-manager-provider

Default {type}: PKCS11 Key Manager Provider

Enabled by default: true

See "PKCS11 Key Manager Provider" for the properties of this Key Manager Provider type.

File Based Key Manager Provider

Key Manager Providers of type file-based-key-manager-provider have the following properties:

enabled
Description

Indicates whether the Key Manager Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.

Default Value

org.opends.server.extensions.FileBasedKeyManagerProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider

Multi-valued

No

Required

Yes

Admin Action Required

The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-file
Description

Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

key-store-pin
Description

Specifies the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined Java property.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-type
Description

Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.

Default Value

None

Allowed Values

Any key store format supported by the Java runtime environment.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

PKCS11 Key Manager Provider

Key Manager Providers of type pkcs11-key-manager-provider have the following properties:

enabled
Description

Indicates whether the Key Manager Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.

Default Value

org.opends.server.extensions.PKCS11KeyManagerProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider

Multi-valued

No

Required

Yes

Admin Action Required

The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-pin
Description

Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined Java property.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No


Name

dsconfig create-log-publisher — Creates Log Publishers

Synopsis

dsconfig create-log-publisher {options}

Description

Creates Log Publishers.

Options

The dsconfig create-log-publisher command takes the following options:

--publisher-name {name}

The name of the new Log Publisher.

Log Publisher properties depend on the Log Publisher type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Log Publisher types:

csv-file-access-log-publisher

Default {name}: Csv File Access Log Publisher

Enabled by default: true

See "Csv File Access Log Publisher" for the properties of this Log Publisher type.

csv-file-http-access-log-publisher

Default {name}: Csv File HTTP Access Log Publisher

Enabled by default: true

See "Csv File HTTP Access Log Publisher" for the properties of this Log Publisher type.

external-access-log-publisher

Default {name}: External Access Log Publisher

Enabled by default: true

See "External Access Log Publisher" for the properties of this Log Publisher type.

external-http-access-log-publisher

Default {name}: External HTTP Access Log Publisher

Enabled by default: true

See "External HTTP Access Log Publisher" for the properties of this Log Publisher type.

file-based-access-log-publisher

Default {name}: File Based Access Log Publisher

Enabled by default: true

See "File Based Access Log Publisher" for the properties of this Log Publisher type.

file-based-audit-log-publisher

Default {name}: File Based Audit Log Publisher

Enabled by default: true

See "File Based Audit Log Publisher" for the properties of this Log Publisher type.

file-based-debug-log-publisher

Default {name}: File Based Debug Log Publisher

Enabled by default: true

See "File Based Debug Log Publisher" for the properties of this Log Publisher type.

file-based-error-log-publisher

Default {name}: File Based Error Log Publisher

Enabled by default: true

See "File Based Error Log Publisher" for the properties of this Log Publisher type.

file-based-http-access-log-publisher

Default {name}: File Based HTTP Access Log Publisher

Enabled by default: true

See "File Based HTTP Access Log Publisher" for the properties of this Log Publisher type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Log Publisher properties depend on the Log Publisher type, which depends on the --publisher-name {name} option.

-t | --type {type}

The type of Log Publisher which should be created. The value for TYPE can be one of: csv-file-access | csv-file-http-access | custom-access | custom-debug | custom-error | custom-http-access | external-access | external-http-access | file-based-access | file-based-audit | file-based-debug | file-based-error | file-based-http-access.

Log Publisher properties depend on the Log Publisher type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Log Publisher types:

csv-file-access-log-publisher

Default {type}: Csv File Access Log Publisher

Enabled by default: true

See "Csv File Access Log Publisher" for the properties of this Log Publisher type.

csv-file-http-access-log-publisher

Default {type}: Csv File HTTP Access Log Publisher

Enabled by default: true

See "Csv File HTTP Access Log Publisher" for the properties of this Log Publisher type.

external-access-log-publisher

Default {type}: External Access Log Publisher

Enabled by default: true

See "External Access Log Publisher" for the properties of this Log Publisher type.

external-http-access-log-publisher

Default {type}: External HTTP Access Log Publisher

Enabled by default: true

See "External HTTP Access Log Publisher" for the properties of this Log Publisher type.

file-based-access-log-publisher

Default {type}: File Based Access Log Publisher

Enabled by default: true

See "File Based Access Log Publisher" for the properties of this Log Publisher type.

file-based-audit-log-publisher

Default {type}: File Based Audit Log Publisher

Enabled by default: true

See "File Based Audit Log Publisher" for the properties of this Log Publisher type.

file-based-debug-log-publisher

Default {type}: File Based Debug Log Publisher

Enabled by default: true

See "File Based Debug Log Publisher" for the properties of this Log Publisher type.

file-based-error-log-publisher

Default {type}: File Based Error Log Publisher

Enabled by default: true

See "File Based Error Log Publisher" for the properties of this Log Publisher type.

file-based-http-access-log-publisher

Default {type}: File Based HTTP Access Log Publisher

Enabled by default: true

See "File Based HTTP Access Log Publisher" for the properties of this Log Publisher type.

Csv File Access Log Publisher

Log Publishers of type csv-file-access-log-publisher have the following properties:

asynchronous
Description

Indicates whether the Csv File Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-delimiter-char
Description

The delimiter character to use when writing in CSV format.

Default Value

,

Allowed Values

The delimiter character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

csv-eol-symbols
Description

The string that marks the end of a line.

Default Value

Use the platform specific end of line character sequence.

Allowed Values

The string that marks the end of a line.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-quote-char
Description

The character to append and prepend to a CSV field when writing in CSV format.

Default Value

"

Allowed Values

The quote character to use when writting in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CsvFileAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-file
Description

Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the Csv File Access Log Publisher is accessed.

Advanced Property

No

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-directory
Description

The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.

Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

retention-policy
Description

The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

signature-time-interval
Description

Specifies the interval at which to sign the log file when the tamper-evident option is enabled.

Default Value

3s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

tamper-evident
Description

Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Csv File HTTP Access Log Publisher

Log Publishers of type csv-file-http-access-log-publisher have the following properties:

asynchronous
Description

Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-delimiter-char
Description

The delimiter character to use when writing in CSV format.

Default Value

,

Allowed Values

The delimiter character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

csv-eol-symbols
Description

The string that marks the end of a line.

Default Value

Use the platform specific end of line character sequence.

Allowed Values

The string that marks the end of a line.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-quote-char
Description

The character to append and prepend to a CSV field when writing in CSV format.

Default Value

"

Allowed Values

The quote character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-file
Description

Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Changes to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.

Advanced Property

No

Read-only

No

log-directory
Description

The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.

Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

retention-policy
Description

The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

signature-time-interval
Description

Specifies the interval at which to sign the log file when secure option is enabled.

Default Value

3s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

tamper-evident
Description

Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

External Access Log Publisher

Log Publishers of type external-access-log-publisher have the following properties:

config-file
Description

The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.

Default Value

org.opends.server.loggers.ExternalAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

External HTTP Access Log Publisher

Log Publishers of type external-http-access-log-publisher have the following properties:

config-file
Description

The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Access Log Publisher

Log Publishers of type file-based-access-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.

Default Value

org.opends.server.loggers.TextAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Access Log Publisher.

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

log-format
Description

Specifies how log records should be formatted and written to the access log.

Default Value

multi-line

Allowed Values
combined

Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).

multi-line

Outputs separate log records for operation requests and responses.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-record-time-format
Description

Specifies the format string that is used to generate log record timestamps.

Default Value

dd/MMM/yyyy:HH:mm:ss Z

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Audit Log Publisher

Log Publishers of type file-based-audit-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Audit Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.

Default Value

org.opends.server.loggers.TextAuditLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Audit Log Publisher.

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Debug Log Publisher

Log Publishers of type file-based-debug-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Debug Log Publisher will publish records asynchronously.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

default-debug-exceptions-only
Description

Indicates whether only logs with exception should be logged.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-include-throwable-cause
Description

Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-omit-method-entry-arguments
Description

Indicates whether to include method arguments in debug messages logged by default.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-omit-method-return-value
Description

Indicates whether to include the return value in debug messages logged by default.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-throwable-stack-frames
Description

Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.

Default Value

2147483647

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.

Default Value

org.opends.server.loggers.TextDebugLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Debug Log Publisher .

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Error Log Publisher

Log Publishers of type file-based-error-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Error Log Publisher will publish records asynchronously.

Default Value

false

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

default-severity
Description

Specifies the default severity levels for the logger.

Default Value

error

warning

Allowed Values
all

Messages of all severity levels are logged.

debug

The error log severity that is used for messages that provide debugging information triggered during processing.

error

The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.

info

The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.

none

No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.

notice

The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).

warning

The error log severity that is used for messages that provide information about warnings triggered during processing.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.

Default Value

org.opends.server.loggers.TextErrorLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Error Log Publisher .

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

override-severity
Description

Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.

Default Value

All messages with the default severity levels are logged.

Allowed Values

A string in the form category=severity1,severity2...

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files will never be cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based HTTP Access Log Publisher

Log Publishers of type file-based-http-access-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true

false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.TextHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

log-format
Description

Specifies how log records should be formatted and written to the HTTP access log.

Default Value

cs-host c-ip cs-username x-datetime cs-method cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id

Allowed Values

A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-record-time-format
Description

Specifies the format string that is used to generate log record timestamps.

Default Value

dd/MMM/yyyy:HH:mm:ss Z

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-log-retention-policy — Creates Log Retention Policies

Synopsis

dsconfig create-log-retention-policy {options}

Description

Creates Log Retention Policies.

Options

The dsconfig create-log-retention-policy command takes the following options:

--policy-name {name}

The name of the new Log Retention Policy.

Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Log Retention Policy types:

file-count-log-retention-policy

Default {name}: File Count Log Retention Policy

Enabled by default: false

See "File Count Log Retention Policy" for the properties of this Log Retention Policy type.

free-disk-space-log-retention-policy

Default {name}: Free Disk Space Log Retention Policy

Enabled by default: false

See "Free Disk Space Log Retention Policy" for the properties of this Log Retention Policy type.

size-limit-log-retention-policy

Default {name}: Size Limit Log Retention Policy

Enabled by default: false

See "Size Limit Log Retention Policy" for the properties of this Log Retention Policy type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Log Retention Policy properties depend on the Log Retention Policy type, which depends on the --policy-name {name} option.

-t | --type {type}

The type of Log Retention Policy which should be created. The value for TYPE can be one of: custom | file-count | free-disk-space | size-limit.

Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Log Retention Policy types:

file-count-log-retention-policy

Default {type}: File Count Log Retention Policy

Enabled by default: false

See "File Count Log Retention Policy" for the properties of this Log Retention Policy type.

free-disk-space-log-retention-policy

Default {type}: Free Disk Space Log Retention Policy

Enabled by default: false

See "Free Disk Space Log Retention Policy" for the properties of this Log Retention Policy type.

size-limit-log-retention-policy

Default {type}: Size Limit Log Retention Policy

Enabled by default: false

See "Size Limit Log Retention Policy" for the properties of this Log Retention Policy type.

File Count Log Retention Policy

Log Retention Policies of type file-count-log-retention-policy have the following properties:

java-class
Description

Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.

Default Value

org.opends.server.loggers.FileNumberRetentionPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

number-of-files
Description

Specifies the number of archived log files to retain before the oldest ones are cleaned.

Default Value

None

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Free Disk Space Log Retention Policy

Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:

free-disk-space
Description

Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.

Default Value

None

Allowed Values

Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.

Default Value

org.opends.server.loggers.FreeDiskSpaceRetentionPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Size Limit Log Retention Policy

Log Retention Policies of type size-limit-log-retention-policy have the following properties:

disk-space-used
Description

Specifies the maximum total disk space used by the log files.

Default Value

None

Allowed Values

Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.

Default Value

org.opends.server.loggers.SizeBasedRetentionPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No


Name

dsconfig create-log-rotation-policy — Creates Log Rotation Policies

Synopsis

dsconfig create-log-rotation-policy {options}

Description

Creates Log Rotation Policies.

Options

The dsconfig create-log-rotation-policy command takes the following options:

--policy-name {name}

The name of the new Log Rotation Policy.

Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Log Rotation Policy types:

fixed-time-log-rotation-policy

Default {name}: Fixed Time Log Rotation Policy

Enabled by default: false

See "Fixed Time Log Rotation Policy" for the properties of this Log Rotation Policy type.

size-limit-log-rotation-policy

Default {name}: Size Limit Log Rotation Policy

Enabled by default: false

See "Size Limit Log Rotation Policy" for the properties of this Log Rotation Policy type.

time-limit-log-rotation-policy

Default {name}: Time Limit Log Rotation Policy

Enabled by default: false

See "Time Limit Log Rotation Policy" for the properties of this Log Rotation Policy type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the --policy-name {name} option.

-t | --type {type}

The type of Log Rotation Policy which should be created. The value for TYPE can be one of: custom | fixed-time | size-limit | time-limit.

Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Log Rotation Policy types:

fixed-time-log-rotation-policy

Default {type}: Fixed Time Log Rotation Policy

Enabled by default: false

See "Fixed Time Log Rotation Policy" for the properties of this Log Rotation Policy type.

size-limit-log-rotation-policy

Default {type}: Size Limit Log Rotation Policy

Enabled by default: false

See "Size Limit Log Rotation Policy" for the properties of this Log Rotation Policy type.

time-limit-log-rotation-policy

Default {type}: Time Limit Log Rotation Policy

Enabled by default: false

See "Time Limit Log Rotation Policy" for the properties of this Log Rotation Policy type.

Fixed Time Log Rotation Policy

Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.

Default Value

org.opends.server.loggers.FixedTimeRotationPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

time-of-day
Description

Specifies the time of day at which log rotation should occur.

Default Value

None

Allowed Values

24 hour time of day in HHmm format.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Size Limit Log Rotation Policy

Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:

file-size-limit
Description

Specifies the maximum size that a log file can reach before it is rotated.

Default Value

None

Allowed Values

Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.

Default Value

org.opends.server.loggers.SizeBasedRotationPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Time Limit Log Rotation Policy

Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.

Default Value

org.opends.server.loggers.TimeLimitRotationPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

rotation-interval
Description

Specifies the time interval between rotations.

Default Value

None

Allowed Values

Some property values take a time duration. Durations are expressed as numbers followed by units. For example 1 s means one second, and 2 w means two weeks. Some durations have minimum granularity or maximum units, so you cannot necessary specify every duration in milliseconds or weeks for example. Some durations allow you to use a special value to mean unlimited. Units are specified as follows.

  • ms: milliseconds

  • s: seconds

  • m: minutes

  • h: hours

  • d: days

  • w: weeks

Lower limit is 1 milliseconds.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-matching-rule — Creates Matching Rules

Synopsis

dsconfig create-matching-rule {options}

Description

Creates Matching Rules.

Options

The dsconfig create-matching-rule command takes the following options:

--rule-name {name}

The name of the new Matching Rule.

Matching Rule properties depend on the Matching Rule type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Matching Rule types:

collation-matching-rule

Default {name}: Collation Matching Rule

Enabled by default: true

See "Collation Matching Rule" for the properties of this Matching Rule type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Matching Rule properties depend on the Matching Rule type, which depends on the --rule-name {name} option.

-t | --type {type}

The type of Matching Rule which should be created (Default: generic). The value for TYPE can be one of: collation | generic.

Matching Rule properties depend on the Matching Rule type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Matching Rule types:

collation-matching-rule

Default {type}: Collation Matching Rule

Enabled by default: true

See "Collation Matching Rule" for the properties of this Matching Rule type.

Collation Matching Rule

Matching Rules of type collation-matching-rule have the following properties:

collation
Description

the set of supported locales Collation must be specified using the syntax: LOCALE:OID

Default Value

None

Allowed Values

A Locale followed by a ":" and an OID.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Matching Rule is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Collation Matching Rule implementation.

Default Value

org.opends.server.schema.CollationMatchingRuleFactory

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MatchingRuleFactory

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

matching-rule-type
Description

the types of matching rules that should be supported for each locale

Default Value

None

Allowed Values
equality

Specifies if equality type collation matching rule needs to be created for each locale.

greater-than

Specifies if greater-than type collation matching rule needs to be created for each locale.

greater-than-or-equal-to

Specifies if greater-than-or-equal-to type collation matching rule needs to be created for each locale.

less-than

Specifies if less-than type collation matching rule needs to be created for each locale.

less-than-or-equal-to

Specifies if less-than-or-equal-to type collation matching rule needs to be created for each locale.

substring

Specifies if substring type collation matching rule needs to be created for each locale.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No


Name

dsconfig create-monitor-provider — Creates Monitor Providers

Synopsis

dsconfig create-monitor-provider {options}

Description

Creates Monitor Providers.

Options

The dsconfig create-monitor-provider command takes the following options:

--provider-name {name}

The name of the new Monitor Provider.

Monitor Provider properties depend on the Monitor Provider type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Monitor Provider types:

client-connection-monitor-provider

Default {name}: Client Connection Monitor Provider

Enabled by default: true

See "Client Connection Monitor Provider" for the properties of this Monitor Provider type.

entry-cache-monitor-provider

Default {name}: Entry Cache Monitor Provider

Enabled by default: true

See "Entry Cache Monitor Provider" for the properties of this Monitor Provider type.

memory-usage-monitor-provider

Default {name}: Memory Usage Monitor Provider

Enabled by default: true

See "Memory Usage Monitor Provider" for the properties of this Monitor Provider type.

stack-trace-monitor-provider

Default {name}: Stack Trace Monitor Provider

Enabled by default: true

See "Stack Trace Monitor Provider" for the properties of this Monitor Provider type.

system-info-monitor-provider

Default {name}: System Info Monitor Provider

Enabled by default: true

See "System Info Monitor Provider" for the properties of this Monitor Provider type.

version-monitor-provider

Default {name}: Version Monitor Provider

Enabled by default: true

See "Version Monitor Provider" for the properties of this Monitor Provider type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Monitor Provider properties depend on the Monitor Provider type, which depends on the --provider-name {name} option.

-t | --type {type}

The type of Monitor Provider which should be created. The value for TYPE can be one of: client-connection | custom | entry-cache | memory-usage | stack-trace | system-info | version.

Monitor Provider properties depend on the Monitor Provider type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Monitor Provider types:

client-connection-monitor-provider

Default {type}: Client Connection Monitor Provider

Enabled by default: true

See "Client Connection Monitor Provider" for the properties of this Monitor Provider type.

entry-cache-monitor-provider

Default {type}: Entry Cache Monitor Provider

Enabled by default: true

See "Entry Cache Monitor Provider" for the properties of this Monitor Provider type.

memory-usage-monitor-provider

Default {type}: Memory Usage Monitor Provider

Enabled by default: true

See "Memory Usage Monitor Provider" for the properties of this Monitor Provider type.

stack-trace-monitor-provider

Default {type}: Stack Trace Monitor Provider

Enabled by default: true

See "Stack Trace Monitor Provider" for the properties of this Monitor Provider type.

system-info-monitor-provider

Default {type}: System Info Monitor Provider

Enabled by default: true

See "System Info Monitor Provider" for the properties of this Monitor Provider type.

version-monitor-provider

Default {type}: Version Monitor Provider

Enabled by default: true

See "Version Monitor Provider" for the properties of this Monitor Provider type.

Client Connection Monitor Provider

Monitor Providers of type client-connection-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.

Default Value

org.opends.server.monitors.ClientConnectionMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Entry Cache Monitor Provider

Monitor Providers of type entry-cache-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.

Default Value

org.opends.server.monitors.EntryCacheMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Memory Usage Monitor Provider

Monitor Providers of type memory-usage-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.

Default Value

org.opends.server.monitors.MemoryUsageMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Stack Trace Monitor Provider

Monitor Providers of type stack-trace-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.

Default Value

org.opends.server.monitors.StackTraceMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

System Info Monitor Provider

Monitor Providers of type system-info-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true

false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.

Default Value

org.opends.server.monitors.SystemInfoMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Version Monitor Provider

Monitor Providers of type version-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Va