<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
The contents of this file are subject to the terms of the Common Development and
|
Distribution License (the License). You may not use this file except in compliance with the
|
License.
|
|
You can obtain a copy of the License at legal/CDDLv1.0.txt. See the License for the
|
specific language governing permission and limitations under the License.
|
|
When distributing Covered Software, include this CDDL Header Notice in each file and include
|
the License file at legal/CDDLv1.0.txt. If applicable, add the following below the CDDL
|
Header, with the fields enclosed by brackets [] replaced by your own identifying
|
information: "Portions Copyright [year] [name of copyright owner]".
|
|
Copyright 2007-2009 Sun Microsystems, Inc.
|
Portions Copyright 2011-2016 ForgeRock AS.
|
! -->
|
<adm:package name="org.forgerock.opendj.server.config"
|
xmlns:adm="http://opendj.forgerock.org/admin"
|
xmlns:ldap="http://opendj.forgerock.org/admin-ldap">
|
<adm:synopsis>
|
Core <adm:product-name /> directory server administrative components.
|
</adm:synopsis>
|
<adm:property name="listen-port" mandatory="true">
|
<adm:synopsis>
|
Specifies the port number on which the
|
<adm:user-friendly-name />
|
will listen for connections from clients.
|
</adm:synopsis>
|
<adm:description>
|
Only a single port number may be provided.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:syntax>
|
<adm:integer lower-limit="1" upper-limit="65535" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-listen-port</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="use-ssl">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should use SSL.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the
|
<adm:user-friendly-name />
|
will use SSL to encrypt communication with the clients.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>false</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-use-ssl</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="ssl-cert-nickname" multi-valued="true">
|
<adm:TODO>Need a better default description.</adm:TODO>
|
<adm:synopsis>
|
Specifies the nicknames (also called the aliases) of the keys or key pairs
|
that the
|
<adm:user-friendly-name />
|
should use when performing SSL communication. The property can be used multiple times
|
(referencing different nicknames) when server certificates
|
with different public key algorithms are used in parallel
|
(for example, RSA, DSA, and ECC-based algorithms).
|
When a nickname refers to an asymmetric (public/private) key pair,
|
the nickname for the public key certificate and associated private key entry must match exactly.
|
A single nickname is used to retrieve both the public key and the private key.
|
</adm:synopsis>
|
<adm:description>
|
This is only applicable when the
|
<adm:user-friendly-name />
|
is configured to use SSL.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>Let the server decide.</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string></adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-ssl-cert-nickname</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="key-store-pin">
|
<adm:synopsis>
|
Specifies the clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-key-store-pin</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="key-store-pin-property">
|
<adm:TODO>Better syntax for property name?</adm:TODO>
|
<adm:synopsis>
|
Specifies the name of the Java property that contains the
|
clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string>
|
<adm:pattern>
|
<adm:regex>.*</adm:regex>
|
<adm:usage>STRING</adm:usage>
|
<adm:synopsis>
|
The name of a defined Java property.
|
</adm:synopsis>
|
</adm:pattern>
|
</adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-key-store-pin-property</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="key-store-pin-environment-variable">
|
<adm:synopsis>
|
Specifies the name of the environment variable that contains the
|
clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string>
|
<adm:pattern>
|
<adm:regex>.*</adm:regex>
|
<adm:usage>STRING</adm:usage>
|
<adm:synopsis>
|
The name of a defined environment variable that contains the
|
clear-text PIN required to access the contents of the key store.
|
</adm:synopsis>
|
</adm:pattern>
|
</adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-key-store-pin-environment-variable</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="key-store-pin-file">
|
<adm:TODO>Should use a file-based property definition?</adm:TODO>
|
<adm:synopsis>
|
Specifies the path to the text file whose only contents should be
|
a single line containing the clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string>
|
<adm:pattern>
|
<adm:regex>.*</adm:regex>
|
<adm:usage>FILE</adm:usage>
|
<adm:synopsis>
|
A path to an existing file that is readable by the server.
|
</adm:synopsis>
|
</adm:pattern>
|
</adm:string>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-key-store-pin-file</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="trust-store-pin">
|
<adm:synopsis>
|
Specifies the clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-trust-store-pin</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="trust-store-pin-property">
|
<adm:TODO>Better syntax for property name?</adm:TODO>
|
<adm:synopsis>
|
Specifies the name of the Java property that contains the
|
clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-trust-store-pin-property</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="trust-store-pin-environment-variable">
|
<adm:synopsis>
|
Specifies the name of the environment variable that contains the
|
clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>
|
ds-cfg-trust-store-pin-environment-variable
|
</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="trust-store-pin-file">
|
<adm:TODO>Should use a file-based property definition?</adm:TODO>
|
<adm:synopsis>
|
Specifies the path to the text file whose only contents should be
|
a single line containing the clear-text PIN needed to access the
|
<adm:user-friendly-name />
|
.
|
</adm:synopsis>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property will take effect the next time that
|
the
|
<adm:user-friendly-name />
|
is accessed.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-trust-store-pin-file</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="include-filter" multi-valued="true">
|
<adm:synopsis>
|
The set of filters that define the entries that should be included
|
in the cache.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-include-filter</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="exclude-filter" multi-valued="true">
|
<adm:synopsis>
|
The set of filters that define the entries that should be excluded
|
from the cache.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:undefined />
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:string />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-exclude-filter</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allowed-client" multi-valued="true">
|
<adm:synopsis>
|
Specifies a set of host names or address masks that determine the
|
clients that are allowed to establish connections to this
|
<adm:user-friendly-name/>.
|
</adm:synopsis>
|
<adm:description>
|
Valid values include a host name, a fully qualified domain name, a
|
domain name, an IP address, or a subnetwork with subnetwork mask.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property take effect immediately and do not
|
interfere with connections that may have already been
|
established.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
All clients with addresses that do not match an address on the
|
deny list are allowed. If there is no deny list, then all
|
clients are allowed.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:ip-address-mask />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allowed-client</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="denied-client" multi-valued="true">
|
<adm:synopsis>
|
Specifies a set of host names or address masks that determine
|
the clients that are not allowed to establish connections to this
|
<adm:user-friendly-name/>.
|
</adm:synopsis>
|
<adm:description>
|
Valid values include a host name, a fully qualified domain name, a
|
domain name, an IP address, or a subnetwork with subnetwork mask.
|
If both allowed and denied client masks are defined and a client
|
connection matches one or more masks in both lists, then the
|
connection is denied. If only a denied list is specified,
|
then any client not matching a mask in that list is allowed.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:none>
|
<adm:synopsis>
|
Changes to this property take effect immediately and do not
|
interfere with connections that may have already been
|
established.
|
</adm:synopsis>
|
</adm:none>
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:alias>
|
<adm:synopsis>
|
If an allow list is specified, then only clients with
|
addresses on the allow list are allowed. Otherwise, all
|
clients are allowed.
|
</adm:synopsis>
|
</adm:alias>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:ip-address-mask />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-denied-client</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="use-tcp-keep-alive" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should use TCP keep-alive.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the SO_KEEPALIVE socket option is used to indicate that TCP
|
keepalive messages should periodically be sent to the client to
|
verify that the associated connection is still valid. This may
|
also help prevent cases in which intermediate network hardware
|
could silently drop an otherwise idle client connection, provided
|
that the keepalive interval configured in the underlying operating
|
system is smaller than the timeout enforced by the network
|
hardware.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-use-tcp-keep-alive</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="use-tcp-no-delay" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should use TCP no-delay.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the TCP_NODELAY socket option is used to ensure
|
that response messages to the client are sent immediately rather
|
than potentially waiting to determine whether additional response
|
messages can be sent in the same packet. In most cases, using the
|
TCP_NODELAY socket option provides better performance and
|
lower response times, but disabling it may help for some cases in
|
which the server sends a large number of entries to a client
|
in response to a search request.
|
</adm:description>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-use-tcp-no-delay</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
<adm:property name="allow-tcp-reuse-address" advanced="true">
|
<adm:synopsis>
|
Indicates whether the
|
<adm:user-friendly-name />
|
should reuse socket descriptors.
|
</adm:synopsis>
|
<adm:description>
|
If enabled, the SO_REUSEADDR socket option is used on the
|
server listen socket to potentially allow the reuse of socket
|
descriptors for clients in a TIME_WAIT state. This may help the
|
server avoid temporarily running out of socket descriptors in
|
cases in which a very large number of short-lived connections have
|
been established from the same client system.
|
</adm:description>
|
<adm:requires-admin-action>
|
<adm:component-restart />
|
</adm:requires-admin-action>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>true</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:name>ds-cfg-allow-tcp-reuse-address</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
</adm:package>
|
