Chapter 4. Plug-in Implemented Server Functionality Reference

This chapter contains reference information on Red Hat Directory Server plug-ins.
The configuration for each part of Directory Server plug-in functionality has its own separate entry and set of attributes under the subtree cn=plugins,cn=config.
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on
Some of these attributes are common to all plug-ins while others may be particular to a specific plug-in. Check which attributes are currently being used by a given plug-in by performing an ldapsearch on the cn=config subtree.
All plug-ins are instances of the nsSlapdPlugin object class, which in turn inherits from the extensibleObject object class. For plug-in configuration attributes to be taken into account by the server, both of these object classes (in addition to the top object class) must be present in the entry, as shown in the following example:
dn: cn=ACL Plugin,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
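
The following check is an added example, not part of the Red Hat documentation: it reads an LDIF export of cn=plugins,cn=config and reports plug-in entries that lack one of the three required object classes, plus the two ACL entries if they are not enabled (the reference tables in this chapter say to leave them on). The sample LDIF and the function names are constructed for illustration.

```python
"""Audit plug-in entries exported from cn=plugins,cn=config (added example)."""
import base64

# Object classes the chapter requires on every plug-in entry (lowercase -> display).
REQUIRED_CLASSES = {"top": "top", "nsslapdplugin": "nsSlapdPlugin",
                    "extensibleobject": "extensibleObject"}
# Entries whose reference tables say to leave the plug-in enabled.
KEEP_ENABLED = {"cn=acl plugin,cn=plugins,cn=config",
                "cn=acl preoperation,cn=plugins,cn=config"}

# Constructed sample input, not output captured from a real server.
SAMPLE_LDIF = """\
# constructed sample
dn: cn=Telephone Syntax,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
objectclass: extensibleObject
cn: Telephone Syntax
nsslapd-pluginPath: libsyntax-plugin
nsslapd-pluginInitfunc: tel_init
nsslapd-pluginType: syntax
nsslapd-pluginEnabled: on

dn: cn=ACL Plugin,cn=plugins,
 cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
nsslapd-pluginType: accesscontrol
nsslapd-pluginEnabled: off

dn: cn=7-bit check,cn=plugins,cn=config
objectclass: top
objectclass: nsSlapdPlugin
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on

dn: cn=Password Storage Schemes,cn=plugins,cn=config
objectclass: top
objectclass: nsContainer
"""


def parse_ldif(text):
    """Return a list of entries as {lowercased attribute: [values]} dicts."""
    # Unfold first: a line starting with one space continues the previous line.
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:              # trailing "" flushes the last entry
        if not line.strip():               # a blank line ends an entry
            if current:
                entries.append(current)
            current = {}
            continue
        if line.startswith("#"):           # LDIF comment
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue                       # not an attribute line
        if value.startswith(":"):          # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def normalize_dn(dn):
    """Lowercase a DN and trim spaces around commas (no escaped-comma support)."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def audit_plugins(text):
    """Return (dn, problem) tuples for plug-in entries under cn=plugins,cn=config."""
    findings = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", [""])[0]
        ndn = normalize_dn(dn)
        if not ndn.endswith(",cn=plugins,cn=config"):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        has_plugin_attrs = any(a.startswith("nsslapd-plugin") for a in entry)
        if not has_plugin_attrs and "nsslapdplugin" not in classes:
            continue                       # container entry, not a plug-in
        missing = [name for key, name in REQUIRED_CLASSES.items() if key not in classes]
        if missing:
            findings.append((dn, "missing object class: " + ", ".join(missing)))
        enabled = entry.get("nsslapd-pluginenabled", [""])[0].lower()
        if ndn in KEEP_ENABLED and enabled != "on":
            findings.append((dn, "access control plug-in is not enabled"))
    return findings


if __name__ == "__main__":
    for dn, problem in audit_plugins(SAMPLE_LDIF):
        print(f"{dn}: {problem}")
```

Feed it the LDIF returned by an ldapsearch on the cn=config subtree in place of SAMPLE_LDIF.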

4.1. Server Plug-in Functionality Reference

The following tables provide a quick overview of the plug-ins provided with Directory Server, along with their configurable options, configurable arguments, default setting, dependencies, general performance-related information, and further reading. These tables assist in weighing plug-in performance gains and costs and in choosing the optimal settings for the deployment. The Further Information section cross-references further reading, where this is available.

4.1.1. 7-bit Check Plug-in

Plug-in Parameter Description
Plug-in ID NS7bitAtt
DN of Configuration Entry cn=7-bit check,cn=plugins,cn=config
Description Checks certain attributes are 7-bit clean
Type preoperation
Configurable Options on | off
Default Setting on
Configurable Arguments List of attributes (uid mail userpassword) followed by "," and then suffixes on which the check is to occur.
Dependencies Database
Performance-Related Information None
Further Information If the Directory Server uses non-ASCII characters, such as Japanese, turn this plug-in off.

4.1.2. ACL Plug-in

Plug-in Parameter Description
Plug-in ID acl
DN of Configuration Entry cn=ACL Plugin,cn=plugins,cn=config
Description ACL access check plug-in
Type accesscontrol
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance-Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide.

4.1.3. ACL Preoperation Plug-in

Plug-in Parameter Description
Plug-in ID acl
DN of Configuration Entry cn=ACL preoperation,cn=plugins,cn=config
Description ACL access check plug-in
Type preoperation
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance-Related Information Access control incurs a minimal performance hit. Leave this plug-in enabled since it is the primary means of access control for the server.
Further Information See the "Managing Access Control" chapter in the Red Hat Directory Server Administration Guide.

4.1.4. Account Policy Plug-in

Plug-in Parameter Description
Plug-in ID none
DN of Configuration Entry cn=Account Policy Plugin,cn=plugins,cn=config
Description Defines a policy to lock user accounts after a certain expiration period or inactivity period.
Type object
Configurable Options on | off
Default Setting off
Configurable Arguments A pointer to a configuration entry which contains the global account policy settings.
Dependencies Database
Performance-Related Information None
Further Information This plug-in configuration points to a configuration entry which is used for server-wide settings on account inactivity and expiration data. Individual (subtree-level or user-level) account policies can be defined as directory entries, as instances of the acctPolicySubentry object class. These configuration entries can then be applied to users or roles through classes of service.

4.1.5. Account Usability Plug-in

Plug-in Parameter Description
Plug-in ID acctusability
DN of Configuration Entry cn=Account Usability Plugin,cn=plugins,cn=config
Description Checks the authentication status, or usability, of an account without actually authenticating as the given user
Type preoperation
Configurable Options on | off
Default Setting on
Dependencies Database
Performance-Related Information None

4.1.6. AD DN Plug-in

Plug-in Parameter Description
Plug-in ID addn
DN of Configuration Entry cn=addn,cn=plugins,cn=config
Description Enables the usage of Active Directory-formatted user names, such as user_name and user_name@domain, for bind operations.
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments addn_default_domain: Sets the default domain that is automatically appended to user names without a domain.
Dependencies None
Performance-Related Information None

4.1.7. Attribute Uniqueness Plug-in

Plug-in Parameter Description
Plug-in ID NSUniqueAttr
DN of Configuration Entry cn=Attribute Uniqueness,cn=plugins,cn=config
Description Checks that the values of specified attributes are unique each time a modification occurs on an entry. For example, most sites require that a user ID and email address be unique.
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments To check for UID attribute uniqueness in all listed subtrees, enter uid "DN" "DN".... However, to check for UID attribute uniqueness when adding or updating entries with the requiredObjectClass, enter attribute="uid" MarkerObjectclass = "ObjectClassName" and, optionally, requiredObjectClass = "ObjectClassName". This starts checking for the required object classes from the parent entry containing the ObjectClass as defined by the MarkerObjectClass attribute.
Dependencies Database
Performance-Related Information
Directory Server provides the UID Uniqueness Plug-in by default. To ensure unique values for other attributes, create instances of the Attribute Uniqueness Plug-in for those attributes. See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide for more information about the Attribute Uniqueness Plug-in.
The UID Uniqueness Plug-in is off by default due to operation restrictions that need to be addressed before enabling the plug-in in a multi-master replication environment. Turning the plug-in on may slow down Directory Server performance.
Further Information See the "Using the Attribute Uniqueness Plug-in" section in the Red Hat Directory Server Administration Guide.

4.1.8. Auto Membership Plug-in

Plug-in Parameter Description
Plug-in ID Auto Membership
DN of Configuration Entry cn=Auto Membership,cn=plugins,cn=config
Description Container entry for automember definitions. Automember definitions search new entries and, if they match defined LDAP search filters and regular expression conditions, add the entry to a specified group automatically.
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments None for the main plug-in entry. The definition entry must specify an LDAP scope, LDAP filter, default group, and member attribute format. The optional regular expression child entry can specify inclusive and exclusive expressions and a different target group.
Dependencies Database
Performance-Related Information None.
Further Information See the "Automatically Adding Entries to Specified Groups" section in the Red Hat Directory Server Administration Guide.

4.1.9. Binary Syntax Plug-in

Warning

Binary syntax is deprecated. Use Octet String syntax instead.

Plug-in Parameter Description
Plug-in ID bin-syntax
DN of Configuration Entry cn=Binary Syntax,cn=plugins,cn=config
Description Syntax for handling binary data.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

4.1.10. Bit String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID bitstring-syntax
DN of Configuration Entry cn=Bit String Syntax,cn=plugins,cn=config
Description Supports bit string syntax values and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.11. Bitwise Plug-in

Plug-in Parameter Description
Plug-in ID bitwise
DN of Configuration Entry cn=Bitwise Plugin,cn=plugins,cn=config
Description Matching rule for performing bitwise operations against the LDAP server
Type matchingrule
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using bitwise filters.

4.1.12. Boolean Syntax Plug-in

Plug-in Parameter Description
Plug-in ID boolean-syntax
DN of Configuration Entry cn=Boolean Syntax,cn=plugins,cn=config
Description Supports boolean syntax values (TRUE or FALSE) and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.13. Case Exact String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID ces-syntax
DN of Configuration Entry cn=Case Exact String Syntax,cn=plugins,cn=config
Description Supports case-sensitive matching for Directory String, IA5 String, and related syntaxes. This is not a case-exact syntax; this plug-in provides case-sensitive matching rules for different string syntaxes.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

4.1.14. Case Ignore String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID directorystring-syntax
DN of Configuration Entry cn=Case Ignore String Syntax,cn=plugins,cn=config
Description Supports case-insensitive matching rules for Directory String, IA5 String, and related syntaxes. This is not a case-insensitive syntax; this plug-in provides case-insensitive matching rules for different string syntaxes.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information

4.1.15. Chaining Database Plug-in

Plug-in Parameter Description
Plug-in ID chaining database
DN of Configuration Entry cn=Chaining database,cn=plugins,cn=config
Description Enables back end databases to be linked
Type database
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information There are many performance-related tuning parameters involved with the chaining database. See the "Maintaining Database Links" section in the Red Hat Directory Server Administration Guide.
Further Information A chaining database is also known as a database link. Database links are described in the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.16. Class of Service Plug-in

Plug-in Parameter Description
Plug-in ID cos
DN of Configuration Entry cn=Class of Service,cn=plugins,cn=config
Description Allows for sharing of attributes between entries
Type object
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies
Type: Database
Named: State Change Plug-in
Named: Views Plug-in
Performance-Related Information Do not modify the configuration of this plug-in. Leave this plug-in running at all times.
Further Information See the "Managing Dynamic Attributes" chapter in the Red Hat Directory Server Administration Guide.

4.1.17. Content Synchronization Plug-in

Plug-in Parameter Description
Plug-in ID content-sync-plugin
DN of Configuration Entry cn=Content Synchronization,cn=plugins,cn=config
Description Enables support for the SyncRepl protocol in Directory Server according to RFC 4533.
Type object
Configurable Options on | off
Default Setting off
Configurable Arguments None
Dependencies Retro Changelog Plug-in
Performance-Related Information If you know which back end or subtree clients access to synchronize data, limit the scope of the Retro Changelog plug-in accordingly.
Further Information See the corresponding sections in the Red Hat Directory Server Administration Guide.

4.1.18. Country String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID countrystring-syntax
DN of Configuration Entry cn=Country String Syntax,cn=plugins,cn=config
Description Supports country naming syntax values and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.19. Delivery Method Syntax Plug-in

Plug-in Parameter Description
Plug-in ID delivery-syntax
DN of Configuration Entry cn=Delivery Method Syntax,cn=plugins,cn=config
Description Supports values that are lists of preferred delivery methods and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.20. deref Plug-in

Plug-in Parameter Description
Plug-in ID Dereference
DN of Configuration Entry cn=deref,cn=plugins,cn=config
Description For dereference controls in directory searches
Type preoperation
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information See the "Finding Directory Entries" chapter in the Administration Guide for performing searches using dereference controls.

4.1.21. Distinguished Name Syntax Plug-in

Plug-in Parameter Description
Plug-in ID dn-syntax
DN of Configuration Entry cn=Distinguished Name Syntax,cn=plugins,cn=config
Description Supports DN value syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.22. Distributed Numeric Assignment Plug-in

Plug-in Information Description
Plug-in ID Distributed Numeric Assignment
Configuration Entry DN cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
Description Distributed Numeric Assignment plugin
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments
Dependencies Database
Performance-Related Information None
Further Information

4.1.23. Enhanced Guide Syntax Plug-in

Plug-in Parameter Description
Plug-in ID enhancedguide-syntax
DN of Configuration Entry cn=Enhanced Guide Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for creating complex criteria, based on attributes and filters, to build searches; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.24. Facsimile Telephone Number Syntax Plug-in

Plug-in Parameter Description
Plug-in ID facsimile-syntax
DN of Configuration Entry cn=Facsimile Telephone Number Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for fax numbers; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.25. Fax Syntax Plug-in

Plug-in Parameter Description
Plug-in ID fax-syntax
DN of Configuration Entry cn=Fax Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for storing images of faxed objects; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.26. Generalized Time Syntax Plug-in

Plug-in Parameter Description
Plug-in ID time-syntax
DN of Configuration Entry cn=Generalized Time Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for dealing with dates, times and time zones; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information
The Generalized Time String consists of a four digit year, two digit month (for example, 01 for January), two digit day, two digit hour, two digit minute, two digit second, an optional decimal part of a second, and a time zone indication. Red Hat strongly recommends using the Z time zone indication, which indicates Greenwich Mean Time.
See also RFC 4517.

4.1.27. Guide Syntax Plug-in

Warning

This syntax is deprecated. Use Enhanced Guide syntax instead.

Plug-in Parameter Description
Plug-in ID guide-syntax
DN of Configuration Entry cn=Guide Syntax,cn=plugins,cn=config
Description Syntax for creating complex criteria, based on attributes and filters, to build searches
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information This syntax is obsolete. The Enhanced Guide Syntax should be used instead.

4.1.28. HTTP Client Plug-in

Plug-in Parameter Description
Plug-in ID http-client
DN of Configuration Entry cn=HTTP Client,cn=plugins,cn=config
Description HTTP client plug-in
Type preoperation
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance-Related Information
Further Information

4.1.29. Integer Syntax Plug-in

Plug-in Parameter Description
Plug-in ID int-syntax
DN of Configuration Entry cn=Integer Syntax,cn=plugins,cn=config
Description Supports integer syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.30. Internationalization Plug-in

Plug-in Parameter Description
Plug-in ID orderingrule
DN of Configuration Entry cn=Internationalization Plugin,cn=plugins,cn=config
Description Enables internationalized strings to be ordered in the directory
Type matchingrule
Configurable Options on | off
Default Setting on
Configurable Arguments The Internationalization Plug-in has one argument, which must not be modified, which specifies the location of the /etc/dirsrv/config/slapd-collations.conf file. This file stores the collation orders and locales used by the Internationalization Plug-in.
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information See the "Internationalization" appendix and the section on "Searching an Internationalized Directory" in the "Finding Directory Entries" appendix in the Red Hat Directory Server Administration Guide.

4.1.31. JPEG Syntax Plug-in

Plug-in Parameter Description
Plug-in ID jpeg-syntax
DN of Configuration Entry cn=JPEG Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for JPEG image data; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.32. ldbm database Plug-in

Plug-in Parameter Description
Plug-in ID ldbm-backend
DN of Configuration Entry cn=ldbm database,cn=plugins,cn=config
Description Implements local databases
Type database
Configurable Options
Default Setting on
Configurable Arguments None
Dependencies
Syntax
matchingRule
Performance-Related Information See Section 4.4, “Database Plug-in Attributes” for further information on database configuration.
Further Information See the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.33. Linked Attributes Plug-in

Plug-in Parameter Description
Plug-in ID Linked Attributes
DN of Configuration Entry cn=Linked Attributes,cn=plugins,cn=config
Description Container entry for linked-managed attribute configuration entries. Each configuration entry under the container links one attribute to another, so that when one entry is updated (such as a manager entry), any entry associated with that entry (such as a custom directReports attribute) is automatically updated with a user-specified corresponding attribute.
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments None for the main plug-in entry. Each plug-in instance has three possible attributes:
linkType, which sets the primary attribute for the plug-in to monitor
managedType, which sets the attribute which will be managed dynamically by the plug-in whenever the attribute in linkType is modified
linkScope, which restricts the plug-in activity to a specific subtree within the directory tree
Dependencies Database
Performance-Related Information Any attribute set in linkType must only allow values in a DN format. Any attribute set in managedType must be multi-valued.
Further Information See the "Managing Attributes" chapter in the Red Hat Directory Server Administration Guide and Section 4.11, “Linked Attributes Plug-in Attributes”.

4.1.34. Managed Entries Plug-in

Plug-in Information Description
Plug-in ID Managed Entries
Configuration Entry DN cn=Managed Entries,cn=plugins,cn=config
Description Container entry for automatically generated directory entries. Each configuration entry defines a target subtree and a template entry. When a matching entry in the target subtree is created, then the plug-in automatically creates a new, related entry based on the template.
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments None for the main plug-in entry. Each plug-in instance has four possible attributes:
originScope, which sets the search base
originFilter, which sets the search filter for matching entries
managedScope, which sets the subtree under which to create new managed entries
managedTemplate, which is the template entry used to create the managed entries
Dependencies Database
Performance-Related Information None
Further Information

4.1.35. MemberOf Plug-in

Plug-in Information Description
Plug-in ID memberOf
Configuration Entry DN cn=MemberOf Plugin,cn=plugins,cn=config
Description Manages the memberOf attribute on user entries, based on the member attributes in the group entry.
Type postoperation
Configurable Options on | off
Default Setting off
Configurable Arguments
memberOfAttr sets the attribute to generate in people's entries to show their group membership.
memberOfGroupAttr sets the attribute to use to identify group members' DNs.
Dependencies Database
Performance-Related Information None
Further Information

4.1.36. Multi-master Replication Plug-in

Plug-in Parameter Description
Plug-in ID replication-multimaster
DN of Configuration Entry cn=Multimaster Replication plugin,cn=plugins,cn=config
Description Enables replication between two current Directory Servers
Type object
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies
Named: ldbm database
Named: DES
Named: Class of Service
Performance-Related Information
Further Information Turn this plug-in off if one server will never replicate. See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide.

4.1.37. Name and Optional UID Syntax Plug-in

Plug-in Parameter Description
Plug-in ID nameoptuid-syntax
DN of Configuration Entry cn=Name And Optional UID Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules to store and search for a DN with an optional unique ID; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information
The optional UID is used to distinguish between entries which may have identical DNs or naming attributes.
See also RFC 4517.

4.1.38. Numeric String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID numstr-syntax
DN of Configuration Entry cn=Numeric String Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for strings of numbers and spaces; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.39. Octet String Syntax Plug-in

Note

Use the Octet String syntax instead of Binary, which is deprecated.

Plug-in Parameter Description
Plug-in ID octetstring-syntax
DN of Configuration Entry cn=Octet String Syntax,cn=plugins,cn=config
Description Supports octet string syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.40. OID Syntax Plug-in

Plug-in Parameter Description
Plug-in ID oid-syntax
DN of Configuration Entry cn=OID Syntax,cn=plugins,cn=config
Description Supports object identifier (OID) syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.41. PAM Pass Through Auth Plug-in

Plug-in Parameter Description
Plug-in ID pam_passthruauth
DN of Configuration Entry cn=PAM Pass Through Auth,cn=plugins,cn=config
Description Enables pass-through authentication for PAM, meaning that a PAM service can use the Directory Server as its user authentication store.
Type preoperation
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies Database
Performance-Related Information
Further Information See the "Using PAM Pass-through Authentication" section in the Red Hat Directory Server Administration Guide.

4.1.42. Pass Through Authentication Plug-in

Plug-in Parameter Description
Plug-in ID passthruauth
DN of Configuration Entry cn=Pass Through Authentication,cn=plugins,cn=config
Description Enables pass-through authentication, the mechanism which allows one directory to consult another to authenticate bind requests.
Type preoperation
Configurable Options on | off
Default Setting off
Configurable Arguments ldap://example.com:389/o=example
Dependencies Database
Performance-Related Information Pass-through authentication slows down bind requests a little because they have to make an extra hop to the remote server. See the "Using Pass-through Authentication" chapter in the Red Hat Directory Server Administration Guide.
Further Information See the "Using the Pass-through Authentication Plug-in" chapter in the Red Hat Directory Server Administration Guide.

4.1.43. Password Storage Schemes

Directory Server implements the password storage schemes as plug-ins. However, the cn=Password Storage Schemes,cn=plugins,cn=config entry itself is just a container, not a plug-in entry. All password storage scheme plug-ins are stored as a subentry of this container.
To display all password storage scheme plug-ins, enter:
# ldapsearch -D "cn=Directory Manager" -W -p 389 -h server.example.com -x \
     -b "cn=Password Storage Schemes,cn=plugins,cn=config" -s sub "(objectclass=*)" dn

Warning

Red Hat recommends that you neither disable the password scheme plug-ins nor change their configurations, to prevent unpredictable authentication behavior.

Strong Password Storage Schemes

Red Hat recommends using only the following strong password storage schemes (strongest first):
  • PBKDF2_SHA256
    The password-based key derivation function 2 (PBKDF2) was designed to expend resources to counter brute force attacks. PBKDF2 supports a variable number of iterations to apply the hashing algorithm. Higher iterations improve security but require more hardware resources. In Directory Server, the PBKDF2_SHA256 scheme is implemented using 30,000 iterations to apply the SHA256 algorithm. This value is hard-coded and will be increased in future versions of Directory Server without requiring interaction by an administrator.

    Note

    The network security service (NSS) database in Red Hat Enterprise Linux 6 does not support PBKDF2. Therefore you cannot use this password scheme in a replication topology with Directory Server 9.
  • SSHA512 (default)
    The salted secure hashing algorithm (SSHA) implements an enhanced version of the secure hashing algorithm (SHA), which uses a randomly generated salt to increase the security of the hashed password. SSHA512 implements the hashing algorithm using 512 bits.

Weak Password Storage Schemes

Besides the recommended strong password storage schemes, Directory Server supports the following weak schemes for backward compatibility:
  • AES
  • CLEAR
  • CRYPT
  • CRYPT-MD5
  • CRYPT-SHA256
  • CRYPT-SHA512
  • DES
  • MD5
  • NS-MTA-MD5 [a]
  • SHA [b]
  • SHA256
  • SHA384
  • SHA512
  • SMD5
  • SSHA [b]
  • SSHA256
  • SSHA384

[a] Directory Server only supports authentication using this scheme. You can no longer use it to encrypt passwords.
[b] 160 bit

Important

Only continue using a weak scheme over a short time frame, as it increases security risks.
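
To find accounts still stored under a weak scheme, the scheme prefix of each userPassword value in an LDIF export can be checked against the two lists above. The following Python code is an added example, not part of the Red Hat documentation; it assumes stored values carry a {SCHEME} prefix that compares case-insensitively, and it runs on a constructed LDIF sample.

```python
import base64
import re

# Scheme names copied from the page's strong and weak lists.
STRONG = {"PBKDF2_SHA256", "SSHA512"}
WEAK = {"AES", "CLEAR", "CRYPT", "CRYPT-MD5", "CRYPT-SHA256", "CRYPT-SHA512",
        "DES", "MD5", "NS-MTA-MD5", "SHA", "SHA256", "SHA384", "SHA512",
        "SMD5", "SSHA", "SSHA256", "SSHA384"}

def classify(value):
    """Return (scheme, verdict) for one stored userPassword value."""
    m = re.match(r"\{([^}]+)\}", value)
    if not m:
        return ("(none)", "unknown")       # no {SCHEME} prefix to judge
    scheme = m.group(1).upper()            # assumption: prefixes are case-insensitive
    if scheme in STRONG:
        return (scheme, "strong")
    return (scheme, "weak" if scheme in WEAK else "unknown")

def audit(ldif):
    """Return (dn, scheme, verdict) for every userPassword value in an LDIF export."""
    ldif = re.sub(r"\r?\n ", "", ldif)     # unfold LDIF continuation lines
    findings, dn = [], None
    for line in ldif.splitlines():
        m = re.match(r"(?i)(dn|userPassword)(::?)\s*(.*)", line)
        if not m:
            continue
        name, sep, val = m.groups()
        if sep == "::":                    # "::" marks a base64-encoded value
            val = base64.b64decode(val).decode("utf-8", "replace")
        if name.lower() == "dn":
            dn = val
        else:
            findings.append((dn, *classify(val)))
    return findings

# Constructed sample export: DNs and hash bodies are made up for illustration.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword: {SSHA512}Y29uc3RydWN0",
    " ZWQ=",                               # folded continuation of the line above
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + base64.b64encode(b"{SSHA}Y29uc3RydWN0ZWQ=").decode(),
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword: {PBKDF2_SHA256}Y29uc3RydWN0ZWQ=",
])
```

Entries reported as weak are candidates for a password reset once the default scheme is a strong one; a value reported as unknown carries a prefix that is on neither list and needs manual review.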

4.1.44. Posix Winsync API Plug-in

Plug-in Parameter Description
Plug-in ID posix-winsync-plugin
DN of Configuration Entry cn=Posix Winsync API,cn=plugins,cn=config
Description Enables and configures Windows synchronization for Posix attributes set on Active Directory user and group entries.
Type preoperation
Configurable Arguments
  • on | off
  • memberUID mapping (groups)
  • converting and sorting memberUID values in lower case (groups)
  • memberOf fix-up tasks with sync operations
  • use Windows 2003 Posix schema
Default Setting off
Configurable Arguments None
Dependencies database

4.1.45. Postal Address String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID postaladdress-syntax
DN of Configuration Entry cn=Postal Address Syntax,cn=plugins,cn=config
Description Supports postal address syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.46. Printable String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID printablestring-syntax
DN of Configuration Entry cn=Printable String Syntax,cn=plugins,cn=config
Description Supports syntaxes and matching rules for alphanumeric and select punctuation strings (for strings which conform to printable strings as defined in RFC 4517).
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.47. Referential Integrity Postoperation Plug-in

Plug-in Parameter Description
Plug-in ID referint
DN of Configuration Entry cn=Referential Integrity Postoperation,cn=plugins,cn=config
Description Enables the server to ensure referential integrity
Type postoperation
Configurable Options All configuration and on | off
Default Setting off
Configurable Arguments When enabled, the post-operation Referential Integrity Plug-in performs integrity updates on the member, uniquemember, owner, and seeAlso attributes immediately after a delete or rename operation. The plug-in can be configured to perform integrity checks on all other attributes. For details, see the corresponding section in the Directory Server Administration Guide.
Dependencies Database
Performance-Related Information The Referential Integrity Plug-in should be enabled only on one master in a multi-master replication environment to avoid conflict resolution loops. When enabling the plug-in on chained servers, be sure to analyze the performance, resource, and time needs as well as the integrity needs; integrity checks can be time-consuming and demanding on memory and CPU. All attributes specified must be indexed for both presence and equality.
Further Information See the "Managing Indexes" chapter for information about how to index attributes used for referential integrity checking and the "Configuring Directory Databases" chapter in the Red Hat Directory Server Administration Guide.

4.1.48. Retro Changelog Plug-in

Plug-in Parameter Description
Plug-in ID retrocl
DN of Configuration Entry cn=Retro Changelog Plugin,cn=plugins,cn=config
Description Used by LDAP clients for maintaining application compatibility with Directory Server 4.x versions. Maintains a log of all changes occurring in the Directory Server. The retro changelog offers the same functionality as the changelog in the 4.x versions of Directory Server. This plug-in exposes the cn=changelog suffix to clients, so that clients can use this suffix with or without persistent search for simple sync applications.
Type object
Configurable Options on | off
Default Setting off
Configurable Arguments See Section 4.16, “Retro Changelog Plug-in Attributes” for further information on the two configuration attributes for this plug-in.
Dependencies
Type: Database
Named: Class of Service
Performance-Related Information May slow down Directory Server update performance.
Further Information See the "Managing Replication" chapter in the Red Hat Directory Server Administration Guide.

4.1.49. Roles Plug-in

Plug-in Parameter Description
Plug-in ID roles
DN of Configuration Entry cn=Roles Plugin,cn=plugins,cn=config
Description Enables the use of roles in the Directory Server
Type object
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies
Type: Database
Named: State Change Plug-in
Named: Views Plug-in
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information See the "Advanced Entry Management" chapter in the Red Hat Directory Server Administration Guide.

4.1.50. RootDN Access Control Plug-in

Plug-in Parameter Description
Plug-in ID rootdn-access-control
DN of Configuration Entry cn=RootDN Access Control,cn=plugins,cn=config
Description Enables and configures access controls to use for the root DN entry.
Type internalpreoperation
Configurable Options on | off
Default Setting off
Configurable Attributes
  • rootdn-open-time and rootdn-close-time for time-based access controls
  • rootdn-days-allowed for day-based access controls
  • rootdn-allow-host, rootdn-deny-host, rootdn-allow-ip, and rootdn-deny-ip for host-based access controls
Dependencies None
Further Information See the "Access Control" sections in the Red Hat Directory Server Administration Guide.

4.1.51. Schema Reload Plug-in

Plug-in Information Description
Plug-in ID schemareload
Configuration Entry DN cn=Schema Reload,cn=plugins,cn=config
Description Task plug-in to reload schema files
Type object
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information
Further Information

4.1.52. Space Insensitive String Syntax Plug-in

Plug-in Parameter Description
Plug-in ID none
DN of Configuration Entry cn=Space Insensitive String Syntax,cn=plugins,cn=config
Description Syntax for handling space-insensitive values
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information
This plug-in enables the Directory Server to support space-insensitive and case-insensitive values. This allows applications to search the directory using entries with ASCII space characters.
For example, a search or compare operation that uses jOHN Doe will match entries that contain johndoe, john doe, and John Doe if the attribute's schema has been configured to use the space insensitive syntax.
For more information about finding directory entries, see the "Finding Directory Entries" chapter in the Red Hat Directory Server Administration Guide.

4.1.53. State Change Plug-in

Plug-in Parameter Description
Plug-in ID statechange
DN of Configuration Entry cn=State Change Plugin,cn=plugins,cn=config
Description Enables state-change-notification service
Type postoperation
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information
Further Information

4.1.54. Syntax Validation Task Plug-in

Plug-in Parameter Description
Plug-in ID none
DN of Configuration Entry cn=Syntax Validation Task,cn=plugins,cn=config
Description Enables syntax validation for attribute values
Type object
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information
Further Information This plug-in implements syntax validation tasks. The actual process that carries out syntax validation is performed by each specific syntax plug-in.

4.1.55. Telephone Syntax Plug-in

Plug-in Parameter Description
Plug-in ID tele-syntax
DN of Configuration Entry cn=Telephone Syntax,cn=plugins,cn=config
Description Supports telephone number syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.56. Teletex Terminal Identifier Syntax Plug-in

Plug-in Parameter Description
Plug-in ID teletextermid-syntax
DN of Configuration Entry cn=Teletex Terminal Identifier Syntax,cn=plugins,cn=config
Description Supports international telephone number syntaxes and related matching rules from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.57. Telex Number Syntax Plug-in

Plug-in Parameter Description
Plug-in ID telex-syntax
DN of Configuration Entry cn=Telex Number Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for the telex number, country code, and answerback code of a telex terminal; from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.58. URI Syntax Plug-in

Plug-in Parameter Description
Plug-in ID none
DN of Configuration Entry cn=URI Syntax,cn=plugins,cn=config
Description Supports syntaxes and related matching rules for uniform resource identifiers (URIs), including uniform resource locators (URLs); from RFC 4517.
Type syntax
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies None
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information RFC 4517

4.1.59. USN Plug-in

Plug-in Parameter Description
Plug-in ID USN
DN of Configuration Entry cn=USN,cn=plugins,cn=config
Description Sets an update sequence number (USN) on an entry, for every entry in the directory, whenever there is a modification, including adding and deleting entries and modifying attribute values.
Type object
Configurable Options on | off
Default Setting off
Configurable Arguments None
Dependencies Database
Performance-Related Information For replication, it is recommended that the entryUSN configuration attribute be excluded using fractional replication.
Further Information

4.1.60. Views Plug-in

Plug-in Parameter Description
Plug-in ID views
DN of Configuration Entry cn=Views,cn=plugins,cn=config
Description Enables the use of views in the Directory Server databases.
Type object
Configurable Options on | off
Default Setting on
Configurable Arguments None
Dependencies
Type: Database
Named: State Change Plug-in
Performance-Related Information Do not modify the configuration of this plug-in. Red Hat recommends leaving this plug-in running at all times.
Further Information