Show Table of Contents
Chapter 4. Plug-in Implemented Server Functionality Reference
This chapter contains reference information on Red Hat Directory Server plug-ins.
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree
cn=plugins,cn=config.
dn: cn=Telephone Syntax,cn=plugins,cn=config objectclass: top objectclass: nsSlapdPlugin objectclass: extensibleObject cn: Telephone Syntax nsslapd-pluginPath: libsyntax-plugin nsslapd-pluginInitfunc: tel_init nsslapd-pluginType: syntax nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an
ldapsearch on the cn=config subtree.
All plug-ins are instances of the
nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry, as shown in the following example:
dn:cn=ACL Plugin,cn=plugins,cn=config objectclass:top objectclass:nsSlapdPlugin objectclass:extensibleObject
4.1. Server Plug-in Functionality Reference
The following tables provide a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables assist in weighing plug-in performance gains and costs and choose the optimal settings for the deployment. The Further Information section cross-references further reading, where this is available.
4.1.1. 7-bit Check Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | NS7bitAtt |
| DN of Configuration Entry | cn=7-bit check,cn=plugins,cn=config |
| Description | Checks certain attributes are 7-bit clean |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur. |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off. |
4.1.2. ACL Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | acl |
| DN of Configuration Entry | cn=ACL Plugin,cn=plugins,cn=config |
| Description | ACL access check plug-in |
| Type | accesscontrol |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. |
| Further Information | See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide. |
4.1.3. ACL Preoperation Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | acl |
| DN of Configuration Entry | cn=ACL preoperation,cn=plugins,cn=config |
| Description | ACL access check plug-in |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server. |
| Further Information | See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide. |
4.1.4. Account Policy Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=Account Policy Plugin,cn=plugins,cn=config |
| Description | Defines a policy to lock user accounts after a certain expiration period or inactivity period. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | A pointer to a configuration entry which contains the global account policy settings. |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information | This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the acctPolicySubentry object class. These configuration entries can then be applied to users or roles through classes of service. |
4.1.5. Account Usability Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | acctusability |
| DN of Configuration Entry | cn=Account Usability Plugin,cn=plugins,cn=config |
| Description | Checks the authentication status, or usability, of an account without actually authenticating as the given user |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Dependencies | Database |
| Performance-Related Information | None |
4.1.6. AD DN Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | addn |
| DN of Configuration Entry | cn=addn,cn=plugins,cn=config |
| Description | Enables the usage of Active Directory-formatted user names, such as user_name and user_name@domain, for bind operations. |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | addn_default_domain: Sets the default domain that is automatically appended to user names without domain. |
| Dependencies | None |
| Performance-Related Information | None |
4.1.7. Attribute Uniqueness Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | NSUniqueAttr |
| DN of Configuration Entry | cn=Attribute Uniqueness,cn=plugins,cn=config |
| Description | Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique. |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN".... However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute. |
| Dependencies | Database |
| Performance-Related Information |
Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide for more information about the Attribute Uniqueness Plug-in.
The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.
|
| Further Information | See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide. |
4.1.8. Auto Membership Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | Auto Membership |
| DN of Configuration Entry | cn=Auto Membership,cn=plugins,cn=config |
| Description | Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically. |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group. |
| Dependencies | Database |
| Performance-Related Information | None. |
| Further Information | See the "Automatically Adding Entries to Specified Groups" section in the Red Hat Directory Server Administration Guide. |
4.1.9. Binary Syntax Plug-in
Warning
Binary syntax is deprecated. Use Octet String syntax instead.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | bin-syntax |
| DN of Configuration Entry | cn=Binary Syntax,cn=plugins,cn=config |
| Description | Syntax for handling binary data. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
4.1.10. Bit String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | bitstring-syntax |
| DN of Configuration Entry | cn=Bit String Syntax,cn=plugins,cn=config |
| Description | Supports bit string syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.11. Bitwise Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | bitwise |
| DN of Configuration Entry | cn=Bitwise Plugin,cn=plugins,cn=config |
| Description | Matching rule for performing bitwise operations against the LDAP server |
| Type | matchingrule |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using bitwise filters. |
4.1.12. Boolean Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | boolean-syntax |
| DN of Configuration Entry | cn=Boolean Syntax,cn=plugins,cn=config |
| Description | Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.13. Case Exact String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | ces-syntax |
| DN of Configuration Entry | cn=Case Exact String Syntax,cn=plugins,cn=config |
| Description | Supports case-sensitive matching or Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
4.1.14. Case Ignore String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | directorystring-syntax |
| DN of Configuration Entry | cn=Case Ignore String Syntax,cn=plugins,cn=config |
| Description | Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plug-in provides case-sensitive matching rules for different string syntaxes. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
4.1.15. Chaining Database Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | chaining database |
| DN of Configuration Entry | cn=Chaining database,cn=plugins,cn=config |
| Description | Enables back end databases to be linked |
| Type | database |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | There are many performance related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the Red Hat Directory Server Administration Guide. |
| Further Information | A chaining database is also known as a database link. Database links are described in the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide. |
4.1.16. Class of Service Plug-in
| Plug-in Parameter | Description | |||
|---|---|---|---|---|
| Plug-in ID | cos | |||
| DN of Configuration Entry | cn=Class of Service,cn=plugins,cn=config | |||
| Description | Allows for sharing of attributes between entries | |||
| Type | object | |||
| Configurable Options | on | off | |||
| Default Setting | on | |||
| Configurable Arguments | None | |||
| Dependencies |
| |||
| Performance-Related Information | Do not modify the configuration of this plug-in. Leave this plug-in running at all times. | |||
| Further Information | See the "Managing Dynamic Attributes" chapter in the Red Hat Directory Server Administration Guide. |
4.1.17. Content Synchronization Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | content-sync-plugin |
| DN of Configuration Entry | cn=Content Synchronization,cn=plugins,cn=config |
| Description | Enables support for the SyncRepl protocol in Directory Server according to RFC 4533. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | Retro Changelog Plug-in |
| Performance-Related Information | If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in accordingly. |
| Further Information | See the corresponding sections in the Red Hat Directory Administration Guide. |
4.1.18. Country String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | countrystring-syntax |
| DN of Configuration Entry | cn=Country String Syntax,cn=plugins,cn=config |
| Description | Supports country naming syntax values and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.19. Delivery Method Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | delivery-syntax |
| DN of Configuration Entry | cn=Delivery Method Syntax,cn=plugins,cn=config |
| Description | Supports values that are lists of preferred deliver methods and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.20. deref Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | Dereference |
| DN of Configuration Entry | cn=deref,cn=plugins,cn=config |
| Description | For dereference controls in directory searches |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using dereference controls. |
4.1.21. Distinguished Name Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | dn-syntax |
| DN of Configuration Entry | cn=Distinguished Name Syntax,cn=plugins,cn=config |
| Description | Supports DN value syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.22. Distributed Numeric Assignment Plug-in
| Plug-in Information | Description |
|---|---|
| Plug-in ID | Distributed Numeric Assignment |
| Configuration Entry DN | cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config |
| Description | Distributed Numeric Assignment plugin |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | |
| Dependencies | Database |
| Performance-Related Information | None |
| Further Information |
4.1.23. Enhanced Guide Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | enhancedguide-syntax |
| DN of Configuration Entry | cn=Enhanced Guide Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.24. Facsimile Telephone Number Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | facsimile-syntax |
| DN of Configuration Entry | cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for fax numbers; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.25. Fax Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | fax-syntax |
| DN of Configuration Entry | cn=Fax Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.26. Generalized Time Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | time-syntax |
| DN of Configuration Entry | cn=Generalized Time Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time.
See also RFC 4517.
|
4.1.27. Guide Syntax Plug-in
Warning
This syntax is deprecated. Use Enhanced Guide syntax instead.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | guide-syntax |
| DN of Configuration Entry | cn=Guide Syntax,cn=plugins,cn=config |
| Description | Syntax for creating complex criteria, based on attributes and filters, to build searches |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | This syntax is obsolete. The Enhanced Guide Syntax should be used instead. |
4.1.28. HTTP Client Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | http-client |
| DN of Configuration Entry | cn=HTTP Client,cn=plugins,cn=config |
| Description | HTTP client plug-in |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | |
| Further Information |
4.1.29. Integer Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | int-syntax |
| DN of Configuration Entry | cn=Integer Syntax,cn=plugins,cn=config |
| Description | Supports integer syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.30. Internationalization Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | orderingrule |
| DN of Configuration Entry | cn=Internationalization Plugin,cn=plugins,cn=config |
| Description | Enables internationalized strings to be ordered in the directory |
| Type | matchingrule |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in. |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | See the "Internationalization" appendix and the section on "Searching an Internationalized Directory" in the "Finding Directory Entries" appendix in the Red Hat Directory Server Administration Guide. |
4.1.31. JPEG Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | jpeg-syntax |
| DN of Configuration Entry | cn=JPEG Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for JPEG image data; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.32. ldbm database Plug-in
| Plug-in Parameter | Description | ||
|---|---|---|---|
| Plug-in ID | ldbm-backend | ||
| DN of Configuration Entry | cn=ldbm database,cn=plugins,cn=config | ||
| Description | Implements local databases | ||
| Type | database | ||
| Configurable Options | |||
| Default Setting | on | ||
| Configurable Arguments | None | ||
| Dependencies |
| ||
| Performance-Related Information | See Section 4.4, “Database Plug-in Attributes” for further information on database configuration. | ||
| Further Information | See the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide. |
4.1.33. Linked Attributes Plug-in
| Plug-in Parameter | Description | |||
|---|---|---|---|---|
| Plug-in ID | Linked Attributes | |||
| DN of Configuration Entry | cn=Linked Attributes,cn=plugins,cn=config | |||
| Description | Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), then any entry associated with that entry (such as a custom directReports attribute) are automatically updated with a user-specified corresponding attribute. | |||
| Type | preoperation | |||
| Configurable Options | on | off | |||
| Default Setting | off | |||
| Configurable Arguments | None for the main plug-in entry. Each plug-in instance has three possible attributes:
| |||
| Dependencies | Database | |||
| Performance-Related Information | Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued. | |||
| Further Information | See the "Managing Attributes" chapter in the Red Hat Directory Server Administration Guide and Section 4.11, “Linked Attributes Plug-in Attributes”. |
4.1.34. Managed Entries Plug-in
| Plug-in Information | Description | ||||
|---|---|---|---|---|---|
| Plug-in ID | Managed Entries | ||||
| Configuration Entry DN | cn=Managed Entries,cn=plugins,cn=config | ||||
| Description | Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, then the plug-in automatically creates a new, related entry based on the template. | ||||
| Type | preoperation | ||||
| Configurable Options | on | off | ||||
| Default Setting | off | ||||
| Configurable Arguments | None for the main plug-in entry. Each plug-in instance has four possible attributes:
| ||||
| Dependencies | Database | ||||
| Performance-Related Information | None | ||||
| Further Information |
4.1.35. MemberOf Plug-in
| Plug-in Information | Description | ||
|---|---|---|---|
| Plug-in ID | memberOf | ||
| Configuration Entry DN | cn=MemberOf Plugin,cn=plugins,cn=config | ||
| Description | Manages the memberOf attribute on user entries, based on the member attributes in the group entry. | ||
| Type | postoperation | ||
| Configurable Options | on | off | ||
| Default Setting | off | ||
| Configurable Arguments |
| ||
| Dependencies | Database | ||
| Performance-Related Information | None | ||
| Further Information |
4.1.36. Multi-master Replication Plug-in
| Plug-in Parameter | Description | |||
|---|---|---|---|---|
| Plug-in ID | replication-multimaster | |||
| DN of Configuration Entry | cn=Multimaster Replication plugin,cn=plugins,cn=config | |||
| Description | Enables replication between two current Directory Servers | |||
| Type | object | |||
| Configurable Options | on | off | |||
| Default Setting | on | |||
| Configurable Arguments | None | |||
| Dependencies |
| |||
| Performance-Related Information | ||||
| Further Information | Turn this plug-in off if one server will never replicate. See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide. |
4.1.37. Name and Optional UID Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | nameoptuid-syntax |
| DN of Configuration Entry | cn=Name And Optional UID Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
The optional UID is used to distinguish between entries which may have identical DNs or naming attributes.
See also RFC 4517.
|
4.1.38. Numeric String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | numstr-syntax |
| DN of Configuration Entry | cn=Numeric String Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.39. Octet String Syntax Plug-in
Note
Use the Octet String syntax instead of Binary, which is deprecated.
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | octetstring-syntax |
| DN of Configuration Entry | cn=Octet String Syntax,cn=plugins,cn=config |
| Description | Supports octet string syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.40. OID Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | oid-syntax |
| DN of Configuration Entry | cn=OID Syntax,cn=plugins,cn=config |
| Description | Supports object identifier (OID) syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.41. PAM Pass Through Auth Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | pam_passthruauth |
| DN of Configuration Entry | cn=PAM Pass Through Auth,cn=plugins,cn=config |
| Description | Enables pass-through authentication for PAM, meaning that a PAM service can use the Directory Server as its user authentication store. |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | |
| Further Information | See the "Using PAM Pass-through Authentication" section in the Red Hat Directory Server Administration Guide. |
4.1.42. Pass Through Authentication Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | passthruauth |
| DN of Configuration Entry | cn=Pass Through Authentication,cn=plugins,cn=config |
| Description | Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests. |
| Type | preoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | ldap://example.com:389/o=example |
| Dependencies | Database |
| Performance-Related Information | Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication" chapter in the Red Hat Directory Server Administration Guide. |
| Further Information | See the "Using the Pass-through Authentication Plug-in" chapter in the Red Hat Directory Server Administration Guide. |
4.1.43. Password Storage Schemes
Directory Server implements the password storage schemes as plug-ins. However, the
cn=Password Storage Schemes,cn=plugins,cn=config entry itself is just a container, not a plug-in entry. All password storage scheme plug-ins are stored as a subentry of this container.
To display all password storage schemes plug-ins, enter:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
-b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)" dnWarning
Red Hat recommends not disabling the password scheme plug-ins nor to change the configurations of the plug-ins to prevent unpredictable authentication behavior.
Strong Password Storage Schemes
Red Hat recommends using only the following strong password storage schemes (strongest first):
PBKDF2_SHA256The password-based key derivation function 2 (PBKDF2) was designed to expend resources to counter brute force attacks. PBKDF2 supports a variable number of iterations to apply the hashing algorithm. Higher iterations improve security but require more hardware resources. In Directory Server, thePBKDF2_SHA256scheme is implemented using 30,000 iterations to apply the SHA256 algorithm. This value is hard-coded and will be increased in future versions of Directory Server without requiring interaction by an administrator.Note
The network security service (NSS) database in Red Hat Enterprise Linux 6 does not support PBKDF2. Therefore you cannot use this password scheme in a replication topology with Directory Server 9.SSHA512(default)The salted secure hashing algorithm (SSHA) implements an enhanced version of the secure hashing algorithm (SHA), that uses a randomly generated salt to increase the security of the hashed password.SSHA512implements the hashing algorithm using 512 bits.
Weak Password Storage Schemes
Besides the recommended strong password storage schemes, Directory Server supports the following weak schemes for backward compatibility:
AES
| CLEAR
| CRYPT
|
CRYPT-MD5
| CRYPT-SHA256
| CRYPT-SHA512
|
DES
| MD5
| NS-MTA-MD5
|
SHA
| SHA256
| SHA384
|
SHA512
| SMD5
| SSHA
|
SSHA256
| SSHA384
| |
[a]
Directory Server only supports authentication using this scheme. You can no longer use it to encrypt passwords.
[b]
160 bit
| ||
Important
Only continue using a weak scheme over a short time frame, as it increases security risks.
4.1.44. Posix Winsync API Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | posix-winsync-plugin |
| DN of Configuration Entry | cn=Posix Winsync API,cn=plugins,cn=config |
| Description | Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries. |
| Type | preoperation |
| Configurable Arguments |
|
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | database |
4.1.45. Postal Address String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | postaladdress-syntax |
| DN of Configuration Entry | cn=Postal Address Syntax,cn=plugins,cn=config |
| Description | Supports postal address syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.46. Printable String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | printablestring-syntax |
| DN of Configuration Entry | cn=Printable String Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517). |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.47. Referential Integrity Postoperation Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | referint |
| DN of Configuration Entry | cn=Referential Integrity Postoperation,cn=plugins,cn=config |
| Description | Enables the server to ensure referential integrity |
| Type | postoperation |
| Configurable Options | All configuration and on | off |
| Default Setting | off |
| Configurable Arguments | When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation. The plug-in can be configured to perform integrity checks on all other attributes. For details, see the corresponding section in the Directory Server Administration Guide. |
| Dependencies | Database |
| Performance-Related Information | The Referential Integrity Plug-in should be enabled only on one master in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality. |
| Further Information | See the "Managing Indexes" chapter for information about how to index attributes used for referential integrity checking and the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide. |
4.1.48. Retro Changelog Plug-in
| Plug-in Parameter | Description | ||
|---|---|---|---|
| Plug-in ID | retrocl | ||
| DN of Configuration Entry | cn=Retro Changelog Plugin,cn=plugins,cn=config | ||
| Description | Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications. | ||
| Type | object | ||
| Configurable Options | on | off | ||
| Default Setting | off | ||
| Configurable Arguments | See Section 4.16, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in. | ||
| Dependencies |
| ||
| Performance-Related Information | May slow down Directory Server update performance. | ||
| Further Information | See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide. |
4.1.49. Roles Plug-in
| Plug-in Parameter | Description | |||
|---|---|---|---|---|
| Plug-in ID | roles | |||
| DN of Configuration Entry | cn=Roles Plugin,cn=plugins,cn=config | |||
| Description | Enables the use of roles in the Directory Server | |||
| Type | object | |||
| Configurable Options | on | off | |||
| Default Setting | on | |||
| Configurable Arguments | None | |||
| Dependencies |
| |||
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | |||
| Further Information | See the "Advanced Entry Management" chapter in the Red Hat Directory Server Administration Guide. |
4.1.50. RootDN Access Control Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | rootdn-access-control |
| DN of Configuration Entry | cn=RootDN Access Control,cn=plugins,cn=config |
| Description | Enables and configures access controls to use for the root DN entry. |
| Type | internalpreoperation |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Attributes |
|
| Dependencies | None |
| Further Information | See the "Access Control" sections in the Red Hat Directory Server Administration Guide. |
4.1.51. Schema Reload Plug-in
| Plug-in Information | Description |
|---|---|
| Plug-in ID | schemareload |
| Configuration Entry DN | cn=Schema Reload,cn=plugins,cn=config |
| Description | Task plug-in to reload schema files |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information |
4.1.52. Space Insensitive String Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=Space Insensitive String Syntax,cn=plugins,cn=config |
| Description | Syntax for handling space-insensitive values |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information |
This plug-in enables the Directory Server to support space and case insensitive values. This allows applications to search the directory using entries with ASCII space characters.
For example, a search or compare operation that uses
jOHN Doe will match entries that contain johndoe, john doe, and John Doe if the attribute's schema has been configured to use the space insensitive syntax.
For more information about finding directory entries, see the "Finding Directory Entries" chapter in the Red Hat Directory Server Administration Guide.
|
4.1.53. State Change Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | statechange |
| DN of Configuration Entry | cn=State Change Plugin,cn=plugins,cn=config |
| Description | Enables state-change-notification service |
| Type | postoperation |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information |
4.1.54. Syntax Validation Task Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=Syntax Validation Task,cn=plugins,cn=config |
| Description | Enables syntax validation for attribute values |
| Type | object |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | |
| Further Information | This plug-in implements syntax validation tasks. The actual process that carries out syntax validation is performed by each specific syntax plug-in. |
4.1.55. Telephone Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | tele-syntax |
| DN of Configuration Entry | cn=Telephone Syntax,cn=plugins,cn=config |
| Description | Supports telephone number syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.56. Teletex Terminal Identifier Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | teletextermid-syntax |
| DN of Configuration Entry | cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config |
| Description | Supports international telephone number syntaxes and related matching rules from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.57. Telex Number Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | telex-syntax |
| DN of Configuration Entry | cn=Telex Number Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.58. URI Syntax Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | none |
| DN of Configuration Entry | cn=URI Syntax,cn=plugins,cn=config |
| Description | Supports syntaxes and related matching rules for unique resource identifiers (URIs), including unique resource locators (URLs); from RFC 4517. |
| Type | syntax |
| Configurable Options | on | off |
| Default Setting | on |
| Configurable Arguments | None |
| Dependencies | None |
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. |
| Further Information | RFC 4517 |
4.1.59. USN Plug-in
| Plug-in Parameter | Description |
|---|---|
| Plug-in ID | USN |
| DN of Configuration Entry | cn=USN,cn=plugins,cn=config |
| Description | Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values. |
| Type | object |
| Configurable Options | on | off |
| Default Setting | off |
| Configurable Arguments | None |
| Dependencies | Database |
| Performance-Related Information | For replication, it is recommended that the entryUSN configuration attribute be excluded using fractional replication. |
| Further Information |
4.1.60. Views Plug-in
| Plug-in Parameter | Description | ||
|---|---|---|---|
| Plug-in ID | views | ||
| DN of Configuration Entry | cn=Views,cn=plugins,cn=config | ||
| Description | Enables the use of views in the Directory Server databases. | ||
| Type | object | ||
| Configurable Options | on | off | ||
| Default Setting | on | ||
| Configurable Arguments | None | ||
| Dependencies |
| ||
| Performance-Related Information | Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times. | ||
| Further Information |