2.2. Directory Server Instance-specific Files and Directories
If the fully qualified host name of the machine is server.example.com, the default instance name is server. The following table lists the files and directories that belong to one instance; instance_name stands for the name of that instance.
Type | Location |
---|---|
Backup files | /var/lib/dirsrv/slapd-instance_name/bak/ |
Configuration files | /etc/dirsrv/slapd-instance_name/ |
Certificate and key databases | /etc/dirsrv/slapd-instance_name/ |
Database files | /var/lib/dirsrv/slapd-instance_name/db/ |
LDIF files | /var/lib/dirsrv/slapd-instance_name/ldif/ |
Lock files | /var/lock/dirsrv/slapd-instance_name/ |
Log files | /var/log/dirsrv/slapd-instance_name/ |
PID file | /var/run/dirsrv/slapd-instance_name.pid |
Instance-specific scripts [a] | /usr/lib64/dirsrv/slapd-instance_name/ |
Systemd unit files | /etc/systemd/system/dirsrv.target.wants/dirsrv@instance_name.service |
[a] Deprecated. For details, see Section 2.2.8, “Scripts”.
2.2.1. Configuration Files
Each Directory Server instance stores its configuration files in the /etc/dirsrv/slapd-instance directory.
2.2.1.1. Overview of the Directory Server Configuration
Directory Server stores its configuration in the cn=config entry. When the server is started, the contents of the cn=config subtree are read from a file (dse.ldif) in LDIF format. This dse.ldif file contains all of the server configuration information. The latest version of this file is called dse.ldif, the version prior to the last modification is called dse.ldif.bak, and the latest file with which the server successfully started is called dse.ldif.startOK. Because dse.ldif.startOK records the configuration the server read at its last start, it is the reference copy to compare against when checking what the running server actually loaded.
Plug-in configuration is stored under cn=plugins,cn=config. For example, the configuration of the Telephone Syntax Plug-in is contained in this entry:
cn=Telephone Syntax,cn=plugins,cn=config
Database configuration is stored under cn=ldbm database,cn=plugins,cn=config for local databases and cn=chaining database,cn=plugins,cn=config for database links.
Figure 2.1 shows a sample of the cn=config directory information tree.

Figure 2.1. Directory Information Tree Showing Configuration Data
2.2.1.1.1. LDIF and Schema Configuration Files
Configuration information is stored in LDIF files in the /etc/dirsrv/slapd-instance directory. Thus, if a server identifier is phonebook, then for a Directory Server on Red Hat Enterprise Linux 7, the configuration LDIF files are all stored under /etc/dirsrv/slapd-phonebook.
Schema configuration files are stored in the /etc/dirsrv/schema directory.
Table 2.1. Directory Server LDIF Configuration Files
2.2.1.1.2. How the Server Configuration Is Organized
The dse.ldif file contains all configuration information, including directory-specific entries created by the directory at server startup, such as entries related to the database. The file includes the root Directory Server entry (or DSE, named by "") and the contents of cn=config and cn=monitor.
When the server generates the dse.ldif file, it lists the entries in hierarchical order, in the order that the entries appear in the directory under cn=config, which is usually the same order in which an LDAP search of subtree scope for base cn=config returns the entries.
dse.ldif also contains the cn=monitor entry, which is mostly read-only, but can have ACIs set on it.
Note
The dse.ldif file does not contain every attribute in cn=config. If an attribute has not been set by the administrator and has a default value, the server does not write it to dse.ldif. To see every attribute in cn=config, including the defaults, use ldapsearch against the running server; an audit of dse.ldif alone only sees the values that have been changed from their defaults.
2.2.1.1.2.1. Configuration Attributes
The following is an example of a dse.ldif file for a Directory Server. The example shows, among other things, that schema checking has been enabled; this is represented by the attribute nsslapd-schemacheck, which takes the value on.
dn: cn=config
objectclass: top
objectclass: extensibleObject
objectclass: nsslapdConfig
nsslapd-accesslog-logging-enabled: on
nsslapd-enquote-sup-oc: off
nsslapd-localhost: phonebook.example.com
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser: dirsrv
...
2.2.1.1.2.2. Configuration of Plug-in Functionality
Plug-in configuration is stored under cn=plugins,cn=config. The following code sample is an example of the configuration entry for an example plug-in, the Telephone Syntax plug-in.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
All plug-in entries can be listed by running ldapsearch on the cn=config subtree.
2.2.1.1.2.3. Configuration of Databases
The cn=NetscapeRoot and cn=userRoot subtrees under the database plug-in entry (cn=ldbm database,cn=plugins,cn=config) contain configuration data for the databases containing the o=NetscapeRoot suffix and the default suffix created during setup, such as dc=example,dc=com.
2.2.1.1.2.4. Configuration of Indexes
Index configuration is stored under the following entries:
cn=index,cn=NetscapeRoot,cn=ldbm database,cn=plugins,cn=config
cn=index,cn=userRoot,cn=ldbm database,cn=plugins,cn=config
cn=default indexes,cn=config,cn=ldbm database,cn=plugins,cn=config
The first two hold the indexes of the NetscapeRoot and userRoot databases; the default indexes entry holds the set of indexes applied to every newly created database.
2.2.1.2. Accessing and Modifying Server Configuration
2.2.1.2.1. Access Control for Configuration Entries
Default ACIs are set on cn=config when the server is installed. The following code sample is an example of these default ACIs.
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrators Group"; allow (all) groupdn = "ldap:///cn=Configuration Administrators,ou=Groups,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all) userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "*")(version 3.0; acl "Local Directory Administrators Group"; allow (all) groupdn = "ldap:///ou=Directory Administrators,dc=example,dc=com";)
aci: (targetattr = "*")(version 3.0; acl "SIE Group"; allow(all) groupdn = "ldap:///cn=slapd-phonebook,cn=Red Hat Directory Server,cn=Server Group,cn=phonebook.example.com,dc=example,dc=com,o=NetscapeRoot";)
These ACIs grant access to the configuration to the following identities:
- Members of the Configuration Administrators group.
- The user acting as the administrator, the admin account that was configured at setup. By default, this is the same user account which is logged into the Console.
- Members of the local Directory Administrators group.
- The SIE (Server Instance Entry) group, usually assigned using the Set Access Permissions process in the main console.
Every one of these ACIs targets all attributes and grants all rights, so membership in any of these groups, or control of the admin account, amounts to full administrative control of the instance. Review their membership with the same care as the Directory Manager password.
2.2.1.2.2. Changing Configuration Attributes
Configuration attributes can be changed with the ldapsearch and ldapmodify commands, or by manually editing the dse.ldif file.
Note
Stop the server before manually editing the dse.ldif file; otherwise, the changes are lost, because the running server rewrites the file from its in-memory configuration. Editing the dse.ldif file is recommended only for changes to attributes which cannot be altered dynamically. See Section 2.2.1.2.2.3, “Configuration Changes Requiring Server Restart” for further information.
2.2.1.2.2.1. Modifying Configuration Entries Using LDAP
Configuration entries can be searched and modified with the ldapsearch and ldapmodify operations in the same way as other directory entries. The advantage of using LDAP to modify entries is that changes can be made while the server is running.
Note
Take care when modifying entries and attributes in the cn=config subtree, as mistakes there can affect Directory Server functionality.
The following is an example of an ldapsearch operation on the cn=config subtree:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)"
- The -D option gives the bind DN, which is the DN chosen for the Directory Manager when the server was installed (cn=Directory Manager by default).
- The -W option prompts for the Directory Manager's password, so that it does not appear on the command line or in the shell history.
The following example uses ldapmodify to edit the nsslapd-pluginEnabled attribute:
# ldapmodify -D "cn=Directory Manager" -W -p 389 -h server.example.com -x
dn: cn=Telephone Syntax,cn=plugins,cn=config
changetype: modify
replace: nsslapd-pluginEnabled
nsslapd-pluginEnabled: off
Both commands use simple authentication (-x) over the plain LDAP port, which sends the Directory Manager password in clear text over the network. Run them on the server itself, or over a TLS connection (the LDAPS port configured by nsslapd-secureport, or StartTLS with the -ZZ option of the OpenLDAP client tools).
2.2.1.2.2.2. Restrictions to Modifying Configuration Entries and Attributes
The following restrictions apply when modifying configuration entries and attributes:
- The cn=monitor entry and its child entries are read-only and cannot be modified, except to manage ACIs.
- If an attribute that the server does not recognize is added to cn=config, the server ignores it.
- If an invalid value is entered for an attribute, the server ignores it.
- Because ldapdelete is used for deleting an entire entry, use ldapmodify to remove an attribute from an entry.
2.2.1.2.2.3. Configuration Changes Requiring Server Restart
Some configuration attributes cannot be altered while the server is running. Changes to them can be written over LDAP, or by stopping the server and editing the dse.ldif file, but in either case they take effect only after the server has been restarted. Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
- nsslapd-cachesize
- nsslapd-certdir
- nsslapd-dbcachesize
- nsslapd-dbncache
- nsslapd-plugin
- nsslapd-changelogdir
- nsslapd-changelogmaxage
- nsslapd-changelogmaxentries
- nsslapd-port
- nsslapd-schemadir
- nsslapd-saslpath
- nsslapd-secureport
- nsslapd-tmpdir
- nsSSL2
- nsSSL3
- nsSSLclientauth
- nsSSLSessionTimeout
- nsslapd-conntablesize
- nsslapd-lockdir
- nsslapd-maxdescriptors
- nsslapd-reservedescriptors
- nsslapd-listenhost
- nsslapd-schema-ignore-trailing-spaces
- nsslapd-securelistenhost
- nsslapd-workingdir
- nsslapd-return-exact-case
- nsslapd-maxbersize [a]
[a] Although this attribute requires a restart, it is not returned in the search.
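The checks in this section (the allow (all) ACIs on cn=config in Section 2.2.1.2.1, the dse.ldif and dse.ldif.startOK pair described in Section 2.2.1.1, the nsslapd-pluginEnabled flag changed with ldapmodify in Section 2.2.1.2.2.1, and the restart-only attributes listed above) can all be run offline against the files in /etc/dirsrv/slapd-instance_name. The following Python script is an added example written for this page; it is not Red Hat's or the 389 Directory Server project's code. It carries its own small LDIF parser, so it needs neither an LDAP client nor a running server. The two LDIF texts are constructed for the example, modelled on the dse.ldif excerpt in Section 2.2.1.1.2.1 rather than taken from a real server, and RESTART_ATTRS is an assumed subset of the list above, not the server's own nsslapd-requiresrestart value.

```python
"""Offline audit of a Directory Server dse.ldif: added example for this page, not Red Hat's code.
Parses LDIF, then reports plug-in state, ACIs granting full control, and drift between
dse.ldif and the dse.ldif.startOK copy that the server last started with."""
import base64
import re

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;._-]*)(::?)\s*(.*)$")
ACL_NAME_RE = re.compile(r'acl\s+"([^"]*)"')
ALLOW_ALL_RE = re.compile(r"allow\s*\(\s*all\s*\)", re.I)
# Assumed subset of the restart-only attributes listed on this page, not the server's own list.
RESTART_ATTRS = {"nsslapd-port", "nsslapd-secureport", "nsslapd-listenhost",
                 "nsslapd-certdir", "nsslapd-plugin", "nsslapd-maxbersize"}

def parse_ldif(text):
    """Return [(dn, {attr: [values]})]; attribute names are lower-cased, as LDAP is case-insensitive."""
    unfolded = re.sub(r"\n ", "", text)           # join folded lines, dropping the one leading space
    entries, current = [], None
    for line in unfolded.splitlines() + [""]:     # the trailing "" flushes the last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
        elif not line.startswith("#") and not line.lower().startswith("version:"):
            m = ATTR_RE.match(line)
            if not m:
                raise ValueError("malformed LDIF line: %r" % line)
            name, sep, value = m.group(1).lower(), m.group(2), m.group(3)
            if sep == "::":                       # base64-encoded value
                value = base64.b64decode(value).decode("utf-8")
            if name == "dn":
                current = (value, {})
            elif current is None:
                raise ValueError("attribute before any dn: %r" % line)
            else:
                current[1].setdefault(name, []).append(value)
    return entries

def entry(entries, dn):
    """Attributes of dn (compared case-insensitively, spaces ignored), or {} if absent."""
    key = dn.replace(" ", "").lower()
    return next((a for d, a in entries if d.replace(" ", "").lower() == key), {})

def plugin_states(entries):
    """cn -> True if enabled, for every plug-in entry under cn=plugins,cn=config."""
    return {a.get("cn", [d])[0]: a["nsslapd-pluginenabled"][0].lower() == "on"
            for d, a in entries
            if d.lower().endswith(",cn=plugins,cn=config") and "nsslapd-pluginenabled" in a}

def acis_allowing_all(entries, dn="cn=config"):
    """Names of ACIs on dn that grant allow (all), i.e. full control of the configuration."""
    acis = [a for a in entry(entries, dn).get("aci", []) if ALLOW_ALL_RE.search(a)]
    return [m.group(1) if m else a for a, m in ((a, ACL_NAME_RE.search(a)) for a in acis)]

def config_drift(current_text, startok_text):
    """{dn: {attr: (startOK values, current values)}} for every attribute that differs."""
    cur = {d.lower(): a for d, a in parse_ldif(current_text)}
    ok = {d.lower(): a for d, a in parse_ldif(startok_text)}
    drift = {}
    for dn in sorted(set(cur) | set(ok)):
        a, b = ok.get(dn, {}), cur.get(dn, {})
        changed = {n: (a.get(n, []), b.get(n, [])) for n in sorted(set(a) | set(b))
                   if sorted(a.get(n, [])) != sorted(b.get(n, []))}
        if changed:
            drift[dn] = changed
    return drift

def pending_restart(drift):
    """Drifted attributes that the running server applies only after a restart."""
    return sorted(n for changed in drift.values() for n in changed if n in RESTART_ATTRS)

# Constructed sample files modelled on the dse.ldif excerpt on this page (not real server output).
DSE_STARTOK = """\
dn: cn=config
objectclass: nsslapdConfig
nsslapd-schemacheck: on
nsslapd-port: 389
nsslapd-localuser:: ZGlyc3J2
aci: (targetattr = "*")(version 3.0; acl "Configuration Administrator"; allow (all)
  userdn = "ldap:///uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot";)
aci: (targetattr = "nsslapd-port")(version 3.0; acl "Port readers"; allow (read, search)
  groupdn = "ldap:///cn=monitors,dc=example,dc=com";)

dn: cn=Telephone Syntax,cn=plugins,cn=config
cn: Telephone Syntax
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
"""
# Same server after schema checking was switched off, a secure port added and the plug-in disabled.
DSE_LDIF = (DSE_STARTOK.replace("nsslapd-schemacheck: on", "nsslapd-schemacheck: off")
            .replace("nsslapd-port: 389", "nsslapd-port: 389\nnsslapd-secureport: 636")
            .replace("nsslapd-pluginEnabled: on", "nsslapd-pluginEnabled: off"))

if __name__ == "__main__":
    cur = parse_ldif(DSE_LDIF)
    print("plug-ins:", plugin_states(cur), "full-control ACIs:", acis_allowing_all(cur))
    drift = config_drift(DSE_LDIF, DSE_STARTOK)
    print("drift vs dse.ldif.startOK:", drift, "waiting for restart:", pending_restart(drift))
```

Against real files, pass the contents of dse.ldif to parse_ldif and the contents of dse.ldif and dse.ldif.startOK to config_drift. A drift hit means the file on disk no longer matches the configuration the server last started with: either a change that is still waiting for a restart (pending_restart names those it knows about), or an edit made to the file while the server was running, which the Note in Section 2.2.1.2.2 says will be lost. Drift in a dynamic attribute is expected after any ldapmodify and is not a finding by itself.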
2.2.1.2.2.4. Deleting Configuration Attributes
Configuration attributes can be deleted from the /etc/dirsrv/slapd-instance-name/dse.ldif file, because they all have default values that the server uses when the attribute is absent. Deleting an attribute is therefore not a way to disable a feature: the server silently falls back to the default, so check what that default is before removing a setting.
2.2.2. Database Files
Each Directory Server instance contains the /var/lib/dirsrv/slapd-instance/db directory for storing all of the database files. The following is a sample listing of the /var/lib/dirsrv/slapd-instance/db directory contents.
Example 2.1. Database Directory Contents
__db.001  __db.003  __db.005   NetscapeRoot/   userRoot/
__db.002  __db.004  DBVERSION  log.0000000007
- __db.00x files — Used internally by the database and should not be moved, deleted, or modified in any way.
- log.xxxxxxxxxx files — Used to store the transaction logs per database.
- DBVERSION — Used for storing the version of the database.
- NetscapeRoot — Stores the o=NetscapeRoot database created by default when the setup-ds-admin.pl script is run.
- userRoot — Stores the user-defined suffix (user-defined databases) created at setup; for example, dc=example,dc=com.
Note
If a new database (for example, testRoot) is created to store the directory tree under a new suffix, a directory named testRoot also appears in the /var/lib/dirsrv/slapd-instance/db directory.
The following is a sample listing of the NetscapeRoot directory contents.
Example 2.2. NetscapeRoot Database Directory Contents
./              entrydn.db*          parentid.db*
../             givenName.db*        sn.db*
DBVERSION*      id2entry.db*         uid.db*
aci.db*         nsUniqueId.db*       uniquemember.db*
ancestorid.db*  numsubordinates.db*
cn.db*          objectclass.db*
The NetscapeRoot and userRoot subdirectories contain an index_name.db file for every index currently defined in the database (in the listing above: aci, cn, givenName, sn, uid and uniquemember), plus id2entry.db, which holds the entries themselves. In addition to these files, the NetscapeRoot and userRoot subdirectories contain the following system index files:
- ancestorid.db — Contains a list of IDs to find the ID of the entry's ancestor.
- entrydn.db — Contains a list of full DNs to find any ID.
- nsuniqueid.db — Contains a list of unique IDs to find any ID.
- numsubordinates.db — Contains IDs that have child entries.
- objectclass.db — Contains a list of IDs which have a particular object class.
- parentid.db — Contains a list of IDs to find the ID of the parent.
2.2.3. LDIF Files
Each Directory Server instance contains the /var/lib/dirsrv/slapd-instance/ldif directory for storing LDIF-related files. Example 2.3, “LDIF Directory Contents” lists the /ldif directory contents.
Example 2.3. LDIF Directory Contents
European.ldif  Example.ldif  Example-roles.ldif  Example-views.ldif
- European.ldif — Contains European character samples.
- Example.ldif — Is a sample LDIF file.
- Example-roles.ldif — Is a sample LDIF file similar to Example.ldif, except that it uses roles and class of service instead of groups for setting access control and resource limits for directory administrators.
Note
LDIF files exported with the db2ldif or db2ldif.pl scripts in the instance directory are stored in /var/lib/dirsrv/slapd-instance/ldif. An export is a complete, readable copy of the database, so this directory deserves the same access restrictions as the db directory.
2.2.4. Lock Files
Each Directory Server instance contains the /var/lock/dirsrv/slapd-instance directory for storing lock-related files. The following is a sample listing of the lock directory contents.
Example 2.4. Lock Directory Contents
exports/  imports/  server/
The locks prevent operations that would conflict over the same database from running at the same time. While an import is running, there is a lock in the imports/ directory to prevent any other ns-slapd (normal), ldif2db (another import), or db2ldif (export) operations from running. If the server is running as normal, there is a lock in the server/ directory, which prevents import operations (but not export operations), while if there is an export operation, the lock in the exports/ directory allows normal server operations but prevents import operations.
The number of locks that the database itself can hold is controlled by the nsslapd-db-locks attribute. Tuning that attribute value is described in the Performance Tuning Guide. Note that nsslapd-db-locks sizes the database's internal lock table and has nothing to do with the lock files in this directory.
2.2.5. Log Files
Each Directory Server instance contains the /var/log/dirsrv/slapd-instance directory for storing log files. The following is a sample listing of the log directory contents.
Example 2.5. Log Directory Contents
access                  access.20200228-171925  errors
access.20200221-162824  access.rotationinfo     errors.20200221-162824
access.20200223-171949  audit                   errors.rotationinfo
access.20200227-171818  audit.rotationinfo      slapd.stats
- The content of the access, audit, and errors log files is dependent on the log configuration. The dated files are rotated copies of each log, named with the date and time of rotation (access.20200228-171925 was rotated on 2020-02-28 at 17:19:25), and each .rotationinfo file records the rotation state of its log.
- The slapd.stats file is a memory-mapped file which cannot be read by an editor. It contains data collected by the Directory Server SNMP data collection component. This data is read by the SNMP subagent in response to SNMP attribute queries and is communicated to the SNMP master agent responsible for handling Directory Server SNMP requests.
2.2.6. PID Files
The slapd-serverID.pid and slapd-serverID.startpid files are created in the /var/run/dirsrv directory when the server is up and running. Both files store the server's process ID.
2.2.7. Tools
Directory Server command-line tools are installed in the /usr/bin and /usr/sbin directories. Examples 2.6 and 2.7 list their contents.
Example 2.6. /bin Contents
dbscan      ldif
dbscan-bin  ldif-bin
Example 2.7. /sbin Contents
ds_removal     migrate-ds-admin.pl   remove-ds.pl        setup-ds-admin.pl
ds_unregister  register-ds-admin.pl  remove-ds-admin.pl  setup-ds.pl
2.2.8. Scripts
The Directory Server command-line scripts are stored in the /usr/sbin/ directory. Use the -Z instance_name option with the commands in order to set the instance the script should be executed on.
Note
The /usr/lib64/dirsrv/slapd-instance/ directory previously used for command-line scripts is deprecated. However, until the instance-specific scripts are removed in a future Directory Server release, existing scripts in this directory are updated when running the setup-ds.pl --update command.
2.2.9. Backup Files
Directory Server keeps two kinds of backup files:
- /var/lib/dirsrv/slapd-instance/bak — This contains a directory named after the instance and the date and time of the database backup, such as instance-2020_05_02_16_56_05/, which in turn holds the database backup copy.
- /etc/dirsrv/slapd-instance/dse_original.ldif — This is a backup copy of the dse.ldif configuration file from the time of installation. Because it records the configuration as installed, it is a useful baseline when reviewing how far the current dse.ldif has drifted.