1.9. Managing Core Server Attributes

The Directory Server configuration itself is stored in the dse.ldif file, which contains the server configuration entries like cn=config. The server entry itself is defined through a finite and strict set of attributes called core server configuration attributes. Although these attributes can be changed, no attributes can be added to the core server configuration and none can be deleted (except under very limited circumstances, as described in Section 1.9.2, “Configuration Attributes Which Can Be Deleted”).
This is described in more detail in the overview sections of the "Server Instance File Reference" chapter in the Directory Server Configuration and Command-Line Tool Reference.
This section provides details on how to check which core server attributes require that the server be restarted and how to check or change which core server configuration attributes can be deleted.

1.9.1. Configuration Attributes Requiring Server Restart

Some configuration attributes cannot be altered while the server is running. In these cases, for the changes to take effect, the server needs to be shut down and restarted. The modifications should be made either through the Directory Server Console or by manually editing the dse.ldif file when the dirsrv service is stopped.
Some of the attributes that require a server restart for any changes to take effect are listed below. This list is not exhaustive; to see a complete list, run ldapsearch and search for the nsslapd-requiresrestart attribute. For example:
ldapsearch -D "cn=directory manager" -W -p 389 -h server.example.com -b "cn=config" -s sub -x "(objectclass=*)" | grep nsslapd-requiresrestart
nsslapd-cachesize nsslapd-certdir nsslapd-dbcachesize
nsslapd-dbncache nsslapd-plugin nsslapd-changelogdir
nsslapd-changelogmaxage nsslapd-changelogmaxentries nsslapd-port
nsslapd-schemadir nsslapd-saslpath nsslapd-secureport
nsslapd-tmpdir nsSSL2 nsSSL3
nsTLS1 nsSSLclientauth nsSSLSessionTimeout
nsslapd-conntablesize nsslapd-lockdir nsslapd-maxdescriptors
nsslapd-reservedescriptors nsslapd-listenhost nsslapd-schema-ignore-trailing-spaces
nsslapd-securelistenhost nsslapd-workingdir nsslapd-return-exact-case
nsslapd-maxbersize[a] nsslapd-allowed-to-delete-attrs
[a] Although this attribute requires a restart, it is not returned in the search.

1.9.2. Configuration Attributes Which Can Be Deleted

By default, core server configuration attributes cannot be deleted. All core configuration attributes are present, even if they are not written in the dse.ldif file, because they all have default values used by the server. Deleting any of those attributes is generally not allowed because the server requires them to be present in order to run.
The nsslapd-allowed-to-delete-attrs parameter lists core configuration attributes which are allowed to be deleted from the configuration. Delete operations for those attributes will succeed.
The value of nsslapd-allowed-to-delete-attrs is a space-separated list of attribute names. By default, only two attributes are listed:
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost
This can be changed using ldapmodify to add attributes to the list. Because this is a single-valued attribute, the entire list must be given in the modify statement: the modify operation overwrites the previous value rather than appending new values to it.
ldapmodify -D "cn=directory manager" -W -p 389 -h server.example.com -x

dn: cn=config
changetype: modify
replace: nsslapd-allowed-to-delete-attrs
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost nsslapd-rewrite-rfc1274

Warning

Be extremely cautious about adding core server configuration attributes to the list of deletable attributes. Some attributes are critical for the server to operate, and deleting those attributes could cause the server not to run.
To return the list of attributes which can be deleted, use grep:
# grep nsslapd-allowed-to-delete-attrs /etc/dirsrv/slapd-instance_name/dse.ldif

nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-securelistenhost nsslapd-rewrite-rfc1274
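
Because the replace operation overwrites the whole value, one way to extend the list without dropping existing entries is to read the current value first and send it back with the new names appended. The shell functions below are an added example, not part of the Directory Server documentation; the function names and the dse.ldif excerpt are constructed for illustration, and the example assumes the list line may be folded across lines, as LDIF allows.

```shell
#!/bin/sh
# Added example, not from the Directory Server documentation.
# Constructed dse.ldif excerpt; the list line is folded (continuation
# lines start with one space), which a plain grep would truncate.
SAMPLE_DSE='dn: cn=config
nsslapd-port: 389
nsslapd-allowed-to-delete-attrs: nsslapd-listenhost nsslapd-secure
 listenhost
nsslapd-return-exact-case: on'

# Join folded LDIF continuation lines back onto their first line.
unfold_ldif() {
    awk '/^ / { buf = buf substr($0, 2); next }
         NR > 1 { print buf }
         { buf = $0 }
         END { if (NR) print buf }'
}

# Print the current deletable-attribute list from LDIF text on stdin.
current_deletable() {
    unfold_ldif | sed -n 's/^nsslapd-allowed-to-delete-attrs:[[:space:]]*//p'
}

# merge_deletable "CURRENT LIST" NEW...  -> full list, no duplicates.
merge_deletable() {
    merged=$1; shift
    for attr in "$@"; do
        case " $merged " in
            *" $attr "*) ;;                  # already listed
            *) merged="$merged $attr" ;;
        esac
    done
    printf '%s\n' "$merged"
}

# Emit the replace operation carrying the complete list.
replace_ldif() {
    printf '%s\n' 'dn: cn=config' 'changetype: modify' \
        'replace: nsslapd-allowed-to-delete-attrs' \
        "nsslapd-allowed-to-delete-attrs: $1"
}

# Names on the list beyond the two defaults, one per line, for review.
non_default_deletable() {
    for attr in $1; do
        case $attr in
            nsslapd-listenhost|nsslapd-securelistenhost) ;;
            *) printf '%s\n' "$attr" ;;
        esac
    done
}
```

The output of replace_ldif can be piped to the ldapmodify command shown above; non_default_deletable gives a quick review list of anything added beyond the two default entries.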