Show Table of Contents
1.9. Using Directory Server Plug-ins
Directory Server has a number of default plug-ins which configure core Directory Server functions, such as replication, classes of service, and even attribute syntaxes. Core plug-ins are enabled and completely configured by default.
Other default plug-ins extend the functionality of the Directory Server by providing consistent, but user-defined, behaviors, as with DNA, attribute uniqueness, and attribute linking. These plug-ins are available, but not all are enabled or configured by default.
Using plug-ins also allows the Directory Server to be easily extended, so customers can write and deploy their own server plug-ins to perform whatever directory operations they need for their specific deployment.
For further details, see:
- The Plug-in Implemented Server Functionality Reference section in the Red Hat Directory Server Configuration, Command, and File Reference
1.9.1. Enabling Plug-ins Dynamically
Directory Server supports dynamic plug-ins that can be enabled without restarting the Directory Server. Allowing for dynamically enabled plug-ins makes server administration significantly easier. By using dynamic plug-ins, you can avoid restarting the server multiple times to install and configure the plug-ins. This makes deploying software applications for the Directory Server much faster.
Each plug-in can be enabled or disabled by switching the value of the
nsslapd-pluginEnabled attribute. For example:
# ldapmodify -x -D 'cn=Directory Manager' -W dn: cn=Plug-in_name,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on
Restarting the Directory Server when plug-ins are reconfigured is not required if you specify the
nsslapd-dynamic-plugins switch under the cn=config entry. To enable the dynamic plug-in feature, set the nsslapd-dynamic-plugins attribute to on:
dn: cn=config nsslapd-dynamic-plugins: on
To disable the dynamic plug-in feature, set the
nsslapd-dynamic-plugins attribute to off:
dn: cn=config nsslapd-dynamic-plugins: off
By default,
nsslapd-dynamic-plugins is set to off.
1.9.2. Enabling Plug-ins
1.9.2.1. Enabling Plug-ins in the Command Line
To disable or enable a plug-in through the command line, use the
ldapmodify utility to edit the value of the nsslapd-pluginEnabled attribute. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=ACL Plugin,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginEnabled nsslapd-pluginEnabled: on
1.9.2.2. Enabling Plug-ins in the Directory Server Console
To enable and disable plug-ins using the Directory Server Console:
- In the Directory Server Console, select the Configuration tab.
- Double-click the Plugins folder in the navigation tree.
- Select the plug-in from the Plugins list.
- To disable the plug-in, clear the Enabled check box. To enable the plug-in, check this check box.
- Click .
- Restart the Directory Server.
# systemctl restart dirsrv@instance
Note
When a plug-in is disabled, all of the details about the plug-in — such as its version and its vendor — are not displayed in the Directory Server Console; all details fields show
NONE.
Once a plug-in is enabled, those details will not be displayed in the Console until the Directory Server is restarted (loading the new plug-in configuration) and the Directory Server Console is refreshed.
1.9.3. Configuring Plug-ins
In Directory Server 9 and earlier, you configured plug-ins using the
nsslapd-pluginarg* attributes. Directory Server 10 added support for specific configuration attributes for certain plug-ins.
Important
If both the plug-in-specific configuration attributes and the deprecated
nsslapd-pluginarg* attributes are set in a plug-in's configuration, Directory Server only uses settings in plug-in-specific attributes.
The following two examples use the same settings for the
Referential Integrity plug-in but using the different configuration options:
Example 1.1. Plug-in Configuration using Configuration Attributes
referint-update-delay: 0 referint-logfile: /var/log/dirsrv/slapd-localhost/referint referint-logchanges: 0 referint-membership-attr: member referint-membership-attr: uniquemember referint-membership-attr: owner referint-membership-attr: seeAlso
Note
Red Hat recommends using only the configuration plug-in-specific attributes. For plug-in-specific attributes, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
Example 1.2. Plug-in Configuration using Plug-in Argument Attributes (Deprecated)
nsslapd-pluginarg0: 0 nsslapd-pluginarg1: /var/log/dirsrv/slapd-localhost/referint nsslapd-pluginarg2: 0 nsslapd-pluginarg3: member nsslapd-pluginarg4: uniquemember nsslapd-pluginarg5: owner nsslapd-pluginarg6: seeAlso
1.9.3.1. Configuring Plug-ins using the Command Line
To use the
ldapmodify utility to configure settings of a plug-in:
- Identify the distinguished name (DN) of the plug-in's configuration. For details, see the corresponding section in the Red Hat Directory Server Configuration, Command, and File Reference.
- Set the new value. For example, to set the update delay of the
Referential Integrityplug-in to0:# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=referential integrity postoperation,cn=plugins,cn=config changetype: modify replace: referint-update-delay referint-update-delay: 0
- Restart the Directory Server instance:
# systemctl restart dirsrv@instance_name
1.9.3.2. Configuring Plug-ins using the Console
To use the Directory Server Console to configure settings of a plug-in:
- Start the Directory Server Console and log in using the
cn=Directory Manageruser name.For details, see Section E.2.2, “Opening the Administration Server Console”. - On the Servers and Applications tab, navigate to → → → , and click .
- Navigate to and select the plug-in to configure.
- Click the button in the right panel.
Note
Red Hat recommends to configure the plug-in using the Property Editor, which uses the plug-in-specific attributes. - Set the plug-in-specific attributes.
- Click to close the Property Editor.
- Restart Directory Server. For details, see Section 1.5.2, “Restarting and Stopping the Administration Server Service Using the Console”.
1.9.4. Setting the Plug-in Precedence
The plug-in precedence is the priority it has in the execution order of plug-ins. For pre- and post-operation plug-ins, this allows one plug-in to be executed and complete before the next plug-in is initiated, which lets the second plug-in take advantage of the first plug-in's results.
Plug-in precedence is configured in the
nsslapd-pluginPrecedence attribute on the plug-in's configuration entry. This attribute has a value of 1 (highest priority) to 99 (lowest priority). If the attribute is not set, it has a default value of 50.
Important
Do not set the plug-in precedence for the default Directory Server plug-ins unless told to do so by Red Hat support. The plug-in precedence attribute is primarily to govern the behavior of custom plug-ins, not to change the behavior of the core Directory Server plug-ins.
The
nsslapd-pluginPrecedence attribute is set using the ldapmodify command. For example:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x dn: cn=My Example Plugin,cn=plugins,cn=config changetype: modify replace: nsslapd-pluginPrecedence nsslapd-pluginPrecedence: 1
Where did the comment section go?
Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.