The Global Configuration contains properties that affect the overall operation of the Directory Server.
The following components have a direct aggregation relation from Global Configurations:
The properties supported by this managed object are as follows:
| Property Group | Instance Configuration |
| Description | Specifies a name that may be used to uniquely identify this Directory Server instance among other instances in the environment. The instance name is used as a server's topology identifier. It must be unique across servers in a topology and cannot be changed once it is set. A good heuristic to use while choosing the instance name is to include as much information as possible about the server that is known not to change over the lifetime of the installation, such as its location and server type, and to include a monotonically increasing serial number if more than one server of a particular type needs to co-exist in a topology, e.g., Austin Server 1. Hostnames and ports may also be used to identify the server, but be aware that the instance name will not change if the machine name changes. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Instance Configuration |
| Description | Specifies the location for this Directory Server. Operations performed which involve communication with other servers may prefer servers in the same location to help ensure low-latency responses. |
| Default Value | None |
| Allowed Values | The DN of any Location. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted. This modification must also be made to the Server Instance representing this server in the topology registry. This will ensure that topology-related operations involving communication with other servers prefer servers in the same location as this server. For example, when replication data is initialized on this server using a topology file, then another server in the same location as this server will be used, if available. |
| Property Group | Instance Configuration |
| Description | When this property is set, changes made to this server using the console or dsconfig can be automatically applied to all servers in the specified server group. This property references the name of a server group in the topology registry. The dsconfig command line utility is used to create, modify, and delete server groups. The special built-in server group 'all-servers' can be used to refer to all registered servers. This Directory Server must be a member of the selected group. Furthermore, all servers in the specified group should have the same value for this property. |
| Default Value | Since no value is specified, configuration changes made at this server are not automatically applied to other servers. |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Security Configuration |
| Description | Indicates whether the server should encrypt backups by default. If this is true, and if a backup-encryption-settings-definition-id value is specified, then that encryption settings definition will be used to generate the encryption key for the backup. If this is true, and if a backup-encryption-settings-definition-id value is not specified, then the server will first try to use the preferred encryption settings definition to generate the encryption key. If the server is not configured with any encryption settings definitions, then an internal key that is shared among instances in the topology will be used. Regardless of whether this property is true or false, the default behavior can be overridden in the backup command-line tool. Providing the --encrypt argument will always cause the backup to be encrypted, even if this property has a value of false. Providing the --doNotEncrypt argument will always cause the backup to be unencrypted, even if this property has a value of true. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
backup-encryption-settings-definition-id
| Property Group | Security Configuration |
| Description | The unique identifier for the encryption settings definition to use to generate the encryption key for encrypted backups by default. If this property is given a value, then a definition with that ID must exist in the server's encryption settings database. Use the 'encryption-settings list' command to obtain a list of the available encryption settings definitions, and 'encryption-settings create' to create a new one. If this property is not given a value but the server is configured with at least one encryption settings definition, then the preferred definition will be used. If no encryption settings definitions are available, then the server will use an internal key shared among servers in the topology. Regardless of whether a value is configured for this property, it can be overridden in the backup command-line tool. Providing one of the --promptForEncryptionPassphrase or --encryptionPassphraseFile arguments will cause the encryption key to be generated from the provided passphrase, while providing the --encryptionSettingsDefinitionID argument will cause the key to be generated from the specified encryption settings definition. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
encrypt-ldif-exports-by-default
| Property Group | Security Configuration |
| Description | Indicates whether the server should encrypt LDIF exports by default. If this is true, and if an ldif-export-encryption-settings-definition-id value is specified, then that encryption settings definition will be used to generate the encryption key for the export. If this is true, and if an ldif-export-encryption-settings-definition-id value is not specified, then the server will first try to use the preferred encryption settings definition to generate the encryption key. If the server is not configured with any encryption settings definitions, then an internal key that is shared among instances in the topology will be used. Regardless of whether this property is true or false, the default behavior can be overridden in the export-ldif command-line tool. Providing the --encryptLDIF argument will always cause the export to be encrypted, even if this property has a value of false. Providing the --doNotEncryptLDIF argument will always cause the export to be unencrypted, even if this property has a value of true. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
ldif-export-encryption-settings-definition-id
| Property Group | Security Configuration |
| Description | The unique identifier for the encryption settings definition to use to generate the encryption key for encrypted LDIF exports by default. If this property is given a value, then a definition with that ID must exist in the server's encryption settings database. Use the 'encryption-settings list' command to obtain a list of the available encryption settings definitions, and 'encryption-settings create' to create a new one. If this property is not given a value but the server is configured with at least one encryption settings definition, then the preferred definition will be used. If no encryption settings definitions are available, then the server will use an internal key shared among servers in the topology. Regardless of whether a value is configured for this property, it can be overridden in the export-ldif command-line tool. Providing one of the --promptForEncryptionPassphrase or --encryptionPassphraseFile arguments will cause the encryption key to be generated from the provided passphrase, while providing the --encryptionSettingsDefinitionID argument will cause the key to be generated from the specified encryption settings definition. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
automatically-compress-encrypted-ldif-exports
| Property Group | Security Configuration |
| Description | Indicates whether to automatically compress LDIF exports that are also encrypted. If this is true, then any LDIF export that is encrypted (whether explicitly via the --encryptLDIF command-line argument or implicitly via the encrypt-ldif-exports-by-default configuration property) will also be gzip-compressed, without the need for the --compress command-line argument. If this is false, then encrypted LDIF exports will not automatically be compressed, but they may still be manually compressed using the --compress command-line argument. This setting has no effect on LDIF exports that are not encrypted. It also does not have any effect on the command-line arguments needed when performing an LDIF import because the import process will automatically detect whether the LDIF file is encrypted and/or compressed. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
redact-sensitive-values-in-config-logs
| Property Group | Security Configuration |
| Description | Indicates whether the values of sensitive configuration properties should be redacted when logging configuration changes, including in the configuration audit log, the error log, and the server.out log file. If sensitive configuration property values should be redacted, then the value for those properties will be replaced with "***REDACTED***" in log messages, which will ensure that the values are not exposed, but may interfere with the ability to replay the configuration audit log. If sensitive configuration property values should not be redacted, then an obscured representation of the value will be recorded that does not directly reveal the actual value for the property, but can be used as an alternative to the clear-text value to achieve the same result when replaying the configuration audit log. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Security Configuration |
| Description | Indicates whether the Directory Server should reject any LDAP request (other than StartTLS) received from a client that is not using an encrypted connection. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-insecure-request-criteria
| Property Group | Security Configuration |
| Description | A set of criteria that may be used to match LDAP requests that may be permitted over an insecure connection even if reject-insecure-requests is true. Note that some types of requests will always be permitted, including StartTLS and start administrative session requests. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
reject-unauthenticated-requests
| Property Group | Security Configuration |
| Description | Indicates whether the Directory Server should reject any LDAP request (other than bind or StartTLS requests) received from a client that has not yet been authenticated, whose last authentication attempt was unsuccessful, or whose last authentication attempt used anonymous authentication. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-unauthenticated-request-criteria
| Property Group | Security Configuration |
| Description | A set of criteria that may be used to match LDAP requests that may be permitted over an unauthenticated connection even if reject-unauthenticated-requests is true. Note that some types of requests will always be permitted, including bind, StartTLS, and start administrative session requests. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
bind-with-dn-requires-password
| Property Group | Security Configuration |
| Description | Indicates whether the Directory Server should reject any simple bind request that contains a DN but no password. Although such bind requests are technically allowed by the LDAPv3 specification (and should be treated as anonymous simple authentication), they may introduce security problems in applications that do not verify that the client actually provided a password. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Security Configuration |
| Description | Specifies the name of the password policy that is in effect for users whose entries do not specify an alternate password policy (either via a real or virtual attribute). |
| Default Value | Default Password Policy |
| Allowed Values | The DN of any Password Policy. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
proxied-authorization-identity-mapper
| Property Group | Security Configuration |
| Description | Specifies the name of the identity mapper to map authorization ID values (using the "u:" form) provided in the proxied authorization control to the corresponding user entry. |
| Default Value | Exact Match |
| Allowed Values | The DN of any Identity Mapper. The referenced identity mapper must be enabled. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Security Configuration |
| Description | Indicates whether the digest should always be verified whenever an entry containing a digest is decoded. If this is "true", then if a digest exists, it will always be verified. Otherwise, the digest will be written when encoding entries but ignored when decoding entries but may still be available for other verification processing. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | Specifies the maximum number of entries that the Directory Server should return to clients by default when processing a search operation. A value of 0 indicates that no size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-size-limit operational attribute. If the unauthenticated-size-limit property is assigned a value, then the size-limit property will only apply to authenticated clients, and the unauthenticated-size-limit value will be used for unauthenticated clients. If no value is set for the unauthenticated-size-limit property, then the size-limit value will apply to both authenticated and unauthenticated clients. If a search operation would return more entries than allowed by the size limit in effect for that operation, the server will return up to that maximum number of entries, and will then return a search result done message with a "size limit exceeded" (integer value 4) result code. |
| Default Value | 1000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | The size limit value that will apply for connections from unauthenticated clients. If this is not specified, then the value of the size-limit property will be applied for both authenticated and unauthenticated connections. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | Specifies the maximum length of time that the Directory Server should be allowed to spend processing a search operation. A value of 0 seconds indicates that no time limit is enforced. Note that this is the default server-wide time limit, but it may be overridden on a per-user basis using the ds-rlim-time-limit operational attribute. If the unauthenticated-time-limit property is assigned a value, then the time-limit property will only apply to authenticated clients, and the unauthenticated-time-limit value will be used for unauthenticated clients. If no value is set for the unauthenticated-time-limit property, then the time-limit value will apply to both authenticated and unauthenticated clients. If a search operation cannot be completed within the time limit in effect for that operation, the server will return any matching entries identified within that time limit, and will then return a search result done message with a "time limit exceeded" (integer value 3) result code. |
| Default Value | 60 seconds |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | The time limit value that will apply for connections from unauthenticated clients. If this is not specified, then the value of the time-limit property will be applied for both authenticated and unauthenticated connections. |
| Default Value | None |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | Specifies the maximum length of time that a client connection may remain established since its last completed operation. A value of "0 seconds" indicates that no idle time limit is enforced. Note that this is the default server-wide idle time limit, but it may be overridden on a per-user basis using the ds-rlim-idle-time-limit operational attribute. If the unauthenticated-idle-time-limit property is assigned a value, then the idle-time-limit property will only apply to authenticated clients, and the unauthenticated-idle-time-limit value will be used for unauthenticated clients. If no value is set for the unauthenticated-idle-time-limit property, then the idle-time-limit value will apply to both authenticated and unauthenticated clients. |
| Default Value | 0 seconds |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
unauthenticated-idle-time-limit
| Property Group | Resource Limits |
| Description | The idle-time-limit limit value that will apply for connections from unauthenticated clients. If this is not specified, then the value of the idle-time-limit property will be applied for both authenticated and unauthenticated connections. |
| Default Value | None |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | Specifies the maximum number of entries that the Directory Server should "look through" in the course of processing a search request. This includes any entry that the server must examine in the course of processing the request, regardless of whether it actually matches the search criteria. A value of 0 indicates that no lookthrough limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-lookthrough-limit operational attribute. If the unauthenticated-lookthrough-limit property is assigned a value, then the lookthrough-limit property will only apply to authenticated clients, and the unauthenticated-lookthrough-limit value will be used for unauthenticated clients. If no value is set for the unauthenticated-lookthrough-limit property, then the lookthrough-limit value will apply to both authenticated and unauthenticated clients. If a search operation would require examining more entries than allowed by the lookthrough limit in effect for that operation, the server may or may not return any matching entries identified before the limit is reached, and will then return a search result done message with an "administrative limit exceeded" (integer value 11) result code. |
| Default Value | 5000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
unauthenticated-lookthrough-limit
| Property Group | Resource Limits |
| Description | The lookthrough limit value that will apply for connections from unauthenticated clients. If this is not specified, then the value of the lookthrough-limit property will be applied for both authenticated and unauthenticated connections. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Resource Limits |
| Description | Specifies the maximum number of entries that may be directly joined with any individual search result entry. A value of 0 indicates that no LDAP join size limit is enforced. Note that this is the default server-wide limit, but it may be overridden on a per-user basis using the ds-rlim-ldap-join-size-limit operational attribute. The LDAP join size limit will also be restricted by the search operation size limit (i.e., the maximum number of search result entries that may be returned for the operation). If a search result entry would be joined with more entries than allowed by the LDAP join size limit, then the join result control will have a "size limit exceeded" (integer value 4) result code, and may or may not include any matching entries identified before the size limit was reached. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections
| Property Group | Resource Limits |
| Description | Specifies the maximum number of LDAP client connections which may be established to this Directory Server at the same time. If the maximum number of concurrent LDAP connections for this Directory Server has been reached, then any subsequent connection attempts will be rejected until an existing client connection has been closed. A value of zero indicates that no limit will be imposed on the number of concurrent connections that may be established to this Directory Server. |
| Default Value | 0 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections-per-ip-address
| Property Group | Resource Limits |
| Description | Specifies the maximum number of LDAP client connections originating from the same IP address which may be established to this Directory Server at the same time. If the maximum number of concurrent LDAP connections from the same client address has been reached, then any subsequent connection attempts from that client will be rejected until an existing connection from that same address has been closed. A value of zero indicates that no limit will be imposed on the number of concurrent connections from the same client address. |
| Default Value | 0 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-connections-per-bind-dn
| Property Group | Resource Limits |
| Description | Specifies the maximum number of LDAP client connections which may be established to this Directory Server at the same time and authenticated as the same user. If the maximum number of concurrent LDAP connections authenticated as the same user has been reached, then any subsequent attempts to authenticate as that user will cause the associated client connection to be terminated. New connection attempts from that client will be rejected until an existing connection from that same address has been closed. A value of zero indicates that no limit will be imposed on the number of concurrent connections from the same client address. |
| Default Value | 0 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-concurrent-unindexed-searches
| Property Group | Resource Limits |
| Description | Specifies the maximum number of unindexed searches that may be in progress in this backend at any given time. Any unindexed searches requested while the maximum number of unindexed searches are already being processed will be rejected. A value of zero indicates that no limit will be enforced. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-attributes-per-add-request
| Property Group | Resource Limits |
| Description | Specifies the maximum number of attributes that may be included in an add request. This property does not impose any limit on the number of values that an attribute may have. This limit can help prevent denial-of-service attacks from clients that may attempt to send very large or complex requests to the server in an attempt to consume memory or processing resources. It may be increased if there is a legitimate need to create entries with very large numbers of attributes. |
| Default Value | 1000 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-modifications-per-modify-request
| Property Group | Resource Limits |
| Description | Specifies the maximum number of modifications that may be included in a modify request. This property does not impose any limit on the number of attribute values that a modification may have. This limit can help prevent denial-of-service attacks from clients that may attempt to send very large or complex requests to the server in an attempt to consume memory or processing resources. It may be increased if there is a legitimate need to send modify requests with very large numbers of modifications. |
| Default Value | 1000 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
attributes-modifiable-with-ignore-no-user-modification-request-control
| Property Group | Schema Compliance |
| Description | Specifies the operational attribute types that are defined in the schema with the NO-USER-MODIFICATION constraint that the server will allow to be altered if the associated request contains the ignore NO-USER-MODIFICATION request control. |
| Default Value | None |
| Allowed Values | creatorsName - Allow creatorsName modifications. createTimestamp - Allow createTimestamp modifications. modifiersName - Allow modifiersName modifications. modifyTimestamp - Allow modifyTimestamp modifications. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-server-out-log-file-size
| Property Group | Error Handling |
| Description | The maximum allowed size that the server.out log file will be allowed to have. If a write would cause the file to exceed this size, then the current file will be rotated out of place and a new empty file will be created and the message written to it. Any existing log file will automatically be rotated when the server is started, regardless of its size. |
| Default Value | 100 MB |
| Allowed Values | A positive integer representing a size. Lower limit is 1048576. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-server-out-log-file-count
| Property Group | Error Handling |
| Description | The maximum number of server.out log files (including the current active log file) that should be retained. When rotating the log file, if the total number of files exceeds this count, then the oldest file(s) will be removed so that the total number of log files is within this limit. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 2. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
startup-error-logger-output-location
| Property Group | Error Handling |
| Description | Specifies how the server should handle error log messages (which may include errors, warnings, and notices) generated during startup. All of these messages will be written to all configured error loggers, but they may also be written to other locations (like standard output, standard error, or the server.out log file) so that they are displayed on the console when the server is starting. |
| Default Value | standard-error-and-server-out-file |
| Allowed Values | standard-output - Error log messages generated during startup should be written to the JVM's original standard output stream. When operating in no-detach mode, these messages will go only to the console and not to the server.out file. When not running in no-detach mode, anything written to the standard output stream automatically ends up in the server.out file, so messages will be both written to the console and appear in the server.out file. standard-error - Error log messages generated during startup should be written to the JVM's original standard error stream. When operating in no-detach mode, these messages will go only to the console and not to the server.out file. When not running in no-detach mode, anything written to the standard error stream automatically ends up in the server.out file, so messages will be both written to the console and appear in the server.out file. server-out-file - Error log messages generated during startup should be written to the server.out file. When operating in no-detach mode, these messages will not be written to the console but will only appear in the server.out file. When not running in no-detach mode, anything written to the server.out file during startup (and only during startup) will also be displayed to the console. standard-output-and-server-out-file - Error log messages generated during startup should be written to both the JVM's original standard output stream and the server.out file. The same behavior should be observed regardless of whether the server is operating in no-detach mode. standard-error-and-server-out-file - Error log messages generated during startup should be written to both the JVM's original standard error stream and the server.out file. The same behavior should be observed regardless of whether the server is operating in no-detach mode. disabled - The startup error logger should be disabled. Error messages generated during startup will appear in all other configured loggers, but will not be written to the JVM's standard output or standard error stream or to the server.out file (unless written by another error logger). |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Error Handling |
| Description | Indicates whether responses for failed bind operations should include a message string providing the reason for the authentication failure. Note that these messages may include information that could potentially be used by an attacker. If this option is disabled, then these messages only appear in the server's access log. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Data Configuration |
| Description | Specifies the kinds of write operations the Directory Server can process. |
| Default Value | enabled |
| Allowed Values | enabled - The Directory Server attempts to process all write operations that are requested of it, regardless of their origin. disabled - The Directory Server rejects all write operations that are requested of it, regardless of their origin. internal-only - The Directory Server attempts to process write operations requested as internal operations or through replication, but rejects any such operations requested from external clients. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
database-on-virtualized-or-network-storage
| Property Group | Data Configuration |
| Description | This setting provides data integrity options when the Directory Server is installed with a database on a network storage device. A storage device may be accessed directly by a physical server, or indirectly through a virtual machine running on a hypervisor. Enabling this setting will apply changes to all Local DB Backends, the LDAP Changelog Backend, and the replication changelog database. The setting applies in these configurations:
If the database is stored on a local physical disk this option should not be used. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | See the Directory Server documentation for information about how to safely apply this setting. |
| Property Group | Replication Configuration |
| Description | The name of the replication set assigned to this Directory Server. Restricted domains are only replicated within instances using the same replication set name. This setting is typically used in entry-balanced deployments with the Directory Proxy Server, where the entries under the same base DN are distributed across multiple backend sets. Replication can provide high availability to each backend set, but replication must not propagate updates from one backend set to another. This setting should mirror the backend set configuration in the Directory Proxy Server. |
| Default Value | None |
| Allowed Values | A string |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted. This modification must also be made to the Server Instance representing this server in the topology registry. This ensures that the most up-to-date information is used by topology-related tools. |
startup-min-replication-backlog-count
| Property Group | Replication Configuration |
| Description | The number of outstanding changes any replica can have before the Directory Server will start accepting connections. The Directory Server may never accept connections if this setting is too low. If you are unsure which value to use, you can use the number of expected updates within a five second interval. In a replicated environment, continuous updates can be received from many servers, and the Directory Server may have some outstanding changes all the time. If a Directory Server has outstanding changes and starts accepting connections too soon, applications may receive stale data that cause them to make inappropriate choices or make updates that later create unnecessary conflicts. This setting allows you to control the decision as to when a server should be considered as caught up. The Directory Server gathers all the replica backlogs and checks them against this threshold. If any replica backlog is too large, the Directory Server will wait until all the backlogs are sufficiently small. Additionally, the local replication updates pending in the Directory Server must drop below this threshold as well. When all replica and local update backlogs are below the value in this setting, the Directory Server will start accepting connections. A value of 'unlimited' will cause the server to startup without delay and with an outstanding backlog of changes to be processed. |
| Default Value | 5000 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
replication-backlog-count-alert-threshold
| Property Group | Replication Configuration |
| Description | An alert is sent when the number of outstanding replication changes for the Directory Server has exceeded this threshold for longer than the replication backlog duration alert threshold. |
| Default Value | 10000 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
replication-backlog-duration-alert-threshold
| Property Group | Replication Configuration |
| Description | An alert is sent when the number of outstanding replication changes for the Directory Server has exceeded the replication backlog count alert threshold for longer than this duration. |
| Default Value | 1m |
| Allowed Values | A duration. Maximum unit is "hours". Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Replication Configuration |
| Description | Specifies the size limit for historical information. Historical information, which is used for replication conflict resolution, is stored in the operational attribute ds-sync-hist. This property can be used to limit the size of that attribute. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | SMTP Configuration |
| Description | Specifies the set of servers that will be used to send email messages. The order in which the servers are listed indicates the order in which the Directory Server will attempt to use them in the course of sending a message. The first attempt will always go to the server at the top of the list, and servers further down the list will only be used if none of the servers listed above it were able to successfully send the message. |
| Default Value | If no values are defined, then the server cannot send email via SMTP. |
| Allowed Values | The DN of any SMTP External Server. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
| Property Group | Other Configuration |
| Description | Specifies the maximum amount of time the shutdown of Directory Server may take. Directory Server can usually shutdown in a short amount of time. If the shutdown was received while long running database operations are active, then instances that are busy or that have large database backends may require more time to stop. Stopping these operations prematurely may result in a significantly longer startup time. To avoid a potentially long time required for a subsequent startup, increase the maximum time allowed for shutdown to complete. |
| Default Value | 5 minutes |
| Allowed Values | A duration. Lower limit is 60 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | If systemd is used to manage Directory Server then make sure the "TimeoutStopSec" parameter in the service file is longer than this value. |
| Property Group | Other Configuration |
| Description | Specifies criteria for identifying specific applications that access the server to enable tracking throughput and latency of LDAP operations issued by an application. This property allows individual applications to be identified in the server by connection criteria. The name of the connection criteria configuration object is used within the server as the name of the application. The list of criteria is ordered, so the first criteria that a connection matches will be used to identify the application. Unidentified Directory Application will be used for connections that do not match any of the criteria. Defining per-application connection criteria here is used primarily to track throughput and latency of LDAP operations on a per-application basis, but other configuration changes are necessary to take advantage of this. The separate-monitor-entry-per-tracked-application setting on the Processing Time Histogram Plugin configuration object must be set to expose per-application monitoring information under cn=monitor. The per-application-ldap-stats and included-ldap-application settings on the Periodic Stats Logger Plugin can also be set to log per-application statistics to a csv file on a periodic basis. Consult the product documentation for more details on configuring the Directory Server to track LDAP statistics on a per application basis. |
| Default Value | None |
| Allowed Values | The DN of any Connection Criteria. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
force-as-master-for-mirrored-data (Advanced Property)
| Property Group | Instance Configuration |
| Description | Indicates whether this server should be forced to assume the master role if no other suitable server is found to act as master or if multiple masters are detected. A master is only needed when changes are made to mirrored data, i.e. data specific to the topology itself and cluster-wide configuration data. To ensure data consistency, changes to mirrored data are automatically routed to a single master server. This server is typically chosen dynamically, but this requires a majority of servers to be visible to the master. This avoids having multiple masters when there is a network partition, which could lead to data inconsistency. This flag exists to provide a fail-safe for the case when no suitable master is found for the mirrored data or if each server in the topology has a different view of which server is its current master. Having no master is bad because it indicates that there is no server in the topology that can reach a quorum majority of servers and is usually indicative of network problems which should be addressed immediately. Having multiple masters is bad because it can result in divergent changes requiring manual merging and possibly conflict resolution. This flag should be set to true on exactly one of the servers in the entire topology in exceptional situations such as prolonged network partitions. If it is set to true on more than one server and a situation arises that causes more than one server to be forced as master, then a critical alarm will be raised and all masters will once again be made non-masters. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | When set to true, this server will forcibly be assigned the role of master if no suitable master is found or multiple masters are detected in the topology. This flag must be set to true on exactly one server in the topology, but it is important to set it if updates to mirrored data need to be supported while no master could be selected because a majority of servers is not available. In other words, without a master the topology will become read-only and all updates rejected. The server on which this flag is set should be chosen with care. A server that is in a highly-available data center with redundant networks would make an ideal candidate to force as master if necessary. |
encrypt-data (Advanced Property)
| Property Group | Security Configuration |
| Description | Indicates whether the Directory Server should encrypt the data that it stores in all components that support it. This may include certain types of backends (including local DB and large attribute backends), the LDAP changelog, and the replication server database. If data encryption is to be enabled, then the server must have a preferred encryption settings definition. The set of available encryption settings definitions may be managed using the encryption-settings tool. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | Note that enabling and/or disabling data encryption in a server that has existing data will not cause that data to be automatically encrypted or decrypted. That is, existing encrypted data will remain encrypted, and existing unencrypted entries will remain unencrypted, until those entries are updated causing them to be rewritten. Unencrypted indexes will remain unencrypted until the data is re-imported using the export-ldif and import-ldif commands. See the Directory Server documentation for information about how to safely apply the new encryption settings for all existing data. |
encryption-settings-cipher-stream-provider (Advanced Property)
| Property Group | Security Configuration |
| Description | Specifies the cipher stream provider that should be used to protect the contents of the encryption settings database. |
| Default Value | If no cipher stream provider is configured, then a default provider will be used which has a hard-coded key. |
| Allowed Values | The DN of any Cipher Stream Provider. The referenced cipher stream provider must be enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | If you are changing the active cipher stream provider to be a wait-for-passphrase provider, then administrative tools like dsconfig and the web administration console may appear to hang when applying the configuration change. This is because the server is actively waiting for the encryption settings database passphrase to be provided, which you should do by running "encryption-settings supply-passphrase". You will also need to do this whenever the server is started. |
sensitive-attribute (Advanced Property)
| Property Group | Security Configuration |
| Description | Provides the ability to indicate that some attributes should be considered sensitive and additional protection should be in place when interacting with those attributes. Sensitive attributes may also be configured in client connection policies so that instead of applying globally, the sensitive attribute configuration will only be applied to clients associated with those client connection policies. Any sensitive attribute referenced in the global configuration will automatically apply across all client connection policies except those that specifically exclude it using the exclude-global-sensitive-attribute property. |
| Default Value | None |
| Allowed Values | The DN of any Sensitive Attribute. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
disabled-privilege (Advanced Property)
| Property Group | Security Configuration |
| Description | Specifies the name of a privilege that should not be evaluated by the server. If a privilege is disabled, then it is assumed that all clients (including unauthenticated clients) have that privilege. |
| Default Value | If no values are defined, then the server enforces all privileges. |
| Allowed Values | audit-data-security - Allows the associated user to execute data security auditing tasks. bypass-acl - Allows the associated user to bypass all access control checks performed by the server for any type of operation. bypass-read-acl - Allows the associated user to bypass access control checks performed by the server for bind, compare, and search operations. Access control evaluation may still be enforced for other types of operations. modify-acl - Allows the associated user to modify the server's access control configuration. config-read - Allows the associated user to read the server configuration. config-write - Allows the associated user to update the server configuration. The config-read privilege is also required. jmx-read - Allows the associated user to perform JMX read operations. jmx-write - Allows the associated user to perform JMX write operations. jmx-notify - Allows the associated user to subscribe to receive JMX notifications. ldif-import - Allows the user to request that the server process LDIF import tasks. ldif-export - Allows the user to request that the server process LDIF export tasks. backend-backup - Allows the user to request that the server process backup tasks. backend-restore - Allows the user to request that the server process restore tasks. server-shutdown - Allows the user to request that the server shut down. server-restart - Allows the user to request that the server perform an in-core restart. proxied-auth - Allows the user to use the proxied authorization control, or to perform a bind that specifies an alternate authorization identity. disconnect-client - Allows the user to terminate other client connections. password-reset - Allows the user to reset user passwords. update-schema - Allows the user to make changes to the server schema. privilege-change - Allows the user to make changes to the set of defined root privileges, as well as to grant and revoke privileges for users. unindexed-search - Allows the user to request that the server process a search that cannot be optimized using server indexes. unindexed-search-with-control - Allows the user to request that the server process a search that cannot be optimized using server indexes but includes the permit unindexed search request control. bypass-pw-policy - Allows the associated user to bypass password policy processing performed by the server. lockdown-mode - Allows the associated user to request that the server enter or leave lockdown mode, or to perform operations while the server is in lockdown mode. stream-values - Allows the associated user to perform a stream values extended operation to obtain all entry DNs and/or all values for one or more attributes for a specified portion of the DIT. third-party-task - Allows the associated user to invoke tasks created by third-party developers. use-admin-session - Allows the associated user to use an administrative session to request that operations be processed using a dedicated pool of worker threads. soft-delete-read - Allows the associated user access to soft-deleted entries. metrics-read - Allows the associated user access to data in the metrics backend. manage-topology - Allows the associated user to manage the set of server instances that are part of a topology. permit-get-password-policy-state-issues - Allows the associated user to issue a bind request that includes the get password policy state issues request control. The bind request must also include the retain identity request control. permit-proxied-mschapv2-details - Allows the associated user to issue a bind request that includes the proxied MS-CHAPv2 details request control. The bind request must also include the retain identity request control. permit-externally-processed-authentication - Allows the associated user to issue a SASL bind request using the UNBOUNDID-EXTERNALLY-PROCESSED-AUTHENTICATION mechanism. permit-export-reversible-passwords - Allows the associated user to invoke an extended operation that can cause the server to export passwords stored with a reversible scheme. permit-forwarding-client-connection-policy - Allows the associated user to request that an operation be processed using a specified client connection policy. exec-task - Allows the associated user to schedule an exec task. collect-support-data - Allows the requester to invoke the collect-support-data tool via an administrative task or an extended operation. file-servlet-access - Allows the requester to access the content exposed by file servlet instances that require this privilege. permit-replace-certificate-request - Allows the requester to issue requests to manage server listener or inter-server certificates. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
maximum-user-data-password-policies-to-cache (Advanced Property)
| Property Group | Security Configuration |
| Description | Specifies the maximum number of password policies that are defined in the user data (that is, outside of the configuration) that the server should cache in memory for faster access. A value of zero indicates that the server should not cache any user data password policies. |
| Default Value | 500 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-insecure-tls-protocol (Advanced Property)
| Property Group | Security Configuration |
| Description | Specifies a set of TLS protocols that will be permitted for use in the server even though there may be known vulnerabilities that could cause their use to be unsafe in some conditions. Enabling support for insecure TLS protocols is discouraged, and is generally recommended only as a short-term measure to permit legacy clients to interact with the server until they can be updated to support more secure communication protocols. |
| Default Value | No known-insecure TLS protocols will be allowed by default. |
| Allowed Values | sslv3 - Allow TLS communication secured with SSLv3. There are known vulnerabilities that can allow a network attacker to compute the plaintext of an SSLv3-encrypted session, as described at http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allow-insecure-local-jmx-connections (Advanced Property)
| Property Group | Security Configuration |
| Description | Indicates that processes attaching to this server's local JVM are allowed to access internal data through JMX without the authentication requirements that remote JMX connections are subject to. Please review and understand the data that this option will expose (such as cn=monitor) to client applications to ensure there are no security concerns. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
default-internal-operation-client-connection-policy (Advanced Property)
| Property Group | Security Configuration |
| Description | Specifies the client connection policy that will be used by default for internal operations. If no value is specified, a private internal client connection policy will be used which includes access to all local backends but will not have knowledge of subtree views not associated with local backends (e.g., those which may be used to access backend servers in the Directory Proxy Server). |
| Default Value | None |
| Allowed Values | The DN of any Client Connection Policy. The referenced client connection policy must be enabled. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
background-thread-for-each-persistent-search (Advanced Property)
| Property Group | Resource Limits |
| Description | Indicates whether the server should use a separate background thread for each persistent search. Using a background thread for each persistent search can help reduce the chance that an persistent search client that has stopped consuming results could block a thread the Directory Server is using to process the associated change. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | Changes to this configuration property will only take effect for new persistent searches requested after the change. Persistent searches that are already active will not be affected. |
allow-attribute-name-exceptions (Advanced Property)
| Property Group | Schema Compliance |
| Description | Indicates whether the Directory Server should allow underscores in attribute names and allow attribute names to begin with numeric digits (both of which are violations of the LDAP standards). |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
invalid-attribute-syntax-behavior (Advanced Property)
| Property Group | Schema Compliance |
| Description | Specifies how the Directory Server should handle operations whenever an attribute value violates the associated attribute syntax. |
| Default Value | reject |
| Allowed Values | accept - The Directory Server silently accepts attribute values that are invalid according to their associated syntax. Matching operations targeting those values may not behave as expected. reject - The Directory Server rejects attribute values that are invalid according to their associated syntax. warn - The Directory Server accepts attribute values that are invalid according to their associated syntax, but also logs a warning message to the error log. Matching operations targeting those values may not behave as expected. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | DEPRECATION NOTE: The wholesale option to allow attribute values to violate their associated syntax has been deprecated. This is a very broad option and permits inadvertent corruption of the data over time.
If you are trying to import legacy data with syntax violations, or if you have applications that may attempt to store values that violate the associated attribute syntax, then the recommended options to address this are as follows:
* Update the legacy data so that all attribute values conform to the associated syntax, and update any applications that are known to try to store invalid values.
* Modify the server schema to specify an alternate syntax for the attribute types for which there are known syntax violations. If there are indexes defined for any of the updated attribute types, then those indexes must be rebuilt. This option is only recommended for custom schema elements that are not shipped with the server.
* Use the permit-syntax-violations-for-attribute property to specify the attribute types for which the server should allow non-compliant values. The permit-syntax-violations-for-attribute property should only be used if neither of the above options are possible, and you should be aware that the server may behave in unexpected ways when interacting with values that do not fit the constraints expected by the associated attribute syntax or matching rules.
|
permit-syntax-violations-for-attribute (Advanced Property)
| Property Group | Schema Compliance |
| Description | Specifies a set of attribute types for which the server will permit values that do not conform to the associated attribute syntax. Note that while this option may allow the server to accept values that would normally be rejected because they violate syntax constraints, the server may behave in unexpected ways if it attempts to interact with values that do not conform to the constraints expected by the associated attribute syntax or matching rules. If you have existing data that contains attribute syntax violations, or if you have applications that may try to store malformed data, then it is recommended that you update the data and any applications to be in compliance with the existing definitions, or that you update the schema definitions to specify an alternate syntax for the affected attribute types. The permit-syntax-violations-for-attribute property should only be used as a last resort when neither of the alternatives can be used. |
| Default Value | None |
| Allowed Values | The name or OID of an attribute type defined in the server schema. |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
single-structural-objectclass-behavior (Advanced Property)
| Property Group | Schema Compliance |
| Description | Specifies how the Directory Server should handle operations for an entry does not contain a structural object class, or for an entry that contains multiple structural classes. |
| Default Value | reject |
| Allowed Values | accept - The Directory Server silently accepts entries that do not contain exactly one structural object class. Certain schema features that depend on the entry's structural class may not behave as expected. reject - The Directory Server rejects entries that do not contain exactly one structural object class. warn - The Directory Server accepts entries that do not contain exactly one structural object class, but also logs a warning message to the error log. Certain schema features that depend on the entry's structural class may not behave as expected. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
exit-on-jvm-error (Advanced Property)
| Property Group | Error Handling |
| Description | Indicates whether the Directory Server should be shut down if a severe error is raised (e.g., an out of memory error) which may prevent the JVM from continuing to run properly. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
server-error-result-code (Advanced Property)
| Property Group | Error Handling |
| Description | Specifies the numeric value of the result code when request processing fails due to an internal server error. |
| Default Value | 80 |
| Allowed Values | An integer value. Lower limit is 0. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
result-code-map (Advanced Property)
| Property Group | Error Handling |
| Description | Specifies a result code map that should be used for clients that do not have a map associated with their client connection policy. If the associated client connection policy has a result code map, then that map will be used instead. If no map is associated either with the client connection policy or the global configuration, then an internal default will be used. |
| Default Value | None |
| Allowed Values | The DN of any Result Code Map. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
notify-abandoned-operations (Advanced Property)
| Property Group | Error Handling |
| Description | Indicates whether the Directory Server should send a response to any operation that is interrupted via an abandon request. The LDAP specification states that abandoned operations should not receive any response, but this may cause problems with client applications that always expect to receive a response to each request. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
duplicate-error-log-limit (Advanced Property)
| Property Group | Error Handling |
| Description | Specifies the maximum number of duplicate error log messages that should be logged in the time window specified by the duplicate-error-log-time-limit property. This property works in conjunction with duplicate-error-log-time-limit to prevent duplicate log messages from filling up the error log. For instance, a misbehaving client might cause the server to generate many duplicate error log messages because each operation it sends is malformed. With the default value of 5 duplicates every 10 seconds, a specific log message will appear at most 6 times in any 10 second window -- once for the original message plus five more duplicates. After this limit is reached, the server will keep track of the number of additional duplicate messages logged during this interval. If when the time limit expires, this count is greater than zero, it will log an additional message including the original message and the number of additional times it was suppressed. A value of "unlimited" implies that the server should not suppress any duplicate messages. The number of duplicate messages is reset each time the server restarts. See also the duplicate-alert-limit property which serves the same purpose for administrative alerts. |
| Default Value | 200 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
duplicate-error-log-time-limit (Advanced Property)
| Property Group | Error Handling |
| Description | Specifies the length of time that must expire before duplicate log messages above the duplicate-error-log-limit threshold are logged again to the error log. This property works in conjunction with duplicate-error-log-limit to prevent duplicate log messages from filling up the error log. See the description of that property for more details. See also the duplicate-alert-time-limit property which serves the same purpose for administrative alerts. |
| Default Value | 5 minutes |
| Allowed Values | A duration. Maximum unit is "hours". Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
duplicate-alert-limit (Advanced Property)
| Property Group | Error Handling |
| Description | Specifies the maximum number of duplicate alert messages that should be sent via the administrative alert framework in the time window specified by the duplicate-alert-time-limit property. This property works in conjunction with duplicate-alert-time-limit to prevent duplicate alert messages from overloading an email server or filling up an administrator's inbox. For instance, a series of duplicate alerts might be sent by the logging framework if the file system fills up -- each audit log message will fail to be written and an alert will be generated. With this duplicate suppression enabled, only the first few alert messages will be sent. With the default value of 20 duplicates every 1 hour, a specific alert message will be sent at most 21 times in any 1 hour period -- once for the original message plus twenty more duplicates. After this limit is reached, the server will keep track of the number of additional duplicate alert messages during this interval. If when the time limit expires, this count is greater than zero, it will send an additional alert message including the original message and the number of additional times it was suppressed. A value of "unlimited" implies that the server should not suppress any duplicate messages. The number of duplicate messages is reset each time the server restarts. See also the duplicate-error-log-limit property which serves the same purpose for messages written to the error log. |
| Default Value | 10 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
duplicate-alert-time-limit (Advanced Property)
| Property Group | Error Handling |
| Description | Specifies the length of time that must expire before duplicate messages are sent via the administrative alert framework. This property works in conjunction with duplicate-alert-limit to prevent duplicate alert messages from being sent too frequently. See the description of that property for more details. See also the duplicate-error-log-time-limit property which serves the same purpose for messages written to the error log. |
| Default Value | 10 minutes |
| Allowed Values | A duration. Maximum unit is "hours". Lower limit is 1 seconds. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
use-shared-database-cache-across-all-local-db-backends (Advanced Property)
| Property Group | Data Configuration |
| Description | Indicates whether the server should use a common database cache that is shared across all local DB backends instead of maintaining a separate cache for each backend. If this is true, then the server will maintain a single database cache that is shared across all local DB backends, and the shared-local-db-backend-database-cache-percent property must be set to specify how much of the JVM heap should be used for the cache. If this is false, then each backend will maintain its own separate cache. If enabled, the cache will only be shared across local DB backends. It will not be used to cache replication changes, LDAP changelog records, or data from any other database or backend types. Changes to this property will only take effect after a server restart. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
shared-local-db-backend-database-cache-percent (Advanced Property)
| Property Group | Data Configuration |
| Description | Specifies the percentage of the JVM memory to allocate to the database cache that is shared across all local DB backends. You must be careful to not oversubscribe available JVM memory. You must ensure that an adequate amount of memory is still available for other data that the server needs to retain in memory during processing, as well as for JVM garbage collection processing. When updating an existing installation to use a shared database cache, a simple option may be to use the sum of the database cache percentages assigned to each of the local DB backends. For a new installation, the default cache size assigned to the userRoot backend during setup would be a good guideline to use. This property must be set if use-shared-local-db-backend-database-cache is true. It will be ignored if that property is false, and each backend will use its own cache with a size defined in the configuration for that backend. Changes to this property will only take effect after a server restart. |
| Default Value | None |
| Allowed Values | An integer value. Lower limit is 1. Upper limit is 90 . |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
unrecoverable-database-error-mode (Advanced Property)
| Property Group | Data Configuration |
| Description | Specifies the action which should be taken for any database that experiences an unrecoverable error. Action applies to local database backends and the replication recent changes database. |
| Default Value | enter-lockdown-mode |
| Allowed Values | enter-lockdown-mode - Enters lockdown mode if any local database experiences an unrecoverable error. Administrative action will be required to initiate a database recovery or restore if the database is unrepairable. The server automatically attempts to exit lockdown mode on server restart. raise-unavailable-alarm - Raises an unavailable alarm if any local database experiences an unrecoverable error. Administrative action will be required to initiate a database recovery or restore if the database is unrepairable. Subsequent attempts to interact with the database environment will result in additional errors. initiate-server-shutdown - Server will initiate server shutdown if any local database experiences an unrecoverable error. In some cases this may be preferable to entering lockdown mode as the server will become unavailable over the network to applications and external traffic controllers like load-balancers. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
auto-name-with-entry-uuid-connection-criteria (Advanced Property)
| Property Group | Data Configuration |
| Description | Connection criteria that may be used to identify clients whose add requests should use entryUUID as the naming attribute. If both the auto-name-with-entry-uuid-connection-criteria and auto-name-with-entry-uuid-request-criteria properties are given values, then any add request that matches the request criteria received on a connection that matches this connection criteria will be treated as if it had included the name with entryUUID request control. If only the auto-name-with-entry-uuid-connection-criteria property is given a value, then any add request received on a connection that matches this connection criteria will be treated as if it had included the name with entryUUID request control. Regardless of whether an auto-name-with-entry-uuid-request-criteria value is specified, if an auto-name-with-entry-uuid-connection-criteria value is provided, then the server will not automatically use entryUUID as the naming attribute for any request received on a connection that does not match the connection criteria. |
| Default Value | None |
| Allowed Values | The DN of any Connection Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
auto-name-with-entry-uuid-request-criteria (Advanced Property)
| Property Group | Data Configuration |
| Description | Request criteria that may be used to identify add requests that should use entryUUID as the naming attribute. If both the auto-name-with-entry-uuid-connection-criteria and auto-name-with-entry-uuid-request-criteria properties are given values, then any add request that matches this request criteria received on a connection that matches the connection criteria will be treated as if it had included the name with entryUUID request control. If only the auto-name-with-entry-uuid-request-criteria property is given a value, then any add request that matches this request criteria will be treated as if it had included the name with entryUUID request control. Regardless of whether an auto-name-with-entry-uuid-connection-criteria value is specified, if an auto-name-with-entry-uuid-request-criteria value is provided, then the server will not automatically use entryUUID as the naming attribute for any request that does not match the request criteria. |
| Default Value | None |
| Allowed Values | The DN of any Request Criteria. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
soft-delete-policy (Advanced Property)
| Property Group | Data Configuration |
| Description | Specifies the soft delete policy that will be used by default for delete operations. Soft delete operations introduce the ability to control the server behavior of the delete operation. Instead of performing a permanent delete of an entry, deleted entries can be retained as soft deleted entries by their entryUUID values and are available for undelete at a later time. In addition to a soft delete policy enabling soft deletes, delete operations sent to the server must have the soft delete request control present with sufficient access privileges to access the soft delete request control. If no policy value is specified, the soft delete policy will effectively operate as disabled. |
| Default Value | None |
| Allowed Values | The DN of any Soft Delete Policy. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
subtree-accessibility-alert-time-limit (Advanced Property)
| Property Group | Data Configuration |
| Description | Specifies the length of time that a subtree may remain hidden or read-only before an administrative alert is sent. |
| Default Value | 1 hours |
| Allowed Values | A duration. Maximum unit is "hours". Lower limit is 1 minutes. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
warn-for-backends-with-multiple-base-dns (Advanced Property)
| Property Group | Data Configuration |
| Description | Indicates whether the server should issue a warning when enabling a backend that contains multiple base DNs. While the server currently supports backends that are configured to host multiple base DNs, this may introduce complications when used in conjunction with features like replication (e.g., online initialization via binary copy is not permitted for backends with multiple base DNs). It is recommended that the server be configured with only a single base DN per backend. The ability to configure a backend with multiple base DNs may be removed at some point in the future. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
forced-gc-prime-duration (Advanced Property)
| Property Group | Data Configuration |
| Description | Specifies the minimum length of time required for backend or request processor initialization that will trigger the server to force an explicit garbage collection. A value of "0 seconds" indicates that the server should never invoke an explicit garbage collection regardless of the length of time required to initialize the server backends. Invoking an explicit garbage collection after backend or request processor priming has completed may allow the server to exhibit better and more consistent behavior after startup because information stored in the tenured generation will be organized in a more compact manner. |
| Default Value | 10 seconds |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
replication-assurance-source-timeout-suspend-duration (Advanced Property)
| Property Group | Replication Configuration |
| Description | The amount of time a replication assurance source (i.e. a peer Directory Server) will be suspended from assurance requirements on this Directory Server if it experiences an assurance timeout. While suspended, the source will be excluded from assurance requirements for all operations originating on this Directory Server. This avoids the situation of repeated timeouts caused by degraded or offline servers. Once a source is suspended, it must 1) experience no timeouts for the configured duration, and 2) complete at least one assurance successfully (i.e. this Directory Server receives an update acknowledgement message from it within the timeout window) to be removed from suspension. Any subsequent timeouts will restart the suspension period for the source. Setting this to a lower value will ensure that assurance sources will be included sooner in the assurance requirements of this Directory Server after they have experienced a timeout, but increases the likelihood that they will cause subsequent timeouts. Conversely, a higher value will decrease the chance for additional timeouts, at the cost of having such sources excluded from replication assurance for a longer period of time. |
| Default Value | 10s |
| Allowed Values | A duration. Lower limit is 10 milliseconds. Upper limit is 3600000 milliseconds. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
replication-assurance-source-backlog-fast-start-threshold (Advanced Property)
| Property Group | Replication Configuration |
| Description | The maximum number of replication backlog updates a replication assurance source (i.e. a peer Directory Server) can have and be immediately recognized as an available assurance source by this Directory Server. If a source connects to this server with more than the configured threshold backlog updates, it will be excluded from assurance requirements for all operations originating from this Directory Server until it completes at least one assurance successfully (i.e. this Directory Server receives an update acknowledgement message from it within the timeout window). Setting this to a lower value will decrease the chance that sources will experience an assurance timeout when connecting to this Directory Server as a consequence of backlog processing, but it will also make it less likely that such sources will be immediately included in assurance requirements (i.e. fast-started). A higher value makes it easier for sources to be immediately included, but increases the chance that they will experience an initial backlog related assurance timeout. |
| Default Value | 1000 |
| Allowed Values | An integer value. Lower limit is 0. A value of "-1" or "unlimited" for no limit. |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | None. Modification requires no further action |
allow-inherited-replication-of-subordinate-backends (Advanced Property)
| Property Group | Replication Configuration |
| Description | Allow replication to be inherited by subordinate/child backends. When this option is set, enabling replication on a backend also enables replication on subordinate backends. For example, if the server has a backend at dc=example,dc=com and another at ou=people,dc=example,dc=com, enabling replication at dc=example,dc=com will also enable it at ou=people,dc=example,dc=com. This option supports legacy topologies. New installations should not enable this option. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | Yes |
| Admin Action Required | When this value is changed to false on a server that is relying on inherited replication, replication of subordinate backends will stop, which could result in lost changes. Note that this option is only present to support legacy topologies. New installations should not enable this option. |
replication-purge-obsolete-replicas (Advanced Property)
| Property Group | Replication Configuration |
| Description | Indicates whether state about obsolete replicas is automatically purged. To ensure that all changes are fully replicated, replication keeps some state for every replica that has ever been part of the topology. In topologies where many servers have come and gone over time, the accumulation of state from obsolete replicas can lead to minor inefficiencies in replication. This specifically impacts the volume of network traffic to exchange current state between servers. Setting this property to true will have this server automatically purge this state information for replicas that have been outside of the topology for twice the configured replication-purge-delay. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
max-smtp-connection-count (Advanced Property)
| Property Group | SMTP Configuration |
| Description | The maximum number of SMTP connections that will be maintained for delivering email messages. |
| Default Value | 5 |
| Allowed Values | An integer value. Lower limit is 1. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
max-smtp-connection-age (Advanced Property)
| Property Group | SMTP Configuration |
| Description | The maximum length of time that a connection to an SMTP server should be considered valid. |
| Default Value | Connections will not automatically be closed after a set period of time. |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
smtp-connection-health-check-interval (Advanced Property)
| Property Group | SMTP Configuration |
| Description | The length of time between checks to ensure that available SMTP connections are still valid. |
| Default Value | 60s |
| Allowed Values | A duration. Lower limit is 0 milliseconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
allowed-task (Advanced Property)
| Property Group | Other Configuration |
| Description | Specifies the fully-qualified name of a Java class that may be invoked in the server. Any attempt to invoke a task not included in the list of allowed tasks is rejected. |
| Default Value | If no values are defined, then the server does not allow any tasks to be invoked. |
| Allowed Values | A string |
| Multi-Valued | Yes |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
enable-sub-operation-timer (Advanced Property)
| Property Group | Other Configuration |
| Description | Indicates whether the Directory Server should attempt to record information about the length of time required to process various phases of an operation. Enabling this feature may impact performance, but could make it easier to identify potential bottlenecks in operation processing. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
network-address-cache-ttl (Advanced Property)
| Property Group | Other Configuration |
| Description | Specifies the length of time that the Directory Server should cache the IP addresses associated with the names of systems with which it interacts. It may be desirable to alter this value if you expect to change the IP address(es) associated with the names of systems referenced by the Directory Server and you want the server to be able to recognize those changes quickly. Restarting the Directory Server would also allow it to recognize address changes. A value of "0 seconds" should be used to indicate that no caching should be performed. |
| Default Value | 3600 seconds |
| Allowed Values | A duration. Lower limit is 0 seconds. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
network-address-outage-cache-enabled (Advanced Property)
| Property Group | Other Configuration |
| Description | Specifies whether the Directory Server should cache the last valid IP addresses associated with the names of systems with which it interacts with when the domain name service returns an unknown host exception. Java may return an unknown host exception when there is unexpected interruption in domain name service so this setting protects the Directory Server from temporary DNS server outages if previous results have been cached. It may not be desirable to alter this value if you want to protect the Directory Server from unexpected interruptions in domain name services. |
| Default Value | true |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jmx-value-behavior (Advanced Property)
| Property Group | Other Configuration |
| Description | Specifies how a Java type is chosen for monitor attributes exposed as JMX attribute values. With the default setting, the Directory Server infers an appropriate Java type from the LDAP attribute type and value. The type is determined dynamically and in theory could change from one invocation to the next. For example, an attribute could be a Long in one call and then a Float in the next. Integer syntax values are returned as Long, Boolean syntax as Boolean, and GeneralizedTime syntax as Date. String syntax values that can be parsed as floating point numbers are returned as Float, and values that can be parsed as integers are returned as Long. In all other cases, values are returned as String. |
| Default Value | inferred |
| Allowed Values | inferred - The Directory Server infers an appropriate Java type (e.g. Boolean, Long, Float, Date, or String) from the LDAP attribute type and value. string - The Directory Server returns all values as String. |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | None. Modification requires no further action |
jmx-use-legacy-mbean-names (Advanced Property)
| Property Group | Other Configuration |
| Description | When set to true, the server will use its original, non-standard JMX MBean names for the monitoring MBeans. These include RDN keys of "Rdn1" and "Rdn2" instead of the recommended "type" and "name" keys. This should option should only be enabled for installations that have monitoring infrastructure that depends on the old keys. |
| Default Value | false |
| Allowed Values | true false |
| Multi-Valued | No |
| Required | No |
| Admin Action Required | The Directory Server must be restarted for changes to this setting to take effect. In order for this modification to take effect the server must be restarted |
To view the Global Configuration configuration:
dsconfig get-global-configuration-prop
[--tab-delimited]
[--script-friendly]
[--property {propertyName}] ...
To update the Global Configuration configuration:
dsconfig set-global-configuration-prop
(--set|--add|--remove) {propertyName}:{propertyValue}
[(--set|--add|--remove) {propertyName}:{propertyValue}] ...