1.8. Setting Directory Server Configuration Parameters

Directory Server stores its configuration in the cn=config directory entry. Each configuration parameter is an LDAP attribute and the parameter's value is the value set in this attribute.

1.8.1. Managing Configuration Parameters

You can set, update, and delete configuration parameters by:
  • Using the dsconf utility:

    Note

    Red Hat recommends using the dsconf utility to manage the Directory Server configuration.

    Example 1.1. Setting a Configuration Parameter Using dsconf

    For example, to set the error log level to 16384, update the nsslapd-errorlog-level parameter using the dsconf utility:
    # dsconf -D "cn=Directory Manager" ldap://server.example.com config replace nsslapd-errorlog-level=16384
    For further details about using dsconf, see the dsconf(8) man page.
  • Using the LDAP interface:

    Example 1.2. Setting a Configuration Parameter Using the LDAP Interface

    For example, to set the error log level to 16384, update the nsslapd-errorlog-level parameter using the LDAP interface:
    # ldapmodify -D "cn=Directory Manager" -W -x -H ldap://server.example.com:389
    
    dn: cn=config
    changetype: modify
    replace: nsslapd-errorlog-level
    nsslapd-errorlog-level: 16384
  • Editing the /etc/dirsrv/slapd-instance_name/dse.ldif file.

    Warning

    Do not manually edit this file as long as the instance starts successfully. Manual edits can cause Directory Server to not work as expected, or the instance can fail to start.

1.8.2. Where Directory Server Stores its Configuration

Directory Server stores the configuration from the cn=config entry in the /etc/dirsrv/slapd-instance_name/dse.ldif file. The server writes only the parameters you modified to this file. Attributes that are not listed use their default value. This enables you to identify all configuration parameters you set in this instance by displaying the /etc/dirsrv/slapd-instance_name/dse.ldif file.

Important

Do not manually edit the /etc/dirsrv/slapd-instance_name/dse.ldif file as long as the instance starts successfully.
For details about how you can edit configuration parameters, see Section 1.8.1, “Managing Configuration Parameters”.

1.8.3. Benefits of Using Default Values

If a parameter is not set, Directory Server uses the default value of this parameter. Using the default value has the benefit that new versions often provide optimized settings and increased security.
For example, if you do not set the passwordStorageScheme attribute, Directory Server automatically uses the strongest supported password storage scheme available. If a future update changes the default value to increase security, passwords will be automatically encrypted using the new storage scheme when a user sets a password.

1.8.3.1. Removing a Parameter to Use the Default Value

If a parameter is set and you want to use the default value instead, delete the parameter:
# dsconf -D "cn=Directory Manager" ldap://server.example.com config delete parameter_name
Note that you cannot delete certain parameters, such as nsslapd-secureport, to reset them to their default. If you try to delete them, the server rejects the request with a Server is unwilling to perform (53) error.
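
The following added example (not part of the original documentation) reads a constructed dse.ldif sample, lists the parameters stored for cn=config as described in Section 1.8.2, and reports a passwordStorageScheme that is set explicitly and therefore does not follow a changed default as described in Section 1.8.3. The function names, the sample values, and the NON_PARAMETERS set are assumptions; the code only reads the text it is given.

```python
import base64

# Attributes describing the entry itself, not a parameter (assumption: extend as needed).
NON_PARAMETERS = {"objectclass", "cn", "aci", "creatorsname", "modifiersname",
                  "createtimestamp", "modifytimestamp", "numsubordinates"}

# Constructed sample in dse.ldif format; values are illustrative only.
SAMPLE_DSE = """\
dn: cn=config
objectClass: top
cn: config
nsslapd-errorlog-level: 16384
passwordStorageScheme: SSHA
nsslapd-rootdn:: Y249RGlyZWN0b3J5IE1hbmFnZXI=
nsslapd-localhost: server.exam
 ple.com

dn: cn=encryption,cn=config
cn: encryption
sslVersionMin: TLS1.2
"""

def explicit_parameters(ldif_text, dn="cn=config"):
    """Return {attribute: [values]} stored in the file for the entry `dn`."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # folded line: append to previous
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):       # skip LDIF comments
            lines.append(raw)
    params, in_entry = {}, False
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value, attr = value.strip(), attr.strip().lower()
        if attr == "dn" or not line.strip():  # new entry or blank separator
            in_entry = attr == "dn" and value.lower() == dn.lower()
        elif in_entry and attr not in NON_PARAMETERS:
            params.setdefault(attr, []).append(value)
    return params

def pinned(params, watch=("passwordStorageScheme",)):
    """Watched parameters set explicitly, so they do not follow new defaults."""
    return {w: params[w.lower()] for w in watch if w.lower() in params}

if __name__ == "__main__":
    found = explicit_parameters(SAMPLE_DSE)
    print(found, "explicitly pinned:", pinned(found))
```

Attribute names are lowercased in the result because LDAP attribute names are case-insensitive. Only the entry whose DN matches exactly is read, so child entries such as cn=encryption,cn=config are not mixed in.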