Chapter 4. Plug-in Implemented Server Functionality Reference

This chapter contains reference information on Red Hat Directory Server plug-ins.

The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config.

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.

All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry, as shown in the following example:

dn:cn=ACL Plugin,cn=plugins,cn=config
objectclass:top
objectclass:nsSlapdPlugin
objectclass:extensibleObject

4.1. Server Plug-in Functionality Reference

The following tables provide a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables assist in weighing plug-in performance gains and costs and choose the optimal settings for the deployment. The Further Information section cross-references further reading, where this is available.

4.1.1. 7-bit Check Plug-in

Plug-in Parameter	Description
Plug-in ID	NS7bitAtt
DN of Configuration Entry	cn=7-bit check,cn=plugins,cn=config
Description	Checks certain attributes are 7-bit clean
Type	preoperation
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	List of attributes (`uid mail userpassword`) followed by "," and then suffixes on which the check is to occur.
Dependencies	Database
Performance-Related Information	None
Further Information	If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

4.1.2. ACL Plug-in

Plug-in Parameter	Description
Plug-in ID	acl
DN of Configuration Entry	cn=ACL Plugin,cn=plugins,cn=config
Description	ACL access check plug-in
Type	accesscontrol
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	Database
Performance-Related Information	Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information	See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide.

4.1.3. ACL Preoperation Plug-in

Plug-in Parameter	Description
Plug-in ID	acl
DN of Configuration Entry	cn=ACL preoperation,cn=plugins,cn=config
Description	ACL access check plug-in
Type	preoperation
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	Database
Performance-Related Information	Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information	See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide.

4.1.4. Account Policy Plug-in

Plug-in Parameter	Description
Plug-in ID	none
DN of Configuration Entry	cn=Account Policy Plugin,cn=plugins,cn=config
Description	Defines a policy to lock user accounts after a certain expiration period or inactivity period.
Type	object
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	A pointer to a configuration entry which contains the global account policy settings.
Dependencies	Database
Performance-Related Information	None
Further Information	This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the `acctPolicySubentry` object class. These configuration entries can then be applied to users or roles through classes of service.

4.1.5. Account Usability Plug-in

Plug-in Parameter	Description
Plug-in ID	acctusability
DN of Configuration Entry	cn=Account Usability Plugin,cn=plugins,cn=config
Description	Checks the authentication status, or usability, of an account without actually authenticating as the given user
Type	preoperation
Configurable Options	on \| off
Default Setting	on
Dependencies	Database
Performance-Related Information	None

4.1.6. AD DN Plug-in

Plug-in Parameter	Description
Plug-in ID	addn
DN of Configuration Entry	cn=addn,cn=plugins,cn=config
Description	Enables the usage of Active Directory-formatted user names, such as `user_name` and `user_name@domain`, for bind operations.
Type	preoperation
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	`addn_default_domain`: Sets the default domain that is automatically appended to user names without domain.
Dependencies	None
Performance-Related Information	None

4.1.7. Attribute Uniqueness Plug-in

Plug-in Parameter	Description
Plug-in ID	NSUniqueAttr
DN of Configuration Entry	cn=Attribute Uniqueness,cn=plugins,cn=config
Description	Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.
Type	preoperation
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	To check for UID attribute uniqueness in all listed subtrees, enter `uid "DN" "DN"...`. However, to check for UID attribute uniqueness when adding or updating entries with the `requiredObjectClass`, enter `attribute="uid" MarkerObjectclass = "ObjectClassName"` and, optionally `requiredObjectClass = "ObjectClassName"`. This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the `MarkerObjectClass` attribute.
Dependencies	Database
Performance-Related Information	Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide for more information about the Attribute Uniqueness Plug-in. The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.
Further Information	See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide.

4.1.8. Auto Membership Plug-in

Plug-in Parameter	Description
Plug-in ID	Auto Membership
DN of Configuration Entry	cn=Auto Membership,cn=plugins,cn=config
Description	Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically.
Type	preoperation
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group.
Dependencies	Database
Performance-Related Information	None.
Further Information	See the "Automatically Adding Entries to Specified Groups" section in the Red Hat Directory Server Administration Guide.

4.1.9. Binary Syntax Plug-in

Warning

Binary syntax is deprecated. Use Octet String syntax instead.

Plug-in Parameter	Description
Plug-in ID	bin-syntax
DN of Configuration Entry	cn=Binary Syntax,cn=plugins,cn=config
Description	Syntax for handling binary data.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

4.1.10. Bit String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	bitstring-syntax
DN of Configuration Entry	cn=Bit String Syntax,cn=plugins,cn=config
Description	Supports bit string syntax values and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.11. Bitwise Plug-in

Plug-in Parameter	Description
Plug-in ID	bitwise
DN of Configuration Entry	cn=Bitwise Plugin,cn=plugins,cn=config
Description	Matching rule for performing bitwise operations against the LDAP server
Type	matchingrule
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using bitwise filters.

4.1.12. Boolean Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	boolean-syntax
DN of Configuration Entry	cn=Boolean Syntax,cn=plugins,cn=config
Description	Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.13. Case Exact String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	ces-syntax
DN of Configuration Entry	cn=Case Exact String Syntax,cn=plugins,cn=config
Description	Supports case-sensitive matching or Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

4.1.14. Case Ignore String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	directorystring-syntax
DN of Configuration Entry	cn=Case Ignore String Syntax,cn=plugins,cn=config
Description	Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plug-in provides case-sensitive matching rules for different string syntaxes.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

4.1.15. Chaining Database Plug-in

Plug-in Parameter	Description
Plug-in ID	chaining database
DN of Configuration Entry	cn=Chaining database,cn=plugins,cn=config
Description	Enables back end databases to be linked
Type	database
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	There are many performance related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the Red Hat Directory Server Administration Guide.
Further Information	A chaining database is also known as a database link. Database links are described in the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.16. Class of Service Plug-in

Plug-in Parameter

Description

Plug-in ID

cos

DN of Configuration Entry

cn=Class of Service,cn=plugins,cn=config

Description

Allows for sharing of attributes between entries

Type

object

Configurable Options

on | off

Default Setting

Configurable Arguments

None

Dependencies

Type: Database

Named: State Change Plug-in

Named: Views Plug-in

Performance-Related Information

Do not modify the configuration of this plug-in. Leave this plug-in running at all times.

Further Information

See the "Managing Dynamic Attributes" chapter in the Red Hat Directory Server Administration Guide.

4.1.17. Content Synchronization Plug-in

Plug-in Parameter	Description
Plug-in ID	content-sync-plugin
DN of Configuration Entry	cn=Content Synchronization,cn=plugins,cn=config
Description	Enables support for the `SyncRepl` protocol in Directory Server according to RFC 4533.
Type	object
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	None
Dependencies	Retro Changelog Plug-in
Performance-Related Information	If you know which back end or subtree clients access to synchronize data, limit the scope of the `Retro Changelog` plug-in accordingly.
Further Information	See the corresponding sections in the Red Hat Directory Administration Guide.

4.1.18. Country String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	countrystring-syntax
DN of Configuration Entry	cn=Country String Syntax,cn=plugins,cn=config
Description	Supports country naming syntax values and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.19. Delivery Method Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	delivery-syntax
DN of Configuration Entry	cn=Delivery Method Syntax,cn=plugins,cn=config
Description	Supports values that are lists of preferred deliver methods and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.20. deref Plug-in

Plug-in Parameter	Description
Plug-in ID	Dereference
DN of Configuration Entry	cn=deref,cn=plugins,cn=config
Description	For dereference controls in directory searches
Type	preoperation
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	Database
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using dereference controls.

4.1.21. Distinguished Name Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	dn-syntax
DN of Configuration Entry	cn=Distinguished Name Syntax,cn=plugins,cn=config
Description	Supports DN value syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.22. Distributed Numeric Assignment Plug-in

Plug-in Information	Description
Plug-in ID	Distributed Numeric Assignment
Configuration Entry DN	cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Description	Distributed Numeric Assignment plugin
Type	preoperation
Configurable Options	on \| off
Default Setting	off
Configurable Arguments
Dependencies	Database
Performance-Related Information	None
Further Information

4.1.23. Enhanced Guide Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	enhancedguide-syntax
DN of Configuration Entry	cn=Enhanced Guide Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.24. Facsimile Telephone Number Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	facsimile-syntax
DN of Configuration Entry	cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for fax numbers; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.25. Fax Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	fax-syntax
DN of Configuration Entry	cn=Fax Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.26. Generalized Time Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	time-syntax
DN of Configuration Entry	cn=Generalized Time Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time. See also RFC 4517.

4.1.27. Guide Syntax Plug-in

Warning

This syntax is deprecated. Use Enhanced Guide syntax instead.

Plug-in Parameter	Description
Plug-in ID	guide-syntax
DN of Configuration Entry	cn=Guide Syntax,cn=plugins,cn=config
Description	Syntax for creating complex criteria, based on attributes and filters, to build searches
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	This syntax is obsolete. The Enhanced Guide Syntax should be used instead.

4.1.28. HTTP Client Plug-in

Plug-in Parameter	Description
Plug-in ID	http-client
DN of Configuration Entry	cn=HTTP Client,cn=plugins,cn=config
Description	HTTP client plug-in
Type	preoperation
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	Database
Performance-Related Information
Further Information

4.1.29. Integer Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	int-syntax
DN of Configuration Entry	cn=Integer Syntax,cn=plugins,cn=config
Description	Supports integer syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.30. Internationalization Plug-in

Plug-in Parameter	Description
Plug-in ID	orderingrule
DN of Configuration Entry	cn=Internationalization Plugin,cn=plugins,cn=config
Description	Enables internationalized strings to be ordered in the directory
Type	matchingrule
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the `/etc/dirsrv/config/slapd-collations.conf` file. This file stores the collation orders and locales used by the Internationalization Plug-in.
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	See the "Internationalization" appendix and the section on "Searching an Internationalized Directory" in the "Finding Directory Entries" appendix in the Red Hat Directory Server Administration Guide.

4.1.31. JPEG Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	jpeg-syntax
DN of Configuration Entry	cn=JPEG Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for JPEG image data; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.32. ldbm database Plug-in

Plug-in Parameter

Description

Plug-in ID

ldbm-backend

DN of Configuration Entry

cn=ldbm database,cn=plugins,cn=config

Description

Implements local databases

Type

database

Configurable Options

Default Setting

Configurable Arguments

None

Dependencies

Syntax

matchingRule

Performance-Related Information

See Section 4.4, “Database Plug-in Attributes” for further information on database configuration.

Further Information

See the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.33. Linked Attributes Plug-in

Plug-in Parameter Description

Plug-in ID Linked Attributes

DN of Configuration Entry cn=Linked Attributes,cn=plugins,cn=config

Description Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), then any entry associated with that entry (such as a custom directReports attribute) are automatically updated with a user-specified corresponding attribute.

Type preoperation

Configurable Options on | off

Default Setting off

Configurable Arguments

None for the main plug-in entry. Each plug-in instance has three possible attributes:

linkType, which sets the primary attribute for the plug-in to monitor

managedType, which sets the attribute which will be managed dynamically by the plug-in whenever the attribute in linkType is modified

linkScope, which restricts the plug-in activity to a specific subtree within the directory tree

Dependencies Database

Performance-Related Information Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued.

Further Information See the "Managing Attributes" chapter in the Red Hat Directory Server Administration Guide and Section 4.11, “Linked Attributes Plug-in Attributes”.

4.1.34. Managed Entries Plug-in

Plug-in Information

Description

Plug-in ID

Managed Entries

Configuration Entry DN

cn=Managed Entries,cn=plugins,cn=config

Description

Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, then the plug-in automatically creates a new, related entry based on the template.

Type

preoperation

Configurable Options

on | off

Default Setting

off

Configurable Arguments

None for the main plug-in entry. Each plug-in instance has four possible attributes:

originScope, which sets the search base

originFilter, which sets the search base for matching entries

managedScope, which sets the subtree under which to create new managed entries

managedTemplate, which is the template entry used to create the managed entries

Dependencies

Database

Performance-Related Information

None

Further Information

4.1.35. MemberOf Plug-in

Plug-in Information Description

Plug-in ID memberOf

Configuration Entry DN cn=MemberOf Plugin,cn=plugins,cn=config

Description Manages the memberOf attribute on user entries, based on the member attributes in the group entry.

Type postoperation

Configurable Options on | off

Default Setting off

Configurable Arguments

memberOfAttr sets the attribute to generate in people's entries to show their group membership.

memberOfGroupAttr sets the attribute to use to identify group member's DNs.

Dependencies Database

Performance-Related Information None

Further Information

4.1.36. Multi-master Replication Plug-in

Plug-in Parameter

Description

Plug-in ID

replication-multimaster

DN of Configuration Entry

cn=Multimaster Replication plugin,cn=plugins,cn=config

Description

Enables replication between two current Directory Servers

Type

object

Configurable Options

on | off

Default Setting

Configurable Arguments

None

Dependencies

Named: ldbm database

Named: DES

Named: Class of Service

Performance-Related Information

Further Information

Turn this plug-in off if one server will never replicate. See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide.

4.1.37. Name and Optional UID Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	nameoptuid-syntax
DN of Configuration Entry	cn=Name And Optional UID Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	The optional UID is used to distinguish between entries which may have identical DNs or naming attributes. See also RFC 4517.

4.1.38. Numeric String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	numstr-syntax
DN of Configuration Entry	cn=Numeric String Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.39. Octet String Syntax Plug-in

Note

Use the Octet String syntax instead of Binary, which is deprecated.

Plug-in Parameter	Description
Plug-in ID	octetstring-syntax
DN of Configuration Entry	cn=Octet String Syntax,cn=plugins,cn=config
Description	Supports octet string syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.40. OID Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	oid-syntax
DN of Configuration Entry	cn=OID Syntax,cn=plugins,cn=config
Description	Supports object identifier (OID) syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.41. PAM Pass Through Auth Plug-in

Plug-in Parameter	Description
Plug-in ID	pam_passthruauth
DN of Configuration Entry	cn=PAM Pass Through Auth,cn=plugins,cn=config
Description	Enables pass-through authentication for PAM, meaning that a PAM service can use the Directory Server as its user authentication store.
Type	preoperation
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	Database
Performance-Related Information
Further Information	See the "Using PAM Pass-through Authentication" section in the Red Hat Directory Server Administration Guide.

4.1.42. Pass Through Authentication Plug-in

Plug-in Parameter	Description
Plug-in ID	passthruauth
DN of Configuration Entry	cn=Pass Through Authentication,cn=plugins,cn=config
Description	Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
Type	preoperation
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	ldap://example.com:389/o=example
Dependencies	Database
Performance-Related Information	Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication" chapter in the Red Hat Directory Server Administration Guide.
Further Information	See the "Using the Pass-through Authentication Plug-in" chapter in the Red Hat Directory Server Administration Guide.

4.1.43. Password Storage Schemes

Directory Server implements the password storage schemes as plug-ins. However, the cn=Password Storage Schemes,cn=plugins,cn=config entry itself is just a container, not a plug-in entry. All password storage scheme plug-ins are stored as a subentry of this container.

To display all password storage schemes plug-ins, enter:

# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
     -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)" dn

Warning

Red Hat recommends not disabling the password scheme plug-ins nor to change the configurations of the plug-ins to prevent unpredictable authentication behavior.

Strong Password Storage Schemes

Red Hat recommends using only the following strong password storage schemes (strongest first):

PBKDF2_SHA256
The password-based key derivation function 2 (PBKDF2) was designed to expend resources to counter brute force attacks. PBKDF2 supports a variable number of iterations to apply the hashing algorithm. Higher iterations improve security but require more hardware resources. In Directory Server, the PBKDF2_SHA256 scheme is implemented using 30,000 iterations to apply the SHA256 algorithm. This value is hard-coded and will be increased in future versions of Directory Server without requiring interaction by an administrator.
Note
The network security service (NSS) database in Red Hat Enterprise Linux 6 does not support PBKDF2. Therefore you cannot use this password scheme in a replication topology with Directory Server 9.
SSHA512 (default)
The salted secure hashing algorithm (SSHA) implements an enhanced version of the secure hashing algorithm (SHA), that uses a randomly generated salt to increase the security of the hashed password. SSHA512 implements the hashing algorithm using 512 bits.

Weak Password Storage Schemes

Besides the recommended strong password storage schemes, Directory Server supports the following weak schemes for backward compatibility:

`AES`	`CLEAR`	`CRYPT`
`CRYPT-MD5`	`CRYPT-SHA256`	`CRYPT-SHA512`
`DES`	`MD5`	`NS-MTA-MD5` ^[a]
`SHA` ^[b]	`SHA256`	`SHA384`
`SHA512`	`SMD5`	`SSHA` ^[b]
`SSHA256`	`SSHA384`
^[a] Directory Server only supports authentication using this scheme. You can no longer use it to encrypt passwords. ^[b] 160 bit

Important

Only continue using a weak scheme over a short time frame, as it increases security risks.

4.1.44. Posix Winsync API Plug-in

Plug-in Parameter	Description
Plug-in ID	posix-winsync-plugin
DN of Configuration Entry	cn=Posix Winsync API,cn=plugins,cn=config
Description	Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries.
Type	preoperation
Configurable Arguments	on \| off memberUID mapping (groups) converting and sorting memberUID values in lower case (groups) memberOf fix-up tasks with sync operations use Windows 2003 Posix schema
Default Setting	off
Configurable Arguments	None
Dependencies	database

4.1.45. Postal Address String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	postaladdress-syntax
DN of Configuration Entry	cn=Postal Address Syntax,cn=plugins,cn=config
Description	Supports postal address syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.46. Printable String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	printablestring-syntax
DN of Configuration Entry	cn=Printable String Syntax,cn=plugins,cn=config
Description	Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517).
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.47. Referential Integrity Postoperation Plug-in

Plug-in Parameter	Description
Plug-in ID	referint
DN of Configuration Entry	cn=Referential Integrity Postoperation,cn=plugins,cn=config
Description	Enables the server to ensure referential integrity
Type	postoperation
Configurable Options	All configuration and on \| off
Default Setting	off
Configurable Arguments	When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the `member`, `uniquemember`, `owner`, and `seeAlso` attributes immediately after a delete or rename operation. The plug-in can be configured to perform integrity checks on all other attributes. For details, see the corresponding section in the Directory Server Administration Guide.
Dependencies	Database
Performance-Related Information	The Referential Integrity Plug-in should be enabled only on one master in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance resource and time needs as well as integrity needs; integrity checks can be time consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality.
Further Information	See the "Managing Indexes" chapter for information about how to index attributes used for referential integrity checking and the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.48. Retro Changelog Plug-in

Plug-in Parameter Description

Plug-in ID retrocl

DN of Configuration Entry cn=Retro Changelog Plugin,cn=plugins,cn=config

Description Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications.

Type object

Configurable Options on | off

Default Setting off

Configurable Arguments See Section 4.16, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in.

Dependencies

Type: Database

Named: Class of Service

Performance-Related Information May slow down Directory Server update performance.

Further Information See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide.

4.1.49. Roles Plug-in

Plug-in Parameter

Description

Plug-in ID

roles

DN of Configuration Entry

cn=Roles Plugin,cn=plugins,cn=config

Description

Enables the use of roles in the Directory Server

Type

object

Configurable Options

on | off

Default Setting

Configurable Arguments

None

Dependencies

Type: Database

Named: State Change Plug-in

Named: Views Plug-in

Performance-Related Information

Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information

See the "Advanced Entry Management" chapter in the Red Hat Directory Server Administration Guide.

4.1.50. RootDN Access Control Plug-in

Plug-in Parameter	Description
Plug-in ID	rootdn-access-control
DN of Configuration Entry	cn=RootDN Access Control,cn=plugins,cn=config
Description	Enables and configures access controls to use for the root DN entry.
Type	internalpreoperation
Configurable Options	on \| off
Default Setting	off
Configurable Attributes	rootdn-open-time and rootdn-close-time for time-based access controls rootdn-days-allowed for day-based access controls rootdn-allow-host, rootdn-deny-host, rootdn-allow-ip, and rootdn-deny-ip for host-based access controls
Dependencies	None
Further Information	See the "Access Control" sections in the Red Hat Directory Server Administration Guide.

4.1.51. Schema Reload Plug-in

Plug-in Information	Description
Plug-in ID	schemareload
Configuration Entry DN	cn=Schema Reload,cn=plugins,cn=config
Description	Task plug-in to reload schema files
Type	object
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information
Further Information

4.1.52. Space Insensitive String Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	none
DN of Configuration Entry	cn=Space Insensitive String Syntax,cn=plugins,cn=config
Description	Syntax for handling space-insensitive values
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	This plug-in enables the Directory Server to support space and case insensitive values. This allows applications to search the directory using entries with ASCII space characters. For example, a search or compare operation that uses `jOHN Doe` will match entries that contain `johndoe`, `john doe`, and `John Doe` if the attribute's schema has been configured to use the space insensitive syntax. For more information about finding directory entries, see the "Finding Directory Entries" chapter in the Red Hat Directory Server Administration Guide.

4.1.53. State Change Plug-in

Plug-in Parameter	Description
Plug-in ID	statechange
DN of Configuration Entry	cn=State Change Plugin,cn=plugins,cn=config
Description	Enables state-change-notification service
Type	postoperation
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information
Further Information

4.1.54. Syntax Validation Task Plug-in

Plug-in Parameter	Description
Plug-in ID	none
DN of Configuration Entry	cn=Syntax Validation Task,cn=plugins,cn=config
Description	Enables syntax validation for attribute values
Type	object
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information
Further Information	This plug-in implements syntax validation tasks. The actual process that carries out syntax validation is performed by each specific syntax plug-in.

4.1.55. Telephone Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	tele-syntax
DN of Configuration Entry	cn=Telephone Syntax,cn=plugins,cn=config
Description	Supports telephone number syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.56. Teletex Terminal Identifier Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	teletextermid-syntax
DN of Configuration Entry	cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config
Description	Supports international telephone number syntaxes and related matching rules from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.57. Telex Number Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	telex-syntax
DN of Configuration Entry	cn=Telex Number Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.58. URI Syntax Plug-in

Plug-in Parameter	Description
Plug-in ID	none
DN of Configuration Entry	cn=URI Syntax,cn=plugins,cn=config
Description	Supports syntaxes and related matching rules for unique resource identifiers (URIs), including unique resource locators (URLs); from RFC 4517.
Type	syntax
Configurable Options	on \| off
Default Setting	on
Configurable Arguments	None
Dependencies	None
Performance-Related Information	Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information	RFC 4517

4.1.59. USN Plug-in

Plug-in Parameter	Description
Plug-in ID	USN
DN of Configuration Entry	cn=USN,cn=plugins,cn=config
Description	Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values.
Type	object
Configurable Options	on \| off
Default Setting	off
Configurable Arguments	None
Dependencies	Database
Performance-Related Information	For replication, it is recommended that the `entryUSN` configuration attribute be excluded using fractional replication.
Further Information

4.1.60. Views Plug-in

Plug-in Parameter

Description

Plug-in ID

views

DN of Configuration Entry

cn=Views,cn=plugins,cn=config

Description

Enables the use of views in the Directory Server databases.

Type

object

Configurable Options

on | off

Default Setting

Configurable Arguments

None

Dependencies

Type: Database

Named: State Change Plug-in

Performance-Related Information

Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.

Further Information

Where did the comment section go?

Red Hat's documentation publication system recently went through an upgrade to enable speedier, more mobile-friendly content. We decided to re-evaluate our commenting platform to ensure that it meets your expectations and serves as an optimal feedback mechanism. During this redesign, we invite your input on providing feedback on Red Hat documentation via the discussion platform.