1.11. Creating and Using a .dsrc File to Set Default Options for Directory Server Command-line Utilities

A ~/.dsrc file simplifies commands that use the Directory Server command-line utilities. By default, these utilities require that you pass, for example, an LDAP URL or bind distinguished name (DN) to the command. If you store these settings in a ~/dsrc file, you can use the command-line utilities without specifying these settings each time.

1.11.1. How a .dsrc File Simplifies Commands

The following is an example of a ~/.dsrc file that specifies the LDAP URL of an instance and a bind DN:
[server1]
uri = ldap://server1.example.com
binddn = cn=Directory Manager
basedn = dc=example,dc=com
With these settings, you can use shorter Directory Server commands. For example, to create a user account:
# dsidm server1 user create
Without the ~/.dsrc file, you must specify the bind DN, LDAP URL, and base DN in the command:
# dsidm -D cn=Directory Manager ldap://server1.example.com -b "dc=example,dc=com" user create

1.11.2. Using the dsctl Utility to Create a .dsrc File

Instead of manually creating a ~/.dsrc file, you can use the dsctl utility to create it:
# dsctl instance_name dsrc create ...
You can pass the following options to the command:
  • --uri: Sets the URL to the instance in the format protocol://host_name_or_IP_address_or_socket.
    Examples:
    • --uri ldap://server.example.com
    • --uri = ldaps://server.example.com
    • --uri = ldapi://%%2fvar%%2frun%%2fslapd-instance_name.socket
      If you set the path to an Directory Server socket, use %%02 instead of slashes (/) in the path.

      Important

      If you use an ldapi URL, the server identifies the user ID (UID) and group ID (GID) of the user who runs the Directory Server command-line utility. If you run the command as the root user, both UID and GID are 0 and Directory Server automatically authenticates you as cn=Directory Manager without entering the corresponding password.
  • --starttls: Sets configures the utilities to connect to an LDAP port and then send the STARTTLS command to switch to an encrypted connection.
  • --basedn: Sets the base distinguished name (DN). For example: --basedn dc=example,dc=com
  • --binddn: Sets the bind DN. For example: --binddn cn=Directory Manager
  • --pwdfile: Sets the path to a file that contains the password of bind DN. For example: --pwdfile /root/rhds.pwd
  • --tls-cacertdir: When you use an LDAPS connection, the path set in this parameter defines the directory with the certificate authority (CA) certificate that is required to verify the server's certificate. For example: --tls-cacertdir /etc/pki/CA/certs/
    Note that you must use the c_rehash /etc/pki/CA/certs/ command after you copied the CA certificate to the specified directory.
  • --tls-cert: Sets the absolute path to the server's certificate. For example: --tls-cert /etc/dirsrv/slapd-instance_name/Server-Cert.crt
  • --tls-key: Sets the absolute path to the server's private key. For example: --tls-key /etc/dirsrv/slapd-instance_name/Server-Cert.key
  • --tls-reqcert: Sets what checks the client utilities perform on server certificates in a TLS session. For example: --tls-reqcert hard
    The following parameters are available:
    • never: The utilities do not request or check the server certificate.
    • allow: The utilities ignore certificate errors and the connection is established anyway.
    • hard: The utilities terminate the connection on certificate errors.
  • --saslmech: Sets the SASL mechanism to use to PLAIN or EXTERNAL. For example: --saslmech PLAIN

1.11.3. Remote and Local Connection Resolution When Using Directory Server Utilities

When securing the Directory Server connection, it is important to distinguish between calling Directory Server commands remotely and locally.
When you run a Directory Server command with an LDAP URL specified, the server considers it as a remote connection and checks the /etc/openldap/ldap.conf configuration file along with system-wide settings to proceed with the command.
When you run a Directory Server command with an instance name specified, the server checks if the ~/.dsrc file is present and applies the following logic to proceed:
  • If the ~/.dsrc file exists and contains both the instance name and the LDAP URL, Directory Server considers it as a remote connection and checks /etc/openldap/ldap.conf configuration file and system-wide settings.
  • If the ~/.dsrc file exists and contains only the specified instance name, or if the ~/.dsrc file does not exist, Directory Server considers it as a local connection and uses the nsslapd-certdir setting from the local dse.ldif file to secure the connection. If nsslapd-certdir is not present, the server uses the default path /etc/dirsrv/slapd-instance_name/ to store the Network Security Services (NSS) database of the instance.
For more information about nsslapd-certdir parameter refer to nsslapd-certdir (Certificate and Key Database Directory) section.