<?xml version="1.0" encoding="UTF-8"?>
|
<!--
|
! CDDL HEADER START
|
!
|
! The contents of this file are subject to the terms of the
|
! Common Development and Distribution License, Version 1.0 only
|
! (the "License"). You may not use this file except in compliance
|
! with the License.
|
!
|
! You can obtain a copy of the license at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE
|
! or https://OpenDS.dev.java.net/OpenDS.LICENSE.
|
! See the License for the specific language governing permissions
|
! and limitations under the License.
|
!
|
! When distributing Covered Code, include this CDDL HEADER in each
|
! file and include the License file at
|
! trunk/opends/resource/legal-notices/OpenDS.LICENSE. If applicable,
|
! add the following below this CDDL HEADER, with the fields enclosed
|
! by brackets "[]" replaced with your own identifying information:
|
! Portions Copyright [yyyy] [name of copyright owner]
|
!
|
! CDDL HEADER END
|
!
|
!
|
! Portions Copyright 2007 Sun Microsystems, Inc.
|
! -->
|
|
<adm:managed-object name="global" plural-name="globals"
|
package="org.opends.server.admin.std"
|
xmlns:adm="http://www.opends.org/admin"
|
xmlns:ldap="http://www.opends.org/admin-ldap">
|
<adm:synopsis>
|
The global configuration contains properties that affect the overall
|
operation of the
|
<adm:product-name />
|
.
|
</adm:synopsis>
|
<adm:tag name="core"/>
|
|
<adm:profile name="ldap">
|
<ldap:object-class>
|
<ldap:oid>1.3.6.1.4.1.26027.1.2.13</ldap:oid>
|
<ldap:name>ds-cfg-root-config</ldap:name>
|
<ldap:superior>top</ldap:superior>
|
</ldap:object-class>
|
</adm:profile>
|
|
<adm:property name="check-schema" mandatory="true">
|
<adm:synopsis>
|
Indicates whether schema enforcement is active.
|
</adm:synopsis>
|
<adm:description>
|
This property indicates whether the
|
<adm:product-name />
|
should ensure that all operations result in entries that are valid
|
according to the defined server schema. It is strongly recommended
|
that this option be left enabled to prevent the inadvertent
|
addition of invalid data into the server.
|
</adm:description>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.24</ldap:oid>
|
<ldap:name>ds-cfg-check-schema</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="default-password-policy" mandatory="true">
|
<adm:synopsis>
|
Specifies the DN of the configuration entry for the password policy that
|
will be in effect for users whose entries do not specify an alternate
|
password policy (either via a real or virtual attribute).
|
</adm:synopsis>
|
<adm:syntax>
|
<adm:dn>
|
<adm:base>cn=Password Policies,cn=config</adm:base>
|
</adm:dn>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.202</ldap:oid>
|
<ldap:name>ds-cfg-default-password-policy</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="add-missing-rdn-attributes" mandatory="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should automatically add any
|
attribute values contained in the entry's RDN into that entry when
|
processing an add request.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
true
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.142</ldap:oid>
|
<ldap:name>ds-cfg-add-missing-rdn-attributes</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="allow-attribute-name-exceptions" mandatory="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should allow the use of underscores
|
in attribute names, and should allow attribute names to begin with
|
numeric digits (both of which are violations of the LDAP standards).
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
false
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.5</ldap:oid>
|
<ldap:name>ds-cfg-allow-attribute-name-exceptions</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="invalid-attribute-syntax-behavior" mandatory="false">
|
<adm:synopsis>
|
Specifies how the Directory Server should handle operations which would
|
result in an attribute value that violates the associated attribute
|
syntax.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
reject
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="accept">
|
<adm:synopsis>
|
The Directory Server will silently accept attribute values that are
|
invalid according to their associated syntax. Matching operations
|
targeting those values may not behave as expected.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="reject">
|
<adm:synopsis>
|
The Directory Server will reject attribute values that are invalid
|
according to their associated syntax.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="warn">
|
<adm:synopsis>
|
The Directory Server will accept attribute values that are invalid
|
according to their associated syntax, but will also log a warning
|
message to the error log. Matching operations targeting those
|
values may not behave as expected.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.44</ldap:oid>
|
<ldap:name>ds-cfg-invalid-attribute-syntax-behavior</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="server-error-result-code" mandatory="false">
|
<adm:synopsis>
|
Specifies the numeric value of the result code that should be used for
|
cases in which request processing fails due to an internal server error.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
80
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.143</ldap:oid>
|
<ldap:name>ds-cfg-server-error-result-code</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="single-structural-objectclass-behavior" mandatory="false">
|
<adm:synopsis>
|
Specifies how the Directory Server should handle operations which would
|
result in an entry without any structural object class, or that would
|
result in an entry containing multiple structural classes.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
reject
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="accept">
|
<adm:synopsis>
|
The Directory Server will silently accept entries that do not
|
contain exactly one structural object class. Certain schema
|
features that depend on the entry's structural class may not behave
|
as expected.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="reject">
|
<adm:synopsis>
|
The Directory Server will reject entries that do not contain exactly
|
one structural object class.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="warn">
|
<adm:synopsis>
|
The Directory Server will accept entries that do not contain exactly
|
one structural object class, but will also log a warning message to
|
the error log. Certain schema features that depend on the entry's
|
structural class may not behave
|
as expected.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.117</ldap:oid>
|
<ldap:name>ds-cfg-single-structural-objectclass-behavior</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="notify-abandoned-operations" mandatory="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should send a response to any
|
operation that is interrupted via an abandon request. The LDAP
|
specification states that abandoned operations should not receive any
|
response, but this may cause problems with client applications that
|
always expect to receive a response to each request.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
false
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.71</ldap:oid>
|
<ldap:name>ds-cfg-notify-abandoned-operations</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="size-limit" mandatory="false">
|
<adm:synopsis>
|
Specifies the maximum number of entries that the Directory Server should
|
return to the client in the course of processing a search operation. A
|
value of 0 indicates that no size limit will be enforced. Note that this
|
is the default server-wide limit, but it may be overridden on a per-user
|
basis using the ds-rlim-size-limit operational attribute.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
1000
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.118</ldap:oid>
|
<ldap:name>ds-cfg-size-limit</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="time-limit" mandatory="false">
|
<adm:synopsis>
|
Specifies the maximum length of time that the Directory Server should
|
spend procesing a search operation. A value of 0 seconds indicates that
|
no time limit will be enforced. Note that this is the default server-wide
|
time limit, but it may be overridden on a per-user basis using the
|
ds-rlim-time-limit operational attribute.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
60 seconds
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:duration base-unit="s" lower-limit="0" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.150</ldap:oid>
|
<ldap:name>ds-cfg-time-limit</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="proxied-authorization-identity-mapper-dn"
|
mandatory="true">
|
<adm:synopsis>
|
Specifies the DN of the configuration entry for the identity mapper that
|
will be used to map authorization ID values (using the "u:" form) provided
|
in the proxied authorization control to the corresponding user entry.
|
</adm:synopsis>
|
<adm:syntax>
|
<adm:dn>
|
<adm:base>cn=Identity Mappers,cn=config</adm:base>
|
</adm:dn>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.149</ldap:oid>
|
<ldap:name>ds-cfg-proxied-authorization-identity-mapper-dn</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="writability-mode" mandatory="false">
|
<adm:synopsis>
|
Specifies which kinds of write operations the Directory Server should
|
attempt to process.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
enabled
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:enumeration>
|
<adm:value name="enabled">
|
<adm:synopsis>
|
The Directory Server will attempt to process all write operations
|
that are requested of it, regardless of their origin.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="disabled">
|
<adm:synopsis>
|
The Directory Server will reject all write operations that are
|
requested of it, regardless of their origin.
|
</adm:synopsis>
|
</adm:value>
|
<adm:value name="internal-only">
|
<adm:synopsis>
|
The Directory Server will attempt to process write operations
|
requested as internal operations or through synchronization, but
|
will reject any such operations requested from external clients.
|
</adm:synopsis>
|
</adm:value>
|
</adm:enumeration>
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.161</ldap:oid>
|
<ldap:name>ds-cfg-writability-mode</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="reject-unauthenticated-requests" mandatory="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should reject any request (other
|
than bind or StartTLS requests) received from a client that has not yet
|
authenticated, whose last authentication attempt was unsuccessful, or
|
whose last authentication attempt used anonymous authentication.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
false
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.301</ldap:oid>
|
<ldap:name>ds-cfg-reject-unauthenticated-requests</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="bind-with-dn-requires-password" mandatory="false">
|
<adm:synopsis>
|
Indicates whether the Directory Server should reject any simple bind
|
request that contains a DN but no password. Although such bind requests
|
are technically allowed by the LDAPv3 specification (and should be treated
|
as anonymous simple authentication), they may introduce security problems
|
in applications that do not verify that the client actually provided a
|
password.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
true
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:boolean />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.163</ldap:oid>
|
<ldap:name>ds-cfg-bind-with-dn-requires-password</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
<adm:property name="lookthrough-limit" mandatory="false">
|
<adm:synopsis>
|
Specifies the maximum number of entries that the Directory Server should
|
"look through" in the course of processing a search request. This
|
includes any entry that the server must examine in the course of
|
processing the request, regardless of whether it actually matches the
|
search criteria. A value of 0 indicates that no lookthrough limit will
|
be enforced. Note that this is the default server-wide limit, but it may
|
be overridden on a per-user basis using the ds-rlim-lookthrough-limit
|
operational attribute.
|
</adm:synopsis>
|
<adm:default-behavior>
|
<adm:defined>
|
<adm:value>
|
5000
|
</adm:value>
|
</adm:defined>
|
</adm:default-behavior>
|
<adm:syntax>
|
<adm:integer lower-limit="0" />
|
</adm:syntax>
|
<adm:profile name="ldap">
|
<ldap:attribute>
|
<ldap:oid>1.3.6.1.4.1.26027.1.1.285</ldap:oid>
|
<ldap:name>ds-cfg-lookthrough-limit</ldap:name>
|
</ldap:attribute>
|
</adm:profile>
|
</adm:property>
|
|
</adm:managed-object>
|
