2.2. Directory Server Instance-specific Files and Directories
server.example.com, the default instance name is
[Table: instance-specific file types and their locations; only the file-type column survives.]
- Backup files
- Configuration files
- Certificate and key databases
- Database files
- LDIF files
- Lock files
- Log files
- PID file
- Instance-specific scripts [a]
- Systemd unit files
2.2.1. Configuration Files
2.2.1.1. Overview of the Directory Server Configuration
cn=config. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. The latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called
cn=plugins,cn=config. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry:
cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.
cn=config directory information tree.
Figure 2.1. Directory Information Tree Showing Configuration Data
2.2.1.1.1. LDIF and Schema Configuration Files
/etc/dirsrv/slapd-instance directory. Thus, if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 7, the configuration LDIF files are all stored under
Table 2.1. Directory Server LDIF Configuration Files
2.2.1.1.2. How the Server Configuration Is Organized
dse.ldif file contains all configuration information including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of
dse.ldif file, it lists the entries in hierarchical order in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries.
dse.ldif also contains the cn=monitor entry, which is mostly read-only, but can have ACIs set on it.
dse.ldif file does not contain every attribute in cn=config. If the attribute has not been set by the administrator and has a default value, the server will not write it to dse.ldif. To see every attribute in
2.2.1.1.2.1. Configuration Attributes
dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck, which takes the value
```ldif
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: dirsrv
...
```
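The cn=config entry above is ordinary LDIF, so a reviewer can parse dse.ldif offline and check the settings that matter for security before touching a running server. The following is an added example, not code from the Directory Server documentation or project. It parses LDIF content records (including folded lines and base64 values) and reviews the cn=config attributes; the sample LDIF is constructed from the excerpt above, with a base64 nsslapd-certdir value and a wrapped nsslapd-errorlog line added to exercise the parser. The baseline it checks (schema checking on, access logging on, slapd not running as root) is this example's own choice.

```python
# Added example, not code from the Directory Server documentation: parse a
# dse.ldif-style LDIF text and review the security-relevant cn=config settings.
# The sample is constructed from the cn=config excerpt above; the base64 value
# and the wrapped nsslapd-errorlog line are added to exercise the parser.
import base64
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, Dict[str, List[str]]]  # (dn, attribute name -> values)

_CERTDIR_B64 = base64.b64encode(b"/etc/dirsrv/slapd-phonebook").decode("ascii")

SAMPLE_DSE_LDIF = f"""\
# constructed sample modelled on the cn=config excerpt in the text
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: dirsrv
nsslapd-certdir:: {_CERTDIR_B64}
nsslapd-errorlog: /var/log/dirsrv/slapd-phonebook/
 errors

dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
"""


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into (dn, attrs) tuples.

    Handles comment lines, blank-line record separators, folded lines (a leading
    space continues the previous line) and base64 values ("attr:: <base64>").
    Attribute names are lower-cased (LDAP attribute names are case-insensitive).
    Change records and "attr:< url" references are out of scope.
    """
    logical: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries: List[Entry] = []
    dn: Optional[str] = None
    attrs: Dict[str, List[str]] = {}

    def flush() -> None:
        nonlocal dn, attrs
        if dn is not None:
            entries.append((dn, attrs))
        dn, attrs = None, {}

    for line in logical:
        if line.startswith("#"):
            continue
        if not line.strip():
            flush()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):          # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            flush()
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    flush()
    return entries


def audit_config(entries: List[Entry]) -> List[str]:
    """Findings for cn=config settings a reviewer checks first (example baseline)."""
    cfg = dict(entries).get("cn=config", {})

    def first(attr: str) -> str:
        return (cfg.get(attr) or [""])[0].lower()

    findings = []
    if first("nsslapd-schemacheck") != "on":
        findings.append("nsslapd-schemacheck is not 'on': entries are not validated against the schema")
    if first("nsslapd-accesslog-logging-enabled") != "on":
        findings.append("access logging is disabled: no record of binds and searches")
    if first("nsslapd-localuser") in ("", "root"):
        findings.append("nsslapd-localuser is unset or root: slapd should run as an unprivileged account")
    return findings


def enabled_plugins(entries: List[Entry]) -> List[str]:
    """cn values of plug-in entries under cn=plugins,cn=config that are enabled."""
    return [
        attrs.get("cn", [dn])[0]
        for dn, attrs in entries
        if dn.lower().endswith(",cn=plugins,cn=config")
        and (attrs.get("nsslapd-pluginenabled") or [""])[0].lower() == "on"
    ]
```

Run it against a copy of the real dse.ldif (the server must be stopped if you intend to edit the file, as the text below explains; reading a copy is safe at any time). Because attributes left at their defaults are not written to dse.ldif, a missing attribute is reported as a finding rather than assumed safe; compare against an ldapsearch of cn=config on the running server when a default matters.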
2.2.1.1.2.2. Configuration of Plug-in Functionality
cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
```ldif
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
```
2.2.1.1.2.3. Configuration of Databases
cn=UserRoot subtrees under the database plug-in entry contain configuration data for the databases containing the o=NetscapeRoot suffix and the default suffix created during setup, such as
2.2.1.1.2.4. Configuration of Indexes
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
2.2.1.2. Accessing and Modifying Server Configuration
2.2.1.2.1. Access Control for Configuration Entries
cn=config. The following code sample is an example of these default ACIs.
```ldif
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,u=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server, cn=Server Group,cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)
```
- Members of the Configuration Administrators group.
- The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
- Members of the local Directory Administrators group.
- The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
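Every one of the default ACIs above grants allow (all) on every attribute of cn=config, so the practical review question is "which subjects hold full control over the server configuration, and does anything grant access to unauthenticated clients?". The following is an added example, not code from the Directory Server documentation or project: it parses ACI values in the syntax shown above into their target, acl name, rights and bind rules, then lists the full-control subjects. The first four ACIs are the defaults quoted in the text; the fifth is a constructed, deliberately permissive ACI using the ldap:///anyone bind subject so the review has something to flag. The parser covers the single-rule form used on this page (one allow/deny clause with simple keyword = "value" bind rules) and does not attempt the full ACI grammar.

```python
# Added example, not from the Directory Server documentation: parse ACI values
# of the form shown above and list who is granted full control. The first four
# ACIs are the defaults quoted in the text; the fifth is a constructed,
# deliberately permissive one so the review has something to flag.
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

BindRule = Tuple[str, str, str]                 # (keyword, "=" or "!=", subject)
Rule = Tuple[str, Set[str], List[BindRule]]     # ("allow"|"deny", rights, bind rules)

SAMPLE_ACIS = [
    'aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,u=Groups,ou=TopologyManagement,o=NetscapeRoot";)',
    'aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)',
    'aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)',
    'aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server, cn=Server Group,cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)',
    # constructed for this example: read access for unauthenticated clients
    'aci: (targetattr = "*")(version 3.0; acl "Anyone reads config"; allow (read, search) userdn = "ldap:///anyone";)',
]

TARGET_RE = re.compile(r'\(\s*(target\w*)\s*(!?=)\s*"([^"]*)"\s*\)')
VERSION_RE = re.compile(r'\(\s*version\s+3\.0\s*;\s*acl\s+"([^"]*)"\s*;(.*)\)\s*$', re.S)
RULE_RE = re.compile(r'\b(allow|deny)\s*\(\s*([^)]*)\)\s*(.*?);', re.S | re.I)
BIND_RE = re.compile(
    r'\b(userdn|groupdn|roledn|userattr|ip|dns|authmethod|timeofday|dayofweek)\s*(!?=)\s*"([^"]*)"',
    re.I,
)


@dataclass
class Aci:
    name: str
    targets: Dict[str, Tuple[str, str]]   # e.g. {"targetattr": ("=", "*")}
    rules: List[Rule]


def parse_aci(text: str) -> Aci:
    """Parse one ACI value, with or without the leading 'aci:' attribute name."""
    if text.lower().startswith("aci:"):
        text = text.split(":", 1)[1]
    targets = {m.group(1).lower(): (m.group(2), m.group(3)) for m in TARGET_RE.finditer(text)}
    m = VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no version/acl clause in ACI: {text!r}")
    rules: List[Rule] = []
    for r in RULE_RE.finditer(m.group(2)):
        rights = {x.strip().lower() for x in r.group(2).split(",") if x.strip()}
        binds = [(b.group(1).lower(), b.group(2), b.group(3)) for b in BIND_RE.finditer(r.group(3))]
        rules.append((r.group(1).lower(), rights, binds))
    return Aci(m.group(1), targets, rules)


def full_control_subjects(acis: List[Aci]) -> List[Tuple[str, str, str]]:
    """(acl name, bind keyword, subject) for every 'allow (all)' on all attributes."""
    out = []
    for a in acis:
        if a.targets.get("targetattr", ("=", ""))[1] != "*":
            continue
        for effect, rights, binds in a.rules:
            if effect == "allow" and "all" in rights:
                out.extend((a.name, kw, subj) for kw, op, subj in binds if op == "=")
    return out


def anonymous_grants(acis: List[Aci]) -> List[str]:
    """Names of ACIs that allow anything to ldap:///anyone (unauthenticated clients)."""
    return [
        a.name
        for a in acis
        for effect, _rights, binds in a.rules
        if effect == "allow" and any(s.lower() == "ldap:///anyone" for _, _, s in binds)
    ]
```

Feed it the aci values returned by an ldapsearch of cn=config (one value per call); the full-control list is the set of groups and users whose membership and credentials protect the entire server configuration, which is what a periodic access review should confirm.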
2.2.1.2.2. Changing Configuration Attributes
ldapmodify commands, or by manually editing the dse.ldif file, the server must be stopped; otherwise, the changes are lost. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Section 2.2.1.2.2.3, “Configuration Changes Requiring Server Restart” for further information.
2.2.1.2.2.1. Modifying Configuration Entries Using LDAP
ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running.
cn=config subtree as this risks affecting Directory Server functionality.
ldapsearch operation on the
```shell
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)"
```
- bindDN is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
- password is the password chosen for the Directory Manager.
ldapmodify to edit the
```shell
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
```
2.2.1.2.2.2. Restrictions to Modifying Configuration Entries and Attributes
cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
- If an attribute is added to cn=config, the server ignores it.
- If an invalid value is entered for an attribute, the server ignores it.
Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute from an entry.
2.2.1.2.2.3. Configuration Changes Requiring Server Restart
dse.ldif file. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:
```shell
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
```
[Table: configuration attributes that require a server restart; the attribute names did not survive extraction.]
[a] Although this attribute requires a restart, it is not returned in the search.
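The ldapsearch pipeline above tells you which cn=config attributes only take effect after a restart; what an operator usually wants is to compare that list with a prepared ldapmodify change record before applying it, so that a change believed to be live is not silently pending until the next restart. The following is an added example, not code from the Directory Server documentation or project. Both inputs are constructed samples: the grep output lines and the attribute names in them are illustrative, and the real list must come from the search against your own server (the footnote above also notes that one restart-requiring attribute is not returned by the search at all, so the search output is a lower bound).

```python
# Added example, not from the Directory Server documentation: before applying
# an ldapmodify change record, compare the attributes it touches with the
# nsslapd-requiresrestart values returned by the ldapsearch above, so the
# operator knows whether each change takes effect live or needs a restart.
# Both inputs are constructed samples; the attribute names are illustrative
# and the authoritative list comes from your own server.
import re
from typing import Dict, Set

SAMPLE_SEARCH_OUTPUT = """\
nsslapd-requiresrestart: nsslapd-port
nsslapd-requiresrestart: nsslapd-secureport
nsslapd-requiresrestart: nsslapd-certdir
nsslapd-requiresrestart: nsslapd-localuser
"""

# constructed ldapmodify input: two change records, one of them multi-operation
SAMPLE_CHANGE = """\
dn: cn=config
changetype: modify
replace: nsslapd-secureport
nsslapd-secureport: 636
-
replace: nsslapd-accesslog-logging-enabled
nsslapd-accesslog-logging-enabled: on

dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
"""

# an LDIF modify operation line: "add: attr", "replace: attr" or "delete: attr"
_MOD_OP = re.compile(r"^(add|replace|delete)\s*:\s*(\S+)", re.I)


def restart_attributes(search_output: str) -> Set[str]:
    """Attribute names listed as nsslapd-requiresrestart values (lower-cased)."""
    return {
        line.split(":", 1)[1].strip().lower()
        for line in search_output.splitlines()
        if line.lower().startswith("nsslapd-requiresrestart:")
    }


def modified_attributes(change_ldif: str) -> Dict[str, Set[str]]:
    """Map each target DN of an ldapmodify change record to the attributes it modifies."""
    touched: Dict[str, Set[str]] = {}
    dn = None
    for line in change_ldif.splitlines():
        if line.lower().startswith("dn:"):
            dn = line.split(":", 1)[1].strip()
            touched.setdefault(dn, set())
        elif dn is not None:
            m = _MOD_OP.match(line)
            if m:
                touched[dn].add(m.group(2).lower())
    return touched


def change_plan(change_ldif: str, search_output: str) -> Dict[str, str]:
    """'restart' or 'live' for every attribute the change record modifies."""
    restart = restart_attributes(search_output)
    return {
        attr: ("restart" if attr in restart else "live")
        for attrs in modified_attributes(change_ldif).values()
        for attr in attrs
    }
```

In practice the search output is captured from the real pipeline and the change record is the file you are about to pass to ldapmodify; any attribute reported as "restart" belongs in a maintenance window, and the rest can be applied while the server is running, as the section above describes.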
2.2.1.2.2.4. Deleting Configuration Attributes
/etc/dirsrv/slapd-instance-name/dse.ldif file, because they all have default values used by the server.
2.2.2. Database Files
/var/lib/dirsrv/slapd-instance/db directory for storing all of the database files. The following is a sample listing of the
Example 2.1. Database Directory Contents
```
__db.001  __db.002  __db.003  __db.004  __db.005
DBVERSION  log.0000000007  NetscapeRoot/  userRoot/
```
- __db.00x files — Used internally by the database and should not be moved, deleted, or modified in any way.
- log.xxxxxxxxxx files — Used to store the transaction logs per database.
- DBVERSION — Used for storing the version of the database.
- NetscapeRoot — Stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run.
- userRoot — Stores the user-defined suffix (user-defined databases) created at setup; for example,
testRoot) to store the directory tree under a new suffix, the directory named testRoot also appears in the
Example 2.2. NetscapeRoot Database Directory Contents
```
./  ../  DBVERSION*  aci.db*  ancestorid.db*  cn.db*  entrydn.db*  givenName.db*
id2entry.db*  nsUniqueId.db*  numsubordinates.db*  objectclass.db*  parentid.db*
sn.db*  uid.db*  uniquemember.db*
```
NetscapeRoot subdirectories contain an index_name.db file for every index currently defined in the database. In addition to these files, the userRoot subdirectories contain the following files:
- ancestorid.db — Contains a list of IDs to find the ID of the entry's ancestor.
- entrydn.db — Contains a list of full DNs to find any ID.
- nsuniqueid.db — Contains a list of unique IDs to find any ID.
- numsubordinates.db — Contains IDs that have child entries.
- objectclass.db — Contains a list of IDs which have a particular object class.
- parentid.db — Contains a list of IDs to find the ID of the parent.
2.2.3. LDIF Files
/var/lib/dirsrv/slapd-instance/ldif directory for storing LDIF-related files. Example 2.3, “LDIF Directory Contents” lists the
Example 2.3. LDIF Directory Contents
```
European.ldif  Example.ldif  Example-roles.ldif  Example-views.ldif
```
- European.ldif — Contains European character samples.
- Example.ldif — Is a sample LDIF file.
- Example-roles.ldif — Is a sample LDIF file similar to Example.ldif, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.
db2ldif.pl scripts in the instance directory are stored in
2.2.4. Lock Files
/var/lock/dirsrv/slapd-instance directory for storing lock-related files. The following is a sample listing of the
Example 2.4. Lock Directory Contents
```
exports/  imports/  server/
```
imports/ directory to prevent any other ldif2db (another import), or db2ldif (export) operations from running. If the server is running as normal, there is a lock in the server/ directory, which prevents import operations (but not export operations), while if there is an export operation, the lock in the exports/ directory allows normal server operations but prevents import operations.
nsslapd-db-locks attribute. Tuning that attribute value is described in the Performance Tuning Guide.
2.2.5. Log Files
/var/log/dirsrv/slapd-instance directory for storing log files. The following is a sample listing of the
Example 2.5. Log Directory Contents
```
access                  access.20200221-162824  access.20200223-171949
access.20200227-171818  access.20200228-171925  access.rotationinfo
audit                   audit.rotationinfo
errors                  errors.20200221-162824  errors.rotationinfo
slapd.stats
```
- The content of the error log files is dependent on the log configuration.
- The slapd.stats file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
2.2.6. PID Files
slapd-serverID.startpid files are created in the /var/run/dirsrv directory when the server is up and running. Both files store the server's process ID.
Example 2.6. /bin Contents
```
dbscan  dbscan-bin  ldif  ldif-bin
```
Example 2.7. /sbin Contents
```
ds_removal  ds_unregister  migrate-ds-admin.pl  register-ds-admin.pl
remove-ds-admin.pl  remove-ds.pl  setup-ds-admin.pl  setup-ds.pl
```
/usr/sbin/ directory. Use the -Z instance_name option with the commands in order to set the instance the script should be executed on.
/usr/lib64/dirsrv/slapd-instance/ directory previously used for command-line scripts is deprecated. However, until the instance-specific scripts are removed in a future Directory Server release, existing scripts in this directory are updated when running the
2.2.9. Backup Files
- /var/lib/dirsrv/slapd-instance/bak — This contains a directory dated with the instance, time and date of the database backup, such as instance-2020_05_02_16_56_05/, which in turn holds the database backup copy.
- /etc/dirsrv/slapd-instance/dse_original.ldif — This is a backup copy of the dse.ldif configuration file from the time of installation.