Attributes

 

This information describes the Directory Server attributes that are used to configure the ibmslapd.conf file.

 

cn

Description

This is the X.500 common Name attribute, which contains a name of an object.

Syntax

Directory string

Maximum Length

256

Value

Multi-valued

 

ibm-slapdACIMechanism

Description

Determines which ACL model the server uses. (Supported only on i5/OS and OS/400 as of v3.2, ignored on other platforms.)

  • 1.3.18.0.2.26.1 = IBM SecureWay v3.1 ACL model

  • 1.3.18.0.2.26.2 = IBM SecureWay v3.2 ACL model

Default

1.3.18.0.2.26.2 = IBM SecureWay v3.2 ACL model

Syntax

Directory string

Maximum Length

256

Value

Multi-valued

 

ibm-slapdACLAccess

Description

Controls whether access to ACLs is enabled. If set to TRUE, access to ACLs is enabled. If set to FALSE, access to ACLs is disabled.

Default

TRUE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdACLCache

Description

Controls whether or not the server caches ACL information.

  • If set to TRUE, the server caches ACL information.

  • If set to FALSE, the server does not cache ACL information.

Default

TRUE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdACLCacheSize

Description

Maximum number of entries to keep in the ACL Cache.

Default

25000

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdAdminDN

Description

The administrator bind DN for Directory Server.

Default

cn=root

Syntax

DN

Maximum Length

Unlimited

Value

Single-valued

 

ibm-slapdAdminGroupEnabled

Description

Specifies whether the Administrative Group is currently enabled. If set to TRUE, the server will allow users in the administrative group to log in.

Default

FALSE

Syntax

Boolean

Maximum Length

128

Value

Single-valued

 

ibm-slapdAdminPW

Description

The administrator bind Password for Directory Server.

Default

secret

Syntax

Binary

Maximum Length

128

Value

Single-valued

 

ibm-slapdAllowAnon

Description

Specifies if anonymous binds are allowed.

Default

True

Syntax

Boolean

Maximum Length

128

Value

Single-valued

 

ibm-slapdAllReapingThreshold

Description

Specifies a number of connections to maintain in the server before connection management is activated.

Default

1200

Syntax

Directory string with case-exact matching.

Maximum Length

1024

Value

Single-valued

 

ibm-slapdAnonReapingThreshold

Description

Specifies a number of connections to maintain in the server before connection management of anonymous connections is activated.

Default

0

Syntax

Directory string with case-exact matching.

Maximum Length

1024

Value

Single-valued

 

ibm-slapdBoundReapingThreshold

Description

Specifies a number of connections to maintain in the server before connection management of anonymous and bound connections is activated.

Default

1100

Syntax

Directory string with case-exact matching.

Maximum Length

1024

Value

Single-valued

 

ibm-slapdBulkloadErrors

Description

File path or device on ibmslapd host machine to which bulkload error messages will be written.

Default

/var/bulkload.log

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdCachedAttribute

Description

Contains the names of the attributes to be cached in the attribute cache, one attribute name per value.

Default

None

Syntax

Directory string

Maximum Length

256

Value

Multi-valued

 

ibm-slapdCachedAttributeAutoAdjust

Description

Controls whether the server will automatically adjust the attribute caches at configured time intervals defined in ibm-slapdCachedAttributeAutoAdjustTime and ibm-slapdCachedAttributeAutoAdjustTimeInterval.

Default

FALSE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdCachedAttributeAutoAdjustTime

Description

When ibm-slapdCachedAttributeAutoAdjust is set to TRUE, controls the time at which the server begins to adjust attribute caches automatically.
Minimum = T000000
Maximum = T235959

Default

T000000

Syntax

Military time

Maximum Length

7

Value

Single-valued

 

ibm-slapdCachedAttributeAutoAdjustTimeInterval

Description

When ibm-slapdCachedAttributeAutoAdjust is set to TRUE, controls the time interval between automatic adjustments of the attribute cache.
Minimum = 1
Maximum = 24

Default

2

Syntax

Integer

Maximum Length

2

Value

Single-valued

 

ibm-slapdCachedAttributeSize

Description

Amount of memory, in bytes, that can be used by the attribute cache. A value of 0 indicates that no attribute cache is used.

Default

0

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdChangeLogMaxEntries

Description

This attribute is used by a change log plug-in to specify the maximum number of change log entries allowed in the RDBM database. Each change log has its own changeLogMaxEntries attribute.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647 (32-bit, signed integer)

Default

0

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdCLIErrors

Description

File path or device on ibmslapd host machine to which CLI error messages will be written.

Default

/var/db2cli.log

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdConcurrentRW

Description

Setting this to TRUE allows searches to proceed simultaneously with updates. It allows for 'dirty reads', that is, results that might not be consistent with the committed state of the database. Attention: This attribute is deprecated.

Default

FALSE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdDB2CP

Description

Specifies the code page of the directory database. 1208 is the code page for UTF-8 databases.

Syntax

Directory string with case-exact matching

Maximum Length

11

Value

Single-valued

 

ibm-slapdDBAlias

Description

The DB2 database alias.

Syntax

Directory string with case-exact matching

Maximum Length

8

Value

Single-valued

 

ibm-slapdDbConnections

Description

Specifies the number of DB2 connections the server dedicates to the DB2 backend. The value must be between 5 and 50 (inclusive).

The ODBCCONS environment variable overrides the value of this directive. If ibm-slapdDbConnections (or ODBCCONS) is less than 5 or greater than 50, the server uses 5 or 50 respectively. One additional connection is created for replication (even if no replication is defined), and two additional connections are created for the change log (if the change log is enabled).

Default

15

Syntax

Integer

Maximum Length

50

Value

Single-valued

 

ibm-slapdDbInstance

Description

Specifies the DB2 database instance for this backend.

Default

ldapdb2

Syntax

Directory string with case-exact matching

Maximum Length

8

Value

Single-valued

All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.

 

ibm-slapdDbLocation

Description

The file system path where the backend database is located.

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdDbName

Description

Specifies the DB2 database name for this backend.

Default

ldapdb2

Syntax

Directory string with case-exact matching

Maximum Length

8

Value

Single-valued

 

ibm-slapdDbUserID

Description

Specifies the user name with which to bind to the DB2 database for this backend.

Default

ldapdb2

Syntax

Directory string with case-exact matching

Maximum Length

8

Value

Single-valued

All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.

 

ibm-slapdDerefAliases

Description

Maximum alias dereferencing level on search requests, regardless of any derefAliases that may have been specified on the client requests. Allowed values are never, find, search and always.

Default

always

Syntax

Directory string

Maximum Length

6

Value

Single-valued

 

ibm-slapdDbUserPW

Description

Specifies the user password with which to bind to the DB2 database for this backend. The password can be plain text or imask encrypted.

Default

ldapdb2

Syntax

Binary

Maximum Length

128

Value

Single-valued

All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.

 

ibm-slapdDigestAdminUser

Description

Specifies the Digest MD5 User Name of the LDAP administrator or administrative group member. Used when MD5 Digest authentication is used to authenticate an administrator.

Default

None

Syntax

Directory string

Maximum Length

512

Value

Single-valued

 

ibm-slapdDigestAttr

Description

Overrides the default DIGEST-MD5 username attribute. The name of the attribute to use for DIGEST-MD5 SASL bind username lookup. If the value is not specified, the server uses uid.

Default

If not specified, the server uses uid.

Syntax

Directory string

Maximum Length

64

Value

Single-valued

 

ibm-slapdDigestRealm

Description

Overrides the default DIGEST-MD5 realm. A string that can enable users to know which username and password to use, in case they might have different ones for different servers. Conceptually, it is the name of a collection of accounts that might include the users account. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be registered_users@gotham.news.example.com. If the attribute is not specified, the server uses the fully qualified hostname of the server.

Default

The fully qualified hostname of the server

Syntax

Directory string

Maximum Length

1024

Value

Single-valued

 

ibm-slapdEnableEventNotification

Description

Specifies whether to enable Event Notification. It must be set to either TRUE or FALSE.

If set to FALSE, the server rejects all client requests to register event notifications with the extended result LDAP_UNWILLING_TO_PERFORM.

Default

TRUE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdEntryCacheSize

Description

Maximum number of entries to keep in the entry cache.

Default

25000

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdErrorLog

Description

Specifies the file path or device on the Directory Server machine to which error messages are written.

Default

/var/ibmslapd.log

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdESizeThreshold

Description

Specifies the number of work items on the work queue before the Emergency thread is activated.

Default

50

Syntax

Integer

Maximum Length

1024

Value

Single-valued

 

ibm-slapdEThreadActivate

Description

Specifies which conditions will activate the Emergency Thread. Must be set to one of the following values:

  • S - Size only

  • T - Time only

  • SOT - Size or time

  • SAT - Size and time

Default

SAT

Syntax

String

Maximum Length

1024

Value

Single-valued

 

ibm-slapdEThreadEnable

Description

Specifies if the Emergency Thread is active.

Default

True

Syntax

Boolean

Maximum Length

1024

Value

Single-valued

 

ibm-slapdETimeThreshold

Description

Specifies the amount of time in minutes between items removed from the work queue before the Emergency thread is activated.

Default

5

Syntax

Integer

Maximum Length

1024

Value

Single-valued

 

ibm-slapdFilterCacheBypassLimit

Description

Search filters that match more than this number of entries will not be added to the Search Filter cache. Because the list of entry IDs that matched the filter are included in this cache, this setting helps to limit memory use. A value of 0 indicates no limit.

Default

100

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdFilterCacheSize

Description

Specifies the maximum number of entries to keep in the Search Filter Cache.

Default

25000

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdIdleTimeOut

Description

Maximum time to keep an LDAP connection open when there is no activity on the connection. The idle time for an LDAP connection is the time (in seconds) between the last activity on the connection and the current time. If the connection has expired, based on the idle time being greater than the value of this attribute, the LDAP server will clean up and end the LDAP connection, making it available for other incoming requests.

Default

300

Syntax

Integer

Length

11

Count

Single

Usage

Directory operation

User Modify

Yes

Access Class

Critical

Required

No

 

ibm-slapdIncludeSchema

Description

Specifies a file path on the Directory Server machine containing schema definitions.

Default

  • /etc/V3.system.at

  • /etc/V3.system.oc

  • /etc/V3.config.at

  • /etc/V3.config.oc

  • /etc/V3.ibm.at

  • /etc/V3.ibm.oc

  • /etc/V3.user.at

  • /etc/V3.user.oc

  • /etc/V3.ldapsyntaxes

  • /etc/V3.matchingrules

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Multi-valued

 

ibm-slapdKrbAdminDN

Description

Specifies the Kerberos ID of the LDAP administrator (for example, ibm-kn=admin1@realm1). Used when Kerberos authentication is used to authenticate the administrator when logged onto the Server Administration interface. This might be specified instead of or in addition to adminDN and adminPW.

Default

No preset default is defined.

Syntax

Directory string with case-exact matching

Maximum Length

128

Value

Single-valued

 

ibm-slapdKrbEnable

Description

Specifies whether the server supports Kerberos. It must be either TRUE or FALSE.

Default

TRUE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdKrbIdentityMap

Description

Specifies whether to use Kerberos identity mapping. It must be set to either TRUE or FALSE. If set to TRUE, when a client is authenticated with a Kerberos ID, the server searches for all local users with matching Kerberos credentials, and adds those user DNs to the bind credentials of the connection. This allows ACLs based on LDAP user DNs to still be usable with Kerberos.

Default

FALSE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdKrbKeyTab

Description

Specifies the LDAP server Kerberos keytab file. This file contains the LDAP server private key that is associated with its Kerberos account. This file is to be protected (like the server SSL key database file).

Default

No preset default is defined.

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdKrbRealm

Description

Specifies the Kerberos realm of the LDAP server. It is used to publish the ldapservicename attribute in the root DSE. Note that an LDAP server can serve as the repository of account information for multiple KDCs (and realms), but the LDAP server, as a kerberized server, can only be a member of a single realm.

Default

No preset default is defined.

Syntax

Directory string with case-insensitive matching

Maximum Length

256

Value

Single-valued

 

ibm-slapdLanguageTagsEnabled

Description

Specifies whether the server allows language tags. The value read from the ibmslapd.conf file for this attribute is FALSE by default, but it can be set to TRUE.

Default

FALSE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdLdapCrlHost

Description

Specifies the host name of the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter is needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation.

Default

No preset default is defined.

Syntax

Directory string with case-insensitive matching

Maximum Length

256

Value

Single-valued

 

ibm-slapdLdapCrlPassword

Description

Specifies the password that server-side SSL uses to bind to the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter might be needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation.

If the LDAP server holding the CRLs permits unauthenticated access to the CRLs (that is, anonymous access), then ibm-slapdLdapCrlPassword is not required.

Default

No preset default is defined.

Syntax

Binary

Maximum Length

128

Value

Single-valued

 

ibm-slapdLdapCrlPort

Description

Specifies the port used to connect to the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter is needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation. (IP ports are unsigned, 16-bit integers in the range 1 - 65535)

Default

No preset default is defined.

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdLdapCrlUser

Description

Specifies the bindDN that the server-side SSL uses to bind to the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter might be needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation.

If the LDAP server holding the CRLs permits unauthenticated access to the CRLs (that is, anonymous access), then ibm-slapdLdapCrlUser is not required.

Default

No preset default is defined.

Syntax

DN

Maximum Length

1000

Value

Single-valued

 

ibm-slapdMasterDN

Description

Specifies the bind DN of master server. The value must match the replicaBindDN in the replicaObject defined for the master server. When Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must specify the DN representation of the Kerberos ID (for example, ibm-kn=freddy@realm1). When Kerberos is used, MasterServerPW is ignored.

Default

No preset default is defined.

Syntax

DN

Maximum Length

1000

Value

Single-valued

 

ibm-slapdMasterPW

Description

Specifies the bind password of the master replica server. The value must match replicaBindDN in the replicaObject defined for the master server. When Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must specify the DN representation of the Kerberos ID (for example, ibm-kn=freddy@realm1). When Kerberos is used, MasterServerPW is ignored.

Default

No preset default is defined.

Syntax

Binary

Maximum Length

128

Value

Single-valued

 

ibm-slapdMasterReferral

Description

Specifies the URL of the master replica server. For example:

  • Default: ldap://master.us.ibm.com

  • Security set to SSL only: ldaps://master.us.ibm.com:636

  • Security set to none, using a nonstandard port: ldap://master.us.ibm.com:1389

Default

none

Syntax

Directory string with case-insensitive matching

Maximum Length

256

Value

Single-valued

 

ibm-slapdMaxEventsPerConnection

Description

Specifies the maximum number of event notifications which can be registered per connection.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647

Default

100

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdMaxEventsTotal

Description

Specifies the maximum total number of event notifications which can be registered for all connections.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647

Default

0

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdMaxNumOfTransactions

Description

Specifies the maximum number of transactions per server.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647

Default

20

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdMaxOpPerTransaction

Description

Specifies the maximum number of operations per transaction.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647

Default

5

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdMaxPendingChangesDisplayed

Description

Maximum number of pending changes to be displayed.

Default

200

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdMaxTimeLimitOfTransactions

Description

Specifies the maximum timeout value of a pending transaction in seconds.
Minimum = 0 (unlimited)
Maximum = 2,147,483,647

Default

300

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdPagedResAllowNonAdmin

Description

Whether or not the server should allow non-Administrator bind for paged results requests on a search request. If the value read from the ibmslapd.conf file is FALSE, the server will process only those client requests submitted by a user with Administrator authority. If a client requests paged results for a search operation, does not have Administrator authority, and the value read from the ibmslapd.conf file for this attribute is FALSE, the server will return to the client with return code insufficientAccessRights; no searching or paging will be performed.

Default

FALSE

Syntax

Boolean

Length

5

Count

Single

Usage

directoryOperation

User Modify

Yes

Access Class

critical

Objectclass

ibm-slapdRdbmBackend

Required

No

 

ibm-slapdPagedResLmt

Description

Maximum number of outstanding paged results search requests allowed active simultaneously. Range = 0.... If a client requests a paged results operation, and a maximum number of outstanding paged results are currently active, then the server will return to the client with return code of busy; no searching or paging will be performed.

Default

3

Syntax

Integer

Length

11

Count

Single

Usage

directoryOperation

User Modify

Yes

Access Class

critical

Required

No

Objectclass

ibm-slapdRdbmBackend

 

ibm-slapdPageSizeLmt

Description

Maximum number of entries to return from search for an individual page when paged results control is specified, regardless of any pagesize that might have been specified on the client search request. Range = 0.... If a client has passed a page size, then the smaller value of the client value and the value read from ibmslapd.conf will be used.

Default

50

Syntax

Integer

Length

11

Count

Single

Usage

directoryOperation

User Modify

Yes

Access Class

critical

Required

No

Objectclass

ibm-slapdRdbmBackend

 

ibm-slapdPlugin

Description

A plugin is a dynamically loaded library which extends the capabilities of the server. An ibm-slapdPlugin attribute specifies to the server how to load and initialize a plug-in library. The syntax is:
keyword filename init_function [args...]

The syntax is slightly different for each platform because of library naming conventions.

Most plug-ins are optional, but the RDBM backend plug-in is required for all RDBM backends.

Default

database /bin/libback-rdbm.dll rdbm_backend_init

Syntax

Directory string with case-exact matching

Maximum Length

2000

Value

Multi-valued

 

ibm-slapdPort

Description

Specifies the TCP/IP port used for non-SSL connections. It cannot have the same value as ibm-slapdSecurePort. (IP ports are unsigned, 16-bit integers in the range 1 - 65535.)

Default

389

Syntax

Integer

Maximum Length

5

Value

Single-valued

 

ibm-slapdPWEncryption

Description

Specifies the encoding mechanism for the user passwords before they are stored in the directory. It must be specified as none, imask, crypt, or sha (use the keyword sha in order to get SHA-1 encoding). The value must be set to none for the SASL cram-md5 bind to succeed.

Default

none

Syntax

Directory string with case-insensitive matching

Maximum Length

5

Value

Single-valued

 

ibm-slapdReadOnly

Description

This attribute is normally applied to only the Directory backend. It specifies whether the backend can be written to. It must be specified as either TRUE or FALSE. It defaults to FALSE if unspecified. If set to TRUE, the server returns LDAP_UNWILLING_TO_PERFORM (0x35) in response to any client request which changes data in the readOnly database.

Default

FALSE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdReferral

Description

Specifies the referral LDAP URL to pass back when the local suffixes do not match the request. It is used for superior referral (that is, the suffix is not within the naming context of the server).

Default

No preset default is defined.

Syntax

Directory string with case-exact matching

Maximum Length

32700

Value

Multi-valued

 

ibm-slapdReplDbConns

Description

Maximum number of database connections for use by replication.

Default

4

Syntax

Integer

Maximum Length

11

Value

Single-valued

 

ibm-slapdReplicaSubtree

Description

Identifies the DN of a replicated subtree

Syntax

DN

Maximum Length

1000

Value

Single-valued

 

ibm-slapdSchemaAdditions

Description

The ibm-slapdSchemaAdditions attribute is used to identify explicitly which file holds new schema entries. This is set by default to be /etc/V3.modifiedschema. If this attribute is not defined, the server reverts to using the last ibm-slapdIncludeSchema file as in previous releases. Before Version 3.2, the last includeSchema entry in slapd.conf was the file to which any new schema entries were added by the server if it received an add request from a client. Normally the last includeSchema is the V3.modifiedschema file, which is an empty file installed just for this purpose.

The name 'modified' is misleading: the file stores only new entries. Changes to existing schema entries are made in their original files.

Default

/etc/V3.modifiedschema

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdSchemaCheck

Description

Specifies the schema checking mechanism for the add/modify/delete operation. It must be specified as V2, V3, or V3_lenient.

  • V2 - Retain v2 and v2.1 checking. Recommended for migration purpose.

  • V3 - Perform v3 checking.

  • V3_lenient - Not all parent object classes are needed. Only the immediate object class is needed when adding entries.

Default

V3_lenient

Syntax

Directory string with case-insensitive matching

Maximum Length

10

Value

Single-valued

 

ibm-slapdSecurePort

Description

Specifies the TCP/IP port used for SSL connections. It cannot have the same value as ibm-slapdPort. (IP ports are unsigned, 16-bit integers in the range 1 - 65535.)

Default

636

Syntax

Integer

Maximum Length

5

Value

Single-valued

 

ibm-slapdSecurity

Description

Enables SSL and TLS connections. Must be none, SSL, SSLOnly, TLS, or SSLTLS.

  • none - The server listens on the nonsecure port only.

  • SSL - The server listens on both the SSL and the non-SSL ports. The secure port is the only means of using a secure connection.

  • SSLOnly - The server listens on the SSL port only.

  • TLS - The server only listens on the nonsecure port. The StartTLS extended operation is the only means of using a secure connection.

  • SSLTLS - The server listens on both the default and secure ports. The StartTLS extended operation can be used to get a secure connection over the default port, or the client can use the secure port directly. Sending a StartTLS over the secure port will return the message LDAP_OPERATIONS_ERROR.

Default

none

Syntax

Directory string with case-insensitive matching

Maximum Length

7

Value

Single-valued

 

ibm-slapdServerId

Description

Identifies the server for use in replication.

Syntax

IA5 String with case-sensitive matching

Maximum Length

240

Value

Single-valued

 

ibm-slapdSetenv

Description

The server runs putenv() for all values of ibm-slapdSetenv at startup to change the server runtime environment. Shell variables (like %PATH% or $LANG) are not expanded.

Default

No preset default is defined.

Syntax

Directory string with case-exact matching

Maximum Length

2000

Value

Multi-valued

 

ibm-slapdSizeLimit

Description

Specifies the maximum number of entries to return from search, regardless of any size limit that might have been specified on the client search request (Range = 0...). If a client has passed a limit, then the smaller value of the client values and the value read from ibmslapd.conf are used. If a client has not passed a limit and has bound as admin DN, the limit is considered unlimited. If the client has not passed a limit and has not bound as admin DN, then the limit is that which was read from the ibmslapd.conf file. 0 = unlimited.

Default

500

Syntax

Integer

Maximum Length

12

Value

Single-valued

 

ibm-slapdSortKeyLimit

Description

The maximum number of sort conditions (keys) that can be specified on a single search request. Range = 0.... If a client has passed a search request with more sort keys than the limit allows, and the sorted search control criticality is FALSE, then the server will honor the value read from the ibmslapd.conf file and ignore any sort keys encountered after the limit has been reached - searching and sorting will be performed. If a client has passed a search request with more keys than the limit allows, and the sorted search control criticality is TRUE, then the server will return to the client with a return code of adminLimitExceeded - no searching or sorting will be performed.

Default

3

Syntax

cis

Length

11

Count

Single

Usage

directoryOperation

User Modify

Yes

Access Class

critical

Objectclass

ibm-slapdRdbmBackend

Required

No

 

ibm-slapdSortSrchAllowNonAdmin

Description

Whether or not the server should allow non-Administrator bind for sort on a search request. If the value read from the ibmslapd.conf file is FALSE, the server will process only those client requests submitted by a user with Administrator authority. If a client requests sort for a search operation, does not have Administrator authority, and the value read from the ibmslapd.conf file for this attribute is FALSE, the server will return to the client with return code insufficientAccessRights - no searching or sorting will be performed.

Default

FALSE

Syntax

Boolean

Length

5

Count

Single

Usage

directoryOperation

User Modify

Yes

Access Class

critical

Objectclass

ibm-slapdRdbmBackend

Required

No

 

ibm-slapdSslAuth

Description

Specifies the authentication type for the ssl connection, either serverauth or serverclientauth.

  • serverauth - supports server authentication at the client. This is the default.

  • serverclientauth - supports both server and client authentication.

Default

serverauth

Syntax

Directory string with case-insensitive matching

Maximum Length

16

Value

Single-valued

 

ibm-slapdSslCertificate

Description

Specifies the label that identifies the server Personal Certificate in the key database file. This label is specified when the server private key and certificate are created with the gsk4ikm application. If ibm-slapdSslCertificate is not defined, the default private key, as defined in the key database file, is used by the LDAP server for SSL connections.

Default

No preset default is defined.

Syntax

Directory string with case-exact matching

Maximum Length

128

Value

Single-valued

 

ibm-slapdSslCipherSpec

Description

Specifies the method of SSL encryption for clients accessing the server. Must be set to one of the following (Table 1. Methods of SSL encryption):

  • TripleDES-168 - Triple DES encryption with a 168-bit key and a SHA-1 MAC

  • DES-56 - DES encryption with a 56-bit key and a SHA-1 MAC

  • RC4-128-SHA - RC4 encryption with a 128-bit key and a SHA-1 MAC

  • RC4-128-MD5 - RC4 encryption with a 128-bit key and an MD5 MAC

  • RC2-40-MD5 - RC2 encryption with a 40-bit key and an MD5 MAC

  • RC4-40-MD5 - RC4 encryption with a 40-bit key and an MD5 MAC

  • AES - AES encryption

Syntax

IA5 String

Maximum Length

30

 

ibm-slapdSslKeyDatabase

Description

Specifies the file path to the LDAP server SSL key database file. This key database file is used for handling SSL connections from LDAP clients, as well as for creating secure SSL connections to replica LDAP servers.

Default

/etc/key.kdb

Syntax

Directory string with case-exact matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdSslKeyDatabasePW

Description

Specifies the password associated with the LDAP server SSL key database file, as specified on the ibm-slapdSslKeyDatabase parameter. If the LDAP server key database file has an associated password stash file, then the ibm-slapdSslKeyDatabasePW parameter can be omitted, or set to none.

The password stash file must be located in the same directory as the key database file and it must have the same file name as the key database file, but with an extension of .sth instead of .kdb.

Default

none

Syntax

Binary

Maximum Length

128

Value

Single-valued

 

ibm-slapdSslKeyRingFile

Description

Path to the LDAP server's SSL key database file. This key database file is used for handling SSL connections from LDAP clients, as well as for creating secure SSL connections to replica LDAP servers.

Default

key.kdb

Syntax

Directory String with case-sensitive matching

Maximum Length

1024

Value

Single-valued

 

ibm-slapdSuffix

Description

Specifies a naming context to be stored in this backend.

This has the same name as the object class.

Default

No preset default is defined.

Syntax

DN

Maximum Length

1000

Value

Multi-valued

 

ibm-slapdSupportedWebAdmVersion

Description

This attribute defines the earliest version of the Web administration tool that supports this server of cn=configuration.

Default

Syntax

Directory String

Maximum Length

Value

Single-valued

 

ibm-slapdSysLogLevel

Description

Specifies the level at which debugging and operation statistics are logged in the slapd.errors file. It must be specified as l, m, or h.

  • h - high (provides the most information)

  • m - medium (the default)

  • l - low (provides the least information)

Default

m

Syntax

Directory string with case-insensitive matching

Maximum Length

1

Value

Single-valued

 

ibm-slapdTimeLimit

Description

Specifies the maximum number of seconds to spend on a search request, regardless of any time limit that might have been specified on the client request. If a client has passed a limit, then the smaller value of the client values and the value read from ibmslapd.conf are used. If a client has not passed a limit and has bound as admin DN, the limit is considered unlimited. If the client has not passed a limit and has not bound as admin DN, then the limit is that which was read from the ibmslapd.conf file. 0 = unlimited.

Default

900

Syntax

Integer

Maximum Length

Value

Single-valued
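The limit rules stated for ibm-slapdSizeLimit and ibm-slapdTimeLimit, together with the paged-results and sort-key rules described earlier (ibm-slapdPageSizeLmt, ibm-slapdPagedResLmt, ibm-slapdPagedResAllowNonAdmin, ibm-slapdSortKeyLimit, ibm-slapdSortSrchAllowNonAdmin), worked through as an added Python example; this is not IBM code. It assumes that a client size or time limit of 0 or None means the client requested no limit, and it uses the page defaults.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

UNLIMITED = 0  # the page defines 0 as "unlimited" for the size and time limits


@dataclass
class SearchPolicy:
    """Limit attributes read from ibmslapd.conf, with the page defaults."""
    size_limit: int = 500                # ibm-slapdSizeLimit (entries)
    time_limit: int = 900                # ibm-slapdTimeLimit (seconds)
    page_size_limit: int = 50            # ibm-slapdPageSizeLmt
    paged_res_limit: int = 3             # ibm-slapdPagedResLmt
    paged_allow_non_admin: bool = False  # ibm-slapdPagedResAllowNonAdmin
    sort_key_limit: int = 3              # ibm-slapdSortKeyLimit
    sort_allow_non_admin: bool = False   # ibm-slapdSortSrchAllowNonAdmin


def effective_limit(conf_limit: int, client_limit: Optional[int], is_admin: bool) -> int:
    """Size or time limit the server enforces for one search (0 = unlimited).

    Assumption: a client limit of None or 0 means the client requested no limit.
    """
    if client_limit:
        # Client passed a limit: the smaller of the client and conf values wins,
        # except that an unlimited (0) conf value leaves only the client's limit.
        return client_limit if conf_limit == UNLIMITED else min(client_limit, conf_limit)
    if is_admin:
        return UNLIMITED   # no client limit and bound as admin DN: unlimited
    return conf_limit      # no client limit, ordinary bind: the ibmslapd.conf value


def effective_page_size(policy: SearchPolicy, client_page_size: int) -> int:
    """Entries per page: the smaller of the client's page size and the conf limit."""
    return min(client_page_size, policy.page_size_limit)


def paged_request_decision(policy: SearchPolicy, is_admin: bool,
                           active_paged_searches: int) -> str:
    """Result code for a search carrying the paged-results control."""
    if not is_admin and not policy.paged_allow_non_admin:
        return "insufficientAccessRights"  # no searching or paging is performed
    if active_paged_searches >= policy.paged_res_limit:
        return "busy"                      # too many outstanding paged searches
    return "success"


def sorted_request_decision(policy: SearchPolicy, is_admin: bool,
                            sort_keys: List[str], critical: bool) -> Tuple[str, List[str]]:
    """Result code and the sort keys actually honoured for a sorted search."""
    if not is_admin and not policy.sort_allow_non_admin:
        return "insufficientAccessRights", []
    if len(sort_keys) <= policy.sort_key_limit:
        return "success", list(sort_keys)
    if critical:
        return "adminLimitExceeded", []    # critical control: refuse the search
    # Non-critical control: honour the first <limit> keys and ignore the rest.
    return "success", list(sort_keys[:policy.sort_key_limit])
```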

 

ibm-slapdTransactionEnable

Description

If the transaction plugin is loaded but ibm-slapdTransactionEnable is set to FALSE, the server rejects all StartTransaction requests with the response LDAP_UNWILLING_TO_PERFORM.

Default

TRUE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdUseProcessIdPw

Description

If set to TRUE, the server ignores the ibm-slapdDbUserID and the ibm-slapdDbUserPW attributes and uses its own process credentials to authenticate to DB2.

Default

FALSE

Syntax

Boolean

Maximum Length

5

Value

Single-valued

 

ibm-slapdVersion

Description

IBM Slapd version Number

Default

Syntax

Directory String with case-sensitive matching

Maximum Length

Value

Single-valued

 

ibm-slapdWriteTimeout

Description

Specifies a timeout value in seconds for blocked writes. When the time limit is reached the connection will be dropped.

Default

120

Syntax

Integer

Maximum Length

1024

Value

Single-valued

 

objectClass

Description

The values of the objectClass attribute describe the kind of object which an entry represents.

Syntax

Directory string

Maximum Length

128

Value

Multi-valued
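A defender-side sanity check over constraints this page states (the 1-65535 port range and ibm-slapdPort/ibm-slapdSecurePort distinctness, Boolean syntax, the 5-50 range of ibm-slapdDbConnections, the allowed ibm-slapdPWEncryption, ibm-slapdSecurity and ibm-slapdSslAuth values, the documented default ibm-slapdAdminPW, and the .sth stash rule for ibm-slapdSslKeyDatabasePW), as an added Python example rather than IBM code. It assumes ibmslapd.conf can be read as plain `attribute: value` lines and runs over a constructed sample file.

```python
import re
from typing import Dict, List, Optional

# Attributes the page defines as Boolean (TRUE/FALSE); checked for syntax only.
BOOLEAN_ATTRS = ("ibm-slapdAllowAnon", "ibm-slapdAdminGroupEnabled", "ibm-slapdKrbEnable",
                 "ibm-slapdReadOnly", "ibm-slapdEnableEventNotification", "ibm-slapdACLCache")
PW_ENCODINGS = ("none", "imask", "crypt", "sha")              # ibm-slapdPWEncryption
SECURITY_MODES = ("none", "ssl", "sslonly", "tls", "ssltls")  # ibm-slapdSecurity
SSL_AUTH_MODES = ("serverauth", "serverclientauth")           # ibm-slapdSslAuth

# Constructed sample, not a real deployment file; it deliberately violates several rules.
SAMPLE_CONF = """\
dn: cn=Configuration
ibm-slapdAdminDN: cn=root
ibm-slapdAdminPW: secret
ibm-slapdPort: 389
ibm-slapdSecurePort: 389
ibm-slapdAllowAnon: yes
ibm-slapdPWEncryption: none
ibm-slapdSecurity: SSL
ibm-slapdSslKeyDatabase: /etc/key.kdb
ibm-slapdSslKeyDatabasePW: none
ibm-slapdDbConnections: 60
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Collect 'attribute: value' lines; multi-valued attributes keep every value."""
    conf: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*):\s*(.*)$", line)
        if m:
            conf.setdefault(m.group(1), []).append(m.group(2).strip())
    return conf


def first(conf: Dict[str, List[str]], attr: str, default: Optional[str] = None) -> Optional[str]:
    vals = conf.get(attr)
    return vals[0] if vals else default


def valid_port(value: str) -> bool:
    """IP ports are unsigned 16-bit integers in the range 1-65535."""
    return value.isdigit() and 1 <= int(value) <= 65535


def audit(conf: Dict[str, List[str]]) -> List[str]:
    findings: List[str] = []

    port = first(conf, "ibm-slapdPort", "389")
    sport = first(conf, "ibm-slapdSecurePort", "636")
    for name, val in (("ibm-slapdPort", port), ("ibm-slapdSecurePort", sport)):
        if not valid_port(val):
            findings.append(f"{name}={val!r} is not a port in 1-65535")
    if port == sport:
        findings.append("ibm-slapdPort and ibm-slapdSecurePort must not be equal")

    for attr in BOOLEAN_ATTRS:
        val = first(conf, attr)
        if val is not None and val.upper() not in ("TRUE", "FALSE"):
            findings.append(f"{attr}={val!r} is not TRUE or FALSE")

    dbc = first(conf, "ibm-slapdDbConnections")
    if dbc is not None and not (dbc.isdigit() and 5 <= int(dbc) <= 50):
        findings.append(f"ibm-slapdDbConnections={dbc!r} is outside 5-50; the server clamps it")

    enc = first(conf, "ibm-slapdPWEncryption", "none").lower()
    if enc not in PW_ENCODINGS:
        findings.append(f"ibm-slapdPWEncryption={enc!r} is not none, imask, crypt or sha")
    elif enc == "none":
        findings.append("ibm-slapdPWEncryption=none: user passwords are stored without encoding")

    if first(conf, "ibm-slapdAdminPW") == "secret":
        findings.append("ibm-slapdAdminPW is the documented default 'secret'")

    sec = first(conf, "ibm-slapdSecurity", "none").lower()
    if sec not in SECURITY_MODES:
        findings.append(f"ibm-slapdSecurity={sec!r} is not none, SSL, SSLOnly, TLS or SSLTLS")
    elif sec != "none" and first(conf, "ibm-slapdSslKeyDatabasePW", "none") == "none":
        # Password omitted: the page requires a stash file named like the .kdb, with .sth.
        kdb = first(conf, "ibm-slapdSslKeyDatabase", "/etc/key.kdb")
        stash = re.sub(r"\.kdb$", ".sth", kdb)
        findings.append(f"ibm-slapdSslKeyDatabasePW omitted: stash file {stash} must exist beside the key database")

    auth = first(conf, "ibm-slapdSslAuth", "serverauth").lower()
    if auth not in SSL_AUTH_MODES:
        findings.append(f"ibm-slapdSslAuth={auth!r} is not serverauth or serverclientauth")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_conf(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_CONF):
        print("-", finding)
```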

 
