Attributes
This information describes the Directory Server attributes that are used to configure the ibmslapd.conf file.
- cn
- ibm-slapdACIMechanism
- ibm-slapdACLAccess
- ibm-slapdACLCache
- ibm-slapdACLCacheSize
- ibm-slapdAdminDN
- ibm-slapdAdminGroupEnabled
- ibm-slapdAdminPW
- ibm-slapdAllowAnon
- ibm-slapdAllReapingThreshold
- ibm-slapdAnonReapingThreshold
- ibm-slapdBoundReapingThreshold
- ibm-slapdBulkloadErrors
- ibm-slapdCachedAttribute
- ibm-slapdCachedAttributeAutoAdjust
- ibm-slapdCachedAttributeAutoAdjustTime
- ibm-slapdCachedAttributeAutoAdjustTimeInterval
- ibm-slapdCachedAttributeSize
- ibm-slapdChangeLogMaxEntries
- ibm-slapdCLIErrors
- ibm-slapdConcurrentRW
- ibm-slapdDB2CP
- ibm-slapdDBAlias
- ibm-slapdDbConnections
- ibm-slapdDbInstance
- ibm-slapdDbLocation
- ibm-slapdDbName
- ibm-slapdDbUserID
- ibm-slapdDbUserPW
- ibm-slapdDerefAliases
- ibm-slapdDigestAdminUser
- ibm-slapdDigestAttr
- ibm-slapdDigestRealm
- ibm-slapdEnableEventNotification
- ibm-slapdEntryCacheSize
- ibm-slapdErrorLog
- ibm-slapdESizeThreshold
- ibm-slapdEThreadActivate
- ibm-slapdEThreadEnable
- ibm-slapdETimeThreshold
- ibm-slapdFilterCacheBypassLimit
- ibm-slapdFilterCacheSize
- ibm-slapdIdleTimeOut
- ibm-slapdIncludeSchema
- ibm-slapdKrbAdminDN
- ibm-slapdKrbEnable
- ibm-slapdKrbIdentityMap
- ibm-slapdKrbKeyTab
- ibm-slapdKrbRealm
- ibm-slapdLanguageTagsEnabled
- ibm-slapdLdapCrlHost
- ibm-slapdLdapCrlPassword
- ibm-slapdLdapCrlPort
- ibm-slapdLdapCrlUser
- ibm-slapdMasterDN
- ibm-slapdMasterPW
- ibm-slapdMasterReferral
- ibm-slapdMaxEventsPerConnection
- ibm-slapdMaxEventsTotal
- ibm-slapdMaxNumOfTransactions
- ibm-slapdMaxOpPerTransaction
- ibm-slapdMaxPendingChangesDisplayed
- ibm-slapdMaxTimeLimitOfTransactions
- ibm-slapdPagedResAllowNonAdmin
- ibm-slapdPagedResLmt
- ibm-slapdPageSizeLmt
- ibm-slapdPlugin
- ibm-slapdPort
- ibm-slapdPwEncryption
- ibm-slapdReadOnly
- ibm-slapdReferral
- ibm-slapdReplDbConns
- ibm-slapdReplicaSubtree
- ibm-slapdSchemaAdditions
- ibm-slapdSchemaCheck
- ibm-slapdSecurePort
- ibm-slapdSecurity
- ibm-slapdServerId
- ibm-slapdSetenv
- ibm-slapdSizeLimit
- ibm-slapdSortKeyLimit
- ibm-slapdSortSrchAllowNonAdmin
- ibm-slapdSslAuth
- ibm-slapdSslCertificate
- ibm-slapdSslCipherSpec
- ibm-slapdSslKeyDatabase
- ibm-slapdSslKeyDatabasePW
- ibm-slapdSslKeyRingFile
- ibm-slapdSuffix
- ibm-slapdSupportedWebAdmVersion
- ibm-slapdSysLogLevel
- ibm-slapdTimeLimit
- ibm-slapdTransactionEnable
- ibm-slapdUseProcessIdPw
- ibm-slapdVersion
- ibm-slapdWriteTimeout
- objectClass
cn
- Description
- This is the X.500 common Name attribute, which contains a name of an object.
- Syntax
- Directory string
- Maximum Length
- 256
- Value
- Multi-valued
ibm-slapdACIMechanism
- Description
- Determines which ACL model the server uses. (Supported only on i5/OS and OS/400 as of v3.2, ignored on other platforms.)
- 1.3.18.0.2.26.1 = IBM SecureWay v3.1 ACL model
- 1.3.18.0.2.26.2 = IBM SecureWay v3.2 ACL model
- Default
- 1.3.18.0.2.26.2 = IBM SecureWay v3.2 ACL model
- Syntax
- Directory string
- Maximum Length
- 256
- Value
- Multi-valued.
ibm-slapdACLAccess
- Description
- Controls whether access to ACLs is enabled. If set to TRUE, access to ACLs is enabled. If set to FALSE, access to ACLs is disabled.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdACLCache
- Description
- Controls whether or not the server caches ACL information.
- If set to TRUE, the server caches ACL information.
- If set to FALSE, the server does not cache ACL information.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdACLCacheSize
- Description
- Maximum number of entries to keep in the ACL Cache.
- Default
- 25000
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdAdminDN
- Description
- The administrator bind DN for Directory Server.
- Default
- cn=root
- Syntax
- DN
- Maximum Length
- Unlimited
- Value
- Single-valued
ibm-slapdAdminGroupEnabled
- Description
- Specifies whether the Administrative Group is currently enabled. If set to TRUE, the server will allow users in the administrative group to log in.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdAdminPW
- Description
- The administrator bind Password for Directory Server.
- Default
- secret
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdAllowAnon
- Description
- Specifies if anonymous binds are allowed.
- Default
- True
- Syntax
- Boolean
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdAllReapingThreshold
- Description
- Specifies a number of connections to maintain in the server before connection management is activated.
- Default
- 1200
- Syntax
- Directory string with case-exact matching.
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdAnonReapingThreshold
- Description
- Specifies a number of connections to maintain in the server before connection management of anonymous connections is activated.
- Default
- 0
- Syntax
- Directory string with case-exact matching.
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdBoundReapingThreshold
- Description
- Specifies a number of connections to maintain in the server before connection management of anonymous and bound connections is activated.
- Default
- 1100
- Syntax
- Directory string with case-exact matching.
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdBulkloadErrors
- Description
- File path or device on ibmslapd host machine to which bulkload error messages will be written.
- Default
- /var/bulkload.log
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdCachedAttribute
- Description
- Contains the names of the attributes to be cached in the attribute cache, one attribute name per value.
- Default
- None
- Syntax
- Directory string
- Maximum Length
- 256
- Value
- Multi-valued
ibm-slapdCachedAttributeAutoAdjust
- Description
- Controls whether the server will automatically adjust the attribute caches at configured time intervals defined in ibm-slapdCachedAttributeAutoAdjustTime and ibm-slapdCachedAttributeAutoAdjustTimeInterval.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdCachedAttributeAutoAdjustTime
- Description
- When ibm-slapdCachedAttributeAutoAdjust is set to TRUE, controls the time at which the server begins to adjust attribute caches automatically.
Minimum = T000000 Maximum = T235959
- Default
- T000000
- Syntax
- Military time
- Maximum Length
- 7
- Value
- Single-valued
ibm-slapdCachedAttributeAutoAdjustTimeInterval
- Description
- When ibm-slapdCachedAttributeAutoAdjust is set to TRUE, controls the time interval between automatic adjustments of the attribute cache.
Minimum = 1 Maximum = 24
- Default
- 2
- Syntax
- Integer
- Maximum Length
- 2
- Value
- Single-valued
ibm-slapdCachedAttributeSize
- Description
- Amount of memory, in bytes, that can be used by the attribute cache. A value of 0 indicates that no attribute cache is used.
- Default
- 0
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued.
ibm-slapdChangeLogMaxEntries
- Description
- This attribute is used by a change log plug-in to specify the maximum number of change log entries allowed in the RDBM database. Each change log has its own changeLogMaxEntries attribute.
Minimum = 0 (unlimited) Maximum = 2,147,483,647 (32-bit, signed integer)
- Default
- 0
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdCLIErrors
- Description
- File path or device on ibmslapd host machine to which CLI error messages will be written.
- Default
- /var/db2cli.log
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdConcurrentRW
- Description
- Setting this to TRUE allows searches to proceed simultaneously with updates. It allows for 'dirty reads', that is, results that might not be consistent with the committed state of the database. Attention: This attribute is deprecated.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdDB2CP
- Description
- Specifies the code page of the directory database. 1208 is the code page for UTF-8 databases.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdDBAlias
- Description
- The DB2 database alias.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
ibm-slapdDbConnections
- Description
- Specify the number of DB2 connections the server will dedicate to the DB2 backend. The value must be between 5 & 50 (inclusive).
The ODBCCONS environment variable overrides the value of this directive. If ibm-slapdDbConnections (or ODBCCONS) is less than 5 or greater than 50, the server will use 5 or 50 respectively. 1 additional connection will be created for replication (even if no replication is defined). 2 additional connections will be created for the change log (if change log is enabled).
- Default
- 15
- Syntax
- Integer
- Maximum Length
- 50
- Value
- Single-valued
ibm-slapdDbInstance
- Description
- Specifies the DB2 database instance for this backend.
- Default
- ldapdb2
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.
ibm-slapdDbLocation
- Description
- The file system path where the backend database is located.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdDbName
- Description
- Specifies the DB2 database name for this backend.
- Default
- ldapdb2
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
ibm-slapdDbUserID
- Description
- Specifies the user name with which to bind to the DB2 database for this backend.
- Default
- ldapdb2
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 8
- Value
- Single-valued
All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.
ibm-slapdDerefAliases
- Description
- Maximum alias dereferencing level on search requests, regardless of any derefAliases that may have been specified on the client requests. Allowed values are never, find, search and always.
- Default
- always
- Syntax
- Directory string
- Maximum Length
- 6
- Value
- Single-valued
ibm-slapdDbUserPW
- Description
- Specifies the user password with which to bind to the DB2 database for this backend. The password can be plain text or imask encrypted.
- Default
- ldapdb2
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
All ibm-slapdRdbmBackend objects must use the same ibm-slapdDbInstance, ibm-slapdDbUserID, ibm-slapdDbUserPW and DB2 character set.
ibm-slapdDigestAdminUser
- Description
- Specifies the Digest MD5 User Name of the LDAP administrator or administrative group member. Used when MD5 Digest authentication is used to authenticate an administrator.
- Default
- None
- Syntax
- Directory string
- Maximum Length
- 512
- Value
- Single-valued
ibm-slapdDigestAttr
- Description
- Overrides the default DIGEST-MD5 username attribute. The name of the attribute to use for DIGEST-MD5 SASL bind username lookup. If the value is not specified, the server uses uid.
- Default
- If not specified, the server uses uid.
- Syntax
- Directory string.
- Maximum Length
- 64
- Value
- Single-valued
ibm-slapdDigestRealm
- Description
- Overrides the default DIGEST-MD5 realm. A string that can enable users to know which username and password to use, in case they might have different ones for different servers. Conceptually, it is the name of a collection of accounts that might include the user's account. This string should contain at least the name of the host performing the authentication and might additionally indicate the collection of users who might have access. An example might be registered_users@gotham.news.example.com. If the attribute is not specified, the server uses the fully qualified hostname of the server.
- Default
- The fully qualified hostname of the server
- Syntax
- Directory string.
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdEnableEventNotification
- Description
- Specifies whether to enable Event Notification. It must be set to either TRUE or FALSE.
If set to FALSE, the server rejects all client requests to register event notifications with the extended result LDAP_UNWILLING_TO_PERFORM.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdEntryCacheSize
- Description
- Maximum number of entries to keep in the entry cache.
- Default
- 25000
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdErrorLog
- Description
- Specifies the file path or device on the Directory Server machine to which error messages are written.
- Default
- /var/ibmslapd.log
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdESizeThreshold
- Description
- Specifies the number of work items on the work queue before the Emergency thread is activated.
- Default
- 50
- Syntax
- Integer
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdEThreadActivate
- Description
- Specifies which conditions will activate the Emergency Thread. Must be set to one of the following values:
- S
- Size only
- T
- Time only
- SOT
- Size or time
- SAT
- Size and time
- Default
- SAT
- Syntax
- String
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdEThreadEnable
- Description
- Specifies if the Emergency Thread is active.
- Default
- True
- Syntax
- Boolean
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdETimeThreshold
- Description
- Specifies the amount of time in minutes between items removed from the work queue before the Emergency thread is activated.
- Default
- 5
- Syntax
- Integer
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdFilterCacheBypassLimit
- Description
- Search filters that match more than this number of entries will not be added to the Search Filter cache. Because the list of entry IDs that matched the filter are included in this cache, this setting helps to limit memory use. A value of 0 indicates no limit.
- Default
- 100
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdFilterCacheSize
- Description
- Specifies the maximum number of entries to keep in the Search Filter Cache.
- Default
- 25000
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdIdleTimeOut
- Description
- Maximum time to keep an LDAP connection open when there is no activity on the connection. The idle time for an LDAP connection is the time (in seconds) between the last activity on the connection and the current time. If the connection has expired, based on the idle time being greater than the value of this attribute, the LDAP server will clean up and end the LDAP connection, making it available for other incoming requests.
- Default
- 300
- Syntax
- Integer
- Length
- 11
- Count
- Single
- Usage
- Directory operation
- User Modify
- Yes
- Access Class
- Critical
- Required
- No
ibm-slapdIncludeSchema
- Description
- Specifies a file path on the Directory Server machine containing schema definitions.
- Default
- /etc/V3.system.at
- /etc/V3.system.oc
- /etc/V3.config.at
- /etc/V3.config.oc
- /etc/V3.ibm.at
- /etc/V3.ibm.oc
- /etc/V3.user.at
- /etc/V3.user.oc
- /etc/V3.ldapsyntaxes
- /etc/V3.matchingrules
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Multi-valued
ibm-slapdKrbAdminDN
- Description
- Specifies the Kerberos ID of the LDAP administrator (for example, ibm-kn=admin1@realm1). Used when Kerberos authentication is used to authenticate the administrator when logged onto the Server Administration interface. This might be specified instead of or in addition to adminDN and adminPW.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdKrbEnable
- Description
- Specifies whether the server supports Kerberos. It must be either TRUE or FALSE.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdKrbIdentityMap
- Description
- Specifies whether to use Kerberos identity mapping. It must be set to either TRUE or FALSE. If set to TRUE, when a client is authenticated with a Kerberos ID, the server searches for all local users with matching Kerberos credentials, and adds those user DNs to the bind credentials of the connection. This allows ACLs based on LDAP user DNs to still be usable with Kerberos.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdKrbKeyTab
- Description
- Specifies the LDAP server Kerberos keytab file. This file contains the LDAP server private key that is associated with its Kerberos account. This file is to be protected (like the server SSL key database file).
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdKrbRealm
- Description
- Specifies the Kerberos realm of the LDAP server. It is used to publish the ldapservicename attribute in the root DSE. Note that an LDAP server can serve as the repository of account information for multiple KDCs (and realms), but the LDAP server, as a kerberized server, can only be a member of a single realm.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 256
- Value
- Single-valued
ibm-slapdLanguageTagsEnabled
- Description
- Whether or not the server should allow language tags. The value read from the ibmslapd.conf file for this attribute is FALSE, but it can be set to TRUE.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdLdapCrlHost
- Description
- Specifies the host name of the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter is needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 256
- Value
- Single-valued
ibm-slapdLdapCrlPassword
- Description
- Specifies the password that server-side SSL uses to bind to the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter might be needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation.
If the LDAP server holding the CRLs permits unauthenticated access to the CRLs (that is, anonymous access), then ibm-slapdLdapCrlPassword is not required.
- Default
- No preset default is defined.
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdLdapCrlPort
- Description
- Specifies the port used to connect to the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter is needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation. (IP ports are unsigned, 16-bit integers in the range 1 - 65535)
- Default
- No preset default is defined.
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdLdapCrlUser
- Description
- Specifies the bindDN that the server-side SSL uses to bind to the LDAP server that contains the Certificate Revocation Lists (CRLs) for validating client x.509v3 certificates. This parameter might be needed when ibm-slapdSslAuth=serverclientauth and the client certificates have been issued for CRL validation.
If the LDAP server holding the CRLs permits unauthenticated access to the CRLs (that is, anonymous access), then ibm-slapdLdapCrlUser is not required.
- Default
- No preset default is defined.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Single-valued
ibm-slapdMasterDN
- Description
- Specifies the bind DN of the master server. The value must match the replicaBindDN in the replicaObject defined for the master server. When Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must specify the DN representation of the Kerberos ID (for example, ibm-kn=freddy@realm1). When Kerberos is used, MasterServerPW is ignored.
- Default
- No preset default is defined.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Single-valued
ibm-slapdMasterPW
- Description
- Specifies the bind password of the master replica server. The value must match replicaBindDN in the replicaObject defined for the master server. When Kerberos is used to authenticate to the replica, ibm-slapdMasterDN must specify the DN representation of the Kerberos ID (for example, ibm-kn=freddy@realm1). When Kerberos is used, MasterServerPW is ignored.
- Default
- No preset default is defined.
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdMasterReferral
- Description
- Specifies the URL of the master replica server. For example:
ldap://master.us.ibm.com
For security set to SSL only:
ldaps://master.us.ibm.com:636
For security set to none and using a nonstandard port:
ldap://master.us.ibm.com:1389
- Default
- none
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 256
- Value
- Single-valued
ibm-slapdMaxEventsPerConnection
- Description
- Specifies the maximum number of event notifications which can be registered per connection.
Minimum = 0 (unlimited) Maximum = 2,147,483,647
- Default
- 100
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdMaxEventsTotal
- Description
- Specifies the maximum total number of event notifications which can be registered for all connections.
Minimum = 0 (unlimited) Maximum = 2,147,483,647
- Default
- 0
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdMaxNumOfTransactions
- Description
- Specifies the maximum number of transactions per server.
Minimum = 0 (unlimited) Maximum = 2,147,483,647
- Default
- 20
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdMaxOpPerTransaction
- Description
- Specifies the maximum number of operations per transaction.
Minimum = 0 (unlimited) Maximum = 2,147,483,647
- Default
- 5
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdMaxPendingChangesDisplayed
- Description
- Maximum number of pending changes to be displayed.
- Default
- 200
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdMaxTimeLimitOfTransactions
- Description
- Specifies the maximum timeout value of a pending transaction in seconds.
Minimum = 0 (unlimited) Maximum = 2,147,483,647
- Default
- 300
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdPagedResAllowNonAdmin
- Description
- Whether or not the server should allow non-Administrator bind for paged results requests on a search request. If the value read from the ibmslapd.conf file is FALSE, the server will process only those client requests submitted by a user with Administrator authority. If a client requests paged results for a search operation, does not have Administrator authority, and the value read from the ibmslapd.conf file for this attribute is FALSE, the server will return to the client with return code insufficientAccessRights; no searching or paging will be performed.
- Default
- FALSE
- Syntax
- Boolean
- Length
- 5
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Objectclass
- ibm-slapdRdbmBackend
- Required
- No
ibm-slapdPagedResLmt
- Description
- Maximum number of outstanding paged results search requests allowed active simultaneously. Range = 0.... If a client requests a paged results operation, and a maximum number of outstanding paged results are currently active, then the server will return to the client with return code of busy; no searching or paging will be performed.
- Default
- 3
- Syntax
- Integer
- Length
- 11
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Required
- No
- Objectclass
- ibm-slapdRdbmBackend
ibm-slapdPageSizeLmt
- Description
- Maximum number of entries to return from search for an individual page when paged results control is specified, regardless of any pagesize that might have been specified on the client search request. Range = 0.... If a client has passed a page size, then the smaller value of the client value and the value read from ibmslapd.conf will be used.
- Default
- 50
- Syntax
- Integer
- Length
- 11
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Required
- No
- Objectclass
- ibm-slapdRdbmBackend
ibm-slapdPlugin
- Description
- A plugin is a dynamically loaded library which extends the capabilities of the server. An ibm-slapdPlugin attribute specifies to the server how to load and initialize a plug-in library. The syntax is:
keyword filename init_function [args...]
The syntax is slightly different for each platform because of library naming conventions.
Most plug-ins are optional, but the RDBM backend plug-in is required for all RDBM backends.
- Default
- database /bin/libback-rdbm.dll rdbm_backend_init
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 2000
- Value
- Multi-valued
ibm-slapdPort
- Description
- Specifies the TCP/IP port used for non-SSL connections. It cannot have the same value as ibm-slapdSecurePort. (IP ports are unsigned, 16-bit integers in the range 1 - 65535.)
- Default
- 389
- Syntax
- Integer
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdPwEncryption
- Description
- Specifies the encoding mechanism for the user passwords before they are stored in the directory. It must be specified as none, imask, crypt, or sha (use the keyword sha in order to get SHA-1 encoding). The value must be set to none for the SASL cram-md5 bind to succeed.
- Default
- none
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdReadOnly
- Description
- This attribute is normally applied to only the Directory backend. It specifies whether the backend can be written to. It must be specified as either TRUE or FALSE. It defaults to FALSE if unspecified. If set to TRUE, the server returns LDAP_UNWILLING_TO_PERFORM (0x35) in response to any client request which changes data in the readOnly database.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdReferral
- Description
- Specifies the referral LDAP URL to pass back when the local suffixes do not match the request. It is used for superior referral (that is, the suffix is not within the naming context of the server).
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 32700
- Value
- Multi-valued
ibm-slapdReplDbConns
- Description
- Maximum number of database connections for use by replication.
- Default
- 4
- Syntax
- Integer
- Maximum Length
- 11
- Value
- Single-valued
ibm-slapdReplicaSubtree
- Description
- Identifies the DN of a replicated subtree.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Single-valued
ibm-slapdSchemaAdditions
- Description
- The ibm-slapdSchemaAdditions attribute is used to identify explicitly which file holds new schema entries. This is set by default to be /etc/V3.modifiedschema. If this attribute is not defined, the server reverts to using the last ibm-slapdIncludeSchema file as in previous releases. Before Version 3.2, the last includeSchema entry in slapd.conf was the file to which any new schema entries were added by the server if it received an add request from a client. Normally the last includeSchema is the V3.modifiedschema file, which is an empty file installed just for this purpose.
The name modified is misleading, for it only stores new entries. Changes to existing schema entries are made in their original files.
- Default
- /etc/V3.modifiedschema
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdSchemaCheck
- Description
- Specifies the schema checking mechanism for the add/modify/delete operation. It must be specified as V2, V3, or V3_lenient.
- V2 - Retain v2 and v2.1 checking. Recommended for migration purpose.
- V3 - Perform v3 checking.
- V3_lenient - Not all parent object classes are needed. Only the immediate object class is needed when adding entries.
- Default
- V3_lenient
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 10
- Value
- Single-valued
ibm-slapdSecurePort
- Description
- Specifies the TCP/IP port used for SSL connections. It cannot have the same value as ibm-slapdPort. (IP ports are unsigned, 16-bit integers in the range 1 - 65535.)
- Default
- 636
- Syntax
- Integer
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdSecurity
- Description
- Enables SSL and TLS connections. Must be none, SSL, SSLOnly, TLS, or SSLTLS.
- none - The server listens on the nonsecure port only.
- SSL - The server listens on both the SSL and the non-SSL ports. The secure port is the only means of using a secure connection.
- SSLOnly - The server listens on the SSL port only.
- TLS - The server only listens on the nonsecure port. The StartTLS extended operation is the only means of using a secure connection.
- SSLTLS - The server listens on both the default and secure ports. The StartTLS extended operation can be used to get a secure connection over the default port, or the client can use the secure port directly. Sending a StartTLS over the secure port will return the message LDAP_OPERATIONS_ERROR.
- Default
- none
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 7
- Value
- Single-valued
ibm-slapdServerId
- Description
- Identifies the server for use in replication.
- Syntax
- IA5 String with case-sensitive matching
- Maximum Length
- 240
- Value
- Single-valued
ibm-slapdSetenv
- Description
- The server runs putenv() for all values of ibm-slapdSetenv at startup to change the server runtime environment. Shell variables (like %PATH% or $LANG) are not expanded.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 2000
- Value
- Multi-valued
ibm-slapdSizeLimit
- Description
- Specifies the maximum number of entries to return from search, regardless of any size limit that might have been specified on the client search request (Range = 0...). If a client has passed a limit, then the smaller value of the client values and the value read from ibmslapd.conf are used. If a client has not passed a limit and has bound as admin DN, the limit is considered unlimited. If the client has not passed a limit and has not bound as admin DN, then the limit is that which was read from the ibmslapd.conf file. 0 = unlimited.
- Default
- 500
- Syntax
- Integer
- Maximum Length
- 12
- Value
- Single-valued
ibm-slapdSortKeyLimit
- Description
- The maximum number of sort conditions (keys) that can be specified on a single search request. Range = 0.... If a client has passed a search request with more sort keys than the limit allows, and the sorted search control criticality is FALSE, then the server will honor the value read from the ibmslapd.conf file and ignore any sort keys encountered after the limit has been reached - searching and sorting will be performed. If a client has passed a search request with more keys than the limit allows, and the sorted search control criticality is TRUE, then the server will return to the client with a return code of adminLimitExceeded - no searching or sorting will be performed.
- Default
- 3
- Syntax
- cis
- Length
- 11
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Objectclass
- ibm-slapdRdbmBackend
- Required
- No
ibm-slapdSortSrchAllowNonAdmin
- Description
- Specifies whether the server allows a non-Administrator bind to request sorting on a search request. If the value read from the ibmslapd.conf file is FALSE, the server processes only those client requests submitted by a user with Administrator authority. If a client requests sort for a search operation, does not have Administrator authority, and the value read from the ibmslapd.conf file for this attribute is FALSE, the server returns insufficientAccessRights to the client; no searching or sorting is performed.
- Default
- FALSE
- Syntax
- Boolean
- Length
- 5
- Count
- Single
- Usage
- directoryOperation
- User Modify
- Yes
- Access Class
- critical
- Objectclass
- ibm-slapdRdbmBackend
- Required
- No
ibm-slapdSslAuth
- Description
- Specifies the authentication type for the SSL connection, either serverauth or serverclientauth.
- serverauth - supports server authentication at the client. This is the default.
- serverclientauth - supports both server and client authentication.
- Default
- serverauth
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 16
- Value
- Single-valued
ibm-slapdSslCertificate
- Description
- Specifies the label that identifies the server Personal Certificate in the key database file. This label is specified when the server private key and certificate are created with the gsk4ikm application. If ibm-slapdSslCertificate is not defined, the default private key, as defined in the key database file, is used by the LDAP server for SSL connections.
- Default
- No preset default is defined.
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 128
- Value
- Single-valued
ibm-slapdSslCipherSpec
- Description
- Specifies the method of SSL encryption for clients accessing the server. Must be set to one of the following:

Table 1. Methods of SSL encryption

| Attribute | Encryption level |
| --- | --- |
| TripleDES-168 | Triple DES encryption with a 168-bit key and a SHA-1 MAC |
| DES-56 | DES encryption with a 56-bit key and a SHA-1 MAC |
| RC4-128-SHA | RC4 encryption with a 128-bit key and a SHA-1 MAC |
| RC4-128-MD5 | RC4 encryption with a 128-bit key and an MD5 MAC |
| RC2-40-MD5 | RC2 encryption with a 40-bit key and an MD5 MAC |
| RC4-40-MD5 | RC4 encryption with a 40-bit key and an MD5 MAC |
| AES | AES encryption |

- Syntax
- IA5 String
- Maximum Length
- 30
ibm-slapdSslKeyDatabase
- Description
- Specifies the file path to the LDAP server SSL key database file. This key database file is used for handling SSL connections from LDAP clients, as well as for creating secure SSL connections to replica LDAP servers.
- Default
- /etc/key.kdb
- Syntax
- Directory string with case-exact matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdSslKeyDatabasePW
- Description
- Specifies the password associated with the LDAP server SSL key database file, as specified on the ibm-slapdSslKeyDatabase parameter. If the LDAP server key database file has an associated password stash file, then the ibm-slapdSslKeyDatabasePW parameter can be omitted, or set to none.
The password stash file must be located in the same directory as the key database file and it must have the same file name as the key database file, but with an extension of .sth instead of .kdb.
- Default
- none
- Syntax
- Binary
- Maximum Length
- 128
- Value
- Single-valued
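
The following added example (not part of the product documentation) audits the SSL attributes described above: ibm-slapdSslCipherSpec values against Table 1, the ibm-slapdSslAuth value, and whether ibm-slapdSslKeyDatabasePW holds a password that a stash file would make unnecessary. It assumes the settings appear as LDIF-style `attribute: value` lines and that a cipher attribute may repeat; the sample input is constructed.

```python
# Added example: audit SSL-related ibmslapd.conf attributes.
# Assumption: settings are LDIF-style "attribute: value" lines; SAMPLE is constructed.
CIPHERS = {  # name -> (algorithm, key bits, MAC) as listed in Table 1
    "TripleDES-168": ("3DES", 168, "SHA-1"),
    "DES-56":        ("DES", 56, "SHA-1"),
    "RC4-128-SHA":   ("RC4", 128, "SHA-1"),
    "RC4-128-MD5":   ("RC4", 128, "MD5"),
    "RC2-40-MD5":    ("RC2", 40, "MD5"),
    "RC4-40-MD5":    ("RC4", 40, "MD5"),
    "AES":           ("AES", None, None),  # Table 1 gives no key size or MAC
}

def parse_conf(text):
    conf = {}  # lowercased attribute name -> list of values (attributes may repeat)
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and not name.lstrip().startswith("#"):
            conf.setdefault(name.strip().lower(), []).append(value.strip())
    return conf

def audit_ssl(conf):
    findings = []
    for spec in conf.get("ibm-slapdsslcipherspec", []):
        if spec not in CIPHERS:
            findings.append(f"{spec}: not a value listed in Table 1")
            continue
        alg, bits, mac = CIPHERS[spec]
        if bits is not None and bits < 128:
            findings.append(f"{spec}: {bits}-bit key is too short")
        if alg == "RC4":
            findings.append(f"{spec}: RC4 is prohibited in TLS by RFC 7465")
        if mac == "MD5":
            findings.append(f"{spec}: MD5-based MAC")
    # Syntax is case-insensitive; serverauth is the documented default.
    auth = conf.get("ibm-slapdsslauth", ["serverauth"])[0].lower()
    if auth not in ("serverauth", "serverclientauth"):
        findings.append(f"ibm-slapdSslAuth: unknown value {auth!r}")
    pw = conf.get("ibm-slapdsslkeydatabasepw", ["none"])[0]
    if pw.lower() != "none":
        findings.append("ibm-slapdSslKeyDatabasePW: password stored in the "
                        "config file; a .sth stash file lets it be omitted")
    return findings

SAMPLE = """\
ibm-slapdSslCipherSpec: AES
ibm-slapdSslCipherSpec: RC4-40-MD5
ibm-slapdSslCipherSpec: DES-56
ibm-slapdSslKeyDatabase: /etc/key.kdb
ibm-slapdSslKeyDatabasePW: constructed-password
"""
```
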
ibm-slapdSslKeyRingFile
- Description
- Path to the LDAP server's SSL key database file. This key database file is used for handling SSL connections from LDAP clients, as well as for creating secure SSL connections to replica LDAP servers.
- Default
- key.kdb
- Syntax
- Directory String with case-sensitive matching
- Maximum Length
- 1024
- Value
- Single-valued
ibm-slapdSuffix
- Description
- Specifies a naming context to be stored in this backend.
This has the same name as the object class.
- Default
- No preset default is defined.
- Syntax
- DN
- Maximum Length
- 1000
- Value
- Multi-valued
ibm-slapdSupportedWebAdmVersion
- Description
- This attribute defines the earliest version of the Web administration tool that supports this server of cn=configuration.
- Default
- Syntax
- Directory String
- Maximum Length
- Value
- Single-valued
ibm-slapdSysLogLevel
- Description
- Specifies the level at which debugging and operation statistics are logged in the slapd.errors file. It must be specified as l, m, or h.
- h - high (provides the most information)
- m - medium (the default)
- l - low (provides the least information)
- Default
- m
- Syntax
- Directory string with case-insensitive matching
- Maximum Length
- 1
- Value
- Single-valued
ibm-slapdTimeLimit
- Description
- Specifies the maximum number of seconds to spend on a search request, regardless of any time limit that might have been specified on the client request. If a client has passed a limit, then the smaller of the client's value and the value read from ibmslapd.conf is used. If a client has not passed a limit and has bound as admin DN, the limit is considered unlimited. If the client has not passed a limit and has not bound as admin DN, then the limit is the value read from the ibmslapd.conf file. 0 = unlimited.
- Default
- 900
- Syntax
- Integer
- Maximum Length
- Value
- Single-valued
ibm-slapdTransactionEnable
- Description
- If the transaction plugin is loaded but ibm-slapdTransactionEnable is set to FALSE, the server rejects all StartTransaction requests with the response LDAP_UNWILLING_TO_PERFORM.
- Default
- TRUE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdUseProcessIdPw
- Description
- If set to TRUE, the server ignores the ibm-slapdDbUserID and the ibm-slapdDbUserPW attributes and uses its own process credentials to authenticate to DB2.
- Default
- FALSE
- Syntax
- Boolean
- Maximum Length
- 5
- Value
- Single-valued
ibm-slapdVersion
- Description
- IBM Slapd version Number
- Default
- Syntax
- Directory String with case-sensitive matching
- Maximum Length
- Value
- Single-valued
ibm-slapdWriteTimeout
- Description
- Specifies a timeout value in seconds for blocked writes. When the time limit is reached, the connection is dropped.
- Default
- 120
- Syntax
- Integer
- Maximum Length
- 1024
- Value
- Single-valued
objectClass
- Description
- The values of the objectClass attribute describe the kind of object which an entry represents.
- Syntax
- Directory string
- Maximum Length
- 128
- Value
- Multi-valued