dsconfig Subcommands Reference

This section covers dsconfig subcommands.

dsconfig create-access-log-filtering-criteria(1)

Name

dsconfig create-access-log-filtering-criteria - Creates Access Log Filtering Criteria

Synopsis

dsconfig create-access-log-filtering-criteria {options}

Description

Creates Access Log Filtering Criteria.

Options

The dsconfig create-access-log-filtering-criteria command takes the following options:

--publisher-name {name}

The name of the Access Log Publisher.

Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:

access-log-filtering-criteria

Default {name}: Access Log Filtering Criteria

Enabled by default: false

See Access Log Filtering Criteria for the properties of this Access Log Filtering Criteria type.

--criteria-name {name}

The name of the new Access Log Filtering Criteria.

Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Access Log Filtering Criteria types:

access-log-filtering-criteria

Default {name}: Access Log Filtering Criteria

Enabled by default: false

See Access Log Filtering Criteria for the properties of this Access Log Filtering Criteria type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Access Log Filtering Criteria properties depend on the Access Log Filtering Criteria type, which depends on the --criteria-name {name} option.

Access Log Filtering Criteria

Access Log Filtering Criteria of type access-log-filtering-criteria have the following properties:

connection-client-address-equal-to
Description

Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

None

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-client-address-not-equal-to
Description

Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

None

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-port-equal-to
Description

Filters log records associated with connections to any of the specified listener port numbers.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-protocol-equal-to
Description

Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".

Default Value

None

Allowed Values

The protocol name as reported in the access log.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-record-type
Description

Filters log records based on their type.

Default Value

None

Allowed Values
abandon

Abandon operations

add

Add operations

bind

Bind operations

compare

Compare operations

connect

Client connections

delete

Delete operations

disconnect

Client disconnections

extended

Extended operations

modify

Modify operations

rename

Rename operations

search

Search operations

unbind

Unbind operations

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

request-target-dn-equal-to
Description

Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

request-target-dn-not-equal-to
Description

Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-etime-greater-than
Description

Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-etime-less-than
Description

Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-result-code-equal-to
Description

Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

response-result-code-not-equal-to
Description

Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

search-response-is-indexed
Description

Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

search-response-nentries-greater-than
Description

Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

search-response-nentries-less-than
Description

Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-dn-equal-to
Description

Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-dn-not-equal-to
Description

Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-is-member-of
Description

Filters log records associated with users which are members of at least one of the specified groups.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

user-is-not-member-of
Description

Filters log records associated with users which are not members of any of the specified groups.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-account-status-notification-handler(1)

Name

dsconfig create-account-status-notification-handler - Creates Account Status Notification Handlers

Synopsis

dsconfig create-account-status-notification-handler {options}

Description

Creates Account Status Notification Handlers.

Options

The dsconfig create-account-status-notification-handler command takes the following options:

--handler-name {name}

The name of the new Account Status Notification Handler.

Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Account Status Notification Handler types:

error-log-account-status-notification-handler

Default {name}: Error Log Account Status Notification Handler

Enabled by default: true

See Error Log Account Status Notification Handler for the properties of this Account Status Notification Handler type.

smtp-account-status-notification-handler

Default {name}: SMTP Account Status Notification Handler

Enabled by default: true

See SMTP Account Status Notification Handler for the properties of this Account Status Notification Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Account Status Notification Handler which should be created. The value for TYPE can be one of: custom | error-log | smtp.

Account Status Notification Handler properties depend on the Account Status Notification Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Account Status Notification Handler types:

error-log-account-status-notification-handler

Default {type}: Error Log Account Status Notification Handler

Enabled by default: true

See Error Log Account Status Notification Handler for the properties of this Account Status Notification Handler type.

smtp-account-status-notification-handler

Default {type}: SMTP Account Status Notification Handler

Enabled by default: true

See SMTP Account Status Notification Handler for the properties of this Account Status Notification Handler type.

Error Log Account Status Notification Handler

Account Status Notification Handlers of type error-log-account-status-notification-handler have the following properties:

account-status-notification-type
Description

Indicates which types of event can trigger an account status notification.

Default Value

None

Allowed Values
account-disabled

Generate a notification whenever a user account has been disabled by an administrator.

account-enabled

Generate a notification whenever a user account has been enabled by an administrator.

account-expired

Generate a notification whenever a user authentication has failed because the account has expired.

account-idle-locked

Generate a notification whenever a user account has been locked because it was idle for too long.

account-permanently-locked

Generate a notification whenever a user account has been permanently locked after too many failed attempts.

account-reset-locked

Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.

account-temporarily-locked

Generate a notification whenever a user account has been temporarily locked after too many failed attempts.

account-unlocked

Generate a notification whenever a user account has been unlocked by an administrator.

password-changed

Generate a notification whenever a user changes his/her own password.

password-expired

Generate a notification whenever a user authentication has failed because the password has expired.

password-expiring

Generate a notification whenever a password expiration warning is encountered for a user password for the first time.

password-reset

Generate a notification whenever a user’s password is reset by an administrator.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.

Default Value

org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

SMTP Account Status Notification Handler

Account Status Notification Handlers of type smtp-account-status-notification-handler have the following properties:

email-address-attribute-type
Description

Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.

Default Value

If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.

Default Value

org.opends.server.extensions.SMTPAccountStatusNotificationHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

message-subject
Description

Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

message-template-file
Description

Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

recipient-address
Description

Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.

Default Value

If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

send-email-as-html
Description

Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

send-message-without-end-user-address
Description

Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

sender-address
Description

Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-alert-handler(1)

Name

dsconfig create-alert-handler - Creates Alert Handlers

Synopsis

dsconfig create-alert-handler {options}

Description

Creates Alert Handlers.

Options

The dsconfig create-alert-handler command takes the following options:

--handler-name {name}

The name of the new Alert Handler.

Alert Handler properties depend on the Alert Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Alert Handler types:

jmx-alert-handler

Default {name}: JMX Alert Handler

Enabled by default: true

See JMX Alert Handler for the properties of this Alert Handler type.

smtp-alert-handler

Default {name}: SMTP Alert Handler

Enabled by default: true

See SMTP Alert Handler for the properties of this Alert Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Alert Handler properties depend on the Alert Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Alert Handler which should be created. The value for TYPE can be one of: custom | jmx | smtp.

Alert Handler properties depend on the Alert Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Alert Handler types:

jmx-alert-handler

Default {type}: JMX Alert Handler

Enabled by default: true

See JMX Alert Handler for the properties of this Alert Handler type.

smtp-alert-handler

Default {type}: SMTP Alert Handler

Enabled by default: true

See SMTP Alert Handler for the properties of this Alert Handler type.

JMX Alert Handler

Alert Handlers of type jmx-alert-handler have the following properties:

disabled-alert-type
Description

Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.

Default Value

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Alert Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled-alert-type
Description

Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.

Default Value

All alerts with types not included in the set of disabled alert types are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.

Default Value

org.opends.server.extensions.JMXAlertHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Alert Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

SMTP Alert Handler

Alert Handlers of type smtp-alert-handler have the following properties:

disabled-alert-type
Description

Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.

Default Value

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Alert Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled-alert-type
Description

Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.

Default Value

All alerts with types not included in the set of disabled alert types are allowed.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.

Default Value

org.opends.server.extensions.SMTPAlertHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Alert Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

message-body
Description

Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

message-subject
Description

Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

recipient-address
Description

Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

sender-address
Description

Specifies the email address to use as the sender for messages generated by this alert handler.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-backend(1)

Name

dsconfig create-backend - Creates Backends

Synopsis

dsconfig create-backend {options}

Description

Creates Backends.

Options

The dsconfig create-backend command takes the following options:

--backend-name {STRING}

The name of the new Backend which will also be used as the value of the "backend-id" property: Specifies a name to identify the associated backend.

Backend properties depend on the Backend type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following Backend types:

backup-backend

Default {STRING}: Backup Backend

Enabled by default: true

See Backup Backend for the properties of this Backend type.

cas-backend

Default {STRING}: CAS Backend

Enabled by default: true

See CAS Backend for the properties of this Backend type.

jdbc-backend

Default {STRING}: JDBC Backend

Enabled by default: true

See JDBC Backend for the properties of this Backend type.

je-backend

Default {STRING}: JE Backend

Enabled by default: true

See JE Backend for the properties of this Backend type.

ldif-backend

Default {STRING}: LDIF Backend

Enabled by default: true

See LDIF Backend for the properties of this Backend type.

memory-backend

Default {STRING}: Memory Backend

Enabled by default: true

See Memory Backend for the properties of this Backend type.

monitor-backend

Default {STRING}: Monitor Backend

Enabled by default: true

See Monitor Backend for the properties of this Backend type.

null-backend

Default {STRING}: Null Backend

Enabled by default: true

See Null Backend for the properties of this Backend type.

pdb-backend

Default {STRING}: PDB Backend

Enabled by default: true

See PDB Backend for the properties of this Backend type.

schema-backend

Default {STRING}: Schema Backend

Enabled by default: true

See Schema Backend for the properties of this Backend type.

task-backend

Default {STRING}: Task Backend

Enabled by default: true

See Task Backend for the properties of this Backend type.

trust-store-backend

Default {STRING}: Trust Store Backend

Enabled by default: true

See Trust Store Backend for the properties of this Backend type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Backend properties depend on the Backend type, which depends on the --backend-name {STRING} option.

-t | --type {type}

The type of Backend which should be created. The value for TYPE can be one of: backup | cas | custom | custom-local | jdbc | je | ldif | memory | monitor | null | pdb | schema | task | trust-store.

Backend properties depend on the Backend type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Backend types:

backup-backend

Default {type}: Backup Backend

Enabled by default: true

See Backup Backend for the properties of this Backend type.

cas-backend

Default {type}: CAS Backend

Enabled by default: true

See CAS Backend for the properties of this Backend type.

jdbc-backend

Default {type}: JDBC Backend

Enabled by default: true

See JDBC Backend for the properties of this Backend type.

je-backend

Default {type}: JE Backend

Enabled by default: true

See JE Backend for the properties of this Backend type.

ldif-backend

Default {type}: LDIF Backend

Enabled by default: true

See LDIF Backend for the properties of this Backend type.

memory-backend

Default {type}: Memory Backend

Enabled by default: true

See Memory Backend for the properties of this Backend type.

monitor-backend

Default {type}: Monitor Backend

Enabled by default: true

See Monitor Backend for the properties of this Backend type.

null-backend

Default {type}: Null Backend

Enabled by default: true

See Null Backend for the properties of this Backend type.

pdb-backend

Default {type}: PDB Backend

Enabled by default: true

See PDB Backend for the properties of this Backend type.

schema-backend

Default {type}: Schema Backend

Enabled by default: true

See Schema Backend for the properties of this Backend type.

task-backend

Default {type}: Task Backend

Enabled by default: true

See Task Backend for the properties of this Backend type.

trust-store-backend

Default {type}: Trust Store Backend

Enabled by default: true

See Trust Store Backend for the properties of this Backend type.

Backup Backend

Backends of type backup-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

backup-directory
Description

Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.BackupBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

disabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

CAS Backend

Backends of type cas-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

cipher-key-length
Description

Specifies the key length in bits for the preferred cipher.

Default Value

128

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

cipher-transformation
Description

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

Default Value

AES/CBC/PKCS5Padding

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

compact-encoding
Description

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

No

Read-only

No

confidentiality-enabled
Description

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-directory
Description

Specifies the keyspace name The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

Default Value

ldap_opendj

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

entries-compressed
Description

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

import-offheap-memory-size
Description

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Default Value

Use only heap memory.

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

Advanced Property

No

Read-only

No

index-filter-analyzer-enabled
Description

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-filter-analyzer-max-filters
Description

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

Default Value

25

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.cassandra.Backend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

preload-time-limit
Description

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

Default Value

0s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

JDBC Backend

Backends of type jdbc-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

cipher-key-length
Description

Specifies the key length in bits for the preferred cipher.

Default Value

128

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

cipher-transformation
Description

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

Default Value

AES/CBC/PKCS5Padding

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

compact-encoding
Description

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

No

Read-only

No

confidentiality-enabled
Description

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-directory
Description

Specifies the connection string jdbc:postgresql://localhost/test

Default Value

jdbc:postgresql://localhost/test

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

entries-compressed
Description

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

import-offheap-memory-size
Description

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Default Value

Use only heap memory.

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

Advanced Property

No

Read-only

No

index-filter-analyzer-enabled
Description

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-filter-analyzer-max-filters
Description

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

Default Value

25

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.jdbc.Backend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

preload-time-limit
Description

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

Default Value

0s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

JE Backend

Backends of type je-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

cipher-key-length
Description

Specifies the key length in bits for the preferred cipher.

Default Value

128

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

cipher-transformation
Description

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

Default Value

AES/CBC/PKCS5Padding

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

compact-encoding
Description

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

No

Read-only

No

confidentiality-enabled
Description

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-cache-percent
Description

Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.

Default Value

50

Allowed Values

An integer value. Lower value is 1. Upper value is 90.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-cache-size
Description

The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.

Default Value

0 MB

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-checkpointer-bytes-interval
Description

Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.

Default Value

500mb

Allowed Values

Upper value is 9223372036854775807.

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-checkpointer-wakeup-interval
Description

Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.

Default Value

30s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 seconds.Upper limit is 4294 seconds.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-cleaner-min-utilization
Description

Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.

Default Value

50

Allowed Values

An integer value. Lower value is 0. Upper value is 90.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-directory
Description

Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

Default Value

db

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

db-directory-permissions
Description

Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.

Default Value

700

Allowed Values

Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-core-threads
Description

Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

Default Value

1

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-keep-alive
Description

The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

Default Value

600s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 seconds.Upper limit is 86400 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-lru-only
Description

Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-max-threads
Description

Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

Default Value

10

Allowed Values

An integer value. Lower value is 1. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-evictor-nodes-per-scan
Description

Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.

Default Value

10

Allowed Values

An integer value. Lower value is 1. Upper value is 1000.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-log-file-max
Description

Specifies the maximum size for a database log file.

Default Value

100mb

Allowed Values

Lower value is 1000000.Upper value is 4294967296.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-log-filecache-size
Description

Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.

Default Value

100

Allowed Values

An integer value. Lower value is 3. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-logging-file-handler-on
Description

Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-logging-level
Description

Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.

Default Value

CONFIG

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-num-cleaner-threads
Description

Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-num-lock-tables
Description

Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1. Upper value is 32767.

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-run-cleaner
Description

Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-txn-no-sync
Description

Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-txn-write-no-sync
Description

Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-full-threshold
Description

Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.

Default Value

100 megabytes

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-low-threshold
Description

Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.

Default Value

200 megabytes

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

entries-compressed
Description

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

import-offheap-memory-size
Description

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Default Value

Use only heap memory.

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

Advanced Property

No

Read-only

No

index-filter-analyzer-enabled
Description

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-filter-analyzer-max-filters
Description

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

Default Value

25

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.jeb.JEBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

je-property
Description

Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

preload-time-limit
Description

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

Default Value

0s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

LDIF Backend

Backends of type ldif-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

is-private-backend
Description

Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.LDIFBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ldif-file
Description

Specifies the path to the LDIF file containing the data for this backend.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Memory Backend

Backends of type memory-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.MemoryBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Monitor Backend

Backends of type monitor-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.MonitorBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

disabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Null Backend

Backends of type null-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.NullBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

PDB Backend

Backends of type pdb-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

cipher-key-length
Description

Specifies the key length in bits for the preferred cipher.

Default Value

128

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

cipher-transformation
Description

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

Default Value

AES/CBC/PKCS5Padding

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

Advanced Property

No

Read-only

No

compact-encoding
Description

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

No

Read-only

No

confidentiality-enabled
Description

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-cache-percent
Description

Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.

Default Value

50

Allowed Values

An integer value. Lower value is 1. Upper value is 90.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-cache-size
Description

The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.

Default Value

0 MB

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

db-checkpointer-wakeup-interval
Description

Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.

Default Value

15s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 10 seconds.Upper limit is 3600 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-directory
Description

Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

Default Value

db

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

db-directory-permissions
Description

Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.

Default Value

700

Allowed Values

Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

db-txn-no-sync
Description

Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-full-threshold
Description

Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.

Default Value

100 megabytes

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

disk-low-threshold
Description

Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.

Default Value

200 megabytes

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

entries-compressed
Description

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

import-offheap-memory-size
Description

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Default Value

Use only heap memory.

Allowed Values
Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

Advanced Property

No

Read-only

No

index-filter-analyzer-enabled
Description

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

index-filter-analyzer-max-filters
Description

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

Default Value

25

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.pdb.PDBBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

preload-time-limit
Description

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

Default Value

0s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Schema Backend

Backends of type schema-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.SchemaBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

schema-entry-dn
Description

Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.

Default Value

cn=schema

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

show-all-attributes
Description

Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Task Backend

Backends of type task-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.task.TaskBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

notification-sender-address
Description

Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.

Default Value

The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

task-backing-file
Description

Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

task-retention-time
Description

Specifies the length of time that task entries should be retained after processing on the associated task has been completed.

Default Value

24 hours

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Trust Store Backend

Backends of type trust-store-backend have the following properties:

backend-id
Description

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

base-dn
Description

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

Yes

Admin Action Required

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the backend implementation.

Default Value

org.opends.server.backends.TrustStoreBackend

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Backend

Multi-valued

No

Required

Yes

Admin Action Required

The Backend must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

trust-store-file
Description

Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.

Default Value

config/ads-truststore

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

trust-store-pin
Description

Specifies the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

Advanced Property

No

Read-only

No

trust-store-type
Description

Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.

Default Value

The JVM default value is used.

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect the next time that the key manager is accessed.

Advanced Property

No

Read-only

No

writability-mode
Description

Specifies the behavior that the backend should use when processing write operations.

Default Value

enabled

Allowed Values
disabled

Causes all write attempts to fail.

enabled

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

internal-only

Causes external write attempts to fail but allows writes by replication and internal operations.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-backend-index(1)

Name

dsconfig create-backend-index - Creates Backend Indexes

Synopsis

dsconfig create-backend-index {options}

Description

Creates Backend Indexes.

Options

The dsconfig create-backend-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

Backend Index properties depend on the Backend Index type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Backend Index types:

backend-index

Default {name}: Backend Index

Enabled by default: false

See Backend Index for the properties of this Backend Index type.

--index-name {OID}

The name of the new Backend Index which will also be used as the value of the "attribute" property: Specifies the name of the attribute for which the index is to be maintained.

Backend Index properties depend on the Backend Index type, which depends on the {OID} you provide.

By default, OpenDJ directory server supports the following Backend Index types:

backend-index

Default {OID}: Backend Index

Enabled by default: false

See Backend Index for the properties of this Backend Index type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Backend Index properties depend on the Backend Index type, which depends on the --index-name {OID} option.

Backend Index

Backend Indexes of type backend-index have the following properties:

attribute
Description

Specifies the name of the attribute for which the index is to be maintained.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

confidentiality-enabled
Description

Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.

Advanced Property

No

Read-only

No

index-entry-limit
Description

Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.

Default Value

4000

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.

Advanced Property

No

Read-only

No

index-extensible-matching-rule
Description

The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.

Default Value

No extensible matching rules will be indexed.

Allowed Values

A Locale or an OID.

Multi-valued

Yes

Required

No

Admin Action Required

The index must be rebuilt before it will reflect the new value.

Advanced Property

No

Read-only

No

index-type
Description

Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.

Default Value

None

Allowed Values
approximate

This index type is used to improve the efficiency of searches using approximate matching search filters.

equality

This index type is used to improve the efficiency of searches using equality search filters.

extensible

This index type is used to improve the efficiency of searches using extensible matching search filters.

ordering

This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.

presence

This index type is used to improve the efficiency of searches using the presence search filters.

substring

This index type is used to improve the efficiency of searches using substring search filters.

Multi-valued

Yes

Required

Yes

Admin Action Required

If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.

Advanced Property

No

Read-only

No

substring-length
Description

The length of substrings in a substring index.

Default Value

6

Allowed Values

An integer value. Lower value is 3.

Multi-valued

No

Required

No

Admin Action Required

The index must be rebuilt before it will reflect the new value.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-backend-vlv-index(1)

Name

dsconfig create-backend-vlv-index - Creates Backend VLV Indexes

Synopsis

dsconfig create-backend-vlv-index {options}

Description

Creates Backend VLV Indexes.

Options

The dsconfig create-backend-vlv-index command takes the following options:

--backend-name {name}

The name of the Pluggable Backend.

Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Backend VLV Index types:

backend-vlv-index

Default {name}: Backend VLV Index

Enabled by default: false

See Backend VLV Index for the properties of this Backend VLV Index type.

--index-name {STRING}

The name of the new Backend VLV Index which will also be used as the value of the "name" property: Specifies a unique name for this VLV index.

Backend VLV Index properties depend on the Backend VLV Index type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following Backend VLV Index types:

backend-vlv-index

Default {STRING}: Backend VLV Index

Enabled by default: false

See Backend VLV Index for the properties of this Backend VLV Index type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Backend VLV Index properties depend on the Backend VLV Index type, which depends on the --index-name {STRING} option.

Backend VLV Index

Backend VLV Indexes of type backend-vlv-index have the following properties:

base-dn
Description

Specifies the base DN used in the search query that is being indexed.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

filter
Description

Specifies the LDAP filter used in the query that is being indexed.

Default Value

None

Allowed Values

A valid LDAP search filter.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

name
Description

Specifies a unique name for this VLV index.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

NoneThe VLV index name cannot be altered after the index is created.

Advanced Property

No

Read-only

Yes

scope
Description

Specifies the LDAP scope of the query that is being indexed.

Default Value

None

Allowed Values
base-object

Search the base object only.

single-level

Search the immediate children of the base object but do not include any of their descendants or the base object itself.

subordinate-subtree

Search the entire subtree below the base object but do not include the base object itself.

whole-subtree

Search the base object and the entire subtree below the base object.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

sort-order
Description

Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.

Default Value

None

Allowed Values

Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.

Multi-valued

No

Required

Yes

Admin Action Required

The index must be rebuilt after modifying this property.

Advanced Property

No

Read-only

No

dsconfig create-certificate-mapper(1)

Name

dsconfig create-certificate-mapper - Creates Certificate Mappers

Synopsis

dsconfig create-certificate-mapper {options}

Description

Creates Certificate Mappers.

Options

The dsconfig create-certificate-mapper command takes the following options:

--mapper-name {name}

The name of the new Certificate Mapper.

Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Certificate Mapper types:

fingerprint-certificate-mapper

Default {name}: Fingerprint Certificate Mapper

Enabled by default: true

See Fingerprint Certificate Mapper for the properties of this Certificate Mapper type.

subject-attribute-to-user-attribute-certificate-mapper

Default {name}: Subject Attribute To User Attribute Certificate Mapper

Enabled by default: true

See Subject Attribute To User Attribute Certificate Mapper for the properties of this Certificate Mapper type.

subject-dn-to-user-attribute-certificate-mapper

Default {name}: Subject DN To User Attribute Certificate Mapper

Enabled by default: true

See Subject DN To User Attribute Certificate Mapper for the properties of this Certificate Mapper type.

subject-equals-dn-certificate-mapper

Default {name}: Subject Equals DN Certificate Mapper

Enabled by default: true

See Subject Equals DN Certificate Mapper for the properties of this Certificate Mapper type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Certificate Mapper properties depend on the Certificate Mapper type, which depends on the --mapper-name {name} option.

-t | --type {type}

The type of Certificate Mapper which should be created. The value for TYPE can be one of: custom | fingerprint | subject-attribute-to-user-attribute | subject-dn-to-user-attribute | subject-equals-dn.

Certificate Mapper properties depend on the Certificate Mapper type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Certificate Mapper types:

fingerprint-certificate-mapper

Default {type}: Fingerprint Certificate Mapper

Enabled by default: true

See Fingerprint Certificate Mapper for the properties of this Certificate Mapper type.

subject-attribute-to-user-attribute-certificate-mapper

Default {type}: Subject Attribute To User Attribute Certificate Mapper

Enabled by default: true

See Subject Attribute To User Attribute Certificate Mapper for the properties of this Certificate Mapper type.

subject-dn-to-user-attribute-certificate-mapper

Default {type}: Subject DN To User Attribute Certificate Mapper

Enabled by default: true

See Subject DN To User Attribute Certificate Mapper for the properties of this Certificate Mapper type.

subject-equals-dn-certificate-mapper

Default {type}: Subject Equals DN Certificate Mapper

Enabled by default: true

See Subject Equals DN Certificate Mapper for the properties of this Certificate Mapper type.

Fingerprint Certificate Mapper

Certificate Mappers of type fingerprint-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

fingerprint-algorithm
Description

Specifies the name of the digest algorithm to compute the fingerprint of client certificates.

Default Value

None

Allowed Values
md5

Use the MD5 digest algorithm to compute certificate fingerprints.

sha1

Use the SHA-1 digest algorithm to compute certificate fingerprints.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

fingerprint-attribute
Description

Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.

Default Value

org.opends.server.extensions.FingerprintCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

user-base-dn
Description

Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.

Default Value

The server performs the search in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Subject Attribute To User Attribute Certificate Mapper

Certificate Mappers of type subject-attribute-to-user-attribute-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.

Default Value

org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

subject-attribute-mapping
Description

Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

user-base-dn
Description

Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.

Default Value

The server will perform the search in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Subject DN To User Attribute Certificate Mapper

Certificate Mappers of type subject-dn-to-user-attribute-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.

Default Value

org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

subject-attribute
Description

Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

user-base-dn
Description

Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.

Default Value

The server will perform the search in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Subject Equals DN Certificate Mapper

Certificate Mappers of type subject-equals-dn-certificate-mapper have the following properties:

enabled
Description

Indicates whether the Certificate Mapper is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.

Default Value

org.opends.server.extensions.SubjectEqualsDNCertificateMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-connection-handler(1)

Name

dsconfig create-connection-handler - Creates Connection Handlers

Synopsis

dsconfig create-connection-handler {options}

Description

Creates Connection Handlers.

Options

The dsconfig create-connection-handler command takes the following options:

--handler-name {name}

The name of the new Connection Handler.

Connection Handler properties depend on the Connection Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Connection Handler types:

http-connection-handler

Default {name}: HTTP Connection Handler

Enabled by default: true

See HTTP Connection Handler for the properties of this Connection Handler type.

jmx-connection-handler

Default {name}: JMX Connection Handler

Enabled by default: true

See JMX Connection Handler for the properties of this Connection Handler type.

ldap-connection-handler

Default {name}: LDAP Connection Handler

Enabled by default: true

See LDAP Connection Handler for the properties of this Connection Handler type.

ldif-connection-handler

Default {name}: LDIF Connection Handler

Enabled by default: true

See LDIF Connection Handler for the properties of this Connection Handler type.

snmp-connection-handler

Default {name}: SNMP Connection Handler

Enabled by default: true

See SNMP Connection Handler for the properties of this Connection Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Connection Handler properties depend on the Connection Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Connection Handler which should be created. The value for TYPE can be one of: custom | http | jmx | ldap | ldif | snmp.

Connection Handler properties depend on the Connection Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Connection Handler types:

http-connection-handler

Default {type}: HTTP Connection Handler

Enabled by default: true

See HTTP Connection Handler for the properties of this Connection Handler type.

jmx-connection-handler

Default {type}: JMX Connection Handler

Enabled by default: true

See JMX Connection Handler for the properties of this Connection Handler type.

ldap-connection-handler

Default {type}: LDAP Connection Handler

Enabled by default: true

See LDAP Connection Handler for the properties of this Connection Handler type.

ldif-connection-handler

Default {type}: LDIF Connection Handler

Enabled by default: true

See LDIF Connection Handler for the properties of this Connection Handler type.

snmp-connection-handler

Default {type}: SNMP Connection Handler

Enabled by default: true

See SNMP Connection Handler for the properties of this Connection Handler type.

HTTP Connection Handler

Connection Handlers of type http-connection-handler have the following properties:

accept-backlog
Description

Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.

Default Value

128

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-tcp-reuse-address
Description

Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

buffer-size
Description

Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.

Default Value

4096 bytes

Allowed Values

Lower value is 1.Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.

Default Value

org.opends.server.protocols.http.HTTPConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

keep-stats
Description

Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this HTTP Connection Handler .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

Advanced Property

No

Read-only

No

listen-address
Description

Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

listen-port
Description

Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

max-blocked-write-time-limit
Description

Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.

Default Value

2 minutes

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-concurrent-ops-per-connection
Description

Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-request-size
Description

Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.

Default Value

5 megabytes

Allowed Values

Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

num-request-handlers
Description

Specifies the number of request handlers that are used to read requests from clients. The HTTP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ssl-cert-nickname
Description

Specifies the nicknames (also called the aliases) of the keys or key pairs that the HTTP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the HTTP Connection Handler is configured to use SSL.

Default Value

Let the server decide.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-cipher-suite
Description

Specifies the names of the SSL cipher suites that are allowed for use in SSL communication.

Default Value

Uses the default set of SSL cipher suites provided by the server’s JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

ssl-client-auth-policy
Description

Specifies the policy that the HTTP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.

Default Value

optional

Allowed Values
disabled

Clients must not provide their own certificates when performing SSL negotiation.

optional

Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.

required

Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-protocol
Description

Specifies the names of the SSL protocols that are allowed for use in SSL communication.

Default Value

Uses the default set of SSL protocols provided by the server’s JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used with the HTTP Connection Handler .

Default Value

Use the trust manager provided by the JVM.

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the HTTP Connection Handler should use SSL. If enabled, the HTTP Connection Handler will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-tcp-keep-alive
Description

Indicates whether the HTTP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

use-tcp-no-delay
Description

Indicates whether the HTTP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

JMX Connection Handler

Connection Handlers of type jmx-connection-handler have the following properties:

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the JMX Connection Handler implementation.

Default Value

org.opends.server.protocols.jmx.JmxConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this JMX Connection Handler .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the JMX Connection Handler is enabled and configured to use SSL.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

Advanced Property

No

Read-only

No

listen-address
Description

Specifies the address on which this JMX Connection Handler should listen for connections from JMX clients. If no value is provided, then the JMX Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

No

Required

No

Admin Action Required

Restart the server

Advanced Property

No

Read-only

No

listen-port
Description

Specifies the port number on which the JMX Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

rmi-port
Description

Specifies the port number on which the JMX RMI service will listen for connections from clients. A value of 0 indicates the service to choose a port of its own. If the value provided is different than 0, the value will be used as the RMI port. Otherwise, the RMI service will choose a port of its own.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 65535.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-cert-nickname
Description

Specifies the nicknames (also called the aliases) of the keys or key pairs that the JMX Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the JMX Connection Handler is configured to use SSL.

Default Value

Let the server decide.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the JMX Connection Handler should use SSL. If enabled, the JMX Connection Handler will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

LDAP Connection Handler

Connection Handlers of type ldap-connection-handler have the following properties:

accept-backlog
Description

Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.

Default Value

128

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-ldap-v2
Description

Indicates whether connections from LDAPv2 clients are allowed. If LDAPv2 clients are allowed, then only a minimal degree of special support are provided for them to ensure that LDAPv3-specific protocol elements (for example, Configuration Guide 25 controls, extended response messages, intermediate response messages, referrals) are not sent to an LDAPv2 client.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-start-tls
Description

Indicates whether clients are allowed to use StartTLS. If enabled, the LDAP Connection Handler allows clients to use the StartTLS extended operation to initiate secure communication over an otherwise insecure channel. Note that this is only allowed if the LDAP Connection Handler is not configured to use SSL, and if the server is configured with a valid key manager provider and a valid trust manager provider.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-tcp-reuse-address
Description

Indicates whether the LDAP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

buffer-size
Description

Specifies the size in bytes of the LDAP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer LDAP response messages data when writing.

Default Value

4096 bytes

Allowed Values

Lower value is 1.Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the LDAP Connection Handler implementation.

Default Value

org.opends.server.protocols.ldap.LDAPConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

keep-stats
Description

Indicates whether the LDAP Connection Handler should keep statistics. If enabled, the LDAP Connection Handler maintains statistics about the number and types of operations requested over LDAP and the amount of data sent and received.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this LDAP Connection Handler .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

Advanced Property

No

Read-only

No

listen-address
Description

Specifies the address or set of addresses on which this LDAP Connection Handler should listen for connections from LDAP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the LDAP Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

listen-port
Description

Specifies the port number on which the LDAP Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

max-blocked-write-time-limit
Description

Specifies the maximum length of time that attempts to write data to LDAP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.

Default Value

2 minutes

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-request-size
Description

Specifies the size in bytes of the largest LDAP request message that will be allowed by this LDAP Connection handler. This property is analogous to the maxBERSize configuration attribute of the Sun Java System Directory Server. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.

Default Value

5 megabytes

Allowed Values

Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

num-request-handlers
Description

Specifies the number of request handlers that are used to read requests from clients. The LDAP Connection Handler uses one thread to accept new connections from clients, but uses one or more additional threads to read requests from existing client connections. This ensures that new requests are read efficiently and that the connection handler itself does not become a bottleneck when the server is under heavy load from many clients at the same time.

Default Value

Let the server decide.

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

send-rejection-notice
Description

Indicates whether the LDAP Connection Handler should send a notice of disconnection extended response message to the client if a new connection is rejected for some reason. The extended response message may provide an explanation indicating the reason that the connection was rejected.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ssl-cert-nickname
Description

Specifies the nicknames (also called the aliases) of the keys or key pairs that the LDAP Connection Handler should use when performing SSL communication. The property can be used multiple times (referencing different nicknames) when server certificates with different public key algorithms are used in parallel (for example, RSA, DSA, and ECC-based algorithms). When a nickname refers to an asymmetric (public/private) key pair, the nickname for the public key certificate and associated private key entry must match exactly. A single nickname is used to retrieve both the public key and the private key. This is only applicable when the LDAP Connection Handler is configured to use SSL.

Default Value

Let the server decide.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-cipher-suite
Description

Specifies the names of the SSL cipher suites that are allowed for use in SSL or StartTLS communication.

Default Value

Uses the default set of SSL cipher suites provided by the server’s JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but will only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

ssl-client-auth-policy
Description

Specifies the policy that the LDAP Connection Handler should use regarding client SSL certificates. Clients can use the SASL EXTERNAL mechanism only if the policy is set to "optional" or "required". This is only applicable if clients are allowed to use SSL.

Default Value

optional

Allowed Values
disabled

Clients must not provide their own certificates when performing SSL negotiation.

optional

Clients are requested to provide their own certificates when performing SSL negotiation. The connection is nevertheless accepted if the client does not provide a certificate.

required

Clients are required to provide their own certificates when performing SSL negotiation and are refused access if they do not provide a certificate.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

ssl-protocol
Description

Specifies the names of the SSL protocols that are allowed for use in SSL or StartTLS communication.

Default Value

Uses the default set of SSL protocols provided by the server’s JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but only impact new SSL/TLS-based sessions created after the change.

Advanced Property

No

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used with the LDAP Connection Handler .

Default Value

Use the trust manager provided by the JVM.

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when the LDAP Connection Handler is enabled and configured to use SSL or StartTLS.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent attempts to access the trust manager provider for associated client connections.

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the LDAP Connection Handler should use SSL. If enabled, the LDAP Connection Handler will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-tcp-keep-alive
Description

Indicates whether the LDAP Connection Handler should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

use-tcp-no-delay
Description

Indicates whether the LDAP Connection Handler should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

LDIF Connection Handler

Connection Handlers of type ldif-connection-handler have the following properties:

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the LDIF Connection Handler implementation.

Default Value

org.opends.server.protocols.LDIFConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ldif-directory
Description

Specifies the path to the directory in which the LDIF files should be placed.

Default Value

config/auto-process-ldif

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

poll-interval
Description

Specifies how frequently the LDIF connection handler should check the LDIF directory to determine whether a new LDIF file has been added.

Default Value

5 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

SNMP Connection Handler

Connection Handlers of type snmp-connection-handler have the following properties:

allowed-client
Description

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

Default Value

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

allowed-manager
Description

Specifies the hosts of the managers to be granted the access rights. This property is required for SNMP v1 and v2 security configuration. An asterisk (*) opens access to all managers.

Default Value

*

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

allowed-user
Description

Specifies the users to be granted the access rights. This property is required for SNMP v3 security configuration. An asterisk (*) opens access to all users.

Default Value

*

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

community
Description

Specifies the v1,v2 community or the v3 context name allowed to access the MIB 2605 monitoring information or the USM MIB. The mapping between "community" and "context name" is set.

Default Value

OpenDJ

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

denied-client
Description

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

Default Value

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

Allowed Values

An IP address mask

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Connection Handler is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SNMP Connection Handler implementation.

Default Value

org.opends.server.snmp.SNMPConnectionHandler

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

listen-address
Description

Specifies the address or set of addresses on which this SNMP Connection Handler should listen for connections from SNMP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the SNMP Connection Handler listens on all interfaces.

Default Value

0.0.0.0

Allowed Values

An IP address

Multi-valued

Yes

Required

No

Admin Action Required

Restart the server

Advanced Property

No

Read-only

Yes

listen-port
Description

Specifies the port number on which the SNMP Connection Handler will listen for connections from clients. Only a single port number may be provided.

Default Value

None

Allowed Values

An integer value. Lower value is 1. Upper value is 65535.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

opendmk-jarfile
Description

Indicates the OpenDMK runtime jar file location

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

registered-mbean
Description

Indicates whether the SNMP objects have to be registered in the directory server MBeanServer or not allowing to access SNMP Objects with RMI connector if enabled.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

security-agent-file
Description

Specifies the USM security configuration to receive authenticated only SNMP requests.

Default Value

config/snmp/security/opendj-snmp.security

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

security-level
Description

Specifies the type of security level : NoAuthNoPriv : No security mechanisms activated, AuthNoPriv : Authentication activated with no privacy, AuthPriv : Authentication with privacy activated. This property is required for SNMP V3 security configuration.

Default Value

authnopriv

Allowed Values
authnopriv

Authentication activated with no privacy.

authpriv

Authentication with privacy activated.

noauthnopriv

No security mechanisms activated.

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

trap-port
Description

Specifies the port to use to send SNMP Traps.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

Yes

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

traps-community
Description

Specifies the community string that must be included in the traps sent to define managers (trap-destinations). This property is used in the context of SNMP v1, v2 and v3.

Default Value

OpenDJ

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

traps-destination
Description

Specifies the hosts to which V1 traps will be sent. V1 Traps are sent to every host listed. If this list is empty, V1 traps are sent to "localhost". Each host in the list must be identifed by its name or complete IP Addess.

Default Value

If the list is empty, V1 traps are sent to "localhost".

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

dsconfig create-debug-target(1)

Name

dsconfig create-debug-target - Creates Debug Targets

Synopsis

dsconfig create-debug-target {options}

Description

Creates Debug Targets.

Options

The dsconfig create-debug-target command takes the following options:

--publisher-name {name}

The name of the Debug Log Publisher.

Debug Target properties depend on the Debug Target type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Debug Target types:

debug-target

Default {name}: Debug Target

Enabled by default: true

See Debug Target for the properties of this Debug Target type.

--target-name {STRING}

The name of the new Debug Target which will also be used as the value of the "debug-scope" property: Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).

Debug Target properties depend on the Debug Target type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following Debug Target types:

debug-target

Default {STRING}: Debug Target

Enabled by default: true

See Debug Target for the properties of this Debug Target type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Debug Target properties depend on the Debug Target type, which depends on the --target-name {STRING} option.

Debug Target

Debug Targets of type debug-target have the following properties:

debug-exceptions-only
Description

Indicates whether only logs with exception should be logged.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

debug-scope
Description

Specifies the fully-qualified OpenDJ Java package, class, or method affected by the settings in this target definition. Use the number character (#) to separate the class name and the method name (that is, org.opends.server.core.DirectoryServer#startUp).

Default Value

None

Allowed Values

The fully-qualified OpenDJ Java package, class, or method name.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

enabled
Description

Indicates whether the Debug Target is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

include-throwable-cause
Description

Specifies the property to indicate whether to include the cause of exceptions in exception thrown and caught messages.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

omit-method-entry-arguments
Description

Specifies the property to indicate whether to include method arguments in debug messages.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

omit-method-return-value
Description

Specifies the property to indicate whether to include the return value in debug messages.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

throwable-stack-frames
Description

Specifies the property to indicate the number of stack frames to include in the stack trace for method entry and exception thrown messages.

Default Value

0

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-entry-cache(1)

Name

dsconfig create-entry-cache - Creates Entry Caches

Synopsis

dsconfig create-entry-cache {options}

Description

Creates Entry Caches.

Options

The dsconfig create-entry-cache command takes the following options:

--cache-name {name}

The name of the new Entry Cache.

Entry Cache properties depend on the Entry Cache type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Entry Cache types:

fifo-entry-cache

Default {name}: FIFO Entry Cache

Enabled by default: true

See FIFO Entry Cache for the properties of this Entry Cache type.

soft-reference-entry-cache

Default {name}: Soft Reference Entry Cache

Enabled by default: true

See Soft Reference Entry Cache for the properties of this Entry Cache type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Entry Cache properties depend on the Entry Cache type, which depends on the --cache-name {name} option.

-t | --type {type}

The type of Entry Cache which should be created. The value for TYPE can be one of: custom | fifo | soft-reference.

Entry Cache properties depend on the Entry Cache type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Entry Cache types:

fifo-entry-cache

Default {type}: FIFO Entry Cache

Enabled by default: true

See FIFO Entry Cache for the properties of this Entry Cache type.

soft-reference-entry-cache

Default {type}: Soft Reference Entry Cache

Enabled by default: true

See Soft Reference Entry Cache for the properties of this Entry Cache type.

FIFO Entry Cache

Entry Caches of type fifo-entry-cache have the following properties:

cache-level
Description

Specifies the cache level in the cache order if more than one instance of the cache is configured.

Default Value

None

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Entry Cache is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

exclude-filter
Description

The set of filters that define the entries that should be excluded from the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

include-filter
Description

The set of filters that define the entries that should be included in the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the FIFO Entry Cache implementation.

Default Value

org.opends.server.extensions.FIFOEntryCache

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.EntryCache

Multi-valued

No

Required

Yes

Admin Action Required

The Entry Cache must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

lock-timeout
Description

Specifies the length of time to wait while attempting to acquire a read or write lock.

Default Value

2000.0ms

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-entries
Description

Specifies the maximum number of entries that we will allow in the cache.

Default Value

2147483647

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-memory-percent
Description

Specifies the maximum percentage of JVM memory used by the server before the entry caches stops caching and begins purging itself. Very low settings such as 10 or 20 (percent) can prevent this entry cache from having enough space to hold any of the entries to cache, making it appear that the server is ignoring or skipping the entry cache entirely.

Default Value

90

Allowed Values

An integer value. Lower value is 1. Upper value is 100.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Soft Reference Entry Cache

Entry Caches of type soft-reference-entry-cache have the following properties:

cache-level
Description

Specifies the cache level in the cache order if more than one instance of the cache is configured.

Default Value

None

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Entry Cache is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

exclude-filter
Description

The set of filters that define the entries that should be excluded from the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

include-filter
Description

The set of filters that define the entries that should be included in the cache.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Soft Reference Entry Cache implementation.

Default Value

org.opends.server.extensions.SoftReferenceEntryCache

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.EntryCache

Multi-valued

No

Required

Yes

Admin Action Required

The Entry Cache must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

lock-timeout
Description

Specifies the length of time in milliseconds to wait while attempting to acquire a read or write lock.

Default Value

3000ms

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> A value of "-1" or "unlimited" for no limit. Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-extended-operation-handler(1)

Name

dsconfig create-extended-operation-handler - Creates Extended Operation Handlers

Synopsis

dsconfig create-extended-operation-handler {options}

Description

Creates Extended Operation Handlers.

Options

The dsconfig create-extended-operation-handler command takes the following options:

--handler-name {name}

The name of the new Extended Operation Handler.

Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Extended Operation Handler types:

cancel-extended-operation-handler

Default {name}: Cancel Extended Operation Handler

Enabled by default: true

See Cancel Extended Operation Handler for the properties of this Extended Operation Handler type.

get-connection-id-extended-operation-handler

Default {name}: Get Connection Id Extended Operation Handler

Enabled by default: true

See Get Connection Id Extended Operation Handler for the properties of this Extended Operation Handler type.

get-symmetric-key-extended-operation-handler

Default {name}: Get Symmetric Key Extended Operation Handler

Enabled by default: true

See Get Symmetric Key Extended Operation Handler for the properties of this Extended Operation Handler type.

password-modify-extended-operation-handler

Default {name}: Password Modify Extended Operation Handler

Enabled by default: true

See Password Modify Extended Operation Handler for the properties of this Extended Operation Handler type.

password-policy-state-extended-operation-handler

Default {name}: Password Policy State Extended Operation Handler

Enabled by default: true

See Password Policy State Extended Operation Handler for the properties of this Extended Operation Handler type.

start-tls-extended-operation-handler

Default {name}: Start TLS Extended Operation Handler

Enabled by default: true

See Start TLS Extended Operation Handler for the properties of this Extended Operation Handler type.

who-am-i-extended-operation-handler

Default {name}: Who Am I Extended Operation Handler

Enabled by default: true

See Who Am I Extended Operation Handler for the properties of this Extended Operation Handler type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the --handler-name {name} option.

-t | --type {type}

The type of Extended Operation Handler which should be created. The value for TYPE can be one of: cancel | custom | get-connection-id | get-symmetric-key | password-modify | password-policy-state | start-tls | who-am-i.

Extended Operation Handler properties depend on the Extended Operation Handler type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Extended Operation Handler types:

cancel-extended-operation-handler

Default {type}: Cancel Extended Operation Handler

Enabled by default: true

See Cancel Extended Operation Handler for the properties of this Extended Operation Handler type.

get-connection-id-extended-operation-handler

Default {type}: Get Connection Id Extended Operation Handler

Enabled by default: true

See Get Connection Id Extended Operation Handler for the properties of this Extended Operation Handler type.

get-symmetric-key-extended-operation-handler

Default {type}: Get Symmetric Key Extended Operation Handler

Enabled by default: true

See Get Symmetric Key Extended Operation Handler for the properties of this Extended Operation Handler type.

password-modify-extended-operation-handler

Default {type}: Password Modify Extended Operation Handler

Enabled by default: true

See Password Modify Extended Operation Handler for the properties of this Extended Operation Handler type.

password-policy-state-extended-operation-handler

Default {type}: Password Policy State Extended Operation Handler

Enabled by default: true

See Password Policy State Extended Operation Handler for the properties of this Extended Operation Handler type.

start-tls-extended-operation-handler

Default {type}: Start TLS Extended Operation Handler

Enabled by default: true

See Start TLS Extended Operation Handler for the properties of this Extended Operation Handler type.

who-am-i-extended-operation-handler

Default {type}: Who Am I Extended Operation Handler

Enabled by default: true

See Who Am I Extended Operation Handler for the properties of this Extended Operation Handler type.

Cancel Extended Operation Handler

Extended Operation Handlers of type cancel-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Cancel Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.CancelExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Get Connection Id Extended Operation Handler

Extended Operation Handlers of type get-connection-id-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Get Connection Id Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.GetConnectionIDExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Get Symmetric Key Extended Operation Handler

Extended Operation Handlers of type get-symmetric-key-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Get Symmetric Key Extended Operation Handler implementation.

Default Value

org.opends.server.crypto.GetSymmetricKeyExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Modify Extended Operation Handler

Extended Operation Handlers of type password-modify-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

Specifies the name of the identity mapper that should be used in conjunction with the password modify extended operation. This property is used to identify a user based on an authorization ID in the 'u:' form. Changes to this property take effect immediately.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the Password Modify Extended Operation Handler is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Password Modify Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.PasswordModifyExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Policy State Extended Operation Handler

Extended Operation Handlers of type password-policy-state-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Password Policy State Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.PasswordPolicyStateExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Start TLS Extended Operation Handler

Extended Operation Handlers of type start-tls-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Start TLS Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.StartTLSExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Who Am I Extended Operation Handler

Extended Operation Handlers of type who-am-i-extended-operation-handler have the following properties:

enabled
Description

Indicates whether the Extended Operation Handler is enabled (that is, whether the types of extended operations are allowed in the server).

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Who Am I Extended Operation Handler implementation.

Default Value

org.opends.server.extensions.WhoAmIExtendedOperation

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.ExtendedOperationHandler

Multi-valued

No

Required

Yes

Admin Action Required

The Extended Operation Handler must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-group-implementation(1)

Name

dsconfig create-group-implementation - Creates Group Implementations

Synopsis

dsconfig create-group-implementation {options}

Description

Creates Group Implementations.

Options

The dsconfig create-group-implementation command takes the following options:

--implementation-name {name}

The name of the new Group Implementation.

Group Implementation properties depend on the Group Implementation type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Group Implementation types:

dynamic-group-implementation

Default {name}: Dynamic Group Implementation

Enabled by default: true

See Dynamic Group Implementation for the properties of this Group Implementation type.

static-group-implementation

Default {name}: Static Group Implementation

Enabled by default: true

See Static Group Implementation for the properties of this Group Implementation type.

virtual-static-group-implementation

Default {name}: Virtual Static Group Implementation

Enabled by default: true

See Virtual Static Group Implementation for the properties of this Group Implementation type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Group Implementation properties depend on the Group Implementation type, which depends on the --implementation-name {name} option.

-t | --type {type}

The type of Group Implementation which should be created. The value for TYPE can be one of: custom | dynamic | static | virtual-static.

Group Implementation properties depend on the Group Implementation type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Group Implementation types:

dynamic-group-implementation

Default {type}: Dynamic Group Implementation

Enabled by default: true

See Dynamic Group Implementation for the properties of this Group Implementation type.

static-group-implementation

Default {type}: Static Group Implementation

Enabled by default: true

See Static Group Implementation for the properties of this Group Implementation type.

virtual-static-group-implementation

Default {type}: Virtual Static Group Implementation

Enabled by default: true

See Virtual Static Group Implementation for the properties of this Group Implementation type.

Dynamic Group Implementation

Group Implementations of type dynamic-group-implementation have the following properties:

enabled
Description

Indicates whether the Group Implementation is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Dynamic Group Implementation implementation.

Default Value

org.opends.server.extensions.DynamicGroup

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The Group Implementation must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Static Group Implementation

Group Implementations of type static-group-implementation have the following properties:

enabled
Description

Indicates whether the Group Implementation is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Static Group Implementation implementation.

Default Value

org.opends.server.extensions.StaticGroup

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The Group Implementation must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Virtual Static Group Implementation

Group Implementations of type virtual-static-group-implementation have the following properties:

enabled
Description

Indicates whether the Group Implementation is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Virtual Static Group Implementation implementation.

Default Value

org.opends.server.extensions.VirtualStaticGroup

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.Group

Multi-valued

No

Required

Yes

Admin Action Required

The Group Implementation must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-http-authorization-mechanism(1)

Name

dsconfig create-http-authorization-mechanism - Creates HTTP Authorization Mechanisms

Synopsis

dsconfig create-http-authorization-mechanism {options}

Description

Creates HTTP Authorization Mechanisms.

Options

The dsconfig create-http-authorization-mechanism command takes the following options:

--mechanism-name {name}

The name of the new HTTP Authorization Mechanism.

HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:

http-anonymous-authorization-mechanism

Default {name}: HTTP Anonymous Authorization Mechanism

Enabled by default: true

See HTTP Anonymous Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-basic-authorization-mechanism

Default {name}: HTTP Basic Authorization Mechanism

Enabled by default: true

See HTTP Basic Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-cts-authorization-mechanism

Default {name}: HTTP Oauth2 Cts Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 Cts Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-file-authorization-mechanism

Default {name}: HTTP Oauth2 File Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 File Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-openam-authorization-mechanism

Default {name}: HTTP Oauth2 Openam Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 Openam Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-token-introspection-authorization-mechanism

Default {name}: HTTP Oauth2 Token Introspection Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 Token Introspection Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the --mechanism-name {name} option.

-t | --type {type}

The type of HTTP Authorization Mechanism which should be created. The value for TYPE can be one of: http-anonymous-authorization-mechanism | http-basic-authorization-mechanism | http-oauth2-cts-authorization-mechanism | http-oauth2-file-authorization-mechanism | http-oauth2-openam-authorization-mechanism | http-oauth2-token-introspection-authorization-mechanism.

HTTP Authorization Mechanism properties depend on the HTTP Authorization Mechanism type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following HTTP Authorization Mechanism types:

http-anonymous-authorization-mechanism

Default {type}: HTTP Anonymous Authorization Mechanism

Enabled by default: true

See HTTP Anonymous Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-basic-authorization-mechanism

Default {type}: HTTP Basic Authorization Mechanism

Enabled by default: true

See HTTP Basic Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-cts-authorization-mechanism

Default {type}: HTTP Oauth2 Cts Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 Cts Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-file-authorization-mechanism

Default {type}: HTTP Oauth2 File Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 File Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-openam-authorization-mechanism

Default {type}: HTTP Oauth2 Openam Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 Openam Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

http-oauth2-token-introspection-authorization-mechanism

Default {type}: HTTP Oauth2 Token Introspection Authorization Mechanism

Enabled by default: true

See HTTP Oauth2 Token Introspection Authorization Mechanism for the properties of this HTTP Authorization Mechanism type.

HTTP Anonymous Authorization Mechanism

HTTP Authorization Mechanisms of type http-anonymous-authorization-mechanism have the following properties:

enabled
Description

Indicates whether the HTTP Authorization Mechanism is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Anonymous Authorization Mechanism implementation.

Default Value

org.opends.server.protocols.http.authz.HttpAnonymousAuthorizationMechanism

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

user-dn
Description

The authorization DN which will be used for performing anonymous operations.

Default Value

By default, operations will be performed using an anonymously bound connection.

Allowed Values

A valid DN.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

HTTP Basic Authorization Mechanism

HTTP Authorization Mechanisms of type http-basic-authorization-mechanism have the following properties:

alt-authentication-enabled
Description

Specifies whether user credentials may be provided using alternative headers to the standard 'Authorize' header.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

alt-password-header
Description

Alternate HTTP headers to get the user's password from.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

alt-username-header
Description

Alternate HTTP headers to get the user's name from.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the HTTP Authorization Mechanism is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

> Specifies the name of the identity mapper used to get the user's entry corresponding to the user-id provided in the HTTP authentication header.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Basic Authorization Mechanism is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Basic Authorization Mechanism implementation.

Default Value

org.opends.server.protocols.http.authz.HttpBasicAuthorizationMechanism

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

HTTP Oauth2 Cts Authorization Mechanism

HTTP Authorization Mechanisms of type http-oauth2-cts-authorization-mechanism have the following properties:

access-token-cache-enabled
Description

Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

access-token-cache-expiration
Description

Token cache expiration

Default Value

None

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

authzid-json-pointer
Description

Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

base-dn
Description

The base DN of the Core Token Service where access token are stored. (example: ou=famrecords,ou=openam-session,ou=tokens,dc=example,dc=com)

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the HTTP Authorization Mechanism is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Cts Authorization Mechanism implementation.

Default Value

org.opends.server.protocols.http.authz.HttpOAuth2CtsAuthorizationMechanism

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

required-scope
Description

Scopes required to grant access to the service.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

HTTP Oauth2 File Authorization Mechanism

HTTP Authorization Mechanisms of type http-oauth2-file-authorization-mechanism have the following properties:

access-token-cache-enabled
Description

Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

access-token-cache-expiration
Description

Token cache expiration

Default Value

None

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

access-token-directory
Description

Directory containing token files. File names must be equal to the token strings. The file content must a JSON object with the following attributes: 'scope', 'expireTime' and all the field(s) needed to resolve the authzIdTemplate.

Default Value

oauth2-demo/

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

authzid-json-pointer
Description

Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the HTTP Authorization Mechanism is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 File Authorization Mechanism implementation.

Default Value

org.opends.server.protocols.http.authz.HttpOAuth2FileAuthorizationMechanism

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

required-scope
Description

Scopes required to grant access to the service.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

HTTP Oauth2 Openam Authorization Mechanism

HTTP Authorization Mechanisms of type http-oauth2-openam-authorization-mechanism have the following properties:

access-token-cache-enabled
Description

Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

access-token-cache-expiration
Description

Token cache expiration

Default Value

None

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

authzid-json-pointer
Description

Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the HTTP Authorization Mechanism is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Openam Authorization Mechanism implementation.

Default Value

org.opends.server.protocols.http.authz.HttpOAuth2OpenAmAuthorizationMechanism

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this HTTP Oauth2 Openam Authorization Mechanism .

Default Value

By default the system key manager(s) will be used.

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent requests to the authorization server.

Advanced Property

No

Read-only

No

required-scope
Description

Scopes required to grant access to the service.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

token-info-url
Description

Defines the OpenAM endpoint URL where the access-token resolution request should be sent.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.

Default Value

By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only impact subsequent SSL connection negotiations.

Advanced Property

No

Read-only

No

HTTP Oauth2 Token Introspection Authorization Mechanism

HTTP Authorization Mechanisms of type http-oauth2-token-introspection-authorization-mechanism have the following properties:

access-token-cache-enabled
Description

Indicates whether the HTTP Oauth2 Authorization Mechanism is enabled for use.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

access-token-cache-expiration
Description

Token cache expiration

Default Value

None

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

authzid-json-pointer
Description

Specifies the JSON pointer to the value to use as Authorization ID. The JSON pointer is applied to the resolved access token JSON document. (example: /uid)

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

client-id
Description

Client's ID to use during the HTTP basic authentication against the authorization server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

client-secret
Description

Client's secret to use during the HTTP basic authentication against the authorization server.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the HTTP Authorization Mechanism is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

identity-mapper
Description

> Specifies the name of the identity mapper to use in conjunction with the authzid-json-pointer to get the user corresponding to the acccess-token.

Default Value

None

Allowed Values

The DN of any Identity Mapper. The referenced identity mapper must be enabled when the HTTP Oauth2 Authorization Mechanism is enabled.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the HTTP Oauth2 Token Introspection Authorization Mechanism implementation.

Default Value

org.opends.server.protocols.http.authz.HttpOAuth2TokenIntrospectionAuthorizationMechanism

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.protocols.http.authz.HttpAuthorizationMechanism

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-manager-provider
Description

Specifies the name of the key manager that should be used with this HTTP Oauth2 Token Introspection Authorization Mechanism .

Default Value

None

Allowed Values

The DN of any Key Manager Provider. The referenced key manager provider must be enabled.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only for subsequent requests to the authorization server.

Advanced Property

No

Read-only

No

required-scope
Description

Scopes required to grant access to the service.

Default Value

None

Allowed Values

A String

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

token-introspection-url
Description

Defines the token introspection endpoint URL where the access-token resolution request should be sent. (example: http://example.com/introspect)

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used when negotiating SSL connections with the remote authorization server.

Default Value

By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only impact subsequent SSL connection negotiations.

Advanced Property

No

Read-only

No

dsconfig create-http-endpoint(1)

Name

dsconfig create-http-endpoint - Creates HTTP Endpoints

Synopsis

dsconfig create-http-endpoint {options}

Description

Creates HTTP Endpoints.

Options

The dsconfig create-http-endpoint command takes the following options:

--endpoint-name {STRING}

The name of the new HTTP Endpoint which will also be used as the value of the "base-path" property: All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.

HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {STRING} you provide.

By default, OpenDJ directory server supports the following HTTP Endpoint types:

admin-endpoint

Default {STRING}: Admin Endpoint

Enabled by default: true

See Admin Endpoint for the properties of this HTTP Endpoint type.

rest2ldap-endpoint

Default {STRING}: Rest2ldap Endpoint

Enabled by default: true

See Rest2ldap Endpoint for the properties of this HTTP Endpoint type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the --endpoint-name {STRING} option.

-t | --type {type}

The type of HTTP Endpoint which should be created (Default: generic). The value for TYPE can be one of: admin-endpoint | generic | rest2ldap-endpoint.

HTTP Endpoint properties depend on the HTTP Endpoint type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following HTTP Endpoint types:

admin-endpoint

Default {type}: Admin Endpoint

Enabled by default: true

See Admin Endpoint for the properties of this HTTP Endpoint type.

rest2ldap-endpoint

Default {type}: Rest2ldap Endpoint

Enabled by default: true

See Rest2ldap Endpoint for the properties of this HTTP Endpoint type.

Admin Endpoint

HTTP Endpoints of type admin-endpoint have the following properties:

authorization-mechanism
Description

The HTTP authorization mechanisms supported by this HTTP Endpoint.

Default Value

None

Allowed Values

The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

base-path
Description

All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

enabled
Description

Indicates whether the HTTP Endpoint is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Admin Endpoint implementation.

Default Value

org.opends.server.protocols.http.rest2ldap.AdminEndpoint

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Rest2ldap Endpoint

HTTP Endpoints of type rest2ldap-endpoint have the following properties:

authorization-mechanism
Description

The HTTP authorization mechanisms supported by this HTTP Endpoint.

Default Value

None

Allowed Values

The DN of any HTTP Authorization Mechanism. The referenced authorization mechanism must be enabled when the HTTP Endpoint is enabled.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

base-path
Description

All HTTP requests matching the base path or subordinate to it will be routed to the HTTP endpoint unless a more specific HTTP endpoint is found.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

Yes

config-directory
Description

The directory containing the Rest2Ldap configuration file(s) for this specific endpoint. The directory must be readable by the server and may contain multiple configuration files, one for each supported version of the REST endpoint. If a relative path is used then it will be resolved against the server's instance directory.

Default Value

None

Allowed Values

A directory that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the HTTP Endpoint is enabled.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Rest2ldap Endpoint implementation.

Default Value

org.opends.server.protocols.http.rest2ldap.Rest2LdapEndpoint

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.HttpEndpoint

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-identity-mapper(1)

Name

dsconfig create-identity-mapper - Creates Identity Mappers

Synopsis

dsconfig create-identity-mapper {options}

Description

Creates Identity Mappers.

Options

The dsconfig create-identity-mapper command takes the following options:

--mapper-name {name}

The name of the new Identity Mapper.

Identity Mapper properties depend on the Identity Mapper type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Identity Mapper types:

exact-match-identity-mapper

Default {name}: Exact Match Identity Mapper

Enabled by default: true

See Exact Match Identity Mapper for the properties of this Identity Mapper type.

regular-expression-identity-mapper

Default {name}: Regular Expression Identity Mapper

Enabled by default: true

See Regular Expression Identity Mapper for the properties of this Identity Mapper type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Identity Mapper properties depend on the Identity Mapper type, which depends on the --mapper-name {name} option.

-t | --type {type}

The type of Identity Mapper which should be created. The value for TYPE can be one of: custom | exact-match | regular-expression.

Identity Mapper properties depend on the Identity Mapper type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Identity Mapper types:

exact-match-identity-mapper

Default {type}: Exact Match Identity Mapper

Enabled by default: true

See Exact Match Identity Mapper for the properties of this Identity Mapper type.

regular-expression-identity-mapper

Default {type}: Regular Expression Identity Mapper

Enabled by default: true

See Regular Expression Identity Mapper for the properties of this Identity Mapper type.

Exact Match Identity Mapper

Identity Mappers of type exact-match-identity-mapper have the following properties:

enabled
Description

Indicates whether the Identity Mapper is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Exact Match Identity Mapper implementation.

Default Value

org.opends.server.extensions.ExactMatchIdentityMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

match-attribute
Description

Specifies the attribute whose value should exactly match the ID string provided to this identity mapper. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry. The internal search performed includes a logical OR across all of these values.

Default Value

uid

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

match-base-dn
Description

Specifies the set of base DNs below which to search for users. The base DNs will be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all specified base DNs.

Default Value

The server searches below all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Regular Expression Identity Mapper

Identity Mappers of type regular-expression-identity-mapper have the following properties:

enabled
Description

Indicates whether the Identity Mapper is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Regular Expression Identity Mapper implementation.

Default Value

org.opends.server.extensions.RegularExpressionIdentityMapper

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.IdentityMapper

Multi-valued

No

Required

Yes

Admin Action Required

The Identity Mapper must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

match-attribute
Description

Specifies the name or OID of the attribute whose value should match the provided identifier string after it has been processed by the associated regular expression. All values must refer to the name or OID of an attribute type defined in the directory server schema. If multiple attributes or OIDs are provided, at least one of those attributes must contain the provided ID string value in exactly one entry.

Default Value

uid

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

match-base-dn
Description

Specifies the base DN(s) that should be used when performing searches to map the provided ID string to a user entry. If multiple values are given, searches are performed below all the specified base DNs.

Default Value

The server searches below all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

match-pattern
Description

Specifies the regular expression pattern that is used to identify portions of the ID string that will be replaced. Any portion of the ID string that matches this pattern is replaced in accordance with the provided replace pattern (or is removed if no replace pattern is specified). If multiple substrings within the given ID string match this pattern, all occurrences are replaced. If no part of the given ID string matches this pattern, the ID string is not altered. Exactly one match pattern value must be provided, and it must be a valid regular expression as described in the API documentation for the java.util.regex.Pattern class, including support for capturing groups.

Default Value

None

Allowed Values

Any valid regular expression pattern which is supported by the javax.util.regex.Pattern class (see http://download.oracle.com/docs/cd/E17409_01/javase/6/docs/api/java/util/regex/Pattern.html for documentation about this class for Java SE 6).

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

replace-pattern
Description

Specifies the replacement pattern that should be used for substrings in the ID string that match the provided regular expression pattern. If no replacement pattern is provided, then any matching portions of the ID string will be removed (i.e., replaced with an empty string). The replacement pattern may include a string from a capturing group by using a dollar sign ($) followed by an integer value that indicates which capturing group should be used.

Default Value

The replace pattern will be the empty string.

Allowed Values

Any valid replacement string that is allowed by the javax.util.regex.Matcher class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-key-manager-provider(1)

Name

dsconfig create-key-manager-provider - Creates Key Manager Providers

Synopsis

dsconfig create-key-manager-provider {options}

Description

Creates Key Manager Providers.

Options

The dsconfig create-key-manager-provider command takes the following options:

--provider-name {name}

The name of the new Key Manager Provider.

Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Key Manager Provider types:

file-based-key-manager-provider

Default {name}: File Based Key Manager Provider

Enabled by default: true

See File Based Key Manager Provider for the properties of this Key Manager Provider type.

ldap-key-manager-provider

Default {name}: LDAP Key Manager Provider

Enabled by default: true

See LDAP Key Manager Provider for the properties of this Key Manager Provider type.

pkcs11-key-manager-provider

Default {name}: PKCS11 Key Manager Provider

Enabled by default: true

See PKCS11 Key Manager Provider for the properties of this Key Manager Provider type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Key Manager Provider properties depend on the Key Manager Provider type, which depends on the --provider-name {name} option.

-t | --type {type}

The type of Key Manager Provider which should be created. The value for TYPE can be one of: custom | file-based | ldap | pkcs11.

Key Manager Provider properties depend on the Key Manager Provider type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Key Manager Provider types:

file-based-key-manager-provider

Default {type}: File Based Key Manager Provider

Enabled by default: true

See File Based Key Manager Provider for the properties of this Key Manager Provider type.

ldap-key-manager-provider

Default {type}: LDAP Key Manager Provider

Enabled by default: true

See LDAP Key Manager Provider for the properties of this Key Manager Provider type.

pkcs11-key-manager-provider

Default {type}: PKCS11 Key Manager Provider

Enabled by default: true

See PKCS11 Key Manager Provider for the properties of this Key Manager Provider type.

File Based Key Manager Provider

Key Manager Providers of type file-based-key-manager-provider have the following properties:

enabled
Description

Indicates whether the Key Manager Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Key Manager Provider implementation.

Default Value

org.opends.server.extensions.FileBasedKeyManagerProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider

Multi-valued

No

Required

Yes

Admin Action Required

The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-file
Description

Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key manager is accessed.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

key-store-pin
Description

Specifies the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the File Based Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined Java property.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the File Based Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-type
Description

Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well. If no value is provided, the JVM-default value is used. Changes to this configuration attribute will take effect the next time that the key manager is accessed.

Default Value

None

Allowed Values

Any key store format supported by the Java runtime environment.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

LDAP Key Manager Provider

Key Manager Providers of type ldap-key-manager-provider have the following properties:

base-dn
Description

The base DN beneath which LDAP key store entries are located.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Key Manager Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the LDAP Key Manager Provider implementation.

Default Value

org.opends.server.extensions.LDAPKeyManagerProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider

Multi-valued

No

Required

Yes

Admin Action Required

The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-pin
Description

Specifies the clear-text PIN needed to access the LDAP Key Manager Provider .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the LDAP Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the LDAP Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the LDAP Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the LDAP Key Manager Provider .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the LDAP Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the LDAP Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined Java property.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the LDAP Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

PKCS11 Key Manager Provider

Key Manager Providers of type pkcs11-key-manager-provider have the following properties:

enabled
Description

Indicates whether the Key Manager Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the PKCS11 Key Manager Provider implementation.

Default Value

org.opends.server.extensions.PKCS11KeyManagerProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.KeyManagerProvider

Multi-valued

No

Required

Yes

Admin Action Required

The Key Manager Provider must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-pin
Description

Specifies the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-environment-variable
Description

Specifies the name of the environment variable that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined environment variable that contains the clear-text PIN required to access the contents of the key store.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

key-store-pin-property
Description

Specifies the name of the Java property that contains the clear-text PIN needed to access the PKCS11 Key Manager Provider .

Default Value

None

Allowed Values

The name of a defined Java property.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the PKCS11 Key Manager Provider is accessed.

Advanced Property

No

Read-only

No

dsconfig create-log-publisher(1)

Name

dsconfig create-log-publisher - Creates Log Publishers

Synopsis

dsconfig create-log-publisher {options}

Description

Creates Log Publishers.

Options

The dsconfig create-log-publisher command takes the following options:

--publisher-name {name}

The name of the new Log Publisher.

Log Publisher properties depend on the Log Publisher type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Log Publisher types:

csv-file-access-log-publisher

Default {name}: Csv File Access Log Publisher

Enabled by default: true

See Csv File Access Log Publisher for the properties of this Log Publisher type.

csv-file-http-access-log-publisher

Default {name}: Csv File HTTP Access Log Publisher

Enabled by default: true

See Csv File HTTP Access Log Publisher for the properties of this Log Publisher type.

external-access-log-publisher

Default {name}: External Access Log Publisher

Enabled by default: true

See External Access Log Publisher for the properties of this Log Publisher type.

external-http-access-log-publisher

Default {name}: External HTTP Access Log Publisher

Enabled by default: true

See External HTTP Access Log Publisher for the properties of this Log Publisher type.

file-based-access-log-publisher

Default {name}: File Based Access Log Publisher

Enabled by default: true

See File Based Access Log Publisher for the properties of this Log Publisher type.

file-based-audit-log-publisher

Default {name}: File Based Audit Log Publisher

Enabled by default: true

See File Based Audit Log Publisher for the properties of this Log Publisher type.

file-based-debug-log-publisher

Default {name}: File Based Debug Log Publisher

Enabled by default: true

See File Based Debug Log Publisher for the properties of this Log Publisher type.

file-based-error-log-publisher

Default {name}: File Based Error Log Publisher

Enabled by default: true

See File Based Error Log Publisher for the properties of this Log Publisher type.

file-based-http-access-log-publisher

Default {name}: File Based HTTP Access Log Publisher

Enabled by default: true

See File Based HTTP Access Log Publisher for the properties of this Log Publisher type.

json-file-access-log-publisher

Default {name}: Json File Access Log Publisher

Enabled by default: true

See Json File Access Log Publisher for the properties of this Log Publisher type.

json-file-http-access-log-publisher

Default {name}: Json File HTTP Access Log Publisher

Enabled by default: true

See Json File HTTP Access Log Publisher for the properties of this Log Publisher type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Log Publisher properties depend on the Log Publisher type, which depends on the --publisher-name {name} option.

-t | --type {type}

The type of Log Publisher which should be created. The value for TYPE can be one of: csv-file-access | csv-file-http-access | custom-access | custom-debug | custom-error | custom-http-access | external-access | external-http-access | file-based-access | file-based-audit | file-based-debug | file-based-error | file-based-http-access | json-file-access | json-file-http-access.

Log Publisher properties depend on the Log Publisher type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Log Publisher types:

csv-file-access-log-publisher

Default {type}: Csv File Access Log Publisher

Enabled by default: true

See Csv File Access Log Publisher for the properties of this Log Publisher type.

csv-file-http-access-log-publisher

Default {type}: Csv File HTTP Access Log Publisher

Enabled by default: true

See Csv File HTTP Access Log Publisher for the properties of this Log Publisher type.

external-access-log-publisher

Default {type}: External Access Log Publisher

Enabled by default: true

See External Access Log Publisher for the properties of this Log Publisher type.

external-http-access-log-publisher

Default {type}: External HTTP Access Log Publisher

Enabled by default: true

See External HTTP Access Log Publisher for the properties of this Log Publisher type.

file-based-access-log-publisher

Default {type}: File Based Access Log Publisher

Enabled by default: true

See File Based Access Log Publisher for the properties of this Log Publisher type.

file-based-audit-log-publisher

Default {type}: File Based Audit Log Publisher

Enabled by default: true

See File Based Audit Log Publisher for the properties of this Log Publisher type.

file-based-debug-log-publisher

Default {type}: File Based Debug Log Publisher

Enabled by default: true

See File Based Debug Log Publisher for the properties of this Log Publisher type.

file-based-error-log-publisher

Default {type}: File Based Error Log Publisher

Enabled by default: true

See File Based Error Log Publisher for the properties of this Log Publisher type.

file-based-http-access-log-publisher

Default {type}: File Based HTTP Access Log Publisher

Enabled by default: true

See File Based HTTP Access Log Publisher for the properties of this Log Publisher type.

json-file-access-log-publisher

Default {type}: Json File Access Log Publisher

Enabled by default: true

See Json File Access Log Publisher for the properties of this Log Publisher type.

json-file-http-access-log-publisher

Default {type}: Json File HTTP Access Log Publisher

Enabled by default: true

See Json File HTTP Access Log Publisher for the properties of this Log Publisher type.

Csv File Access Log Publisher

Log Publishers of type csv-file-access-log-publisher have the following properties:

asynchronous
Description

Indicates whether the Csv File Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-delimiter-char
Description

The delimiter character to use when writing in CSV format.

Default Value

,

Allowed Values

The delimiter character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

csv-eol-symbols
Description

The string that marks the end of a line.

Default Value

Use the platform specific end of line character sequence.

Allowed Values

The string that marks the end of a line.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-quote-char
Description

The character to append and prepend to a CSV field when writing in CSV format.

Default Value

"

Allowed Values

The quote character to use when writting in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the Csv File Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CsvFileAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-file
Description

Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File Access Log Publisher .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the Csv File Access Log Publisher is accessed.

Advanced Property

No

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-directory
Description

The directory to use for the log files generated by the Csv File Access Log Publisher. The path to the directory is relative to the server root.

Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

retention-policy
Description

The retention policy to use for the Csv File Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the Csv File Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

signature-time-interval
Description

Specifies the interval at which to sign the log file when the tamper-evident option is enabled.

Default Value

3s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

tamper-evident
Description

Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Csv File HTTP Access Log Publisher

Log Publishers of type csv-file-http-access-log-publisher have the following properties:

asynchronous
Description

Indicates whether the Csv File HTTP Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-delimiter-char
Description

The delimiter character to use when writing in CSV format.

Default Value

,

Allowed Values

The delimiter character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

csv-eol-symbols
Description

The string that marks the end of a line.

Default Value

Use the platform specific end of line character sequence.

Allowed Values

The string that marks the end of a line.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

csv-quote-char
Description

The character to append and prepend to a CSV field when writing in CSV format.

Default Value

"

Allowed Values

The quote character to use when writing in CSV format.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the Csv File HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

key-store-file
Description

Specifies the path to the file that contains the private key information. This may be an absolute path, or a path that is relative to the OpenDJ instance root. Changes to this property will take effect the next time that the key store is accessed.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

key-store-pin-file
Description

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Csv File HTTP Access Log Publisher .

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property will take effect the next time that the Csv File HTTP Access Log Publisher is accessed.

Advanced Property

No

Read-only

No

log-directory
Description

The directory to use for the log files generated by the Csv File HTTP Access Log Publisher. The path to the directory is relative to the server root.

Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

retention-policy
Description

The retention policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the Csv File HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

signature-time-interval
Description

Specifies the interval at which to sign the log file when secure option is enabled.

Default Value

3s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

tamper-evident
Description

Specifies whether the log should be signed in order to detect tampering. Every log record will be signed, making it possible to verify that the log has not been tampered with. This feature has a significative impact on performance of the server.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

External Access Log Publisher

Log Publishers of type external-access-log-publisher have the following properties:

config-file
Description

The JSON configuration file that defines the External Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the External Access Log Publisher implementation.

Default Value

org.opends.server.loggers.ExternalAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

External HTTP Access Log Publisher

Log Publishers of type external-http-access-log-publisher have the following properties:

config-file
Description

The JSON configuration file that defines the External HTTP Access Log Publisher. The content of the JSON configuration file depends on the type of external audit event handler. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the External HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Access Log Publisher

Log Publishers of type file-based-access-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Access Log Publisher implementation.

Default Value

org.opends.server.loggers.TextAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Access Log Publisher. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Access Log Publisher.

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

log-format
Description

Specifies how log records should be formatted and written to the access log.

Default Value

multi-line

Allowed Values
combined

Combine log records for operation requests and responses into a single record. This format should be used when log records are to be filtered based on response criteria (e.g. result code).

multi-line

Outputs separate log records for operation requests and responses.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-record-time-format
Description

Specifies the format string that is used to generate log record timestamps.

Default Value

dd/MMM/yyyy:HH:mm:ss Z

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Audit Log Publisher

Log Publishers of type file-based-audit-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Audit Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Audit Log Publisher implementation.

Default Value

org.opends.server.loggers.TextAuditLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Audit Log Publisher. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Audit Log Publisher.

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Audit Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Audit Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Debug Log Publisher

Log Publishers of type file-based-debug-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Debug Log Publisher will publish records asynchronously.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

default-debug-exceptions-only
Description

Indicates whether only logs with exception should be logged.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-include-throwable-cause
Description

Indicates whether to include the cause of exceptions in exception thrown and caught messages logged by default.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-omit-method-entry-arguments
Description

Indicates whether to include method arguments in debug messages logged by default.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-omit-method-return-value
Description

Indicates whether to include the return value in debug messages logged by default.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-throwable-stack-frames
Description

Indicates the number of stack frames to include in the stack trace for method entry and exception thrown messages.

Default Value

2147483647

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Debug Log Publisher implementation.

Default Value

org.opends.server.loggers.TextDebugLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Debug Log Publisher . The path to the file is relative to the server root.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Debug Log Publisher .

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Debug Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Debug Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based Error Log Publisher

Log Publishers of type file-based-error-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based Error Log Publisher will publish records asynchronously.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer will be flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

default-severity
Description

Specifies the default severity levels for the logger.

Default Value

error warning

Allowed Values
all

Messages of all severity levels are logged.

debug

The error log severity that is used for messages that provide debugging information triggered during processing.

error

The error log severity that is used for messages that provide information about errors which may force the server to shut down or operate in a significantly degraded state.

info

The error log severity that is used for messages that provide information about significant events within the server that are not warnings or errors.

none

No messages of any severity are logged by default. This value is intended to be used in conjunction with the override-severity property to define an error logger that will publish no error message beside the errors of a given category.

notice

The error log severity that is used for the most important informational messages (i.e., information that should almost always be logged but is not associated with a warning or error condition).

warning

The error log severity that is used for messages that provide information about warnings triggered during processing.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based Error Log Publisher implementation.

Default Value

org.opends.server.loggers.TextErrorLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based Error Log Publisher . The path to the file is relative to the server root.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based Error Log Publisher .

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

override-severity
Description

Specifies the override severity levels for the logger based on the category of the messages. Each override severity level should include the category and the severity levels to log for that category, for example, core=error,info,warning. Valid categories are: core, extensions, protocol, config, log, util, schema, plugin, jeb, backend, tools, task, access-control, admin, sync, version, quicksetup, admin-tool, dsconfig, user-defined. Valid severities are: all, error, info, warning, notice, debug.

Default Value

All messages with the default severity levels are logged.

Allowed Values

A string in the form category=severity1,severity2…​

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based Error Log Publisher . When multiple policies are used, log files will be cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files will never be cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based Error Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

File Based HTTP Access Log Publisher

Log Publishers of type file-based-http-access-log-publisher have the following properties:

append
Description

Specifies whether to append to existing log files.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

asynchronous
Description

Indicates whether the File Based HTTP Access Log Publisher will publish records asynchronously.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

auto-flush
Description

Specifies whether to flush the writer after every log record. If the asynchronous writes option is used, the writer is flushed after all the log records in the queue are written.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

buffer-size
Description

Specifies the log file buffer size.

Default Value

64kb

Allowed Values

Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the File Based HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.TextHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

The file name to use for the log files generated by the File Based HTTP Access Log Publisher. The path to the file is relative to the server root.

Default Value

None

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

log-file-permissions
Description

The UNIX permissions of the log files created by this File Based HTTP Access Log Publisher.

Default Value

640

Allowed Values

A valid UNIX mode string. The mode string must contain three digits between zero and seven.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

log-format
Description

Specifies how log records should be formatted and written to the HTTP access log.

Default Value

cs-host c-ip cs-username x-datetime cs-method cs-uri-stem cs-uri-query cs-version sc-status cs(User-Agent) x-connection-id x-etime x-transaction-id

Allowed Values

A space separated list of fields describing the extended log format to be used for logging HTTP accesses. Available values are listed on the W3C working draft http://www.w3.org/TR/WD-logfile.html and Microsoft website http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/676400bc-8969-4aa7-851a-9319490a9bbb.mspx?mfr=true OpenDJ supports the following standard fields: "c-ip", "c-port", "cs-host", "cs-method", "cs-uri", "cs-uri-stem", "cs-uri-query", "cs(User-Agent)", "cs-username", "cs-version", "s-computername", "s-ip", "s-port", "sc-status". OpenDJ supports the following application specific field extensions: "x-connection-id" displays the internal connection ID assigned to the HTTP client connection, "x-datetime" displays the completion date and time for the logged HTTP request and its ouput is controlled by the "ds-cfg-log-record-time-format" property, "x-etime" displays the total execution time for the logged HTTP request, "x-transaction-id" displays the transaction id associated to a request

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-record-time-format
Description

Specifies the format string that is used to generate log record timestamps.

Default Value

dd/MMM/yyyy:HH:mm:ss Z

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

queue-size
Description

The maximum number of log records that can be stored in the asynchronous queue.

Default Value

5000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

retention-policy
Description

The retention policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the File Based HTTP Access Log Publisher . When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

time-interval
Description

Specifies the interval at which to check whether the log files need to be rotated.

Default Value

5s

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Json File Access Log Publisher

Log Publishers of type json-file-access-log-publisher have the following properties:

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

filtering-policy
Description

Specifies how filtering criteria should be applied to log records.

Default Value

no-filtering

Allowed Values
exclusive

Records must not match any of the filtering criteria in order to be logged.

inclusive

Records must match at least one of the filtering criteria in order to be logged.

no-filtering

No filtering will be performed, and all records will be logged.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the Json File Access Log Publisher implementation.

Default Value

org.opends.server.loggers.JsonFileAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-control-oids
Description

Specifies whether control OIDs will be included in operation log records.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

log-directory
Description

The directory to use for the log files generated by the Json File Access Log Publisher. The path to the directory is relative to the server root.

Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

retention-policy
Description

The retention policy to use for the Json File Access Log Publisher. When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the Json File Access Log Publisher. When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

suppress-internal-operations
Description

Indicates whether internal operations (for example, operations that are initiated by plugins) should be logged along with the operations that are requested by users.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

suppress-synchronization-operations
Description

Indicates whether access messages that are generated by synchronization operations should be suppressed.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Json File HTTP Access Log Publisher

Log Publishers of type json-file-http-access-log-publisher have the following properties:

enabled
Description

Indicates whether the Log Publisher is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

The fully-qualified name of the Java class that provides the Json File HTTP Access Log Publisher implementation.

Default Value

org.opends.server.loggers.CommonAuditHTTPAccessLogPublisher

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.LogPublisher

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-directory
Description

The directory to use for the log files generated by the Json File HTTP Access Log Publisher. The path to the directory is relative to the server root.

Default Value

logs

Allowed Values

A path to an existing directory that is readable and writable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

The Log Publisher must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

retention-policy
Description

The retention policy to use for the Json File HTTP Access Log Publisher. When multiple policies are used, log files are cleaned when any of the policy's conditions are met.

Default Value

No retention policy is used and log files are never cleaned.

Allowed Values

The DN of any Log Retention Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rotation-policy
Description

The rotation policy to use for the Json File HTTP Access Log Publisher. When multiple policies are used, rotation will occur if any policy's conditions are met.

Default Value

No rotation policy is used and log rotation will not occur.

Allowed Values

The DN of any Log Rotation Policy.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-log-retention-policy(1)

Name

dsconfig create-log-retention-policy - Creates Log Retention Policies

Synopsis

dsconfig create-log-retention-policy {options}

Description

Creates Log Retention Policies.

Options

The dsconfig create-log-retention-policy command takes the following options:

--policy-name {name}

The name of the new Log Retention Policy.

Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Log Retention Policy types:

file-count-log-retention-policy

Default {name}: File Count Log Retention Policy

Enabled by default: false

See File Count Log Retention Policy for the properties of this Log Retention Policy type.

free-disk-space-log-retention-policy

Default {name}: Free Disk Space Log Retention Policy

Enabled by default: false

See Free Disk Space Log Retention Policy for the properties of this Log Retention Policy type.

size-limit-log-retention-policy

Default {name}: Size Limit Log Retention Policy

Enabled by default: false

See Size Limit Log Retention Policy for the properties of this Log Retention Policy type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Log Retention Policy properties depend on the Log Retention Policy type, which depends on the --policy-name {name} option.

-t | --type {type}

The type of Log Retention Policy which should be created. The value for TYPE can be one of: custom | file-count | free-disk-space | size-limit.

Log Retention Policy properties depend on the Log Retention Policy type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Log Retention Policy types:

file-count-log-retention-policy

Default {type}: File Count Log Retention Policy

Enabled by default: false

See File Count Log Retention Policy for the properties of this Log Retention Policy type.

free-disk-space-log-retention-policy

Default {type}: Free Disk Space Log Retention Policy

Enabled by default: false

See Free Disk Space Log Retention Policy for the properties of this Log Retention Policy type.

size-limit-log-retention-policy

Default {type}: Size Limit Log Retention Policy

Enabled by default: false

See Size Limit Log Retention Policy for the properties of this Log Retention Policy type.

File Count Log Retention Policy

Log Retention Policies of type file-count-log-retention-policy have the following properties:

java-class
Description

Specifies the fully-qualified name of the Java class that provides the File Count Log Retention Policy implementation.

Default Value

org.opends.server.loggers.FileNumberRetentionPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

number-of-files
Description

Specifies the number of archived log files to retain before the oldest ones are cleaned.

Default Value

None

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Free Disk Space Log Retention Policy

Log Retention Policies of type free-disk-space-log-retention-policy have the following properties:

free-disk-space
Description

Specifies the minimum amount of free disk space that should be available on the file system on which the archived log files are stored.

Default Value

None

Allowed Values

Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Free Disk Space Log Retention Policy implementation.

Default Value

org.opends.server.loggers.FreeDiskSpaceRetentionPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Size Limit Log Retention Policy

Log Retention Policies of type size-limit-log-retention-policy have the following properties:

disk-space-used
Description

Specifies the maximum total disk space used by the log files.

Default Value

None

Allowed Values

Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Size Limit Log Retention Policy implementation.

Default Value

org.opends.server.loggers.SizeBasedRetentionPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RetentionPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-log-rotation-policy(1)

Name

dsconfig create-log-rotation-policy - Creates Log Rotation Policies

Synopsis

dsconfig create-log-rotation-policy {options}

Description

Creates Log Rotation Policies.

Options

The dsconfig create-log-rotation-policy command takes the following options:

--policy-name {name}

The name of the new Log Rotation Policy.

Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Log Rotation Policy types:

fixed-time-log-rotation-policy

Default {name}: Fixed Time Log Rotation Policy

Enabled by default: false

See Fixed Time Log Rotation Policy for the properties of this Log Rotation Policy type.

size-limit-log-rotation-policy

Default {name}: Size Limit Log Rotation Policy

Enabled by default: false

See Size Limit Log Rotation Policy for the properties of this Log Rotation Policy type.

time-limit-log-rotation-policy

Default {name}: Time Limit Log Rotation Policy

Enabled by default: false

See Time Limit Log Rotation Policy for the properties of this Log Rotation Policy type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the --policy-name {name} option.

-t | --type {type}

The type of Log Rotation Policy which should be created. The value for TYPE can be one of: custom | fixed-time | size-limit | time-limit.

Log Rotation Policy properties depend on the Log Rotation Policy type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Log Rotation Policy types:

fixed-time-log-rotation-policy

Default {type}: Fixed Time Log Rotation Policy

Enabled by default: false

See Fixed Time Log Rotation Policy for the properties of this Log Rotation Policy type.

size-limit-log-rotation-policy

Default {type}: Size Limit Log Rotation Policy

Enabled by default: false

See Size Limit Log Rotation Policy for the properties of this Log Rotation Policy type.

time-limit-log-rotation-policy

Default {type}: Time Limit Log Rotation Policy

Enabled by default: false

See Time Limit Log Rotation Policy for the properties of this Log Rotation Policy type.

Fixed Time Log Rotation Policy

Log Rotation Policies of type fixed-time-log-rotation-policy have the following properties:

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Fixed Time Log Rotation Policy implementation.

Default Value

org.opends.server.loggers.FixedTimeRotationPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

time-of-day
Description

Specifies the time of day at which log rotation should occur.

Default Value

None

Allowed Values

24 hour time of day in HHmm format.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Size Limit Log Rotation Policy

Log Rotation Policies of type size-limit-log-rotation-policy have the following properties:

file-size-limit
Description

Specifies the maximum size that a log file can reach before it is rotated.

Default Value

None

Allowed Values

Lower value is 1.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Size Limit Log Rotation Policy implementation.

Default Value

org.opends.server.loggers.SizeBasedRotationPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Time Limit Log Rotation Policy

Log Rotation Policies of type time-limit-log-rotation-policy have the following properties:

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Time Limit Log Rotation Policy implementation.

Default Value

org.opends.server.loggers.TimeLimitRotationPolicy

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.loggers.RotationPolicy

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

rotation-interval
Description

Specifies the time interval between rotations.

Default Value

None

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-monitor-provider(1)

Name

dsconfig create-monitor-provider - Creates Monitor Providers

Synopsis

dsconfig create-monitor-provider {options}

Description

Creates Monitor Providers.

Options

The dsconfig create-monitor-provider command takes the following options:

--provider-name {name}

The name of the new Monitor Provider.

Monitor Provider properties depend on the Monitor Provider type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Monitor Provider types:

client-connection-monitor-provider

Default {name}: Client Connection Monitor Provider

Enabled by default: true

See Client Connection Monitor Provider for the properties of this Monitor Provider type.

entry-cache-monitor-provider

Default {name}: Entry Cache Monitor Provider

Enabled by default: true

See Entry Cache Monitor Provider for the properties of this Monitor Provider type.

memory-usage-monitor-provider

Default {name}: Memory Usage Monitor Provider

Enabled by default: true

See Memory Usage Monitor Provider for the properties of this Monitor Provider type.

stack-trace-monitor-provider

Default {name}: Stack Trace Monitor Provider

Enabled by default: true

See Stack Trace Monitor Provider for the properties of this Monitor Provider type.

system-info-monitor-provider

Default {name}: System Info Monitor Provider

Enabled by default: true

See System Info Monitor Provider for the properties of this Monitor Provider type.

version-monitor-provider

Default {name}: Version Monitor Provider

Enabled by default: true

See Version Monitor Provider for the properties of this Monitor Provider type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Monitor Provider properties depend on the Monitor Provider type, which depends on the --provider-name {name} option.

-t | --type {type}

The type of Monitor Provider which should be created. The value for TYPE can be one of: client-connection | custom | entry-cache | memory-usage | stack-trace | system-info | version.

Monitor Provider properties depend on the Monitor Provider type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Monitor Provider types:

client-connection-monitor-provider

Default {type}: Client Connection Monitor Provider

Enabled by default: true

See Client Connection Monitor Provider for the properties of this Monitor Provider type.

entry-cache-monitor-provider

Default {type}: Entry Cache Monitor Provider

Enabled by default: true

See Entry Cache Monitor Provider for the properties of this Monitor Provider type.

memory-usage-monitor-provider

Default {type}: Memory Usage Monitor Provider

Enabled by default: true

See Memory Usage Monitor Provider for the properties of this Monitor Provider type.

stack-trace-monitor-provider

Default {type}: Stack Trace Monitor Provider

Enabled by default: true

See Stack Trace Monitor Provider for the properties of this Monitor Provider type.

system-info-monitor-provider

Default {type}: System Info Monitor Provider

Enabled by default: true

See System Info Monitor Provider for the properties of this Monitor Provider type.

version-monitor-provider

Default {type}: Version Monitor Provider

Enabled by default: true

See Version Monitor Provider for the properties of this Monitor Provider type.

Client Connection Monitor Provider

Monitor Providers of type client-connection-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Client Connection Monitor Provider implementation.

Default Value

org.opends.server.monitors.ClientConnectionMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Entry Cache Monitor Provider

Monitor Providers of type entry-cache-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Entry Cache Monitor Provider implementation.

Default Value

org.opends.server.monitors.EntryCacheMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Memory Usage Monitor Provider

Monitor Providers of type memory-usage-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Memory Usage Monitor Provider implementation.

Default Value

org.opends.server.monitors.MemoryUsageMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Stack Trace Monitor Provider

Monitor Providers of type stack-trace-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Stack Trace Monitor Provider implementation.

Default Value

org.opends.server.monitors.StackTraceMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

System Info Monitor Provider

Monitor Providers of type system-info-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the System Info Monitor Provider implementation.

Default Value

org.opends.server.monitors.SystemInfoMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Version Monitor Provider

Monitor Providers of type version-monitor-provider have the following properties:

enabled
Description

Indicates whether the Monitor Provider is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Version Monitor Provider implementation.

Default Value

org.opends.server.monitors.VersionMonitorProvider

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.MonitorProvider

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-password-generator(1)

Name

dsconfig create-password-generator - Creates Password Generators

Synopsis

dsconfig create-password-generator {options}

Description

Creates Password Generators.

Options

The dsconfig create-password-generator command takes the following options:

--generator-name {name}

The name of the new Password Generator.

Password Generator properties depend on the Password Generator type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Password Generator types:

random-password-generator

Default {name}: Random Password Generator

Enabled by default: true

See Random Password Generator for the properties of this Password Generator type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Password Generator properties depend on the Password Generator type, which depends on the --generator-name {name} option.

-t | --type {type}

The type of Password Generator which should be created. The value for TYPE can be one of: custom | random.

Password Generator properties depend on the Password Generator type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Password Generator types:

random-password-generator

Default {type}: Random Password Generator

Enabled by default: true

See Random Password Generator for the properties of this Password Generator type.

Random Password Generator

Password Generators of type random-password-generator have the following properties:

enabled
Description

Indicates whether the Password Generator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Random Password Generator implementation.

Default Value

org.opends.server.extensions.RandomPasswordGenerator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordGenerator

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

password-character-set
Description

Specifies one or more named character sets. This is a multi-valued property, with each value defining a different character set. The format of the character set is the name of the set followed by a colon and the characters that are in that set. For example, the value "alpha:abcdefghijklmnopqrstuvwxyz" defines a character set named "alpha" containing all of the lower-case ASCII alphabetic characters.

Default Value

None

Allowed Values

A character set name (consisting of ASCII letters) followed by a colon and the set of characters that are included in that character set.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

password-format
Description

Specifies the format to use for the generated password. The value is a comma-delimited list of elements in which each of those elements is comprised of the name of a character set defined in the password-character-set property, a colon, and the number of characters to include from that set. For example, a value of "alpha:3,numeric:2,alpha:3" generates an 8-character password in which the first three characters are from the "alpha" set, the next two are from the "numeric" set, and the final three are from the "alpha" set.

Default Value

None

Allowed Values

A comma-delimited list whose elements comprise a valid character set name, a colon, and a positive integer indicating the number of characters from that set to be included.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-password-policy(1)

Name

dsconfig create-password-policy - Creates Authentication Policies

Synopsis

dsconfig create-password-policy {options}

Description

Creates Authentication Policies.

Options

The dsconfig create-password-policy command takes the following options:

--policy-name {name}

The name of the new Authentication Policy.

Authentication Policy properties depend on the Authentication Policy type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Authentication Policy types:

ldap-pass-through-authentication-policy

Default {name}: LDAP Pass Through Authentication Policy

Enabled by default: false

See LDAP Pass Through Authentication Policy for the properties of this Authentication Policy type.

password-policy

Default {name}: Password Policy

Enabled by default: false

See Password Policy for the properties of this Authentication Policy type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Authentication Policy properties depend on the Authentication Policy type, which depends on the --policy-name {name} option.

-t | --type {type}

The type of Authentication Policy which should be created. The value for TYPE can be one of: ldap-pass-through | password-policy.

Authentication Policy properties depend on the Authentication Policy type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Authentication Policy types:

ldap-pass-through-authentication-policy

Default {type}: LDAP Pass Through Authentication Policy

Enabled by default: false

See LDAP Pass Through Authentication Policy for the properties of this Authentication Policy type.

password-policy

Default {type}: Password Policy

Enabled by default: false

See Password Policy for the properties of this Authentication Policy type.

LDAP Pass Through Authentication Policy

Authentication Policies of type ldap-pass-through-authentication-policy have the following properties:

cached-password-storage-scheme
Description

Specifies the name of a password storage scheme which should be used for encoding cached passwords. Changing the password storage scheme will cause all existing cached passwords to be discarded.

Default Value

None

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

cached-password-ttl
Description

Specifies the maximum length of time that a locally cached password may be used for authentication before it is refreshed from the remote LDAP service. This property represents a cache timeout. Increasing the timeout period decreases the frequency that bind operations are delegated to the remote LDAP service, but increases the risk of users authenticating using stale passwords. Note that authentication attempts which fail because the provided password does not match the locally cached password will always be retried against the remote LDAP service.

Default Value

8 hours

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

connection-timeout
Description

Specifies the timeout used when connecting to remote LDAP directory servers, performing SSL negotiation, and for individual search and bind requests. If the timeout expires then the current operation will be aborted and retried against another LDAP server if one is available.

Default Value

3 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class which provides the LDAP Pass Through Authentication Policy implementation.

Default Value

org.opends.server.extensions.LDAPPassThroughAuthenticationPolicyFactory

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory

Multi-valued

No

Required

Yes

Admin Action Required

The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

mapped-attribute
Description

Specifies one or more attributes in the user's entry whose value(s) will determine the bind DN used when authenticating to the remote LDAP directory service. This property is mandatory when using the "mapped-bind" or "mapped-search" mapping policies. At least one value must be provided. All values must refer to the name or OID of an attribute type defined in the directory server schema. At least one of the named attributes must exist in a user's local entry in order for authentication to proceed. When multiple attributes or values are found in the user's entry then the behavior is determined by the mapping policy.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-base-dn
Description

Specifies the set of base DNs below which to search for users in the remote LDAP directory service. This property is mandatory when using the "mapped-search" mapping policy. If multiple values are given, searches are performed below all specified base DNs.

Default Value

None

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-dn
Description

Specifies the bind DN which should be used to perform user searches in the remote LDAP directory service.

Default Value

Searches will be performed anonymously.

Allowed Values

A valid DN.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password
Description

Specifies the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password-environment-variable
Description

Specifies the name of an environment variable containing the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password-file
Description

Specifies the name of a file containing the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-bind-password-property
Description

Specifies the name of a Java property containing the bind password which should be used to perform user searches in the remote LDAP directory service.

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapped-search-filter-template
Description

If defined, overrides the filter used when searching for the user, substituting %s with the value of the local entry's "mapped-attribute". The filter-template may include ZERO or ONE %s substitutions. If multiple mapped-attributes are configured, multiple renditions of this template will be aggregated into one larger filter using an OR (|) operator. An example use-case for this property would be to use a different attribute type on the mapped search. For example, mapped-attribute could be set to "uid" and filter-template to "(samAccountName=%s)". You can also use the filter to restrict search results. For example: "(&(uid=%s)(objectclass=student))"

Default Value

None

Allowed Values

A String

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

mapping-policy
Description

Specifies the mapping algorithm for obtaining the bind DN from the user's entry.

Default Value

unmapped

Allowed Values
mapped-bind

Bind to the remote LDAP directory service using a DN obtained from an attribute in the user’s entry. This policy will check each attribute named in the "mapped-attribute" property. If more than one attribute or value is present then the first one will be used.

mapped-search

Bind to the remote LDAP directory service using the DN of an entry obtained using a search against the remote LDAP directory service. The search filter will comprise of an equality matching filter whose attribute type is the "mapped-attribute" property, and whose assertion value is the attribute value obtained from the user’s entry. If more than one attribute or value is present then the filter will be composed of multiple equality filters combined using a logical OR (union).

unmapped

Bind to the remote LDAP directory service using the DN of the user’s entry in this directory server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

primary-remote-ldap-server
Description

Specifies the primary list of remote LDAP servers which should be used for pass through authentication. If more than one LDAP server is specified then operations may be distributed across them. If all of the primary LDAP servers are unavailable then operations will fail-over to the set of secondary LDAP servers, if defined.

Default Value

None

Allowed Values

A host name followed by a ":" and a port number.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

secondary-remote-ldap-server
Description

Specifies the secondary list of remote LDAP servers which should be used for pass through authentication in the event that the primary LDAP servers are unavailable. If more than one LDAP server is specified then operations may be distributed across them. Operations will be rerouted to the primary LDAP servers as soon as they are determined to be available.

Default Value

No secondary LDAP servers.

Allowed Values

A host name followed by a ":" and a port number.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

source-address
Description

If specified, the server will bind to the address before connecting to the remote server. The address must be one assigned to an existing network interface.

Default Value

Let the server decide.

Allowed Values

An IP address

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

ssl-cipher-suite
Description

Specifies the names of the SSL cipher suites that are allowed for use in SSL based LDAP connections.

Default Value

Uses the default set of SSL cipher suites provided by the server’s JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but will only impact new SSL LDAP connections created after the change.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

ssl-protocol
Description

Specifies the names of the SSL protocols which are allowed for use in SSL based LDAP connections.

Default Value

Uses the default set of SSL protocols provided by the server’s JVM.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

NoneChanges to this property take effect immediately but will only impact new SSL LDAP connections created after the change.

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

trust-manager-provider
Description

Specifies the name of the trust manager that should be used when negotiating SSL connections with remote LDAP directory servers.

Default Value

By default, no trust manager is specified indicating that only certificates signed by the authorities associated with this JVM will be accepted.

Allowed Values

The DN of any Trust Manager Provider. The referenced trust manager provider must be enabled when SSL is enabled.

Multi-valued

No

Required

No

Admin Action Required

NoneChanges to this property take effect immediately, but only impact subsequent SSL connection negotiations.

Advanced Property

No

Read-only

No

use-password-caching
Description

Indicates whether passwords should be cached locally within the user's entry.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

use-ssl
Description

Indicates whether the LDAP Pass Through Authentication Policy should use SSL. If enabled, the LDAP Pass Through Authentication Policy will use SSL to encrypt communication with the clients.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

use-tcp-keep-alive
Description

Indicates whether LDAP connections should use TCP keep-alive. If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP keepalive messages should periodically be sent to the client to verify that the associated connection is still valid. This may also help prevent cases in which intermediate network hardware could silently drop an otherwise idle client connection, provided that the keepalive interval configured in the underlying operating system is smaller than the timeout enforced by the network hardware.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

use-tcp-no-delay
Description

Indicates whether LDAP connections should use TCP no-delay. If enabled, the TCP_NODELAY socket option is used to ensure that response messages to the client are sent immediately rather than potentially waiting to determine whether additional response messages can be sent in the same packet. In most cases, using the TCP_NODELAY socket option provides better performance and lower response times, but disabling it may help for some cases in which the server sends a large number of entries to a client in response to a search request.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Policy

Authentication Policies of type password-policy have the following properties:

account-status-notification-handler
Description

Specifies the names of the account status notification handlers that are used with the associated password storage scheme.

Default Value

None

Allowed Values

The DN of any Account Status Notification Handler. The referenced account status notification handlers must be enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-expired-password-changes
Description

Indicates whether a user whose password is expired is still allowed to change that password using the password modify extended operation.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

allow-multiple-password-values
Description

Indicates whether user entries can have multiple distinct values for the password attribute. This is potentially dangerous because many mechanisms used to change the password do not work well with such a configuration. If multiple password values are allowed, then any of them can be used to authenticate, and they are all subject to the same policy constraints.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-pre-encoded-passwords
Description

Indicates whether users can change their passwords by providing a pre-encoded value. This can cause a security risk because the clear-text version of the password is not known and therefore validation checks cannot be applied to it.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

allow-user-password-changes
Description

Indicates whether users can change their own passwords. This check is made in addition to access control evaluation. Both must allow the password change for it to occur.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-password-storage-scheme
Description

Specifies the names of the password storage schemes that are used to encode clear-text passwords for this password policy.

Default Value

None

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

deprecated-password-storage-scheme
Description

Specifies the names of the password storage schemes that are considered deprecated for this password policy. If a user with this password policy authenticates to the server and his/her password is encoded with a deprecated scheme, those values are removed and replaced with values encoded using the default password storage scheme(s).

Default Value

None

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

expire-passwords-without-warning
Description

Indicates whether the directory server allows a user's password to expire even if that user has never seen an expiration warning notification. If this property is true, accounts always expire when the expiration time arrives. If this property is false or disabled, the user always receives at least one warning notification, and the password expiration is set to the warning time plus the warning interval.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

force-change-on-add
Description

Indicates whether users are forced to change their passwords upon first authenticating to the directory server after their account has been created.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

force-change-on-reset
Description

Indicates whether users are forced to change their passwords if they are reset by an administrator. For this purpose, anyone with permission to change a given user's password other than that user is considered an administrator.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

grace-login-count
Description

Specifies the number of grace logins that a user is allowed after the account has expired to allow that user to choose a new password. A value of 0 indicates that no grace logins are allowed.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

idle-lockout-interval
Description

Specifies the maximum length of time that an account may remain idle (that is, the associated user does not authenticate to the server) before that user is locked out. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that idle accounts are not automatically locked out. This feature is available only if the last login time is maintained.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class which provides the Password Policy implementation.

Default Value

org.opends.server.core.PasswordPolicyFactory

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.AuthenticationPolicyFactory

Multi-valued

No

Required

Yes

Admin Action Required

The Authentication Policy must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

last-login-time-attribute
Description

Specifies the name or OID of the attribute type that is used to hold the last login time for users with the associated password policy. This attribute type must be defined in the directory server schema and must either be defined as an operational attribute or must be allowed by the set of objectClasses for all users with the associated password policy.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

last-login-time-format
Description

Specifies the format string that is used to generate the last login time value for users with the associated password policy. This format string conforms to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

Default Value

None

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

lockout-duration
Description

Specifies the length of time that an account is locked after too many authentication failures. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the account must remain locked until an administrator resets the password.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

lockout-failure-count
Description

Specifies the maximum number of authentication failures that a user is allowed before the account is locked out. A value of 0 indicates that accounts are never locked out due to failed attempts.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

lockout-failure-expiration-interval
Description

Specifies the length of time before an authentication failure is no longer counted against a user for the purposes of account lockout. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds indicates that the authentication failures must never expire. The failure count is always cleared upon a successful authentication.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-password-age
Description

Specifies the maximum length of time that a user can continue using the same password before it must be changed (that is, the password expiration interval). The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables password expiration.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

max-password-reset-age
Description

Specifies the maximum length of time that users have to change passwords after they have been reset by an administrator before they become locked. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables this feature.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

min-password-age
Description

Specifies the minimum length of time after a password change before the user is allowed to change the password again. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. This setting can be used to prevent users from changing their passwords repeatedly over a short period of time to flush an old password from the history so that it can be re-used.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-attribute
Description

Specifies the attribute type used to hold user passwords. This attribute type must be defined in the server schema, and it must have either the user password or auth password syntax.

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

password-change-requires-current-password
Description

Indicates whether user password changes must use the password modify extended operation and must include the user's current password before the change is allowed.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-expiration-warning-interval
Description

Specifies the maximum length of time before a user's password actually expires that the server begins to include warning notifications in bind responses for that user. The value of this attribute is an integer followed by a unit of seconds, minutes, hours, days, or weeks. A value of 0 seconds disables the warning interval.

Default Value

5 days

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-generator
Description

Specifies the name of the password generator that is used with the associated password policy. This is used in conjunction with the password modify extended operation to generate a new password for a user when none was provided in the request.

Default Value

None

Allowed Values

The DN of any Password Generator. The referenced password generator must be enabled.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-history-count
Description

Specifies the maximum number of former passwords to maintain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero indicates that either no password history is to be maintained (if the password history duration has a value of zero seconds), or that there is no maximum number of passwords to maintain in the history (if the password history duration has a value greater than zero seconds).

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-history-duration
Description

Specifies the maximum length of time that passwords remain in the password history. When choosing a new password, the proposed password is checked to ensure that it does not match the current password, nor any other password in the history list. A value of zero seconds indicates that either no password history is to be maintained (if the password history count has a value of zero), or that there is no maximum duration for passwords in the history (if the password history count has a value greater than zero).

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.Upper limit is 2147483647 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

password-validator
Description

Specifies the names of the password validators that are used with the associated password storage scheme. The password validators are invoked when a user attempts to provide a new password, to determine whether the new password is acceptable.

Default Value

None

Allowed Values

The DN of any Password Validator. The referenced password validators must be enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

previous-last-login-time-format
Description

Specifies the format string(s) that might have been used with the last login time at any point in the past for users associated with the password policy. These values are used to make it possible to parse previous values, but are not used to set new values. The format strings conform to the syntax described in the API documentation for the java.text.SimpleDateFormat class.

Default Value

None

Allowed Values

Any valid format string that can be used with the java.text.SimpleDateFormat class.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

require-change-by-time
Description

Specifies the time by which all users with the associated password policy must change their passwords. The value is expressed in a generalized time format. If this time is equal to the current time or is in the past, then all users are required to change their passwords immediately. The behavior of the server in this mode is identical to the behavior observed when users are forced to change their passwords after an administrative reset.

Default Value

None

Allowed Values

A valid timestamp in generalized time form (for example, a value of "20070409185811Z" indicates a value of April 9, 2007 at 6:58:11 pm GMT).

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

require-secure-authentication
Description

Indicates whether users with the associated password policy are required to authenticate in a secure manner. This might mean either using a secure communication channel between the client and the server, or using a SASL mechanism that does not expose the credentials.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

require-secure-password-changes
Description

Indicates whether users with the associated password policy are required to change their password in a secure manner that does not expose the credentials.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

skip-validation-for-administrators
Description

Indicates whether passwords set by administrators are allowed to bypass the password validation process that is required for user password changes.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

state-update-failure-policy
Description

Specifies how the server deals with the inability to update password policy state information during an authentication attempt. In particular, this property can be used to control whether an otherwise successful bind operation fails if a failure occurs while attempting to update password policy state information (for example, to clear a record of previous authentication failures or to update the last login time). It can also be used to control whether to reject a bind request if it is known ahead of time that it will not be possible to update the authentication failure times in the event of an unsuccessful bind attempt (for example, if the backend writability mode is disabled).

Default Value

reactive

Allowed Values
ignore

If a bind attempt would otherwise be successful, then do not reject it if a problem occurs while attempting to update the password policy state information for the user.

proactive

Proactively reject any bind attempt if it is known ahead of time that it would not be possible to update the user’s password policy state information.

reactive

Even if a bind attempt would otherwise be successful, reject it if a problem occurs while attempting to update the password policy state information for the user.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-password-storage-scheme(1)

Name

dsconfig create-password-storage-scheme - Creates Password Storage Schemes

Synopsis

dsconfig create-password-storage-scheme {options}

Description

Creates Password Storage Schemes.

Options

The dsconfig create-password-storage-scheme command takes the following options:

--scheme-name {name}

The name of the new Password Storage Scheme.

Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Password Storage Scheme types:

aes-password-storage-scheme

Default {name}: AES Password Storage Scheme

Enabled by default: true

See AES Password Storage Scheme for the properties of this Password Storage Scheme type.

base64-password-storage-scheme

Default {name}: Base64 Password Storage Scheme

Enabled by default: true

See Base64 Password Storage Scheme for the properties of this Password Storage Scheme type.

bcrypt-password-storage-scheme

Default {name}: Bcrypt Password Storage Scheme

Enabled by default: true

See Bcrypt Password Storage Scheme for the properties of this Password Storage Scheme type.

blowfish-password-storage-scheme

Default {name}: Blowfish Password Storage Scheme

Enabled by default: true

See Blowfish Password Storage Scheme for the properties of this Password Storage Scheme type.

clear-password-storage-scheme

Default {name}: Clear Password Storage Scheme

Enabled by default: true

See Clear Password Storage Scheme for the properties of this Password Storage Scheme type.

crypt-password-storage-scheme

Default {name}: Crypt Password Storage Scheme

Enabled by default: true

See Crypt Password Storage Scheme for the properties of this Password Storage Scheme type.

md5-password-storage-scheme

Default {name}: MD5 Password Storage Scheme

Enabled by default: true

See MD5 Password Storage Scheme for the properties of this Password Storage Scheme type.

pbkdf2-hmac-sha256-password-storage-scheme

Default {name}: PBKDF2 Hmac SHA256 Password Storage Scheme

Enabled by default: true

See PBKDF2 Hmac SHA256 Password Storage Scheme for the properties of this Password Storage Scheme type.

pbkdf2-hmac-sha512-password-storage-scheme

Default {name}: PBKDF2 Hmac SHA512 Password Storage Scheme

Enabled by default: true

See PBKDF2 Hmac SHA512 Password Storage Scheme for the properties of this Password Storage Scheme type.

pkcs5s2-password-storage-scheme

Default {name}: PKCS5S2 Password Storage Scheme

Enabled by default: true

See PKCS5S2 Password Storage Scheme for the properties of this Password Storage Scheme type.

rc4-password-storage-scheme

Default {name}: RC4 Password Storage Scheme

Enabled by default: true

See RC4 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-md5-password-storage-scheme

Default {name}: Salted MD5 Password Storage Scheme

Enabled by default: true

See Salted MD5 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha1-password-storage-scheme

Default {name}: Salted SHA1 Password Storage Scheme

Enabled by default: true

See Salted SHA1 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha256-password-storage-scheme

Default {name}: Salted SHA256 Password Storage Scheme

Enabled by default: true

See Salted SHA256 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha384-password-storage-scheme

Default {name}: Salted SHA384 Password Storage Scheme

Enabled by default: true

See Salted SHA384 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha512-password-storage-scheme

Default {name}: Salted SHA512 Password Storage Scheme

Enabled by default: true

See Salted SHA512 Password Storage Scheme for the properties of this Password Storage Scheme type.

sha1-password-storage-scheme

Default {name}: SHA1 Password Storage Scheme

Enabled by default: true

See SHA1 Password Storage Scheme for the properties of this Password Storage Scheme type.

triple-des-password-storage-scheme

Default {name}: Triple DES Password Storage Scheme

Enabled by default: true

See Triple DES Password Storage Scheme for the properties of this Password Storage Scheme type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the --scheme-name {name} option.

-t | --type {type}

The type of Password Storage Scheme which should be created. The value for TYPE can be one of: aes | base64 | bcrypt | blowfish | clear | crypt | custom | md5 | pbkdf2 | pbkdf2-hmac-sha256 | pbkdf2-hmac-sha512 | pkcs5s2 | rc4 | salted-md5 | salted-sha1 | salted-sha256 | salted-sha384 | salted-sha512 | sha1 | triple-des.

Password Storage Scheme properties depend on the Password Storage Scheme type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Password Storage Scheme types:

aes-password-storage-scheme

Default {type}: AES Password Storage Scheme

Enabled by default: true

See AES Password Storage Scheme for the properties of this Password Storage Scheme type.

base64-password-storage-scheme

Default {type}: Base64 Password Storage Scheme

Enabled by default: true

See Base64 Password Storage Scheme for the properties of this Password Storage Scheme type.

bcrypt-password-storage-scheme

Default {type}: Bcrypt Password Storage Scheme

Enabled by default: true

See Bcrypt Password Storage Scheme for the properties of this Password Storage Scheme type.

blowfish-password-storage-scheme

Default {type}: Blowfish Password Storage Scheme

Enabled by default: true

See Blowfish Password Storage Scheme for the properties of this Password Storage Scheme type.

clear-password-storage-scheme

Default {type}: Clear Password Storage Scheme

Enabled by default: true

See Clear Password Storage Scheme for the properties of this Password Storage Scheme type.

crypt-password-storage-scheme

Default {type}: Crypt Password Storage Scheme

Enabled by default: true

See Crypt Password Storage Scheme for the properties of this Password Storage Scheme type.

md5-password-storage-scheme

Default {type}: MD5 Password Storage Scheme

Enabled by default: true

See MD5 Password Storage Scheme for the properties of this Password Storage Scheme type.

pbkdf2-hmac-sha256-password-storage-scheme

Default {type}: PBKDF2 Hmac SHA256 Password Storage Scheme

Enabled by default: true

See PBKDF2 Hmac SHA256 Password Storage Scheme for the properties of this Password Storage Scheme type.

pbkdf2-hmac-sha512-password-storage-scheme

Default {type}: PBKDF2 Hmac SHA512 Password Storage Scheme

Enabled by default: true

See PBKDF2 Hmac SHA512 Password Storage Scheme for the properties of this Password Storage Scheme type.

pkcs5s2-password-storage-scheme

Default {type}: PKCS5S2 Password Storage Scheme

Enabled by default: true

See PKCS5S2 Password Storage Scheme for the properties of this Password Storage Scheme type.

rc4-password-storage-scheme

Default {type}: RC4 Password Storage Scheme

Enabled by default: true

See RC4 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-md5-password-storage-scheme

Default {type}: Salted MD5 Password Storage Scheme

Enabled by default: true

See Salted MD5 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha1-password-storage-scheme

Default {type}: Salted SHA1 Password Storage Scheme

Enabled by default: true

See Salted SHA1 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha256-password-storage-scheme

Default {type}: Salted SHA256 Password Storage Scheme

Enabled by default: true

See Salted SHA256 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha384-password-storage-scheme

Default {type}: Salted SHA384 Password Storage Scheme

Enabled by default: true

See Salted SHA384 Password Storage Scheme for the properties of this Password Storage Scheme type.

salted-sha512-password-storage-scheme

Default {type}: Salted SHA512 Password Storage Scheme

Enabled by default: true

See Salted SHA512 Password Storage Scheme for the properties of this Password Storage Scheme type.

sha1-password-storage-scheme

Default {type}: SHA1 Password Storage Scheme

Enabled by default: true

See SHA1 Password Storage Scheme for the properties of this Password Storage Scheme type.

triple-des-password-storage-scheme

Default {type}: Triple DES Password Storage Scheme

Enabled by default: true

See Triple DES Password Storage Scheme for the properties of this Password Storage Scheme type.

AES Password Storage Scheme

Password Storage Schemes of type aes-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the AES Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.AESPasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Base64 Password Storage Scheme

Password Storage Schemes of type base64-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Base64 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.Base64PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Bcrypt Password Storage Scheme

Password Storage Schemes of type bcrypt-password-storage-scheme have the following properties:

bcrypt-cost
Description

The cost parameter specifies a key expansion iteration count as a power of two. A default value of 12 (2^12 iterations) is considered in 2016 as a reasonable balance between responsiveness and security for regular users.

Default Value

12

Allowed Values

An integer value. Lower value is 1. Upper value is 30.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Bcrypt Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.BcryptPasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Blowfish Password Storage Scheme

Password Storage Schemes of type blowfish-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Blowfish Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.BlowfishPasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Clear Password Storage Scheme

Password Storage Schemes of type clear-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Clear Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.ClearPasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Crypt Password Storage Scheme

Password Storage Schemes of type crypt-password-storage-scheme have the following properties:

crypt-password-storage-encryption-algorithm
Description

Specifies the algorithm to use to encrypt new passwords. Select the crypt algorithm to use to encrypt new passwords. The value can either be "unix", which means the password is encrypted with the weak Unix crypt algorithm, or "md5" which means the password is encrypted with the BSD MD5 algorithm and has a $1$ prefix, or "sha256" which means the password is encrypted with the SHA256 algorithm and has a $5$ prefix, or "sha512" which means the password is encrypted with the SHA512 algorithm and has a $6$ prefix.

Default Value

unix

Allowed Values
md5

New passwords are encrypted with the BSD MD5 algorithm.

sha256

New passwords are encrypted with the Unix crypt SHA256 algorithm.

sha512

New passwords are encrypted with the Unix crypt SHA512 algorithm.

unix

New passwords are encrypted with the Unix crypt algorithm. Passwords are truncated at 8 characters and the top bit of each character is ignored.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Crypt Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.CryptPasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

MD5 Password Storage Scheme

Password Storage Schemes of type md5-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the MD5 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.MD5PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

PBKDF2 Hmac SHA256 Password Storage Scheme

Password Storage Schemes of type pbkdf2-hmac-sha256-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the PBKDF2 Hmac SHA256 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.PBKDF2HmacSHA256PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

pbkdf2-iterations
Description

The number of algorithm iterations to make. NIST recommends at least 1000.

Default Value

10000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

PBKDF2 Hmac SHA512 Password Storage Scheme

Password Storage Schemes of type pbkdf2-hmac-sha512-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the PBKDF2 Hmac SHA512 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.PBKDF2HmacSHA512PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

pbkdf2-iterations
Description

The number of algorithm iterations to make. NIST recommends at least 1000.

Default Value

10000

Allowed Values

An integer value. Lower value is 1.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

PKCS5S2 Password Storage Scheme

Password Storage Schemes of type pkcs5s2-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the PKCS5S2 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.PKCS5S2PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

RC4 Password Storage Scheme

Password Storage Schemes of type rc4-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the RC4 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.RC4PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Salted MD5 Password Storage Scheme

Password Storage Schemes of type salted-md5-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Salted MD5 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.SaltedMD5PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Salted SHA1 Password Storage Scheme

Password Storage Schemes of type salted-sha1-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Salted SHA1 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.SaltedSHA1PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Salted SHA256 Password Storage Scheme

Password Storage Schemes of type salted-sha256-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Salted SHA256 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.SaltedSHA256PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Salted SHA384 Password Storage Scheme

Password Storage Schemes of type salted-sha384-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Salted SHA384 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.SaltedSHA384PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Salted SHA512 Password Storage Scheme

Password Storage Schemes of type salted-sha512-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Salted SHA512 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.SaltedSHA512PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

SHA1 Password Storage Scheme

Password Storage Schemes of type sha1-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the SHA1 Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.SHA1PasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Triple DES Password Storage Scheme

Password Storage Schemes of type triple-des-password-storage-scheme have the following properties:

enabled
Description

Indicates whether the Password Storage Scheme is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the Triple DES Password Storage Scheme implementation.

Default Value

org.opends.server.extensions.TripleDESPasswordStorageScheme

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordStorageScheme

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

dsconfig create-password-validator(1)

Name

dsconfig create-password-validator - Creates Password Validators

Synopsis

dsconfig create-password-validator {options}

Description

Creates Password Validators.

Options

The dsconfig create-password-validator command takes the following options:

--validator-name {name}

The name of the new Password Validator.

Password Validator properties depend on the Password Validator type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Password Validator types:

attribute-value-password-validator

Default {name}: Attribute Value Password Validator

Enabled by default: true

See Attribute Value Password Validator for the properties of this Password Validator type.

character-set-password-validator

Default {name}: Character Set Password Validator

Enabled by default: true

See Character Set Password Validator for the properties of this Password Validator type.

dictionary-password-validator

Default {name}: Dictionary Password Validator

Enabled by default: true

See Dictionary Password Validator for the properties of this Password Validator type.

length-based-password-validator

Default {name}: Length Based Password Validator

Enabled by default: true

See Length Based Password Validator for the properties of this Password Validator type.

repeated-characters-password-validator

Default {name}: Repeated Characters Password Validator

Enabled by default: true

See Repeated Characters Password Validator for the properties of this Password Validator type.

similarity-based-password-validator

Default {name}: Similarity Based Password Validator

Enabled by default: true

See Similarity Based Password Validator for the properties of this Password Validator type.

unique-characters-password-validator

Default {name}: Unique Characters Password Validator

Enabled by default: true

See Unique Characters Password Validator for the properties of this Password Validator type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Password Validator properties depend on the Password Validator type, which depends on the --validator-name {name} option.

-t | --type {type}

The type of Password Validator which should be created. The value for TYPE can be one of: attribute-value | character-set | custom | dictionary | length-based | repeated-characters | similarity-based | unique-characters.

Password Validator properties depend on the Password Validator type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Password Validator types:

attribute-value-password-validator

Default {type}: Attribute Value Password Validator

Enabled by default: true

See Attribute Value Password Validator for the properties of this Password Validator type.

character-set-password-validator

Default {type}: Character Set Password Validator

Enabled by default: true

See Character Set Password Validator for the properties of this Password Validator type.

dictionary-password-validator

Default {type}: Dictionary Password Validator

Enabled by default: true

See Dictionary Password Validator for the properties of this Password Validator type.

length-based-password-validator

Default {type}: Length Based Password Validator

Enabled by default: true

See Length Based Password Validator for the properties of this Password Validator type.

repeated-characters-password-validator

Default {type}: Repeated Characters Password Validator

Enabled by default: true

See Repeated Characters Password Validator for the properties of this Password Validator type.

similarity-based-password-validator

Default {type}: Similarity Based Password Validator

Enabled by default: true

See Similarity Based Password Validator for the properties of this Password Validator type.

unique-characters-password-validator

Default {type}: Unique Characters Password Validator

Enabled by default: true

See Unique Characters Password Validator for the properties of this Password Validator type.

Attribute Value Password Validator

Password Validators of type attribute-value-password-validator have the following properties:

check-substrings
Description

Indicates whether this password validator is to match portions of the password string against attribute values. If "false" then only match the entire password against attribute values otherwise ("true") check whether the password contains attribute values.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.AttributeValuePasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

match-attribute
Description

Specifies the name(s) of the attribute(s) whose values should be checked to determine whether they match the provided password. If no values are provided, then the server checks if the proposed password matches the value of any attribute in the user's entry.

Default Value

All attributes in the user entry will be checked.

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

min-substring-length
Description

Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.

Default Value

5

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

test-reversed-password
Description

Indicates whether this password validator should test the reversed value of the provided password as well as the order in which it was given.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Character Set Password Validator

Password Validators of type character-set-password-validator have the following properties:

allow-unclassified-characters
Description

Indicates whether this password validator allows passwords to contain characters outside of any of the user-defined character sets and ranges. If this is "false", then only those characters in the user-defined character sets and ranges may be used in passwords. Any password containing a character not included in any character set or range will be rejected.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

character-set
Description

Specifies a character set containing characters that a password may contain and a value indicating the minimum number of characters required from that set. Each value must be an integer (indicating the minimum required characters from the set which may be zero, indicating that the character set is optional) followed by a colon and the characters to include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz" indicates that a user password must contain at least three characters from the set of lowercase ASCII letters). Multiple character sets can be defined in separate values, although no character can appear in more than one character set.

Default Value

If no sets are specified, the validator only uses the defined character ranges.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

character-set-ranges
Description

Specifies a character range containing characters that a password may contain and a value indicating the minimum number of characters required from that range. Each value must be an integer (indicating the minimum required characters from the range which may be zero, indicating that the character range is optional) followed by a colon and one or more range specifications. A range specification is 3 characters: the first character allowed, a minus, and the last character allowed. For example, "3:A-Za-z0-9". The ranges in each value should not overlap, and the characters in each range specification should be ordered.

Default Value

If no ranges are specified, the validator only uses the defined character sets.

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.CharacterSetPasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

min-character-sets
Description

Specifies the minimum number of character sets and ranges that a password must contain. This property should only be used in conjunction with optional character sets and ranges (those requiring zero characters). Its value must include any mandatory character sets and ranges (those requiring greater than zero characters). This is useful in situations where a password must contain characters from mandatory character sets and ranges, and characters from at least N optional character sets and ranges. For example, it is quite common to require that a password contains at least one non-alphanumeric character as well as characters from two alphanumeric character sets (lower-case, upper-case, digits). In this case, this property should be set to 3.

Default Value

The password must contain characters from each of the mandatory character sets and ranges and, if there are optional character sets and ranges, at least one character from one of the optional character sets and ranges.

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Dictionary Password Validator

Password Validators of type dictionary-password-validator have the following properties:

case-sensitive-validation
Description

Indicates whether this password validator is to treat password characters in a case-sensitive manner. If it is set to true, then the validator rejects a password only if it appears in the dictionary with exactly the same capitalization as provided by the user.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

check-substrings
Description

Indicates whether this password validator is to match portions of the password string against dictionary words. If "false" then only match the entire password against words otherwise ("true") check whether the password contains words.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

dictionary-file
Description

Specifies the path to the file containing a list of words that cannot be used as passwords. It should be formatted with one word per line. The value can be an absolute path or a path that is relative to the OpenDJ instance root.

Default Value

For Unix and Linux systems: config/wordlist.txt. For Windows systems: config\wordlist.txt

Allowed Values

The path to any text file contained on the system that is readable by the server.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.DictionaryPasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

min-substring-length
Description

Indicates the minimal length of the substring within the password in case substring checking is enabled. If "check-substrings" option is set to true, then this parameter defines the length of the smallest word which should be used for substring matching. Use with caution because values below 3 might disqualify valid passwords.

Default Value

5

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

test-reversed-password
Description

Indicates whether this password validator is to test the reversed value of the provided password as well as the order in which it was given. For example, if the user provides a new password of "password" and this configuration attribute is set to true, then the value "drowssap" is also tested against attribute values in the user's entry.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Length Based Password Validator

Password Validators of type length-based-password-validator have the following properties:

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.LengthBasedPasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-password-length
Description

Specifies the maximum number of characters that can be included in a proposed password. A value of zero indicates that there will be no upper bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.

Default Value

0

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

min-password-length
Description

Specifies the minimum number of characters that must be included in a proposed password. A value of zero indicates that there will be no lower bound enforced. If both minimum and maximum lengths are defined, then the minimum length must be less than or equal to the maximum length.

Default Value

6

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Repeated Characters Password Validator

Password Validators of type repeated-characters-password-validator have the following properties:

case-sensitive-validation
Description

Indicates whether this password validator should treat password characters in a case-sensitive manner. If the value of this property is false, the validator ignores any differences in capitalization when looking for consecutive characters in the password. If the value is true, the validator considers a character to be repeating only if all consecutive occurrences use the same capitalization.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.RepeatedCharactersPasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

max-consecutive-length
Description

Specifies the maximum number of times that any character can appear consecutively in a password value. A value of zero indicates that no maximum limit is enforced.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Similarity Based Password Validator

Password Validators of type similarity-based-password-validator have the following properties:

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.SimilarityBasedPasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

min-password-difference
Description

Specifies the minimum difference of new and old password. A value of zero indicates that no difference between passwords is acceptable.

Default Value

None

Allowed Values

An integer value. Lower value is 0. Upper value is 2147483647.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

Unique Characters Password Validator

Password Validators of type unique-characters-password-validator have the following properties:

case-sensitive-validation
Description

Indicates whether this password validator should treat password characters in a case-sensitive manner. A value of true indicates that the validator does not consider a capital letter to be the same as its lower-case counterpart. A value of false indicates that the validator ignores differences in capitalization when looking at the number of unique characters in the password.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the password validator is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the password validator implementation.

Default Value

org.opends.server.extensions.UniqueCharactersPasswordValidator

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.PasswordValidator

Multi-valued

No

Required

Yes

Admin Action Required

The Password Validator must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

min-unique-characters
Description

Specifies the minimum number of unique characters that a password will be allowed to contain. A value of zero indicates that no minimum value is enforced.

Default Value

None

Allowed Values

An integer value. Lower value is 0.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

dsconfig create-plugin(1)

Name

dsconfig create-plugin - Creates Plugins

Synopsis

dsconfig create-plugin {options}

Description

Creates Plugins.

Options

The dsconfig create-plugin command takes the following options:

--plugin-name {name}

The name of the new Plugin.

Plugin properties depend on the Plugin type, which depends on the {name} you provide.

By default, OpenDJ directory server supports the following Plugin types:

attribute-cleanup-plugin

Default {name}: Attribute Cleanup Plugin

Enabled by default: true

See Attribute Cleanup Plugin for the properties of this Plugin type.

change-number-control-plugin

Default {name}: Change Number Control Plugin

Enabled by default: true

See Change Number Control Plugin for the properties of this Plugin type.

entry-uuid-plugin

Default {name}: Entry UUID Plugin

Enabled by default: true

See Entry UUID Plugin for the properties of this Plugin type.

fractional-ldif-import-plugin

Default {name}: Fractional LDIF Import Plugin

Enabled by default: true

See Fractional LDIF Import Plugin for the properties of this Plugin type.

last-mod-plugin

Default {name}: Last Mod Plugin

Enabled by default: true

See Last Mod Plugin for the properties of this Plugin type.

ldap-attribute-description-list-plugin

Default {name}: LDAP Attribute Description List Plugin

Enabled by default: true

See LDAP Attribute Description List Plugin for the properties of this Plugin type.

password-policy-import-plugin

Default {name}: Password Policy Import Plugin

Enabled by default: true

See Password Policy Import Plugin for the properties of this Plugin type.

profiler-plugin

Default {name}: Profiler Plugin

Enabled by default: true

See Profiler Plugin for the properties of this Plugin type.

referential-integrity-plugin

Default {name}: Referential Integrity Plugin

Enabled by default: true

See Referential Integrity Plugin for the properties of this Plugin type.

samba-password-plugin

Default {name}: Samba Password Plugin

Enabled by default: true

See Samba Password Plugin for the properties of this Plugin type.

seven-bit-clean-plugin

Default {name}: Seven Bit Clean Plugin

Enabled by default: true

See Seven Bit Clean Plugin for the properties of this Plugin type.

unique-attribute-plugin

Default {name}: Unique Attribute Plugin

Enabled by default: true

See Unique Attribute Plugin for the properties of this Plugin type.

--set {PROP:VALUE}

Assigns a value to a property where PROP is the name of the property and VALUE is the single value to be assigned. Specify the same property multiple times in order to assign more than one value to it.

Plugin properties depend on the Plugin type, which depends on the --plugin-name {name} option.

-t | --type {type}

The type of Plugin which should be created. The value for TYPE can be one of: attribute-cleanup | change-number-control | custom | entry-uuid | fractional-ldif-import | last-mod | ldap-attribute-description-list | password-policy-import | profiler | referential-integrity | samba-password | seven-bit-clean | unique-attribute.

Plugin properties depend on the Plugin type, which depends on the {type} you provide.

By default, OpenDJ directory server supports the following Plugin types:

attribute-cleanup-plugin

Default {type}: Attribute Cleanup Plugin

Enabled by default: true

See Attribute Cleanup Plugin for the properties of this Plugin type.

change-number-control-plugin

Default {type}: Change Number Control Plugin

Enabled by default: true

See Change Number Control Plugin for the properties of this Plugin type.

entry-uuid-plugin

Default {type}: Entry UUID Plugin

Enabled by default: true

See Entry UUID Plugin for the properties of this Plugin type.

fractional-ldif-import-plugin

Default {type}: Fractional LDIF Import Plugin

Enabled by default: true

See Fractional LDIF Import Plugin for the properties of this Plugin type.

last-mod-plugin

Default {type}: Last Mod Plugin

Enabled by default: true

See Last Mod Plugin for the properties of this Plugin type.

ldap-attribute-description-list-plugin

Default {type}: LDAP Attribute Description List Plugin

Enabled by default: true

See LDAP Attribute Description List Plugin for the properties of this Plugin type.

password-policy-import-plugin

Default {type}: Password Policy Import Plugin

Enabled by default: true

See Password Policy Import Plugin for the properties of this Plugin type.

profiler-plugin

Default {type}: Profiler Plugin

Enabled by default: true

See Profiler Plugin for the properties of this Plugin type.

referential-integrity-plugin

Default {type}: Referential Integrity Plugin

Enabled by default: true

See Referential Integrity Plugin for the properties of this Plugin type.

samba-password-plugin

Default {type}: Samba Password Plugin

Enabled by default: true

See Samba Password Plugin for the properties of this Plugin type.

seven-bit-clean-plugin

Default {type}: Seven Bit Clean Plugin

Enabled by default: true

See Seven Bit Clean Plugin for the properties of this Plugin type.

unique-attribute-plugin

Default {type}: Unique Attribute Plugin

Enabled by default: true

See Unique Attribute Plugin for the properties of this Plugin type.

Attribute Cleanup Plugin

Plugins of type attribute-cleanup-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.AttributeCleanupPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

preparseadd preparsemodify

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

remove-inbound-attributes
Description

A list of attributes which should be removed from incoming add or modify requests.

Default Value

No attributes will be removed

Allowed Values

A String

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

rename-inbound-attributes
Description

A list of attributes which should be renamed in incoming add or modify requests.

Default Value

No attributes will be renamed

Allowed Values

An attribute name mapping.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Change Number Control Plugin

Plugins of type change-number-control-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.ChangeNumberControlPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

postOperationAdd postOperationDelete postOperationModify postOperationModifyDN

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Entry UUID Plugin

Plugins of type entry-uuid-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.EntryUUIDPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

ldifimport preoperationadd

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Fractional LDIF Import Plugin

Plugins of type fractional-ldif-import-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

None

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

None

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

No

Read-only

No

Last Mod Plugin

Plugins of type last-mod-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.LastModPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

preoperationadd preoperationmodify preoperationmodifydn

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

LDAP Attribute Description List Plugin

Plugins of type ldap-attribute-description-list-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.LDAPADListPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

preparsesearch

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Password Policy Import Plugin

Plugins of type password-policy-import-plugin have the following properties:

default-auth-password-storage-scheme
Description

Specifies the names of password storage schemes that to be used for encoding passwords contained in attributes with the auth password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy should be used to govern them.

Default Value

If the default password policy uses an attribute with the auth password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes auth password values using the "SHA1" scheme.

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import plug-in is enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

default-user-password-storage-scheme
Description

Specifies the names of the password storage schemes to be used for encoding passwords contained in attributes with the user password syntax for entries that do not include the ds-pwp-password-policy-dn attribute specifying which password policy is to be used to govern them.

Default Value

If the default password policy uses the attribute with the user password syntax, then the server uses the default password storage schemes for that password policy. Otherwise, it encodes user password values using the "SSHA" scheme.

Allowed Values

The DN of any Password Storage Scheme. The referenced password storage schemes must be enabled when the Password Policy Import Plugin is enabled.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.PasswordPolicyImportPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

ldifimport

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

Profiler Plugin

Plugins of type profiler-plugin have the following properties:

enable-profiling-on-startup
Description

Indicates whether the profiler plug-in is to start collecting data automatically when the directory server is started. This property is read only when the server is started, and any changes take effect on the next restart. This property is typically set to "false" unless startup profiling is required, because otherwise the volume of data that can be collected can cause the server to run out of memory if it is not turned off in a timely manner.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.profiler.ProfilerPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

startup

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

profile-action
Description

Specifies the action that should be taken by the profiler. A value of "start" causes the profiler thread to start collecting data if it is not already active. A value of "stop" causes the profiler thread to stop collecting data and write it to disk, and a value of "cancel" causes the profiler thread to stop collecting data and discard anything that has been captured. These operations occur immediately.

Default Value

none

Allowed Values
cancel

Stop collecting profile data and discard what has been captured.

none

Do not take any action.

start

Start collecting profile data.

stop

Stop collecting profile data and write what has been captured to a file in the profile directory.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

profile-directory
Description

Specifies the path to the directory where profile information is to be written. This path may be either an absolute path or a path that is relative to the root of the OpenDJ directory server instance. The directory must exist and the directory server must have permission to create new files in it.

Default Value

None

Allowed Values

The path to any directory that exists on the filesystem and that can be read and written by the server user.

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

profile-sample-interval
Description

Specifies the sample interval in milliseconds to be used when capturing profiling information in the server. When capturing data, the profiler thread sleeps for this length of time between calls to obtain traces for all threads running in the JVM.

Default Value

None

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 milliseconds.Upper limit is 2147483647 milliseconds.

Multi-valued

No

Required

Yes

Admin Action Required

NoneChanges to this configuration attribute take effect the next time the profiler is started.

Advanced Property

No

Read-only

No

Referential Integrity Plugin

Plugins of type referential-integrity-plugin have the following properties:

attribute-type
Description

Specifies the attribute types for which referential integrity is to be maintained. At least one attribute type must be specified, and the syntax of any attributes must be either a distinguished name (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID (1.3.6.1.4.1.1466.115.121.1.34).

Default Value

None

Allowed Values

The name of an attribute type defined in the server schema.

Multi-valued

Yes

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

base-dn
Description

Specifies the base DN that limits the scope within which referential integrity is maintained.

Default Value

Referential integrity is maintained in all public naming contexts.

Allowed Values

A valid DN.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

check-references
Description

Specifies whether reference attributes must refer to existing entries. When this property is set to true, this plugin will ensure that any new references added as part of an add or modify operation point to existing entries, and that the referenced entries match the filter criteria for the referencing attribute, if specified.

Default Value

false

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

check-references-filter-criteria
Description

Specifies additional filter criteria which will be enforced when checking references. If a reference attribute has filter criteria defined then this plugin will ensure that any new references added as part of an add or modify operation refer to an existing entry which matches the specified filter.

Default Value

None

Allowed Values

An attribute-filter mapping.

Multi-valued

Yes

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

check-references-scope-criteria
Description

Specifies whether referenced entries must reside within the same naming context as the entry containing the reference. The reference scope will only be enforced when reference checking is enabled.

Default Value

global

Allowed Values
global

References may refer to existing entries located anywhere in the Directory.

naming-context

References must refer to existing entries located within the same naming context.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.ReferentialIntegrityPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

log-file
Description

Specifies the log file location where the update records are written when the plug-in is in background-mode processing. The default location is the logs directory of the server instance, using the file name "referint".

Default Value

logs/referint

Allowed Values

A path to an existing file that is readable by the server.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

postoperationdelete postoperationmodifydn subordinatemodifydn subordinatedelete preoperationadd preoperationmodify

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked after completing the core bind processing but before sending the response to the client.

postoperationcompare

Invoked after completing the core compare processing but before sending the response to the client.

postoperationdelete

Invoked after completing the core delete processing but before sending the response to the client.

postoperationextended

Invoked after completing the core extended processing but before sending the response to the client.

postoperationmodify

Invoked after completing the core modify processing but before sending the response to the client.

postoperationmodifydn

Invoked after completing the core modify DN processing but before sending the response to the client.

postoperationsearch

Invoked after completing the core search processing but before sending the response to the client.

postoperationunbind

Invoked after completing the unbind processing.

postresponseadd

Invoked after sending the add response to the client.

postresponsebind

Invoked after sending the bind response to the client.

postresponsecompare

Invoked after sending the compare response to the client.

postresponsedelete

Invoked after sending the delete response to the client.

postresponseextended

Invoked after sending the extended response to the client.

postresponsemodify

Invoked after sending the modify response to the client.

postresponsemodifydn

Invoked after sending the modify DN response to the client.

postresponsesearch

Invoked after sending the search result done message to the client.

postsynchronizationadd

Invoked after completing post-synchronization processing for an add operation.

postsynchronizationdelete

Invoked after completing post-synchronization processing for a delete operation.

postsynchronizationmodify

Invoked after completing post-synchronization processing for a modify operation.

postsynchronizationmodifydn

Invoked after completing post-synchronization processing for a modify DN operation.

preoperationadd

Invoked prior to performing the core add processing.

preoperationbind

Invoked prior to performing the core bind processing.

preoperationcompare

Invoked prior to performing the core compare processing.

preoperationdelete

Invoked prior to performing the core delete processing.

preoperationextended

Invoked prior to performing the core extended processing.

preoperationmodify

Invoked prior to performing the core modify processing.

preoperationmodifydn

Invoked prior to performing the core modify DN processing.

preoperationsearch

Invoked prior to performing the core search processing.

preparseabandon

Invoked prior to parsing an abandon request.

preparseadd

Invoked prior to parsing an add request.

preparsebind

Invoked prior to parsing a bind request.

preparsecompare

Invoked prior to parsing a compare request.

preparsedelete

Invoked prior to parsing a delete request.

preparseextended

Invoked prior to parsing an extended request.

preparsemodify

Invoked prior to parsing a modify request.

preparsemodifydn

Invoked prior to parsing a modify DN request.

preparsesearch

Invoked prior to parsing a search request.

preparseunbind

Invoked prior to parsing an unbind request.

searchresultentry

Invoked before sending a search result entry to the client.

searchresultreference

Invoked before sending a search result reference to the client.

shutdown

Invoked during a graceful directory server shutdown.

startup

Invoked during the directory server startup process.

subordinatedelete

Invoked in the course of deleting a subordinate entry of a delete operation.

subordinatemodifydn

Invoked in the course of moving or renaming an entry subordinate to the target of a modify DN operation.

Multi-valued

Yes

Required

Yes

Admin Action Required

The Plugin must be disabled and re-enabled for changes to this setting to take effect

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

update-interval
Description

Specifies the interval in seconds when referential integrity updates are made. If this value is 0, then the updates are made synchronously in the foreground.

Default Value

0 seconds

Allowed Values

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

No

Read-only

No

Samba Password Plugin

Plugins of type samba-password-plugin have the following properties:

enabled
Description

Indicates whether the plug-in is enabled for use.

Default Value

None

Allowed Values

true false

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

invoke-for-internal-operations
Description

Indicates whether the plug-in should be invoked for internal operations. Any plug-in that can be invoked for internal operations must ensure that it does not create any new internal operatons that can cause the same plug-in to be re-invoked.

Default Value

true

Allowed Values

true false

Multi-valued

No

Required

No

Admin Action Required

None

Advanced Property

Yes (Use --advanced in interactive mode.)

Read-only

No

java-class
Description

Specifies the fully-qualified name of the Java class that provides the plug-in implementation.

Default Value

org.opends.server.plugins.SambaPasswordPlugin

Allowed Values

A Java class that implements or extends the class(es): org.opends.server.api.plugin.DirectoryServerPlugin

Multi-valued

No

Required

Yes

Admin Action Required

None

Advanced Property

No

Read-only

No

plugin-type
Description

Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked.

Default Value

preoperationmodify postoperationextended

Allowed Values
intermediateresponse

Invoked before sending an intermediate repsonse message to the client.

ldifexport

Invoked for each operation to be written during an LDIF export.

ldifimport

Invoked for each entry read during an LDIF import.

ldifimportbegin

Invoked at the beginning of an LDIF import session.

ldifimportend

Invoked at the end of an LDIF import session.

postconnect

Invoked whenever a new connection is established to the server.

postdisconnect

Invoked whenever an existing connection is terminated (by either the client or the server).

postoperationabandon

Invoked after completing the abandon processing.

postoperationadd

Invoked after completing the core add processing but before sending the response to the client.

postoperationbind

Invoked afte