Red Hat Training

A Red Hat training course is available for Red Hat Directory Server

1.9. Using Directory Server Plug-ins

Directory Server has a number of default plug-ins which configure core Directory Server functions, such as replication, classes of service, and even attribute syntaxes. Core plug-ins are enabled and completely configured by default.
Other default plug-ins extend the functionality of the Directory Server by providing consistent, but user-defined, behaviors, as with DNA, attribute uniqueness, and attribute linking. These plug-ins are available, but not all are enabled or configured by default.
Using plug-ins also allows the Directory Server to be easily extended, so customers can write and deploy their own server plug-ins to perform whatever directory operations they need for their specific deployment.
For further details, see:

1.9.1. Enabling Plug-ins Dynamically

Directory Server supports dynamic plug-ins that can be enabled without restarting the Directory Server. Allowing for dynamically enabled plug-ins makes server administration significantly easier. By using dynamic plug-ins, you can avoid restarting the server multiple times to install and configure the plug-ins. This makes deploying software applications for the Directory Server much faster.
Each plug-in can be enabled or disabled by switching the value of the nsslapd-pluginEnabled attribute. For example:
# ldapmodify -x -D 'cn=Directory Manager' -W
dn: cn=Plug-in_name,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on
Restarting the Directory Server when plug-ins are reconfigured is not required if you specify the nsslapd-dynamic-plugins switch under the cn=config entry. To enable the dynamic plug-in feature, set the nsslapd-dynamic-plugins attribute to on:
dn: cn=config
nsslapd-dynamic-plugins: on
To disable the dynamic plug-in feature, set the nsslapd-dynamic-plugins attribute to off:
dn: cn=config
nsslapd-dynamic-plugins: off
By default, nsslapd-dynamic-plugins is set to off.

1.9.2. Enabling Plug-ins Enabling Plug-ins in the Command Line

To disable or enable a plug-in through the command line, use the ldapmodify utility to edit the value of the nsslapd-pluginEnabled attribute. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h -x

dn: cn=ACL Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: on Enabling Plug-ins in the Directory Server Console

To enable and disable plug-ins using the Directory Server Console:
  1. In the Directory Server Console, select the Configuration tab.
  2. Double-click the Plugins folder in the navigation tree.
  3. Select the plug-in from the Plugins list.
  4. To disable the plug-in, clear the Enabled check box. To enable the plug-in, check this check box.
  5. Click Save.
  6. Restart the Directory Server.
    # systemctl restart dirsrv@instance


When a plug-in is disabled, all of the details about the plug-in — such as its version and its vendor — are not displayed in the Directory Server Console; all details fields show NONE.
Once a plug-in is enabled, those details will not be displayed in the Console until the Directory Server is restarted (loading the new plug-in configuration) and the Directory Server Console is refreshed.

1.9.3. Configuring Plug-ins

In Directory Server 9 and earlier, you configured plug-ins using the nsslapd-pluginarg* attributes. Directory Server 10 added support for specific configuration attributes for certain plug-ins.


If both the plug-in-specific configuration attributes and the deprecated nsslapd-pluginarg* attributes are set in a plug-in's configuration, Directory Server only uses settings in plug-in-specific attributes.
The following two examples use the same settings for the Referential Integrity plug-in but using the different configuration options:

Example 1.1. Plug-in Configuration using Configuration Attributes

referint-update-delay: 0
referint-logfile: /var/log/dirsrv/slapd-localhost/referint
referint-logchanges: 0
referint-membership-attr: member
referint-membership-attr: uniquemember
referint-membership-attr: owner
referint-membership-attr: seeAlso


Red Hat recommends using only the configuration plug-in-specific attributes. For plug-in-specific attributes, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.

Example 1.2. Plug-in Configuration using Plug-in Argument Attributes (Deprecated)

nsslapd-pluginarg0: 0
nsslapd-pluginarg1: /var/log/dirsrv/slapd-localhost/referint
nsslapd-pluginarg2: 0
nsslapd-pluginarg3: member
nsslapd-pluginarg4: uniquemember
nsslapd-pluginarg5: owner
nsslapd-pluginarg6: seeAlso Configuring Plug-ins using the Command Line

To use the ldapmodify utility to configure settings of a plug-in:
  1. Identify the distinguished name (DN) of the plug-in's configuration. For details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
  2. Set the new value. For example, to set the update delay of the Referential Integrity plug-in to 0:
    # ldapmodify -D "cn=Directory Manager" -W -p 389 -h -x
    dn: cn=referential integrity postoperation,cn=plugins,cn=config
    changetype: modify
    replace: referint-update-delay
    referint-update-delay: 0
  3. Restart the Directory Server instance:
    # systemctl restart dirsrv@instance_name Configuring Plug-ins using the Console

To use the Directory Server Console to configure settings of a plug-in:
  1. Start the Directory Server Console and log in using the cn=Directory Manager user name.
  2. On the Servers and Applications tab, navigate to administration_domain_namehost_nameServer GroupDirectory Server (instance_name), and click Open.
  3. Navigate to Plug-ins and select the plug-in to configure.
  4. Click the Advanced button in the right panel.


    Red Hat recommends to configure the plug-in using the Property Editor, which uses the plug-in-specific attributes.
  5. Set the plug-in-specific attributes.
  6. Click OK to close the Property Editor.

1.9.4. Setting the Plug-in Precedence

The plug-in precedence is the priority it has in the execution order of plug-ins. For pre- and post-operation plug-ins, this allows one plug-in to be executed and complete before the next plug-in is initiated, which lets the second plug-in take advantage of the first plug-in's results.
Plug-in precedence is configured in the nsslapd-pluginPrecedence attribute on the plug-in's configuration entry. This attribute has a value of 1 (highest priority) to 99 (lowest priority). If the attribute is not set, it has a default value of 50.


Do not set the plug-in precedence for the default Directory Server plug-ins unless told to do so by Red Hat support. The plug-in precedence attribute is primarily to govern the behavior of custom plug-ins, not to change the behavior of the core Directory Server plug-ins.
The nsslapd-pluginPrecedence attribute is set using the ldapmodify command. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h -x

dn: cn=My Example Plugin,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginPrecedence
nsslapd-pluginPrecedence: 1