<?xml version="1.0" encoding="UTF-8"?>
<!--
  ! CCPL HEADER START
  !
  ! This work is licensed under the Creative Commons
  ! Attribution-NonCommercial-NoDerivs 3.0 Unported License.
  ! To view a copy of this license, visit
  ! http://creativecommons.org/licenses/by-nc-nd/3.0/
  ! or send a letter to Creative Commons, 444 Castro Street,
  ! Suite 900, Mountain View, California, 94041, USA.
  !
  ! You can also obtain a copy of the license at
  ! trunk/opendj3/legal-notices/CC-BY-NC-ND.txt.
  ! See the License for the specific language governing permissions
  ! and limitations under the License.
  !
  ! If applicable, add the following below this CCPL HEADER, with the fields
  ! enclosed by brackets "[]" replaced with your own identifying information:
  ! Portions Copyright [yyyy] [name of copyright owner]
  !
  ! CCPL HEADER END
  !
  ! Copyright 2011 ForgeRock AS
  !
-->
<refentry xml:id='dsconfig-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
<refmeta>
<refentrytitle>dsconfig</refentrytitle><manvolnum>1</manvolnum>
</refmeta>
<refnamediv>
<refname>dsconfig</refname>
<refpurpose>manage OpenDJ directory server configuration</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>dsconfig <replaceable>subcommand</replaceable></command>
<arg choice="req">options</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>This utility serves to configure a running directory server.</para>

<para>The <command>dsconfig</command> command is the primary command-line tool
for viewing and editing OpenDJ configuration. When started without arguments,
<command>dsconfig</command> prompts you for administration connection
information, including the host name, administration port number,
administrator bind DN and administrator password. The
<command>dsconfig</command> command then connects securely to the directory
server over the administration port. Once connected it presents you with a
menu-driven interface to the server configuration.</para>

<para>When you pass connection information, subcommands, and additional
options to <command>dsconfig</command>, the command runs in script mode and
so is not interactive, though it can prompt you to ask whether to apply
changes and whether to trust certificates (unless you use the
<option>--no-prompt</option> and <option>--trustAll</option> options,
respectively).</para>

<para>You can prepare <command>dsconfig</command> batch scripts by running
the tool with the <option>--commandFilePath</option> option in interactive
mode, then reading from the batch file with the <option>--batchFilePath</option>
option in script mode. Batch files can be useful when you have many
<command>dsconfig</command> commands to run and want to avoid starting
the JVM and setting up a new connection for each command.</para>

<para>The <command>dsconfig</command> command categorizes directory server
configuration by <firstterm>components</firstterm>, also called
<firstterm>managed objects</firstterm>. Actual components often inherit from
a parent component type. For example, one component is a Connection Handler.
An LDAP Connection Handler is a type of Connection Handler. You configure the
LDAP Connection Handler component to specify how OpenDJ directory server
handles LDAP connections coming from client applications.</para>

<para>Configuration components have <firstterm>properties</firstterm>.
For example, the LDAP Connection Handler component has properties such as
<literal>listen-port</literal> and <literal>allow-start-tls</literal>. You
can set the component's <literal>listen-port</literal> property to
<literal>389</literal> to use the default LDAP port number. You can set the
component's <literal>allow-start-tls</literal> property to
<literal>true</literal> to permit LDAP client applications to use StartTLS.
Much of the configuration you do with <command>dsconfig</command> involves
setting component properties. The <citetitle>OpenDJ Configuration
Reference</citetitle> covers all <command>dsconfig</command> component
properties in detail, drawing on the documentation you also view when
getting help through the <command>dsconfig</command> command.</para>
<!-- TODO: Add olink to configuration reference -->
</refsect1>
<refsect1 xml:id="dsconfig-getting-help">
<title>Getting Help</title>

<para>The <command>dsconfig</command> command provides many subcommands.
Use the following options to view help for subcommands.</para>

<para>See <link linkend="dsconfig-subcommands-ref"><citetitle>dsconfig
Subcommands</citetitle></link> for details of individual subcommands.</para>

<variablelist>
<varlistentry>
<term><command>dsconfig --help-all</command></term>
<listitem>
<para>Display all subcommands</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dsconfig --help-core-server</command></term>
<listitem>
<para>Display subcommands relating to core server</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dsconfig --help-database</command></term>
<listitem>
<para>Display subcommands relating to caching and back-ends</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dsconfig --help-logging</command></term>
<listitem>
<para>Display subcommands relating to logging</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dsconfig --help-replication</command></term>
<listitem>
<para>Display subcommands relating to replication</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dsconfig --help-security</command></term>
<listitem>
<para>Display subcommands relating to authentication and authorization</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>dsconfig --help-user-management</command></term>
<listitem>
<para>Display subcommands relating to user management</para>
</listitem>
</varlistentry>
</variablelist>

<para>For help with individual subcommands, either use <command>dsconfig
<replaceable>subcommand</replaceable> --help</command>, or start
<command>dsconfig</command> in interactive mode, without specifying a
subcommand.</para>

<para>To view component properties, use the <command>dsconfig
list-properties</command> command.</para>
</refsect1>
<refsect1 xml:id="dsconfig-general-options">
<title>Generally Applicable Options</title>
<para>The following options are supported for all <command>dsconfig</command>
subcommands.</para>
<variablelist>
<varlistentry>
<term><option>--advanced</option></term>
<listitem>
<para>Allows the configuration of advanced components and properties</para>
</listitem>
</varlistentry>
</variablelist>
<refsect2>
<title>LDAP Connection Options</title>
<variablelist>
<varlistentry>
<term><option>--connectTimeout {timeout}</option></term>
<listitem>
<para>Maximum length of time (in milliseconds) that can be taken to
establish a connection. Use '0' to specify no time out.</para>
<para>Default value: 30000</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-h, --hostname {host}</option></term>
<listitem>
<para>Directory server hostname or IP address</para>
<para>Default value: localhost.localdomain</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-I, --adminUID {adminUID}</option></term>
<listitem>
<para>User ID of the global administrator to use to bind to the server.
For the <command>enable</command> subcommand, if no global administrator
was defined previously for any servers, the global administrator will be
created using the UID provided.</para>
<para>Default value: admin</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-j, --adminPasswordFile {bindPasswordFile}</option></term>
<listitem>
<para>Global administrator password file</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-K, --keyStorePath {keyStorePath}</option></term>
<listitem>
<para>Certificate key store path</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-N, --certNickname {nickname}</option></term>
<listitem>
<para>Nickname of certificate for SSL client authentication</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-o, --saslOption {name=value}</option></term>
<listitem>
<para>SASL bind options</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-p, --port {port}</option></term>
<listitem>
<para>Directory server administration port number</para>
<para>Default value: 4444</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-P, --trustStorePath {trustStorePath}</option></term>
<listitem>
<para>Certificate trust store path</para>
<para>Default value: /path/to/OpenDJ/config/admin-truststore</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-T, --trustStorePassword {trustStorePassword}</option></term>
<listitem>
<para>Certificate trust store PIN</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-u, --keyStorePasswordFile {keyStorePasswordFile}</option></term>
<listitem>
<para>Certificate key store PIN file</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-U, --trustStorePasswordFile {path}</option></term>
<listitem>
<para>Certificate trust store PIN file</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-w, --adminPassword {bindPassword}</option></term>
<listitem>
<para>Password for the global administrator</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-W, --keyStorePassword {keyStorePassword}</option></term>
<listitem>
<para>Certificate key store PIN</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-X, --trustAll</option></term>
<listitem>
<para>Trust all server SSL certificates</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2>
<title>Utility Input/Output Options</title>
<variablelist>
<varlistentry>
<term><option>--commandFilePath {path}</option></term>
<listitem>
<para>The full path to the file where the equivalent non-interactive
commands will be written when this command is run in interactive
mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--displayCommand</option></term>
<listitem>
<para>Display the equivalent non-interactive option on standard output
when this command is run in interactive mode.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-F, --batchFilePath {batchFilePath}</option></term>
<listitem>
<para>Path to a batch file containing a set of dsconfig commands to be
executed</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-n, --no-prompt</option></term>
<listitem>
<para>Use non-interactive mode. If data in the command is missing, the
user is not prompted and the command exits with an error.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--noPropertiesFile</option></term>
<listitem>
<para>No properties file will be used to get default command line
argument values</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>--propertiesFilePath {propertiesFilePath}</option></term>
<listitem>
<para>Path to the file containing default property values used for
command line arguments</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-Q, --quiet</option></term>
<listitem>
<para>Do not write progress information to standard output</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-s, --script-friendly</option></term>
<listitem>
<para>Use script-friendly mode</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-v, --verbose</option></term>
<listitem>
<para>Use verbose mode</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2>
<title>General Options</title>
<variablelist>
<varlistentry>
<term><option>--version</option></term>
<listitem>
<para>Display version information</para>
</listitem>
</varlistentry>
<varlistentry>
<term><option>-?, -H, --help</option></term>
<listitem>
<para>Display usage information</para>
</listitem>
</varlistentry>
</variablelist>
</refsect2>
</refsect1>
<refsect1 xml:id="dsconfig-subcommands-ref">
<title>dsconfig Subcommands</title>
<para>This section covers individual <command>dsconfig</command>
subcommands.</para>

<para>Subcommands let you create, list, and delete entire configuration
components, and also let you get and set component properties. Subcommands
therefore have names that reflect these five actions.</para>
<itemizedlist>
<listitem><para>create-<replaceable>component</replaceable></para></listitem>
<listitem><para>list-<replaceable>component</replaceable>s</para></listitem>
<listitem><para>delete-<replaceable>component</replaceable></para></listitem>
<listitem><para>get-<replaceable>component</replaceable>-prop</para></listitem>
<listitem><para>set-<replaceable>component</replaceable>-prop</para></listitem>
</itemizedlist>

<!-- TODO: OPENDJ-321: Expand dsconfig reference with more examples and descriptions of subcommands -->
</refsect1>
<refsect1>
<title>Exit Codes</title>
<variablelist>
<varlistentry>
<term>0</term>
<listitem>
<para>The command completed successfully.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&gt; 0</term>
<listitem>
<para>An error occurred.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>Examples</title>
<para>Much of the <citetitle>OpenDJ Administration Guide</citetitle> consists
of <command>dsconfig</command> examples with text in between. This section
therefore remains short.</para>

<para>The following example starts <command>dsconfig</command> in interactive,
menu-driven mode on the default port of the current host.</para>
<screen>$ dsconfig -h `hostname` -p 4444 -D "cn=Directory Manager" -w password

>>>> OpenDJ configuration console main menu

What do you want to configure?

    1)   Access Control Handler               23)  Log Rotation Policy
    2)   Account Status Notification Handler  24)  Matching Rule
    3)   Administration Connector             25)  Monitor Provider
    4)   Alert Handler                        26)  Network Group
    5)   Attribute Syntax                     27)  Network Group QOS Policy
    6)   Backend                              28)  Password Generator
    7)   Certificate Mapper                   29)  Password Policy
    8)   Connection Handler                   30)  Password Storage Scheme
    9)   Crypto Manager                       31)  Password Validator
    10)  Debug Target                         32)  Plugin
    11)  Entry Cache                          33)  Plugin Root
    12)  Extended Operation Handler           34)  Replication Domain
    13)  Extension                            35)  Replication Server
    14)  External Changelog Domain            36)  Root DN
    15)  Global Configuration                 37)  Root DSE Backend
    16)  Group Implementation                 38)  SASL Mechanism Handler
    17)  Identity Mapper                      39)  Synchronization Provider
    18)  Key Manager Provider                 40)  Trust Manager Provider
    19)  Local DB Index                       41)  Virtual Attribute
    20)  Local DB VLV Index                   42)  Work Queue
    21)  Log Publisher                        43)  Workflow
    22)  Log Retention Policy                 44)  Workflow Element

    q)   quit

Enter choice: </screen>

<para>The following example demonstrates generating a batch file that
corresponds to an interactive session enabling the debug log. The example
then demonstrates using a modified batch file to disable the debug log.</para>
<screen>$ dsconfig \
 --hostname `hostname` \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --commandFilePath ~/enable-debug-log.batch
...
$ cat ~/enable-debug-log.batch
# dsconfig session start date: 19/Oct/2011:08:52:22 +0000

# Session operation number: 1
# Operation date: 19/Oct/2011:08:55:06 +0000
dsconfig set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:true \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/OpenDJ/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword ****** \
          --no-prompt

$ cp ~/enable-debug-log.batch ~/disable-debug-log.batch
$ vi ~/disable-debug-log.batch
$ cat ~/disable-debug-log.batch
set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:false \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/OpenDJ/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword password \
          --no-prompt

$ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt
set-log-publisher-prop
--publisher-name
File-Based Debug Logger
--set
enabled:false
--hostname
Mark-Craigs-iMac.local
--port
4444
--trustStorePath
/path/to/OpenDJ/config/admin-truststore
--bindDN
cn=Directory Manager
--bindPassword
password
--no-prompt

$</screen>
<para>Notice that the original command file looks like a shell script with
the bind password value replaced by asterisks. To pass the content as a batch
file to <command>dsconfig</command>, strip <literal>dsconfig</literal>
itself, and include the bind password for the administrative user (or
replace that option with an alternative, such as reading the password from
a file).</para>
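<para>The conversion described above, as an added example that is not part of
the OpenDJ documentation or tools: <function>to_batch</function> strips the
comments and the leading <literal>dsconfig</literal> from a recorded command
file and replaces the masked bind password line with <option>-j</option> and a
password file, and <function>audit_batch</function> flags lines that still
carry a password or <option>--trustAll</option>. The function names, sample
file contents and paths are constructed for this example, and it assumes one
option per line, as in the recorded file shown above.</para>
<programlisting language="shell"><![CDATA[
```shell
#!/bin/sh
# Added example, not OpenDJ code. Assumes one option per line, as dsconfig
# records them, and that -j names the password file. File names are constructed.

# make_sample FILE: write a constructed command file like the one shown above.
make_sample() {
    cat > "$1" <<'EOF'
# dsconfig session start date: 19/Oct/2011:08:52:22 +0000

# Session operation number: 1
# Operation date: 19/Oct/2011:08:55:06 +0000
dsconfig set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:true \
          --hostname opendj.example.com \
          --port 4444 \
          --trustStorePath /path/to/OpenDJ/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword ****** \
          --no-prompt
EOF
}

# to_batch RECORDED BATCH PWFILE: strip comments and the leading "dsconfig",
# and swap the inline password option for "-j PWFILE".
to_batch() {
    (
        umask 077   # the batch file names the admin DN; keep it owner-only
        awk -v pw="$3" '
            /^#/ || /^[ \t]*$/ { next }
            { sub(/^dsconfig[ \t]+/, "") }
            $1 == "--bindPassword" || $1 == "-w" {
                tail = ($NF == "\\") ? " \\" : ""   # keep the continuation
                print "          -j " pw tail
                next
            }
            { print }
        ' "$1" > "$2"
    )
}

# audit_batch FILE: report options that weaken the connection; status 1 if any.
audit_batch() {
    awk '
        /^#/ { next }
        { for (i = 1; i <= NF; i++) {
            if ($i == "--bindPassword" || $i == "-w") {
                print FILENAME ":" FNR ": password on the command line"; bad = 1 }
            if ($i == "--trustAll" || $i == "-X") {
                print FILENAME ":" FNR ": server certificate not verified"; bad = 1 }
        } }
        END { exit bad + 0 }
    ' "$1"
}
```
]]></programlisting>
<para>Create the password file with owner-only permissions as well, since
<option>-j</option> only moves the secret out of the batch file and the
process list.</para>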
</refsect1>
</refentry>