dsconfig Subcommands Reference

Filters log records associated with connections which match at least one of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

None

An IP address mask

Yes

No

None

No

No

Filters log records associated with connections which do not match any of the specified client host names or address masks. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

None

An IP address mask

Yes

No

None

No

No

Filters log records associated with connections to any of the specified listener port numbers.

None

An integer value. Lower value is 1. Upper value is 65535.

Yes

No

None

No

No

Filters log records associated with connections which match any of the specified protocols. Typical values include "ldap", "ldaps", or "jmx".

None

The protocol name as reported in the access log.

Yes

No

None

No

No

Filters log records based on their type.

None

Abandon operations

Add operations

Bind operations

Compare operations

Client connections

Delete operations

Client disconnections

Extended operations

Modify operations

Rename operations

Search operations

Unbind operations

Yes

No

None

No

No

Filters operation log records associated with operations which target entries matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

None

A String

Yes

No

None

No

No

Filters operation log records associated with operations which target entries matching none of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

None

A String

Yes

No

None

No

No

Filters operation response log records associated with operations which took longer than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

An integer value. Lower value is 0.

No

No

None

No

No

Filters operation response log records associated with operations which took less than the specified number of milli-seconds to complete. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

An integer value. Lower value is 0.

No

No

None

No

No

Filters operation response log records associated with operations which include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

An integer value. Lower value is 0.

Yes

No

None

No

No

Filters operation response log records associated with operations which do not include any of the specified result codes. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

An integer value. Lower value is 0.

Yes

No

None

No

No

Filters search operation response log records associated with searches which were either indexed or unindexed. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

true false

No

No

None

No

No

Filters search operation response log records associated with searches which returned more than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

An integer value. Lower value is 0.

No

No

None

No

No

Filters search operation response log records associated with searches which returned less than the specified number of entries. It is recommended to only use this criteria in conjunction with the "combined" output mode of the access logger, since this filter criteria is only applied to response log messages.

None

An integer value. Lower value is 0.

No

No

None

No

No

Filters log records associated with users matching at least one of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

None

A String

Yes

No

None

No

No

Filters log records associated with users which do not match any of the specified DN patterns. Valid DN filters are strings composed of zero or more wildcards. A double wildcard replaces one or more RDN components (as in uid=dmiller,,dc=example,dc=com). A simple wildcard * replaces either a whole RDN, or a whole type, or a value substring (as in uid=bj*,ou=people,dc=example,dc=com).

None

A String

Yes

No

None

No

No

Filters log records associated with users which are members of at least one of the specified groups.

None

A valid DN.

Yes

No

None

No

No

Filters log records associated with users which are not members of any of the specified groups.

None

A valid DN.

Yes

No

None

No

No

Indicates which types of event can trigger an account status notification.

None

Generate a notification whenever a user account has been disabled by an administrator.

Generate a notification whenever a user account has been enabled by an administrator.

Generate a notification whenever a user authentication has failed because the account has expired.

Generate a notification whenever a user account has been locked because it was idle for too long.

Generate a notification whenever a user account has been permanently locked after too many failed attempts.

Generate a notification whenever a user account has been locked, because the password had been reset by an administrator but not changed by the user within the required interval.

Generate a notification whenever a user account has been temporarily locked after too many failed attempts.

Generate a notification whenever a user account has been unlocked by an administrator.

Generate a notification whenever a user changes his/her own password.

Generate a notification whenever a user authentication has failed because the password has expired.

Generate a notification whenever a password expiration warning is encountered for a user password for the first time.

Generate a notification whenever a user’s password is reset by an administrator.

Yes

Yes

None

No

No

Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the Error Log Account Status Notification Handler implementation.

org.opends.server.extensions.ErrorLogAccountStatusNotificationHandler

A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler

No

Yes

The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies which attribute in the user's entries may be used to obtain the email address when notifying the end user. You can specify more than one email address as separate values. In this case, the OpenDJ server sends a notification to all email addresses identified.

If no email address attribute types are specified, then no attempt is made to send email notification messages to end users. Only those users specified in the set of additional recipient addresses are sent the notification messages.

The name of an attribute type defined in the server schema.

Yes

No

None

No

No

Indicates whether the Account Status Notification Handler is enabled. Only enabled handlers are invoked whenever a related event occurs in the server.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the SMTP Account Status Notification Handler implementation.

org.opends.server.extensions.SMTPAccountStatusNotificationHandler

A Java class that implements or extends the class(es): org.opends.server.api.AccountStatusNotificationHandler

No

Yes

The Account Status Notification Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the subject that should be used for email messages generated by this account status notification handler. The values for this property should begin with the name of an account status notification type followed by a colon and the subject that should be used for the associated notification message. If an email message is generated for an account status notification type for which no subject is defined, then that message is given a generic subject.

None

A String

Yes

Yes

None

No

No

Specifies the path to the file containing the message template to generate the email notification messages. The values for this property should begin with the name of an account status notification type followed by a colon and the path to the template file that should be used for that notification type. If an account status notification has a notification type that is not associated with a message template file, then no email message is generated for that notification.

None

A String

Yes

Yes

None

No

No

Specifies an email address to which notification messages are sent, either instead of or in addition to the end user for whom the notification has been generated. This may be used to ensure that server administrators also receive a copy of any notification messages that are generated.

If no additional recipient addresses are specified, then only the end users that are the subjects of the account status notifications receive the notification messages.

A String

Yes

No

None

No

No

Indicates whether an email notification message should be sent as HTML. If this value is true, email notification messages are marked as text/html. Otherwise outgoing email messages are assumed to be plaintext and marked as text/plain.

false

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether an email notification message should be generated and sent to the set of notification recipients even if the user entry does not contain any values for any of the email address attributes (that is, in cases when it is not be possible to notify the end user). This is only applicable if both one or more email address attribute types and one or more additional recipient addresses are specified.

true

true false

No

Yes

None

Yes (Use --advanced in interactive mode.)

No

Specifies the email address from which the message is sent. Note that this does not necessarily have to be a legitimate email address.

None

A String

No

Yes

None

No

No

Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

A String

Yes

No

None

No

No

Indicates whether the Alert Handler is enabled.

None

true false

No

Yes

None

No

No

Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.

All alerts with types not included in the set of disabled alert types are allowed.

A String

Yes

No

None

No

No

Specifies the fully-qualified name of the Java class that provides the JMX Alert Handler implementation.

org.opends.server.extensions.JMXAlertHandler

A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler

No

Yes

The Alert Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the names of the alert types that are disabled for this alert handler. If there are any values for this attribute, then no alerts with any of the specified types are allowed. If there are no values for this attribute, then only alerts with a type included in the set of enabled alert types are allowed, or if there are no values for the enabled alert types option, then all alert types are allowed.

If there is a set of enabled alert types, then only alerts with one of those types are allowed. Otherwise, all alerts are allowed.

A String

Yes

No

None

No

No

Indicates whether the Alert Handler is enabled.

None

true false

No

Yes

None

No

No

Specifies the names of the alert types that are enabled for this alert handler. If there are any values for this attribute, then only alerts with one of the specified types are allowed (unless they are also included in the disabled alert types). If there are no values for this attribute, then any alert with a type not included in the list of disabled alert types is allowed.

All alerts with types not included in the set of disabled alert types are allowed.

A String

Yes

No

None

No

No

Specifies the fully-qualified name of the Java class that provides the SMTP Alert Handler implementation.

org.opends.server.extensions.SMTPAlertHandler

A Java class that implements or extends the class(es): org.opends.server.api.AlertHandler

No

Yes

The Alert Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the body that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.

None

A String

No

Yes

None

No

No

Specifies the subject that should be used for email messages generated by this alert handler. The token "%%%%alert-type%%%%" is dynamically replaced with the alert type string. The token "%%%%alert-id%%%%" is dynamically replaced with the alert ID value. The token "%%%%alert-message%%%%" is dynamically replaced with the alert message. The token "\n" is replaced with an end-of-line marker.

None

A String

No

Yes

None

No

No

Specifies an email address to which the messages should be sent. Multiple values may be provided if there should be more than one recipient.

None

A String

Yes

Yes

None

No

No

Specifies the email address to use as the sender for messages generated by this alert handler.

None

A String

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the path to a backup directory containing one or more backups for a particular backend. This is a multivalued property. Each value may specify a different backup directory if desired (one for each backend for which backups are taken). Values may be either absolute paths or paths that are relative to the base of the OpenDJ directory server installation.

None

A String

Yes

Yes

None

No

No

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.BackupBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

disabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

Yes (Use --advanced in interactive mode.)

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Specifies the key length in bits for the preferred cipher.

128

An integer value. Lower value is 0.

No

No

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

No

No

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

AES/CBC/PKCS5Padding

A String

No

No

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

No

No

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

true

true false

No

No

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

No

No

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

false

true false

No

No

None

No

No

Specifies the keyspace name The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

ldap_opendj

A String

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

false

true false

No

No

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Yes (Use --advanced in interactive mode.)

No

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Use only heap memory.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

4000

An integer value. Lower value is 0. Upper value is 2147483647.

No

No

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

No

No

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

false

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

25

An integer value. Lower value is 1.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.cassandra.Backend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

0s

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Specifies the key length in bits for the preferred cipher.

128

An integer value. Lower value is 0.

No

No

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

No

No

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

AES/CBC/PKCS5Padding

A String

No

No

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

No

No

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

true

true false

No

No

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

No

No

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

false

true false

No

No

None

No

No

Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.

50

An integer value. Lower value is 1. Upper value is 90.

No

No

None

No

No

The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.

0 MB

No

No

None

No

No

Specifies the maximum number of bytes that may be written to the database before it is forced to perform a checkpoint. This can be used to bound the recovery time that may be required if the database environment is opened without having been properly closed. If this property is set to a non-zero value, the checkpointer wakeup interval is not used. To use time-based checkpointing, set this property to zero.

500mb

Upper value is 9223372036854775807.

No

No

Restart the server

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum length of time that may pass between checkpoints. Note that this is only used if the value of the checkpointer bytes interval is zero.

30s

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 seconds.Upper limit is 4294 seconds.

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the occupancy percentage for "live" data in this backend's database. When the amount of "live" data in the database drops below this value, cleaners will act to increase the occupancy percentage by compacting the database.

50

An integer value. Lower value is 0. Upper value is 90.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the path to the filesystem directory that is used to hold the Berkeley DB Java Edition database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

db

A String

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

No

No

Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.

700

Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).

No

No

Restart the server

Yes (Use --advanced in interactive mode.)

No

Specifies the core number of threads in the eviction thread pool. Specifies the core number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

1

An integer value. Lower value is 0. Upper value is 2147483647.

No

No

None

Yes (Use --advanced in interactive mode.)

No

The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. The duration that excess threads in the eviction thread pool will stay idle. After this period, idle threads will terminate. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

600s

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 1 seconds.Upper limit is 86400 seconds.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether the database should evict existing data from the cache based on an LRU policy (where the least recently used information will be evicted first). If set to "false", then the eviction keeps internal nodes of the underlying Btree in the cache over leaf nodes, even if the leaf nodes have been accessed more recently. This may be a better configuration for databases in which only a very small portion of the data is cached.

false

true false

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum number of threads in the eviction thread pool. Specifies the maximum number of threads in the eviction thread pool. These threads help keep memory usage within cache bounds, offloading work from application threads. db-evictor-core-threads, db-evictor-max-threads and db-evictor-keep-alive are used to configure the core, max and keepalive attributes for the eviction thread pool.

10

An integer value. Lower value is 1. Upper value is 2147483647.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the number of Btree nodes that should be evicted from the cache in a single pass if it is determined that it is necessary to free existing data in order to make room for new information. Changes to this property do not take effect until the backend is restarted. It is recommended that you also change this property when you set db-evictor-lru-only to false. This setting controls the number of Btree nodes that are considered, or sampled, each time a node is evicted. A setting of 10 often produces good results, but this may vary from application to application. The larger the nodes per scan, the more accurate the algorithm. However, don't set it too high. When considering larger numbers of nodes for each eviction, the evictor may delay the completion of a given database operation, which impacts the response time of the application thread. In JE 4.1 and later, setting this value too high in an application that is largely CPU bound can reduce the effectiveness of cache eviction. It's best to start with the default value, and increase it gradually to see if it is beneficial for your application.

10

An integer value. Lower value is 1. Upper value is 1000.

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum size for a database log file.

100mb

Lower value is 1000000.Upper value is 4294967296.

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the size of the file handle cache. The file handle cache is used to keep as much opened log files as possible. When the cache is smaller than the number of logs, the database needs to close some handles and open log files it needs, resulting in less optimal performances. Ideally, the size of the cache should be higher than the number of files contained in the database. Make sure the OS number of open files per process is also tuned appropriately.

100

An integer value. Lower value is 3. Upper value is 2147483647.

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Indicates whether the database should maintain a je.info file in the same directory as the database log directory. This file contains information about the internal processing performed by the underlying database.

true

true false

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the log level that should be used by the database when it is writing information into the je.info file. The database trace logging level is (in increasing order of verbosity) chosen from: OFF, SEVERE, WARNING, INFO, CONFIG, FINE, FINER, FINEST, ALL.

CONFIG

A String

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the number of threads that the backend should maintain to keep the database log files at or near the desired utilization. In environments with high write throughput, multiple cleaner threads may be required to maintain the desired utilization.

Let the server decide.

An integer value. Lower value is 1.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the number of lock tables that are used by the underlying database. This can be particularly important to help improve scalability by avoiding contention on systems with large numbers of CPUs. The value of this configuration property should be set to a prime number that is less than or equal to the number of worker threads configured for use in the server.

Let the server decide.

An integer value. Lower value is 1. Upper value is 32767.

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Indicates whether the cleaner threads should be enabled to compact the database. The cleaner threads are used to periodically compact the database when it reaches a percentage of occupancy lower than the amount specified by the db-cleaner-min-utilization property. They identify database files with a low percentage of live data, and relocate their remaining live data to the end of the log.

true

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).

false

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether the database should synchronously flush data as it is written to disk. If this value is set to "false", then all data written to disk is synchronously flushed to persistent storage and thereby providing full durability. If it is set to "true", then data may be cached for a period of time by the underlying operating system before actually being written to disk. This may improve performance, but could cause the most recent changes to be lost in the event of an underlying OS or hardware failure (but not in the case that the OpenDJ directory server or the JVM exits abnormally).

true

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.

100 megabytes

No

No

None

Yes (Use --advanced in interactive mode.)

No

Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.

200 megabytes

No

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

false

true false

No

No

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Yes (Use --advanced in interactive mode.)

No

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Use only heap memory.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

4000

An integer value. Lower value is 0. Upper value is 2147483647.

No

No

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

No

No

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

false

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

25

An integer value. Lower value is 1.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.jeb.JEBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the database and environment properties for the Berkeley DB Java Edition database serving the data for this backend. Any Berkeley DB Java Edition property can be specified using the following form: property-name=property-value. Refer to OpenDJ documentation for further information on related properties, their implications, and range values. The definitive identification of all the property parameters is available in the example.properties file of Berkeley DB Java Edition distribution.

None

A String

Yes

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

0s

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Indicates whether the backend should be considered a private backend, which indicates that it is used for storing operational data rather than user-defined information.

false

true false

No

No

The Backend must be disabled and re-enabled for changes to this setting to take effect

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.LDIFBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the path to the LDIF file containing the data for this backend.

None

A String

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

No

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.MemoryBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.MonitorBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

disabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.NullBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Specifies the key length in bits for the preferred cipher.

128

An integer value. Lower value is 0.

No

No

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

No

No

Specifies the cipher for the directory server. The syntax is "algorithm/mode/padding". The full transformation is required: specifying only an algorithm and allowing the cipher provider to supply the default mode and padding is not supported, because there is no guarantee these default values are the same among different implementations. Some cipher algorithms, including RC4 and ARCFOUR, do not have a mode or padding, and hence must be specified using NONE for the mode field and NoPadding for the padding field. For example, RC4/NONE/NoPadding.

AES/CBC/PKCS5Padding

A String

No

No

NoneChanges to this property take effect immediately but only affect cryptographic operations performed after the change.

No

No

Indicates whether the backend should use a compact form when encoding entries by compressing the attribute descriptions and object class sets. Note that this property applies only to the entries themselves and does not impact the index data.

true

true false

No

No

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

No

No

Indicates whether the backend should make entries in database files readable only by Directory Server. Confidentiality is achieved by enrypting entries before writing them to the underlying storage. Entry encryption will protect data on disk from unauthorised parties reading the files; for complete protection, also set confidentiality for sensitive attributes indexes. The property cannot be set to false if some of the indexes have confidentiality set to true.

false

true false

No

No

None

No

No

Specifies the percentage of JVM memory to allocate to the database cache. Specifies the percentage of memory available to the JVM that should be used for caching database contents. Note that this is only used if the value of the db-cache-size property is set to "0 MB". Otherwise, the value of that property is used instead to control the cache size configuration.

50

An integer value. Lower value is 1. Upper value is 90.

No

No

None

No

No

The amount of JVM memory to allocate to the database cache. Specifies the amount of memory that should be used for caching database contents. A value of "0 MB" indicates that the db-cache-percent property should be used instead to specify the cache size.

0 MB

No

No

None

No

No

Specifies the maximum length of time that may pass between checkpoints. This setting controls the elapsed time between attempts to write a checkpoint to the journal. A longer interval allows more updates to accumulate in buffers before they are required to be written to disk, but also potentially causes recovery from an abrupt termination (crash) to take more time.

15s

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 10 seconds.Upper limit is 3600 seconds.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the path to the filesystem directory that is used to hold the Persistit database files containing the data for this backend. The path may be either an absolute path or a path relative to the directory containing the base of the OpenDJ directory server installation. The path may be any valid directory path in which the server has appropriate permissions to read and write files and has sufficient space to hold the database contents.

db

A String

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

No

No

Specifies the permissions that should be applied to the directory containing the server database files. They should be expressed as three-digit octal values, which is the traditional representation for UNIX file permissions. The three digits represent the permissions that are available for the directory's owner, group members, and other users (in that order), and each digit is the octal representation of the read, write, and execute bits. Note that this only impacts permissions on the database directory and not on the files written into that directory. On UNIX systems, the user's umask controls permissions given to the database files.

700

Any octal value between 700 and 777 (the owner must always have read, write, and execute permissions on the directory).

No

No

Restart the server

Yes (Use --advanced in interactive mode.)

No

Indicates whether database writes should be primarily written to an internal buffer but not immediately written to disk. Setting the value of this configuration attribute to "true" may improve write performance but could cause the most recent changes to be lost if the OpenDJ directory server or the underlying JVM exits abnormally, or if an OS or hardware failure occurs (a behavior similar to running with transaction durability disabled in the Sun Java System Directory Server).

true

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

Full disk threshold to limit database updates When the available free space on the disk used by this database instance falls below the value specified, no updates are permitted and the server returns an UNWILLING_TO_PERFORM error. Updates are allowed again as soon as free space rises above the threshold.

100 megabytes

No

No

None

Yes (Use --advanced in interactive mode.)

No

Low disk threshold to limit database updates Specifies the "low" free space on the disk. When the available free space on the disk used by this database instance falls below the value specified, protocol updates on this database are permitted only by a user with the BYPASS_LOCKDOWN privilege.

200 megabytes

No

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Indicates whether the backend should attempt to compress entries before storing them in the database. Note that this property applies only to the entries themselves and does not impact the index data. Further, the effectiveness of the compression is based on the type of data contained in the entry.

false

true false

No

No

NoneChanges to this setting take effect only for writes that occur after the change is made. It is not retroactively applied to existing data.

Yes (Use --advanced in interactive mode.)

No

Specifies the amount of off-heap memory dedicated to the online operation (import-ldif, rebuild-index).

Use only heap memory.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum number of entries that is allowed to match a given index key before that particular index key is no longer maintained. This property is analogous to the ALL IDs threshold in the Sun Java System Directory Server. Note that this is the default limit for the backend, and it may be overridden on a per-attribute basis.A value of 0 means there is no limit.

4000

An integer value. Lower value is 0. Upper value is 2147483647.

No

No

NoneIf any index keys have already reached this limit, indexes need to be rebuilt before they are allowed to use the new limit.

No

No

Indicates whether to gather statistical information about the search filters processed by the directory server while evaluating the usage of indexes. Analyzing indexes requires gathering search filter usage patterns from user requests, especially for values as specified in the filters and subsequently looking the status of those values into the index files. When a search requests is processed, internal or user generated, a first phase uses indexes to find potential entries to be returned. Depending on the search filter, if the index of one of the specified attributes matches too many entries (exceeds the index entry limit), the search becomes non-indexed. In any case, all entries thus gathered (or the entire DIT) are matched against the filter for actually returning the search result.

false

true false

No

No

None

Yes (Use --advanced in interactive mode.)

No

The maximum number of search filter statistics to keep. When the maximum number of search filter is reached, the least used one will be deleted.

25

An integer value. Lower value is 1.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.pdb.PDBBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the length of time that the backend is allowed to spend "pre-loading" data when it is initialized. The pre-load process is used to pre-populate the database cache, so that it can be more quickly available when the server is processing requests. A duration of zero means there is no pre-load.

0s

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.Upper limit is 2147483647 milliseconds.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.SchemaBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Defines the base DNs of the subtrees in which the schema information is published in addition to the value included in the base-dn property. The value provided in the base-dn property is the only one that appears in the subschemaSubentry operational attribute of the server's root DSE (which is necessary because that is a single-valued attribute) and as a virtual attribute in other entries. The schema-entry-dn attribute may be used to make the schema information available in other locations to accommodate certain client applications that have been hard-coded to expect the schema to reside in a specific location.

cn=schema

A valid DN.

Yes

No

None

Yes (Use --advanced in interactive mode.)

No

Indicates whether to treat all attributes in the schema entry as if they were user attributes regardless of their configuration. This may provide compatibility with some applications that expect schema attributes like attributeTypes and objectClasses to be included by default even if they are not requested. Note that the ldapSyntaxes attribute is always treated as operational in order to avoid problems with attempts to modify the schema over protocol.

None

true false

No

Yes

None

No

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.task.TaskBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the email address to use as the sender (that is, the "From:" address) address for notification mail messages generated when a task completes execution.

The default sender address used is "opendj-task-notification@" followed by the canonical address of the system on which the server is running.

A String

No

No

None

No

No

Specifies the path to the backing file for storing information about the tasks configured in the server. It may be either an absolute path or a relative path to the base of the OpenDJ directory server instance.

None

A String

No

Yes

None

No

No

Specifies the length of time that task entries should be retained after processing on the associated task has been completed.

24 hours

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 seconds.

No

No

None

No

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies a name to identify the associated backend. The name must be unique among all backends in the server. The backend ID may not be altered after the backend is created in the server.

None

A String

No

Yes

None

No

Yes

Specifies the base DN(s) for the data that the backend handles. A single backend may be responsible for one or more base DNs. Note that no two backends may have the same base DN although one backend may have a base DN that is below a base DN provided by another backend (similar to the use of sub-suffixes in the Sun Java System Directory Server). If any of the base DNs is subordinate to a base DN for another backend, then all base DNs for that backend must be subordinate to that same base DN.

None

A valid DN.

Yes

Yes

NoneNo administrative action is required by default although some action may be required on a per-backend basis before the new base DN may be used.

No

No

Indicates whether the backend is enabled in the server. If a backend is not enabled, then its contents are not accessible when processing operations.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the backend implementation.

org.opends.server.backends.TrustStoreBackend

A Java class that implements or extends the class(es): org.opends.server.api.Backend

No

Yes

The Backend must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the path to the file that stores the trust information. It may be an absolute path, or a path that is relative to the OpenDJ instance root.

config/ads-truststore

A String

No

Yes

None

No

No

Specifies the clear-text PIN needed to access the Trust Store Backend .

None

A String

No

No

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

No

No

Specifies the name of the environment variable that contains the clear-text PIN needed to access the Trust Store Backend .

None

A String

No

No

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

No

No

Specifies the path to the text file whose only contents should be a single line containing the clear-text PIN needed to access the Trust Store Backend .

None

A String

No

No

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

No

No

Specifies the name of the Java property that contains the clear-text PIN needed to access the Trust Store Backend .

None

A String

No

No

NoneChanges to this property will take effect the next time that the Trust Store Backend is accessed.

No

No

Specifies the format for the data in the key store file. Valid values should always include 'JKS' and 'PKCS12', but different implementations may allow other values as well.

The JVM default value is used.

A String

No

No

NoneChanges to this property take effect the next time that the key manager is accessed.

No

No

Specifies the behavior that the backend should use when processing write operations.

enabled

Causes all write attempts to fail.

Allows write operations to be performed in that backend (if the requested operation is valid, the user has permission to perform the operation, the backend supports that type of write operation, and the global writability-mode property is also enabled).

Causes external write attempts to fail but allows writes by replication and internal operations.

No

Yes

None

No

No

Specifies the name of the attribute for which the index is to be maintained.

None

The name of an attribute type defined in the server schema.

No

Yes

None

No

Yes

Specifies whether contents of the index should be confidential. Setting the flag to true will hash keys for equality type indexes using SHA-1 and encrypt the list of entries matching a substring key for substring indexes.

false

true false

No

No

If the index for the attribute must be protected for security purposes and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate. The property cannot be set on a backend for which confidentiality is not enabled.

No

No

Specifies the maximum number of entries that are allowed to match a given index key before that particular index key is no longer maintained. This is analogous to the ALL IDs threshold in the Sun Java System Directory Server. If this is specified, its value overrides the JE backend-wide configuration. For no limit, use 0 for the value.

4000

An integer value. Lower value is 0. Upper value is 2147483647.

No

No

If any index keys have already reached this limit, indexes must be rebuilt before they will be allowed to use the new limit.

No

No

The extensible matching rule in an extensible index. An extensible matching rule must be specified using either LOCALE or OID of the matching rule.

No extensible matching rules will be indexed.

A Locale or an OID.

Yes

No

The index must be rebuilt before it will reflect the new value.

No

No

Specifies the type(s) of indexing that should be performed for the associated attribute. For equality, presence, and substring index types, the associated attribute type must have a corresponding matching rule.

None

This index type is used to improve the efficiency of searches using approximate matching search filters.

This index type is used to improve the efficiency of searches using equality search filters.

This index type is used to improve the efficiency of searches using extensible matching search filters.

This index type is used to improve the efficiency of searches using "greater than or equal to" or "less then or equal to" search filters.

This index type is used to improve the efficiency of searches using the presence search filters.

This index type is used to improve the efficiency of searches using substring search filters.

Yes

Yes

If any new index types are added for an attribute, and values for that attribute already exist in the database, the index must be rebuilt before it will be accurate.

No

No

The length of substrings in a substring index.

6

An integer value. Lower value is 3.

No

No

The index must be rebuilt before it will reflect the new value.

Yes (Use --advanced in interactive mode.)

No

Specifies the base DN used in the search query that is being indexed.

None

A valid DN.

No

Yes

The index must be rebuilt after modifying this property.

No

No

Specifies the LDAP filter used in the query that is being indexed.

None

A valid LDAP search filter.

No

Yes

The index must be rebuilt after modifying this property.

No

No

Specifies a unique name for this VLV index.

None

A String

No

Yes

NoneThe VLV index name cannot be altered after the index is created.

No

Yes

Specifies the LDAP scope of the query that is being indexed.

None

Search the base object only.

Search the immediate children of the base object but do not include any of their descendants or the base object itself.

Search the entire subtree below the base object but do not include the base object itself.

Search the base object and the entire subtree below the base object.

No

Yes

The index must be rebuilt after modifying this property.

No

No

Specifies the names of the attributes that are used to sort the entries for the query being indexed. Multiple attributes can be used to determine the sort order by listing the attribute names from highest to lowest precedence. Optionally, + or - can be prefixed to the attribute name to sort the attribute in ascending order or descending order respectively.

None

Valid attribute types defined in the schema, separated by a space and optionally prefixed by + or -.

No

Yes

The index must be rebuilt after modifying this property.

No

No

Indicates whether the Certificate Mapper is enabled.

None

true false

No

Yes

None

No

No

Specifies the name of the digest algorithm to compute the fingerprint of client certificates.

None

Use the MD5 digest algorithm to compute certificate fingerprints.

Use the SHA-1 digest algorithm to compute certificate fingerprints.

No

Yes

None

No

No

Specifies the attribute in which to look for the fingerprint. Values of the fingerprint attribute should exactly match the MD5 or SHA1 representation of the certificate fingerprint.

None

The name of an attribute type defined in the server schema.

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the Fingerprint Certificate Mapper implementation.

org.opends.server.extensions.FingerprintCertificateMapper

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

No

Yes

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the set of base DNs below which to search for users. The base DNs are used when performing searches to map the client certificates to a user entry.

The server performs the search in all public naming contexts.

A valid DN.

Yes

No

None

No

No

Indicates whether the Certificate Mapper is enabled.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the Subject Attribute To User Attribute Certificate Mapper implementation.

org.opends.server.extensions.SubjectAttributeToUserAttributeCertificateMapper

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

No

Yes

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies a mapping between certificate attributes and user attributes. Each value should be in the form "certattr:userattr" where certattr is the name of the attribute in the certificate subject and userattr is the name of the corresponding attribute in user entries. There may be multiple mappings defined, and when performing the mapping values for all attributes present in the certificate subject that have mappings defined must be present in the corresponding user entries.

None

A String

Yes

Yes

None

No

No

Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.

The server will perform the search in all public naming contexts.

A valid DN.

Yes

No

None

No

No

Indicates whether the Certificate Mapper is enabled.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the Subject DN To User Attribute Certificate Mapper implementation.

org.opends.server.extensions.SubjectDNToUserAttributeCertificateMapper

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

No

Yes

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the name or OID of the attribute whose value should exactly match the certificate subject DN.

None

The name of an attribute type defined in the server schema.

No

Yes

None

No

No

Specifies the base DNs that should be used when performing searches to map the client certificate to a user entry.

The server will perform the search in all public naming contexts.

A valid DN.

Yes

No

None

No

No

Indicates whether the Certificate Mapper is enabled.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the Subject Equals DN Certificate Mapper implementation.

org.opends.server.extensions.SubjectEqualsDNCertificateMapper

A Java class that implements or extends the class(es): org.opends.server.api.CertificateMapper

No

Yes

The Certificate Mapper must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum number of pending connection attempts that are allowed to queue up in the accept backlog before the server starts rejecting new connection attempts. This is primarily an issue for cases in which a large number of connections are established to the server in a very short period of time (for example, a benchmark utility that creates a large number of client threads that each have their own connection to the server) and the connection handler is unable to keep up with the rate at which the new connections are established.

128

An integer value. Lower value is 1.

No

No

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Indicates whether the HTTP Connection Handler should reuse socket descriptors. If enabled, the SO_REUSEADDR socket option is used on the server listen socket to potentially allow the reuse of socket descriptors for clients in a TIME_WAIT state. This may help the server avoid temporarily running out of socket descriptors in cases in which a very large number of short-lived connections have been established from the same client system.

true

true false

No

No

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Specifies a set of host names or address masks that determine the clients that are allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask.

All clients with addresses that do not match an address on the deny list are allowed. If there is no deny list, then all clients are allowed.

An IP address mask

Yes

No

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

No

No

Specifies the size in bytes of the HTTP response message write buffer. This property specifies write buffer size allocated by the server for each client connection and used to buffer HTTP response messages data when writing.

4096 bytes

Lower value is 1.Upper value is 2147483647.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies a set of host names or address masks that determine the clients that are not allowed to establish connections to this Connection Handler. Valid values include a host name, a fully qualified domain name, a domain name, an IP address, or a subnetwork with subnetwork mask. If both allowed and denied client masks are defined and a client connection matches one or more masks in both lists, then the connection is denied. If only a denied list is specified, then any client not matching a mask in that list is allowed.

If an allow list is specified, then only clients with addresses on the allow list are allowed. Otherwise, all clients are allowed.

An IP address mask

Yes

No

NoneChanges to this property take effect immediately and do not interfere with connections that may have already been established.

No

No

Indicates whether the Connection Handler is enabled.

None

true false

No

Yes

None

No

No

Specifies the fully-qualified name of the Java class that provides the HTTP Connection Handler implementation.

org.opends.server.protocols.http.HTTPConnectionHandler

A Java class that implements or extends the class(es): org.opends.server.api.ConnectionHandler

No

Yes

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

Yes (Use --advanced in interactive mode.)

No

Indicates whether the HTTP Connection Handler should keep statistics. If enabled, the HTTP Connection Handler maintains statistics about the number and types of operations requested over HTTP and the amount of data sent and received.

true

true false

No

No

None

No

No

Specifies the name of the key manager that should be used with this HTTP Connection Handler .

None

The DN of any Key Manager Provider. The referenced key manager provider must be enabled when the HTTP Connection Handler is enabled and configured to use SSL.

No

No

NoneChanges to this property take effect immediately, but only for subsequent attempts to access the key manager provider for associated client connections.

No

No

Specifies the address or set of addresses on which this HTTP Connection Handler should listen for connections from HTTP clients. Multiple addresses may be provided as separate values for this attribute. If no values are provided, then the HTTP Connection Handler listens on all interfaces.

0.0.0.0

An IP address

Yes

No

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

No

No

Specifies the port number on which the HTTP Connection Handler will listen for connections from clients. Only a single port number may be provided.

None

An integer value. Lower value is 1. Upper value is 65535.

No

Yes

The Connection Handler must be disabled and re-enabled for changes to this setting to take effect

No

No

Specifies the maximum length of time that attempts to write data to HTTP clients should be allowed to block. If an attempt to write data to a client takes longer than this length of time, then the client connection is terminated.

2 minutes

<xinclude:include href="itemizedlist-duration.xml" /> Lower limit is 0 milliseconds.

No

No

None

Yes (Use --advanced in interactive mode.)

No

Specifies the maximum number of internal operations that each HTTP client connection can execute concurrently. This property allow to limit the impact that each HTTP request can have on the whole server by limiting the number of internal operations that each HTTP request can execute concurrently. A value of 0 means that no limit is enforced.

Let the server decide.

An integer value. Lower value is 0.

No

No

None

No

No

Specifies the size in bytes of the largest HTTP request message that will be allowed by the HTTP Connection Handler. This can help prevent denial-of-service attacks by clients that indicate they send extremely large requests to the server causing it to attempt to allocate large amounts of memory.

5 megabytes

Upper value is 2147483647.

No

No

None

Yes (Use --advanced in interactive mode.)

No