external-software/github_OpenIdentityPlatform_OpenDJ.git

Commiting configuration XML files after adding info from the old config gui...

rhaggard

06.09.2008 952ce880317825f16c256fb716167eb7fddeda49

 opends/src/admin/defn/org/opends/server/admin/std/AnonymousSASLMechanismHandlerConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="anonymous-sasl-mechanism-handler"
  plural-name="anonymous-sasl-mechanism-handlers"
@@ -31,11 +31,19 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to perform all processing related to SASL ANONYMOUS
    authentication.
    The ANONYMOUS SASL mechanism provides the ability for clients to 
    perform an anonymous bind using a SASL mechanism. 
  </adm:synopsis>
  <adm:description>
    The only real 
    benefit that this provides over a normal anonymous bind (that is, 
    using simple authentication with no password) is that the ANONYMOUS 
    SASL mechanism also allows the client to include a trace string in 
    the request. This trace string can help identify the application that 
    performed the bind (although since there is no authentication, 
    there is no assurance that some other client did not spoof that 
    trace string).
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-anonymous-sasl-mechanism-handler</ldap:name>

 opends/src/admin/defn/org/opends/server/admin/std/AttributeValuePasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="attribute-value-password-validator"
  plural-name="attribute-value-password-validators"
@@ -33,9 +33,14 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable based
    on whether the given password value appears the user's entry.
    attempts to determine whether a proposed password is acceptable 
    for use by determining whether that password is contained in any 
    attribute within the user's entry. 
  </adm:synopsis>
  <adm:description>
    It can be configured to look 
    in all attributes or in a specified subset of attributes.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-attribute-value-password-validator</ldap:name>
@@ -51,15 +56,13 @@
      </adm:defined>
    </adm:default-behavior>
  </adm:property-override>
  <adm:property name="match-attribute" multi-valued="true">
  <adm:property name="match-attribute" multi-valued="true" >
    <adm:synopsis>
      Specifies the name(s) of the attribute(s) whose values should be
      checked to determine whether they match the provided password.
      If no values are provided, then the server checks if the proposed 
      password matches the value of any attribute in the user's entry.
    </adm:synopsis>
    <adm:description>
      If this is not provided, then all attributes in the user's entry
      will be checked.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>

 opends/src/admin/defn/org/opends/server/admin/std/BlindTrustManagerProviderConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="blind-trust-manager-provider"
  plural-name="blind-trust-manager-providers"
@@ -31,12 +31,15 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    provides a mechanism for blindly trusting any certificate presented
    to it without performing any kind of validation, including ignoring
    the validity dates included within the certificate.
    The blind trust manager provider always trusts any certificate that 
    is presented to it, regardless of its issuer, subject, and validity 
    dates. 
  </adm:synopsis>
  <adm:description>
    Use the blind trust manager provider only for testing 
    purposes, because it allows clients to use forged certificates 
    and authenticate as virtually any user in the server.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-blind-trust-manager-provider</ldap:name>

 opends/src/admin/defn/org/opends/server/admin/std/CharacterSetPasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="character-set-password-validator"
  plural-name="character-set-password-validators"
@@ -33,12 +33,16 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable by
    determining whether it contains a sufficient number of characters
    from one or more user-defined character sets (e.g., passwords must
    have at least one lowercase letter, one uppercase letter, one digit,
    and one symbol).
    determines whether a proposed password is acceptable by
    checking whether it contains a sufficient number of characters
    from one or more user-defined character sets. 
  </adm:synopsis>
  <adm:description>
    For example, 
    the validator can ensure that passwords must
    have at least one lowercase letter, one uppercase letter, one digit,
    and one symbol.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-character-set-password-validator</ldap:name>
@@ -64,11 +68,11 @@
    <adm:description>
      Each value must be an integer (indicating the minimum required
      characters from the set) followed by a colon and the characters to
      include in that set (e.g., "3:abcdefghijklmnopqrstuvwxyz"
      include in that set (for example, "3:abcdefghijklmnopqrstuvwxyz"
      indicates that a user password must contain at least three
      characters from the set of lowercase ASCII letters). Multiple
      character sets may be defined in separate values, although no
      character may appear in more than one character set.
      character sets can be defined in separate values, although no
      character can appear in more than one character set.
    </adm:description>
    <adm:syntax>
      <adm:string case-insensitive="false" />
@@ -87,7 +91,8 @@
    </adm:synopsis>
    <adm:description>
      If this is "false", then only those characters in the user-defined
      character sets may be used in passwords.
      character sets may be used in passwords. Any password containing a 
      character not included in any character set will be rejected.
    </adm:description>
    <adm:syntax>
      <adm:boolean />

 opends/src/admin/defn/org/opends/server/admin/std/CramMD5SASLMechanismHandlerConfiguration.xml

@@ -31,11 +31,26 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to perform all processing related to SASL CRAM-MD5
    authentication.
    The CRAM-MD5 SASL mechanism provides the ability for clients to 
    perform password-based authentication in a manner that does not 
    expose their password in the clear. 
  </adm:synopsis>
  <adm:description>
    Rather than including the 
    password in the bind request, the CRAM-MD5 mechanism uses a 
    two-step process in which the client needs only to prove that it 
    knows the password. The server sends randomly-generated data to 
    the client that is to be used in the process, which makes it 
    resistant to replay attacks. The one-way message digest 
    algorithm ensures that the original clear-text password is not 
    exposed.  Note that the algorithm used by the CRAM-MD5 mechanism 
    requires that both the client and the server have access to the 
    clear-text password (or potentially a value that is derived from 
    the clear-text password). In order to authenticate to the server 
    using CRAM-MD5, the password for a user's account must be encoded 
    using a reversible password storage scheme that allows the server 
    to have access to the clear-text value. 
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-cram-md5-sasl-mechanism-handler</ldap:name>
@@ -53,8 +68,10 @@
  </adm:property-override>
  <adm:property name="identity-mapper" mandatory="true">
    <adm:synopsis>
      Specifies the name of the identity mapper that should be used to
      match the client authentication ID to a user entry.
      Specifies the name of the identity mapper used
      with this SASL mechanism handler to match the authentication 
      ID included in the SASL bind request to the corresponding 
      user in the directory.
    </adm:synopsis>
    <adm:syntax>
      <adm:aggregation relation-name="identity-mapper"

 opends/src/admin/defn/org/opends/server/admin/std/DictionaryPasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="dictionary-password-validator"
  plural-name="dictionary-password-validators"
@@ -33,10 +33,16 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable based
    determines whether a proposed password is acceptable based
    on whether the given password value appears in a provided dictionary
    file.
    file. 
  </adm:synopsis>
  <adm:description>
    A large dictionary file is provided with the server, but the 
    administrator can supply an alternate dictionary. In this case, 
    then the dictionary must be a plain-text file with 
    one word per line.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-dictionary-password-validator</ldap:name>
@@ -54,17 +60,34 @@
  </adm:property-override>
  <adm:property name="dictionary-file" mandatory="true">
    <adm:synopsis>
      Specifies the path to the file containing a list of words that may
      not be used as passwords.
      Specifies the path to the file containing a list of words that 
      cannot be used as passwords.
    </adm:synopsis>
    <adm:description>
      It should be formatted with one word per line. The value may be an
      absolute path, or a path that is relative to the
      It should be formatted with one word per line. The value can be an
      absolute path or a path that is relative to the
      <adm:product-name />
      instance root.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>
          For Unix and Linux systems: config/wordlist.txt. 
          For Windows systems: config\\wordlist.txt
        </adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>FILE</adm:usage>
          <adm:synopsis>
          The path to any text file contained on the system that is 
          readable by the server.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -74,16 +97,19 @@
  </adm:property>
  <adm:property name="case-sensitive-validation" mandatory="true">
    <adm:synopsis>
      Indicates whether this password validator should treat password
      Indicates whether this password validator is to treat password
      characters in a case-sensitive manner.
    </adm:synopsis>
    <adm:description>
      A value of false indicates that any differences in capitalization
      should be ignored when looking for consecutive characters in the
      password. A value of true indicates that a character should only
      be considered repeating if all consecutive occurrences use the
      same capitalization.
      If it is set to true, then the validator rejects a password only 
      if it appears in the dictionary with exactly the 
      same capitalization as provided by the user. 
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>false</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:boolean />
    </adm:syntax>
@@ -95,10 +121,21 @@
  </adm:property>
  <adm:property name="test-reversed-password" mandatory="true">
    <adm:synopsis>
      Indicates whether this password validator should test the reversed
      Indicates whether this password validator is to test the reversed
      value of the provided password as well as the order in which it
      was given.
      was given. 
    </adm:synopsis>
    <adm:description>
      For example, if the user provides a new password of 
      "password" and this configuration attribute is set to true, then 
      the value "drowssap" is also tested against attribute values 
      in the user's entry.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>true</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:boolean />
    </adm:syntax>

 opends/src/admin/defn/org/opends/server/admin/std/DigestMD5SASLMechanismHandlerConfiguration.xml

@@ -31,11 +31,22 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    The DIGEST-MD5 SASL mechanism
    is used to perform all processing related to SASL DIGEST-MD5
    authentication.
    authentication. 
  </adm:synopsis>
  <adm:description>
    The DIGEST-MD5 SASL mechanism is very similar 
    to the CRAM-MD5 mechanism in that it allows for password-based 
    authentication without exposing the password in the clear 
    (although it does require that both the client and the server 
    have access to the clear-text password). Like the CRAM-MD5 
    mechanism, it uses data that is randomly generated by the server 
    to make it resistant to replay attacks, but it also includes 
    randomly-generated data from the client, which makes it also 
    resistant to problems resulting from weak server-side random 
    number generation.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-digest-md5-sasl-mechanism-handler</ldap:name>
@@ -53,34 +64,45 @@
  </adm:property-override>
  <adm:property name="realm">
    <adm:synopsis>
      Specifies the realm that should be used by the server for
      Specifies the realm that is to be used by the server for
      DIGEST-MD5 authentication.
    </adm:synopsis>
    <adm:description>
      If this is not provided, then the server will default to using a
      If this value is not provided, then the server defaults to use a
      set of realm names that correspond to the defined suffixes.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will default to a set of realm names that
          The server defaults to a set of realm names that
          correspond to the defined suffixes.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>STRING</adm:usage>
          <adm:synopsis>
            Any realm string. As needed, it be a DN or matched 
            to a realm already in use for another service.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-realm</ldap:name>
      </ldap:attribute>
    </adm:profile>
  </adm:property>
  <adm:property name="identity-mapper" mandatory="true">
  </adm:property> <adm:property name="identity-mapper" mandatory="true">
    <adm:synopsis>
      Specifies the name of the identity mapper that should be used to
      match client authentication and authorization IDs to user entries.
      Specifies the name of the identity mapper that is to be used
      with this SASL mechanism handler to match the authentication
      or authorization
      ID included in the SASL bind request to the corresponding
      user in the directory.
    </adm:synopsis>
    <adm:syntax>
      <adm:aggregation relation-name="identity-mapper"
@@ -109,23 +131,39 @@
  <adm:property name="server-fqdn">
    <adm:synopsis>
      Specifies the DNS-resolvable fully-qualified domain name for the
      system.
      server that is used when validating the digest-uri parameter during 
      the authentication process. 
    </adm:synopsis>
    <adm:description>
      This is the value expected to be present in the host field of the
      digest-uri-value element.
      If this configuration attribute is 
      present, then the server expects that clients use a digest-uri equal 
      to "ldap/" followed by the value of this attribute. For example, if 
      the attribute has a value of "directory.example.com", then the 
      server expects clients to use a digest-uri of 
      "ldap/directory.example.com". If no value is provided, then the 
      server does not attempt to validate the digest-uri provided by the 
      client and accepts any value.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will attempt to dynamically determine the
          fully-qualified domain name.
          The server attempts to determine the
          fully-qualified domain name dynamically.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
    </adm:syntax>
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>STRING</adm:usage>
          <adm:synopsis>
            The fully-qualified address that is expected for clients to use 
            when connecting to the server and authenticating via DIGEST-MD5.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax> 
    <adm:profile name="ldap">
      <ldap:attribute>
        <ldap:name>ds-cfg-server-fqdn</ldap:name>

 opends/src/admin/defn/org/opends/server/admin/std/EntryDNVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-20008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="entry-dn-virtual-attribute"
  plural-name="entry-dn-virtual-attributes"
@@ -33,11 +33,14 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    may be used to generate the entryDN operational attribute, which
    contains a normalized form of the entry's DN.
    generates the entryDN operational attribute in directory entries, 
    which contains a normalized form of the entry's DN.
  </adm:synopsis>
  <adm:description>
    This provides the ability to use search filters containing the
    This attribute is defined in the draft-zeilenga-ldap-entrydn 
    Internet Draft and contains the DN of the entry in which it is 
    contained. 
    This component provides the ability to use search filters containing the
    entry's DN.
  </adm:description>
  <adm:profile name="ldap">

 opends/src/admin/defn/org/opends/server/admin/std/EntryUUIDPluginConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="entry-uuid-plugin"
  plural-name="entry-uuid-plugins" package="org.opends.server.admin.std"
@@ -32,9 +32,29 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to generate values for the entryUUID operational attribute
    generates values for the entryUUID operational attribute
    whenever an entry is added via protocol or imported from LDIF.
  </adm:synopsis>
  <adm:description>
    The entryUUID plug-in ensures that all entries 
    added to the server, whether through an LDAP add operation or via 
    an LDIF import, are assigned an entryUUID operational attribute if 
    they do not already have one. The entryUUID attribute contains a 
    universally unique identifier that can be used to identify an entry 
    in a manner that does not change (even in the event of a modify DN 
    operation). This plug-in generates a random UUID for entries created 
    by an add operation, but the UUID is constructed from the DN of the 
    entry during an LDIF import (which means that the same LDIF file 
    can be imported on different systems but still get the same value 
    for the entryUUID attribute). This behavior is based on the 
    specification contained in RFC 4530. The implementation for the 
    entry UUID plug-in is contained in the 
    org.opends.server.plugins.EntryUUIDPlugin class. It must be 
    configured with the preOperationAdd and ldifImport plug-in types, 
    but it does not have any other custom configuration. This 
    plug-in must be enabled in any directory that is intended to be used 
    in a synchronization environment.  
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-entry-uuid-plugin</ldap:name>

 opends/src/admin/defn/org/opends/server/admin/std/EntryUUIDVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="entry-uuid-virtual-attribute"
  plural-name="entry-uuid-virtual-attributes"
@@ -33,14 +33,14 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    may be used to ensure that all entries contained in private backends
    will have values for the entryUUID operational attribute.
    ensures that all entries contained in private backends
    have values for the entryUUID operational attribute.
  </adm:synopsis>
  <adm:description>
    The entryUUID values will be generated based on a normalized
    representation of the entry's DN, which should not cause a
    consistency problem because we do not allow modify DN operations to
    be performed in private backends.
    The entryUUID values are generated based on a normalized
    representation of the entry's DN, which does not cause a
    consistency problem because OpenDS does not allow modify DN 
    operations to be performed in private backends.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>

 opends/src/admin/defn/org/opends/server/admin/std/ExternalSASLMechanismHandlerConfiguration.xml

@@ -33,7 +33,7 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to perform all processing related to SASL EXTERNAL
    performs all processing related to SASL EXTERNAL
    authentication.
  </adm:synopsis>
  <adm:profile name="ldap">
@@ -86,11 +86,11 @@
  </adm:property>
  <adm:property name="certificate-attribute">
    <adm:synopsis>
      Specifies the name of the attribute that should hold user
      Specifies the name of the attribute to hold user
      certificates.
    </adm:synopsis>
    <adm:description>
      This must specify the name of a valid attribute type defined in
      This property must specify the name of a valid attribute type defined in
      the server schema.
    </adm:description>
    <adm:default-behavior>

 opends/src/admin/defn/org/opends/server/admin/std/FileBasedTrustManagerProviderConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="file-based-trust-manager-provider"
  plural-name="file-based-trust-manager-providers"
@@ -31,13 +31,14 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    provider accesses key information in a file on the local filesystem.
    The file-based trust manager provider determines whether to trust a 
    presented certificate based on whether that certificate exists in a 
    server trust store file. 
  </adm:synopsis>
  <adm:description>
    Multiple file formats may be supported, depending on the providers
    supported by the underlying Java runtime.
    The trust store file can be in either JKS 
    (the default Java key store format) or PKCS#12 (a standard 
    certificate format) form.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -58,16 +59,24 @@
    <adm:TODO>Should use a file-based property definition?</adm:TODO>
    <adm:synopsis>
      Specifies the path to the file containing the trust information.
      It may be an absolute path, or a path that is relative to the
      It can be an absolute path or a path that is relative to the
      <adm:product-name />
      instance root.
    </adm:synopsis>
    <adm:description>
      Changes to this configuration attribute will take effect the next
      Changes to this configuration attribute take effect the next
      time that the trust manager is accessed.
    </adm:description>
    <adm:syntax>
      <adm:string />
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>STRING</adm:usage>
          <adm:synopsis>
            An absolute path or a path that is relative to the OpenDS Directory Server instance root.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -84,17 +93,25 @@
      Specifies the format for the data in the trust store file.
    </adm:synopsis>
    <adm:description>
      Valid values should always include 'JKS' and 'PKCS12', but
      different implementations may allow other values as well. If no
      value is provided, then the JVM-default value will be used.
      Changes to this configuration attribute will take effect the next
      time that the trust manager is accessed.
      Valid values always include 'JKS' and 'PKCS12', but different 
      implementations can allow other values as well. If no value is 
      provided, then the JVM default value is used. Changes to this 
      configuration attribute take effect the next time that the 
      trust manager is accessed.  
    </adm:description>
    <adm:default-behavior>
      <adm:undefined />
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
        <adm:syntax>
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>STRING</adm:usage>
          <adm:synopsis>
            Any key store format supported by the Java runtime environment. The "JKS" and "PKCS12" formats are typically available in Java environments.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>

 opends/src/admin/defn/org/opends/server/admin/std/GSSAPISASLMechanismHandlerConfiguration.xml

@@ -31,11 +31,17 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to perform all processing related to SASL GSSAPI
    The GSSAPI SASL mechanism 
    performs all processing related to SASL GSSAPI
    authentication using Kerberos V5.
  </adm:synopsis>
  <adm:description>
    The GSSAPI SASL mechanism provides the ability for clients 
    to authenticate themselves to the server using existing 
    authentication in a Kerberos environment. This mechanism 
    provides the ability to achieve single sign-on for 
    Kerberos-based clients.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-gssapi-sasl-mechanism-handler</ldap:name>
@@ -53,12 +59,12 @@
  </adm:property-override>
  <adm:property name="realm">
    <adm:synopsis>
      Specifies the realm that should be used for GSSAPI authentication.
      Specifies the realm to be used for GSSAPI authentication.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will attempt to determine the realm from the
          The server attempts to determine the realm from the
          underlying system configuration.
        </adm:synopsis>
      </adm:alias>
@@ -74,16 +80,18 @@
  </adm:property>
  <adm:property name="kdc-address">
    <adm:synopsis>
      Specifies the address of the KDC that should be used for Kerberos
      Specifies the address of the KDC that is to be used for Kerberos
      processing.
    </adm:synopsis>
    <adm:description>
      If provided, this should be a fully-qualified DNS-resolvable name.
      If provided, this property must be a fully-qualified DNS-resolvable name.
      If this property is not provided, then the server attempts to determine it 
      from the system-wide Kerberos configuration.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will attempt to determine the KDC address from the
          The server attempts to determine the KDC address from the
          underlying system configuration.
        </adm:synopsis>
      </adm:alias>
@@ -103,13 +111,13 @@
      Kerberos processing.
    </adm:synopsis>
    <adm:description>
      If provided, this should be either an absolute path or one that is
      If provided, this is either an absolute path or one that is
      relative to the server instance root.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will attempt to use the system-wide default keytab.
          The server attempts to use the system-wide default keytab.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
@@ -130,8 +138,8 @@
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The server will attempt to dynamically determine the
          fully-qualified domain name.
          The server attempts to determine the
          fully-qualified domain name dynamically .
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
@@ -146,8 +154,11 @@
  </adm:property>
  <adm:property name="identity-mapper" mandatory="true">
    <adm:synopsis>
      Specifies the name of the identity mapper that should be used to
      match the Kerberos principal to a user entry.
      Specifies the name of the identity mapper that is to be used
      with this SASL mechanism handler 
      to match the Kerberos principal 
      included in the SASL bind request to the corresponding
      user in the directory.
    </adm:synopsis>
    <adm:syntax>
      <adm:aggregation relation-name="identity-mapper"

 opends/src/admin/defn/org/opends/server/admin/std/HasSubordinatesVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="has-subordinates-virtual-attribute"
  plural-name="has-subordinates-virtual-attributes"
@@ -33,7 +33,7 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    may be used to generate a virtual attribute that indicates whether
    generates a virtual attribute that indicates whether
    the entry has any subordinate entries.
  </adm:synopsis>
  <adm:profile name="ldap">

 opends/src/admin/defn/org/opends/server/admin/std/IsMemberOfVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="is-member-of-virtual-attribute"
  plural-name="is-member-of-virtual-attributes"
@@ -33,7 +33,8 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    may be used to generate a virtual attribute that contains the DNs of
    generates the isMemberOf operational attribute, 
    which contains the DNs of
    the groups in which the user is a member.
  </adm:synopsis>
  <adm:profile name="ldap">

 opends/src/admin/defn/org/opends/server/admin/std/LDAPAttributeDescriptionListPluginConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="ldap-attribute-description-list-plugin"
  plural-name="ldap-attribute-description-list-plugins"
@@ -31,15 +31,23 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    The 
    <adm:user-friendly-name />
    is used to provide the ability to request that search result entries
    include all attributes that are included by a specified object
    class.
    provides the ability for clients to include an attribute list in 
    a search request that names object classes instead of (or in 
    addition to) attributes. 
  </adm:synopsis>
  <adm:description>
    For example, including a requested attribute of "@person" has the
    effect of requesting all attributes in the person object class.
    For example, if a client wishes to 
    retrieve all of the attributes in the inetOrgPerson object class, 
    then that client can include "@inetOrgPerson" in the attribute 
    list rather than naming all of those attributes individually. 
    This behavior is based on the specification contained in RFC 4529.
    The implementation for the LDAP attribute description list plugin 
    is contained in the 
    org.opends.server.plugins.LDAPADListPlugin class. It must be 
    configured with the preParseSearch plugin type, but does not have 
    any other custom configuration.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>

 opends/src/admin/defn/org/opends/server/admin/std/LastModPluginConfiguration.xml

@@ -23,20 +23,28 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="last-mod-plugin"
  plural-name="last-mod-plugins" package="org.opends.server.admin.std"
  extends="plugin" xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    The 
    <adm:user-friendly-name />
    is used to ensure that the creatorsName and createTimestamp
    attributes are included in an entry whenever it is added to the
    server, and to ensure that the modifiersName and modifyTimestamp
    server and also to ensure that the modifiersName and modifyTimestamp
    attributes are updated whenever an entry is modified or renamed.
  </adm:synopsis>
  <adm:description>
    This behavior is described in RFC 4512. The implementation for 
    the LastMod plugin is contained in the 
    org.opends.server.plugins.LastModPlugin class. It must be 
    configured with the preOperationAdd, preOperationModify, and 
    preOperationModifyDN plugin types, but it does not have any 
    other custom configuration. 
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-last-mod-plugin</ldap:name>

 opends/src/admin/defn/org/opends/server/admin/std/LengthBasedPasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="length-based-password-validator"
  plural-name="length-based-password-validators"
@@ -39,8 +39,12 @@
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable based
    on whether the number of characters it contains falls within an
    acceptable range of values.
    acceptable range of values. 
  </adm:synopsis>
  <adm:description>
    Both upper and lower bounds may be 
    defined.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-length-based-password-validator</ldap:name>
@@ -58,12 +62,14 @@
  </adm:property-override>
  <adm:property name="max-password-length">
    <adm:synopsis>
      Specifies the maximum number of characters that may be included in
      a proposed password.
      Specifies the maximum number of characters that can be included in
      a proposed password. 
    </adm:synopsis>
    <adm:description>
      A value of zero indicates that there will be no upper bound
      enforced.
      enforced. If both minimum and maximum lengths 
      are defined, then the minimum length must be less than or equal to 
      the maximum length.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
@@ -71,7 +77,7 @@
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:integer lower-limit="0" />
      <adm:integer lower-limit="0" upper-limit="2147483647"/>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -82,19 +88,22 @@
  <adm:property name="min-password-length">
    <adm:synopsis>
      Specifies the minimum number of characters that must be included
      in a proposed password.
      in a proposed password. 
    </adm:synopsis>
    <adm:description>
      A value of zero indicates that there will be no lower bound
      enforced.
      enforced. 
      If both minimum and maximum lengths 
      are defined, then the minimum length must be less than or equal to 
      the maximum length.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>1</adm:value>
        <adm:value>6</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:integer lower-limit="0" />
      <adm:integer lower-limit="0" upper-limit="2147483647"/>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>

 opends/src/admin/defn/org/opends/server/admin/std/MemberVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="member-virtual-attribute"
  plural-name="user-defined-virtual-attributes"
@@ -33,14 +33,23 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to generate a member or uniqueMember attribute whose values
    are the DNs of the members of a specified group.
    generates a member or uniqueMember attribute whose values are 
    the DNs of the members of a specified virtual static group.
  </adm:synopsis>
  <adm:description>
    This is used to implement virtual static group functionality, in
    which it is possible to create an entry which looks like a static
    group but obtains all of its membership from a dynamic group (or
    some other type of group, including another static group).
    This component is used to implement virtual static group 
    functionality, in which it is possible to create an entry 
    that looks like a static group but obtains all of its 
    membership from a dynamic group (or some other type of 
    group, including another static group).
    This implementation is most efficient when attempting to 
    determine whether a given user is a member of a group 
    (for example, with a filter like 
    "(uniqueMember=uid=john.doe,ou=People,dc=example,dc=com)") 
    when the search does not actually return the membership 
    attribute. Although it works to generate the entire set of 
    values for the member or uniqueMember attribute, this can be 
    an expensive operation for a large group.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -70,10 +79,15 @@
      the virtual attribute.
    </adm:synopsis>
    <adm:description>
      This can be a very expensive operation in some cases, and is not
      in-line with the primary function of virtual static groups, which
      This operation can be very expensive in some cases and is not
      consistent with the primary function of virtual static groups, which
      is to make it possible to use static group idioms to determine
      whether a given user is a member.
      If this attribute is set to false, attempts to retrieve the entire 
      set of values receive an empty set, and only attempts to determine 
      whether the attribute has a specific value or set of values 
      (which is the primary anticipated use for virtual static groups) 
      are handled properly.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>

 opends/src/admin/defn/org/opends/server/admin/std/NumSubordinatesVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="num-subordinates-virtual-attribute"
  plural-name="num-subordinates-virtual-attributes"
@@ -33,7 +33,7 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    may be used to generate a virtual attribute that specifies the
    generates a virtual attribute that specifies the
    number of immediate child entries that exist below the entry.
  </adm:synopsis>
  <adm:profile name="ldap">

 opends/src/admin/defn/org/opends/server/admin/std/PasswordPolicyImportPluginConfiguration.xml

@@ -31,9 +31,9 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    The 
    <adm:user-friendly-name />
    is used to ensure that clear-text passwords contained in LDIF
    ensures that clear-text passwords contained in LDIF
    entries are properly encoded before they are stored in the
    appropriate Directory Server backend.
  </adm:synopsis>
@@ -69,19 +69,19 @@
  <adm:property name="default-user-password-storage-scheme"
    multi-valued="true">
    <adm:synopsis>
      Specifies the names of the password storage schemes that will be
      Specifies the names of the password storage schemes to be
      used for encoding passwords contained in attributes with the user
      password syntax for entries that do not include the
      ds-pwp-password-policy-dn attribute to specify which password
      policy should be used to govern them.
      ds-pwp-password-policy-dn attribute specifying which password
      policy is to be used to govern them.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          If the default password policy uses the attribute with the
          user password syntax, then the server will use the default
          user password syntax, then the server uses the default
          password storage schemes for that password policy. Otherwise,
          it will encode user password values using the "SSHA" scheme.
          it encodes user password values using the "SSHA" scheme.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
@@ -90,8 +90,7 @@
        parent-path="/">
        <adm:constraint>
          <adm:synopsis>
            The referenced password storage schemes must be enabled when
            the
            The referenced password storage schemes must be enabled when the 
            <adm:user-friendly-name />
            is enabled.
          </adm:synopsis>
@@ -115,19 +114,19 @@
  <adm:property name="default-auth-password-storage-scheme"
    multi-valued="true">
    <adm:synopsis>
      Specifies the names of password storage schemes that will be used
      Specifies the names of password storage schemes that to be used
      for encoding passwords contained in attributes with the auth
      password syntax for entries that do not include the
      ds-pwp-password-policy-dn attribute to specify which password
      ds-pwp-password-policy-dn attribute specifying which password
      policy should be used to govern them.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          If the default password policy uses an attribute with the auth
          password syntax, then the server will use the default password
          storage schemes for that password policy. Otherwise, it will
          encode auth password values using the "SHA1" scheme.
          password syntax, then the server uses the default password
          storage schemes for that password policy. Otherwise, it 
          encodes auth password values using the "SHA1" scheme.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
@@ -137,9 +136,7 @@
        <adm:constraint>
          <adm:synopsis>
            The referenced password storage schemes must be enabled when
            the
            <adm:user-friendly-name />
            is enabled.
            the Password Policy Import plug-in is enabled.
          </adm:synopsis>
          <adm:target-needs-enabling-condition>
            <adm:contains property="enabled" value="true" />

 opends/src/admin/defn/org/opends/server/admin/std/PasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="password-validator"
  plural-name="password-validators"
@@ -33,9 +33,21 @@
  xmlns:cli="http://www.opends.org/admin-cli">
  <adm:synopsis>
    <adm:user-friendly-plural-name />
    are responsible for determining whether proposed passwords are
    acceptable for use.
    are responsible for determining whether a proposed password is 
    acceptable for use and could include checks like ensuring it 
    meets minimum length requirements, that it has an appropriate 
    range of characters, or that it is not in the history. 
  </adm:synopsis>
  <adm:description>
    The password policy for a user specifies the set of password 
    validators that should be used whenever that user provides a 
    new password. In order to activate a password validator, the 
    corresponding configuration entry must be enabled, and the DN 
    of that entry should be included in the password-validator 
    attribute of the password policy in which you want that 
    validator active. All password validator configuration entries 
    must contain the password-validator structural objectclass.    
  </adm:description>
  <adm:tag name="user-management" />
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -48,9 +60,8 @@
  </adm:profile>
  <adm:property name="enabled" mandatory="true">
    <adm:synopsis>
      Indicate whether the
      <adm:user-friendly-name />
      is enabled for use.
      Indicates whether the
      password validator is enabled for use.
    </adm:synopsis>
    <adm:syntax>
      <adm:boolean />
@@ -63,10 +74,12 @@
  </adm:property>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
      Specifies the fully-qualified name of the Java class that provides the
      password validator implementation.
    </adm:synopsis>
    <adm:requires-admin-action>
      <adm:component-restart />
    </adm:requires-admin-action>
    <adm:syntax>
      <adm:java-class>
        <adm:instance-of>

 opends/src/admin/defn/org/opends/server/admin/std/PlainSASLMechanismHandlerConfiguration.xml

@@ -33,9 +33,19 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to perform all processing related to SASL PLAIN
    performs all processing related to SASL PLAIN
    authentication.
  </adm:synopsis>
  <adm:description>
    The PLAIN SASL mechanism provides the ability for clients to 
    authenticate using a username and password. This authentication 
    is very similar to standard LDAP simple authentication, with the 
    exception that it can authenticate based on an authentication ID 
    (for example, a username) rather than requiring a full DN, and 
    it can also include an authorization ID in addition to the 
    authentication ID. Note that the SASL PLAIN mechanism does not 
    make any attempt to protect the password.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-plain-sasl-mechanism-handler</ldap:name>
@@ -53,8 +63,10 @@
  </adm:property-override>
  <adm:property name="identity-mapper" mandatory="true">
    <adm:synopsis>
      Specifies the name of the identity mapper that should be used to
      match client authentication and authorization IDs to user entries.
      Specifies the name of the identity mapper that is to be used 
      with this SASL mechanism handler to match the authentication or 
      authorization ID included in the SASL bind request to the 
      corresponding user in the directory.
    </adm:synopsis>
    <adm:syntax>
      <adm:aggregation relation-name="identity-mapper"

 opends/src/admin/defn/org/opends/server/admin/std/PluginConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="plugin" plural-name="plugins"
  package="org.opends.server.admin.std"
@@ -49,9 +49,8 @@
  </adm:profile>
  <adm:property name="enabled" mandatory="true">
    <adm:synopsis>
      Indicate whether the
      <adm:user-friendly-name />
      is enabled for use.
      Indicates whether the
      plug-in is enabled for use.
    </adm:synopsis>
    <adm:syntax>
      <adm:boolean />
@@ -64,9 +63,8 @@
  </adm:property>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
      Specifies the fully-qualified name of the Java class that provides the
      plug-in implementation.
    </adm:synopsis>
    <adm:syntax>
      <adm:java-class>
@@ -84,8 +82,7 @@
  <adm:property name="plugin-type" mandatory="true"
    multi-valued="true">
    <adm:synopsis>
      The plugin types, which define the conditions under which this
      plugin should be invoked.
      Specifies the set of plug-in types for the plug-in, which specifies the times at which the plug-in is invoked. 
    </adm:synopsis>
    <adm:requires-admin-action>
      <adm:component-restart />
@@ -371,13 +368,13 @@
  </adm:property>
  <adm:property name="invoke-for-internal-operations" advanced="true">
    <adm:synopsis>
      Indicates whether the plugin should be invoked for internal
      Indicates whether the plug-in should be invoked for internal
      operations.
    </adm:synopsis>
    <adm:description>
      Note that any plugin which may be invoked for internal operations
      should be careful to ensure that they do not create any new
      internal operatons that can cause the same plugin to be
      Any plug-in that can be invoked for internal operations
      must ensure that it does not create any new
      internal operatons that can cause the same plug-in to be
      re-invoked.
    </adm:description>
    <adm:default-behavior>

 opends/src/admin/defn/org/opends/server/admin/std/ProfilerPluginConfiguration.xml

@@ -23,16 +23,15 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="profiler-plugin"
  plural-name="profiler-plugins" package="org.opends.server.admin.std"
  extends="plugin" xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to capture profiling information about operations performed
    The Profiler plug-in
    captures profiling information about operations performed
    inside the JVM while the Directory Server is running.
  </adm:synopsis>
  <adm:profile name="ldap">
@@ -66,19 +65,25 @@
  </adm:property-override>
  <adm:property name="profile-sample-interval" mandatory="true">
    <adm:synopsis>
      Specifies the sample interval that should be used when capturing
      profiling information in the server.
      Specifies the sample interval in milliseconds to be used when 
      capturing profiling information in the server. 
    </adm:synopsis>
    <adm:description>
      When capturing 
      data, the profiler thread sleeps for this length of time 
      between calls to obtain traces for all threads running in the 
      JVM.
    </adm:description>
    <adm:requires-admin-action>
      <adm:none>
        <adm:synopsis>
          Changes to this configuration attribute will take effect the
          Changes to this configuration attribute take effect the
          next time the profiler is started.
        </adm:synopsis>
      </adm:none>
    </adm:requires-admin-action>
    <adm:syntax>
      <adm:duration lower-limit="1" base-unit="ms" />
      <adm:duration lower-limit="1" upper-limit="2147483647" base-unit="ms" />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -88,15 +93,26 @@
  </adm:property>
  <adm:property name="profile-directory" mandatory="true">
    <adm:synopsis>
      Specifies the path to the directory into which profile information
      will be written.
      Specifies the path to the directory where profile information
      is to be written. This path may be either an absolute path or a path 
      that is relative to the root of the OpenDS Directory Server 
      instance.
    </adm:synopsis>
    <adm:description>
      The directory must exist and the Directory Server must have
      permission to create new files in it.
    </adm:description>
    <adm:syntax>
      <adm:string />
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>DIR</adm:usage>
          <adm:synopsis>
            The path to any directory that exists on the filesystem 
            and that can be read and written by the server user.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -106,12 +122,16 @@
  </adm:property>
  <adm:property name="enable-profiling-on-startup" mandatory="true">
    <adm:synopsis>
      Indicates whether the profiler plugin should start collecting data
      Indicates whether the profiler plug-in is to start collecting data
      automatically when the Directory Server is started.
    </adm:synopsis>
    <adm:description>
      This will only be read when the server is started, and any changes
      will take effect on the next restart.
      This property is read only when the server is 
      started, and any changes take effect on the next restart.
      This property is typically set to "false" unless startup 
      profiling is required, because otherwise the volume of data that 
      can be collected can cause the server to run out of memory if it 
      is not turned off in a timely manner.
    </adm:description>
    <adm:syntax>
      <adm:boolean />
@@ -127,12 +147,12 @@
      Specifies the action that should be taken by the profiler.
    </adm:synopsis>
    <adm:description>
      A value of "start" will cause the profiler thread to start
      A value of "start" causes the profiler thread to start
      collecting data if it is not already active. A value of "stop"
      will cause the profiler thread to stop collecting data and write
      it do disk, and a value of "cancel" will cause the profiler thread
      causes the profiler thread to stop collecting data and write
      it to disk, and a value of "cancel" causes the profiler thread
      to stop collecting data and discard anything that has been
      captured. These operations will occur immediately.
      captured. These operations occur immediately.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>

 opends/src/admin/defn/org/opends/server/admin/std/ReferentialIntegrityPluginConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="referential-integrity-plugin"
  plural-name="referential-integrity-plugins"
@@ -31,17 +31,18 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    The 
    <adm:user-friendly-name />
    is used to maintain referential integrity for DN valued attributes.
    maintains referential integrity for DN valued attributes.
  </adm:synopsis>
  <adm:description>
    The values of these attributes may reference entries that have been
    The values of these attributes can reference entries that have been
    deleted by a delete operation or renamed by a modify DN operation.
    The referential integrity plugin will remove stale references to
    deleted entries or update references to renamed entries. The
    referential integrity plugin allows the scope of this referential
    check to be limited to a set of base DNs if desired. It also can be
    The referential integrity plug-in either removes stale references to
    deleted entries or updates references to renamed entries. The
    plug-in allows the scope of this referential
    check to be limited to a set of base DNs if desired. The plug-in 
    also can be
    configured to perform the referential checking in the background
    mode specified intervals.
  </adm:description>
@@ -73,12 +74,12 @@
    multi-valued="true">
    <adm:synopsis>
      Specifies the attribute types for which referential integrity
      should be maintained.
      is to be maintained.
    </adm:synopsis>
    <adm:description>
      There must be at least one attribute type specified and the syntax
      of them must either be distinguished name
      (1.3.6.1.4.1.1466.115.121.1.12) or name and optional uid
      At least one attribute type must be specified, and the syntax
      of any attributes must be either a distinguished name
      (1.3.6.1.4.1.1466.115.121.1.12) or name and optional UID
      (1.3.6.1.4.1.1466.115.121.1.34).
    </adm:description>
    <adm:syntax>
@@ -92,13 +93,13 @@
  </adm:property>
  <adm:property name="base-dn" multi-valued="true">
    <adm:synopsis>
      Specifies the scope within which referential integrity will be
      maintained.
      Specifies the base DN that limits the scope within which 
      referential integrity is maintained.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          Referential integrity will be maintained in all public naming
          Referential integrity is maintained in all public naming
          contexts.
        </adm:synopsis>
      </adm:alias>
@@ -114,11 +115,11 @@
  </adm:property>
  <adm:property name="log-file">
    <adm:synopsis>
      Specifies the log file location where the update records will be
      written when the plugin is in background mode processing.
      Specifies the log file location where the update records are
      written when the plug-in is in background-mode processing.
    </adm:synopsis>
    <adm:description>
      The default location is in the logs directory of the server
      The default location is the logs directory of the server
      instance, using the file name "referint".
    </adm:description>
    <adm:default-behavior>
@@ -127,7 +128,15 @@
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>FILE</adm:usage>
          <adm:synopsis>
            A path to an existing file that is readable by the server.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -137,8 +146,8 @@
  </adm:property>
  <adm:property name="update-interval">
    <adm:synopsis>
      Specifies the interval, in seconds, when referential integrity
      updates will be made.
      Specifies the interval in seconds when referential integrity
      updates are made.
    </adm:synopsis>
    <adm:description>
      If this value is 0, then the updates are made synchronously in the

 opends/src/admin/defn/org/opends/server/admin/std/RepeatedCharactersPasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="repeated-characters-password-validator"
  plural-name="repeated-characters-password-validators"
@@ -35,8 +35,13 @@
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable based
    on the number of times any character may appear consecutively in a
    password value.
    password value. 
  </adm:synopsis>
  <adm:description>
    It ensures that user passwords do not contain strings 
    of the same character repeated several times, like "aaaaaa" or 
    "aaabbb".
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>
@@ -56,15 +61,20 @@
  </adm:property-override>
  <adm:property name="max-consecutive-length" mandatory="true">
    <adm:synopsis>
      Specifies the maximum number of times that any character may
      Specifies the maximum number of times that any character can
      appear consecutively in a password value.
    </adm:synopsis>
    <adm:description>
      A value of zero indicates that there will be no maximum limit
      enforced.
      enforced. 
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>2</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:integer lower-limit="0" />
      <adm:integer lower-limit="0" upper-limit="2147483647"/>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -78,12 +88,18 @@
      characters in a case-sensitive manner.
    </adm:synopsis>
    <adm:description>
      A value of false indicates that any differences in capitalization
      should be ignored when looking for consecutive characters in the
      password. A value of true indicates that a character should only
      be considered repeating if all consecutive occurrences use the
      same capitalization.
      If the value of this property is false, the validator ignores
      any differences in capitalization
      when looking for consecutive characters in the
      password. If the value is true, the validator considers a 
      character to be repeating only if all consecutive occurrences 
      use the same capitalization.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>false</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:boolean />
    </adm:syntax>

 opends/src/admin/defn/org/opends/server/admin/std/ReplicationDomainConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="replication-domain"
  plural-name="replication-domains"
@@ -74,8 +74,7 @@
  <adm:property name="server-id" mandatory="true" read-only="true">
    <adm:synopsis>
      Specifies a unique identifier for the Directory Server within the
      <adm:user-friendly-name />
      .
      <adm:user-friendly-name />.
    </adm:synopsis>
    <adm:description>
      Each Directory Server within the same
@@ -134,10 +133,10 @@
      use when communicating with Replication Servers.
    </adm:synopsis>
    <adm:description>
      The Directory Server will expect a regular heart-beat coming from
      The Directory Server expects a regular heart-beat coming from
      the Replication Server within the specified interval. If a
      heartbeat is not received within the interval, the Directory
      Server will close its connection and connect to another
      Server closes its connection and connects to another
      Replication Server.
    </adm:description>
    <adm:default-behavior>
@@ -172,10 +171,10 @@
          <adm:synopsis>
            Indicates that updates should be accepted even though it is
            not possible to send them to any Replication Server. Best
            effort will be made to re-send those updates to a
            effort is made to re-send those updates to a
            Replication Servers when one of them is available, however
            those changes will be at risk because they will only be
            available from the historical information. This mode may
            those changes are at risk because they are only 
            available from the historical information. This mode can
            also introduce high replication latency.
          </adm:synopsis>
        </adm:value>
@@ -183,7 +182,7 @@
          <adm:synopsis>
            Indicates that all updates attempted on this
            <adm:user-friendly-name />
            will be rejected when no Replication Server is available.
            are rejected when no Replication Server is available.
          </adm:synopsis>
        </adm:value>
      </adm:enumeration>

 opends/src/admin/defn/org/opends/server/admin/std/ReplicationServerConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="replication-server"
  plural-name="replication-servers"
@@ -32,7 +32,7 @@
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    <adm:user-friendly-plural-name />
    are used to publish updates to Directory Servers within a
    publish updates to Directory Servers within a
    Replication Domain.
  </adm:synopsis>
  <adm:tag name="replication" />
@@ -48,7 +48,7 @@
      <adm:user-friendly-plural-name />
      to which this
      <adm:user-friendly-name />
      should try to connect at startup time.
      tries to connect at startup time.
    </adm:synopsis>
    <adm:description>
      Addresses must be specified using the syntax: hostname:port
@@ -77,8 +77,7 @@
    read-only="true">
    <adm:synopsis>
      Specifies a unique identifier for the
      <adm:user-friendly-name />
      .
      <adm:user-friendly-name />.
    </adm:synopsis>
    <adm:description>
      Each
@@ -98,9 +97,8 @@
    <adm:synopsis>
      Specifies the window size that the
      <adm:user-friendly-name />
      will use when communicating with other
      <adm:user-friendly-plural-name />
      .
      uses when communicating with other
      <adm:user-friendly-plural-name />.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:defined>
@@ -118,7 +116,7 @@
  </adm:property>
  <adm:property name="queue-size" advanced="true">
    <adm:synopsis>
      Specifies the number of changes that will be kept in memory for
      Specifies the number of changes that are kept in memory for
      each Directory Server in the Replication Domain.
    </adm:synopsis>
    <adm:default-behavior>
@@ -140,7 +138,7 @@
    <adm:synopsis>
      The path where the
      <adm:user-friendly-name />
      will store all persistent information.
      stores all persistent information.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:defined>
@@ -160,7 +158,7 @@
    <adm:synopsis>
      The time (in seconds) after which the
      <adm:user-friendly-name />
      will erase all persistent information.
      erases all persistent information.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:defined>
@@ -180,7 +178,7 @@
    <adm:synopsis>
      The port on which this
      <adm:user-friendly-name />
      will wait for connections from other
      waits for connections from other
      <adm:user-friendly-plural-name />
      or Directory Servers.
    </adm:synopsis>

 opends/src/admin/defn/org/opends/server/admin/std/ReplicationSynchronizationProviderConfiguration.xml

@@ -35,7 +35,7 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to provide multi-master replication of data across multiple
    provides multi-master replication of data across multiple
    Directory Server instances.
  </adm:synopsis>
  <adm:profile name="ldap">
@@ -81,10 +81,10 @@
  </adm:property-override>
  <adm:property name="num-update-replay-threads" mandatory="false" read-only="false" advanced="true">
    <adm:synopsis>
      Specifies the number of update replay threads
      Specifies the number of update replay threads. 
    </adm:synopsis>
    <adm:description>
      This is the number of threads created for replaying every updates
      This value is the number of threads created for replaying every updates
      received for all the replication domains.
    </adm:description>
    <adm:default-behavior>

 opends/src/admin/defn/org/opends/server/admin/std/RootDNConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="root-dn" plural-name="root-dns"
  package="org.opends.server.admin.std"
@@ -34,7 +34,7 @@
    <adm:user-friendly-name />
    configuration contains all the Root DN Users defined in the
    Directory Server. In addition, it also defines the default set of
    privileges that Root DN Users will automatically inherit.
    privileges that Root DN Users automatically inherit.
  </adm:synopsis>
  <adm:tag name="core" />
  <adm:profile name="ldap">

 opends/src/admin/defn/org/opends/server/admin/std/RootDNUserConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="root-dn-user" plural-name="root-dn-users"
  package="org.opends.server.admin.std"
@@ -32,8 +32,8 @@
  <adm:synopsis>
    A
    <adm:user-friendly-name />
    are administrative users who may be granted special privileges which
    are not available to non-root users (e.g., the ability to bind to
    are administrative users who can granted special privileges that
    are not available to non-root users (for example, the ability to bind to
    the server in lockdown mode).
  </adm:synopsis>
  <adm:description>
@@ -51,13 +51,13 @@
  </adm:profile>
  <adm:property name="alternate-bind-dn" multi-valued="true">
    <adm:synopsis>
      Specifies one or more alternate DNs that may be used to bind to
      Specifies one or more alternate DNs that can be used to bind to
      the server as this root user.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          This root user will only be allowed to bind using the DN of
          This root user is allowed to bind only using the DN of
          the associated configuration entry.
        </adm:synopsis>
      </adm:alias>

 opends/src/admin/defn/org/opends/server/admin/std/RootDSEBackendConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="root-dse-backend"
  plural-name="root-dse-backends" package="org.opends.server.admin.std"
@@ -35,8 +35,8 @@
    contains the Directory Server root DSE.
  </adm:synopsis>
  <adm:description>
    This is a special meta-backend that will dynamically generate the
    root DSE entry for base-level searches, and will simply redirect to
    This is a special meta-backend that dynamically generates the
    root DSE entry for base-level searches and simply redirects to
    other backends for operations in other scopes.
  </adm:description>
  <adm:tag name="core" />
@@ -49,14 +49,14 @@
  </adm:profile>
  <adm:property name="subordinate-base-dn" multi-valued="true">
    <adm:synopsis>
      Specifies the set of base DNs that will be used for singleLevel,
      Specifies the set of base DNs used for singleLevel,
      wholeSubtree, and subordinateSubtree searches based at the root
      DSE.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The set of all user-defined suffixes will be used.
          The set of all user-defined suffixes is used.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
@@ -71,7 +71,7 @@
  </adm:property>
  <adm:property name="show-all-attributes" mandatory="true">
    <adm:synopsis>
      Indicates whether all attributes in the root DSE should be treated
      Indicates whether all attributes in the root DSE are to be treated
      like user attributes (and therefore returned to clients by
      default) regardless of the Directory Server schema configuration.
    </adm:synopsis>

 opends/src/admin/defn/org/opends/server/admin/std/SASLMechanismHandlerConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="sasl-mechanism-handler"
  plural-name="sasl-mechanism-handlers"
@@ -32,10 +32,16 @@
  xmlns:ldap="http://www.opends.org/admin-ldap"
  xmlns:cli="http://www.opends.org/admin-cli">
  <adm:synopsis>
    <adm:user-friendly-plural-name />
    are responsible for the processing associated with SASL bind
    operations.
   The SASL mechanism handler configuration entry is the parent 
   for all SASL mechanism handlers defined in the OpenDS 
   Directory Server. 
  </adm:synopsis>
  <adm:description>
    SASL mechanism handlers are responsible for 
   authenticating users during the course of processing a SASL 
   (Simple Authentication and Security Layer, as defined in 
   RFC 4422) bind. 
  </adm:description>
  <adm:tag name="security" />
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -48,9 +54,8 @@
  </adm:profile>
  <adm:property name="enabled" mandatory="true">
    <adm:synopsis>
      Indicate whether the
      <adm:user-friendly-name />
      is enabled for use.
      Indicates whether the
      SASL mechanism handler is enabled for use.
    </adm:synopsis>
    <adm:syntax>
      <adm:boolean />
@@ -63,10 +68,12 @@
  </adm:property>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
      Specifies the fully-qualified name of the Java class that provides the
      SASL mechanism handler implementation.
    </adm:synopsis>
    <adm:requires-admin-action>
      <adm:component-restart />
    </adm:requires-admin-action>
    <adm:syntax>
      <adm:java-class>
        <adm:instance-of>

 opends/src/admin/defn/org/opends/server/admin/std/SevenBitCleanPluginConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="seven-bit-clean-plugin"
  plural-name="seven-bit-clean-plugins"
@@ -31,18 +31,18 @@
  xmlns:adm="http://www.opends.org/admin"
  xmlns:ldap="http://www.opends.org/admin-ldap">
  <adm:synopsis>
    The
    The 
    <adm:user-friendly-name />
    may be used to ensure that values for a specified set of attributes
    ensures that values for a specified set of attributes
    are 7-bit clean.
  </adm:synopsis>
  <adm:description>
    That is, for those attributes, the values are not allowed to contain
    any bytes having the high-order bit set, which is used to indicate
    the presence of non-ASCII characters. Some applications may not
    the presence of non-ASCII characters. Some applications do not
    properly handle attribute values that contain non-ASCII characters,
    and this plugin may help ensure that attributes used by those
    applications do not contain characters which may cause problems in
    and this plug-in can help ensure that attributes used by those
    applications do not contain characters that can cause problems in
    those applications.
  </adm:description>
  <adm:profile name="ldap">
@@ -94,7 +94,7 @@
  </adm:property>
  <adm:property name="base-dn" multi-valued="true">
    <adm:synopsis>
      Specifies the base DN below which the checking will be performed.
      Specifies the base DN below which the checking is performed.
    </adm:synopsis>
    <adm:description>
      Any attempt to update a value for one of the configured attributes

 opends/src/admin/defn/org/opends/server/admin/std/SimilarityBasedPasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="similarity-based-password-validator"
  plural-name="similarity-based-password-validators"
@@ -33,10 +33,22 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable based
    on whether the number of characters it contains falls within an
    acceptable range of values.
    determines whether a proposed password is acceptable by measuring 
    how similar it is to the user's current password. 
  </adm:synopsis>
  <adm:description>  
    In particular, 
    it uses the Levenshtein Distance algorithm to determine the 
    minimum number of changes (where a change may be inserting, 
    deleting, or replacing a character) to transform one string into 
    the other. It can be used to prevent users from making only minor 
    changes to their current password when setting a new password. 
    Note that for this password validator to be effective, it is 
    necessary to have access to the user's current password. 
    Therefore, if this password validator is to be enabled, the 
    password-change-requires-current-password attribute in the 
    password policy configuration must also be set to true.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-similarity-based-password-validator</ldap:name>
@@ -57,11 +69,11 @@
      Specifies the minimum difference of new and old password.
    </adm:synopsis>
    <adm:description>
      A value of zero indicates that there will be no difference is
      A value of zero indicates that no difference between passwords is
      acceptable.
    </adm:description>
    <adm:syntax>
      <adm:integer lower-limit="0" />
      <adm:integer lower-limit="0" upper-limit="2147483647"/>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>

 opends/src/admin/defn/org/opends/server/admin/std/SubschemaSubentryVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="subschema-subentry-virtual-attribute"
  plural-name="subschema-subentry-virtual-attributes"
@@ -33,9 +33,9 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    may be used to generate a virtual attribute that specifies the
    location of the subschemaSubentry with the schema definitions in
    effect for the entry.
      generates a virtual attribute that specifies the location of the 
      subschemaSubentry with the schema definitions in effect for the 
      entry. This attribute is defined in RFC 4512.
  </adm:synopsis>
  <adm:profile name="ldap">
    <ldap:object-class>

 opends/src/admin/defn/org/opends/server/admin/std/SynchronizationProviderConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="synchronization-provider"
  plural-name="synchronization-providers"
@@ -33,9 +33,23 @@
  xmlns:cli="http://www.opends.org/admin-cli">
  <adm:synopsis>
    <adm:user-friendly-plural-name />
    are responsible for handling Synchronization of the Directory Server
    are responsible for handling synchronization of the Directory Server
    data with other OpenDS instances or other data repositories.
  </adm:synopsis>
  <adm:description>
    The OpenDS Directory Server takes a centralized approach to 
    replication, rather than the point-to-point approach taken by Sun 
    Java System Directory Server. In OpenDS, one or more replication 
    servers are created in the environment. The replication servers 
    typically do not store user data but keep a log of all changes made 
    within the topology. Each Directory Server instance in the topology 
    is pointed at the replication servers. This plan simplifies the 
    deployment and management of the environment. Although you can run 
    the replication server on the same system (or even in the same 
    instance) as the Directory Server, the two servers can be separated 
    onto different systems. This approach can provide better performance 
    or functionality in large environments.
  </adm:description>
  <adm:tag name="replication" />
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -48,7 +62,7 @@
  </adm:profile>
  <adm:property name="enabled" mandatory="true">
    <adm:synopsis>
      Indicate whether the
      Indicates whether the
      <adm:user-friendly-name />
      is enabled for use.
    </adm:synopsis>
@@ -63,7 +77,7 @@
  </adm:property>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      Specifies the fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
    </adm:synopsis>

 opends/src/admin/defn/org/opends/server/admin/std/TraditionalWorkQueueConfiguration.xml

@@ -37,6 +37,24 @@
    watch a queue and pick up an operation to process whenever one
    becomes available.
  </adm:synopsis>
  <adm:description>
    The traditional work queue is named that because its implementation 
    is similar to that used by the Sun Java System Directory Server. 
    The traditional work queue is a FIFO queue serviced by a fixed 
    number of worker threads. However, there are a couple of notable 
    differences in its design: 1) The number of worker threads is fixed, 
    but it can be changed on the fly and those changes take effect 
    immediately. In the Sun Java System Directory Server, changes to the 
    number of worker threads require a server restart to take effect. 
    2) The work queue in the Sun Java System Directory Server is 
    unbounded. If all threads are busy processing existing operations 
    and new requests arrive, they continue to accumulate in the work 
    queue and the server appears to be frozen. In the OpenDS Directory 
    Server, it is possible to place a size limit on the work queue. 
    When this number of operations are in the queue, waiting to be 
    picked up by threads, any new requests received are rejected with 
    an error message. 
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-traditional-work-queue</ldap:name>
@@ -54,11 +72,17 @@
  </adm:property-override>
  <adm:property name="num-worker-threads" mandatory="true">
    <adm:synopsis>
      The number of worker threads that should be used to process
      operations placed into the queue.
    </adm:synopsis>
      Specifies the number of worker threads to be used for processing
      operations placed in the queue. 
  </adm:synopsis>
  <adm:description>
      If the value is increased, 
      the additional worker threads are created immediately. If the 
      value is reduced, the appropriate number of threads are destroyed 
      as operations complete processing.
    </adm:description>
    <adm:syntax>
      <adm:integer lower-limit="1" />
      <adm:integer lower-limit="1" upper-limit="2147483647" />
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -68,23 +92,28 @@
  </adm:property>
  <adm:property name="max-work-queue-capacity">
    <adm:synopsis>
      The maximum number of queued operations that can be in the work
      Specifies the maximum number of queued operations that can be in the work
      queue at any given time.
    </adm:synopsis>
    <adm:description>
      If the work queue is already full and additional requests are
      received by the server, they will be rejected.
      received by the server, the requests are rejected.
      A value of zero indicates that there is no limit to the size 
      of the queue.
    </adm:description>
    <adm:requires-admin-action>
      <adm:server-restart />
    </adm:requires-admin-action>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The work queue will not impose any limit on the number of
          The work queue does not impose any limit on the number of
          operations that can be enqueued at any one time.
        </adm:synopsis>
      </adm:alias>
    </adm:default-behavior>
    <adm:syntax>
      <adm:integer lower-limit="0" />
      <adm:integer lower-limit="0" upper-limit="2147483647"/>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>

 opends/src/admin/defn/org/opends/server/admin/std/TrustManagerProviderConfiguration.xml

@@ -33,7 +33,7 @@
  xmlns:cli="http://www.opends.org/admin-cli">
  <adm:synopsis>
    <adm:user-friendly-plural-name />
    are responsible for determining whether to trust presented
    determine whether to trust presented
    certificates.
  </adm:synopsis>
  <adm:tag name="security" />

 opends/src/admin/defn/org/opends/server/admin/std/UniqueAttributePluginConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="unique-attribute-plugin"
  plural-name="unique-attribute-plugins"
@@ -33,7 +33,7 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used enforce constraints on the value of an attribute within a
    enforces constraints on the value of an attribute within a
    portion of the directory.
  </adm:synopsis>
  <adm:description>
@@ -83,12 +83,12 @@
  </adm:property>
  <adm:property name="base-dn" multi-valued="true">
    <adm:synopsis>
      Specifies a base DN that the attribute must be unique within.
      Specifies a base DN within which the attribute must be unique.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The plugin will use the server's public naming contexts in the
          The plug-in uses the server's public naming contexts in the
          searches.
        </adm:synopsis>
      </adm:alias>

 opends/src/admin/defn/org/opends/server/admin/std/UniqueCharactersPasswordValidatorConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="unique-characters-password-validator"
  plural-name="unique-characters-password-validators"
@@ -33,9 +33,13 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to determine whether a proposed password is acceptable based
    determines whether a proposed password is acceptable based
    on the number of unique characters that it contains.
  </adm:synopsis>
  <adm:description>
    This validator can be used to prevent simple passwords that contain only 
    a few characters like "aabbcc" or "abcabc".
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
      <ldap:name>ds-cfg-unique-characters-password-validator</ldap:name>
@@ -57,11 +61,16 @@
      will be allowed to contain.
    </adm:synopsis>
    <adm:description>
      A value of zero indicates that there will be no minimum value
      A value of zero indicates that no minimum value is
      enforced.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>5</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:integer lower-limit="0" />
      <adm:integer lower-limit="0" upper-limit="2147483647"/>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -75,12 +84,17 @@
      characters in a case-sensitive manner.
    </adm:synopsis>
    <adm:description>
      A value of true indicates that a capital letter should not be
      considered the same as its lower-case counterpart. A value of
      false indicates that differences in capitalization should be
      ignored when looking at the number of unique characters in the
      password.
      If the value of this property is true, then the validator does 
      not consider a capital letter to be the same as its lower-case 
      counterpart. If the value is false, the validator ignores 
      differences in capitalization when counting the number of 
      unique characters in the password.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>false</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:boolean />
    </adm:syntax>

 opends/src/admin/defn/org/opends/server/admin/std/UserDefinedVirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="user-defined-virtual-attribute"
  plural-name="user-defined-virtual-attributes"
@@ -33,13 +33,13 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is used to create virtual attributes with user-defined values in
    entries that match the criteria defined in the plugin's
    creates virtual attributes with user-defined values in
    entries that match the criteria defined in the plug-in's
    configuration.
  </adm:synopsis>
  <adm:description>
    This provides functionality that is similar to Class of Service
    (CoS) in the Sun Java System Directory Server.
    The functionality of these attributes is similar to Class 
    of Service (CoS) in the Sun Java System Directory Server.
  </adm:description>
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -58,7 +58,7 @@
  </adm:property-override>
  <adm:property name="value" mandatory="true" multi-valued="true">
    <adm:synopsis>
      Specifies the value(s) which should be included in virtual
      Specifies the values to be included in the virtual
      attribute.
    </adm:synopsis>
    <adm:syntax>

 opends/src/admin/defn/org/opends/server/admin/std/VirtualAttributeConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="virtual-attribute"
  plural-name="virtual-attributes" package="org.opends.server.admin.std"
@@ -32,9 +32,13 @@
  xmlns:cli="http://www.opends.org/admin-cli">
  <adm:synopsis>
    <adm:user-friendly-plural-name />
    are responsible for dynamically generating attribute values which
    are responsible for dynamically generating attribute values that
    appear in entries but are not persistently stored in the backend.
  </adm:synopsis>
  <adm:description>
    Virtual attributes are associated with a virtual attribute 
    provider, which contains the logic for generating the value.
  </adm:description>
  <adm:tag name="core" />
  <adm:profile name="ldap">
    <ldap:object-class>
@@ -47,10 +51,12 @@
  </adm:profile>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
      Specifies the fully-qualified name of the virtual attribute 
      provider class that generates the attribute values.
    </adm:synopsis>
    <adm:requires-admin-action>
      <adm:component-restart />
    </adm:requires-admin-action>
    <adm:syntax>
      <adm:java-class>
        <adm:instance-of>
@@ -66,7 +72,7 @@
  </adm:property>
  <adm:property name="enabled" mandatory="true">
    <adm:synopsis>
      Indicate whether the
      Indicates whether the
      <adm:user-friendly-name />
      is enabled for use.
    </adm:synopsis>
@@ -81,7 +87,7 @@
  </adm:property>
  <adm:property name="attribute-type" mandatory="true">
    <adm:synopsis>
      Specifies the attribute type for the attribute whose values should
      Specifies the attribute type for the attribute whose values are to
      be dynamically assigned by the virtual attribute.
    </adm:synopsis>
    <adm:syntax>
@@ -96,12 +102,16 @@
  <adm:property name="base-dn" multi-valued="true">
    <adm:synopsis>
      Specifies the base DNs for the branches containing entries that
      may be eligible to use this virtual attribute.
      are eligible to use this virtual attribute.
    </adm:synopsis>
    <adm:description>
      If no values are given, then the server generates virtual attributes 
      anywhere in the server.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          The location of the entry in the server will not be taken into
          The location of the entry in the server is not taken into
          account when determining whether an entry is eligible to use
          this virtual attribute.
        </adm:synopsis>
@@ -118,13 +128,19 @@
  </adm:property>
  <adm:property name="group-dn" multi-valued="true">
    <adm:synopsis>
      Specifies the DNs of the groups whose members may be eligible to
      Specifies the DNs of the groups whose members can be eligible to
      use this virtual attribute.
    </adm:synopsis>
    <adm:description>
      If no values are given, then group 
      membership is not taken into account when generating the virtual 
      attribute. If one or more group DNs are specified, then only 
      members of those groups are allowed to have the virtual attribute.
    </adm:description>
    <adm:default-behavior>
      <adm:alias>
        <adm:synopsis>
          Group membership will not be taken into account when
          Group membership is not taken into account when
          determining whether an entry is eligible to use this virtual
          attribute.
        </adm:synopsis>
@@ -141,16 +157,31 @@
  </adm:property>
  <adm:property name="filter" multi-valued="true">
    <adm:synopsis>
      Specifies the search filters for entries that may be eligible to
      use this virtual attribute.
      Specifies the search filters to be applied against entries to 
      determine if the virtual attribute is to be generated for those 
      entries. 
    </adm:synopsis>
    <adm:description>
      If no values are given, then any entry is eligible to 
      have the value generated. If one or more filters are specified, 
      then only entries that match at least one of those filters are 
      allowed to have the virtual attribute.
    </adm:description>
    <adm:default-behavior>
      <adm:defined>
        <adm:value>(objectClass=*)</adm:value>
      </adm:defined>
    </adm:default-behavior>
    <adm:syntax>
      <adm:string />
      <adm:string>
        <adm:pattern>
          <adm:regex>.*</adm:regex>
          <adm:usage>STRING</adm:usage>
          <adm:synopsis>
            Any valid search filter string.
          </adm:synopsis>
        </adm:pattern>
      </adm:string>
    </adm:syntax>
    <adm:profile name="ldap">
      <ldap:attribute>
@@ -160,8 +191,9 @@
  </adm:property>
  <adm:property name="conflict-behavior">
    <adm:synopsis>
      Specifies the behavior that the server should exhibit for entries
      that contain one or more real values for the associated attribute.
      Specifies the behavior that the server is to exhibit for entries
      that already contain one or more real values for the associated 
      attribute.
    </adm:synopsis>
    <adm:default-behavior>
      <adm:defined>
@@ -172,20 +204,23 @@
      <adm:enumeration>
        <adm:value name="real-overrides-virtual">
          <adm:synopsis>
            Any real values contained in the entry should be preserved
            and virtual values should not be generated.
            Indicates that any real values contained in the entry are 
            preserved and used, and virtual values are not generated.
          </adm:synopsis>
        </adm:value>
        <adm:value name="virtual-overrides-real">
          <adm:synopsis>
            Any real values contained in the entry should be suppressed
            and virtual values should be generated.
            Indicates that the virtual attribute provider suppresses
            any real values contained in the entry
            and generates virtual values and uses them.
          </adm:synopsis>
        </adm:value>
        <adm:value name="merge-real-and-virtual">
          <adm:synopsis>
            Any real values contained in the entry should be preserved
            and merged with the set of generated virtual values.
            Indicates that the virtual attribute provider 
            is to preserve any real values contained in the entry 
            and merge them with the set of generated virtual values
            so that both the real and virtual values are used.
          </adm:synopsis>
        </adm:value>
      </adm:enumeration>

 opends/src/admin/defn/org/opends/server/admin/std/WorkQueueConfiguration.xml

@@ -23,7 +23,7 @@
  ! CDDL HEADER END
  !
  !
  !      Portions Copyright 2007 Sun Microsystems, Inc.
  !      Portions Copyright 2007-2008 Sun Microsystems, Inc.
  ! -->
<adm:managed-object name="work-queue" plural-name="work-queues"
  package="org.opends.server.admin.std"
@@ -33,12 +33,14 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    provides the configuration for the server work queue and 
    is responsible for ensuring that requests received from clients are
    processed in a timely manner.
  </adm:synopsis>
  <adm:description>
    Only a single work queue can be defined in the server.
    Whenever a connection handler receives a client request, it should
    be placed in the work queue so that it may be processed
    place the request in the work queue to be processed
    appropriately.
  </adm:description>
  <adm:tag name="core" />
@@ -53,10 +55,13 @@
  </adm:profile>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      Specifies the fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
    </adm:synopsis>
    <adm:requires-admin-action>
      <adm:server-restart />
    </adm:requires-admin-action>
    <adm:syntax>
      <adm:java-class>
        <adm:instance-of>

 opends/src/admin/defn/org/opends/server/admin/std/WorkflowConfiguration.xml

@@ -32,7 +32,7 @@
  <adm:synopsis>
    The
    <adm:user-friendly-name />
    is a list of processing steps (Work Flow Elements) which are applied
    is a list of processing steps (Work Flow Elements) that are applied
    to data as it is retrieved from the Directory Server.
  </adm:synopsis>
  <adm:tag name="core" />
@@ -51,7 +51,7 @@
    <adm:description>
      If a
      <adm:user-friendly-name />
      is not enabled, then its contents will not be accessible when
      is not enabled, then its contents are not accessible when
      processing operations.
    </adm:description>
    <adm:syntax>
@@ -65,9 +65,8 @@
  </adm:property>
  <adm:property name="workflow-id" mandatory="true" read-only="true">
    <adm:synopsis>
      Provides a name that will be used to identify the
      <adm:user-friendly-name />
      .
      Provides a name that identifies the
      <adm:user-friendly-name />.
    </adm:synopsis>
    <adm:description>
      The name must be unique among all

 opends/src/admin/defn/org/opends/server/admin/std/WorkflowElementConfiguration.xml

@@ -37,11 +37,11 @@
  <adm:description>
    A
    <adm:user-friendly-name />
    may perform a task such as mapping DNs, renaming attributes,
    can perform a task such as mapping DNs, renaming attributes,
    filtering attributes, joining data sources, proxying, or
    load-balancing. The simplest
    <adm:user-friendly-name />
    is the Local Backend Work Flow Element which is used to route data
    is the Local Backend Work Flow Element, which routes data
    to a Backend.
  </adm:description>
  <adm:tag name="core" />
@@ -63,7 +63,7 @@
    <adm:description>
      If a
      <adm:user-friendly-name />
      is not enabled, then its contents will not be accessible when
      is not enabled, then its contents are not accessible when
      processing operations.
    </adm:description>
    <adm:syntax>
@@ -78,7 +78,7 @@
  <adm:property name="workflow-element-id" mandatory="true"
    read-only="true">
    <adm:synopsis>
      Provides a name that will be used to identify the associated
      Provides a name that identifies the associated
      <adm:user-friendly-name />
      .
    </adm:synopsis>
@@ -98,7 +98,7 @@
  </adm:property>
  <adm:property name="java-class" mandatory="true">
    <adm:synopsis>
      The fully-qualified name of the Java class that provides the
      Specifies the fully-qualified name of the Java class that provides the
      <adm:user-friendly-name />
      implementation.
    </adm:synopsis>

			@@ -23,7 +23,7 @@
			! CDDL HEADER END
			!
			!
			! Portions Copyright 2007 Sun Microsystems, Inc.
			! Portions Copyright 2007-2008 Sun Microsystems, Inc.
			! -->
			<adm:managed-object name="anonymous-sasl-mechanism-handler"
			plural-name="anonymous-sasl-mechanism-handlers"
			@@ -31,11 +31,19 @@
			xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to perform all processing related to SASL ANONYMOUS
			authentication.
			The ANONYMOUS SASL mechanism provides the ability for clients to
			perform an anonymous bind using a SASL mechanism.
			</adm:synopsis>
			<adm:description>
			The only real
			benefit that this provides over a normal anonymous bind (that is,
			using simple authentication with no password) is that the ANONYMOUS
			SASL mechanism also allows the client to include a trace string in
			the request. This trace string can help identify the application that
			performed the bind (although since there is no authentication,
			there is no assurance that some other client did not spoof that
			trace string).
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-anonymous-sasl-mechanism-handler</ldap:name>

			@@ -31,11 +31,26 @@
			xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to perform all processing related to SASL CRAM-MD5
			authentication.
			The CRAM-MD5 SASL mechanism provides the ability for clients to
			perform password-based authentication in a manner that does not
			expose their password in the clear.
			</adm:synopsis>
			<adm:description>
			Rather than including the
			password in the bind request, the CRAM-MD5 mechanism uses a
			two-step process in which the client needs only to prove that it
			knows the password. The server sends randomly-generated data to
			the client that is to be used in the process, which makes it
			resistant to replay attacks. The one-way message digest
			algorithm ensures that the original clear-text password is not
			exposed. Note that the algorithm used by the CRAM-MD5 mechanism
			requires that both the client and the server have access to the
			clear-text password (or potentially a value that is derived from
			the clear-text password). In order to authenticate to the server
			using CRAM-MD5, the password for a user's account must be encoded
			using a reversible password storage scheme that allows the server
			to have access to the clear-text value.
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-cram-md5-sasl-mechanism-handler</ldap:name>
			@@ -53,8 +68,10 @@
			</adm:property-override>
			<adm:property name="identity-mapper" mandatory="true">
			<adm:synopsis>
			Specifies the name of the identity mapper that should be used to
			match the client authentication ID to a user entry.
			Specifies the name of the identity mapper used
			with this SASL mechanism handler to match the authentication
			ID included in the SASL bind request to the corresponding
			user in the directory.
			</adm:synopsis>
			<adm:syntax>
			<adm:aggregation relation-name="identity-mapper"

			@@ -31,11 +31,22 @@
			xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			The DIGEST-MD5 SASL mechanism
			is used to perform all processing related to SASL DIGEST-MD5
			authentication.
			authentication.
			</adm:synopsis>
			<adm:description>
			The DIGEST-MD5 SASL mechanism is very similar
			to the CRAM-MD5 mechanism in that it allows for password-based
			authentication without exposing the password in the clear
			(although it does require that both the client and the server
			have access to the clear-text password). Like the CRAM-MD5
			mechanism, it uses data that is randomly generated by the server
			to make it resistant to replay attacks, but it also includes
			randomly-generated data from the client, which makes it also
			resistant to problems resulting from weak server-side random
			number generation.
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-digest-md5-sasl-mechanism-handler</ldap:name>
			@@ -53,34 +64,45 @@
			</adm:property-override>
			<adm:property name="realm">
			<adm:synopsis>
			Specifies the realm that should be used by the server for
			Specifies the realm that is to be used by the server for
			DIGEST-MD5 authentication.
			</adm:synopsis>
			<adm:description>
			If this is not provided, then the server will default to using a
			If this value is not provided, then the server defaults to use a
			set of realm names that correspond to the defined suffixes.
			</adm:description>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The server will default to a set of realm names that
			The server defaults to a set of realm names that
			correspond to the defined suffixes.
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			<adm:syntax>
			<adm:string />
			<adm:string>
			<adm:pattern>
			<adm:regex>.*</adm:regex>
			<adm:usage>STRING</adm:usage>
			<adm:synopsis>
			Any realm string. As needed, it be a DN or matched
			to a realm already in use for another service.
			</adm:synopsis>
			</adm:pattern>
			</adm:string>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			<ldap:name>ds-cfg-realm</ldap:name>
			</ldap:attribute>
			</adm:profile>
			</adm:property>
			<adm:property name="identity-mapper" mandatory="true">
			</adm:property> <adm:property name="identity-mapper" mandatory="true">
			<adm:synopsis>
			Specifies the name of the identity mapper that should be used to
			match client authentication and authorization IDs to user entries.
			Specifies the name of the identity mapper that is to be used
			with this SASL mechanism handler to match the authentication
			or authorization
			ID included in the SASL bind request to the corresponding
			user in the directory.
			</adm:synopsis>
			<adm:syntax>
			<adm:aggregation relation-name="identity-mapper"
			@@ -109,23 +131,39 @@
			<adm:property name="server-fqdn">
			<adm:synopsis>
			Specifies the DNS-resolvable fully-qualified domain name for the
			system.
			server that is used when validating the digest-uri parameter during
			the authentication process.
			</adm:synopsis>
			<adm:description>
			This is the value expected to be present in the host field of the
			digest-uri-value element.
			If this configuration attribute is
			present, then the server expects that clients use a digest-uri equal
			to "ldap/" followed by the value of this attribute. For example, if
			the attribute has a value of "directory.example.com", then the
			server expects clients to use a digest-uri of
			"ldap/directory.example.com". If no value is provided, then the
			server does not attempt to validate the digest-uri provided by the
			client and accepts any value.
			</adm:description>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The server will attempt to dynamically determine the
			fully-qualified domain name.
			The server attempts to determine the
			fully-qualified domain name dynamically.
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			<adm:syntax>
			<adm:string />
			</adm:syntax>
			<adm:string>
			<adm:pattern>
			<adm:regex>.*</adm:regex>
			<adm:usage>STRING</adm:usage>
			<adm:synopsis>
			The fully-qualified address that is expected for clients to use
			when connecting to the server and authenticating via DIGEST-MD5.
			</adm:synopsis>
			</adm:pattern>
			</adm:string>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			<ldap:name>ds-cfg-server-fqdn</ldap:name>

			@@ -33,7 +33,7 @@
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to perform all processing related to SASL EXTERNAL
			performs all processing related to SASL EXTERNAL
			authentication.
			</adm:synopsis>
			<adm:profile name="ldap">
			@@ -86,11 +86,11 @@
			</adm:property>
			<adm:property name="certificate-attribute">
			<adm:synopsis>
			Specifies the name of the attribute that should hold user
			Specifies the name of the attribute to hold user
			certificates.
			</adm:synopsis>
			<adm:description>
			This must specify the name of a valid attribute type defined in
			This property must specify the name of a valid attribute type defined in
			the server schema.
			</adm:description>
			<adm:default-behavior>

			@@ -31,11 +31,17 @@
			xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to perform all processing related to SASL GSSAPI
			The GSSAPI SASL mechanism
			performs all processing related to SASL GSSAPI
			authentication using Kerberos V5.
			</adm:synopsis>
			<adm:description>
			The GSSAPI SASL mechanism provides the ability for clients
			to authenticate themselves to the server using existing
			authentication in a Kerberos environment. This mechanism
			provides the ability to achieve single sign-on for
			Kerberos-based clients.
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-gssapi-sasl-mechanism-handler</ldap:name>
			@@ -53,12 +59,12 @@
			</adm:property-override>
			<adm:property name="realm">
			<adm:synopsis>
			Specifies the realm that should be used for GSSAPI authentication.
			Specifies the realm to be used for GSSAPI authentication.
			</adm:synopsis>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The server will attempt to determine the realm from the
			The server attempts to determine the realm from the
			underlying system configuration.
			</adm:synopsis>
			</adm:alias>
			@@ -74,16 +80,18 @@
			</adm:property>
			<adm:property name="kdc-address">
			<adm:synopsis>
			Specifies the address of the KDC that should be used for Kerberos
			Specifies the address of the KDC that is to be used for Kerberos
			processing.
			</adm:synopsis>
			<adm:description>
			If provided, this should be a fully-qualified DNS-resolvable name.
			If provided, this property must be a fully-qualified DNS-resolvable name.
			If this property is not provided, then the server attempts to determine it
			from the system-wide Kerberos configuration.
			</adm:description>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The server will attempt to determine the KDC address from the
			The server attempts to determine the KDC address from the
			underlying system configuration.
			</adm:synopsis>
			</adm:alias>
			@@ -103,13 +111,13 @@
			Kerberos processing.
			</adm:synopsis>
			<adm:description>
			If provided, this should be either an absolute path or one that is
			If provided, this is either an absolute path or one that is
			relative to the server instance root.
			</adm:description>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The server will attempt to use the system-wide default keytab.
			The server attempts to use the system-wide default keytab.
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			@@ -130,8 +138,8 @@
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The server will attempt to dynamically determine the
			fully-qualified domain name.
			The server attempts to determine the
			fully-qualified domain name dynamically .
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			@@ -146,8 +154,11 @@
			</adm:property>
			<adm:property name="identity-mapper" mandatory="true">
			<adm:synopsis>
			Specifies the name of the identity mapper that should be used to
			match the Kerberos principal to a user entry.
			Specifies the name of the identity mapper that is to be used
			with this SASL mechanism handler
			to match the Kerberos principal
			included in the SASL bind request to the corresponding
			user in the directory.
			</adm:synopsis>
			<adm:syntax>
			<adm:aggregation relation-name="identity-mapper"

			@@ -23,20 +23,28 @@
			! CDDL HEADER END
			!
			!
			! Portions Copyright 2007 Sun Microsystems, Inc.
			! Portions Copyright 2007-2008 Sun Microsystems, Inc.
			! -->
			<adm:managed-object name="last-mod-plugin"
			plural-name="last-mod-plugins" package="org.opends.server.admin.std"
			extends="plugin" xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			The
			<adm:user-friendly-name />
			is used to ensure that the creatorsName and createTimestamp
			attributes are included in an entry whenever it is added to the
			server, and to ensure that the modifiersName and modifyTimestamp
			server and also to ensure that the modifiersName and modifyTimestamp
			attributes are updated whenever an entry is modified or renamed.
			</adm:synopsis>
			<adm:description>
			This behavior is described in RFC 4512. The implementation for
			the LastMod plugin is contained in the
			org.opends.server.plugins.LastModPlugin class. It must be
			configured with the preOperationAdd, preOperationModify, and
			preOperationModifyDN plugin types, but it does not have any
			other custom configuration.
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-last-mod-plugin</ldap:name>

			@@ -31,9 +31,9 @@
			xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			The
			<adm:user-friendly-name />
			is used to ensure that clear-text passwords contained in LDIF
			ensures that clear-text passwords contained in LDIF
			entries are properly encoded before they are stored in the
			appropriate Directory Server backend.
			</adm:synopsis>
			@@ -69,19 +69,19 @@
			<adm:property name="default-user-password-storage-scheme"
			multi-valued="true">
			<adm:synopsis>
			Specifies the names of the password storage schemes that will be
			Specifies the names of the password storage schemes to be
			used for encoding passwords contained in attributes with the user
			password syntax for entries that do not include the
			ds-pwp-password-policy-dn attribute to specify which password
			policy should be used to govern them.
			ds-pwp-password-policy-dn attribute specifying which password
			policy is to be used to govern them.
			</adm:synopsis>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			If the default password policy uses the attribute with the
			user password syntax, then the server will use the default
			user password syntax, then the server uses the default
			password storage schemes for that password policy. Otherwise,
			it will encode user password values using the "SSHA" scheme.
			it encodes user password values using the "SSHA" scheme.
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			@@ -90,8 +90,7 @@
			parent-path="/">
			<adm:constraint>
			<adm:synopsis>
			The referenced password storage schemes must be enabled when
			the
			The referenced password storage schemes must be enabled when the
			<adm:user-friendly-name />
			is enabled.
			</adm:synopsis>
			@@ -115,19 +114,19 @@
			<adm:property name="default-auth-password-storage-scheme"
			multi-valued="true">
			<adm:synopsis>
			Specifies the names of password storage schemes that will be used
			Specifies the names of password storage schemes that to be used
			for encoding passwords contained in attributes with the auth
			password syntax for entries that do not include the
			ds-pwp-password-policy-dn attribute to specify which password
			ds-pwp-password-policy-dn attribute specifying which password
			policy should be used to govern them.
			</adm:synopsis>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			If the default password policy uses an attribute with the auth
			password syntax, then the server will use the default password
			storage schemes for that password policy. Otherwise, it will
			encode auth password values using the "SHA1" scheme.
			password syntax, then the server uses the default password
			storage schemes for that password policy. Otherwise, it
			encodes auth password values using the "SHA1" scheme.
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			@@ -137,9 +136,7 @@
			<adm:constraint>
			<adm:synopsis>
			The referenced password storage schemes must be enabled when
			the
			<adm:user-friendly-name />
			is enabled.
			the Password Policy Import plug-in is enabled.
			</adm:synopsis>
			<adm:target-needs-enabling-condition>
			<adm:contains property="enabled" value="true" />

			@@ -33,9 +33,19 @@
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to perform all processing related to SASL PLAIN
			performs all processing related to SASL PLAIN
			authentication.
			</adm:synopsis>
			<adm:description>
			The PLAIN SASL mechanism provides the ability for clients to
			authenticate using a username and password. This authentication
			is very similar to standard LDAP simple authentication, with the
			exception that it can authenticate based on an authentication ID
			(for example, a username) rather than requiring a full DN, and
			it can also include an authorization ID in addition to the
			authentication ID. Note that the SASL PLAIN mechanism does not
			make any attempt to protect the password.
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-plain-sasl-mechanism-handler</ldap:name>
			@@ -53,8 +63,10 @@
			</adm:property-override>
			<adm:property name="identity-mapper" mandatory="true">
			<adm:synopsis>
			Specifies the name of the identity mapper that should be used to
			match client authentication and authorization IDs to user entries.
			Specifies the name of the identity mapper that is to be used
			with this SASL mechanism handler to match the authentication or
			authorization ID included in the SASL bind request to the
			corresponding user in the directory.
			</adm:synopsis>
			<adm:syntax>
			<adm:aggregation relation-name="identity-mapper"

			@@ -23,16 +23,15 @@
			! CDDL HEADER END
			!
			!
			! Portions Copyright 2007 Sun Microsystems, Inc.
			! Portions Copyright 2007-2008 Sun Microsystems, Inc.
			! -->
			<adm:managed-object name="profiler-plugin"
			plural-name="profiler-plugins" package="org.opends.server.admin.std"
			extends="plugin" xmlns:adm="http://www.opends.org/admin"
			xmlns:ldap="http://www.opends.org/admin-ldap">
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to capture profiling information about operations performed
			The Profiler plug-in
			captures profiling information about operations performed
			inside the JVM while the Directory Server is running.
			</adm:synopsis>
			<adm:profile name="ldap">
			@@ -66,19 +65,25 @@
			</adm:property-override>
			<adm:property name="profile-sample-interval" mandatory="true">
			<adm:synopsis>
			Specifies the sample interval that should be used when capturing
			profiling information in the server.
			Specifies the sample interval in milliseconds to be used when
			capturing profiling information in the server.
			</adm:synopsis>
			<adm:description>
			When capturing
			data, the profiler thread sleeps for this length of time
			between calls to obtain traces for all threads running in the
			JVM.
			</adm:description>
			<adm:requires-admin-action>
			<adm:none>
			<adm:synopsis>
			Changes to this configuration attribute will take effect the
			Changes to this configuration attribute take effect the
			next time the profiler is started.
			</adm:synopsis>
			</adm:none>
			</adm:requires-admin-action>
			<adm:syntax>
			<adm:duration lower-limit="1" base-unit="ms" />
			<adm:duration lower-limit="1" upper-limit="2147483647" base-unit="ms" />
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			@@ -88,15 +93,26 @@
			</adm:property>
			<adm:property name="profile-directory" mandatory="true">
			<adm:synopsis>
			Specifies the path to the directory into which profile information
			will be written.
			Specifies the path to the directory where profile information
			is to be written. This path may be either an absolute path or a path
			that is relative to the root of the OpenDS Directory Server
			instance.
			</adm:synopsis>
			<adm:description>
			The directory must exist and the Directory Server must have
			permission to create new files in it.
			</adm:description>
			<adm:syntax>
			<adm:string />
			<adm:string>
			<adm:pattern>
			<adm:regex>.*</adm:regex>
			<adm:usage>DIR</adm:usage>
			<adm:synopsis>
			The path to any directory that exists on the filesystem
			and that can be read and written by the server user.
			</adm:synopsis>
			</adm:pattern>
			</adm:string>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			@@ -106,12 +122,16 @@
			</adm:property>
			<adm:property name="enable-profiling-on-startup" mandatory="true">
			<adm:synopsis>
			Indicates whether the profiler plugin should start collecting data
			Indicates whether the profiler plug-in is to start collecting data
			automatically when the Directory Server is started.
			</adm:synopsis>
			<adm:description>
			This will only be read when the server is started, and any changes
			will take effect on the next restart.
			This property is read only when the server is
			started, and any changes take effect on the next restart.
			This property is typically set to "false" unless startup
			profiling is required, because otherwise the volume of data that
			can be collected can cause the server to run out of memory if it
			is not turned off in a timely manner.
			</adm:description>
			<adm:syntax>
			<adm:boolean />
			@@ -127,12 +147,12 @@
			Specifies the action that should be taken by the profiler.
			</adm:synopsis>
			<adm:description>
			A value of "start" will cause the profiler thread to start
			A value of "start" causes the profiler thread to start
			collecting data if it is not already active. A value of "stop"
			will cause the profiler thread to stop collecting data and write
			it do disk, and a value of "cancel" will cause the profiler thread
			causes the profiler thread to stop collecting data and write
			it to disk, and a value of "cancel" causes the profiler thread
			to stop collecting data and discard anything that has been
			captured. These operations will occur immediately.
			captured. These operations occur immediately.
			</adm:description>
			<adm:default-behavior>
			<adm:defined>

			@@ -35,7 +35,7 @@
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is used to provide multi-master replication of data across multiple
			provides multi-master replication of data across multiple
			Directory Server instances.
			</adm:synopsis>
			<adm:profile name="ldap">
			@@ -81,10 +81,10 @@
			</adm:property-override>
			<adm:property name="num-update-replay-threads" mandatory="false" read-only="false" advanced="true">
			<adm:synopsis>
			Specifies the number of update replay threads
			Specifies the number of update replay threads.
			</adm:synopsis>
			<adm:description>
			This is the number of threads created for replaying every updates
			This value is the number of threads created for replaying every updates
			received for all the replication domains.
			</adm:description>
			<adm:default-behavior>

			@@ -37,6 +37,24 @@
			watch a queue and pick up an operation to process whenever one
			becomes available.
			</adm:synopsis>
			<adm:description>
			The traditional work queue is named that because its implementation
			is similar to that used by the Sun Java System Directory Server.
			The traditional work queue is a FIFO queue serviced by a fixed
			number of worker threads. However, there are a couple of notable
			differences in its design: 1) The number of worker threads is fixed,
			but it can be changed on the fly and those changes take effect
			immediately. In the Sun Java System Directory Server, changes to the
			number of worker threads require a server restart to take effect.
			2) The work queue in the Sun Java System Directory Server is
			unbounded. If all threads are busy processing existing operations
			and new requests arrive, they continue to accumulate in the work
			queue and the server appears to be frozen. In the OpenDS Directory
			Server, it is possible to place a size limit on the work queue.
			When this number of operations are in the queue, waiting to be
			picked up by threads, any new requests received are rejected with
			an error message.
			</adm:description>
			<adm:profile name="ldap">
			<ldap:object-class>
			<ldap:name>ds-cfg-traditional-work-queue</ldap:name>
			@@ -54,11 +72,17 @@
			</adm:property-override>
			<adm:property name="num-worker-threads" mandatory="true">
			<adm:synopsis>
			The number of worker threads that should be used to process
			operations placed into the queue.
			</adm:synopsis>
			Specifies the number of worker threads to be used for processing
			operations placed in the queue.
			</adm:synopsis>
			<adm:description>
			If the value is increased,
			the additional worker threads are created immediately. If the
			value is reduced, the appropriate number of threads are destroyed
			as operations complete processing.
			</adm:description>
			<adm:syntax>
			<adm:integer lower-limit="1" />
			<adm:integer lower-limit="1" upper-limit="2147483647" />
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>
			@@ -68,23 +92,28 @@
			</adm:property>
			<adm:property name="max-work-queue-capacity">
			<adm:synopsis>
			The maximum number of queued operations that can be in the work
			Specifies the maximum number of queued operations that can be in the work
			queue at any given time.
			</adm:synopsis>
			<adm:description>
			If the work queue is already full and additional requests are
			received by the server, they will be rejected.
			received by the server, the requests are rejected.
			A value of zero indicates that there is no limit to the size
			of the queue.
			</adm:description>
			<adm:requires-admin-action>
			<adm:server-restart />
			</adm:requires-admin-action>
			<adm:default-behavior>
			<adm:alias>
			<adm:synopsis>
			The work queue will not impose any limit on the number of
			The work queue does not impose any limit on the number of
			operations that can be enqueued at any one time.
			</adm:synopsis>
			</adm:alias>
			</adm:default-behavior>
			<adm:syntax>
			<adm:integer lower-limit="0" />
			<adm:integer lower-limit="0" upper-limit="2147483647"/>
			</adm:syntax>
			<adm:profile name="ldap">
			<ldap:attribute>

			@@ -33,7 +33,7 @@
			xmlns:cli="http://www.opends.org/admin-cli">
			<adm:synopsis>
			<adm:user-friendly-plural-name />
			are responsible for determining whether to trust presented
			determine whether to trust presented
			certificates.
			</adm:synopsis>
			<adm:tag name="security" />

			@@ -32,7 +32,7 @@
			<adm:synopsis>
			The
			<adm:user-friendly-name />
			is a list of processing steps (Work Flow Elements) which are applied
			is a list of processing steps (Work Flow Elements) that are applied
			to data as it is retrieved from the Directory Server.
			</adm:synopsis>
			<adm:tag name="core" />
			@@ -51,7 +51,7 @@
			<adm:description>
			If a
			<adm:user-friendly-name />
			is not enabled, then its contents will not be accessible when
			is not enabled, then its contents are not accessible when
			processing operations.
			</adm:description>
			<adm:syntax>
			@@ -65,9 +65,8 @@
			</adm:property>
			<adm:property name="workflow-id" mandatory="true" read-only="true">
			<adm:synopsis>
			Provides a name that will be used to identify the
			<adm:user-friendly-name />
			.
			Provides a name that identifies the
			<adm:user-friendly-name />.
			</adm:synopsis>
			<adm:description>
			The name must be unique among all

			@@ -37,11 +37,11 @@
			<adm:description>
			A
			<adm:user-friendly-name />
			may perform a task such as mapping DNs, renaming attributes,
			can perform a task such as mapping DNs, renaming attributes,
			filtering attributes, joining data sources, proxying, or
			load-balancing. The simplest
			<adm:user-friendly-name />
			is the Local Backend Work Flow Element which is used to route data
			is the Local Backend Work Flow Element, which routes data
			to a Backend.
			</adm:description>
			<adm:tag name="core" />
			@@ -63,7 +63,7 @@
			<adm:description>
			If a
			<adm:user-friendly-name />
			is not enabled, then its contents will not be accessible when
			is not enabled, then its contents are not accessible when
			processing operations.
			</adm:description>
			<adm:syntax>
			@@ -78,7 +78,7 @@
			<adm:property name="workflow-element-id" mandatory="true"
			read-only="true">
			<adm:synopsis>
			Provides a name that will be used to identify the associated
			Provides a name that identifies the associated
			<adm:user-friendly-name />
			.
			</adm:synopsis>
			@@ -98,7 +98,7 @@
			</adm:property>
			<adm:property name="java-class" mandatory="true">
			<adm:synopsis>
			The fully-qualified name of the Java class that provides the
			Specifies the fully-qualified name of the Java class that provides the
			<adm:user-friendly-name />
			implementation.
			</adm:synopsis>