1.8. Setting Directory Server Configuration Parameters

Directory Server stores its configuration in the cn=config directory entry. Each configuration parameter is an LDAP attribute and the parameter's value is the value set in this attribute.

1.8.1. Managing Configuration Parameters

You can set, update, and delete configuration parameters by:
  • Using the dsconf utility:

    Note

    Red Hat recommends using the dsconf utility to manage the Directory Server configuration.

    Example 1.1. Setting a Configuration Parameter Using dsconf

    For example, to set the error log level to 16384, update the nsslapd-errorlog-level parameter using the dsconf utility:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-errorlog-level=16384
    For further details about using dsconf, see the dsconf(8) man page.
  • Using the LDAP interface:

    Example 1.2. Setting a Configuration Parameter using the LDAP Interface

    For example, to set the error log level to 16384, update the nsslapd-errorlog-level parameter using the LDAP interface:
    # ldapmodify -D "cn=Directory Manager" -W -x -H ldap://server.example.com:389
    
    dn: cn=config
    replace: nsslapd-errorlog-level
    nsslapd-errorlog-level: 16384
  • Editing the /etc/dirsrv/slapd-instance_name/dse.ldif file.

    Warning

    As long as an instance starts successfully, do not manually edit this file because this can cause Directory Server to not work as expected, or the instance can fail to start.

1.8.2. Where Directory Server Stores its Configuration

Directory Server stores the configuration from the cn=config entry in the /etc/dirsrv/slapd-instance_name/dse.ldif file. The server stores only parameters you modified in this file. Attributes that are not listed, use their default value. This enables you to identify all configuration parameters you set in this instance by displaying the /etc/dirsrv/slapd-instance_name/dse.ldif file.

Important

Do not manually edit the /etc/dirsrv/slapd-instance_name/dse.ldif file as long as the instance starts successfully.
For details about how you can edit configuration parameters, see Section 1.8.1, “Managing Configuration Parameters”.

1.8.3. Benefits of Using Default Values

If a parameter is not set, Directory Server uses the default value of this parameter. Using the default value has the benefit that new versions often provide optimized settings and increased security.
For example, if you do not set the passwordStorageScheme attribute, Directory Server automatically uses the strongest supported password storage scheme available. If a future update changes the default value to increase security, passwords will be automatically encrypted using the new storage scheme when a user sets a password.

1.8.3.1. Removing a Parameter to Use the Default Value

If a parameter is set and you want to use the default value instead, delete the parameter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config delete parameter_name

Important

You cannot delete certain parameters, such as nsslapd-secureport to reset them to default. If you try to delete them, the server rejects the request with a Server is unwilling to perform (53) error.

1.8.4. The dsconf config backend command limitations

The dsconf config backend command retrieves and sets backends configuration. The command has the following arguments:
  • get
  • set
The dsconf config backend get command retrieves all server backend configuration attributes with set values, for example:
# dsconf -D "cn=Directory Manager" ldap://server.example.com:389 backend config get

nsslapd-lookthroughlimit: 5000
nsslapd-mode: 600
nsslapd-idlistscanlimit: 2147483646
…

Note

You can get only the full set of attribute values by using the dsconf config backend get command, not a value for a specified attribute.
The dsconf config backend set command sets backends configuration attributes individually. To set a value, specify an option that matches the LDAP attribute name, for example:
# dsconf -D "cn=Directory Manager"  ldap://server.example.com:389 backend config set --lookthroughlimit 4000  --cache-autosize-split 24
The following is the dsconf backend config set command options and LDAP attribute names mapping:

Table 1.1.  Mapping of the dsconf backend config set command options and LDAP attribute names

The dsconf backend config set command options LDAP attribute names
--lookthroughlimit nsslapd-lookthroughlimit
--mode nsslapd-mode
--idlistscanlimit nsslapd-idlistscanlimit
--directory nsslapd-directory
--dbcachesize nsslapd-dbcachesize
--logdirectory nsslapd-db-logdirectory
--txn-wait nsslapd-db-transaction-wait
--checkpoint-interval nsslapd-db-checkpoint-interval
--compactdb-interval nsslapd-db-compactdb-interval
--compactdb-time nsslapd-db-compactdb-time
--txn-batch-val nsslapd-db-transaction-batch-val
--txn-batch-min nsslapd-db-transaction-batch-min-wait
--txn-batch-max nsslapd-db-transaction-batch-max-wait
--logbufsize nsslapd-db-logbuf-size
--locks nsslapd-db-locks
--locks-monitoring-enabled nsslapd-db-locks-monitoring-enabled
--locks-monitoring-threshold nsslapd-db-locks-monitoring-threshold
--locks-monitoring-pause nsslapd-db-locks-monitoring-pause
--import-cache-autosize nsslapd-import-cache-autosize
--import-cachesize nsslapd-import-cachesize
--cache-autosize nsslapd-cache-autosize
--cache-autosize-split nsslapd-cache-autosize-split
--exclude-from-export nsslapd-exclude-from-export
--pagedlookthroughlimit nsslapd-pagedlookthroughlimit
--pagedidlistscanlimit nsslapd-pagedidlistscanlimit
--rangelookthroughlimit nsslapd-rangelookthroughlimit
--backend-opt-level nsslapd-backend-opt-level
--deadlock-policy nsslapd-db-deadlock-policy
--db-home-directory nsslapd-db-home-directory
--db-lib nsslapd-backend-implement