1.9. Managing Core Server Attributes
The Directory Server configuration itself is stored in the dse.ldif file, which contains the server configuration entries like cn=config. The server entry itself is defined through a finite and strict set of attributes called core server configuration attributes. Although these attributes can be changed, no attributes can be added to the core server configuration and none can be deleted (except under very limited circumstances, as described in Section 1.9.2, “Configuration Attributes Which Can Be Deleted”).
This is described in more detail in the overview sections of the "Server Instance File Reference" chapter in the Directory Server Configuration and Command-Line Tool Reference.
This section provides details on how to check which core server attributes require that the server be restarted and how to check or change which core server configuration attributes can be deleted.
1.9.1. Configuration Attributes Requiring Server Restart
Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file when the dirsrv service is stopped.
Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
nsslapd-cachesize | nsslapd-certdir | nsslapd-dbcachesize |
nsslapd-dbncache | nsslapd-plugin | nsslapd-changelogdir |
nsslapd-changelogmaxage | nsslapd-changelogmaxentries | nsslapd-port |
nsslapd-schemadir | nsslapd-saslpath | nsslapd-secureport |
nsslapd-tmpdir | nsSSL2 | nsSSL3 |
nsTLS1 | nsSSLclientauth | nsSSLSessionTimeout |
nsslapd-conntablesize | nsslapd-lockdir | nsslapd-maxdescriptors |
nsslapd-reservedescriptors | nsslapd-listenhost | nsslapd-schema-ignore-trailing-spaces |
nsslapd-securelistenhost | nsslapd-workingdir | nsslapd-return-exact-case |
nsslapd-maxbersize [a] | nsslapd-allowed-to-delete-attrs |
[a] Although this attribute requires a restart, it is not returned in the search.
1.9.2. Configuration Attributes Which Can Be Deleted
Core server configuration attributes cannot be deleted, by default. All core configuration attributes are present, even if they are not written in the dse.ldif file, because they all have default values used by the server. Deleting any of those attributes is generally not allowed because the server requires that those attributes be present for it to run.
The nsslapd-allowed-to-delete-attrs parameter lists core configuration attributes which are allowed to be deleted from the configuration. Delete operations for those attributes will succeed.
The value of nsslapd-allowed-to-delete-attrs is a space-separated list of attribute names. By default, only two attributes are listed:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
This can be changed using ldapmodify to add attributes to the list. Since this is a single-valued attribute, the entire list must be given in the modify statement; the modify operation overwrites the previous value rather than appending new values to it.
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x
dn: cn=config
changetype: modify
replace: nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost nsslapd-rewrite-rfc1274
Warning
Be extremely cautious about adding core server configuration attributes to the list of deletable attributes. Some attributes are critical for the server to operate, and deleting those attributes could cause the server not to run.
To return the list of attributes which can be deleted, use grep:
# egrep nsslapd-allowed-to-delete-attrs /etc/dirsrv/slapd-instance_name/dse.ldif
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost nsslapd-rewrite-rfc1274
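Because the replace operation overwrites the whole value, the new list has to be built from the current one. The following is an added example, not part of the Red Hat guide: it reads the stored list from a dse.ldif file (unfolding LDIF continuation lines), falls back to the default given in this section when the attribute is not written there, and prints the complete replace LDIF for review. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Red Hat guide). Default list as stated in this section.
DEFAULT_ATTRS="nsslapd-listenhost nsslapd-securelistenhost"

# Print the list currently stored in a dse.ldif file (empty if not written there).
# LDIF folds long lines: a continuation line starts with one space.
current_delete_attrs() {
    awk '
        /^ / { if (hit) val = val substr($0, 2); next }
        { hit = 0 }
        tolower($0) ~ /^nsslapd-allowed-to-delete-attrs:/ {
            hit = 1; val = $0; sub(/^[^:]*: */, "", val)
        }
        END { print val }
    ' "$1"
}

# Print a replace LDIF holding the existing list plus the names given as
# arguments, de-duplicated case-insensitively, order preserved.
merged_delete_attrs_ldif() {
    file=$1; shift
    cur=$(current_delete_attrs "$file")
    [ -n "$cur" ] || cur=$DEFAULT_ATTRS
    # $cur is intentionally unquoted so it splits into one name per word.
    merged=$(printf '%s\n' $cur "$@" | awk 'NF && !seen[tolower($0)]++' | tr '\n' ' ')
    printf 'dn: cn=config\nchangetype: modify\n'
    printf 'replace: nsslapd-allowed-to-delete-attrs\n'
    printf 'nsslapd-allowed-to-delete-attrs: %s\n' "${merged% }"
}

# Constructed sample: a dse.ldif fragment whose value is folded mid-name.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=config
nsslapd-port: 389
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-secure
 listenhost
nsslapd-localhost: server.example.com
EOF
merged_delete_attrs_ldif "$sample" nsslapd-rewrite-rfc1274
rm -f "$sample"
```

The printed LDIF can be checked against the intended list and then supplied to the ldapmodify command shown above.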
