dsconf(8) System Manager's Manual dsconf(8)

dsconf

dsconf [-h] [-v] [-D BINDDN] [-w BINDPW] [-W] [-y PWDFILE] [-b BASEDN] [-Z] [-j] instance {backend,backup,chaining,config,directory_manager,monitor,plugin,pwpolicy,localpwp,replication,repl,repl-agmt,repl-winsync-agmt,repl-tasks,sasl,security,schema,repl-conflict} ...

instance
    The name of the instance or its LDAP URL, such as
    ldap://server.example.com:389

Sub-commands

backend
    Manage database suffixes and backends
backup
    Manage online backups
chaining
    Manage database chaining and database links
config
    Manage the server configuration
directory_manager
    Manage the Directory Manager account
monitor
    Monitor the state of the instance
plugin
    Manage plug-ins available on the server
pwpolicy
    Manage the global password policy settings
localpwp
    Manage the local user and subtree password policies
replication
    Manage replication for a suffix
repl-agmt
    Manage replication agreements
repl-winsync-agmt
    Manage Winsync agreements
repl-tasks
    Manage replication tasks
sasl
    Manage SASL mappings
security
    Manage security settings
schema
    Manage the directory schema
repl-conflict
    Manage replication conflicts

usage: dsconf instance backend [-h]
{suffix,index,vlv-index,attr-encrypt,config,monitor,import,export,create,delete,get-tree,compact-db}
...

Sub-commands

suffix
    Manage backend suffixes
index
    Manage backend indexes
vlv-index
    Manage VLV searches and indexes
attr-encrypt
    Manage encrypted attribute settings
config
    Manage the global database configuration settings
monitor
    Displays global database or suffix monitoring information
import
    Online import of a suffix
export
    Online export of a suffix
create
    Create a backend database
delete
    Delete a backend database
get-tree
    Display the suffix tree
compact-db
    Compact the database and the replication changelog

usage: dsconf instance backend suffix [-h]
{list,get,get-dn,get-sub-suffixes,set}
...

Sub-commands

list
    List active backends and suffixes
get
    Display the suffix entry
get-dn
    Display the DN of a backend
get-sub-suffixes
    Display sub-suffixes
set
    Set configuration settings for a specific backend

usage: dsconf instance backend suffix list [-h] [--suffix]
[--skip-subsuffixes]

--suffix
    Displays the suffixes without backend name

--skip-subsuffixes
    Displays the list of suffixes without sub-suffixes

usage: dsconf instance backend suffix get [-h] [selector]

selector
    The backend database name to search for

usage: dsconf instance backend suffix get-dn [-h] [dn]

dn
    The DN to the database entry in cn=ldbm database,cn=plugins,cn=config

usage: dsconf instance backend suffix get-sub-suffixes [-h] [--suffix] be_name

be_name
    The backend name or suffix

--suffix
    Displays the list of suffixes without backend name

usage: dsconf instance backend suffix set [-h] [--enable-readonly]
[--disable-readonly]
[--enable-orphan] [--disable-orphan]
[--require-index] [--ignore-index]
[--add-referral ADD_REFERRAL]
[--del-referral DEL_REFERRAL]
[--enable] [--disable]
[--cache-size CACHE_SIZE]
[--cache-memsize CACHE_MEMSIZE]
[--dncache-memsize DNCACHE_MEMSIZE]
[--state STATE]
be_name

be_name
    The backend name or suffix

--enable-readonly
    Enables read-only mode for the backend database

--disable-readonly
    Disables read-only mode for the backend database

--enable-orphan
    Disconnect a subsuffix from its parent suffix.

--disable-orphan
    Let the subsuffix be connected to its parent suffix.

--require-index
    Allows only indexed searches

--ignore-index
    Allows all searches even if they are unindexed

--add-referral ADD_REFERRAL
    Adds an LDAP referral to the backend

--del-referral DEL_REFERRAL
    Removes an LDAP referral from the backend

--enable
    Enables the backend database

--disable
    Disables the backend database

--cache-size CACHE_SIZE
    Sets the maximum number of entries to keep in the entry cache

--cache-memsize CACHE_MEMSIZE
    Sets the maximum size in bytes that the entry cache can grow to

--dncache-memsize DNCACHE_MEMSIZE
    Sets the maximum size in bytes that the DN cache can grow to

--state STATE
    Changes the backend state to: "database", "disabled", "referral", or
    "referral on update"

usage: dsconf instance backend index [-h]
{add,set,get,list,delete,reindex} ...

Sub-commands

add
    Add an index
set
    Update an index
get
    Display an index entry
list
    Display the index
delete
    Delete an index
reindex
    Re-index the database for a single index or all indexes

usage: dsconf instance backend index add [-h] --index-type INDEX_TYPE
[--matching-rule MATCHING_RULE]
[--reindex] --attr ATTR
be_name

be_name
    The backend name or suffix

--index-type INDEX_TYPE
    Sets the indexing type (eq, sub, pres, or approx)

--matching-rule MATCHING_RULE
    Sets the matching rule for the index

--reindex
    Re-indexes the database after adding a new index

--attr ATTR
    Sets the attribute name to index

usage: dsconf instance backend index set [-h] --attr ATTR
[--add-type ADD_TYPE]
[--del-type DEL_TYPE]
[--add-mr ADD_MR] [--del-mr DEL_MR]
[--reindex]
be_name

be_name
    The backend name or suffix

--attr ATTR
    Sets the indexed attribute to update

--add-type ADD_TYPE
    Adds an index type to the index (eq, sub, pres, or approx)

--del-type DEL_TYPE
    Removes an index type from the index (eq, sub, pres, or approx)

--add-mr ADD_MR
    Adds a matching-rule to the index

--del-mr DEL_MR
    Removes a matching-rule from the index

--reindex
    Re-indexes the database after editing the index

usage: dsconf instance backend index get [-h] --attr ATTR be_name

be_name
    The backend name or suffix

--attr ATTR
    Sets the index name to display

usage: dsconf instance backend index list [-h] [--just-names] be_name

be_name
    The backend name or suffix

--just-names
    Displays only the names of indexed attributes

usage: dsconf instance backend index delete [-h] [--attr ATTR] be_name

be_name
    The backend name or suffix

--attr ATTR
    Sets the name of the attribute to delete from the index

usage: dsconf instance backend index reindex [-h] [--attr ATTR] [--wait]
be_name

be_name
    The backend name or suffix

--attr ATTR
    Sets the name of the attribute to re-index. Omit this argument to re-index
    all attributes

--wait
    Waits for the index task to complete and reports the status

usage: dsconf instance backend vlv-index [-h]
{list,get,add-search,edit-search,del-search,add-index,del-index,reindex}
...

Sub-commands

list
    List VLV search and index entries
get
    Display a VLV search and indexes
add-search
    Add a VLV search entry. The search entry is the parent entry of the VLV index entries, and it specifies the search parameters that are used to match entries for those indexes.
edit-search
    Update a VLV search and index
del-search
    Delete VLV search & index
add-index
    Create a VLV index under a VLV search entry (parent entry). The VLV index specifies the attributes to sort
del-index
    Delete a VLV index under a VLV search entry (parent entry)
reindex
    Index/re-index the VLV database index

usage: dsconf instance backend vlv-index list [-h] [--just-names] be_name

be_name
    The backend name of the VLV index

--just-names
    Displays only the names of VLV search entries

usage: dsconf instance backend vlv-index get [-h] [--name NAME] be_name

be_name
    The backend name of the VLV index

--name NAME
    Displays the VLV search entry and its index entries

usage: dsconf instance backend vlv-index add-search [-h] --name NAME
--search-base SEARCH_BASE
--search-scope
SEARCH_SCOPE
--search-filter
SEARCH_FILTER
be_name

be_name
    The backend name of the VLV index

--name NAME
    Sets the name of the VLV search entry

--search-base SEARCH_BASE
    Sets the VLV search base

--search-scope SEARCH_SCOPE
    Sets the VLV search scope: 0 (base search), 1 (one-level search), or 2
    (subtree search)

--search-filter SEARCH_FILTER
    Sets the VLV search filter

usage: dsconf instance backend vlv-index edit-search [-h] --name NAME
[--search-base SEARCH_BASE]
[--search-scope SEARCH_SCOPE]
[--search-filter SEARCH_FILTER]
[--reindex]
be_name

be_name
    The backend name of the VLV index to update

--name NAME
    Sets the name of the VLV index

--search-base SEARCH_BASE
    Sets the VLV search base

--search-scope SEARCH_SCOPE
    Sets the VLV search scope: 0 (base search), 1 (one-level search), or 2
    (subtree search)

--search-filter SEARCH_FILTER
    Sets the VLV search filter

--reindex
    Re-indexes all VLV database indexes

usage: dsconf instance backend vlv-index del-search [-h] --name NAME be_name

be_name
    The backend name of the VLV index

--name NAME
    Sets the name of the VLV search index

usage: dsconf instance backend vlv-index add-index [-h] --parent-name
PARENT_NAME --index-name
INDEX_NAME --sort SORT
[--index-it]
be_name

be_name
    The backend name of the VLV index

--parent-name PARENT_NAME
    Sets the name or "cn" attribute of the parent VLV search entry

--index-name INDEX_NAME
    Sets the name of the new VLV index

--sort SORT
    Sets a space-separated list of attributes to sort for this VLV index

--index-it
    Creates the database index for this VLV index definition

usage: dsconf instance backend vlv-index del-index [-h] --parent-name
PARENT_NAME
[--index-name INDEX_NAME]
[--sort SORT]
be_name

be_name
    The backend name of the VLV index

--parent-name PARENT_NAME
    Sets the name or "cn" attribute value of the parent VLV search entry

--index-name INDEX_NAME
    Sets the name of the VLV index to delete

--sort SORT
    Delete a VLV index that has this vlvsort value

usage: dsconf instance backend vlv-index reindex [-h]
[--index-name INDEX_NAME]
--parent-name PARENT_NAME
be_name

be_name
    The backend name of the VLV index

--index-name INDEX_NAME
    Sets the name of the VLV index entry to re-index. If not set, all indexes
    are re-indexed

--parent-name PARENT_NAME
    Sets the name or "cn" attribute value of the parent VLV search entry

usage: dsconf instance backend attr-encrypt [-h] [--list] [--just-names]
[--add-attr ADD_ATTR]
[--del-attr DEL_ATTR]
be_name

be_name
    The backend name or suffix

--list
    Lists all encrypted attributes in the backend

--just-names
    List only the names of the encrypted attributes when used with --list

--add-attr ADD_ATTR
    Enables encryption for the specified attribute

--del-attr DEL_ATTR
    Disables encryption for the specified attribute

usage: dsconf instance backend config [-h] {get,set} ...

Sub-commands

get
    Display the global database configuration
set
    Set the global database configuration

usage: dsconf instance backend config get [-h]

usage: dsconf instance backend config set [-h]
[--lookthroughlimit LOOKTHROUGHLIMIT]
[--mode MODE]
[--idlistscanlimit IDLISTSCANLIMIT]
[--directory DIRECTORY]
[--dbcachesize DBCACHESIZE]
[--logdirectory LOGDIRECTORY]
[--txn-wait TXN_WAIT]
[--checkpoint-interval CHECKPOINT_INTERVAL]
[--compactdb-interval COMPACTDB_INTERVAL]
[--compactdb-time COMPACTDB_TIME]
[--txn-batch-val TXN_BATCH_VAL]
[--txn-batch-min TXN_BATCH_MIN]
[--txn-batch-max TXN_BATCH_MAX]
[--logbufsize LOGBUFSIZE]
[--locks LOCKS]
[--locks-monitoring-enabled LOCKS_MONITORING_ENABLED]
[--locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD]
[--locks-monitoring-pause LOCKS_MONITORING_PAUSE]
[--import-cache-autosize IMPORT_CACHE_AUTOSIZE]
[--cache-autosize CACHE_AUTOSIZE]
[--cache-autosize-split CACHE_AUTOSIZE_SPLIT]
[--import-cachesize IMPORT_CACHESIZE]
[--exclude-from-export EXCLUDE_FROM_EXPORT]
[--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT]
[--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT]
[--rangelookthroughlimit RANGELOOKTHROUGHLIMIT]
[--backend-opt-level BACKEND_OPT_LEVEL]
[--deadlock-policy DEADLOCK_POLICY]
[--db-home-directory DB_HOME_DIRECTORY]
[--db-lib DB_LIB]

--lookthroughlimit LOOKTHROUGHLIMIT
    Specifies the maximum number of entries that the server will check when
    examining candidate entries in response to a search request

--mode MODE
    Specifies the permissions used for newly created index files

--idlistscanlimit IDLISTSCANLIMIT
    Specifies the number of entry IDs that are searched during a search
    operation

--directory DIRECTORY
    Specifies absolute path to database instance

--dbcachesize DBCACHESIZE
    Specifies the database index cache size in bytes

--logdirectory LOGDIRECTORY
    Specifies the path to the directory that contains the database transaction
    logs

--txn-wait TXN_WAIT
    Sets whether the server should wait if there are no db locks available

--checkpoint-interval CHECKPOINT_INTERVAL
    Sets the amount of time in seconds after which the server sends a
    checkpoint entry to the database transaction log

--compactdb-interval COMPACTDB_INTERVAL
    Sets the interval in seconds when the database is compacted

--compactdb-time COMPACTDB_TIME
    Sets the time of day (HH:MM format) at which to compact the database after
    the "compactdb interval" has been reached

--txn-batch-val TXN_BATCH_VAL
    Specifies how many transactions will be batched before being committed

--txn-batch-min TXN_BATCH_MIN
    Controls when transactions should be flushed earliest, independently of the
    batch count. Requires that txn-batch-val is set

--txn-batch-max TXN_BATCH_MAX
    Controls when transactions should be flushed latest, independently of the
    batch count. Requires that txn-batch-val is set

--logbufsize LOGBUFSIZE
    Specifies the transaction log information buffer size

--locks LOCKS
    Sets the maximum number of database locks

--locks-monitoring-enabled LOCKS_MONITORING_ENABLED
    Enables or disables monitoring of DB locks when the value crosses the
    percentage set with "--locks-monitoring-threshold"

--locks-monitoring-threshold LOCKS_MONITORING_THRESHOLD
    Sets the DB lock exhaustion threshold in percentage (valid range is 70-90).
    When the threshold is reached, all searches are aborted until the number of
    active locks decreases below the configured threshold and/or the
    administrator increases the number of database locks (nsslapd-db-locks).
    This threshold is a safeguard against DB corruption which might be caused
    by locks exhaustion.

--locks-monitoring-pause LOCKS_MONITORING_PAUSE
    Sets the DB lock monitoring value in milliseconds for the amount of time
    that the monitoring thread spends waiting between checks.

--import-cache-autosize IMPORT_CACHE_AUTOSIZE
    Enables or disables automatically setting the size of the import cache
    used during the import process of LDIF files

--cache-autosize CACHE_AUTOSIZE
    Sets the percentage of free memory that is used in total for the database
    and entry cache. "0" disables this feature.

--cache-autosize-split CACHE_AUTOSIZE_SPLIT
    Sets the percentage of RAM that is used for the database cache. The
    remaining percentage is used for the entry cache

--import-cachesize IMPORT_CACHESIZE
    Sets the size in bytes of the database cache used in the import process.

--exclude-from-export EXCLUDE_FROM_EXPORT
    List of attributes to not include during database export operations

--pagedlookthroughlimit PAGEDLOOKTHROUGHLIMIT
    Specifies the maximum number of entries that the server will check when
    examining candidate entries for a search which uses the simple paged
    results control

--pagedidlistscanlimit PAGEDIDLISTSCANLIMIT
    Specifies the number of entry IDs that are searched, specifically, for a
    search operation using the simple paged results control.

--rangelookthroughlimit RANGELOOKTHROUGHLIMIT
    Specifies the maximum number of entries that the server will check when
    examining candidate entries in response to a range search request.

--backend-opt-level BACKEND_OPT_LEVEL
    Sets the backend optimization level for write performance (0, 1, 2, or 4).
    WARNING: This parameter can trigger experimental code.

--deadlock-policy DEADLOCK_POLICY
    Adjusts the backend database deadlock policy (Advanced setting)

--db-home-directory DB_HOME_DIRECTORY
    Sets the directory for the database mmapped files (Advanced setting)

--db-lib DB_LIB
    Sets which db lib is used. Valid values are: bdb or mdb

usage: dsconf instance backend monitor [-h] [--suffix SUFFIX]

--suffix SUFFIX
    Displays monitoring information only for the specified suffix

usage: dsconf instance backend import [-h] [-c CHUNKS_SIZE] [-E]
[-g GEN_UNIQ_ID] [-O]
[-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
[-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
[be_name] [ldifs ...]

be_name
    The backend name or the root suffix

ldifs
    Specifies the filename of the input LDIF files. Multiple files are imported
    in the specified order.

-c CHUNKS_SIZE
    The number of chunks to have during the import operation

-E
    Encrypt attributes configured in the database for encryption

-g GEN_UNIQ_ID
    Generate a unique id. Set "none" for no unique ID to be generated and
    "deterministic" for the generated unique ID to be name-based. By default, a
    time-based unique ID is generated. When using the deterministic generation
    to have a name-based unique ID, it is also possible to specify the
    namespace for the server to use. namespaceId is a string of characters in
    the format 00-xxxxxxxx-xxxxxxxx-xxxxxxxx-xxxxxxxx.

-O
    Creates only the core database attribute indexes

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
    Specifies the suffixes or the subtrees to be included

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
    Specifies the suffixes to be excluded

usage: dsconf instance backend export [-h] [-l LDIF] [-C] [-E] [-m] [-N] [-r]
[-u] [-U]
[-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]]
[-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]]
be_names [be_names ...]

be_names
    The backend names or the root suffixes

-l LDIF
    Sets the filename of the output LDIF file. Separate multiple file names
    with spaces.

-C
    Uses only the main database file

-E
    Decrypts encrypted data during export. This option is used only if database
    encryption is enabled.

-m
    Sets minimal base-64 encoding

-N
    Suppresses printing the sequence numbers

-r
    Exports the data with information required to initialize a replica

-u
    Omits exporting the unique ID

-U
    Disables folding the output

-s INCLUDE_SUFFIXES [INCLUDE_SUFFIXES ...]
    Specifies the suffixes or the subtrees to be included

-x EXCLUDE_SUFFIXES [EXCLUDE_SUFFIXES ...]
    Specifies the suffixes to be excluded

usage: dsconf instance backend create [-h] [--parent-suffix PARENT_SUFFIX]
--suffix SUFFIX --be-name BE_NAME
[--create-entries] [--create-suffix]

--parent-suffix PARENT_SUFFIX
    Sets the parent suffix only if this backend is a sub-suffix

--suffix SUFFIX
    Sets the database suffix DN

--be-name BE_NAME
    Sets the database backend name

--create-entries
    Adds sample entries to the database

--create-suffix
    Creates the suffix object entry in the database. Only suffixes using the 'dc',

usage: dsconf instance backend delete [-h] be_name

be_name
    The backend name or suffix

usage: dsconf instance backend get-tree [-h]

usage: dsconf instance backend compact-db [-h] [--only-changelog]

--only-changelog
    Compacts only the replication change log

usage: dsconf instance backup [-h] {create,restore} ...

Sub-commands

create
    Creates a backup of the database
restore
    Restores a database from a backup

usage: dsconf instance backup create [-h] [-t DB_TYPE] [archive]

archive
    Sets the directory where to store the backup files. Format:
    instance_name-year_month_date_hour_minutes_seconds. Default:
    /var/lib/dirsrv/slapd-instance/bak/

-t DB_TYPE
    Sets the database type. Default: ldbm database

usage: dsconf instance backup restore [-h] [-t DB_TYPE] archive

archive
    Set the directory that contains the backup files

-t DB_TYPE
    Sets the database type. Default: ldbm database

usage: dsconf instance chaining [-h]
{config-get,config-set,config-get-def,config-set-def,link-create,link-get,link-set,link-delete,monitor,link-list}
...

Sub-commands

config-get
    Display the chaining controls and server component lists
config-set
    Set the chaining controls and server component lists
config-get-def
    Display the default creation parameters for new database links
config-set-def
    Set the default creation parameters for new database links
link-create
    Create a database link to a remote server
link-get
    Displays chaining database links
link-set
    Edit a database link to a remote server
link-delete
    Delete a database link
monitor
    Display monitor information for a database chaining link
link-list
    List database links

usage: dsconf instance chaining config-get [-h] [--avail-controls]
[--avail-comps]

--avail-controls
    Lists available chaining controls

--avail-comps
    Lists available chaining plugin components

usage: dsconf instance chaining config-set [-h] [--add-control ADD_CONTROL]
[--del-control DEL_CONTROL]
[--add-comp ADD_COMP]
[--del-comp DEL_COMP]

--add-control ADD_CONTROL
    Adds a transmitted control OID

--del-control DEL_CONTROL
    Deletes a transmitted control OID

--add-comp ADD_COMP
    Adds a chaining component

--del-comp DEL_COMP
    Deletes a chaining component

usage: dsconf instance chaining config-get-def [-h]

usage: dsconf instance chaining config-set-def [-h]
[--conn-bind-limit CONN_BIND_LIMIT]
[--conn-op-limit CONN_OP_LIMIT]
[--abandon-check-interval ABANDON_CHECK_INTERVAL]
[--bind-limit BIND_LIMIT]
[--op-limit OP_LIMIT]
[--proxied-auth PROXIED_AUTH]
[--conn-lifetime CONN_LIFETIME]
[--bind-timeout BIND_TIMEOUT]
[--return-ref RETURN_REF]
[--check-aci CHECK_ACI]
[--bind-attempts BIND_ATTEMPTS]
[--size-limit SIZE_LIMIT]
[--time-limit TIME_LIMIT]
[--hop-limit HOP_LIMIT]
[--response-delay RESPONSE_DELAY]
[--test-response-delay TEST_RESPONSE_DELAY]
[--use-starttls USE_STARTTLS]

--conn-bind-limit CONN_BIND_LIMIT
    Sets the maximum number of BIND connections the database link establishes
    with the remote server

--conn-op-limit CONN_OP_LIMIT
    Sets the maximum number of LDAP connections the database link establishes
    with the remote server

--abandon-check-interval ABANDON_CHECK_INTERVAL
    Sets the number of seconds that pass before the server checks for abandoned
    operations

--bind-limit BIND_LIMIT
    Sets the maximum number of concurrent bind operations per TCP connection

--op-limit OP_LIMIT
    Sets the maximum number of concurrent operations allowed

--proxied-auth PROXIED_AUTH
    Enables or disables proxied authorization. If set to "off", the server
    executes bind for chained operations as the user set in the
    nsMultiplexorBindDn attribute.

--conn-lifetime CONN_LIFETIME
    Specifies connection lifetime in seconds. "0" keeps the connection open
    forever.

--bind-timeout BIND_TIMEOUT
    Sets the amount of time in seconds before a bind attempt times out

--return-ref RETURN_REF
    Enables or disables whether referrals are returned by scoped searches

--check-aci CHECK_ACI
    Enables or disables whether the server evaluates ACIs on the database link
    as well as the remote data server

--bind-attempts BIND_ATTEMPTS
    Sets the number of times the server tries to bind to the remote server

--size-limit SIZE_LIMIT
    Sets the maximum number of entries to return from a search operation

--time-limit TIME_LIMIT
    Sets the maximum number of seconds allowed for an operation

--hop-limit HOP_LIMIT
    Sets the maximum number of times a database is allowed to chain. That is
    the number of times a request can be forwarded from one database link to
    another.

--response-delay RESPONSE_DELAY
    Sets the maximum amount of time it can take a remote server to respond to
    an LDAP operation request made by a database link before an error is
    suspected

--test-response-delay TEST_RESPONSE_DELAY
    Sets the duration of the test issued by the database link to check whether
    the remote server is responding

--use-starttls USE_STARTTLS
    Configures database links to use StartTLS if set to "on"

usage: dsconf instance chaining link-create [-h]
[--conn-bind-limit CONN_BIND_LIMIT]
[--conn-op-limit CONN_OP_LIMIT]
[--abandon-check-interval ABANDON_CHECK_INTERVAL]
[--bind-limit BIND_LIMIT]
[--op-limit OP_LIMIT]
[--proxied-auth PROXIED_AUTH]
[--conn-lifetime CONN_LIFETIME]
[--bind-timeout BIND_TIMEOUT]
[--return-ref RETURN_REF]
[--check-aci CHECK_ACI]
[--bind-attempts BIND_ATTEMPTS]
[--size-limit SIZE_LIMIT]
[--time-limit TIME_LIMIT]
[--hop-limit HOP_LIMIT]
[--response-delay RESPONSE_DELAY]
[--test-response-delay TEST_RESPONSE_DELAY]
[--use-starttls USE_STARTTLS]
--suffix SUFFIX --server-url
SERVER_URL --bind-mech BIND_MECH
--bind-dn BIND_DN --bind-pw
BIND_PW
CHAIN_NAME

CHAIN_NAME
    The name of the database link

--conn-bind-limit CONN_BIND_LIMIT
    Sets the maximum number of BIND connections the database link establishes
    with the remote server

--conn-op-limit CONN_OP_LIMIT
    Sets the maximum number of LDAP connections the database link establishes
    with the remote server

--abandon-check-interval ABANDON_CHECK_INTERVAL
    Sets the number of seconds that pass before the server checks for abandoned
    operations

--bind-limit BIND_LIMIT
    Sets the maximum number of concurrent bind operations per TCP connection

--op-limit OP_LIMIT
    Sets the maximum number of concurrent operations allowed

--proxied-auth PROXIED_AUTH
    Enables or disables proxied authorization. If set to "off", the server
    executes bind for chained operations as the user set in the
    nsMultiplexorBindDn attribute.

--conn-lifetime CONN_LIFETIME
    Specifies connection lifetime in seconds. "0" keeps the connection open
    forever.

--bind-timeout BIND_TIMEOUT
    Sets the amount of time in seconds before a bind attempt times out

--return-ref RETURN_REF
    Enables or disables whether referrals are returned by scoped searches

--check-aci CHECK_ACI
    Enables or disables whether the server evaluates ACIs on the database link
    as well as the remote data server

--bind-attempts BIND_ATTEMPTS
    Sets the number of times the server tries to bind to the remote server

--size-limit SIZE_LIMIT
    Sets the maximum number of entries to return from a search operation

--time-limit TIME_LIMIT
    Sets the maximum number of seconds allowed for an operation

--hop-limit HOP_LIMIT
    Sets the maximum number of times a database is allowed to chain. That is
    the number of times a request can be forwarded from one database link to
    another.

--response-delay RESPONSE_DELAY
    Sets the maximum amount of time it can take a remote server to respond to
    an LDAP operation request made by a database link before an error is
    suspected

--test-response-delay TEST_RESPONSE_DELAY
    Sets the duration of the test issued by the database link to check whether
    the remote server is responding

--use-starttls USE_STARTTLS
    Configures database links to use StartTLS if set to "on"

--suffix SUFFIX
    Sets the suffix managed by the database link

--server-url SERVER_URL
    Sets the LDAP/LDAPS URL to the remote server

--bind-mech BIND_MECH
    Sets the authentication method to use to authenticate to the remote server.
    Valid values: "SIMPLE" (default), "EXTERNAL", "DIGEST-MD5", or "GSSAPI"

--bind-dn BIND_DN
    Sets the DN of the administrative entry used to communicate with the remote
    server

--bind-pw BIND_PW
    Sets the password of the administrative user

usage: dsconf instance chaining link-get [-h] CHAIN_NAME

CHAIN_NAME
    The chaining link name or suffix to retrieve

usage: dsconf instance chaining link-set [-h]
[--conn-bind-limit CONN_BIND_LIMIT]
[--conn-op-limit CONN_OP_LIMIT]
[--abandon-check-interval ABANDON_CHECK_INTERVAL]
[--bind-limit BIND_LIMIT]
[--op-limit OP_LIMIT]
[--proxied-auth PROXIED_AUTH]
[--conn-lifetime CONN_LIFETIME]
[--bind-timeout BIND_TIMEOUT]
[--return-ref RETURN_REF]
[--check-aci CHECK_ACI]
[--bind-attempts BIND_ATTEMPTS]
[--size-limit SIZE_LIMIT]
[--time-limit TIME_LIMIT]
[--hop-limit HOP_LIMIT]
[--response-delay RESPONSE_DELAY]
[--test-response-delay TEST_RESPONSE_DELAY]
[--use-starttls USE_STARTTLS]
[--suffix SUFFIX]
[--server-url SERVER_URL]
[--bind-mech BIND_MECH]
[--bind-dn BIND_DN]
[--bind-pw BIND_PW]
CHAIN_NAME

CHAIN_NAME
    The name of the database link

--conn-bind-limit CONN_BIND_LIMIT
    Sets the maximum number of BIND connections the database link establishes
    with the remote server

--conn-op-limit CONN_OP_LIMIT
    Sets the maximum number of LDAP connections the database link establishes
    with the remote server

--abandon-check-interval ABANDON_CHECK_INTERVAL
    Sets the number of seconds that pass before the server checks for abandoned
    operations

--bind-limit BIND_LIMIT
    Sets the maximum number of concurrent bind operations per TCP connection

--op-limit OP_LIMIT
    Sets the maximum number of concurrent operations allowed

--proxied-auth PROXIED_AUTH
    Enables or disables proxied authorization. If set to "off", the server
    executes bind for chained operations as the user set in the
    nsMultiplexorBindDn attribute.

--conn-lifetime CONN_LIFETIME
    Specifies connection lifetime in seconds. "0" keeps the connection open
    forever.

--bind-timeout BIND_TIMEOUT
    Sets the amount of time in seconds before a bind attempt times out

--return-ref RETURN_REF
    Enables or disables whether referrals are returned by scoped searches

--check-aci CHECK_ACI
    Enables or disables whether the server evaluates ACIs on the database link
    as well as the remote data server

--bind-attempts BIND_ATTEMPTS
    Sets the number of times the server tries to bind to the remote server

--size-limit SIZE_LIMIT
    Sets the maximum number of entries to return from a search operation

--time-limit TIME_LIMIT
    Sets the maximum number of seconds allowed for an operation

--hop-limit HOP_LIMIT
    Sets the maximum number of times a database is allowed to chain. That is
    the number of times a request can be forwarded from one database link to
    another.

--response-delay RESPONSE_DELAY
    Sets the maximum amount of time it can take a remote server to respond to
    an LDAP operation request made by a database link before an error is
    suspected

--test-response-delay TEST_RESPONSE_DELAY
    Sets the duration of the test issued by the database link to check whether
    the remote server is responding

--use-starttls USE_STARTTLS
    Configures database links to use StartTLS if set to "on"

--suffix SUFFIX
    Sets the suffix managed by the database link

--server-url SERVER_URL
    Sets the LDAP/LDAPS URL to the remote server

--bind-mech BIND_MECH
    Sets the authentication method to use to authenticate to the remote server.
    Valid values: "SIMPLE" (default), "EXTERNAL", "DIGEST-MD5", or "GSSAPI"

--bind-dn BIND_DN
    Sets the DN of the administrative entry used to communicate with the remote
    server

--bind-pw BIND_PW
    Sets the password of the administrative user

usage: dsconf instance chaining link-delete [-h] CHAIN_NAME

CHAIN_NAME
    The name of the database link

usage: dsconf instance chaining monitor [-h] CHAIN_NAME

CHAIN_NAME
    The name of the database link

usage: dsconf instance chaining link-list [-h]

usage: dsconf instance config [-h] {get,add,replace,delete} ...

Sub-commands

get
add
    Add attribute value to configuration
replace
    Replace attribute value in configuration
delete
    Delete attribute value in configuration

usage: dsconf instance config get [-h] [attrs ...]

attrs
    Configuration attribute(s) to get

usage: dsconf instance config add [-h] [attr ...]

attr
    Configuration attribute to add

usage: dsconf instance config replace [-h] [attr ...]

attr
    Configuration attribute to replace

usage: dsconf instance config delete [-h] [attr ...]

attr
    Configuration attribute to delete

usage: dsconf instance directory_manager [-h] {password_change} ...

Sub-commands

password_change
    Changes the password of the Directory Manager account

usage: dsconf instance directory_manager password_change [-h]

usage: dsconf instance monitor [-h]
{server,dbmon,ldbm,backend,snmp,chaining,disk}
...

Sub-commands

server
    Displays the server statistics, connections, and operations
dbmon
    Monitor all database statistics in a single report
ldbm
    Monitor the LDBM statistics, such as dbcache
backend
    Monitor the behavior of a backend database
snmp
    Displays the SNMP statistics
chaining
    Monitor database chaining statistics
disk
    Displays the disk space statistics. All values are in bytes.

usage: dsconf instance monitor server [-h]

usage: dsconf instance monitor dbmon [-h] [-b BACKENDS] [-x]

-b BACKENDS
    Specifies a list of space-separated backends to monitor. Default is all
    backends.

-x
    Shows index stats for each backend

usage: dsconf instance monitor ldbm [-h]

usage: dsconf instance monitor backend [-h] [backend]

backend
    The optional name of the backend to monitor

usage: dsconf instance monitor snmp [-h]

usage: dsconf instance monitor chaining [-h] [backend]

backend
    The optional name of the chaining backend to monitor

usage: dsconf instance monitor disk [-h]

usage: dsconf instance plugin [-h]
{memberof,automember,referential-integrity,root-dn,usn,account-policy,attr-uniq,dna,linked-attr,managed-entries,pass-through-auth,retro-changelog,posix-winsync,contentsync,entryuuid,list,show,set}
...

Sub-commands

memberof
    Manage and configure MemberOf plugin
automember
    Manage and configure Automembership plugin
referential-integrity
    Manage and configure Referential Integrity Postoperation plugin
root-dn
    Manage and configure RootDN Access Control plugin
usn
    Manage and configure USN plugin
account-policy
    Manage and configure Account Policy plugin
attr-uniq
    Manage and configure Attribute Uniqueness plugin
dna
    Manage and configure DNA plugin
linked-attr
    Manage and configure Linked Attributes plugin
managed-entries
    Manage and configure Managed Entries Plugin
pass-through-auth
    Manage and configure Pass-Through Authentication plugins (URLs and PAM)
retro-changelog
    Manage and configure Retro Changelog plugin
posix-winsync
    Manage and configure the Posix Winsync API plugin
contentsync
    Manage and configure Content Sync Plugin (aka syncrepl)
entryuuid
    Manage and configure EntryUUID plugin
list
    List current configured (enabled and disabled) plugins
show
    Show the plugin data
set
    Edit the plugin settings

usage: dsconf instance plugin memberof [-h]
{show,enable,disable,status,set,config-entry,fixup,fixup-status}
...

Sub-commands

show
    Displays the plugin configuration
enable
    Enables the plugin
disable
    Disables the plugin
status
    Displays the plugin status
set
    Edit the plugin settings
config-entry
    Manage the config entry
fixup
    Run the fix-up task for memberOf plugin
fixup-status
    Check the status of a fix-up task

usage: dsconf instance plugin memberof show [-h]

usage: dsconf instance plugin memberof enable [-h]

usage: dsconf instance plugin memberof disable [-h]

usage: dsconf instance plugin memberof status [-h]

usage: dsconf instance plugin memberof set [-h] [--attr ATTR]
[--groupattr GROUPATTR [GROUPATTR ...]]
[--allbackends {on,off}]
[--skipnested {on,off}]
[--scope SCOPE [SCOPE ...]]
[--exclude EXCLUDE [EXCLUDE ...]]
[--autoaddoc AUTOADDOC]
[--config-entry CONFIG_ENTRY]

--attr ATTR
    Specifies the attribute in the user entry for the Directory Server to
    manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]
    Specifies the attribute in the group entry to use to identify the DNs of
    group members (memberOfGroupAttr)

--allbackends {on,off}
    Specifies whether to search the local suffix for user entries on all
    available suffixes (memberOfAllBackends)

--skipnested {on,off}
    Specifies whether to skip nested groups or not (memberOfSkipNested)

--scope SCOPE [SCOPE ...]
    Specifies backends or multiple-nested suffixes for the MemberOf plug-in to
    work on (memberOfEntryScope)

--exclude EXCLUDE [EXCLUDE ...]
    Specifies backends or multiple-nested suffixes for the MemberOf plug-in to
    exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC
    If an entry does not have an object class that allows the memberOf
    attribute then the memberOf plugin will automatically add the object class
    listed in the memberOfAutoAddOC parameter

--config-entry CONFIG_ENTRY
    The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin memberof config-entry [-h]
{add,set,show,delete} ...

Sub-commands

add
    Add the config entry
set
    Edit the config entry
show
    Display the config entry
delete
    Delete the config entry

usage: dsconf instance plugin memberof config-entry add [-h] [--attr ATTR]
[--groupattr GROUPATTR [GROUPATTR ...]]
[--allbackends {on,off}]
[--skipnested {on,off}]
[--scope SCOPE [SCOPE ...]]
[--exclude EXCLUDE [EXCLUDE ...]]
[--autoaddoc AUTOADDOC]
DN

DN
    The config entry full DN

--attr ATTR
    Specifies the attribute in the user entry for the Directory Server to
    manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]
    Specifies the attribute in the group entry to use to identify the DNs of
    group members (memberOfGroupAttr)

--allbackends {on,off}
    Specifies whether to search the local suffix for user entries on all
    available suffixes (memberOfAllBackends)

--skipnested {on,off}
    Specifies whether to skip nested groups or not (memberOfSkipNested)

--scope SCOPE [SCOPE ...]
    Specifies backends or multiple-nested suffixes for the MemberOf plug-in to
    work on (memberOfEntryScope)

--exclude EXCLUDE [EXCLUDE ...]
    Specifies backends or multiple-nested suffixes for the MemberOf plug-in to
    exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC
    If an entry does not have an object class that allows the memberOf
    attribute then the memberOf plugin will automatically add the object class
    listed in the memberOfAutoAddOC parameter

usage: dsconf instance plugin memberof config-entry set [-h] [--attr ATTR]
[--groupattr GROUPATTR [GROUPATTR ...]]
[--allbackends {on,off}]
[--skipnested {on,off}]
[--scope SCOPE [SCOPE ...]]
[--exclude EXCLUDE [EXCLUDE ...]]
[--autoaddoc AUTOADDOC]
DN

DN
    The config entry full DN

--attr ATTR
    Specifies the attribute in the user entry for the Directory Server to
    manage to reflect group membership (memberOfAttr)

--groupattr GROUPATTR [GROUPATTR ...]
    Specifies the attribute in the group entry to use to identify the DNs of
    group members (memberOfGroupAttr)

--allbackends {on,off}
    Specifies whether to search the local suffix for user entries on all
    available suffixes (memberOfAllBackends)

--skipnested {on,off}
    Specifies whether to skip nested groups or not (memberOfSkipNested)

--scope SCOPE [SCOPE ...]
    Specifies backends or multiple-nested suffixes for the MemberOf plug-in to
    work on (memberOfEntryScope)

--exclude EXCLUDE [EXCLUDE ...]
    Specifies backends or multiple-nested suffixes for the MemberOf plug-in to
    exclude (memberOfEntryScopeExcludeSubtree)

--autoaddoc AUTOADDOC
    If an entry does not have an object class that allows the memberOf
    attribute then the memberOf plugin will automatically add the object class
    listed in the memberOfAutoAddOC parameter

usage: dsconf instance plugin memberof config-entry show [-h] DN

The config entry full DN

usage: dsconf instance plugin memberof config-entry delete [-h] DN

The config entry full DN

usage: dsconf instance plugin memberof fixup [-h] [-f FILTER] [--wait] DN

Base DN that contains entries to fix up

Filter for entries to fix up. If omitted, all entries with objectclass
inetuser/inetadmin/nsmemberof under the specified base will have their
memberOf attribute regenerated.

Wait for the task to finish; this could take a long time

usage: dsconf instance plugin memberof fixup-status [-h] [--dn DN]
[--show-log] [--watch]

The task entry's DN

Display the task log

Watch the task's status and wait for it to finish

usage: dsconf instance plugin automember [-h]
{show,enable,disable,status,list,definition,fixup,fixup-status,abort-fixup}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
List Automembership definitions or regex rules.
Manage Automembership definition.
Run a rebuild membership task.
Check the status of a fix-up task
Abort the rebuild membership task.

usage: dsconf instance plugin automember show [-h]

usage: dsconf instance plugin automember enable [-h]

usage: dsconf instance plugin automember disable [-h]

usage: dsconf instance plugin automember status [-h]

usage: dsconf instance plugin automember list [-h] {definitions,regexes} ...

Sub-commands

Lists Automembership definitions.
List Automembership regex rules.

usage: dsconf instance plugin automember list definitions [-h]

usage: dsconf instance plugin automember list regexes [-h] DEFNAME

The definition entry CN

usage: dsconf instance plugin automember definition [-h]
DEFNAME
{add,set,delete,show,regex}
...

The definition entry CN.

Sub-commands

Creates Automembership definition.
Edits Automembership definition.
Removes Automembership definition.
Displays Automembership definition.
Manage Automembership regex rules.

usage: dsconf instance plugin automember definition DEFNAME add
[-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
--scope SCOPE --filter FILTER

Specifies the name of the member attribute in the group entry and the
attribute in the object entry that supplies the member attribute value, in the
format group_member_attr:entry_attr (autoMemberGroupingAttr)

Sets default or fallback group to add the entry to as a member attribute in
group entry (autoMemberDefaultGroup)

Sets the subtree DN to search for entries (autoMemberScope)

Sets a standard LDAP search filter to use to search for matching entries
(autoMemberFilter)

usage: dsconf instance plugin automember definition DEFNAME set
[-h] --grouping-attr GROUPING_ATTR [--default-group DEFAULT_GROUP]
--scope SCOPE --filter FILTER

Specifies the name of the member attribute in the group entry and the
attribute in the object entry that supplies the member attribute value, in the
format group_member_attr:entry_attr (autoMemberGroupingAttr)

Sets default or fallback group to add the entry to as a member attribute in
group entry (autoMemberDefaultGroup)

Sets the subtree DN to search for entries (autoMemberScope)

Sets a standard LDAP search filter to use to search for matching entries
(autoMemberFilter)

usage: dsconf instance plugin automember definition DEFNAME delete [-h]

usage: dsconf instance plugin automember definition DEFNAME show [-h]

usage: dsconf instance plugin automember definition DEFNAME regex
[-h] REGEXNAME {add,set,delete,show} ...

The regex entry CN

Sub-commands

Creates Automembership regex.
Edits Automembership regex.
Removes Automembership regex.
Displays Automembership regex.

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME add
[-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
[--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP

Sets a single regular expression to use to identify entries to exclude
(autoMemberExclusiveRegex)

Sets a single regular expression to use to identify entries to include
(autoMemberInclusiveRegex)

Sets which group to add the entry to as a member, if it meets the regular
expression conditions (autoMemberTargetGroup)

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME set
[-h] [--exclusive EXCLUSIVE [EXCLUSIVE ...]]
[--inclusive INCLUSIVE [INCLUSIVE ...]] --target-group TARGET_GROUP

Sets a single regular expression to use to identify entries to exclude
(autoMemberExclusiveRegex)

Sets a single regular expression to use to identify entries to include
(autoMemberInclusiveRegex)

Sets which group to add the entry to as a member, if it meets the regular
expression conditions (autoMemberTargetGroup)

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME delete
[-h]

usage: dsconf instance plugin automember definition DEFNAME regex REGEXNAME show
[-h]

usage: dsconf instance plugin automember fixup [-h] -f FILTER -s
{sub,base,one} [--wait]
DN

Base DN that contains entries to fix up

Sets the LDAP filter for entries to fix up

Sets the LDAP search scope for entries to fix up

Wait for the task to finish; this could take a long time

usage: dsconf instance plugin automember fixup-status [-h] [--dn DN]
[--show-log] [--watch]

The task entry's DN

Display the task log

Watch the task's status and wait for it to finish

usage: dsconf instance plugin automember abort-fixup [-h]

usage: dsconf instance plugin referential-integrity [-h]
{show,enable,disable,status,set,config-entry}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin settings
Manage the config entry

usage: dsconf instance plugin referential-integrity show [-h]

usage: dsconf instance plugin referential-integrity enable [-h]

usage: dsconf instance plugin referential-integrity disable [-h]

usage: dsconf instance plugin referential-integrity status [-h]

usage: dsconf instance plugin referential-integrity set [-h]
[--update-delay UPDATE_DELAY]
[--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
[--entry-scope ENTRY_SCOPE]
[--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
[--container-scope CONTAINER_SCOPE]
[--log-file LOG_FILE]
[--config-entry CONFIG_ENTRY]

Sets the update interval. Special values: 0 - The check is performed
immediately, -1 - No check is performed (referint-update-delay)

Specifies attributes to check for and update (referint-membership-attr)

Defines the subtree in which the plug-in looks for the delete or rename
operations of a user entry (nsslapd-pluginEntryScope)

Defines the subtree in which the plug-in ignores any operations for deleting
or renaming a user (nsslapd-pluginExcludeEntryScope)

Specifies which branch the plug-in searches for the groups to which the user
belongs. It only updates groups that are under the specified container branch,
and leaves all other groups not updated (nsslapd-pluginContainerScope)

Specifies a path to the Referential integrity logfile. For example:
/var/log/dirsrv/slapd-YOUR_INSTANCE/referint

The value to set as nsslapd-pluginConfigArea

usage: dsconf instance plugin referential-integrity config-entry
[-h] {add,set,show,delete} ...

Sub-commands

Add the config entry
Edit the config entry
Display the config entry
Delete the config entry

usage: dsconf instance plugin referential-integrity config-entry add
[-h] [--update-delay UPDATE_DELAY]
[--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
[--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
[--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
DN

The config entry full DN

Sets the update interval. Special values: 0 - The check is performed
immediately, -1 - No check is performed (referint-update-delay)

Specifies attributes to check for and update (referint-membership-attr)

Defines the subtree in which the plug-in looks for the delete or rename
operations of a user entry (nsslapd-pluginEntryScope)

Defines the subtree in which the plug-in ignores any operations for deleting
or renaming a user (nsslapd-pluginExcludeEntryScope)

Specifies which branch the plug-in searches for the groups to which the user
belongs. It only updates groups that are under the specified container branch,
and leaves all other groups not updated (nsslapd-pluginContainerScope)

Specifies a path to the Referential integrity logfile. For example:
/var/log/dirsrv/slapd-YOUR_INSTANCE/referint

usage: dsconf instance plugin referential-integrity config-entry set
[-h] [--update-delay UPDATE_DELAY]
[--membership-attr MEMBERSHIP_ATTR [MEMBERSHIP_ATTR ...]]
[--entry-scope ENTRY_SCOPE] [--exclude-entry-scope EXCLUDE_ENTRY_SCOPE]
[--container-scope CONTAINER_SCOPE] [--log-file LOG_FILE]
DN

The config entry full DN

Sets the update interval. Special values: 0 - The check is performed
immediately, -1 - No check is performed (referint-update-delay)

Specifies attributes to check for and update (referint-membership-attr)

Defines the subtree in which the plug-in looks for the delete or rename
operations of a user entry (nsslapd-pluginEntryScope)

Defines the subtree in which the plug-in ignores any operations for deleting
or renaming a user (nsslapd-pluginExcludeEntryScope)

Specifies which branch the plug-in searches for the groups to which the user
belongs. It only updates groups that are under the specified container branch,
and leaves all other groups not updated (nsslapd-pluginContainerScope)

Specifies a path to the Referential integrity logfile. For example:
/var/log/dirsrv/slapd-YOUR_INSTANCE/referint

usage: dsconf instance plugin referential-integrity config-entry show [-h] DN

The config entry full DN

usage: dsconf instance plugin referential-integrity config-entry delete
[-h] DN

The config entry full DN

usage: dsconf instance plugin root-dn [-h]
{show,enable,disable,status,set} ...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin settings

usage: dsconf instance plugin root-dn show [-h]

usage: dsconf instance plugin root-dn enable [-h]

usage: dsconf instance plugin root-dn disable [-h]

usage: dsconf instance plugin root-dn status [-h]

usage: dsconf instance plugin root-dn set [-h]
[--allow-host ALLOW_HOST [ALLOW_HOST ...]]
[--deny-host DENY_HOST [DENY_HOST ...]]
[--allow-ip ALLOW_IP [ALLOW_IP ...]]
[--deny-ip DENY_IP [DENY_IP ...]]
[--open-time OPEN_TIME]
[--close-time CLOSE_TIME]
[--days-allowed DAYS_ALLOWED]

Sets what hosts, by fully-qualified domain name, the root user is allowed to
use to access Directory Server. Any hosts not listed are implicitly denied
(rootdn-allow-host)

Sets what hosts, by fully-qualified domain name, the root user is not allowed
to use to access Directory Server. Any hosts not listed are implicitly allowed
(rootdn-deny-host). If a host address is listed in both the rootdn-allow-host
and rootdn-deny-host attributes, it is denied access.

Sets what IP addresses, either IPv4 or IPv6, for machines the root user is
allowed to use to access Directory Server. Any IP addresses not listed are
implicitly denied (rootdn-allow-ip)

Sets what IP addresses, either IPv4 or IPv6, for machines the root user is not
allowed to use to access Directory Server. Any IP addresses not listed are
implicitly allowed (rootdn-deny-ip). If an IP address is listed in both the
rootdn-allow-ip and rootdn-deny-ip attributes, it is denied access.

Sets part of a time period or range when the root user is allowed to access
Directory Server. This sets when the time-based access begins
(rootdn-open-time)

Sets part of a time period or range when the root user is allowed to access
Directory Server. This sets when the time-based access ends
(rootdn-close-time)

Sets a comma-separated list of what days the root user is allowed to use to
access Directory Server. Any days listed are implicitly denied
(rootdn-days-allowed)
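
The allow/deny precedence and time window of "root-dn set", modelled as an added example (not part of this manual page and not the plug-in's own code), to check a planned policy against the places administrators bind from before applying it. Assumptions: times are "HHMM" strings, days are three-letter names and the listed days are the permitted ones, "*" is a wildcard in host and IP values, every configured check must pass, and all addresses and host names are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # datetime.weekday() order


@dataclass
class RootDnPolicy:
    """One field per `root-dn set` option; the value formats are assumptions."""
    allow_host: List[str] = field(default_factory=list)
    deny_host: List[str] = field(default_factory=list)
    allow_ip: List[str] = field(default_factory=list)
    deny_ip: List[str] = field(default_factory=list)
    open_time: Optional[str] = None      # "HHMM", 24-hour clock
    close_time: Optional[str] = None     # "HHMM", 24-hour clock
    days_allowed: Optional[str] = None   # e.g. "Mon, Tue, Wed"


def _listed(value: str, patterns: List[str]) -> bool:
    """Case-insensitive match; '*' in a pattern is treated as a wildcard."""
    return any(fnmatchcase(value.lower(), p.lower()) for p in patterns)


def _check_lists(kind: str, value: Optional[str],
                 allow: List[str], deny: List[str]) -> Optional[str]:
    """Return a denial reason, or None when the allow/deny pair permits value."""
    if value is not None and _listed(value, deny):
        return f"{kind} {value} is on the deny list"        # deny beats allow
    if allow and (value is None or not _listed(value, allow)):
        return f"{kind} {value} is not on the allow list"   # implicit deny
    return None


def evaluate(policy: RootDnPolicy, ip: str, host: Optional[str],
             when: datetime) -> Tuple[bool, str]:
    """Decide one root bind. host is None when the client name is unknown."""
    # This model treats a half-configured time window as a configuration error.
    if (policy.open_time is None) != (policy.close_time is None):
        raise ValueError("open_time and close_time must be set together")
    if policy.days_allowed:
        # Model assumption: the days named in the list are the permitted days.
        allowed = {d.strip().lower() for d in policy.days_allowed.split(",")}
        today = DAYS[when.weekday()]
        if today.lower() not in allowed:
            return False, f"{today} is not in days-allowed"
    if policy.open_time is not None:
        now = when.strftime("%H%M")
        if not (policy.open_time <= now <= policy.close_time):
            return False, f"{now} is outside {policy.open_time}-{policy.close_time}"
    for kind, value, allow, deny in (
        ("ip", ip, policy.allow_ip, policy.deny_ip),
        ("host", host, policy.allow_host, policy.deny_host),
    ):
        reason = _check_lists(kind, value, allow, deny)
        if reason:
            return False, reason
    return True, "allowed"


def lockouts(policy: RootDnPolicy, probes) -> List[Tuple[str, str]]:
    """Return (label, reason) for every probe the policy would deny."""
    denied = []
    for label, ip, host, when in probes:
        ok, reason = evaluate(policy, ip, host, when)
        if not ok:
            denied.append((label, reason))
    return denied


# Constructed policy and probes (documentation address ranges, example.com names).
POLICY = RootDnPolicy(
    allow_ip=["192.0.2.*", "::1"],
    deny_ip=["192.0.2.66"],               # also covered by the allow pattern
    allow_host=["*.admin.example.com"],
    open_time="0800",
    close_time="1800",
    days_allowed="Mon, Tue, Wed, Thu, Fri",
)
WED = datetime(2024, 1, 10, 9, 30)        # a Wednesday, inside the window
PROBES = [
    ("jump host, weekday", "192.0.2.10", "jump1.admin.example.com", WED),
    ("listed in allow and deny", "192.0.2.66", "jump2.admin.example.com", WED),
    ("jump host, Saturday", "192.0.2.10", "jump1.admin.example.com",
     datetime(2024, 1, 13, 9, 30)),
    ("jump host, after close", "192.0.2.10", "jump1.admin.example.com",
     datetime(2024, 1, 10, 18, 30)),
    ("client name unknown", "192.0.2.11", None, WED),
    ("outside allowed network", "198.51.100.7", "jump1.admin.example.com", WED),
]

if __name__ == "__main__":
    for label, reason in lockouts(POLICY, PROBES):
        print(f"DENIED  {label}: {reason}")
```

Because an allow list denies everything it does not name, adding the first allow-host or allow-ip value can lock out every other administrative path, including the one used to make the change.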

usage: dsconf instance plugin usn [-h]
{show,enable,disable,status,global,cleanup}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Get or manage global USN mode (nsslapd-entryusn-global)
Runs the USN tombstone cleanup task

usage: dsconf instance plugin usn show [-h]

usage: dsconf instance plugin usn enable [-h]

usage: dsconf instance plugin usn disable [-h]

usage: dsconf instance plugin usn status [-h]

usage: dsconf instance plugin usn global [-h] {on,off} ...

Sub-commands

Enables USN global mode
Disables USN global mode

usage: dsconf instance plugin usn global on [-h]

usage: dsconf instance plugin usn global off [-h]

usage: dsconf instance plugin usn cleanup [-h] (-s SUFFIX | -n BACKEND)
[-m MAX_USN]

Sets the suffix or subtree in Directory Server to run the cleanup operation
against. If the suffix is not specified, then the back end must be specified
(suffix).

Sets the Directory Server instance back end, or database, to run the cleanup
operation against. If the back end is not specified, then the suffix must be
specified. Backend instance in which USN tombstone entries (backend)

Sets the highest USN value to delete when removing tombstone entries
(max_usn_to_delete)

usage: dsconf instance plugin account-policy [-h]
{show,enable,disable,status,set,config-entry}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin settings
Manage the config entry

usage: dsconf instance plugin account-policy show [-h]

usage: dsconf instance plugin account-policy enable [-h]

usage: dsconf instance plugin account-policy disable [-h]

usage: dsconf instance plugin account-policy status [-h]

usage: dsconf instance plugin account-policy set [-h]
[--config-entry CONFIG_ENTRY]

Sets the nsslapd-pluginConfigArea attribute

usage: dsconf instance plugin account-policy config-entry [-h]
{add,set,show,delete}
...

Sub-commands

Add the config entry
Edit the config entry
Display the config entry
Delete the config entry

usage: dsconf instance plugin account-policy config-entry add
[-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
[--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
[--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
[--state-attr STATE_ATTR]
DN

The full DN of the config entry

Sets that every entry records its last login time (alwaysRecordLogin)

Provides a backup attribute for the server to reference to evaluate the
expiration time (altStateAttrName)

Specifies the attribute in the user's directory entry that stores the time of
the last successful login (alwaysRecordLoginAttr)

Specifies the attribute within the policy to use for the account inactivation
limit (limitAttrName)

Specifies the attribute to identify which entries are account policy
configuration entries (specAttrName)

Specifies the primary time attribute used to evaluate an account policy
(stateAttrName)

usage: dsconf instance plugin account-policy config-entry set
[-h] [--always-record-login {yes,no}] [--alt-state-attr ALT_STATE_ATTR]
[--always-record-login-attr ALWAYS_RECORD_LOGIN_ATTR]
[--limit-attr LIMIT_ATTR] [--spec-attr SPEC_ATTR]
[--state-attr STATE_ATTR]
DN

The full DN of the config entry

Sets that every entry records its last login time (alwaysRecordLogin)

Provides a backup attribute for the server to reference to evaluate the
expiration time (altStateAttrName)

Specifies the attribute in the user's directory entry that stores the time of
the last successful login (alwaysRecordLoginAttr)

Specifies the attribute within the policy to use for the account inactivation
limit (limitAttrName)

Specifies the attribute to identify which entries are account policy
configuration entries (specAttrName)

Specifies the primary time attribute used to evaluate an account policy
(stateAttrName)

usage: dsconf instance plugin account-policy config-entry show [-h] DN

The full DN of the config entry

usage: dsconf instance plugin account-policy config-entry delete [-h] DN

The full DN of the config entry

usage: dsconf instance plugin attr-uniq [-h]
{list,add,set,show,delete,enable,disable,status}
...

Sub-commands

Lists available plugin configs
Add the config entry
Edit the config entry
Display the config entry
Delete the config entry
enable plugin
disable plugin
display plugin status

usage: dsconf instance plugin attr-uniq list [-h]

usage: dsconf instance plugin attr-uniq add [-h] [--enabled {on,off}]
[--attr-name ATTR_NAME [ATTR_NAME ...]]
[--subtree SUBTREE [SUBTREE ...]]
[--across-all-subtrees {on,off}]
[--top-entry-oc TOP_ENTRY_OC]
[--subtree-entries-oc SUBTREE_ENTRIES_OC]
NAME

NAME
The name of the plug-in configuration record. (cn) You can use any string, but
"attribute_name Attribute Uniqueness" is recommended.

Identifies whether or not the config is enabled.

Sets the name of the attribute whose values must be unique. This attribute is
multi-valued. (uniqueness-attribute-name)

Sets the DN under which the plug-in checks for uniqueness of the attribute's
value. This attribute is multi-valued (uniqueness-subtrees)

If enabled (on), the plug-in checks that the attribute is unique across all
subtrees set. If you set the attribute to off, uniqueness is only enforced
within the subtree of the updated entry (uniqueness-across-all-subtrees)

Verifies that the value of the attribute set in uniqueness-attribute-name is
unique in this subtree (uniqueness-top-entry-oc)

Verifies if an attribute is unique, if the entry contains the object class set
in this parameter (uniqueness-subtree-entries-oc)

usage: dsconf instance plugin attr-uniq set [-h] [--enabled {on,off}]
[--attr-name ATTR_NAME [ATTR_NAME ...]]
[--subtree SUBTREE [SUBTREE ...]]
[--across-all-subtrees {on,off}]
[--top-entry-oc TOP_ENTRY_OC]
[--subtree-entries-oc SUBTREE_ENTRIES_OC]
NAME

NAME
The name of the plug-in configuration record. (cn) You can use any string, but
"attribute_name Attribute Uniqueness" is recommended.

Identifies whether or not the config is enabled.

Sets the name of the attribute whose values must be unique. This attribute is
multi-valued. (uniqueness-attribute-name)

Sets the DN under which the plug-in checks for uniqueness of the attribute's
value. This attribute is multi-valued (uniqueness-subtrees)

If enabled (on), the plug-in checks that the attribute is unique across all
subtrees set. If you set the attribute to off, uniqueness is only enforced
within the subtree of the updated entry (uniqueness-across-all-subtrees)

Verifies that the value of the attribute set in uniqueness-attribute-name is
unique in this subtree (uniqueness-top-entry-oc)

Verifies if an attribute is unique, if the entry contains the object class set
in this parameter (uniqueness-subtree-entries-oc)

usage: dsconf instance plugin attr-uniq show [-h] NAME

NAME
The name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq delete [-h] NAME

NAME
The name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq enable [-h] NAME

NAME
The name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq disable [-h] NAME

NAME
The name of the plug-in configuration record

usage: dsconf instance plugin attr-uniq status [-h] NAME

NAME
The name of the plug-in configuration record

usage: dsconf instance plugin dna [-h]
{show,enable,disable,status,list,config} ...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
List available plugin configs
Manage plugin configs

usage: dsconf instance plugin dna show [-h]

usage: dsconf instance plugin dna enable [-h]

usage: dsconf instance plugin dna disable [-h]

usage: dsconf instance plugin dna status [-h]

usage: dsconf instance plugin dna list [-h] {configs,shared-configs} ...

Sub-commands

List main DNA plugin config entries
List DNA plugin shared config entries

usage: dsconf instance plugin dna list configs [-h]

usage: dsconf instance plugin dna list shared-configs [-h] BASEDN

The search DN

usage: dsconf instance plugin dna config [-h]
NAME
{add,set,show,delete,shared-config-entry}
...

NAME
The DNA configuration name

Sub-commands

Add the config entry
Edit the config entry
Display the config entry
Delete the config entry
Manage the shared config entry

usage: dsconf instance plugin dna config NAME add [-h]
[--type TYPE [TYPE ...]]
[--prefix PREFIX]
[--next-value NEXT_VALUE]
[--max-value MAX_VALUE]
[--interval INTERVAL]
[--magic-regen MAGIC_REGEN]
[--filter FILTER]
[--scope SCOPE]
[--remote-bind-dn REMOTE_BIND_DN]
[--remote-bind-cred REMOTE_BIND_CRED]
[--shared-config-entry SHARED_CONFIG_ENTRY]
[--threshold THRESHOLD]
[--next-range NEXT_RANGE]
[--range-request-timeout RANGE_REQUEST_TIMEOUT]

Sets which attributes have unique numbers being generated for them (dnaType)

Defines a prefix that can be prepended to the generated number values for the
attribute (dnaPrefix)

Sets the next available number which can be assigned (dnaNextValue)

Sets the maximum value that can be assigned for the range (dnaMaxValue)

Sets an interval to use to increment through numbers in a range (dnaInterval)

Sets a user-defined value that instructs the plug-in to assign a new value for
the entry (dnaMagicRegen)

Sets an LDAP filter to use to search for and identify the entries to which to
apply the distributed numeric assignment range (dnaFilter)

Sets the base DN to search for entries to which to apply the distributed
numeric assignment (dnaScope)

Specifies the Replication Manager DN (dnaRemoteBindDN)

Specifies the Replication Manager's password (dnaRemoteBindCred)

Defines a shared identity that the servers can use to transfer ranges to one
another (dnaSharedCfgDN)

Sets a threshold of remaining available numbers in the range. When the server
hits the threshold, it sends a request for a new range (dnaThreshold)

Defines the next range to use when the current range is exhausted
(dnaNextRange)

Sets a timeout period, in seconds, for range requests so that the server does
not stall waiting on a new range from one server and can request a range from
a new server (dnaRangeRequestTimeout)

usage: dsconf instance plugin dna config NAME set [-h]
[--type TYPE [TYPE ...]]
[--prefix PREFIX]
[--next-value NEXT_VALUE]
[--max-value MAX_VALUE]
[--interval INTERVAL]
[--magic-regen MAGIC_REGEN]
[--filter FILTER]
[--scope SCOPE]
[--remote-bind-dn REMOTE_BIND_DN]
[--remote-bind-cred REMOTE_BIND_CRED]
[--shared-config-entry SHARED_CONFIG_ENTRY]
[--threshold THRESHOLD]
[--next-range NEXT_RANGE]
[--range-request-timeout RANGE_REQUEST_TIMEOUT]

Sets which attributes have unique numbers being generated for them (dnaType)

Defines a prefix that can be prepended to the generated number values for the
attribute (dnaPrefix)

Sets the next available number which can be assigned (dnaNextValue)

Sets the maximum value that can be assigned for the range (dnaMaxValue)

Sets an interval to use to increment through numbers in a range (dnaInterval)

Sets a user-defined value that instructs the plug-in to assign a new value for
the entry (dnaMagicRegen)

Sets an LDAP filter to use to search for and identify the entries to which to
apply the distributed numeric assignment range (dnaFilter)

Sets the base DN to search for entries to which to apply the distributed
numeric assignment (dnaScope)

Specifies the Replication Manager DN (dnaRemoteBindDN)

Specifies the Replication Manager's password (dnaRemoteBindCred)

Defines a shared identity that the servers can use to transfer ranges to one
another (dnaSharedCfgDN)

Sets a threshold of remaining available numbers in the range. When the server
hits the threshold, it sends a request for a new range (dnaThreshold)

Defines the next range to use when the current range is exhausted
(dnaNextRange)

Sets a timeout period, in seconds, for range requests so that the server does
not stall waiting on a new range from one server and can request a range from
a new server (dnaRangeRequestTimeout)

usage: dsconf instance plugin dna config NAME show [-h]

usage: dsconf instance plugin dna config NAME delete [-h]

usage: dsconf instance plugin dna config NAME shared-config-entry
[-h] SHARED_CFG {set,show,delete} ...

Use HOSTNAME:PORT for this argument to identify the host name and port of a
server in a shared range, as part of the DNA range configuration for that
specific host in multi-supplier replication. (dnaHostname+dnaPortNum)

Sub-commands

Edit the shared config entry
Display the shared config entry
Delete the shared config entry

usage: dsconf instance plugin dna config NAME shared-config-entry SHARED_CFG set
[-h] [--remote-bind-method REMOTE_BIND_METHOD]
[--remote-conn-protocol REMOTE_CONN_PROTOCOL]

Specifies the remote bind method "SIMPLE", "SSL" (for SSL client auth),
"SASL/GSSAPI", or "SASL/DIGEST-MD5" (dnaRemoteBindMethod)

Specifies the remote connection protocol "LDAP", or "TLS"
(dnaRemoteConnProtocol)

usage: dsconf instance plugin dna config NAME shared-config-entry SHARED_CFG show
[-h]

usage: dsconf instance plugin dna config NAME shared-config-entry SHARED_CFG delete
[-h]

usage: dsconf instance plugin linked-attr [-h]
{show,enable,disable,status,fixup,fixup-status,list,config}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Run the fix-up task for linked attributes plugin
Check the status of a fix-up task
List available plugin configs
Manage plugin configs

usage: dsconf instance plugin linked-attr show [-h]

usage: dsconf instance plugin linked-attr enable [-h]

usage: dsconf instance plugin linked-attr disable [-h]

usage: dsconf instance plugin linked-attr status [-h]

usage: dsconf instance plugin linked-attr fixup [-h] [-l LINKDN] [--wait]

Sets the base DN that contains entries to fix up

Wait for the task to finish; this could take a long time

usage: dsconf instance plugin linked-attr fixup-status [-h] [--dn DN]
[--show-log] [--watch]

The task entry's DN

Display the task log

Watch the task's status and wait for it to finish

usage: dsconf instance plugin linked-attr list [-h]

usage: dsconf instance plugin linked-attr config [-h]
NAME {add,set,show,delete}
...

NAME
The Linked Attributes configuration name

Sub-commands

Add the config entry
Edit the config entry
Display the config entry
Delete the config entry

usage: dsconf instance plugin linked-attr config NAME add [-h]
[--link-type LINK_TYPE]
[--managed-type MANAGED_TYPE]
[--link-scope LINK_SCOPE]

Sets the attribute that is managed manually by administrators (linkType)

Sets the attribute that is created dynamically by the plugin (managedType)

Sets the scope that restricts the plugin to a specific part of the directory
tree (linkScope)

usage: dsconf instance plugin linked-attr config NAME set [-h]
[--link-type LINK_TYPE]
[--managed-type MANAGED_TYPE]
[--link-scope LINK_SCOPE]

Sets the attribute that is managed manually by administrators (linkType)

Sets the attribute that is created dynamically by the plugin (managedType)

Sets the scope that restricts the plugin to a specific part of the directory
tree (linkScope)

usage: dsconf instance plugin linked-attr config NAME show [-h]

usage: dsconf instance plugin linked-attr config NAME delete [-h]

usage: dsconf instance plugin managed-entries [-h]
{show,enable,disable,status,set,list,config,template}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin settings
List Managed Entries Plugin configs and templates
Handle Managed Entries Plugin configs
Handle Managed Entries Plugin templates

usage: dsconf instance plugin managed-entries show [-h]

usage: dsconf instance plugin managed-entries enable [-h]

usage: dsconf instance plugin managed-entries disable [-h]

usage: dsconf instance plugin managed-entries status [-h]

usage: dsconf instance plugin managed-entries set [-h]
[--config-area CONFIG_AREA]

Sets the value of the nsslapd-pluginConfigArea attribute

usage: dsconf instance plugin managed-entries list [-h]
{configs,templates} ...

Sub-commands

List Managed Entries Plugin configs (list config-area if specified in the main plugin entry)
List Managed Entries Plugin templates in the directory

usage: dsconf instance plugin managed-entries list configs [-h]

usage: dsconf instance plugin managed-entries list templates [-h] [BASEDN]

The base DN where to search the templates

usage: dsconf instance plugin managed-entries config [-h]
NAME
{add,set,show,delete} ...

NAME
The config entry CN

Sub-commands

Add the config entry
Edit the config entry
Display the config entry
Delete the config entry

usage: dsconf instance plugin managed-entries config NAME add
[-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
[--managed-template MANAGED_TEMPLATE]

Sets the scope of the search to use to see which entries the plug-in monitors
(originScope)

Sets the search filter to use to search for and identify the entries within
the subtree which require a managed entry (originFilter)

Sets the subtree under which to create the managed entries (managedBase)

Identifies the template entry to use to create the managed entry
(managedTemplate)

usage: dsconf instance plugin managed-entries config NAME set
[-h] [--scope SCOPE] [--filter FILTER] [--managed-base MANAGED_BASE]
[--managed-template MANAGED_TEMPLATE]

Sets the scope of the search to use to see which entries the plug-in monitors
(originScope)

Sets the search filter to use to search for and identify the entries within
the subtree which require a managed entry (originFilter)

Sets the subtree under which to create the managed entries (managedBase)

Identifies the template entry to use to create the managed entry
(managedTemplate)

usage: dsconf instance plugin managed-entries config NAME show [-h]

usage: dsconf instance plugin managed-entries config NAME delete [-h]

usage: dsconf instance plugin managed-entries template [-h]
DN
{add,set,show,delete}
...

The template entry DN.

Sub-commands

Add the template entry
Edit the template entry
Display the template entry
Delete the template entry

usage: dsconf instance plugin managed-entries template DN add
[-h] [--rdn-attr RDN_ATTR]
[--static-attr STATIC_ATTR [STATIC_ATTR ...]]
[--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

Sets which attribute to use as the naming attribute in the automatically-
generated entry (mepRDNAttr)

Sets an attribute with a defined value that must be added to the
automatically-generated entry (mepStaticAttr)

Sets attributes in the Managed Entries template entry which must exist in the
generated entry (mepMappedAttr)

usage: dsconf instance plugin managed-entries template DN set
[-h] [--rdn-attr RDN_ATTR]
[--static-attr STATIC_ATTR [STATIC_ATTR ...]]
[--mapped-attr MAPPED_ATTR [MAPPED_ATTR ...]]

Sets which attribute to use as the naming attribute in the automatically-
generated entry (mepRDNAttr)

Sets an attribute with a defined value that must be added to the
automatically-generated entry (mepStaticAttr)

Sets attributes in the Managed Entries template entry which must exist in the
generated entry (mepMappedAttr)

usage: dsconf instance plugin managed-entries template DN show [-h]

usage: dsconf instance plugin managed-entries template DN delete [-h]

usage: dsconf instance plugin pass-through-auth [-h]
{show,enable,disable,status,list,url,pam-config}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
List pass-through plugin URLs or PAM configurations
Manage PTA URL configurations
Manage PAM PTA configurations.

usage: dsconf instance plugin pass-through-auth show [-h]

usage: dsconf instance plugin pass-through-auth enable [-h]

usage: dsconf instance plugin pass-through-auth disable [-h]

usage: dsconf instance plugin pass-through-auth status [-h]

usage: dsconf instance plugin pass-through-auth list [-h]
{urls,pam-configs} ...

Sub-commands

Lists URLs
Lists PAM configurations

usage: dsconf instance plugin pass-through-auth list urls [-h]

usage: dsconf instance plugin pass-through-auth list pam-configs [-h]

usage: dsconf instance plugin pass-through-auth url [-h]
{add,modify,delete} ...

Sub-commands

Add the config entry
Edit the config entry
Delete the config entry

usage: dsconf instance plugin pass-through-auth url add [-h] URL

The full LDAP URL in format "ldap|ldaps://authDS/subtree
maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional
parameter is specified, the rest should be specified too.

usage: dsconf instance plugin pass-through-auth url modify [-h]
OLD_URL NEW_URL

The full LDAP URL you get from the "list" command

Sets the full LDAP URL in format "ldap|ldaps://authDS/subtree
maxconns,maxops,timeout,ldver,connlifetime,startTLS". If one optional
parameter is specified, the rest should be specified too.

usage: dsconf instance plugin pass-through-auth url delete [-h] URL

The full LDAP URL you get from the "list" command
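
A pre-flight check for the URL argument described above, as an added example that is not part of dsconf or lib389. It assumes the subtree DN contains no spaces, that ldver is 2 or 3, and that startTLS is 0 or 1; those value ranges are not stated on this page, and the sample URLs are constructed.

```python
from urllib.parse import urlsplit

# Order of the optional parameters, as given in the option description above.
OPTIONAL_FIELDS = ("maxconns", "maxops", "timeout", "ldver",
                   "connlifetime", "startTLS")


def lint_pta_url(value):
    """Check one PTA URL argument; return (parsed, findings).

    parsed is None if the value is malformed. findings is a list of
    strings prefixed with ERROR or WARN.
    """
    tokens = value.split()
    if not 1 <= len(tokens) <= 2:
        return None, ["ERROR: expected 'URL' or 'URL PARAMS', got %d tokens"
                      % len(tokens)]

    findings = []
    url = urlsplit(tokens[0])
    subtree = url.path.lstrip("/")
    if url.scheme not in ("ldap", "ldaps"):
        findings.append("ERROR: scheme must be ldap or ldaps")
    if not url.hostname:
        findings.append("ERROR: authDS host is missing")
    if "=" not in subtree:
        findings.append("ERROR: subtree DN is missing or malformed")
    try:
        port = url.port
    except ValueError:
        port = None
        findings.append("ERROR: port is not a valid number")

    params = {}
    if len(tokens) == 2:
        raw = tokens[1].split(",")
        if len(raw) != len(OPTIONAL_FIELDS):
            # All-or-nothing rule from the option description.
            findings.append("ERROR: got %d optional parameters, need all %d: %s"
                            % (len(raw), len(OPTIONAL_FIELDS),
                               ",".join(OPTIONAL_FIELDS)))
        elif not all(item.isascii() and item.isdigit() for item in raw):
            findings.append("ERROR: optional parameters must be integers")
        else:
            params = dict(zip(OPTIONAL_FIELDS, (int(item) for item in raw)))
            if params["ldver"] not in (2, 3):        # assumed range
                findings.append("ERROR: ldver must be 2 or 3")
            if params["startTLS"] not in (0, 1):     # assumed range
                findings.append("ERROR: startTLS must be 0 or 1")

    if findings:
        return None, findings

    # The plug-in forwards the client's bind DN and password to authDS,
    # so an unencrypted hop exposes credentials on the wire.
    if url.scheme == "ldap" and params.get("startTLS") != 1:
        findings.append("WARN: ldap:// without startTLS=1 sends bind "
                        "credentials to authDS unencrypted")

    parsed = {"scheme": url.scheme, "host": url.hostname, "port": port,
              "subtree": subtree, "params": params}
    return parsed, findings


# Constructed sample values, not taken from a real deployment.
SAMPLES = [
    "ldaps://authds.example.com:636/ou=People,dc=example,dc=com 3,5,300,3,300,0",
    "ldap://authds.example.com/ou=People,dc=example,dc=com 3,5,300,3,300,1",
    "ldap://authds.example.com/ou=People,dc=example,dc=com",
    "ldap://authds.example.com/ou=People,dc=example,dc=com 3,5,300",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        parsed, findings = lint_pta_url(sample)
        print(sample)
        for line in findings or ["OK"]:
            print("   ", line)
```
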

usage: dsconf instance plugin pass-through-auth pam-config [-h]
NAME
{add,set,show,delete}
...

NAME
The PAM PTA configuration name

Sub-commands

Add the config entry
Edit the config entry
Display the config entry
Delete the config entry

usage: dsconf instance plugin pass-through-auth pam-config NAME add
[-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
[--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
[--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
[--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
[--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]

Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)

Sets a suffix to include for PAM authentication (pamIncludeSuffix)

Identifies how to handle missing include or exclude suffixes
(pamMissingSuffix)

Sets an LDAP filter to use to identify specific entries within the included
suffixes for which to use PAM pass-through authentication (pamFilter)

Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)

Sets the method to use to map the LDAP bind DN to a PAM identity
(pamIDMapMethod)

Sets whether to fall back to regular LDAP authentication if PAM authentication
fails (pamFallback)

Requires secure TLS connection for PAM authentication (pamSecure)

Contains the service name to pass to PAM (pamService)

usage: dsconf instance plugin pass-through-auth pam-config NAME set
[-h] [--exclude-suffix EXCLUDE_SUFFIX [EXCLUDE_SUFFIX ...]]
[--include-suffix INCLUDE_SUFFIX [INCLUDE_SUFFIX ...]]
[--missing-suffix {ERROR,ALLOW,IGNORE,delete,}] [--filter FILTER]
[--id-attr ID_ATTR] [--id_map_method ID_MAP_METHOD]
[--fallback {TRUE,FALSE}] [--secure {TRUE,FALSE}] [--service SERVICE]

Specifies a suffix to exclude from PAM authentication (pamExcludeSuffix)

Sets a suffix to include for PAM authentication (pamIncludeSuffix)

Identifies how to handle missing include or exclude suffixes
(pamMissingSuffix)

Sets an LDAP filter to use to identify specific entries within the included
suffixes for which to use PAM pass-through authentication (pamFilter)

Contains the attribute name which is used to hold the PAM user ID (pamIDAttr)

Sets the method to use to map the LDAP bind DN to a PAM identity
(pamIDMapMethod)

Sets whether to fall back to regular LDAP authentication if PAM authentication
fails (pamFallback)

Requires secure TLS connection for PAM authentication (pamSecure)

Contains the service name to pass to PAM (pamService)

usage: dsconf instance plugin pass-through-auth pam-config NAME show [-h]

usage: dsconf instance plugin pass-through-auth pam-config NAME delete [-h]

usage: dsconf instance plugin retro-changelog [-h]
{show,enable,disable,status,set,add,del}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin
Add attributes to the plugin
Delete an attribute from plugin scope

usage: dsconf instance plugin retro-changelog show [-h]

usage: dsconf instance plugin retro-changelog enable [-h]

usage: dsconf instance plugin retro-changelog disable [-h]

usage: dsconf instance plugin retro-changelog status [-h]

usage: dsconf instance plugin retro-changelog set [-h]
[--is-replicated {TRUE,FALSE}]
[--attribute ATTRIBUTE]
[--directory DIRECTORY]
[--max-age MAX_AGE]
[--trim-interval TRIM_INTERVAL]
[--exclude-suffix [EXCLUDE_SUFFIX ...]]
[--exclude-attrs [EXCLUDE_ATTRS ...]]

Sets a flag on each change in the changelog to indicate whether the change was
newly made on that server or whether it was replicated over from another
server (isReplicated)

Specifies another Directory Server attribute which must be included in the
retro changelog entries (nsslapd-attribute)

Specifies the name of the directory in which the changelog database is created
the first time the plug-in is run

Specifies the maximum age of any entry in the changelog. Used to trim the
changelog (nsslapd-changelogmaxage)

Specifies the suffix which will be excluded from the scope of the plugin
(nsslapd-exclude-suffix)

Specifies the attributes which will be excluded from the scope of the plugin
(nsslapd-exclude-attrs)

usage: dsconf instance plugin retro-changelog add [-h]
[--is-replicated {TRUE,FALSE}]
[--attribute ATTRIBUTE]
[--directory DIRECTORY]
[--max-age MAX_AGE]
[--trim-interval TRIM_INTERVAL]
[--exclude-suffix [EXCLUDE_SUFFIX ...]]
[--exclude-attrs [EXCLUDE_ATTRS ...]]

Sets a flag on each change in the changelog to indicate whether the change was
newly made on that server or whether it was replicated over from another
server (isReplicated)

Specifies another Directory Server attribute which must be included in the
retro changelog entries (nsslapd-attribute)

Specifies the name of the directory in which the changelog database is created
the first time the plug-in is run

Specifies the maximum age of any entry in the changelog. Used to trim the
changelog (nsslapd-changelogmaxage)

Specifies the suffix which will be excluded from the scope of the plugin
(nsslapd-exclude-suffix)

Specifies the attributes which will be excluded from the scope of the plugin
(nsslapd-exclude-attrs)

usage: dsconf instance plugin retro-changelog del [-h]
[--is-replicated {TRUE,FALSE}]
[--attribute ATTRIBUTE]
[--directory DIRECTORY]
[--max-age MAX_AGE]
[--trim-interval TRIM_INTERVAL]
[--exclude-suffix [EXCLUDE_SUFFIX ...]]
[--exclude-attrs [EXCLUDE_ATTRS ...]]

Sets a flag on each change in the changelog to indicate whether the change was
newly made on that server or whether it was replicated over from another
server (isReplicated)

Specifies another Directory Server attribute which must be included in the
retro changelog entries (nsslapd-attribute)

Specifies the name of the directory in which the changelog database is created
the first time the plug-in is run

Specifies the maximum age of any entry in the changelog. Used to trim the
changelog (nsslapd-changelogmaxage)

Specifies the suffix which will be excluded from the scope of the plugin
(nsslapd-exclude-suffix)

Specifies the attributes which will be excluded from the scope of the plugin
(nsslapd-exclude-attrs)

usage: dsconf instance plugin posix-winsync [-h]
{show,enable,disable,status,set,fixup}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin settings
Run the memberOf fix-up task to correct mismatched member and uniquemember values for synced users

usage: dsconf instance plugin posix-winsync show [-h]

usage: dsconf instance plugin posix-winsync enable [-h]

usage: dsconf instance plugin posix-winsync disable [-h]

usage: dsconf instance plugin posix-winsync status [-h]

usage: dsconf instance plugin posix-winsync set [-h]
[--create-memberof-task {true,false}]
[--lower-case-uid {true,false}]
[--map-member-uid {true,false}]
[--map-nested-grouping {true,false}]
[--ms-sfu-schema {true,false}]

Sets whether to run the memberUID fix-up task immediately after a sync run in
order to update group memberships for synced users
(posixWinsyncCreateMemberOfTask)

Sets whether to store (and, if necessary, convert) the UID value in the
memberUID attribute in lower case (posixWinsyncLowerCaseUID)

Sets whether to map the memberUID attribute in an Active Directory group to
the uniqueMember attribute in a Directory Server group
(posixWinsyncMapMemberUID)

Sets whether nested groups are updated when memberUID attributes in an Active
Directory POSIX group change (posixWinsyncMapNestedGrouping)

Sets whether to use the older Microsoft System Services for Unix 3.0 (msSFU30)
schema when syncing POSIX attributes from Active Directory
(posixWinsyncMsSFUSchema)

usage: dsconf instance plugin posix-winsync fixup [-h] [-f FILTER] DN

Set the base DN that contains entries to fix up

Filter for entries to fix up. If omitted, all entries with objectclass
inetuser/inetadmin/nsmemberof under the specified base will have their
memberOf attribute regenerated.

usage: dsconf instance plugin contentsync [-h]
{show,enable,disable,status,set,add}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Edit the plugin settings
Add attributes to the plugin

usage: dsconf instance plugin contentsync show [-h]

usage: dsconf instance plugin contentsync enable [-h]

usage: dsconf instance plugin contentsync disable [-h]

usage: dsconf instance plugin contentsync status [-h]

usage: dsconf instance plugin contentsync set [-h] [--allow-openldap {on,off}]

Allows OpenLDAP servers to act as read-only consumers of this server via
syncrepl

usage: dsconf instance plugin contentsync add [-h] [--allow-openldap {on,off}]

Allows OpenLDAP servers to act as read-only consumers of this server via
syncrepl

usage: dsconf instance plugin entryuuid [-h]
{show,enable,disable,status,fixup,fixup-status}
...

Sub-commands

Displays the plugin configuration
Enables the plugin
Disables the plugin
Displays the plugin status
Run the fix-up task for EntryUUID plugin
Check the status of a fix-up task

usage: dsconf instance plugin entryuuid show [-h]

usage: dsconf instance plugin entryuuid enable [-h]

usage: dsconf instance plugin entryuuid disable [-h]

usage: dsconf instance plugin entryuuid status [-h]

usage: dsconf instance plugin entryuuid fixup [-h] [-f FILTER] [--wait] DN

Base DN that contains entries to fix up

Filter for entries to fix up. If omitted, all entries under base DN will have
their EntryUUID attribute regenerated if not present.

Wait for the task to finish; this could take a long time

usage: dsconf instance plugin entryuuid fixup-status [-h] [--dn DN]
[--show-log] [--watch]

The task entry's DN

Display the task log

Watch the task's status and wait for it to finish

usage: dsconf instance plugin list [-h]

usage: dsconf instance plugin show [-h] [selector]

The plugin to search for

usage: dsconf instance plugin set [-h] [--type TYPE] [--enabled {on,off}]
[--path PATH] [--initfunc INITFUNC]
[--id ID] [--vendor VENDOR]
[--version VERSION]
[--description DESCRIPTION]
[--depends-on-type DEPENDS_ON_TYPE]
[--depends-on-named DEPENDS_ON_NAMED]
[--precedence PRECEDENCE]
[selector]

The plugin to edit

The type of plugin.

Identifies whether or not the plugin is enabled.

The plugin library name (without the library suffix).

An initialization function of the plugin.

The plugin ID.

The vendor of plugin.

The version of plugin.

The description of the plugin.

All plug-ins with a type value which matches one of the values in the
following valid range will be started by the server prior to this plug-in.

The plug-in name matching one of the following values will be started by the
server prior to this plug-in

The priority it has in the execution order of plug-ins

usage: dsconf instance pwpolicy [-h] {get,set} ...

Sub-commands

Get the global password policy entry
Set an attribute in a global password policy

usage: dsconf instance pwpolicy get [-h]

usage: dsconf instance pwpolicy set [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
[--pwptprmaxuse PWPTPRMAXUSE]
[--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
[--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
[--pwdlocal PWDLOCAL]
[--pwdisglobal PWDISGLOBAL]
[--pwdallowhash PWDALLOWHASH]
[--pwpinheritglobal PWPINHERITGLOBAL]

The password storage scheme

Allow users to change their passwords

Users must change their password after it was reset by an administrator

To enable password history set this to "on", otherwise "off"

The number of passwords to keep in history

The DN of an entry or a group of accounts that can bypass password policy
constraints

Set to "on" to track the time the password was last changed

Send an expiring warning if password expires within this time (in seconds)

Set to "on" to enable password expiration

The password expiration time in seconds

The number of seconds that must pass before a user can change their password

The number of allowed logins after the password has expired

Set to "on" to always send the expiring control regardless of the warning
period

Set to "on" to enable account lockout

Set to "on" to allow an account to become unlocked after the lockout duration

The number of seconds an account stays locked out

The maximum number of allowed failed password attempts before the account gets
locked

The number of seconds to wait before reducing the failed login count on an
account

Set to "on" to enable password syntax checking

The minimum number of characters required in a password

The minimum number of digit/number characters in a password

The minimum number of alpha characters required in a password

The minimum number of uppercase characters required in a password

The minimum number of lowercase characters required in a password

The minimum number of special characters required in a password

The minimum number of 8-bit characters required in a password

The maximum number of times the same character can appear sequentially in the
password

Set to "on" to reject passwords that are palindromes

The maximum number of allowed monotonic character sequences in a password

The maximum number of allowed monotonic character sequences that can be
duplicated in a password

The maximum number of sequential characters from the same character class that
is allowed in a password

The minimum number of syntax category checks

Sets the smallest attribute value length that is used for trivial/user words
checking. This also impacts "--pwduserattrs"

A space-separated list of words that can not be in a password

A space-separated list of attributes whose values can not appear in the
password (See "--pwdmintokenlen")

Set to "on" to enforce CrackLib dictionary checking

Filesystem path to specific/custom CrackLib dictionary files

Number of times a reset password can be used for authentication

Number of seconds after which a reset password expires

Number of seconds to wait before using a reset password to authenticate

Set to "on" to enable fine-grained (subtree/user-level) password policies

Set to "on" to enable password policy state attributes to be replicated

Set to "on" to allow adding prehashed passwords

Set to "on" to allow local policies to inherit the global policy

usage: dsconf instance localpwp [-h]
{list,get,set,remove,adduser,addsubtree} ...

Sub-commands

List all the local password policies
Get local password policy entry
Set an attribute in a local password policy
Remove a local password policy
Add new user password policy
Add new subtree password policy

usage: dsconf instance localpwp list [-h] [DN]

Suffix to search for local password policies

usage: dsconf instance localpwp get [-h] DN

Get the local policy for this entry DN

usage: dsconf instance localpwp set [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
[--pwptprmaxuse PWPTPRMAXUSE]
[--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
[--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
DN

Set the local policy for this entry DN

The password storage scheme

Allow users to change their passwords

Users must change their password after it was reset by an administrator

To enable password history set this to "on", otherwise "off"

The number of passwords to keep in history

The DN of an entry or a group of accounts that can bypass password policy
constraints

Set to "on" to track the time the password was last changed

Send an expiring warning if password expires within this time (in seconds)

Set to "on" to enable password expiration

The password expiration time in seconds

The number of seconds that must pass before a user can change their password

The number of allowed logins after the password has expired

Set to "on" to always send the expiring control regardless of the warning
period

Set to "on" to enable account lockout

Set to "on" to allow an account to become unlocked after the lockout duration

The number of seconds an account stays locked out

The maximum number of allowed failed password attempts before the account gets
locked

The number of seconds to wait before reducing the failed login count on an
account

Set to "on" to enable password syntax checking

The minimum number of characters required in a password

The minimum number of digit/number characters in a password

The minimum number of alpha characters required in a password

The minimum number of uppercase characters required in a password

The minimum number of lowercase characters required in a password

The minimum number of special characters required in a password

The minimum number of 8-bit characters required in a password

The maximum number of times the same character can appear sequentially in the
password

Set to "on" to reject passwords that are palindromes

The maximum number of allowed monotonic character sequences in a password

The maximum number of allowed monotonic character sequences that can be
duplicated in a password

The maximum number of sequential characters from the same character class that
is allowed in a password

The minimum number of syntax category checks

Sets the smallest attribute value length that is used for trivial/user words
checking. This also impacts "--pwduserattrs"

A space-separated list of words that can not be in a password

A space-separated list of attributes whose values can not appear in the
password (See "--pwdmintokenlen")

Set to "on" to enforce CrackLib dictionary checking

Filesystem path to specific/custom CrackLib dictionary files

Number of times a reset password can be used for authentication

Number of seconds after which a reset password expires

Number of seconds to wait before using a reset password to authenticate

usage: dsconf instance localpwp remove [-h] DN

Remove local policy for this entry DN

usage: dsconf instance localpwp adduser [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
[--pwptprmaxuse PWPTPRMAXUSE]
[--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
[--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
DN

Add/replace the local password policy for this entry DN

The password storage scheme

Allow users to change their passwords

Users must change their password after it was reset by an administrator

To enable password history set this to "on", otherwise "off"

The number of passwords to keep in history

The DN of an entry or a group of accounts that can bypass password policy
constraints

Set to "on" to track the time the password was last changed

Send an expiring warning if password expires within this time (in seconds)

Set to "on" to enable password expiration

The password expiration time in seconds

The number of seconds that must pass before a user can change their password

The number of allowed logins after the password has expired

Set to "on" to always send the expiring control regardless of the warning
period

Set to "on" to enable account lockout

Set to "on" to allow an account to become unlocked after the lockout duration

The number of seconds an account stays locked out

The maximum number of allowed failed password attempts before the account gets
locked

The number of seconds to wait before reducing the failed login count on an
account

Set to "on" to enable password syntax checking

The minimum number of characters required in a password

The minimum number of digit/number characters in a password

The minimum number of alpha characters required in a password

The minimum number of uppercase characters required in a password

The minimum number of lowercase characters required in a password

The minimum number of special characters required in a password

The minimum number of 8-bit characters required in a password

The maximum number of times the same character can appear sequentially in the
password

Set to "on" to reject passwords that are palindromes

The maximum number of allowed monotonic character sequences in a password

The maximum number of allowed monotonic character sequences that can be
duplicated in a password

The maximum number of sequential characters from the same character class that
is allowed in a password

The minimum number of syntax category checks

Sets the smallest attribute value length that is used for trivial/user words
checking. This also impacts "--pwduserattrs"

A space-separated list of words that can not be in a password

A space-separated list of attributes whose values can not appear in the
password (See "--pwdmintokenlen")

Set to "on" to enforce CrackLib dictionary checking

Filesystem path to specific/custom CrackLib dictionary files

Number of times a reset password can be used for authentication

Number of seconds after which a reset password expires

Number of seconds to wait before using a reset password to authenticate

usage: dsconf instance localpwp addsubtree [-h] [--pwdscheme PWDSCHEME]
[--pwdchange PWDCHANGE]
[--pwdmustchange PWDMUSTCHANGE]
[--pwdhistory PWDHISTORY]
[--pwdhistorycount PWDHISTORYCOUNT]
[--pwdadmin PWDADMIN]
[--pwdtrack PWDTRACK]
[--pwdwarning PWDWARNING]
[--pwdexpire PWDEXPIRE]
[--pwdmaxage PWDMAXAGE]
[--pwdminage PWDMINAGE]
[--pwdgracelimit PWDGRACELIMIT]
[--pwdsendexpiring PWDSENDEXPIRING]
[--pwdlockout PWDLOCKOUT]
[--pwdunlock PWDUNLOCK]
[--pwdlockoutduration PWDLOCKOUTDURATION]
[--pwdmaxfailures PWDMAXFAILURES]
[--pwdresetfailcount PWDRESETFAILCOUNT]
[--pwdchecksyntax PWDCHECKSYNTAX]
[--pwdminlen PWDMINLEN]
[--pwdmindigits PWDMINDIGITS]
[--pwdminalphas PWDMINALPHAS]
[--pwdminuppers PWDMINUPPERS]
[--pwdminlowers PWDMINLOWERS]
[--pwdminspecials PWDMINSPECIALS]
[--pwdmin8bits PWDMIN8BITS]
[--pwdmaxrepeats PWDMAXREPEATS]
[--pwdpalindrome PWDPALINDROME]
[--pwdmaxseq PWDMAXSEQ]
[--pwdmaxseqsets PWDMAXSEQSETS]
[--pwdmaxclasschars PWDMAXCLASSCHARS]
[--pwdmincatagories PWDMINCATAGORIES]
[--pwdmintokenlen PWDMINTOKENLEN]
[--pwdbadwords PWDBADWORDS]
[--pwduserattrs PWDUSERATTRS]
[--pwddictcheck PWDDICTCHECK]
[--pwddictpath PWDDICTPATH]
[--pwptprmaxuse PWPTPRMAXUSE]
[--pwptprdelayexpireat PWPTPRDELAYEXPIREAT]
[--pwptprdelayvalidfrom PWPTPRDELAYVALIDFROM]
DN

Add/replace the subtree policy for this entry DN

The password storage scheme

Allow users to change their passwords

Users must change their password after it was reset by an administrator

To enable password history set this to "on", otherwise "off"

The number of passwords to keep in history

The DN of an entry or a group of accounts that can bypass password policy
constraints

Set to "on" to track the time the password was last changed

Send an expiring warning if password expires within this time (in seconds)

Set to "on" to enable password expiration

The password expiration time in seconds

The number of seconds that must pass before a user can change their password

The number of allowed logins after the password has expired

Set to "on" to always send the expiring control regardless of the warning
period

Set to "on" to enable account lockout

Set to "on" to allow an account to become unlocked after the lockout duration

The number of seconds an account stays locked out

The maximum number of allowed failed password attempts before the account gets
locked

The number of seconds to wait before reducing the failed login count on an
account

Set to "on" to enable password syntax checking

The minimum number of characters required in a password

The minimum number of digit/number characters in a password

The minimum number of alpha characters required in a password

The minimum number of uppercase characters required in a password

The minimum number of lowercase characters required in a password

The minimum number of special characters required in a password

The minimum number of 8-bit characters required in a password

The maximum number of times the same character can appear sequentially in the
password

Set to "on" to reject passwords that are palindromes

The maximum number of allowed monotonic character sequences in a password

The maximum number of allowed monotonic character sequences that can be
duplicated in a password

The maximum number of sequential characters from the same character class that
is allowed in a password

The minimum number of syntax category checks

Sets the smallest attribute value length that is used for trivial/user words
checking. This also impacts "--pwduserattrs"

A space-separated list of words that can not be in a password

A space-separated list of attributes whose values can not appear in the
password (See "--pwdmintokenlen")

Set to "on" to enforce CrackLib dictionary checking

Filesystem path to specific/custom CrackLib dictionary files

Number of times a reset password can be used for authentication

Number of seconds after which a reset password expires

Number of seconds to wait before using a reset password to authenticate
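
The usage lines for pwpolicy set and for localpwp set, adduser and addsubtree above differ only in four global-only options and the trailing DN. The following added example (not part of dsconf or lib389) checks a planned change against those usage lines and returns an argv list; the grouping of options under an on/off switch is an assumption inferred from the option descriptions, and the sample values are constructed.

```python
# Options shared by `pwpolicy set` and `localpwp set|adduser|addsubtree`,
# copied from the usage text above (including its "catagories" spelling).
COMMON = frozenset("""
pwdscheme pwdchange pwdmustchange pwdhistory pwdhistorycount pwdadmin pwdtrack
pwdwarning pwdexpire pwdmaxage pwdminage pwdgracelimit pwdsendexpiring
pwdlockout pwdunlock pwdlockoutduration pwdmaxfailures pwdresetfailcount
pwdchecksyntax pwdminlen pwdmindigits pwdminalphas pwdminuppers pwdminlowers
pwdminspecials pwdmin8bits pwdmaxrepeats pwdpalindrome pwdmaxseq pwdmaxseqsets
pwdmaxclasschars pwdmincatagories pwdmintokenlen pwdbadwords pwduserattrs
pwddictcheck pwddictpath pwptprmaxuse pwptprdelayexpireat pwptprdelayvalidfrom
""".split())
# Options that appear only in the `pwpolicy set` usage.
GLOBAL_ONLY = frozenset(
    "pwdlocal pwdisglobal pwdallowhash pwpinheritglobal".split())

# Assumption: each switch must be "on" for the options listed under it to
# be enforced; the grouping is inferred from the option descriptions.
SWITCHES = {
    "pwdhistory": ("pwdhistorycount",),
    "pwdexpire": ("pwdmaxage", "pwdwarning", "pwdgracelimit"),
    "pwdlockout": ("pwdunlock", "pwdlockoutduration", "pwdmaxfailures",
                   "pwdresetfailcount"),
    "pwdchecksyntax": ("pwdminlen", "pwdmindigits", "pwdminalphas",
                       "pwdminuppers", "pwdminlowers", "pwdminspecials"),
}
LOCAL_ACTIONS = ("set", "adduser", "addsubtree")


def build_policy_command(instance, options, command=("pwpolicy", "set"),
                         dn=None):
    """Return (argv, findings) for a password-policy change.

    options maps option names (without the leading "--") to values.
    Raises ValueError if the request does not fit the usage lines.
    """
    command = tuple(command)
    local = command[0] == "localpwp"
    if local:
        if len(command) != 2 or command[1] not in LOCAL_ACTIONS:
            raise ValueError("localpwp action must be one of %s"
                             % ", ".join(LOCAL_ACTIONS))
        if not dn:
            raise ValueError("localpwp needs the target entry DN")
        allowed = COMMON
    elif command == ("pwpolicy", "set"):
        if dn:
            raise ValueError("pwpolicy set takes no DN")
        allowed = COMMON | GLOBAL_ONLY
    else:
        raise ValueError("unsupported command: %r" % (command,))

    rejected = sorted(set(options) - allowed)
    if rejected:
        raise ValueError("%s does not accept: %s"
                         % (" ".join(command), ", ".join(rejected)))

    findings = []
    for switch, dependents in SWITCHES.items():
        used = sorted(name for name in dependents if name in options)
        if used and options.get(switch) != "on":
            findings.append("--%s is not set to on in this call; check the "
                            "current policy before relying on: %s"
                            % (switch, ", ".join(used)))
    if options.get("pwdallowhash") == "on":
        findings.append("--pwdallowhash on: the server cannot apply syntax "
                        "checks to a password it only receives as a hash")

    # A list keeps multi-word values (for example --pwdbadwords) as one
    # argument and avoids shell quoting problems.
    argv = ["dsconf", instance, *command]
    for name in sorted(options):
        argv += ["--" + name, str(options[name])]
    if local:
        argv.append(dn)
    return argv, findings


if __name__ == "__main__":
    # Constructed sample change: lockout is switched on, syntax checking is not.
    argv, findings = build_policy_command(
        "ldap://server.example.com:389",
        {"pwdlockout": "on", "pwdmaxfailures": 5, "pwdminlen": 12})
    print(" ".join(argv))
    for line in findings:
        print("NOTE:", line)
```
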

usage: dsconf instance replication [-h]
{enable,disable,get-ruv,list,status,winsync-status,promote,create-manager,delete-manager,demote,get,set-changelog,get-changelog,export-changelog,import-changelog,set,monitor}
...

Sub-commands

Enable replication for a suffix
Disable replication for a suffix
Display the database RUV entry for a suffix
Lists all the replicated suffixes
Display the current status of all the replication agreements
Display the current status of all the replication agreements
Promote a replica to a hub or supplier
Create a replication manager entry
Delete a replication manager entry
Demote replica to a hub or consumer
Display the replication configuration
Set replication changelog attributes
Display replication changelog attributes
Export the Directory Server replication changelog to an LDIF file
Restore/import Directory Server replication change log from an LDIF file. This is typically used when managing changelog encryption
Set an attribute in the replication configuration
Display the full replication topology report

usage: dsconf instance replication enable [-h] --suffix SUFFIX --role ROLE
[--replica-id REPLICA_ID]
[--bind-group-dn BIND_GROUP_DN]
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]

Sets the DN of the suffix to be enabled for replication

Sets the replication role: "supplier", "hub", or "consumer"

Sets the replication identifier for a "supplier". Values range from 1 - 65534

Sets a group entry DN containing members that are "bind/supplier" DNs

Sets the bind or supplier DN that can make replication updates

Sets the password for replication manager (--bind-dn). This will create the
manager entry if a value is set

usage: dsconf instance replication disable [-h] --suffix SUFFIX

Sets the DN of the suffix to have replication disabled

usage: dsconf instance replication get-ruv [-h] --suffix SUFFIX

Sets the DN of the replicated suffix

usage: dsconf instance replication list [-h]

usage: dsconf instance replication status [-h] --suffix SUFFIX
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]

Sets the DN of the replication suffix

Sets the DN to use to authenticate to the consumer

Sets the password for the bind DN

usage: dsconf instance replication winsync-status [-h] --suffix SUFFIX
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]

Sets the DN of the replication suffix

Sets the DN to use to authenticate to the consumer

Sets the password of the bind DN

usage: dsconf instance replication promote [-h] --suffix SUFFIX --newrole
NEWROLE [--replica-id REPLICA_ID]
[--bind-group-dn BIND_GROUP_DN]
[--bind-dn BIND_DN]

Sets the DN of the replication suffix to promote

Sets the new replica role to "hub" or "supplier"

Sets the replication identifier for a "supplier". Values range from 1 - 65534

Sets a group entry DN containing members that are "bind/supplier" DNs

Sets the bind or supplier DN that can make replication updates

usage: dsconf instance replication create-manager [-h] [--name NAME]
[--passwd PASSWD]
[--suffix SUFFIX]

Sets the name of the new replication manager entry. For example, if the name is
"replication manager" then the new manager entry's DN would be "cn=replication
manager,cn=config".

Sets the password for replication manager. If not provided, you will be
prompted for the password

The DN of the replication suffix whose replication configuration you want to
add this new manager to (OPTIONAL)

usage: dsconf instance replication delete-manager [-h] [--name NAME]
[--suffix SUFFIX]

Sets the name of the replication manager entry under cn=config:
"cn=NAME,cn=config"

Sets the DN of the replication suffix whose replication configuration you want
to remove this manager from (OPTIONAL)

usage: dsconf instance replication demote [-h] --suffix SUFFIX --newrole
NEWROLE

Sets the DN of the replication suffix

Sets the new replication role to "hub" or "consumer"

usage: dsconf instance replication get [-h] --suffix SUFFIX

Sets the suffix DN for the replication configuration to display

usage: dsconf instance replication set-changelog [-h] --suffix SUFFIX
[--max-entries MAX_ENTRIES]
[--max-age MAX_AGE]
[--trim-interval TRIM_INTERVAL]
[--encrypt]
[--disable-encrypt]

Sets the suffix that uses the changelog

Sets the maximum number of entries to get in the replication changelog

Sets the maximum age of a replication changelog entry

Sets the interval to check if the replication changelog can be trimmed

Sets the replication changelog to use encryption. You must export and import
the changelog after setting this.

Sets the replication changelog to not use encryption. You must export and
import the changelog after setting this.

usage: dsconf instance replication get-changelog [-h] --suffix SUFFIX

Sets the suffix that uses the changelog

usage: dsconf instance replication export-changelog [-h] {to-ldif,default} ...

Sub-commands

Sets the LDIF file name. This is typically used for setting up changelog encryption
Export the replication changelog to the server's default LDIF directory

usage: dsconf instance replication export-changelog to-ldif
[-h] [-c] [-d] [-l] [-i CHANGELOG_LDIF] -o OUTPUT_FILE -r REPLICA_ROOT

Exports and interprets CSNs only. This option can be used with or without the
-i option. The LDIF file that is generated cannot be imported and is only used
for debugging purposes.

Decodes the base64 values in each changelog entry. The LDIF file that is
generated cannot be imported and is only used for debugging purposes.

Preserves generated LDIF "files.done" files in changelog directory.

Decodes changes in an LDIF file. Use this option if you already have a
changelog LDIF file, but the changes in that file are encoded.

Sets the path name for the final result

Specifies the replica root whose changelog you want to export

usage: dsconf instance replication export-changelog default
[-h] -r REPLICA_ROOT

Specifies the replica root whose changelog you want to export

usage: dsconf instance replication import-changelog [-h]
{from-ldif,default} ...

Sub-commands

Restore/import a specific single LDIF file
Import the default changelog LDIF file created by the server

usage: dsconf instance replication import-changelog from-ldif
[-h] -r REPLICA_ROOT LDIF_PATH

The path of the changelog LDIF file

Specifies the replica root whose changelog you want to import

usage: dsconf instance replication import-changelog default
[-h] -r REPLICA_ROOT

Specifies the replica root whose changelog you want to import

usage: dsconf instance replication set [-h] --suffix SUFFIX
[--repl-add-bind-dn REPL_ADD_BIND_DN]
[--repl-del-bind-dn REPL_DEL_BIND_DN]
[--repl-add-ref REPL_ADD_REF]
[--repl-del-ref REPL_DEL_REF]
[--repl-purge-delay REPL_PURGE_DELAY]
[--repl-tombstone-purge-interval REPL_TOMBSTONE_PURGE_INTERVAL]
[--repl-fast-tombstone-purging REPL_FAST_TOMBSTONE_PURGING]
[--repl-bind-group REPL_BIND_GROUP]
[--repl-bind-group-interval REPL_BIND_GROUP_INTERVAL]
[--repl-protocol-timeout REPL_PROTOCOL_TIMEOUT]
[--repl-backoff-max REPL_BACKOFF_MAX]
[--repl-backoff-min REPL_BACKOFF_MIN]
[--repl-release-timeout REPL_RELEASE_TIMEOUT]
[--repl-keepalive-update-interval REPL_KEEPALIVE_UPDATE_INTERVAL]

Sets the DN of the replication suffix

Adds a bind (supplier) DN

Removes a bind (supplier) DN

Adds a replication referral (for consumers only)

Removes a replication referral (for consumers only)

Sets the replication purge delay

Sets the interval in seconds to check for tombstones that can be purged

Enables or disables improving the tombstone purging performance

Sets a group entry DN containing members that are "bind/supplier" DNs

Sets an interval in seconds to check if the bind group has been updated

Sets a timeout in seconds on how long to wait before stopping replication when
the server is under load

The maximum time in seconds a replication agreement should stay in a backoff
state while waiting to acquire the consumer. Default is 300 seconds

The starting time in seconds a replication agreement should stay in a backoff
state while waiting to acquire the consumer. Default is 3 seconds

A timeout in seconds a replication supplier should send updates before it
yields its replication session

Interval in seconds for how often the server will apply an internal update to
keep the RUV from getting stale. The default is 1 hour (3600 seconds)

usage: dsconf instance replication monitor [-h] [-c [CONNECTIONS ...]]
[-a [ALIASES ...]]

Sets the connection values for monitoring other topologies that are not
connected to this one. The format is 'host:port:binddn:bindpwd'. You can use a
regex for host and port. You can set bindpwd to * to be prompted for it at
runtime, or give the path to a password file in square brackets: [~/pwd.txt]

Enables displaying an alias instead of host:port, if an alias is assigned to a
host:port combination. The format: alias=host:port
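
The connection format described above, as an added Python example that is not part of dsconf or lib389: it splits each 'host:port:binddn:bindpwd' value, classifies where the password comes from, and reports the values that embed a literal password. The function names, the sample hosts and the assumption that host and port patterns contain no colon are illustrative.

```python
def parse_connection(spec):
    """Split one 'host:port:binddn:bindpwd' value and classify the password."""
    # Assumption: host and port patterns contain no ':'; everything after the
    # third ':' is treated as the password field, which may itself contain ':'.
    parts = spec.split(":", 3)
    if len(parts) != 4 or not all(parts):
        raise ValueError("expected host:port:binddn:bindpwd, got %d field(s)" % len(parts))
    host, port, binddn, pwd = parts
    if pwd == "*":
        source, pwd_file = "prompt", None          # requested at runtime
    elif pwd.startswith("[") and pwd.endswith("]") and len(pwd) > 2:
        source, pwd_file = "file", pwd[1:-1]       # path to a password file
    else:
        source, pwd_file = "inline", None          # literal secret in the value
    return {"host": host, "port": port, "binddn": binddn,
            "pwd_source": source, "pwd_file": pwd_file}


def inline_password_specs(specs):
    """Return redacted copies of the specs that embed a literal password."""
    flagged = []
    for spec in specs:
        conn = parse_connection(spec)
        if conn["pwd_source"] == "inline":
            # Never echo the secret back into logs or reports.
            flagged.append("%s:%s:%s:<redacted>"
                           % (conn["host"], conn["port"], conn["binddn"]))
    return flagged


# Constructed sample values, as they might appear in a wrapper script.
SAMPLE_SPECS = [
    "ldap1.example.com:389:cn=Directory Manager:*",
    "ldap[2-3].example.com:636:cn=Directory Manager:[~/pwd.txt]",
    "ldap4.example.com:389:cn=Directory Manager:Secret:123",
]

if __name__ == "__main__":
    for line in inline_password_specs(SAMPLE_SPECS):
        print("literal password in connection value:", line)
```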

usage: dsconf instance repl-agmt [-h]
{list,enable,disable,init,init-status,poke,status,delete,create,set,get}
...

Sub-commands

List all replication agreements
Enable replication agreement
Disable replication agreement
Initialize replication agreement
Check the agreement initialization status
Trigger replication to send updates now
Displays the current status of the replication agreement
Delete replication agreement
Initialize replication agreement
Set an attribute in the replication agreement
Get replication configuration

usage: dsconf instance repl-agmt list [-h] --suffix SUFFIX [--entry ENTRY]

Sets the DN of the suffix to look up replication agreements for

Returns the entire entry for each agreement

usage: dsconf instance repl-agmt enable [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-agmt disable [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-agmt init [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-agmt init-status [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-agmt poke [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-agmt status [-h] --suffix SUFFIX
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

Sets the DN to use to authenticate to the consumer

Sets the password for the bind DN

usage: dsconf instance repl-agmt delete [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-agmt create [-h] --suffix SUFFIX --host HOST
--port PORT --conn-protocol
CONN_PROTOCOL [--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
--bind-method BIND_METHOD
[--frac-list FRAC_LIST]
[--frac-list-total FRAC_LIST_TOTAL]
[--strip-list STRIP_LIST]
[--schedule SCHEDULE]
[--conn-timeout CONN_TIMEOUT]
[--protocol-timeout PROTOCOL_TIMEOUT]
[--wait-async-results WAIT_ASYNC_RESULTS]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
[--flow-control-window FLOW_CONTROL_WINDOW]
[--flow-control-pause FLOW_CONTROL_PAUSE]
[--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
[--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
[--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
[--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
[--init]
AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

Sets the hostname of the remote replica

Sets the port number of the remote replica

Sets the replication connection protocol: LDAP, LDAPS, or StartTLS

Sets the bind DN the agreement uses to authenticate to the replica

Sets the credentials for the bind DN

Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or
"SASL/GSSAPI"

Sets the list of attributes to NOT replicate to the consumer during
incremental updates

Sets the list of attributes to NOT replicate during a total initialization

Sets a list of attributes that are removed from updates only if the event
would otherwise be empty. Typically this is set to "modifiersname" and
"modifytimestamp"

Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday -
Saturday).

Sets the timeout used for replication connections

Sets a timeout in seconds on how long to wait before stopping replication when
the server is under load

Sets the amount of time in milliseconds the server waits if the consumer is
not ready before resending data

Sets the amount of time in seconds a supplier should wait after a consumer
sends back a busy response before making another attempt to acquire access.

Sets the amount of time in seconds a supplier should wait between update
sessions.

Sets the maximum number of entries and updates sent by a supplier, which are
not acknowledged by the consumer.

Sets the time in milliseconds to pause after reaching the number of entries
and updates set in "--flow-control-window"

Sets an optional bind DN the agreement can use to bootstrap initialization
when bind groups are being used

Sets the bootstrap credentials for the bind DN

Sets the replication bootstrap connection protocol: LDAP, LDAPS, or StartTLS

Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"

Initializes the agreement after creating it
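
An added Python example, not part of dsconf or lib389: a pre-flight check of an option set for "repl-agmt create" that uses the values listed above. It rejects protocol and bind-method values outside the documented lists, flags bind methods that do not fit a plain LDAP connection, and parses the 'HHMM-HHMM DDDDDDD' schedule. Function names and sample agreements are illustrative, and accepting fewer than seven day digits is an assumption.

```python
import re

# Values listed for --conn-protocol and --bind-method in the option text above.
CONN_PROTOCOLS = {"LDAP", "LDAPS", "STARTTLS"}
BIND_METHODS = {"SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", "SASL/GSSAPI"}
BOOTSTRAP_BIND_METHODS = {"SIMPLE", "SSLCLIENTAUTH"}
REQUIRED = ("suffix", "host", "port", "conn-protocol", "bind-method")
DAY_NAMES = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
SCHEDULE_RE = re.compile(r"(\d{2})(\d{2})-(\d{2})(\d{2}) ([0-6]{1,7})")


def parse_schedule(value):
    """Parse 'HHMM-HHMM DDDDDDD' (D = 0-6, Sunday - Saturday) or raise ValueError."""
    m = SCHEDULE_RE.fullmatch(value.strip())
    if m is None:
        raise ValueError("schedule must look like 'HHMM-HHMM DDDDDDD': %r" % value)
    sh, sm, eh, em = (int(g) for g in m.groups()[:4])
    if sh > 23 or eh > 23 or sm > 59 or em > 59:
        raise ValueError("hour or minute out of range: %r" % value)
    days = m.group(5)
    if len(set(days)) != len(days):
        raise ValueError("a day is listed twice: %r" % value)
    return {"start": (sh, sm), "end": (eh, em),
            "days": [DAY_NAMES[int(d)] for d in sorted(days)]}


def _check_bind(opts, prefix, methods, findings):
    """Check one protocol/bind-method pair ('' or 'bootstrap-' options)."""
    proto = opts.get(prefix + "conn-protocol")
    method = opts.get(prefix + "bind-method")
    if proto is not None and proto.upper() not in CONN_PROTOCOLS:
        findings.append((prefix + "conn-protocol", "not LDAP, LDAPS or StartTLS"))
    if method is not None and method.upper() not in methods:
        findings.append((prefix + "bind-method", "not one of %s" % sorted(methods)))
    if proto is not None and method is not None and proto.upper() == "LDAP":
        if method.upper() == "SIMPLE":
            findings.append((prefix + "bind-method",
                             "SIMPLE bind over plain LDAP sends the password unencrypted"))
        elif method.upper() == "SSLCLIENTAUTH":
            findings.append((prefix + "bind-method",
                             "certificate authentication needs LDAPS or StartTLS"))


def check_agreement(opts):
    """Return (option, problem) pairs for a dict keyed by option name without '--'."""
    findings = [(name, "required option is missing")
                for name in REQUIRED if name not in opts]
    _check_bind(opts, "", BIND_METHODS, findings)
    _check_bind(opts, "bootstrap-", BOOTSTRAP_BIND_METHODS, findings)
    if "schedule" in opts:
        try:
            parse_schedule(opts["schedule"])
        except ValueError as err:
            findings.append(("schedule", str(err)))
    return findings


# Constructed sample agreements (hosts and DNs are placeholders).
WEAK_AGREEMENT = {
    "suffix": "dc=example,dc=com", "host": "replica2.example.com", "port": "389",
    "conn-protocol": "LDAP", "bind-method": "SIMPLE",
    "bind-dn": "cn=replication manager,cn=config", "schedule": "0000-2560 0123456",
}
HARDENED_AGREEMENT = {
    "suffix": "dc=example,dc=com", "host": "replica2.example.com", "port": "636",
    "conn-protocol": "LDAPS", "bind-method": "SSLCLIENTAUTH",
    "bootstrap-conn-protocol": "StartTLS", "bootstrap-bind-method": "SIMPLE",
    "schedule": "2200-2359 06",
}

if __name__ == "__main__":
    for option, problem in check_agreement(WEAK_AGREEMENT):
        print("--%s: %s" % (option, problem))
```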

usage: dsconf instance repl-agmt set [-h] --suffix SUFFIX [--host HOST]
[--port PORT]
[--conn-protocol CONN_PROTOCOL]
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
[--bind-method BIND_METHOD]
[--frac-list FRAC_LIST]
[--frac-list-total FRAC_LIST_TOTAL]
[--strip-list STRIP_LIST]
[--schedule SCHEDULE]
[--conn-timeout CONN_TIMEOUT]
[--protocol-timeout PROTOCOL_TIMEOUT]
[--wait-async-results WAIT_ASYNC_RESULTS]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
[--flow-control-window FLOW_CONTROL_WINDOW]
[--flow-control-pause FLOW_CONTROL_PAUSE]
[--bootstrap-bind-dn BOOTSTRAP_BIND_DN]
[--bootstrap-bind-passwd BOOTSTRAP_BIND_PASSWD]
[--bootstrap-conn-protocol BOOTSTRAP_CONN_PROTOCOL]
[--bootstrap-bind-method BOOTSTRAP_BIND_METHOD]
AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

Sets the hostname of the remote replica

Sets the port number of the remote replica

Sets the replication connection protocol: LDAP, LDAPS, or StartTLS

Sets the Bind DN the agreement uses to authenticate to the replica

Sets the credentials for the bind DN

Sets the bind method: "SIMPLE", "SSLCLIENTAUTH", "SASL/DIGEST", or
"SASL/GSSAPI"

Sets a list of attributes to NOT replicate to the consumer during incremental
updates

Sets a list of attributes to NOT replicate during a total initialization

Sets a list of attributes that are removed from updates only if the event
would otherwise be empty. Typically this is set to "modifiersname" and
"modifytimestamp"

Sets the replication update schedule: 'HHMM-HHMM DDDDDDD' D = 0-6 (Sunday -
Saturday).

Sets the timeout used for replication connections

Sets a timeout in seconds on how long to wait before stopping replication when
the server is under load

Sets the amount of time in milliseconds the server waits if the consumer is
not ready before resending data

Sets the amount of time in seconds a supplier should wait after a consumer
sends back a busy response before making another attempt to acquire access.

Sets the amount of time in seconds a supplier should wait between update
sessions.

Sets the maximum number of entries and updates sent by a supplier, which are
not acknowledged by the consumer.

Sets the time in milliseconds to pause after reaching the number of entries
and updates set in "--flow-control-window"

Sets an optional bind DN the agreement can use to bootstrap initialization
when bind groups are being used

Sets the bootstrap credentials for the bind DN

Sets the replication bootstrap connection protocol: LDAP, LDAPS, or StartTLS

Sets the bind method: "SIMPLE", or "SSLCLIENTAUTH"

usage: dsconf instance repl-agmt get [-h] --suffix SUFFIX AGMT_NAME

The suffix DN for which to display the replication configuration

Sets the DN of the replication suffix

usage: dsconf instance repl-winsync-agmt [-h]
{list,enable,disable,init,init-status,poke,status,delete,create,set,get}
...

Sub-commands

List all the replication winsync agreements
Enable replication winsync agreement
Disable replication winsync agreement
Initialize replication winsync agreement
Check the agreement initialization status
Trigger replication to send updates now
Display the current status of the replication agreement
Delete replication winsync agreement
Initialize replication winsync agreement
Set an attribute in the replication winsync agreement
Display replication configuration

usage: dsconf instance repl-winsync-agmt list [-h] --suffix SUFFIX

Sets the DN of the suffix to look up replication winsync agreements

usage: dsconf instance repl-winsync-agmt enable [-h] --suffix SUFFIX AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt disable [-h] --suffix SUFFIX
AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt init [-h] --suffix SUFFIX AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt init-status [-h] --suffix SUFFIX
AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-winsync-agmt poke [-h] --suffix SUFFIX AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt status [-h] --suffix SUFFIX AGMT_NAME

The name of the replication agreement

Sets the DN of the replication suffix

usage: dsconf instance repl-winsync-agmt delete [-h] --suffix SUFFIX AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

usage: dsconf instance repl-winsync-agmt create [-h] --suffix SUFFIX --host
HOST --port PORT
--conn-protocol CONN_PROTOCOL
--bind-dn BIND_DN
--bind-passwd BIND_PASSWD
[--frac-list FRAC_LIST]
[--schedule SCHEDULE]
--win-subtree WIN_SUBTREE
--ds-subtree DS_SUBTREE
--win-domain WIN_DOMAIN
[--sync-users SYNC_USERS]
[--sync-groups SYNC_GROUPS]
[--sync-interval SYNC_INTERVAL]
[--one-way-sync ONE_WAY_SYNC]
[--move-action MOVE_ACTION]
[--win-filter WIN_FILTER]
[--ds-filter DS_FILTER]
[--subtree-pair SUBTREE_PAIR]
[--conn-timeout CONN_TIMEOUT]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
[--flatten-tree] [--init]
AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

Sets the hostname of the AD server

Sets the port number of the AD server

Sets the replication winsync connection protocol: LDAP, LDAPS, or StartTLS

Sets the bind DN the agreement uses to authenticate to the AD Server

Sets the credentials for the Bind DN

Sets a list of attributes to NOT replicate to the consumer during incremental
updates

Sets the replication update schedule

Sets the suffix of the AD Server

Sets the Directory Server suffix

Sets the AD Domain

Synchronizes users between AD and DS

Synchronizes groups between AD and DS

Sets the interval that DS checks AD for changes in entries

Sets which direction to perform synchronization: "toWindows", or
"fromWindows". By default sync occurs in both directions.

Sets instructions on how to handle moved or deleted entries: "none", "unsync",
or "delete"

Sets a custom filter for finding users in AD Server

Sets a custom filter for finding AD users in DS

Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>

Sets the timeout used for replication connections

Sets the amount of time in seconds a supplier should wait after a consumer
sends back a busy response before making another attempt to acquire access

Sets the amount of time in seconds a supplier should wait between update
sessions

By default, the tree structure of AD is preserved into 389. This MAY cause
replication to fail in some cases, as you may need to create missing OUs to
recreate the same tree structure. When enabled, this setting removes the tree
structure of AD and flattens all entries into the ds-subtree. This does NOT
affect or change the tree structure of the AD directory.

Initializes the agreement after creating it

usage: dsconf instance repl-winsync-agmt set [-h] [--suffix SUFFIX]
[--host HOST] [--port PORT]
[--conn-protocol CONN_PROTOCOL]
[--bind-dn BIND_DN]
[--bind-passwd BIND_PASSWD]
[--frac-list FRAC_LIST]
[--schedule SCHEDULE]
[--win-subtree WIN_SUBTREE]
[--ds-subtree DS_SUBTREE]
[--win-domain WIN_DOMAIN]
[--sync-users SYNC_USERS]
[--sync-groups SYNC_GROUPS]
[--sync-interval SYNC_INTERVAL]
[--one-way-sync ONE_WAY_SYNC]
[--move-action MOVE_ACTION]
[--win-filter WIN_FILTER]
[--ds-filter DS_FILTER]
[--subtree-pair SUBTREE_PAIR]
[--conn-timeout CONN_TIMEOUT]
[--busy-wait-time BUSY_WAIT_TIME]
[--session-pause-time SESSION_PAUSE_TIME]
AGMT_NAME

The name of the replication winsync agreement

Sets the DN of the replication winsync suffix

Sets the hostname of the AD server

Sets the port number of the AD server

Sets the replication winsync connection protocol: LDAP, LDAPS, or StartTLS

Sets the bind DN the agreement uses to authenticate to the AD Server

Sets the credentials for the Bind DN

Sets a list of attributes to NOT replicate to the consumer during incremental
updates

Sets the replication update schedule

Sets the suffix of the AD Server

Sets the Directory Server suffix

Sets the AD Domain

Synchronizes users between AD and DS

Synchronizes groups between AD and DS

Sets the interval that DS checks AD for changes in entries

Sets which direction to perform synchronization: "toWindows", or
"fromWindows". By default sync occurs in both directions.

Sets instructions on how to handle moved or deleted entries: "none", "unsync",
or "delete"

Sets a custom filter for finding users in AD Server

Sets a custom filter for finding AD users in DS

Sets the subtree pair: <DS_SUBTREE>:<WINDOWS_SUBTREE>

Sets the timeout used for replication connections

Sets the amount of time in seconds a supplier should wait after a consumer
sends back a busy response before making another attempt to acquire access

Sets the amount of time in seconds a supplier should wait between update
sessions

usage: dsconf instance repl-winsync-agmt get [-h] --suffix SUFFIX AGMT_NAME

The suffix DN for the replication configuration to display

Sets the DN of the replication suffix

usage: dsconf instance repl-tasks [-h]
{cleanallruv,list-cleanruv-tasks,abort-cleanallruv,list-abortruv-tasks}
...

Sub-commands

Cleanup old/removed replica IDs
List all the running CleanAllRUV tasks
Abort cleanallruv tasks
List all the running CleanAllRUV abort tasks

usage: dsconf instance repl-tasks cleanallruv [-h] --suffix SUFFIX
--replica-id REPLICA_ID
[--force-cleaning]

Sets the Directory Server suffix

Sets the replica ID to remove/clean

Ignores errors and makes a best attempt to clean all replicas

usage: dsconf instance repl-tasks list-cleanruv-tasks [-h] [--suffix SUFFIX]

Lists only tasks for the specified suffix

usage: dsconf instance repl-tasks abort-cleanallruv [-h] --suffix SUFFIX
--replica-id REPLICA_ID
[--certify]

Sets the Directory Server suffix

Sets the replica ID of the cleaning task to abort

Enforces that the abort task completed on all replicas

usage: dsconf instance repl-tasks list-abortruv-tasks [-h] [--suffix SUFFIX]

Lists only tasks for the specified suffix

usage: dsconf instance sasl [-h]
{list,get-mechs,get-available-mechs,get,create,delete}
...

Sub-commands

Display available SASL mappings
Display the SASL mechanisms that the server will accept
Display the SASL mechanisms that are available to the server
Displays SASL mappings
Create a SASL mapping
Deletes the SASL object

usage: dsconf instance sasl list [-h] [--details]

Displays each SASL mapping in detail

usage: dsconf instance sasl get-mechs [-h]

usage: dsconf instance sasl get-available-mechs [-h]

usage: dsconf instance sasl get [-h] [selector]

The SASL mapping name to display

usage: dsconf instance sasl create [-h] [--cn [CN]]
[--nsSaslMapRegexString [NSSASLMAPREGEXSTRING]]
[--nsSaslMapBaseDNTemplate [NSSASLMAPBASEDNTEMPLATE]]
[--nsSaslMapFilterTemplate [NSSASLMAPFILTERTEMPLATE]]
[--nsSaslMapPriority [NSSASLMAPPRIORITY]]

Value of cn

Value of nsSaslMapRegexString

Value of nsSaslMapBaseDNTemplate

Value of nsSaslMapFilterTemplate

Value of nsSaslMapPriority

usage: dsconf instance sasl delete [-h] map_name

The SASL mapping name ("cn" value)

usage: dsconf instance security [-h]
{set,get,enable,disable,disable_plain_port,certificate,ca-certificate,rsa,ciphers}
...

Sub-commands

Set general security options
Display general security options
Enable security
Disable security
Disables the plain text LDAP port, allowing only LDAPS to function
Manage TLS certificates
Manage TLS certificate authorities
Query and update RSA security options
Manage secure ciphers

usage: dsconf instance security set [-h] [--security SECURITY]
[--listen-host LISTEN_HOST]
[--secure-port SECURE_PORT]
[--tls-client-auth TLS_CLIENT_AUTH]
[--tls-client-renegotiation TLS_CLIENT_RENEGOTIATION]
[--require-secure-authentication REQUIRE_SECURE_AUTHENTICATION]
[--check-hostname CHECK_HOSTNAME]
[--verify-cert-chain-on-startup VERIFY_CERT_CHAIN_ON_STARTUP]
[--session-timeout SESSION_TIMEOUT]
[--tls-protocol-min TLS_PROTOCOL_MIN]
[--tls-protocol-max TLS_PROTOCOL_MAX]
[--allow-insecure-ciphers ALLOW_INSECURE_CIPHERS]
[--allow-weak-dh-param ALLOW_WEAK_DH_PARAM]
[--cipher-pref CIPHER_PREF]

Use this command for setting security-related options located in cn=config and cn=encryption,cn=config.

To enable/disable security you can use enable and disable commands instead.

Enables or disables security (nsslapd-security)

Sets the host or IP address to listen on for LDAPS (nsslapd-securelistenhost)

Sets the port for LDAPS to listen on (nsslapd-securePort)

Configures client authentication requirement (nsSSLClientAuth)

Allows client TLS renegotiation (nsTLSAllowClientRenegotiation)

Configures whether binds over LDAPS, StartTLS, or SASL are required
(nsslapd-require-secure-binds)

Checks the subject of remote certificate against the hostname
(nsslapd-ssl-check-hostname)

Validates the server certificate during startup (nsslapd-validate-cert)

Sets the secure session timeout (nsSSLSessionTimeout)

Sets the minimal allowed secure protocol version (sslVersionMin)

Sets the maximal allowed secure protocol version (sslVersionMax)

Allows weak ciphers for legacy use (allowWeakCipher)

Allows short DH params for legacy use (allowWeakDHParam)

Directly sets the nsSSL3Ciphers attribute. It is a comma-separated list of
cipher names (prefixed with + or -), optionally including +all or -all. The
attribute may optionally be prefixed by keyword "default". Please refer to
documentation of the attribute for a more detailed description.
(nsSSL3Ciphers)

usage: dsconf instance security get [-h]

usage: dsconf instance security enable [-h] [--cert-name CERT_NAME]

If missing, create security database, then turn on security functionality. Please note this is usually not enough for TLS connections to work - proper setup of CA and server certificate is necessary.

Sets the name of the certificate the server should use

usage: dsconf instance security disable [-h]

Turn off security functionality. The rest of the configuration will be left untouched.

usage: dsconf instance security disable_plain_port [-h]

usage: dsconf instance security certificate [-h]
{add,set-trust-flags,del,get,list}
...

Sub-commands

Add a server certificate
Set the Trust flags
Delete a certificate
Display a server certificate's information
List the server certificates

usage: dsconf instance security certificate add [-h] --file FILE --name NAME
[--primary-cert]

Add a server certificate to the NSS database

Sets the file name of the certificate

Sets the name/nickname of the certificate

Sets this certificate as the server's certificate

usage: dsconf instance security certificate set-trust-flags
[-h] --flags FLAGS name

Change the trust flags of a server certificate

The name/nickname of the certificate

Sets the trust flags for the server certificate

usage: dsconf instance security certificate del [-h] name

Delete a certificate from the NSS database

The name/nickname of the certificate

usage: dsconf instance security certificate get [-h] name

Displays detailed information about a certificate, such as trust attributes, expiration dates, Subject and Issuer DNs

The name/nickname of the certificate

usage: dsconf instance security certificate list [-h]

Lists the server certificates in the NSS database

usage: dsconf instance security ca-certificate [-h]
{add,set-trust-flags,del,get,list}
...

Sub-commands

Add a Certificate Authority
Set the Trust flags
Delete a certificate
Displays a Certificate Authority's information
List the Certificate Authorities

usage: dsconf instance security ca-certificate add [-h] --file FILE --name
NAME [NAME ...]

Add a Certificate Authority to the NSS database

Sets the file name of the CA certificate

Sets the name/nickname of the CA certificate. If adding a PEM bundle, specify
multiple names, one for each certificate; otherwise a number increment will be
added to the previous name.

usage: dsconf instance security ca-certificate set-trust-flags
[-h] --flags FLAGS name

Change the trust attributes of a CA certificate. Certificate Authorities typically use "CT,,"

The name/nickname of the CA certificate

Sets the trust flags for the CA certificate

usage: dsconf instance security ca-certificate del [-h] name

Delete a CA certificate from the NSS database

The name/nickname of the CA certificate

usage: dsconf instance security ca-certificate get [-h] name

Get detailed information about a CA certificate, like trust attributes, expiration dates, Subject and Issuer DN

The name/nickname of the CA certificate

usage: dsconf instance security ca-certificate list [-h]

List the CA certificates in the NSS database

usage: dsconf instance security rsa [-h] {set,get,enable,disable} ...

Sub-commands

Set RSA security options
Get RSA security options
Enable RSA
Disable RSA

usage: dsconf instance security rsa set [-h]
[--tls-allow-rsa-certificates TLS_ALLOW_RSA_CERTIFICATES]
[--nss-cert-name NSS_CERT_NAME]
[--nss-token NSS_TOKEN]

Use this command for setting RSA (private key) related options located in cn=RSA,cn=encryption,cn=config.

To enable/disable RSA you can use enable and disable commands instead.

Activates the use of RSA certificates (nsSSLActivation)

Sets the server certificate name in NSS DB (nsSSLPersonalitySSL)

Sets the security token name (module of NSS DB) (nsSSLToken)

usage: dsconf instance security rsa get [-h]

usage: dsconf instance security rsa enable [-h]

usage: dsconf instance security rsa disable [-h]

usage: dsconf instance security ciphers [-h] {enable,disable,get,set,list} ...

Sub-commands

Enable ciphers
Disable ciphers
Get ciphers attribute
Set ciphers attribute
List ciphers

usage: dsconf instance security ciphers enable [-h] cipher [cipher ...]

Use this command to enable specific ciphers.

usage: dsconf instance security ciphers disable [-h] cipher [cipher ...]

Use this command to disable specific ciphers.

usage: dsconf instance security ciphers get [-h]

Use this command to get contents of nsSSL3Ciphers attribute.

usage: dsconf instance security ciphers set [-h] cipher-string

Use this command to directly set the nsSSL3Ciphers attribute. It is a comma-separated list of cipher names (prefixed with + or -), optionally including +all or -all. The attribute may optionally be set to the keyword default. Please refer to the documentation of the attribute for a more detailed description.
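
A pre-flight check for the cipher string accepted by "security set --cipher-pref" and "security ciphers set", added here as an example and not part of lib389 or dsconf. It parses the format described above (comma-separated +NAME/-NAME tokens, +all or -all, optional leading "default") and reports review findings; the function names and the WEAK_MARKERS list are assumptions of this example.

```python
import re

# Substrings treated as weak by this example; the list is an assumption,
# not something the man page or 389-ds defines.
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "3DES", "_DES_", "MD5", "ANON")

def parse_cipher_pref(value):
    """Split an nsSSL3Ciphers string into keywords and per-cipher edits."""
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if not tokens:
        raise ValueError("empty cipher string")
    parsed = {"default": False, "all": None, "enabled": [], "disabled": []}
    for pos, tok in enumerate(tokens):
        low = tok.lower()
        if low == "default":
            if pos != 0:
                raise ValueError("'default' may only prefix the list")
            parsed["default"] = True
        elif low in ("+all", "-all"):
            parsed["all"] = tok[0]
        elif tok[0] in "+-" and re.fullmatch(r"[A-Za-z0-9_]+", tok[1:]):
            parsed["enabled" if tok[0] == "+" else "disabled"].append(tok[1:])
        else:
            raise ValueError(f"{tok!r} is not default, +all, -all, +NAME or -NAME")
    return parsed

def audit_cipher_pref(value):
    """Return review findings for a cipher string before it is applied."""
    parsed = parse_cipher_pref(value)
    findings = []
    if parsed["all"] == "+":
        findings.append("+all enables ciphers wholesale instead of an explicit list")
    for name in parsed["enabled"]:
        hits = [m for m in WEAK_MARKERS if m in name.upper()]
        if hits:
            findings.append(f"+{name} matches weak marker(s): {', '.join(hits)}")
    for name in sorted(set(parsed["enabled"]) & set(parsed["disabled"])):
        findings.append(f"{name} is both enabled and disabled")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real server.
    for sample in ("-all,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                   "default,+TLS_RSA_WITH_RC4_128_MD5",
                   "+all,-TLS_RSA_WITH_AES_128_CBC_SHA"):
        print(sample, "->", audit_cipher_pref(sample) or "no findings")
```

The check only inspects the string itself; which ciphers the server ends up offering is what "security ciphers list --enabled" reports.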

usage: dsconf instance security ciphers list [-h]
[--enabled | --supported | --disabled]

List secure ciphers. Without arguments, list ciphers as configured in nsSSL3Ciphers attribute.

Lists only enabled ciphers

Lists only supported ciphers

Lists only supported ciphers that are not enabled

usage: dsconf instance schema [-h]
{list,attributetypes,objectclasses,matchingrules,reload,validate-syntax,import-openldap-file}
...

Sub-commands

List all schema objects on this system
Work with attribute types on this system
Work with objectClasses on this system
Work with matching rules on this system
Dynamically reload schema while server is running
Run a task to check every modification to attributes to make sure that the new value has the required syntax for that attribute type
Import OpenLDAP-formatted dynamic schema LDIFs. These will contain values like olcAttributeTypes and olcObjectClasses.

usage: dsconf instance schema list [-h]

usage: dsconf instance schema attributetypes [-h]
{get_syntaxes,list,query,add,replace,remove}
...

Sub-commands

List all available attribute type syntaxes
List available attribute types on this system
Query an attribute to determine object classes that may or must take it
Add an attribute type to this system
Replace an attribute type on this system
Remove an attribute type on this system

usage: dsconf instance schema attributetypes get_syntaxes [-h]

usage: dsconf instance schema attributetypes list [-h]

usage: dsconf instance schema attributetypes query [-h] [name]

Attribute type to query

usage: dsconf instance schema attributetypes add [-h] [--oid OID]
[--desc DESC]
[--x-origin X_ORIGIN]
[--aliases ALIASES [ALIASES ...]]
[--single-value]
[--multi-value]
[--no-user-mod] [--user-mod]
[--equality EQUALITY [EQUALITY ...]]
[--substr SUBSTR [SUBSTR ...]]
[--ordering ORDERING [ORDERING ...]]
[--usage USAGE] [--sup SUP]
--syntax SYNTAX
name

NAME of the object

OID assigned to the object

Description text (DESC) of the object

Provides information about where the attribute type is defined

Additional NAMEs of the object.

True if the matching rule must have only one value. Only one of this flag or
--multi-value should be specified

True if the matching rule may have multiple values (default). Only one of this
flag or --single-value should be specified

True if the attribute is not modifiable by a client application. Only one of
this flag or --user-mod should be specified

True if the attribute is modifiable by a client application (default). Only one
of this flag or --no-user-mod should be specified

NAME or OID of the matching rules used for checking whether attribute values
are equal

NAME or OID of the matching rules used for checking whether an attribute value
contains another value

NAME or OID of the matching rules used for checking whether an attribute value
is less than or equal to another value

The flag indicates how the attribute type is to be used. Choose from the list:
userApplications (default), directoryOperation, distributedOperation,
dSAOperation

The NAME or OID of attribute type this attribute type is derived from

OID of the LDAP syntax assigned to the attribute

usage: dsconf instance schema attributetypes replace [-h] [--oid OID]
[--desc DESC]
[--x-origin X_ORIGIN]
[--aliases ALIASES [ALIASES ...]]
[--single-value]
[--multi-value]
[--no-user-mod]
[--user-mod]
[--equality EQUALITY [EQUALITY ...]]
[--substr SUBSTR [SUBSTR ...]]
[--ordering ORDERING [ORDERING ...]]
[--usage USAGE]
[--sup SUP]
[--syntax SYNTAX]
name

NAME of the object

OID assigned to the object

Description text (DESC) of the object

Provides information about where the attribute type is defined

Additional NAMEs of the object.

True if the matching rule must have only one value. Only one of this flag or
--multi-value should be specified

True if the matching rule may have multiple values (default). Only one of this
flag or --single-value should be specified

True if the attribute is not modifiable by a client application. Only one of
this flag or --user-mod should be specified

True if the attribute is modifiable by a client application (default). Only one
of this flag or --no-user-mod should be specified

NAME or OID of the matching rules used for checking whether attribute values
are equal

NAME or OID of the matching rules used for checking whether an attribute value
contains another value

NAME or OID of the matching rules used for checking whether an attribute value
is less than or equal to another value

The flag indicates how the attribute type is to be used. Choose from the list:
userApplications (default), directoryOperation, distributedOperation,
dSAOperation

The NAME or OID of attribute type this attribute type is derived from

OID of the LDAP syntax assigned to the attribute

usage: dsconf instance schema attributetypes remove [-h] name

NAME of the object

usage: dsconf instance schema objectclasses [-h]
{list,query,add,replace,remove}
...

Sub-commands

List available objectClasses on this system
Query an objectClass
Add an objectClass to this system
Replace an objectClass on this system
Remove an objectClass on this system

usage: dsconf instance schema objectclasses list [-h]

usage: dsconf instance schema objectclasses query [-h] [name]

ObjectClass to query

usage: dsconf instance schema objectclasses add [-h] [--oid OID] [--desc DESC]
[--x-origin X_ORIGIN]
[--must MUST [MUST ...]]
[--may MAY [MAY ...]]
[--kind KIND]
[--sup SUP [SUP ...]]
name

NAME of the object

OID assigned to the object

Description text (DESC) of the object

Provides information about where the attribute type is defined

NAMEs or OIDs of all attributes an entry of the object must have

NAMEs or OIDs of additional attributes an entry of the object may have

Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY

NAMEs or OIDs of object classes this object is derived from

usage: dsconf instance schema objectclasses replace [-h] [--oid OID]
[--desc DESC]
[--x-origin X_ORIGIN]
[--must MUST [MUST ...]]
[--may MAY [MAY ...]]
[--kind KIND]
[--sup SUP [SUP ...]]
name

NAME of the object

OID assigned to the object

Description text (DESC) of the object

Provides information about where the attribute type is defined

NAMEs or OIDs of all attributes an entry of the object must have

NAMEs or OIDs of additional attributes an entry of the object may have

Kind of an object. STRUCTURAL (default), ABSTRACT, AUXILIARY

NAMEs or OIDs of object classes this object is derived from

usage: dsconf instance schema objectclasses remove [-h] name

NAME of the object

usage: dsconf instance schema matchingrules [-h] {list,query} ...

Sub-commands

List available matching rules on this system
Query a matching rule

usage: dsconf instance schema matchingrules list [-h]

usage: dsconf instance schema matchingrules query [-h] [name]

Matching rule to query

usage: dsconf instance schema reload [-h] [-d SCHEMADIR] [--wait]

Directory where schema files are located

Wait for the reload task to complete

usage: dsconf instance schema validate-syntax [-h] [-f FILTER] DN

Base DN that contains entries to validate

Filter for entries to validate. If omitted, all entries with filter
"(objectclass=*)" are validated

usage: dsconf instance schema import-openldap-file [-h] [--confirm]
schema_file

Path to the OpenLDAP dynamic schema LDIF to import

Confirm that you want to apply these schema migration actions to the 389-ds
instance. By default no actions are taken.

usage: dsconf instance repl-conflict [-h]
{list,compare,delete,swap,convert,list-glue,delete-glue,convert-glue}
...

Sub-commands

List conflict entries
Compare the conflict entry with its valid counterpart
Delete a conflict entry
Replace the valid entry with the conflict entry
Convert the conflict entry to a valid entry, while keeping the original valid entry counterpart. This requires that the converted conflict entry have a new RDN value. For example: "cn=my_new_rdn_value".
List replication glue entries
Delete the glue entry and its child entries
Convert the glue entry into a regular entry

usage: dsconf instance repl-conflict list [-h] suffix

Sets the backend name, or suffix, to look for conflict entries

usage: dsconf instance repl-conflict compare [-h] DN

The DN of the conflict entry

usage: dsconf instance repl-conflict delete [-h] DN

The DN of the conflict entry

usage: dsconf instance repl-conflict swap [-h] DN

The DN of the conflict entry

usage: dsconf instance repl-conflict convert [-h] --new-rdn NEW_RDN DN

The DN of the conflict entry

Sets the new RDN for the converted conflict entry. For example:
"cn=my_new_rdn_value"

usage: dsconf instance repl-conflict list-glue [-h] suffix

The backend name, or suffix, to look for glue entries

usage: dsconf instance repl-conflict delete-glue [-h] DN

The DN of the glue entry

usage: dsconf instance repl-conflict convert-glue [-h] DN

The DN of the glue entry

Display verbose operation tracing during command execution

The account to bind as for executing operations

Password for the bind DN

Prompt for password of the bind DN

Specifies a file containing the password of the bind DN

Base DN (root naming context) of the instance to manage

Connect with StartTLS

Return result in JSON object

lib389 was written by Red Hat Inc., and William Brown <389-devel@lists.fedoraproject.org>.

The latest version of lib389 may be downloaded from http://www.port389.org/docs/389ds/FAQ/upstream-test-framework.html
