mirror of https://github.com/OpenIdentityPlatform/OpenDJ.git

Mark Craig
31.17.2014 ae57abea41b1a1c805fee27ffcfeabc0ae07e969
Backport CR-3283 Fix for Server docs patch for OPENDJ-980: Allow copy/paste of formatted shell commands; OPENDJ-1376: Add <userinput> and potential <computeroutput> to <screen> content
64 files modified
10556 ■■■■■ changed files
opends/src/main/docbkx/admin-guide/chap-account-lockout.xml 261
opends/src/main/docbkx/admin-guide/chap-attribute-uniqueness.xml 267
opends/src/main/docbkx/admin-guide/chap-backup-restore.xml 174
opends/src/main/docbkx/admin-guide/chap-change-certs.xml 278
opends/src/main/docbkx/admin-guide/chap-connection-handlers.xml 829
opends/src/main/docbkx/admin-guide/chap-groups.xml 305
opends/src/main/docbkx/admin-guide/chap-import-export.xml 163
opends/src/main/docbkx/admin-guide/chap-indexing.xml 443
opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml 1296
opends/src/main/docbkx/admin-guide/chap-monitoring.xml 418
opends/src/main/docbkx/admin-guide/chap-mv-servers.xml 170
opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml 410
opends/src/main/docbkx/admin-guide/chap-pta.xml 428
opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml 908
opends/src/main/docbkx/admin-guide/chap-referrals.xml 106
opends/src/main/docbkx/admin-guide/chap-replication.xml 760
opends/src/main/docbkx/admin-guide/chap-resource-limits.xml 106
opends/src/main/docbkx/admin-guide/chap-rest-operations.xml 738
opends/src/main/docbkx/admin-guide/chap-samba.xml 137
opends/src/main/docbkx/admin-guide/chap-schema.xml 162
opends/src/main/docbkx/admin-guide/chap-server-process.xml 130
opends/src/main/docbkx/admin-guide/chap-troubleshooting.xml 489
opends/src/main/docbkx/admin-guide/chap-tuning.xml 153
opends/src/main/docbkx/admin-guide/chap-understanding-ldap.xml 22
opends/src/main/docbkx/admin-guide/chap-virtual-attrs-collective-attrs.xml 221
opends/src/main/docbkx/admin-guide/man-backup.xml 53
opends/src/main/docbkx/admin-guide/man-base64.xml 25
opends/src/main/docbkx/admin-guide/man-control-panel.xml 13
opends/src/main/docbkx/admin-guide/man-create-rc-script.xml 17
opends/src/main/docbkx/admin-guide/man-dbtest.xml 11
opends/src/main/docbkx/admin-guide/man-dsconfig.xml 101
opends/src/main/docbkx/admin-guide/man-dsjavaproperties.xml 18
opends/src/main/docbkx/admin-guide/man-dsreplication.xml 25
opends/src/main/docbkx/admin-guide/man-encode-password.xml 33
opends/src/main/docbkx/admin-guide/man-export-ldif.xml 18
opends/src/main/docbkx/admin-guide/man-import-ldif.xml 17
opends/src/main/docbkx/admin-guide/man-ldapcompare.xml 36
opends/src/main/docbkx/admin-guide/man-ldapdelete.xml 36
opends/src/main/docbkx/admin-guide/man-ldapmodify.xml 84
opends/src/main/docbkx/admin-guide/man-ldappasswordmodify.xml 32
opends/src/main/docbkx/admin-guide/man-ldapsearch.xml 41
opends/src/main/docbkx/admin-guide/man-ldif-diff.xml 31
opends/src/main/docbkx/admin-guide/man-ldifmodify.xml 34
opends/src/main/docbkx/admin-guide/man-ldifsearch.xml 29
opends/src/main/docbkx/admin-guide/man-list-backends.xml 18
opends/src/main/docbkx/admin-guide/man-make-ldif-template.xml 7
opends/src/main/docbkx/admin-guide/man-make-ldif.xml 19
opends/src/main/docbkx/admin-guide/man-manage-account.xml 40
opends/src/main/docbkx/admin-guide/man-manage-tasks.xml 19
opends/src/main/docbkx/admin-guide/man-rebuild-index.xml 17
opends/src/main/docbkx/admin-guide/man-restore.xml 45
opends/src/main/docbkx/admin-guide/man-setup.xml 22
opends/src/main/docbkx/admin-guide/man-start-ds.xml 14
opends/src/main/docbkx/admin-guide/man-status.xml 19
opends/src/main/docbkx/admin-guide/man-stop-ds.xml 18
opends/src/main/docbkx/admin-guide/man-uninstall.xml 21
opends/src/main/docbkx/admin-guide/man-upgrade.xml 10
opends/src/main/docbkx/admin-guide/man-verify-index.xml 17
opends/src/main/docbkx/admin-guide/man-windows-service.xml 15
opends/src/main/docbkx/install-guide/chap-install-cli.xml 149
opends/src/main/docbkx/install-guide/chap-install-gui.xml 12
opends/src/main/docbkx/install-guide/chap-uninstall.xml 36
opends/src/main/docbkx/install-guide/chap-upgrade.xml 5
opends/src/main/docbkx/shared/screen-upgrade.xml 25
opends/src/main/docbkx/admin-guide/chap-account-lockout.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-account-lockout'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Implementing Account Lockout &amp; Notification</title>
 
 <para>OpenDJ directory server supports automatic account lockout.
@@ -69,68 +69,75 @@
  the server configuration, you must manually apply the changes to each
  replica in a replication topology.</para>
  
  <screen>$ dsconfig
 set-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set lockout-failure-count:3
 --set lockout-duration:5m
 --set lockout-failure-expiration-interval:5m
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set lockout-failure-count:3 \
 --set lockout-duration:5m \
 --set lockout-failure-expiration-interval:5m \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>Users having the default password policy are then locked out after
  three failed attempts in succession.</para>
  
  <screen>$ ldapsearch
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword hifalutin
 --baseDN dc=example,dc=com
 uid=bjensen
 mail
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com</computeroutput>
$ ldapsearch
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword fatfngrs
 --baseDN dc=example,dc=com
 uid=bjensen
 mail
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
$ ldapsearch
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword fatfngrs
 --baseDN dc=example,dc=com
 uid=bjensen
 mail
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
$ ldapsearch
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword fatfngrs
 --baseDN dc=example,dc=com
 uid=bjensen
 mail
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)
$ ldapsearch
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword hifalutin
 --baseDN dc=example,dc=com
 uid=bjensen
 mail
The simple bind attempt failed
Result Code:  49 (Invalid Credentials)</screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword fatfngrs \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code:  49 (Invalid Credentials)</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword fatfngrs \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code:  49 (Invalid Credentials)</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword fatfngrs \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code:  49 (Invalid Credentials)</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 mail</userinput>
<computeroutput>The simple bind attempt failed
Result Code:  49 (Invalid Credentials)</computeroutput>
  </screen>
 </section>
 
 <section xml:id="manage-accounts">
@@ -143,44 +150,59 @@
  <para>For the following examples, the directory admin user, Kirsten Vaughan,
  has <literal>ds-privilege-name: password-reset</literal>, and the following
  ACI on <literal>ou=People,dc=example,dc=com</literal>.</para>
  <literallayout class="monospaced">(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
version 3.0;acl "Admins can run amok"; allow(all) groupdn =
"ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)</literallayout>
  <programlisting language="aci">
(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
 version 3.0;acl "Admins can run amok"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
  </programlisting>
  
  <procedure xml:id="disable-account">
   <title>To Disable an Account</title>
   <indexterm><primary>Accounts</primary><secondary>Disabling</secondary></indexterm>
   <indexterm>
    <primary>Accounts</primary>
    <secondary>Disabling</secondary>
   </indexterm>
   <step>
    <para>Set the account status to disabled with the
    <command>manage-account</command> command.</para>
    
    <screen>$ manage-account
 set-account-is-disabled
 --port 4444
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --operationValue true
 --targetDN uid=bjensen,ou=people,dc=example,dc=com
 --trustAll
Account Is Disabled:  true</screen>
    <screen>
$ <userinput>manage-account \
 set-account-is-disabled \
 --port 4444 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --operationValue true \
 --targetDN uid=bjensen,ou=people,dc=example,dc=com \
 --trustAll</userinput>
<computeroutput>Account Is Disabled:  true</computeroutput>
    </screen>
   </step>
  </procedure>
  
  <procedure xml:id="reactivate-account">
   <title>To Activate a Disabled Account</title>
   <indexterm><primary>Accounts</primary><secondary>Activating</secondary></indexterm>
   <indexterm>
    <primary>Accounts</primary>
    <secondary>Activating</secondary>
   </indexterm>
   <step>
    <para>Clear the disabled status using the <command>manage-account</command>
    command.</para>
    
    <screen>$ manage-account
 clear-account-is-disabled
 --port 4444
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --targetDN uid=bjensen,ou=people,dc=example,dc=com
 --trustAll
Account Is Disabled:  false</screen>
    <screen>
$ <userinput>manage-account \
 clear-account-is-disabled \
 --port 4444 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --targetDN uid=bjensen,ou=people,dc=example,dc=com \
 --trustAll</userinput>
<computeroutput>Account Is Disabled:  false</computeroutput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -191,6 +213,7 @@
   <primary>Accounts</primary>
   <secondary>Status notifications</secondary>
  </indexterm>
  <para>OpenDJ can send mail about account status changes. OpenDJ needs an
  SMTP server to send messages, and needs templates for the mail it sends.
  By default, message templates are in English, under
@@ -209,7 +232,7 @@
  automatically scan entries to send password expiry notifications. OpenDJ does
  implement controls that you can pass in an LDAP search to determine whether a
  user's password is about to expire. See the appendix on
  <link xlink:href="admin-guide#appendix-controls"
  <link xlink:href="admin-guide#appendix-controls" xlink:show="new"
  xlink:role="http://docbook.org/xlink/role/olink"><citetitle>LDAP
  Controls</citetitle></link> for a list. You can send notifications then
  based on the results of your search.</para>
@@ -223,30 +246,37 @@
   
   <step>
    <para>Identify the SMTP server to which OpenDJ sends messages.</para>
    <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set smtp-server:smtp.example.com
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set smtp-server:smtp.example.com \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   
   <step>
    <para>Set up OpenDJ to be able to mail users about account status.</para>
    <screen>$ dsconfig
 set-account-status-notification-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "SMTP Handler"
 --set enabled:true
 --set email-address-attribute-type:mail
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-account-status-notification-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SMTP Handler" \
 --set enabled:true \
 --set email-address-attribute-type:mail \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>Notice that OpenDJ finds the user's mail address on the attribute
    on the user's entry, specified by
    <literal>email-address-attribute-type</literal>.</para>
@@ -261,16 +291,19 @@
   <step>
    <para>Adjust applicable password policies to use the account status
    notification handler you configured.</para>
    <screen>$ dsconfig
 set-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set account-status-notification-handler:"SMTP Handler"
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set account-status-notification-handler:"SMTP Handler" \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
  </procedure>
  
opends/src/main/docbkx/admin-guide/chap-attribute-uniqueness.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-attribute-uniqueness'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Implementing Attribute Value Uniqueness</title>
 
 <para>Some attribute values ought to remain unique. If you are using
@@ -79,78 +79,91 @@
  <step>
   <para>Set the base DN where <literal>uid</literal> should have unique
   values, and enable the plugin.</para>
   <screen>$ dsconfig
 set-plugin-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "UID Unique Attribute"
 --set base-dn:ou=people,dc=example,dc=com
 --set enabled:true
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set base-dn:ou=people,dc=example,dc=com \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>Alternatively, you can specify multiple base DNs for unique values
   across multiple suffixes.</para>
   <screen>$ dsconfig
 set-plugin-prop
 --port 4444
 --hostname opendj.example.com
 --bindDn "cn=Directory Manager"
 --bindPassword password
 --plugin-name "UID Unique Attribute"
 --set enabled:true
 --add base-dn:ou=people,dc=example,dc=com
 --add base-dn:ou=people,dc=example,dc=org
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDn "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --set enabled:true \
 --add base-dn:ou=people,dc=example,dc=com \
 --add base-dn:ou=people,dc=example,dc=org \
 --trustAll \
 --no-prompt</userinput>
   </screen>
  </step>
  <step>
   <para>Check that the plugin is working correctly.</para>
   <screen>$ cat bjensen.ldif
dn: uid=ajensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>cat bjensen.ldif</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: uid
uid: bjensen
uid: bjensen</computeroutput>
$ ldapmodify
 --defaultAdd
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename bjensen.ldif
Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename bjensen.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for \
Additional Information:  A unique attribute conflict was detected for
 attribute uid:  value bjensen already exists in entry
 uid=bjensen,ou=People,dc=example,dc=com</screen>
 uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
   </screen>
   <para>If you have set up multiple suffixes, you might try something like
   this.</para>
   <screen>$ cat bjensen.ldif
dn: uid=bjensen,ou=People,dc=example,dc=org
   <screen>
$ <userinput>cat bjensen.ldif</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: Babs
sn: Jensen
uid: bjensen
uid: bjensen</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename bjensen.ldif
Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename bjensen.ldif</userinput>
<computeroutput>Processing ADD request for uid=bjensen,ou=People,dc=example,dc=org
ADD operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for attribute
 uid:  value bjensen already exists in entry
 uid=bjensen,ou=People,dc=example,dc=com</screen>
 uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
   </screen>
  </step>
 </procedure>
 
@@ -192,42 +205,48 @@
     configuration, do so as shown in the following example which uses the
     plugin configuration from <xref linkend="enable-unique-uids" />.</para>
     <screen>$ dsconfig
 set-plugin-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "UID Unique Attribute"
 --add type:mobile
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "UID Unique Attribute" \
 --add type:mobile \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
    <step>
     <para>If you want to create a new plugin configuration, do so as shown in
     the following example.</para>
     <screen>$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "Unique mobile numbers"
 --type unique-attribute
 --set enabled:true
 --set base-dn:ou=people,dc=example,dc=com
 --set type:mobile
 --trustAll
 --no-prompt</screen>
     <screen>
 $ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique mobile numbers" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:ou=people,dc=example,dc=com \
 --set type:mobile \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
   </stepalternatives>
  </step>
  <step>
   <para>Check that the plugin is working correctly.</para>
   <screen>$ cat mobile.ldif
dn: uid=ajensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>cat mobile.ldif</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212
@@ -235,22 +254,23 @@
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: mobile
mobile: +1 828 555 1212
mobile: +1 828 555 1212</computeroutput>
$ ldapmodify
 --defaultAdd
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename mobile.ldif
Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename mobile.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for
 attribute mobile:  value +1 828 555 1212 already exists in entry
 uid=ajensen,ou=People,dc=example,dc=com</screen>
 uid=ajensen,ou=People,dc=example,dc=com</computeroutput>
   </screen>
  </step>
 </procedure>
@@ -282,39 +302,43 @@
   <para>For each base DN, set up a configuration entry that ensures the
   target attribute values are unique.</para>
   <screen>$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "Unique Example.com UIDs"
 --type unique-attribute
 --set enabled:true
 --set base-dn:dc=example,dc=com
 --set type:uid
 --trustAll
 --no-prompt
$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "Unique Example.org UIDs"
 --type unique-attribute
 --set enabled:true
 --set base-dn:dc=example,dc=org
 --set type:uid
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique Example.com UIDs" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:dc=example,dc=com \
 --set type:uid \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Unique Example.org UIDs" \
 --type unique-attribute \
 --set enabled:true \
 --set base-dn:dc=example,dc=org \
 --set type:uid \
 --trustAll \
 --no-prompt</userinput>
   </screen>
  </step>
  <step>
   <para>Check that the plugin is working correctly.</para>
   <screen>$ cat uniq-ids.ldif
dn: uid=unique,ou=People,dc=example,dc=com
   <screen>
$ <userinput>cat uniq-ids.ldif</userinput>
<computeroutput>dn: uid=unique,ou=People,dc=example,dc=com
uid: unique
givenName: Unique
objectClass: person
@@ -346,15 +370,15 @@
objectClass: top
cn: Copycat Person
sn: Person
userPassword: copycopy
userPassword: copycopy</computeroutput>
$ ldapmodify
 --defaultAdd
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename uniq-ids.ldif
Processing ADD request for uid=unique,ou=People,dc=example,dc=com
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename uniq-ids.ldif</userinput>
<computeroutput>Processing ADD request for uid=unique,ou=People,dc=example,dc=com
ADD operation successful for DN uid=unique,ou=People,dc=example,dc=com
Processing ADD request for uid=unique,ou=People,dc=example,dc=org
ADD operation successful for DN uid=unique,ou=People,dc=example,dc=org
@@ -363,7 +387,8 @@
Result Code:  19 (Constraint Violation)
Additional Information:  A unique attribute conflict was detected for
 attribute uid:  value unique already exists in entry
 uid=unique,ou=People,dc=example,dc=com</screen>
 uid=unique,ou=People,dc=example,dc=com</computeroutput>
   </screen>
  </step>
 </procedure>
opends/src/main/docbkx/admin-guide/chap-backup-restore.xml
@@ -95,22 +95,27 @@
      <para>The following example requests an online backup task that
      starts immediately, backing up only the <literal>userRoot</literal>
      backend.</para>
      <screen>$ backup
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backendID userRoot
 --backupDirectory /path/to/opendj/bak
 --start 0
Backup task 20110613143715983 scheduled to start Jun 13, 2011 2:37:15 PM CEST</screen>
      <screen>
$ <userinput>backup \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backendID userRoot \
 --backupDirectory /path/to/opendj/bak \
 --start 0</userinput>
<computeroutput>Backup task 20110613143715983 scheduled to start Jun 13, 2011 2:37:15 PM CEST</computeroutput>
      </screen>
     </step>
     <step>
      <para>Stop the server to back up Example.com data offline.</para>
      <para>The following example stops OpenDJ, runs offline backup, and
      starts the server after backup has completed.</para>
      <screen>$ stop-ds
Stopping Server...
      <screen>
$ <userinput>stop-ds</userinput>
<computeroutput>Stopping Server...
[13/Jun/2011:14:31:00 +0200] category=BACKEND severity=NOTICE msgID=9896306
 msg=The backend userRoot is now taken offline
@@ -122,23 +127,27 @@
[13/Jun/2011:14:33:48 +0200] category=JEB severity=NOTICE msgID=8847446
 msg=Archived: 00000000.jdb
[13/Jun/2011:14:33:48 +0200] category=TOOLS severity=NOTICE msgID=10944795
 msg=The backup process completed successfully
$ start-ds
... The Directory Server has started successfully</screen>
 msg=The backup process completed successfully</computeroutput>
$ <userinput>start-ds</userinput>
<computeroutput>... The Directory Server has started successfully</computeroutput>
      </screen>
     </step>
     <step>
      <para>Back up all user data on the server.</para>
      <para>The following example requests an online backup task that
      starts immediately, backing up all backends.</para>
      <screen>$ backup
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backUpAll
 --backupDirectory /path/to/opendj/bak
 --start 0
Backup task 20110613143801866 scheduled to start Jun 13, 2011 2:38:01 PM CEST</screen>
      <screen>
$ <userinput>backup \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backUpAll \
 --backupDirectory /path/to/opendj/bak \
 --start 0</userinput>
<computeroutput>Backup task 20110613143801866 scheduled to start Jun 13, 2011 2:38:01 PM CEST</computeroutput>
      </screen>
     </step>
    </stepalternatives>
   </step>
@@ -153,17 +162,20 @@
   <step>
    <para>Back up all user data every night at 2 AM, and notify
    diradmin@example.com when finished, or on error.</para>
    <screen>$ backup
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backUpAll
 --backupDirectory /path/to/opendj/bak
 --recurringTask "00 02 * * *"
 --completionNotify diradmin@example.com
 --errorNotify diradmin@example.com
Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
scheduled successfully</screen>
    <screen>
$ <userinput>backup \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backUpAll \
 --backupDirectory /path/to/opendj/bak \
 --recurringTask "00 02 * * *" \
 --completionNotify diradmin@example.com \
 --errorNotify diradmin@example.com</userinput>
<computeroutput>Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
scheduled successfully</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -185,18 +197,18 @@
    </para>
    <screen>
$ backup
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backupDirectory /path/to/opendj/bak
 --backendID userRoot
 --incremental
 --recurringTask "00 03 * * *"
 --completionNotify diradmin@example.com
 --errorNotify diradmin@example.com
Recurring Backup task BackupTask-6988c19d-9afc-4f50-89b7-d3e167255d3e
scheduled successfully
$ <userinput>backup \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backupDirectory /path/to/opendj/bak \
 --backendID userRoot \
 --incremental \
 --recurringTask "00 03 * * *" \
 --completionNotify diradmin@example.com \
 --errorNotify diradmin@example.com</userinput>
<computeroutput>Recurring Backup task BackupTask-6988c19d-9afc-4f50-89b7-d3e167255d3e
scheduled successfully</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -233,41 +245,47 @@
      <para>The following example stops OpenDJ, restores data offline from
      one of the available backups, and then starts the server after the
      restore is complete.</para>
      <screen>$ stop-ds
Stopping Server...
      <screen>
$ <userinput>stop-ds</userinput>
<computeroutput>Stopping Server...
[13/Jun/2011:15:44:06 +0200] category=BACKEND severity=NOTICE msgID=9896306
 msg=The backend userRoot is now taken offline
[13/Jun/2011:15:44:06 +0200] category=CORE severity=NOTICE msgID=458955
 msg=The Directory Server is now stopped
$ restore --backupDirectory /path/to/opendj/bak --listBackups
Backup ID:          20110613080032
 msg=The Directory Server is now stopped</computeroutput>
$ <userinput>restore --backupDirectory /path/to/opendj/bak --listBackups</userinput>
<computeroutput>Backup ID:          20110613080032
Backup Date:        13/Jun/2011:08:00:45 +0200
Is Incremental:     false
Is Compressed:      false
Is Encrypted:       false
Has Unsigned Hash:  false
Has Signed Hash:    false
Dependent Upon:     none
$ restore --backupDirectory /path/to/opendj/bak --backupID 20110613080032
[13/Jun/2011:15:47:41 +0200] category=JEB severity=NOTICE msgID=8847445
 msg=Restored: 00000000.jdb (size 341835)
$ start-ds
... The Directory Server has started successfully</screen>
Dependent Upon:     none</computeroutput>
$ <userinput>restore --backupDirectory /path/to/opendj/bak --backupID 20110613080032</userinput>
<computeroutput>[13/Jun/2011:15:47:41 +0200] category=JEB severity=NOTICE msgID=8847445
 msg=Restored: 00000000.jdb (size 341835)</computeroutput>
$ <userinput>start-ds</userinput>
<computeroutput>... The Directory Server has started successfully</computeroutput>
      </screen>
     </step>
     <step>
      <para>Schedule the restore as a task to begin immediately.</para>
      <para>The following example requests an online restore task, scheduled
      to start immediately.</para>
      <screen>$ restore
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backupDirectory /path/to/opendj/bak
 --backupID 20110613080032
 --start 0
Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST</screen>
      <screen>
$ <userinput>restore \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backupDirectory /path/to/opendj/bak \
 --backupID 20110613080032 \
 --start 0</userinput>
<computeroutput>Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST</computeroutput>
      </screen>
     </step>
    </stepalternatives>
   </step>
@@ -299,35 +317,39 @@
   the backup you use is newer than the last purge of the replication change
   log (default: 3 days). If all your backups are older than the replication
   purge delay, do not restore from a backup, but instead initialize a new
   replica as described in <link xlink:href="admin-guide#init-repl"
   xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Initializing
   replica as described in <link
    xlink:show="new"
    xlink:href="admin-guide#init-repl"
    xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Initializing
   Replicas</citetitle></link>.</para>
   <step>
    <para>Restore the server database from the backup archive that you are
    sure is newer than the last purge of the replication change log.</para>
    <screen>$ stop-ds
Stopping Server...
    <screen>
$ <userinput>stop-ds</userinput>
<computeroutput>Stopping Server...
[13/Jun/2011:15:44:06 +0200] category=BACKEND severity=NOTICE msgID=9896306
 msg=The backend userRoot is now taken offline
[13/Jun/2011:15:44:06 +0200] category=CORE severity=NOTICE msgID=458955
 msg=The Directory Server is now stopped
$ restore --backupDirectory /path/to/opendj/bak --listBackups
Backup ID:          20110613080032
 msg=The Directory Server is now stopped</computeroutput>
$ <userinput>restore --backupDirectory /path/to/opendj/bak --listBackups</userinput>
<computeroutput>Backup ID:          20110613080032
Backup Date:        13/Jun/2011:08:00:45 +0200
Is Incremental:     false
Is Compressed:      false
Is Encrypted:       false
Has Unsigned Hash:  false
Has Signed Hash:    false
Dependent Upon:     none
$ restore --backupDirectory /path/to/opendj/bak --backupID 20110613080032
[13/Jun/2011:15:47:41 +0200] category=JEB severity=NOTICE msgID=8847445
 msg=Restored: 00000000.jdb (size 341835)
$ start-ds
... The Directory Server has started successfully</screen>
Dependent Upon:     none</computeroutput>
$ <userinput>restore --backupDirectory /path/to/opendj/bak --backupID 20110613080032</userinput>
<computeroutput>[13/Jun/2011:15:47:41 +0200] category=JEB severity=NOTICE msgID=8847445
 msg=Restored: 00000000.jdb (size 341835)</computeroutput>
$ <userinput>start-ds</userinput>
<computeroutput>... The Directory Server has started successfully</computeroutput>
    </screen>
   </step>
  </procedure>
opends/src/main/docbkx/admin-guide/chap-change-certs.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2013 ForgeRock AS
  !      Copyright 2013-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-change-certs'
         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
         xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'
         xmlns:xinclude='http://www.w3.org/2001/XInclude'>
         xsi:schemaLocation='http://docbook.org/ns/docbook
                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Changing Server Certificates</title>
 <indexterm><primary>Certificates</primary></indexterm>
@@ -154,25 +154,27 @@
  <step>
   <para>Check the alias of the key pair and certificate copy to replace.</para>
   <screen>$ cd /path/to/opendj/config
$ keytool -list -keystore admin-keystore -storepass `cat admin-keystore.pin`
   <screen>
$ <userinput>cd /path/to/opendj/config</userinput>
$ <userinput>keytool -list -keystore admin-keystore -storepass `cat admin-keystore.pin`</userinput>
Keystore type: JKS
<computeroutput>Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
admin-cert, Mar 15, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E
$ keytool -list -keystore admin-truststore -storepass `cat admin-keystore.pin`
Certificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</computeroutput>
$ <userinput>keytool -list -keystore admin-truststore -storepass `cat admin-keystore.pin`</userinput>
Keystore type: JKS
<computeroutput>Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
admin-cert, Mar 15, 2013, trustedCertEntry,
Certificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</screen>
Certificate fingerprint (SHA1): 54:9F:C3:F8:7B:B6:...:0A:98:D0:17:8E</computeroutput>
   </screen>
   <para>This alias is also stored in the server configuration.</para>
  </step>
@@ -180,31 +182,36 @@
  <step>
   <para>Remove the key pair and certificate copy to replace.</para>
   <screen>$ keytool
 -delete
 -alias admin-cert
 -keystore admin-keystore
 -storepass `cat admin-keystore.pin`
$ keytool
 -delete
 -alias admin-cert
 -keystore admin-truststore
 -storepass `cat admin-keystore.pin`</screen>
   <screen>
$ <userinput>keytool \
 -delete \
 -alias admin-cert \
 -keystore admin-keystore \
 -storepass `cat admin-keystore.pin`</userinput>
$ <userinput>keytool \
 -delete \
 -alias admin-cert \
 -keystore admin-truststore \
 -storepass `cat admin-keystore.pin`</userinput>
   </screen>
  </step>
  <step>
   <para>Generate a new key pair in the key store.</para>
   <screen width="83">$ keytool
 -genkey
 -alias admin-cert
 -keyalg RSA
 -validity 7300
 -keysize 2048
 -dname "CN=opendj.example.com, O=Administration Connector Self-Signed Certificate"
 -keystore admin-keystore
 -storepass `cat admin-keystore.pin`
 -keypass `cat admin-keystore.pin`</screen>
   <screen width="85">
$ <userinput>keytool \
 -genkey \
 -alias admin-cert \
 -keyalg RSA \
 -validity 7300 \
 -keysize 2048 \
 -dname "CN=opendj.example.com, O=Administration Connector Self-Signed Certificate" \
 -keystore admin-keystore \
 -storepass `cat admin-keystore.pin` \
 -keypass `cat admin-keystore.pin`</userinput>
   </screen>
   <para>Notice that the <option>-alias</option> option takes the same alias
   as before. This is because the <literal>ssl-cert-nickname</literal> for
@@ -222,11 +229,13 @@
    <step>
     <para>Self-sign the certificate.</para>
     <screen>$ keytool
 -selfcert
 -alias admin-cert
 -keystore admin-keystore
 -storepass `cat admin-keystore.pin`</screen>
     <screen>
$ <userinput>keytool \
 -selfcert \
 -alias admin-cert \
 -keystore admin-keystore \
 -storepass `cat admin-keystore.pin`</userinput>
     </screen>
    </step>
    <step>
@@ -245,34 +254,37 @@
  <step>
   <para>Export a copy of the certificate from the key store.</para>
   <screen>$ keytool
 -export
 -alias admin-cert
 -keystore admin-keystore
 -storepass `cat admin-keystore.pin`
 -file admin-cert.crt
Certificate stored in file &lt;admin-cert.crt&gt;</screen>
   <screen>
$ <userinput>keytool \
 -export \
 -alias admin-cert \
 -keystore admin-keystore \
 -storepass `cat admin-keystore.pin` \
 -file admin-cert.crt</userinput>
<computeroutput>Certificate stored in file &lt;admin-cert.crt&gt;</computeroutput>
   </screen>
  </step>
  <step>
   <para>Import the copy of the certificate into the trust store.</para>
   <screen width="81">$ keytool
 -import
 -alias admin-cert
 -keystore admin-truststore
 -storepass `cat admin-keystore.pin`
 -file admin-cert.crt
Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
   <screen width="81">
$ <userinput>keytool \
 -import \
 -alias admin-cert \
 -keystore admin-truststore \
 -storepass `cat admin-keystore.pin` \
 -file admin-cert.crt</userinput>
<computeroutput>Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
Issuer: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
Serial number: 904fc2b
Valid from: Fri Mar 15 15:15:20 CET 2013 until: Thu Jun 13 16:15:20 CEST 2013
Certificate fingerprints:
     MD5:  DD:2A:A1:3A:39:87:DF:02:15:A4:8A:9D:77:89:F1:E4
     SHA1: E1:99:82:92:D7:9B:28:B7:93:D2:B5:5B:C9:DA:4E:D2:62:C2:E7:B0
     SHA256: C5:34:9C:04:E2:87:A9:B1:72:B5:...:99:86:3A:02:28:D0:AB:02:5F:F4:BE
     Signature algorithm name: SHA256withRSA
     Version: 3
  MD5:  DD:2A:A1:3A:39:87:DF:02:15:A4:8A:9D:77:89:F1:E4
  SHA1: E1:99:82:92:D7:9B:28:B7:93:D2:B5:5B:C9:DA:4E:D2:62:C2:E7:B0
  SHA256: C5:34:9C:04:E2:87:A9:B1:72:B5:...:99:86:3A:02:28:D0:AB:02:5F:F4:BE
  Signature algorithm name: SHA256withRSA
  Version: 3
Extensions:
@@ -284,15 +296,18 @@
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
   </screen>
  </step>
  <step>
   <para>Restart OpenDJ to make sure it reloads the key stores.</para>
   <screen>$ cd /path/to/opendj/bin
$ stop-ds --restart</screen>
   <screen>
$ <userinput>cd /path/to/opendj/bin</userinput>
$ <userinput>stop-ds --restart</userinput>
   </screen>
  </step>
  <step>
@@ -327,17 +342,19 @@
    <step>
     <para>Delete the <literal>ads-certificate</literal> entry.</para>
     <screen>$ ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
     <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
changetype: delete
Processing DELETE request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
DELETE operation successful for DN ds-cfg-key-id=ads-certificate,
 cn=ads-truststore</screen>
 cn=ads-truststore</computeroutput>
     </screen>
   </step>
   <step>
@@ -347,28 +364,31 @@
    <para>You do this by adding an <literal>ads-certificate</literal> entry
    with object class <literal>ds-cfg-self-signed-cert-request</literal>.</para>
    <screen>$ ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
changetype: add
objectclass: ds-cfg-self-signed-cert-request
Processing ADD request for ds-cfg-key-id=ads-certificate,cn=ads-truststore
ADD operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore</screen>
ADD operation successful for DN ds-cfg-key-id=ads-certificate,cn=ads-truststore</computeroutput>
    </screen>
   </step>
   <step>
    <para>Retrieve the <literal>ads-certificate</literal> entry.</para>
    <screen>$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN cn=ads-truststore
 "(ds-cfg-key-id=ads-certificate)"
dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN cn=ads-truststore \
 "(ds-cfg-key-id=ads-certificate)"</userinput>
<computeroutput>dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore
ds-cfg-key-id: ads-certificate
ds-cfg-public-key-certificate;binary:: MIIB6zCCAVSgAwIBAgIEDKSUFjANBgkqhkiG9w0BA
 QUFADA6MRswGQYDVQQKExJPcGVuREogQ2VydGlmaWNhdGUxGzAZBgNVBAMTEm9wZW5hbS5leGFtcGxl
@@ -380,7 +400,8 @@
 7IvpE7jGVZh6KvM0m5sBNX3wPbTVJQNij3TDm8nx6yhi6DUkpiAZfz/OBL5k+WSw80TjpIZ2+klhP1s
 srsST4Um4fHzDZXOXHR6NM83XxZBsR6MazYecL8CiGwnYW2AeBapzbAnGn1J831q1q
objectClass: top
objectClass: ds-cfg-instance-key</screen>
objectClass: ds-cfg-instance-key</computeroutput>
    </screen>
   </step>
   <step>
@@ -390,13 +411,14 @@
    <para>In this example, the MD5 fingerprint is
    <literal>07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C</literal>.</para>
    <screen>$ keytool
 -list
 -v
 -alias ads-certificate
 -keystore /path/to/opendj/config/ads-truststore
 -storepass `cat /path/to/opendj/config/ads-truststore.pin`
Alias name: ads-certificate
    <screen>
$ <userinput>keytool \
 -list \
 -v \
 -alias ads-certificate \
 -keystore /path/to/opendj/config/ads-truststore \
 -storepass `cat /path/to/opendj/config/ads-truststore.pin`</userinput>
<computeroutput>Alias name: ads-certificate
Creation date: Feb 7, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
@@ -406,11 +428,12 @@
Serial number: ca49416
Valid from: Thu Feb 07 11:30:33 CET 2013 until: Wed Feb 02 11:30:33 CET 2033
Certificate fingerprints:
     MD5:  07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C
     SHA1: 56:30:F6:79:AA:C0:BD:61:88:3E:FB:38:38:9D:84:70:0B:E4:43:57
     SHA256: A8:4B:81:EE:30:2A:0C:09:2E:...:C1:41:F5:AB:19:C6:EE:AB:50:64
     Signature algorithm name: SHA1withRSA
     Version: 3</screen>
  MD5:  07:35:80:D8:F3:CE:E1:39:9C:D0:73:DB:6C:FA:CC:1C
  SHA1: 56:30:F6:79:AA:C0:BD:61:88:3E:FB:38:38:9D:84:70:0B:E4:43:57
  SHA256: A8:4B:81:EE:30:2A:0C:09:2E:...:C1:41:F5:AB:19:C6:EE:AB:50:64
  Signature algorithm name: SHA1withRSA
  Version: 3</computeroutput>
    </screen>
   </step>
   <step>
@@ -418,8 +441,9 @@
    to update <literal>cn=admin data</literal> with the new server
    certificate.</para>
    <screen>$ cat /path/to/update-server-cert.ldif
dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,
    <screen>
$ <userinput>cat /path/to/update-server-cert.ldif</userinput>
<computeroutput>dn: ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,cn=instance keys,
 cn=admin data
changetype: add
ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
@@ -439,8 +463,8 @@
changetype: modify
replace: ds-cfg-key-id
ds-cfg-key-id: 073580D8F3CEE1399CD073DB6CFACC1C
</screen>
</computeroutput>
     </screen>
    </step>
    <step>
@@ -448,20 +472,22 @@
     copy of the new <literal>ads-certificate</literal> with its MD5 signature
     as the alias in the <filename>ads-truststore</filename>.</para>
     <screen>$ ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename /path/to/update-server-cert.ldif
Processing ADD request for ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
     <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename /path/to/update-server-cert.ldif</userinput>
<computeroutput>Processing ADD request for ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
 cn=instance keys,cn=admin data
ADD operation successful for DN ds-cfg-key-id=073580D8F3CEE1399CD073DB6CFACC1C,
 cn=instance keys,cn=admin data
Processing MODIFY request for cn=opendj.example.com:4444,cn=Servers,
 cn=admin data
MODIFY operation successful for DN cn=opendj.example.com:4444,cn=Servers,
 cn=admin data</screen>
 cn=admin data</computeroutput>
     </screen>
    </step>
   </substeps>
  </step>
@@ -472,28 +498,32 @@
   <para>Stop replication temporarily and then start it again as described
   in the <citetitle>Administration Guide</citetitle> section on <link
   xlink:href="admin-guide#configure-repl"
   xlink:role="http://docbook.org/xlink/role/olink"
    xlink:show="new"
    xlink:href="admin-guide#configure-repl"
    xlink:role="http://docbook.org/xlink/role/olink"
   ><citetitle>Configuring Replication</citetitle></link>.</para>
   <screen>$ dsconfig
 set-synchronization-provider-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --set enabled:false
 --no-prompt
$ dsconfig
 set-synchronization-provider-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --set enabled:true
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-synchronization-provider-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --set enabled:false \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-synchronization-provider-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --set enabled:true \
 --no-prompt</userinput>
   </screen>
  </step>
 </procedure>
</chapter>
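Review bot: In the two `ldapmodify` screens that delete and re-add the `ads-certificate` entry, the LDIF lines (`dn: ds-cfg-key-id=ads-certificate,cn=ads-truststore`, `changetype: delete`, and in the second screen `changetype: add` with `objectclass: ds-cfg-self-signed-cert-request`) now sit inside `<computeroutput>`. No `--filename` is given there, so they appear to be what the administrator types on standard input. A reader who copies only the `<userinput>` spans gets a command that waits for input, and the entry is never deleted or re-added. Wrap the LDIF in its own `<userinput>…</userinput>` and open `<computeroutput>` at `Processing DELETE request` and `Processing ADD request` instead. The `Trust this certificate? [no]:` prompt in the same file already separates the typed `yes` this way.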
opends/src/main/docbkx/admin-guide/chap-connection-handlers.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-connection-handlers'
         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
         xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'
         xmlns:xinclude='http://www.w3.org/2001/XInclude'>
         xsi:schemaLocation='http://docbook.org/ns/docbook
                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Configuring Connection Handlers</title>
 <indexterm><primary>Ports</primary><secondary>Configuring</secondary></indexterm>
 <para>This chapter shows you how to configure OpenDJ directory server to
@@ -55,42 +55,50 @@
   <step>
    <para>Change the port number using the <command>dsconfig</command>
    command.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set listen-port:11389
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set listen-port:11389 \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>This example changes the port number to 11389 in the configuration.</para>
   </step>
   <step>
    <para>Restart the connection handler so the change takes effect.</para>
    <para> To restart the connection handler, you disable it, then enable
    it again.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set enabled:false
 --trustAll
 --no-prompt
$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set enabled:false \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -128,11 +136,14 @@
  certificates from many well-known CAs.<footnote><para><filename
   >$JAVA_HOME/jre/lib/security/cacerts</filename> holds the CA certificates.
   To read the full list, use the following command.</para>
   <screen>$ keytool
 -list
 -v
 -keystore $JAVA_HOME/jre/lib/security/cacerts
 -storepass changeit</screen></footnote> If your client uses a valid
   <screen>
$ <userinput>keytool \
 -list \
 -v \
 -keystore $JAVA_HOME/jre/lib/security/cacerts \
 -storepass changeit</userinput>
   </screen></footnote> If your client uses a valid
  certificate signed by one of these CAs, then OpenDJ can verify the
  certificate without additional configuration, because OpenDJ can find
  the CA certificate in the Java CA certificate trust store. Likewise if
@@ -164,22 +175,23 @@
  the signing certificate. Notice that the Owner and the Issuer are the
  same.)</para>
  <screen>$ keytool
 -import
 -alias myapp-cert
 -file myapp-cert.crt
 -keystore /path/to/opendj/config/truststore
 -storepass `cat /path/to/opendj/config/keystore.pin`
Owner: CN=My App, OU=Apps, DC=example, DC=com
  <screen>
$ <userinput>keytool \
 -import \
 -alias myapp-cert \
 -file myapp-cert.crt \
 -keystore /path/to/opendj/config/truststore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
<computeroutput>Owner: CN=My App, OU=Apps, DC=example, DC=com
Issuer: CN=My App, OU=Apps, DC=example, DC=com
Serial number: 5ae2277
Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
Certificate fingerprints:
     MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
     SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
     SHA256: 2D:B1:58:CD:33:40:E9:ED:...:EA:C9:FF:6A:19:93:FE:E4:84:E3
     Signature algorithm name: SHA256withRSA
     Version: 3
  MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
  SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
  SHA256: 2D:B1:58:CD:33:40:E9:ED:...:EA:C9:FF:6A:19:93:FE:E4:84:E3
  Signature algorithm name: SHA256withRSA
  Version: 3
Extensions:
@@ -191,8 +203,9 @@
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
  </screen>
  <para>When working with a certificate in printable encoding format (.pem)
  rather than binary format, use the <option>-rfc</option> option, too.</para>
@@ -208,13 +221,15 @@
  <para>The following example shows the <command>keytool</command> command
  to export the OpenDJ self-signed certificate in binary format.</para>
  <screen>$ keytool
 -export
 -alias server-cert
 -file server-cert.crt
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
Certificate stored in file &lt;server-cert.crt&gt;</screen>
  <screen>
$ <userinput>keytool \
 -export \
 -alias server-cert \
 -file server-cert.crt \
 -keystore /path/to/opendj/config/keystore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
<computeroutput>Certificate stored in file &lt;server-cert.crt&gt;</computeroutput>
  </screen>
  <para>Importing the server certificate is similar to importing the client
  certificate, as shown above.</para>
@@ -238,14 +253,16 @@
    <para>The CN attribute value is the FQDN for OpenDJ directory server, which
    you can see under Server Details in the OpenDJ Control Panel.</para>
    <screen>$ keytool
 -genkey
 -alias server-cert
 -keyalg rsa
 -dname "CN=opendj.example.com,O=Example Corp,C=FR"
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -keypass changeit</screen>
    <screen>
$ <userinput>keytool \
 -genkey \
 -alias server-cert \
 -keyalg rsa \
 -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
 -keystore /path/to/opendj/config/keystore \
 -storepass changeit \
 -keypass changeit</userinput>
    </screen>
    <note><para>Notice that the <option>-storepass</option> and
    <option>-keypass</option> options take identical password arguments.
@@ -257,12 +274,14 @@
    <para>Create a certificate signing request file for the certificate you
    generated.</para>
    <screen>$ keytool
 -certreq
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -file server-cert.csr</screen>
    <screen>
$ <userinput>keytool \
 -certreq \
 -alias server-cert \
 -keystore /path/to/opendj/config/keystore \
 -storepass changeit \
 -file server-cert.csr</userinput>
    </screen>
   </step>
   <step>
@@ -333,22 +352,23 @@
    <command>openssl</command> documentation for instructions on creating CAs
    and on signing other certificates with the CA you created.</para>
    <screen>$ keytool
 -import
 -keystore /path/to/opendj/config/keystore
 -file ca.crt
 -alias ca-cert
 -storepass changeit
Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
    <screen>
$ <userinput>keytool \
 -import \
 -keystore /path/to/opendj/config/keystore \
 -file ca.crt \
 -alias ca-cert \
 -storepass changeit</userinput>
<computeroutput>Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
Issuer: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
Serial number: d4586ea05c878b0c
Valid from: Tue Jan 29 09:30:31 CET 2013 until: Mon Jan 24 09:30:31 CET 2033
Certificate fingerprints:
     MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
     SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
     SHA256: 5D:20:F1:86:CC:CD:64:50:...:DF:15:43:07:69:44:00:FB:36:CF
     Signature algorithm name: SHA1withRSA
     Version: 3
  MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
  SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
  SHA256: 5D:20:F1:86:CC:CD:64:50:...:DF:15:43:07:69:44:00:FB:36:CF
  Signature algorithm name: SHA1withRSA
  Version: 3
Extensions:
@@ -376,8 +396,9 @@
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>
   </step>
   <step>
@@ -387,15 +408,17 @@
    <para>In this example the certificate from the reply is
    <filename>~/Downloads/server-cert.crt</filename>.</para>
    <screen>$ keytool
 -import
 -trustcacerts
 -alias server-cert
 -file ~/Downloads/server-cert.crt
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -keypass changeit
Certificate reply was installed in keystore</screen>
    <screen>
$ <userinput>keytool \
 -import \
 -trustcacerts \
 -alias server-cert \
 -file ~/Downloads/server-cert.crt \
 -keystore /path/to/opendj/config/keystore \
 -storepass changeit \
 -keypass changeit</userinput>
<computeroutput>Certificate reply was installed in keystore</computeroutput>
    </screen>
   </step>
   <step>
@@ -403,36 +426,40 @@
    name and key store PIN that you set up with the <command>keytool</command>
    command.</para>
    <screen>$ dsconfig
 set-key-manager-provider-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name JKS
 --set enabled:true
 --set key-store-pin:changeit
 --remove key-store-pin-file:config/keystore.pin
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-key-manager-provider-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name JKS \
 --set enabled:true \
 --set key-store-pin:changeit \
 --remove key-store-pin-file:config/keystore.pin \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Configure the File Based Trust Manager Provider for JKS to use the
    key store and PIN as well.</para>
    <screen>$ dsconfig
 set-trust-manager-provider-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name JKS
 --set enabled:true
 --set trust-store-file:config/keystore
 --set trust-store-pin:changeit
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-trust-manager-provider-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name JKS \
 --set enabled:true \
 --set trust-store-file:config/keystore \
 --set trust-store-pin:changeit \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>At this point, OpenDJ directory server can use your new CA-signed
    certificate, for example for StartTLS and LDAPS connection handlers.</para>
@@ -475,14 +502,17 @@
   <step>
    <para>Generate the server certificate using the Java
    <command>keytool</command> command.</para>
    <screen>$ keytool
 -genkey
 -alias server-cert
 -keyalg rsa
 -dname "CN=opendj.example.com,O=Example Corp,C=FR"
 -keystore /path/to/opendj/config/keystore
 -storepass changeit
 -keypass changeit</screen>
    <screen>
$ <userinput>keytool \
 -genkey \
 -alias server-cert \
 -keyalg rsa \
 -dname "CN=opendj.example.com,O=Example Corp,C=FR" \
 -keystore /path/to/opendj/config/keystore \
 -storepass changeit \
 -keypass changeit</userinput>
    </screen>
    <para>In this example, OpenDJ is running on a system with fully qualified
    host name <literal>opendj.example.com</literal>. The Java Key Store (JKS)
@@ -501,11 +531,14 @@
   </step>
   <step>
    <para>Self-sign the server certificate.</para>
    <screen>$ keytool
 -selfcert
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass changeit</screen>
    <screen>
$ <userinput>keytool \
 -selfcert \
 -alias server-cert \
 -keystore /path/to/opendj/config/keystore \
 -storepass changeit</userinput>
    </screen>
   </step>
   <step>
    <para>Configure the File Based Key Manager Provider for JKS to access the
@@ -518,20 +551,22 @@
    reusing the <literal>server-cert</literal> alias and password stored in
    <filename>keystore.pin</filename>, then you can skip this step.</para>
    <screen>$ echo changeit > /path/to/opendj/config/keystore.pin
$ chmod 600 /path/to/opendj/config/keystore.pin
$ dsconfig
 set-key-manager-provider-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name JKS
 --set enabled:true
 --set key-store-file:config/keystore
 --set key-store-pin-file:config/keystore.pin
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>echo changeit > /path/to/opendj/config/keystore.pin</userinput>
$ <userinput>chmod 600 /path/to/opendj/config/keystore.pin</userinput>
$ <userinput>dsconfig \
 set-key-manager-provider-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name JKS \
 --set enabled:true \
 --set key-store-file:config/keystore \
 --set key-store-pin-file:config/keystore.pin \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Configure the File Based Trust Manager Provider for JKS to use the
@@ -539,18 +574,20 @@
    <para>If you skipped the previous step, you can also skip this step.</para>
    <screen>$ dsconfig
 set-trust-manager-provider-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name JKS
 --set enabled:true
 --set trust-store-file:config/keystore
 --set trust-store-pin-file:config/keystore.pin
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-trust-manager-provider-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name JKS \
 --set enabled:true \
 --set trust-store-file:config/keystore \
 --set trust-store-pin-file:config/keystore.pin \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>At this point, OpenDJ directory server can use your new self-signed
    certificate, for example for StartTLS and LDAPS or HTTPS connection
@@ -573,29 +610,34 @@
   <step>
    <para>Make sure you have a server certificate installed.</para>
    <screen>$ keytool
 -list
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
server-cert, Jun 17, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F
    <screen>
$ <userinput>keytool \
 -list \
 -alias server-cert \
 -keystore /path/to/opendj/config/keystore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
<computeroutput>server-cert, Jun 17, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F</computeroutput>
    </screen>
   </step>
   <step>
    <para>Activate StartTLS on the current LDAP port.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set allow-start-tls:true
 --set key-manager-provider:JKS
 --set trust-manager-provider:JKS
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set allow-start-tls:true \
 --set key-manager-provider:JKS \
 --set trust-manager-provider:JKS \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>The change takes effect. No need to restart the server.</para>
   </step>
  </procedure>
@@ -620,29 +662,35 @@
   <step>
    <para>Make sure you have a server certificate installed.</para>
    <screen>$ keytool
 -list
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
server-cert, Jun 17, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F
    <screen>
$ <userinput>keytool \
 -list \
 -alias server-cert \
 -keystore /path/to/opendj/config/keystore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
<computeroutput>server-cert, Jun 17, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): 92:B7:4C:4F:2E:24:...:EB:7C:22:3F</computeroutput>
    </screen>
   </step>
   <step>
    <para>Configure the server to activate LDAPS access.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAPS Connection Handler"
 --set listen-port:1636
 --set enabled:true
 --set use-ssl:true
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAPS Connection Handler" \
 --set listen-port:1636 \
 --set enabled:true \
 --set use-ssl:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>This example changes the port number to 1636 in the configuration.</para>
   </step>
  </procedure>
@@ -653,42 +701,50 @@
   <step>
    <para>Change the port number using the <command>dsconfig</command>
    command.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAPS Connection Handler"
 --set listen-port:11636
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAPS Connection Handler" \
 --set listen-port:11636 \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>This example changes the port number to 11636 in the configuration.</para>
   </step>
   <step>
    <para>Restart the connection handler so the change takes effect.</para>
    <para> To restart the connection handler, you disable it, then enable
    it again.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAPS Connection Handler"
 --set enabled:false
 --trustAll
 --no-prompt
$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAPS Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAPS Connection Handler" \
 --set enabled:false \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAPS Connection Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -718,14 +774,17 @@
     <para>Whether the directory server should reject any simple bind request
     that contains a DN but no password. Default: <literal>true</literal></para>
     <para>To change this setting use the following command.</para>
     <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set bind-with-dn-requires-password:false
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set bind-with-dn-requires-password:false \
 --no-prompt</userinput>
     </screen>
    </listitem>
   </varlistentry>
@@ -735,14 +794,17 @@
     <para>Restricts the number of concurrent client connections to the
     directory server. Default: 0, meaning no limit is set</para>
     <para>To set a limit of 32768 use the following command.</para>
     <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set max-allowed-client-connections:32768
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set max-allowed-client-connections:32768 \
 --no-prompt</userinput>
     </screen>
    </listitem>
   </varlistentry>
@@ -754,14 +816,17 @@
     authentication attempt was unsuccessful, or whose last authentication
     attempt used anonymous authentication. Default: <literal>false</literal></para>
     <para>To shut down anonymous binds use the following command.</para>
     <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set reject-unauthenticated-requests:true
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set reject-unauthenticated-requests:true \
 --no-prompt</userinput>
     </screen>
    </listitem>
   </varlistentry>
@@ -774,14 +839,17 @@
     written to the server errors log. Default: <literal>false</literal></para>
     <para>To have OpenDJ return additional information about why a bind failed
     use the following command.</para>
     <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set return-bind-error-messages:true
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set return-bind-error-messages:true \
 --no-prompt</userinput>
     </screen>
    </listitem>
   </varlistentry>
  </variablelist>
@@ -806,10 +874,10 @@
  <literal>supportedTLSCiphers</literal> attributes of the root DSE. Install
  unlimited strength Java cryptography extensions for stronger ciphers.</para>
  <screen
  >$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)"
 supportedTLSCiphers supportedTLSProtocols
dn:
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" \
 supportedTLSCiphers supportedTLSProtocols</userinput>
<computeroutput>dn:
supportedTLSCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
supportedTLSCiphers: TLS_RSA_WITH_AES_128_CBC_SHA256
@@ -842,8 +910,8 @@
supportedTLSProtocols: SSLv3
supportedTLSProtocols: TLSv1
supportedTLSProtocols: TLSv1.1
supportedTLSProtocols: TLSv1.2
</screen>
supportedTLSProtocols: TLSv1.2</computeroutput>
  </screen>
  <para>You can restrict the list of protocols and cipher suites used by setting
  the <literal>ssl-protocol</literal> and <literal>ssl-cipher-suite</literal>
@@ -856,17 +924,19 @@
  set-connection-handler-prop</command> command as shown in the following
  example.</para>
  <screen>$ dsconfig
   set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAPS Connection Handler"
 --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV
 --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA
 --no-prompt
 --trustAll</screen>
  <screen>
$ <userinput>dsconfig \
   set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAPS Connection Handler" \
 --add ssl-cipher-suite:TLS_EMPTY_RENEGOTIATION_INFO_SCSV \
 --add ssl-cipher-suite:TLS_RSA_WITH_AES_256_CBC_SHA \
 --no-prompt \
 --trustAll</userinput>
  </screen>
 </section>
 <section xml:id="setup-rest2ldap">
@@ -919,31 +989,35 @@
   <step>
    <para>Enable the connection handler.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 --set enabled:true
 --no-prompt
 --trustAll</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "HTTP Connection Handler" \
 --set enabled:true \
 --no-prompt \
 --trustAll</userinput>
    </screen>
   </step>
   <step>
    <para>Enable the HTTP access log.</para>
    <screen>$ dsconfig
 set-log-publisher-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based HTTP Access Logger"
 --set enabled:true
 --no-prompt
 --trustAll</screen>
    <screen>
$ <userinput>dsconfig \
 set-log-publisher-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based HTTP Access Logger" \
 --set enabled:true \
 --no-prompt \
 --trustAll</userinput>
    </screen>
    <para>This enables the HTTP access log,
    <filename>opendj/logs/http-access</filename>. For details on the
@@ -959,9 +1033,9 @@
    <para>The HTTP connection handler paths start by default at the root
    context, as shown in the following example.</para>
    <screen>$ curl http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen
 ?_prettyPrint=true
{
    <screen width="88">
$ <userinput>curl http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000315fb731",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "manager" : [ {
@@ -979,7 +1053,8 @@
  },
  "userName" : "bjensen@example.com",
  "displayName" : "Barbara Jensen"
}</screen>
}</computeroutput>
    </screen>
   </step>
   <step performance="optional">
@@ -999,45 +1074,50 @@
    Secure Communications</citetitle></link> for additional instructions
    including how to import a CA-signed certificate.</para>
    <screen>$ dsconfig
 set-trust-manager-provider-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Blind Trust"
 --set enabled:true
 --no-prompt
 --trustAll
$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 --set listen-port:8443
 --set use-ssl:true
 --set key-manager-provider:JKS
 --set trust-manager-provider:"Blind Trust"
 --no-prompt
 --trustAll
$ stop-ds --restart
Stopping Server...
.... The Directory Server has started successfully
$ keytool
 -export
 -rfc
 -alias server-cert
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
 -file server-cert.pem
Certificate stored in file &lt;server-cert.pem&gt;
$ curl
 --cacert server-cert.pem
 --user bjensen:hifalutin
 https://opendj.example.com:8443/users/bjensen?_prettyPrint=true
{
    <screen>
$ <userinput>dsconfig \
 set-trust-manager-provider-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Blind Trust" \
 --set enabled:true \
 --no-prompt \
 --trustAll</userinput>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "HTTP Connection Handler" \
 --set listen-port:8443 \
 --set use-ssl:true \
 --set key-manager-provider:JKS \
 --set trust-manager-provider:"Blind Trust" \
 --no-prompt \
 --trustAll</userinput>
$ <userinput>stop-ds --restart</userinput>
<computeroutput>Stopping Server...
.... The Directory Server has started successfully</computeroutput>
$ <userinput>keytool \
 -export \
 -rfc \
 -alias server-cert \
 -keystore /path/to/opendj/config/keystore \
 -storepass `cat /path/to/opendj/config/keystore.pin` \
 -file server-cert.pem</userinput>
<computeroutput>Certificate stored in file &lt;server-cert.pem&gt;</computeroutput>
$ <userinput>curl \
 --cacert server-cert.pem \
 --user bjensen:hifalutin \
 https://opendj.example.com:8443/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "0000000018c8b685",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -1055,7 +1135,15 @@
    "_id" : "trigden",
    "displayName" : "Torrey Rigden"
  } ]
}</screen>
}</computeroutput>
    </screen>
    <para>
     Notice the <option>--cacert server-cert.pem</option> option
     used with the <command>curl</command> command.
     This is the way to specify a self-signed server certificate
     when using HTTPS.
    </para>
   </step>
  </procedure>
@@ -1219,21 +1307,28 @@
   
   <step>
    <para>Configure the server to activate JMX access.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "JMX Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "JMX Connection Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>This example uses the default port number, 1689.</para>
   </step>
   <step>
    <para>Restart the server so the change takes effect.</para>
    <screen>$ stop-ds --restart</screen>
    <screen>
$ <userinput>stop-ds --restart</userinput>
    </screen>
   </step>
  </procedure>
@@ -1303,21 +1398,29 @@
   
   <step>
    <para>Activate LDIF file access.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDIF Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDIF Connection Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>The change takes effect immediately.</para>
   </step>
   <step>
    <para>Add the directory where you put LDIF to be processed.</para>
    <screen>$ mkdir /path/to/opendj/config/auto-process-ldif</screen>
    <screen>
$ <userinput>mkdir /path/to/opendj/config/auto-process-ldif</userinput>
    </screen>
    <para>This example uses the default value of the
    <literal>ldif-directory</literal> property for the LDIF connection
    handler.</para>
opends/src/main/docbkx/admin-guide/chap-groups.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-groups'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Working With Groups of Entries</title>
 <para>OpenDJ supports several methods of grouping entries in the directory.
@@ -52,18 +52,20 @@
  generated data during setup and did not create an organizational unit for
  groups yet, create the entry before you try the examples.</para>
  <screen>$ ldapmodify
 --defaultAdd
 --port 1389
 --bindDN "cn=Directory Manager"
  <screen>
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups
Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com</screen>
</userinput>
<computeroutput>Processing ADD request for ou=Groups,dc=example,dc=com
ADD operation successful for DN ou=Groups,dc=example,dc=com</computeroutput>
  </screen>
 </tip>
 <section xml:id="static-groups">
@@ -102,8 +104,9 @@
  <para>To create a static group, add a group entry such as the following
  to the directory.</para>
  <screen>$ cat static.ldif
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>cat static.ldif</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
cn: My Static Group
objectClass: groupOfNames
objectClass: top
@@ -111,38 +114,43 @@
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename static.ldif
Processing ADD request for cn=My Static Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename static.ldif</userinput>
<computeroutput>Processing ADD request for cn=My Static Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=My Static Group,ou=Groups,dc=example,dc=com</computeroutput>
  </screen>
  
  <para>To change group membership, modify the values of the membership
  attribute.</para>
  
  <screen>$ cat add2grp.ldif
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>cat add2grp.ldif</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
changetype: modify
add: member
member: uid=scarter,ou=People,dc=example,dc=com
</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename add2grp.ldif
Processing MODIFY request for cn=My Static Group,ou=Groups,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename add2grp.ldif</userinput>
<computeroutput>Processing MODIFY request for cn=My Static Group,ou=Groups,dc=example,dc=com
MODIFY operation successful for DN
 cn=My Static Group,ou=Groups,dc=example,dc=com
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 "(cn=My Static Group)"
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(cn=My Static Group)"</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: groupOfNames
objectClass: top
@@ -150,7 +158,8 @@
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com
cn: My Static Group</screen>
cn: My Static Group</computeroutput>
  </screen>
  <para>RFC 4519 says a <literal>groupOfNames</literal> entry must have
  at least one member. Although OpenDJ allows you to create a
@@ -159,25 +168,27 @@
  <literal>groupOfEntries</literal> object class as shown in the following
  example.</para>
  <screen>$ cat group-of-entries.ldif
dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>cat group-of-entries.ldif</userinput>
<computeroutput>dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
cn: Initially Empty Static Group
objectClass: groupOfEntries
objectClass: top
ou: Groups
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename group-of-entries.ldif
Processing ADD request for
</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename group-of-entries.ldif</userinput>
<computeroutput>Processing ADD request for
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
$ cat add-members.ldif
# Now add some members to the group.
</computeroutput>
$ <userinput>cat add-members.ldif</userinput>
<computeroutput># Now add some members to the group.
dn: cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
changetype: modify
add: member
@@ -185,16 +196,17 @@
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename add-members.ldif
Processing MODIFY request for
</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename add-members.ldif</userinput>
<computeroutput>Processing MODIFY request for
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com
MODIFY operation successful for DN
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com</screen>
 cn=Initially Empty Static Group,ou=Groups,dc=example,dc=com</computeroutput>
  </screen>
 </section>
 <section xml:id="dynamic-groups">
@@ -220,62 +232,66 @@
  is Cupertino). Change the filter if your data is different, and so no
  entries have <literal>l: Cupertino</literal>.</para>
  <screen>$ cat dynamic.ldif
dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>cat dynamic.ldif</userinput>
<computeroutput>dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
cn: My Dynamic Group
objectClass: top
objectClass: groupOfURLs
ou: Groups
memberURL: ldap:///ou=People,dc=example,dc=com??sub?l=Cupertino
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename dynamic.ldif
Processing ADD request for cn=My Dynamic Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=My Dynamic Group,ou=Groups,dc=example,dc=com</screen>
</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename dynamic.ldif</userinput>
<computeroutput>Processing ADD request for cn=My Dynamic Group,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
  </screen>
  
  <para>Group membership changes dynamically as entries change to match the
  <literal>memberURL</literal> values.</para>
  
  <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 "(&amp;(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))"
 mail
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen width="81">
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(&amp;(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
 mail</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
dn: uid=rjensen,ou=People,dc=example,dc=com
mail: rjensen@example.com
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
dn: uid=ajensen,ou=People,dc=example,dc=com
</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
changetype: modify
replace: l
l: Cupertino
Processing MODIFY request for uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com
^D
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 "(&amp;(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))"
 mail
dn: uid=ajensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ajensen,ou=People,dc=example,dc=com</computeroutput>
<userinput>^D</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(&amp;(uid=*jensen)(isMemberOf=cn=My Dynamic Group,ou=Groups,dc=example,dc=com))" \
 mail</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
mail: ajensen@example.com
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
dn: uid=rjensen,ou=People,dc=example,dc=com
mail: rjensen@example.com</screen>
mail: rjensen@example.com</computeroutput>
  </screen>
 </section>
 <section xml:id="virtual-static-groups">
@@ -303,38 +319,42 @@
  <literal>Virtual Static member</literal> or
  <literal>Virtual Static uniqueMember</literal> property.</para>
  
  <screen>$ dsconfig
 set-virtual-attribute-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --name "Virtual Static member"
 --set allow-retrieving-membership:true
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-virtual-attribute-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --name "Virtual Static member" \
 --set allow-retrieving-membership:true \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  
  <para>The following example creates a virtual static group, and reads the
  group entry with all members.</para>
  
  <screen>$ cat virtual.ldif
dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>cat virtual.ldif</userinput>
<computeroutput>dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
cn: Virtual Static
objectclass: top
objectclass: groupOfNames
objectclass: ds-virtual-static-group
ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com
</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename virtual.ldif</userinput>
<computeroutput>Processing ADD request for cn=Virtual Static,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=Virtual Static,ou=Groups,dc=example,dc=com</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename virtual.ldif
Processing ADD request for cn=Virtual Static,ou=Groups,dc=example,dc=com
ADD operation successful for DN cn=Virtual Static,ou=Groups,dc=example,dc=com
$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Virtual Static)"
dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Virtual Static)"</userinput>
<computeroutput>dn: cn=Virtual Static,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: ds-virtual-static-group
objectClass: top
@@ -374,7 +394,8 @@
member: uid=abergin,ou=People,dc=example,dc=com
member: uid=mschneid,ou=People,dc=example,dc=com
cn: Virtual Static
ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</screen>
ds-target-group-dn: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
  </screen>
 </section>
 <section xml:id="group-membership">
@@ -387,15 +408,17 @@
  <para>OpenDJ lets you look up which groups a user belongs to by using the
  <literal>isMemberOf</literal> attribute.</para>
  
  <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=bjensen
 isMemberOf
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 isMemberOf</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
isMemberOf: cn=My Static Group,ou=Groups,dc=example,dc=com
isMemberOf: cn=Virtual Static,ou=Groups,dc=example,dc=com
isMemberOf: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</screen>
isMemberOf: cn=My Dynamic Group,ou=Groups,dc=example,dc=com</computeroutput>
  </screen>
  
  <para>You must request <literal>isMemberOf</literal> explicitly.</para>
 </section>
@@ -416,21 +439,25 @@
  referential integrity plugin is disabled by default. To enable the plugin,
  use the <command>dsconfig</command> command.</para>
  
  <screen>$ dsconfig
 set-plugin-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "Referential Integrity"
 --set enabled:true
 --trustAll --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-plugin-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Referential Integrity" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>With the plugin enabled, you can see OpenDJ referential integrity
  resolving group membership automatically.</para>
  
  <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: groupOfNames
objectClass: top
@@ -439,23 +466,25 @@
member: uid=tmorris,ou=People,dc=example,dc=com
member: uid=scarter,ou=People,dc=example,dc=com
cn: My Static Group
</computeroutput>
$ <userinput>ldapdelete \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 uid=scarter,ou=People,dc=example,dc=com</userinput>
<computeroutput>Processing DELETE request for uid=scarter,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=scarter,ou=People,dc=example,dc=com</computeroutput>
$ ldapdelete
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 uid=scarter,ou=People,dc=example,dc=com
Processing DELETE request for uid=scarter,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=scarter,ou=People,dc=example,dc=com
$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"
dn: cn=My Static Group,ou=Groups,dc=example,dc=com
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=My Static Group)"</userinput>
<computeroutput>dn: cn=My Static Group,ou=Groups,dc=example,dc=com
ou: Groups
objectClass: groupOfNames
objectClass: top
cn: My Static Group
member: uid=ahunter,ou=People,dc=example,dc=com
member: uid=bjensen,ou=People,dc=example,dc=com
member: uid=tmorris,ou=People,dc=example,dc=com</screen>
member: uid=tmorris,ou=People,dc=example,dc=com</computeroutput>
  </screen>
 <para>By default the referential integrity plugin is configured to manage
 <literal>member</literal> and <literal>uniqueMember</literal> attributes.
opends/src/main/docbkx/admin-guide/chap-import-export.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-import-export'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Importing &amp; Exporting LDIF Data</title>
 <indexterm><primary>Provisioning</primary></indexterm>
 <indexterm><primary>Importing data</primary></indexterm>
@@ -110,15 +110,18 @@
   <step>
    <para>Run the <command>make-ldif</command> command to generate your
    LDIF file.</para>
    <screen>$ make-ldif
 --randomSeed 0
 --templateFile /path/to/my.template
 --ldifFile /path/to/generated.ldif
Processed 1000 entries
    <screen>
$ <userinput>make-ldif \
 --randomSeed 0 \
 --templateFile /path/to/my.template \
 --ldifFile /path/to/generated.ldif</userinput>
<computeroutput>Processed 1000 entries
Processed 2000 entries
...
Processed 10000 entries
LDIF processing complete.  10003 entries written</screen>
LDIF processing complete.  10003 entries written</computeroutput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -153,23 +156,31 @@
      <para>If you want to speed up the process&#8212;for example because you
      have millions of directory entries to import&#8212;first shut down the
      server, and then run the <command>import-ldif</command> command.</para>
      <screen>$ stop-ds
$ import-ldif
 --includeBranch dc=example,dc=org
 --backendID userRoot
 --ldifFile /path/to/generated.ldif</screen>
      <screen>
$ <userinput>stop-ds</userinput>
$ <userinput>import-ldif \
 --includeBranch dc=example,dc=org \
 --backendID userRoot \
 --ldifFile /path/to/generated.ldif</userinput>
      </screen>
     </step>
     <step>
      <para>If not, schedule a task to import the data while online.</para>
      <screen>$ import-ldif
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --includeBranch dc=example,dc=org
 --backendID userRoot
 --ldifFile /path/to/generated.ldif
 --trustAll</screen>
      <screen>
$ <userinput>import-ldif \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --includeBranch dc=example,dc=org \
 --backendID userRoot \
 --ldifFile /path/to/generated.ldif \
 --trustAll</userinput>
      </screen>
     <para>Notice that the task is scheduled through communication over SSL on
     the administration port, by default <literal>4444</literal>. You can
     schedule the import task to start at a particular time using the
@@ -191,24 +202,32 @@
    <step>
     <para>If you want to speed up export, first shut down the server, and then
     export data using the <command>export-ldif</command> command.</para>
     <screen>$ stop-ds
$ export-ldif
 --includeBranch dc=example,dc=org
 --backendID userRoot
 --ldifFile /path/to/backup.ldif</screen>
     <screen>
$ <userinput>stop-ds</userinput>
$ <userinput>export-ldif \
 --includeBranch dc=example,dc=org \
 --backendID userRoot \
 --ldifFile /path/to/backup.ldif</userinput>
     </screen>
     </step>
     <step>
      <para>If not, schedule a task to export the data while online.</para>
     <screen>$ export-ldif
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --includeBranch dc=example,dc=org
 --backendID userRoot
 --ldifFile /path/to/backup.ldif
 --start 20111221230000
 --trustAll</screen>
     <screen>
$ <userinput>export-ldif \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --includeBranch dc=example,dc=org \
 --backendID userRoot \
 --ldifFile /path/to/backup.ldif \
 --start 20111221230000 \
 --trustAll</userinput>
     </screen>
      <para>The <option>--start 20111221230000</option> option tells OpenDJ to
      start the export at 11 PM on December 21, 2012.</para>
      <para>If OpenDJ is stopped at this time, then when you start OpenDJ again,
@@ -236,13 +255,15 @@
   in a similar way to how you search LDAP directories with the
   <command>ldapsearch</command> command.</para>
   
   <screen>$ ldifsearch
 --baseDN dc=example,dc=org
 --ldifFile generated.ldif
 "(sn=Grenier)"
 mobile
dn: uid=user.4630,ou=People,dc=example,dc=org
mobile: +1 728 983 6669</screen>
   <screen>
$ <userinput>ldifsearch \
 --baseDN dc=example,dc=org \
 --ldifFile generated.ldif \
 "(sn=Grenier)" \
 mobile</userinput>
<computeroutput>dn: uid=user.4630,ou=People,dc=example,dc=org
mobile: +1 728 983 6669</computeroutput>
   </screen>
   <para>The <option>--ldifFile <replaceable>ldif-file</replaceable></option>
   option replaces the <option>--hostname</option> and <option>--port</option>
@@ -256,19 +277,21 @@
   <para>The <command>ldifmodify</command> command lets you apply changes to
   LDIF files, generating a new, changed version of the original file.</para>
   
   <screen>$ cat changes.ldif
dn: uid=user.0,ou=People,dc=example,dc=org
   <screen>
$ <userinput>cat changes.ldif</userinput>
<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=org
changetype: modify
replace: description
description: This is the new description for Aaccf Amar.
-
replace: initials
initials: AAA
$ ldifmodify
 --sourceLDIF generated.ldif
 --changesLDIF changes.ldif
 --targetLDIF new.ldif</screen>
</computeroutput>
$ <userinput>ldifmodify \
 --sourceLDIF generated.ldif \
 --changesLDIF changes.ldif \
 --targetLDIF new.ldif</userinput>
   </screen>
   <para>Notice that the resulting new LDIF file is likely to be about the
   same size as the source LDIF file.</para>
@@ -280,8 +303,9 @@
   <para>The <command>ldif-diff</command> command reports differences between
   two LDIF files in LDIF format.</para>
   
   <screen>$ ldif-diff --sourceLDIF old.ldif --targetLDIF new.ldif
dn: uid=user.0,ou=People,dc=example,dc=org
   <screen>
$ <userinput>ldif-diff --sourceLDIF old.ldif --targetLDIF new.ldif</userinput>
<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=org
changetype: modify
add: initials
initials: AAA
@@ -294,8 +318,8 @@
-
delete: description
description: This is the description for Aaccf Amar.
</screen>
</computeroutput>
   </screen>
   <para>As the <command>ldif-diff</command> command reads both files into
   memory, constructing tree maps to perform the comparison, the command
@@ -317,10 +341,11 @@
  <literal>userRoot</literal>. You can create new backends using the
  <command>dsconfig</command> command. The following example creates a
  local backend named <literal>testData</literal>.</para>
  <screen>$ dsconfig create-backend --backend-name testData --type local-db
  <screen>
$ <userinput>dsconfig create-backend --backend-name testData --type local-db</userinput>
&gt;&gt;&gt;&gt; Configuring the "base-dn" property
<computeroutput>
>>>> Configuring the "base-dn" property
    Specifies the base DN(s) for the data that the backend handles.
@@ -333,12 +358,12 @@
    Syntax:  DN
Enter a value for the "base-dn" property: dc=example,dc=org
Enter a value for the "base-dn" property:</computeroutput> <userinput>dc=example,dc=org</userinput>
<computeroutput>
Enter another value for the "base-dn" property [continue]: 
&gt;&gt;&gt;&gt; Configuring the "enabled" property
>>>> Configuring the "enabled" property
    Indicates whether the backend is enabled in the server.
@@ -353,10 +378,10 @@
    ?)  help
    q)  quit
Enter choice: 1
Enter choice:</computeroutput> <userinput>1</userinput>
<computeroutput>
&gt;&gt;&gt;&gt; Configure the properties of the Local DB Backend
>>>> Configure the properties of the Local DB Backend
        Property           Value(s)
        --------------------------------------
@@ -376,9 +401,11 @@
Enter choice [f]: 
The Local DB Backend was created successfully</screen>
The Local DB Backend was created successfully</computeroutput>
  </screen>
  <para>Alternatively, you can create a new backend in OpenDJ Control Panel
  (Directory Data &gt; New Base DN... &gt; Backend &gt; New Backend:
  (Directory Data > New Base DN > Backend > New Backend:
  <replaceable>backend-name</replaceable>).</para>
 </section>
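Review bot: The online import and export examples (hunks `@@ -153,23 +156,31 @@` and `@@ -191,24 +202,32 @@`) are now marked up for copy and paste, but they still pass `--bindPassword password` as an argument and accept any server certificate with `--trustAll`, with no caveat beside them. A password given on the command line typically ends up in shell history and process listings, and `--trustAll` gives up the server authentication that the SSL administration connection described just below would otherwise provide. I would add a DocBook note after the first such example, along the lines of `These examples use --bindPassword and --trustAll for brevity; in production, read the password from a file with --bindPasswordFile and validate the server certificate against a trust store.` The same applies to the `dsconfig`, `ldapsearch` and `rebuild-index` examples in chap-indexing.xml. Separately, the context line after the export example says `--start 20111221230000` starts the export on December 21, 2012, while the timestamp itself reads 2011.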
opends/src/main/docbkx/admin-guide/chap-indexing.xml
@@ -75,10 +75,12 @@
   allows clients to find people even when they misspell names as in the
   following example.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn~=Babs Jansen)" cn
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn~=Babs Jansen)" cn</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen</screen>
cn: Babs Jensen</computeroutput>
   </screen>
  </section>
  
  <section xml:id="indexes-equality">
@@ -93,9 +95,11 @@
   the search filter. An equality index requires clients to match values
   without wildcards or misspellings.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)" mail
dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com</screen>
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)" mail</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com</computeroutput>
   </screen>
  </section>
  
  <section xml:id="indexes-ordering">
@@ -112,9 +116,10 @@
   
   <para>The following example shows a search that specifies ranges.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com
 "(&amp;(uidNumber&gt;=1120)(roomNumber&gt;=4500))" uid
dn: uid=charvey,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com \
 "(&amp;(uidNumber&gt;=1120)(roomNumber&gt;=4500))" uid</userinput>
<computeroutput>dn: uid=charvey,ou=People,dc=example,dc=com
uid: charvey
dn: uid=eward,ou=People,dc=example,dc=com
@@ -124,7 +129,8 @@
uid: mvaughan
dn: uid=pchassin,ou=People,dc=example,dc=com
uid: pchassin</screen>
uid: pchassin</computeroutput>
   </screen>
  </section>
  
  <section xml:id="indexes-presence">
@@ -139,10 +145,12 @@
   attribute is indexed for presence by default to allow quick retrieval
   of entries with ACIs.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(aci=*)" -
dn: dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(aci=*)" -</userinput>
<computeroutput>dn: dc=example,dc=com
dn: ou=People,dc=example,dc=com</screen>
dn: ou=People,dc=example,dc=com</computeroutput>
   </screen>
  </section>
  
  <section xml:id="indexes-substring">
@@ -156,8 +164,9 @@
   in the filter. Substring indexes can be expensive to maintain, especially
   for large attribute values.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Barb*)" cn
dn: uid=bfrancis,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(cn=Barb*)" cn</userinput>
<computeroutput>dn: uid=bfrancis,ou=People,dc=example,dc=com
cn: Barbara Francis
dn: uid=bhal2,ou=People,dc=example,dc=com
@@ -171,7 +180,8 @@
cn: Babs Jensen
dn: uid=bmaddox,ou=People,dc=example,dc=com
cn: Barbara Maddox</screen>
cn: Barbara Maddox</computeroutput>
   </screen>
  </section>
  
  <section xml:id="indexes-vlv">
@@ -221,16 +231,18 @@
  <para>A simple way of checking the indexes that match a search is to request
  the <literal>debugsearchindex</literal> attribute in your results.</para>
  <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 "(uid=user.1000)"
 debugsearchindex
dn: cn=debugsearch
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 "(uid=user.1000)" \
 debugsearchindex</userinput>
<computeroutput>dn: cn=debugsearch
debugsearchindex: filter=(uid=user.1000)[INDEX:uid.equality][COUNT:1] final=[COU
 NT:1]</screen>
 NT:1]</computeroutput>
  </screen>
  <para>When you request the <literal>debugsearchindex</literal> attribute,
  instead of performing the search, OpenDJ returns debug information indicating
@@ -240,32 +252,37 @@
  <para>A less exact search requires more work from OpenDJ. In the following
  example OpenDJ would have to return over 10,000 entries.</para>
  <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 "(uid=*)"
 debugsearchindex
dn: cn=debugsearch
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 "(uid=*)" \
 debugsearchindex</userinput>
<computeroutput>dn: cn=debugsearch
debugsearchindex: filter=(uid=*)[NOT-INDEXED] scope=wholeSubtree[LIMIT-EXCEEDED:
 10002] final=[NOT-INDEXED]</screen>
 10002] final=[NOT-INDEXED]</computeroutput>
</screen>
  <para>By default OpenDJ rejects unindexed searches when the number of
  candidate entries goes beyond the search or look-though limit.</para>
  <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=*)"
SEARCH operation failed
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=*)"</userinput>
<computeroutput>SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  You do not have sufficient privileges to perform
 an unindexed search</screen>
 an unindexed search</computeroutput>
  </screen>
  <para>When an unindexed search is performed, it shows up in the access
  log with the <literal>unindexed</literal> label.</para>
  <programlisting language="none"
  >...SEARCH RES ... result=50 message="You do not have sufficient privileges
 to perform an unindexed search" nentries=0 unindexed etime=1</programlisting>
  <programlisting language="none">
...SEARCH RES ... result=50 message="You do not have sufficient privileges
 to perform an unindexed search" nentries=0 unindexed etime=1
  </programlisting>
  <para>If directory users tell you their client applications are getting this
  error, then you can work with them either to help them make their search
@@ -293,8 +310,9 @@
  shows up in the access log with the label <literal>unindexed</literal>,
  usually with a large etime as well.</para>
  <programlisting language="none"
  >...SEARCH RES conn=11 op=1 msgID=2 result=0 nentries=10000 unindexed etime=1129</programlisting>
  <programlisting language="none">
...SEARCH RES conn=11 op=1 msgID=2 result=0 nentries=10000 unindexed etime=1129
  </programlisting>
  <para>There is a trade off between the cost of maintaining an index and the
  value the index has in speeding up searches. Although monitoring index use
@@ -303,36 +321,40 @@
  activate index analysis using the <command>dsconfig set-backend-prop</command>
  command.</para>
  <screen>$ dsconfig
 set-backend-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --set index-filter-analyzer-enabled:true
 --no-prompt
 --trustAll</screen>
  <screen>
$ <userinput>dsconfig \
 set-backend-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --set index-filter-analyzer-enabled:true \
 --no-prompt \
 --trustAll</userinput>
  </screen>
  <para>The command causes OpenDJ to analyze filters used and keep the results
  in memory, so that you can read them through the <literal>cn=monitor</literal>
  interface.</para>
  <screen>$ ldapsearch
 --port 1389
 --baseDN "cn=userRoot Database Environment,cn=monitor"
 --bindDN "cn=Directory Manager"
 --bindPassword password
 "(objectclass=*)"
 filter-use
dn: cn=userRoot Database Environment,cn=monitor
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN "cn=userRoot Database Environment,cn=monitor" \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 "(objectclass=*)" \
 filter-use</userinput>
<computeroutput>dn: cn=userRoot Database Environment,cn=monitor
filter-use: (mail=aa*@maildomain.net) hits:1 maxmatches:0 message:
filter-use: (objectClass=*) hits:1 maxmatches:-1 message:presence index type is
 disabled for the objectClass attribute
filter-use: (uid=user.1000) hits:2 maxmatches:1 message:
filter-use: (uid=user.1001) hits:1 maxmatches:1 message:
filter-use: (cn=aa*) hits:1 maxmatches:10 message:
filter-use: (cn=b*) hits:1 maxmatches:834 message:</screen>
filter-use: (cn=b*) hits:1 maxmatches:834 message:</computeroutput>
  </screen>
  <para>The <literal>filter-use</literal> values consist of the filter, followed
  by <literal>hits</literal> being the number of times the filter was used,
@@ -342,16 +364,18 @@
  <para>You can turn off index analysis with the <command>dsconfig
  set-backend-prop</command> command as well.</para>
  <screen>$ dsconfig
 set-backend-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --set index-filter-analyzer-enabled:false
 --no-prompt
 --trustAll</screen>
  <screen>
$ <userinput>dsconfig \
 set-backend-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --set index-filter-analyzer-enabled:false \
 --no-prompt \
 --trustAll</userinput>
  </screen>
 </section>
 <section xml:id="configure-indexes">
@@ -388,17 +412,19 @@
    <para>The following example creates a new substring index for
    <literal>description</literal>.</para>
    
    <screen>$ dsconfig
 create-local-db-index
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --index-name description
 --set index-type:substring
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-local-db-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --index-name description \
 --set index-type:substring \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </example>
   
   <example xml:id="approx-index-example">
@@ -411,17 +437,19 @@
    <para>The following example configures an approximate index for
    <literal>cn</literal> (common name).</para>
    
    <screen>$ dsconfig
 set-local-db-index-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --index-name cn
 --set index-type:approximate
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-local-db-index-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --index-name cn \
 --set index-type:approximate \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </example>
   <example xml:id="extensible-match-index-example">
@@ -439,19 +467,21 @@
    index for "later than" and "earlier than" generalized time matching on
    a <literal>lastLoginTime</literal> attribute.</para>
    <screen>$ dsconfig
 create-local-db-index
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --set index-type:extensible
 --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.5
 --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.6
 --index-name lastLoginTime
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-local-db-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --set index-type:extensible \
 --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.5 \
 --set index-extensible-matching-rule:1.3.6.1.4.1.26027.1.4.6 \
 --index-name lastLoginTime \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </example>
  </section>
  
@@ -462,14 +492,20 @@
    <secondary>Virtual list view (browsing)</secondary>
   </indexterm>
   
   <para>In the OpenDJ Control Panel, select Manage Indexes &gt;
   New VLV Index..., and then set up your VLV index using the New VLV
   <para>In the OpenDJ Control Panel, select Manage Indexes >
   New VLV Index, and then set up your VLV index using the New VLV
   Index window.</para>
  
   <mediaobject xml:id="figure-create-vlv-index">
    <alt>New VLV Index window</alt>
    <imageobject>
     <imagedata fileref="images/create-vlv-index.png" format="PNG" />
    </imageobject>
    <textobject>
     <para>
      The New VLV Index window helps you to configure a browsing index.
     </para>
    </textobject>
   </mediaobject>
   <para>After you finish configuring your index and click OK, the Control
@@ -479,20 +515,22 @@
   <para>You can also create the equivalent index configuration using the
   <command>dsconfig</command> command.</para>
   
   <screen>$ dsconfig
 create-local-db-vlv-index
 --port 4444
 --hostname opendj.example.com
 --bindDn "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --index-name people-by-last-name
 --set base-dn:ou=People,dc=example,dc=com
 --set filter:"(|(givenName=*)(sn=*))"
 --set scope:single-level
 --set sort-order:"+sn +givenName"
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-local-db-vlv-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDn "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --index-name people-by-last-name \
 --set base-dn:ou=People,dc=example,dc=com \
 --set filter:"(|(givenName=*)(sn=*))" \
 --set scope:single-level \
 --set sort-order:"+sn +givenName" \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <note>
    <para>When referring to a virtual list view (VLV) index after creation, you
@@ -525,15 +563,17 @@
    <para>The following example rebuilds the <literal>cn</literal> index
    immediately with the server online.</para>
    
    <screen>$ rebuild-index
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 --index cn
 --start 0
Rebuild Index task 20110607171639867 scheduled to start Jun 7, 2011 5:16:39 PM</screen>
    <screen>
$ <userinput>rebuild-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 --index cn \
 --start 0</userinput>
<computeroutput>Rebuild Index task 20110607171639867 scheduled to start Jun 7, 2011 5:16:39 PM</computeroutput>
    </screen>
   </example>
   <example xml:id="rebuild-degraded-indexes-example">
@@ -542,14 +582,15 @@
    <para>The following example rebuilds degraded indexes immediately with
    the server online.</para>
    <screen>$ rebuild-index
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 --rebuildDegraded
...
    <screen>
$ <userinput>rebuild-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 --rebuildDegraded</userinput>
<computeroutput>...
[31/Jan/2012:16:43:25 +0100] severity="NOTICE" msgCount=7 msgID=8847510
 message="Due to changes in the configuration, index
 dc_example_dc_com_description is currently operating in a degraded state
@@ -562,7 +603,8 @@
 message="Rebuild complete. Processed 160 entries in 0 seconds (average
 rate 1860.5/sec)"
...
Rebuild Index task 20120131164324838 has been successfully completed</screen>
Rebuild Index task 20120131164324838 has been successfully completed</computeroutput>
    </screen>
   </example>
   <example xml:id="clear-degraded-indexes-example">
@@ -583,33 +625,37 @@
    is shown in the following example, where an index has just been created
    for <literal>newUnusedAttribute</literal>.</para>
    <screen>$ dbtest
 list-index-status
 --backendID userRoot
 --baseDN dc=example,dc=com
 | grep newUnusedAttribute
newUnusedAttribute.equality   Index  ...newUnusedAttribute.equality   false...
    <screen>
$ <userinput>dbtest \
 list-index-status \
 --backendID userRoot \
 --baseDN dc=example,dc=com \
 | grep newUnusedAttribute</userinput>
<computeroutput>newUnusedAttribute.equality   Index  ...newUnusedAttribute.equality   false...
newUnusedAttribute.presence   Index  ...newUnusedAttribute.presence   false...
newUnusedAttribute.substring  Index  ...newUnusedAttribute.substring  false...
$ rebuild-index
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 --clearDegradedState
 --index newUnusedAttribute
 --start 0
Rebuild Index task 20130211175925012 scheduled to start Feb 11, 2013 5:59:25
 PM CET
$ dbtest
 list-index-status
 --backendID userRoot
 --baseDN dc=example,dc=com
 | grep newUnusedAttribute
newUnusedAttribute.equality   Index  ...newUnusedAttribute.equality   true...
newUnusedAttribute.substring  Index  ...newUnusedAttribute.substring  false...</computeroutput>
$ <userinput>rebuild-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 --clearDegradedState \
 --index newUnusedAttribute \
 --start 0</userinput>
<computeroutput>Rebuild Index task 20130211175925012 scheduled to start Feb 11, 2013 5:59:25
 PM CET</computeroutput>
$ <userinput>dbtest \
 list-index-status \
 --backendID userRoot \
 --baseDN dc=example,dc=com \
 | grep newUnusedAttribute</userinput>
<computeroutput>newUnusedAttribute.equality   Index  ...newUnusedAttribute.equality   true...
newUnusedAttribute.presence   Index  ...newUnusedAttribute.presence   true...
newUnusedAttribute.substring  Index  ...newUnusedAttribute.substring  true...</screen>
newUnusedAttribute.substring  Index  ...newUnusedAttribute.substring  true...</computeroutput>
    </screen>
    <para>If the newly indexed attribute has already been used, rebuild indexes
    instead.</para>
@@ -650,8 +696,9 @@
   maintained. The "Undefined keys" are then listed below.</para>
   <informalexample><?dbfo pgwide="1"?>
    <screen>$ dbtest list-index-status --backendID userRoot --baseDN dc=example,dc=com
Index Name                 Index Type  JE Database Name                             Index Valid  Record Count  Undefined  95%  90%  85%
    <screen width="136">
$ <userinput>dbtest list-index-status --backendID userRoot --baseDN dc=example,dc=com</userinput>
<computeroutput>Index Name                 Index Type  JE Database Name                             Index Valid  Record Count  Undefined  95%  90%  85%
---------------------------------------------------------------------------------------------------------------------------------------
id2children                Index       dc_example_dc_com_id2children                true         2             1          0    0    0
id2subtree                 Index       dc_example_dc_com_id2subtree                 true         2             2          0    0    0
@@ -686,7 +733,8 @@
Undefined keys: [.net] [@maild] [aildom] [ain.ne] [domain] [et] [ildoma] [in.net] [ldomai] [maildo] [main.n] [n.net] [net] [omain.] [t]
Index: id2subtree
Undefined keys: [1] [2]</screen>
Undefined keys: [1] [2]</computeroutput>
    </screen>
   </informalexample>
   <para>In this case (for a directory with only about 10,000 entries) the
@@ -721,26 +769,29 @@
     production.</para>
    </important>
    <screen>$ dsconfig
 set-local-db-index-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --index-name objectClass
 --set index-entry-limit:5000
 --trustAll
 --no-prompt
$ rebuild-index
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 --index objectclass
 --start 0
Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM</screen>
    <screen>
$ <userinput>dsconfig \
 set-local-db-index-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --index-name objectClass \
 --set index-entry-limit:5000 \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>rebuild-index \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 --index objectclass \
 --start 0</userinput>
<computeroutput>Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM</computeroutput>
    </screen>
   </example>
   
   <para>Alternatively, you can configure the index entry limit for all
@@ -769,12 +820,13 @@
   <para>The following example verifies the <literal>cn</literal> (common
   name) index for completeness and for errors.</para>
   <screen>$ verify-index
 --baseDN dc=example,dc=com
 --index cn
 --clean
 --countErrors
[07/Jun/2011:16:06:50 +0200] category=BACKEND severity=INFORMATION
   <screen>
$ <userinput>verify-index \
 --baseDN dc=example,dc=com \
 --index cn \
 --clean \
 --countErrors</userinput>
<computeroutput>[07/Jun/2011:16:06:50 +0200] category=BACKEND severity=INFORMATION
 msgID=9437595 msg=Local DB backend userRoot does not specify the number of
 lock tables: defaulting to 97
[07/Jun/2011:16:06:50 +0200] category=BACKEND severity=INFORMATION
@@ -791,7 +843,8 @@
 msgID=8388712 msg=Average number of entries referenced is 1.58/record
[07/Jun/2011:16:06:51 +0200] category=JEB severity=INFORMATION
 msgID=8388713 msg=Maximum number of entries referenced by any
 record is 32</screen>
 record is 32</computeroutput>
   </screen>
   <para>Ignore the messages regarding lock tables and cleaner threads. The
   important information is whether any errors are found in the indexes.</para>
opends/src/main/docbkx/admin-guide/chap-ldap-operations.xml
@@ -67,7 +67,9 @@
  visiting the <literal>GNB00</literal> office and are looking for a
  printer.</para>
  
  <screen>$ ldapsearch --baseDN ou=Printers,dc=example,dc=com "(printerLocation=GNB00)"</screen>
  <screen>
$ <userinput>ldapsearch --baseDN ou=Printers,dc=example,dc=com "(printerLocation=GNB00)"</userinput>
  </screen>
  
  <para>In the example, the LDAP filter indicates to the directory that you
  want to lookup printer entries where the <literal>printerLocation</literal>
@@ -101,8 +103,9 @@
   (<literal>uid</literal>) containing <literal>jensen</literal>, returning
   only DNs and user ID values.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=*jensen*)" uid
dn: uid=ajensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=*jensen*)" uid</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen
dn: uid=bjensen,ou=People,dc=example,dc=com
@@ -124,7 +127,8 @@
uid: tjensen
Result Code:  0 (Success)</screen>
Result Code:  0 (Success)</computeroutput>
   </screen>
  </example>
  
  <example xml:id="complex-filter-search">
@@ -135,12 +139,13 @@
   command returns the attributes associated with the <literal>person</literal>
   object class.</para>
   
   <screen>$ ldapsearch
 --port 1389
 --baseDN ou=people,dc=example,dc=com
 "(&amp;(uid=*jensen*)(l=Santa Clara))"
 @person
dn: uid=ajensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN ou=people,dc=example,dc=com \
 "(&amp;(uid=*jensen*)(l=Santa Clara))" \
 @person</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
@@ -179,7 +184,7 @@
cn: Ted Jensen
telephoneNumber: +1 408 555 8622
sn: Jensen
</computeroutput>
</screen>
   
   <para>Complex filters can use both "and" syntax,
@@ -195,15 +200,17 @@
   to return all operational attributes. Alternatively, specify operational
   attributes by name.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen +
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen +</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
numSubordinates: 0
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=bjensen,ou=people,dc=example,dc=com
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c</screen>
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c</computeroutput>
   </screen>
  </example>
  
  <example xml:id="attr-desc-list-search">
@@ -213,8 +220,9 @@
   attribute list after the filter to return the attributes associated with
   a particular object class.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen @person
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen @person</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
@@ -223,7 +231,8 @@
cn: Barbara Jensen
cn: Babs Jensen
telephoneNumber: +1 408 555 1862
sn: Jensen</screen>
sn: Jensen</computeroutput>
   </screen>
  </example>
  <example xml:id="escape-characters-in-filter">
@@ -259,10 +268,13 @@
   <para>The following example shows a filter with escaped characters matching
   an actual value.</para>
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com
 "(description=\28*\5c*\2a\29)" description
dn: uid=bjensen,ou=People,dc=example,dc=com
description: (A \great\ description*)</screen>
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com \
 "(description=\28*\5c*\2a\29)" description</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
description: (A \great\ description*)</computeroutput>
   </screen>
  </example>
  <example xml:id="extensible-match-search"><?dbfo keep-together="auto"?>
@@ -273,8 +285,9 @@
   you can do with standard LDAP. One specific matching rule of this type that
   OpenDJ supports is the generalized time based "later than" and "earlier
   than" matching rules. See the example, <link
   xlink:role="http://docbook.org/xlink/role/olink"
   xlink:href="admin-guide#extensible-match-index-example"><citetitle>Configure
    xlink:show="new"
    xlink:role="http://docbook.org/xlink/role/olink"
    xlink:href="admin-guide#extensible-match-index-example"><citetitle>Configure
   an Extensible Match Index</citetitle></link>, showing how to build an index
   for these matching rules.</para>
@@ -284,10 +297,11 @@
   <para>First set up an attribute to store a last login timestamp.
   You can do this by adding a schema file for the attribute.</para>
   <screen>$ ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
   <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: cn=schema
changetype: modify
@@ -301,12 +315,11 @@
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation
  X-ORIGIN 'OpenDJ example documentation' )
  X-ORIGIN 'OpenDJ example documentation' )</userinput>
Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema
</screen>
<computeroutput>Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema</computeroutput>
   </screen>
   <para>Configure the applicable password policy to write the last login
   timestamp when a user authenticates. The following command configures the
@@ -314,32 +327,36 @@
   to the <literal>lastLoginTime</literal> operational attribute on the user's
   entry.</para>
   <screen>$ dsconfig
 set-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set last-login-time-attribute:lastLoginTime
 --set last-login-time-format:"yyyyMMddHH'Z'"
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set last-login-time-attribute:lastLoginTime \
 --set last-login-time-format:"yyyyMMddHH'Z'" \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>Wait a while for users to authenticate again (or test it yourself) so
   that OpenDJ writes the timestamps. The following search then returns users
   who have authenticated in the last three months (13 weeks) after you
   configured OpenDJ to keep the last login timestamps.</para>
   <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 "(lastLoginTime:1.3.6.1.4.1.26027.1.4.6:=13w)" mail
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(lastLoginTime:1.3.6.1.4.1.26027.1.4.6:=13w)" mail</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mail: bjensen@example.com
dn: uid=kvaughan,ou=People,dc=example,dc=com
mail: kvaughan@example.com</screen>
mail: kvaughan@example.com</computeroutput>
   </screen>
  </example>
  <example xml:id="localized-search"><?dbfo keep-together="auto"?>
@@ -356,15 +373,17 @@
   <command>base64</command> command provided with OpenDJ directory server to
   decode the attribute value.</para>
   <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 "(givenName:fr:=Fréderique)" cn\;lang-fr
dn: uid=fdupont,ou=People,dc=example,dc=com
cn;lang-fr:: RnJlZMOpcmlxdWUgRHVwb250
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(givenName:fr:=Fréderique)" cn\;lang-fr</userinput>
<computeroutput>dn: uid=fdupont,ou=People,dc=example,dc=com
cn;lang-fr:: RnJlZMOpcmlxdWUgRHVwb250</computeroutput>
$ base64 decode -d RnJlZMOpcmlxdWUgRHVwb250
Fredérique Dupont</screen>
$ <userinput>base64 decode -d RnJlZMOpcmlxdWUgRHVwb250</userinput>
<computeroutput>Fredérique Dupont</computeroutput>
   </screen>
   <itemizedlist>
    <para>At the end of the OID or language subtype, you further specify the
@@ -408,17 +427,19 @@
   <para>In this example, Kirsten Vaughan checks whether the hashed password
   value matches the stored value on <literal>authPassword</literal>.</para>
   <screen>$ <userinput>ldapcompare
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 'authPassword:MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q=='
   <screen>
$ <userinput>ldapcompare \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 'authPassword:MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q==' \
 uid=kvaughan,ou=people,dc=example,dc=com</userinput>
Comparing type authPassword with value
<computeroutput>Comparing type authPassword with value
 MD5$dFHgpDxXUT8=$qlC4xMXvmVlusJLz9/WJ5Q== in entry
 uid=kvaughan,ou=people,dc=example,dc=com
Compare operation returned true for entry
 uid=kvaughan,ou=people,dc=example,dc=com</screen>
 uid=kvaughan,ou=people,dc=example,dc=com</computeroutput>
   </screen>
  </example>
 </section>
 
@@ -439,8 +460,9 @@
   <example xml:id="add-two-users">
   <title>Add: Two New Users</title>
   
   <screen>$ cat new-users.ldif
dn: cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
   <screen>
$ <userinput>cat new-users.ldif</userinput>
<computeroutput>dn: cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
objectClass: person
objectClass: top
cn: Arsene Lupin
@@ -452,20 +474,21 @@
objectClass: top
cn: Horace Velmont
telephoneNumber: +33 1 12 23 34 45
sn: Velmont
sn: Velmont</computeroutput>
$ ldapmodify
 --defaultAdd
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --filename new-users.ldif
Processing ADD request for cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
$ <userinput>ldapmodify \
 --defaultAdd \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --filename new-users.ldif</userinput>
<computeroutput>Processing ADD request for cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN
 cn=Arsene Lupin,ou=Special Users,dc=example,dc=com
Processing ADD request for cn=Horace Velmont,ou=Special Users,dc=example,dc=com
ADD operation successful for DN
 cn=Horace Velmont,ou=Special Users,dc=example,dc=com</screen>
 cn=Horace Velmont,ou=Special Users,dc=example,dc=com</computeroutput>
   </screen>
  </example> 
 </section>
@@ -482,22 +505,24 @@
   <para>The following example adds a description and JPEG photo to Sam
   Carter's entry.</para>
   
   <screen>$ cat scarter-mods.ldif
dn: uid=scarter,ou=people,dc=example,dc=com
   <screen>
$ <userinput>cat scarter-mods.ldif</userinput>
<computeroutput>dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
add: description
description: Accounting Manager
-
add: jpegphoto
jpegphoto:&lt;file:///tmp/Samantha-Carter.jpg
jpegphoto:&lt;file:///tmp/Samantha-Carter.jpg</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --filename scarter-mods.ldif
Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --filename scarter-mods.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com</computeroutput>
   </screen>
  </example>
  <example xml:id="modify-replace-attribute">
@@ -506,19 +531,21 @@
   <para>The following example replaces the description on Sam Carter's
   entry.</para>
   
   <screen>$ cat scarter-newdesc.ldif
dn: uid=scarter,ou=people,dc=example,dc=com
   <screen>
$ <userinput>cat scarter-newdesc.ldif</userinput>
<computeroutput>dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
replace: description
description: Accounting Director
description: Accounting Director</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --filename scarter-newdesc.ldif
Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --filename scarter-newdesc.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com</computeroutput>
   </screen>
  </example>
  <example xml:id="modify-delete-attribute">
@@ -527,18 +554,20 @@
   <para>The following example deletes the JPEG photo on Sam Carter's
   entry.</para>
   
   <screen>$ cat /path/to/scarter-deljpeg.ldif
dn: uid=scarter,ou=people,dc=example,dc=com
   <screen>
$ <userinput>cat /path/to/scarter-deljpeg.ldif</userinput>
<computeroutput>dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modify
delete: jpegphoto
delete: jpegphoto</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --filename scarter-deljpeg.ldif
Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --filename scarter-deljpeg.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=scarter,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=scarter,ou=people,dc=example,dc=com</computeroutput>
   </screen>
  </example>
   <example xml:id="modify-optimistic-concurrency"><?dbfo keep-together="auto"?>
@@ -597,27 +626,29 @@
    ETag value has changed. Your application tries the equivalent of the
    following commands with Bob's updates.</para>
    <screen>$ cat /path/to/bobs.ldif
dn: uid=bjensen,ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat /path/to/bobs.ldif</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: l
l: Grenoble
-
add: description
description: Employee of the Month
description: Employee of the Month</computeroutput>
$ ldapmodify
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --port 1389
 --filename /path/to/bobs.ldif
 --assertionFilter "(ETag=000000007a1999df)"
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
$ <userinput>ldapmodify \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --port 1389 \
 --filename /path/to/bobs.ldif \
 --assertionFilter "(ETag=000000007a1999df)"</userinput>
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation failed
Result Code:  122 (Assertion Failed)
Additional Information:  Entry uid=bjensen,ou=People,dc=example,dc=com
 cannot be modified because the request contained an LDAP assertion control
 and the associated filter did not match the contents of the that entry</screen>
 and the associated filter did not match the contents of the that entry</computeroutput>
    </screen>
    <para>Your application therefore reloads Babs's entry, also getting the new
    ETag value, <literal>00000000aec2c1e9</literal>, and lets Bob try again.
@@ -659,23 +690,25 @@
    attributes to <literal>mail</literal> attributes. First, configure the
    attribute cleanup plugin to rename the inbound attribute.</para>
    
    <screen>$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --type attribute-cleanup
 --plugin-name "Rename email to mail"
 --set enabled:true
 --set rename-inbound-attributes:email:mail
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --type attribute-cleanup \
 --plugin-name "Rename email to mail" \
 --set enabled:true \
 --set rename-inbound-attributes:email:mail \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    
    <para>Next, see that it works as expected.</para>
    
    <screen>$ cat email.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
    <screen>$ <userinput>cat email.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
@@ -685,19 +718,21 @@
sn: User
ou: People
email: newuser@example.com
userPassword: changeme
userPassword: changeme</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename email.ldif
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com
$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=newuser mail
dn: uid=newuser,ou=People,dc=example,dc=com
mail: newuser@example.com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename email.ldif</userinput>
<computeroutput>Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=newuser mail</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
mail: newuser@example.com</computeroutput>
    </screen>
   </example>
   
   <example xml:id="attr-cleanup-remove">
@@ -709,26 +744,29 @@
    and <literal>modifyTimestamp</literal> attributes. First, set up the
    attribute cleanup plugin.</para>
    
    <screen>$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --type attribute-cleanup
 --plugin-name "Remove attrs"
 --set enabled:true
 --set remove-inbound-attributes:creatorsName
 --set remove-inbound-attributes:createTimestamp
 --set remove-inbound-attributes:modifiersName
 --set remove-inbound-attributes:modifyTimestamp
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --type attribute-cleanup \
 --plugin-name "Remove attrs" \
 --set enabled:true \
 --set remove-inbound-attributes:creatorsName \
 --set remove-inbound-attributes:createTimestamp \
 --set remove-inbound-attributes:modifiersName \
 --set remove-inbound-attributes:modifyTimestamp \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    
    <para>Next, see that it works as expected.</para>
    
    <screen>$ cat badattrs.ldif
dn: uid=badattr,ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat badattrs.ldif</userinput>
<computeroutput>dn: uid=badattr,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
@@ -742,18 +780,19 @@
creatorsName: cn=Bad Attr
createTimestamp: Never in a million years.
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
modifyTimestamp: 20110930164937Z
modifyTimestamp: 20110930164937Z</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename badattrs.ldif
Processing ADD request for uid=badattr,ou=People,dc=example,dc=com
ADD operation successful for DN uid=badattr,ou=People,dc=example,dc=com
$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=badattr +
dn: uid=badattr,ou=People,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename badattrs.ldif</userinput>
<computeroutput>Processing ADD request for uid=badattr,ou=People,dc=example,dc=com
ADD operation successful for DN uid=badattr,ou=People,dc=example,dc=com</computeroutput>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=badattr +</userinput>
<computeroutput>dn: uid=badattr,ou=People,dc=example,dc=com
numSubordinates: 0
structuralObjectClass: inetOrgPerson
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config
@@ -763,7 +802,8 @@
entryUUID: 35e5cb0e-e929-49d8-a50f-2df036d60db9
pwdChangedTime: 20110930165959.135Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
createTimestamp: 20110930165959Z</screen>
createTimestamp: 20110930165959Z</computeroutput>
    </screen>
   </example>
  </section>
@@ -794,8 +834,9 @@
    be removed. (Setting <literal>deleteoldrdn: 0</literal> instead would
    preserve <literal>uid: scarter</literal> on the entry.)</para>
    
    <screen>$ cat /path/to/scarter-sjensen.ldif
dn: uid=scarter,ou=people,dc=example,dc=com
    <screen>
$ <userinput>cat /path/to/scarter-sjensen.ldif</userinput>
<computeroutput>dn: uid=scarter,ou=people,dc=example,dc=com
changetype: modrdn
newrdn: uid=sjensen
deleteoldrdn: 1
@@ -812,17 +853,18 @@
homeDirectory: /home/sjensen
-
replace: mail
mail: sjensen@example.com
mail: sjensen@example.com</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --filename /path/to/scarter-sjensen.ldif
Processing MODIFY DN request for uid=scarter,ou=people,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --filename /path/to/scarter-sjensen.ldif</userinput>
<computeroutput>Processing MODIFY DN request for uid=scarter,ou=people,dc=example,dc=com
MODIFY DN operation successful for DN uid=scarter,ou=people,dc=example,dc=com
Processing MODIFY request for uid=sjensen,ou=people,dc=example,dc=com
MODIFY operation successful for DN uid=sjensen,ou=people,dc=example,dc=com</screen>
MODIFY operation successful for DN uid=sjensen,ou=people,dc=example,dc=com</computeroutput>
    </screen>
   </example>
  </section>
@@ -857,59 +899,65 @@
    old RDNs, in this case <literal>uid</literal> attribute values, should
    be preserved.</para>
    
    <screen>$ cat move-customers.ldif
dn: ou=Customers,dc=example,dc=com
    <screen>
$ <userinput>cat move-customers.ldif</userinput>
<computeroutput>dn: ou=Customers,dc=example,dc=com
changetype: modrdn
newrdn: ou=People
deleteoldrdn: 1
newsuperior: dc=example,dc=com
newsuperior: dc=example,dc=com</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename move-customers.ldif
Processing MODIFY DN request for ou=Customers,dc=example,dc=com
MODIFY DN operation successful for DN ou=Customers,dc=example,dc=com
$ cat move-employees.pl
#!/usr/bin/perl -w
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename move-customers.ldif</userinput>
<computeroutput>Processing MODIFY DN request for ou=Customers,dc=example,dc=com
MODIFY DN operation successful for DN ou=Customers,dc=example,dc=com</computeroutput>
$ <userinput>cat move-employees.pl</userinput>
<computeroutput>#!/usr/bin/perl -w
# For each employee, construct a spec to move under ou=People.
while (&lt;&gt;)
while (&lt;>)
{
    # Next line folded for readability only. Should not be split.
    $_ =~ s/dn: (.*?)(,.*)/dn: $1$2\nchangetype: moddn\nnewrdn: $1\n
     deleteoldrdn: 0\nnewsuperior: ou=People,dc=example,dc=com/;
    print;
}
$ ldapsearch --port 1389 --baseDN ou=Employees,dc=example,dc=com uid=* - |
 move-employees.pl > /tmp/move-employees.ldif
$ head -n 6 /tmp/move-employees.ldif
dn: uid=abarnes,ou=Employees,dc=example,dc=com
}</computeroutput>
$ <userinput>ldapsearch --port 1389 --baseDN ou=Employees,dc=example,dc=com uid=* - \
 | move-employees.pl > /tmp/move-employees.ldif</userinput>
$ <userinput>head -n 6 /tmp/move-employees.ldif</userinput>
<computeroutput>dn: uid=abarnes,ou=Employees,dc=example,dc=com
changetype: moddn
newrdn: uid=abarnes
deleteoldrdn: 0
newsuperior: ou=People,dc=example,dc=com
newsuperior: ou=People,dc=example,dc=com</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename /tmp/move-employees.ldif
Processing MODIFY DN request for uid=abarnes,ou=Employees,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename /tmp/move-employees.ldif</userinput>
<computeroutput>Processing MODIFY DN request for uid=abarnes,ou=Employees,dc=example,dc=com
MODIFY DN operation successful for DN uid=abarnes,ou=Employees,dc=example,dc=com
Processing MODIFY DN request for uid=abergin,ou=Employees,dc=example,dc=com
MODIFY DN operation successful for DN uid=abergin,ou=Employees,dc=example,dc=com
...
Processing MODIFY DN request for uid=wlutz,ou=Employees,dc=example,dc=com
MODIFY DN operation successful for DN uid=wlutz,ou=Employees,dc=example,dc=com
$ ldapdelete
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 ou=Employees,dc=example,dc=com
Processing DELETE request for ou=Employees,dc=example,dc=com
DELETE operation successful for DN ou=Employees,dc=example,dc=com</screen>
MODIFY DN operation successful for DN uid=wlutz,ou=Employees,dc=example,dc=com</computeroutput>
$ <userinput>ldapdelete \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 ou=Employees,dc=example,dc=com</userinput>
<computeroutput>Processing DELETE request for ou=Employees,dc=example,dc=com
DELETE operation successful for DN ou=Employees,dc=example,dc=com</computeroutput>
    </screen>
   </example>
  </section>
@@ -925,13 +973,15 @@
    <para>The following example uses the subtree delete option to remove
    all Special Users from the directory.</para>
    
    <screen>$ ldapdelete
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --deleteSubtree "ou=Special Users,dc=example,dc=com"
Processing DELETE request for ou=Special Users,dc=example,dc=com
DELETE operation successful for DN ou=Special Users,dc=example,dc=com</screen>
    <screen>
$ <userinput>ldapdelete \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --deleteSubtree "ou=Special Users,dc=example,dc=com"</userinput>
<computeroutput>Processing DELETE request for ou=Special Users,dc=example,dc=com
DELETE operation successful for DN ou=Special Users,dc=example,dc=com</computeroutput>
    </screen>
   </example>
  </section>
 </section>
@@ -953,14 +1003,16 @@
   password. Kirsten has the appropriate privilege to reset Sam's
   password.</para>
   
   <screen>$ ldappasswordmodify
 --useStartTLS
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --authzID "dn:uid=scarter,ou=people,dc=example,dc=com"
 --newPassword ChangeMe
The LDAP password modify operation was successful</screen>
   <screen>
$ <userinput>ldappasswordmodify \
 --useStartTLS \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --authzID "dn:uid=scarter,ou=people,dc=example,dc=com" \
 --newPassword ChangeMe</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
   </screen>
   <tip>
    <para>
@@ -997,8 +1049,10 @@
     with an authorization ID but without performing a bind,
     or use proxied authorization.
     For instructions on using proxied authorization, see the section on
     <link xlink:href="admin-guide#proxied-authz"
           xlink:role="http://docbook.org/xlink/role/olink"
     <link
      xlink:show="new"
      xlink:href="admin-guide#proxied-authz"
      xlink:role="http://docbook.org/xlink/role/olink"
     ><citetitle>Configuring Proxied Authorization</citetitle></link>.
    </para>
   </tip>
@@ -1007,13 +1061,14 @@
   but <command>set-password-is-reset</command> is a hidden option, supported
   only for testing.</para>
   
   <screen>$ manage-account
 set-password-is-reset
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --targetDN uid=scarter,ou=people,dc=example,dc=com
 --operationValue true
Password Is Reset:  true</screen>
   <screen>
$ <userinput>manage-account \
 set-password-is-reset \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --targetDN uid=scarter,ou=people,dc=example,dc=com \
 --operationValue true</userinput>
<computeroutput>Password Is Reset:  true</computeroutput></screen>
  </example>
  
  <example xml:id="change-own-password">
@@ -1022,22 +1077,26 @@
   <para>You can use the <command>ldappasswordmodify</command> command to
   change your password, as long as you know your current password.</para>
   
   <screen>$ ldappasswordmodify
 --port 1389
 --authzID "dn:uid=bjensen,ou=people,dc=example,dc=com"
 --currentPassword hifalutin
 --newPassword secret12
The LDAP password modify operation was successful</screen>
   <screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --authzID "dn:uid=bjensen,ou=people,dc=example,dc=com" \
 --currentPassword hifalutin \
 --newPassword secret12</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
   </screen>
   
   <para>The same operation works for <literal>cn=Directory
   Manager</literal>.</para>
   
   <screen>$ ldappasswordmodify
 --port 1389
 --authzID "dn:cn=Directory Manager"
 --currentPassword password
 --newPassword secret12
The LDAP password modify operation was successful</screen>
   <screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --authzID "dn:cn=Directory Manager" \
 --currentPassword password \
 --newPassword secret12</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
   </screen>
  </example>
  <example xml:id="non-ascii-password">
@@ -1046,26 +1105,29 @@
   <para>OpenDJ expects passwords to be UTF-8 encoded (base64 encoded when
   included in LDIF).</para>
   <screen>$ echo $LANG
en_US.utf8
$ ldappasswordmodify
 --port 1389
 --bindDN uid=bjensen,ou=People,dc=example,dc=com
 --bindPassword hifalutin
 --currentPassword hifalutin
 --newPassword pàsswȏrd
The LDAP password modify operation was successful
$ ldapsearch
 --port 1389
 --bindDN uid=bjensen,ou=People,dc=example,dc=com
 --bindPassword pàsswȏrd
 --baseDN dc=example,dc=com
 "(uid=bjensen)" cn
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>echo $LANG</userinput>
<computeroutput>en_US.utf8</computeroutput>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword hifalutin \
 --currentPassword hifalutin \
 --newPassword pàsswȏrd</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN uid=bjensen,ou=People,dc=example,dc=com \
 --bindPassword pàsswȏrd \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" cn</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}k0eEeCxj9YRXUp8yJn0Z/mwqe+wrcFb1N1gg2g==
cn: Barbara Jensen
cn: Babs Jensen
</screen>
cn: Babs Jensen</computeroutput>
   </screen>
  </example>
 </section>
@@ -1165,18 +1227,20 @@
  to read her password.) Notice the authentication ID is her user ID,
  <literal>u:bjensen</literal>, rather than the DN of her entry.</para>
  <screen>$ ldapsearch
 --port 1389
 --useStartTLS
 --baseDN dc=example,dc=com
 --saslOption mech=PLAIN
 --saslOption authid=u:bjensen
 --bindPassword hifalutin
 "(cn=Babs Jensen)" cn userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --useStartTLS \
 --baseDN dc=example,dc=com \
 --saslOption mech=PLAIN \
 --saslOption authid=u:bjensen \
 --bindPassword hifalutin \
 "(cn=Babs Jensen)" cn userPassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==</screen>
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==</computeroutput>
  </screen>
  <para>The Exact Match identity mapper searches for a match between the string
  provided (here, <literal>bjensen</literal>) and the value of a specified
@@ -1185,38 +1249,42 @@
  exact match identity mapper for email addresses, and then use that for PLAIN
  SASL authentication as in the following example.</para>
  <screen>$ dsconfig
 create-identity-mapper
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --mapper-name "Email Mapper"
 --type exact-match
 --set match-attribute:mail
 --set enabled:true
 --no-prompt
$ dsconfig
 set-sasl-mechanism-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name PLAIN
 --set identity-mapper:"Email Mapper"
 --no-prompt
$ ldapsearch
 --port 1389
 --useStartTLS
 --baseDN dc=example,dc=com
 --saslOption mech=PLAIN
 --saslOption authid=u:bjensen@example.com
 --bindPassword hifalutin
 "(cn=Babs Jensen)" cn userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>dsconfig \
 create-identity-mapper \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --mapper-name "Email Mapper" \
 --type exact-match \
 --set match-attribute:mail \
 --set enabled:true \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-sasl-mechanism-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name PLAIN \
 --set identity-mapper:"Email Mapper" \
 --no-prompt</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --useStartTLS \
 --baseDN dc=example,dc=com \
 --saslOption mech=PLAIN \
 --saslOption authid=u:bjensen@example.com \
 --bindPassword hifalutin \
 "(cn=Babs Jensen)" cn userPassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==</screen>
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==</computeroutput>
  </screen>
  <para>The Regular Expression identity mapper uses a regular expression to
  extract a substring from the string provided, and then searches for a match
@@ -1228,27 +1296,30 @@
  <literal>^([^@]+)@.+$</literal>, and the part of the identity string matching
  <literal>([^@]+)</literal> is used to find the entry by user ID.</para>
  <screen>$ dsconfig
 set-sasl-mechanism-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name PLAIN
 --set identity-mapper:"Regular Expression"
 --no-prompt
$ ldapsearch
 --port 1389
 --useStartTLS
 --baseDN dc=example,dc=com
 --saslOption mech=PLAIN
 --saslOption authid=u:bjensen@example.com
 --bindPassword hifalutin
 "(cn=Babs Jensen)" cn userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>dsconfig \
 set-sasl-mechanism-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name PLAIN \
 --set identity-mapper:"Regular Expression" \
 --no-prompt</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --useStartTLS \
 --baseDN dc=example,dc=com \
 --saslOption mech=PLAIN \
 --saslOption authid=u:bjensen@example.com \
 --bindPassword hifalutin \
 "(cn=Babs Jensen)" cn userPassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==</screen>
userPassword: {SSHA}7S4Si+vPE513cYQ7otiqb8hjiCzU7XNTv0RPBA==</computeroutput>
  </screen>
  <para>Try the <command>dsconfig</command> command interactively to experiment
  with <literal>match-pattern</literal> and <literal>replace-pattern</literal>
@@ -1286,48 +1357,59 @@
   <title>To Set Up Proxied Authorization</title>
   <step>
    <para>Grant access to applications that can use proxied authorization.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: dc=example,dc=com
changetype: modify
add: aci
aci: (target="ldap:///dc=example,dc=com") (targetattr ="*
 ")(version 3.0; acl "Allow apps proxied auth"; allow(all, proxy
 )(userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");)
 )(userdn = "ldap:///cn=*,ou=Apps,dc=example,dc=com");)</userinput>
Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com</screen>
<computeroutput>Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Grant the privilege to use proxied authorization to My App.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: cn=My App,ou=Apps,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: proxied-auth
ds-privilege-name: proxied-auth</userinput>
Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com</screen>
<computeroutput>Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Test that My App can use proxied authorization.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=My App,ou=Apps,dc=example,dc=com"
 --bindPassword password
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=My App,ou=Apps,dc=example,dc=com" \
 --bindPassword password \
 --proxyAs "dn:uid=kvaughan,ou=People,dc=example,dc=com"
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Changed through proxied auth
description: Changed through proxied auth</userinput>
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -1386,14 +1468,16 @@
    <para>Create a certificate using the DN of the client entry as the
    distinguished name string.</para>
    <screen>$ keytool
 -genkey
 -alias myapp-cert
 -keyalg rsa
 -dname "cn=My App,ou=Apps,dc=example,dc=com"
 -keystore keystore
 -storepass changeit
 -keypass changeit</screen>
    <screen>
$ <userinput>keytool \
 -genkey \
 -alias myapp-cert \
 -keyalg rsa \
 -dname "cn=My App,ou=Apps,dc=example,dc=com" \
 -keystore keystore \
 -storepass changeit \
 -keypass changeit</userinput>
    </screen>
   </step>
   <step>
@@ -1402,13 +1486,15 @@
    <para>If you cannot get the certificate signed by a Certificate Authority,
    self-sign the certificate.</para>
    <screen>$ keytool
 -selfcert
 -alias myapp-cert
 -validity 7300
 -keystore keystore
 -storepass changeit
 -keypass changeit</screen>
    <screen>
$ <userinput>keytool \
 -selfcert \
 -alias myapp-cert \
 -validity 7300 \
 -keystore keystore \
 -storepass changeit \
 -keypass changeit</userinput>
    </screen>
   </step>
   <step>
@@ -1417,13 +1503,15 @@
    <para>Later in this procedure you update the client application entry with
    the MD5 fingerprint, which in this example is
    <literal>48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37</literal>.</para>
    <screen>$ keytool
 -list
 -v
 -alias myapp-cert
 -keystore keystore
 -storepass changeit
Alias name: myapp-cert
    <screen>
$ <userinput>keytool \
 -list \
 -v \
 -alias myapp-cert \
 -keystore keystore \
 -storepass changeit</userinput>
<computeroutput>Alias name: myapp-cert
Creation date: Jan 18, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 1
@@ -1433,11 +1521,11 @@
Serial number: 5ae2277
Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
Certificate fingerprints:
     MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
     SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
     SHA256: 2D:B1:58:CD:33:40:E9:...:FD:61:EA:C9:FF:6A:19:93:FE:E4:84:E3
     Signature algorithm name: SHA256withRSA
     Version: 3
  MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
  SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
  SHA256: 2D:B1:58:CD:33:40:E9:...:FD:61:EA:C9:FF:6A:19:93:FE:E4:84:E3
  Signature algorithm name: SHA256withRSA
  Version: 3
Extensions:
@@ -1447,20 +1535,23 @@
0000: 54 C0 C5 9C 73 37 85 4B   F2 3B D3 37 FD 45 0A AB  T...s7.K.;.7.E..
0010: C9 6B 32 95                                        .k2.
]
]</screen>
]</computeroutput>
    </screen>
   </step>
   <step>
    <para>Export the certificate to a file in binary format.</para>
    <screen>$ keytool
 -export
 -alias myapp-cert
 -keystore keystore
 -storepass changeit
 -keypass changeit
 -file myapp-cert.crt
Certificate stored in file &lt;/path/to/myapp-cert.crt&gt;</screen>
    <screen>
$ <userinput>keytool \
 -export \
 -alias myapp-cert \
 -keystore keystore \
 -storepass changeit \
 -keypass changeit \
 -file myapp-cert.crt</userinput>
<computeroutput>Certificate stored in file &lt;/path/to/myapp-cert.crt&gt;</computeroutput>
    </screen>
   </step>
   <step>
@@ -1477,8 +1568,9 @@
    <para>If you want to map the certificate subject DN to an attribute of the
    entry, use <literal>ds-certificate-subject-dn</literal>.</para>
    <screen>$ cat addcert.ldif
dn: cn=My App,ou=Apps,dc=example,dc=com
    <screen>
$ <userinput>cat addcert.ldif</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com
changetype: modify
add: objectclass
objectclass: ds-certificate-user
@@ -1490,27 +1582,29 @@
ds-certificate-subject-dn: CN=My App, OU=Apps, DC=example, DC=com
-
add: userCertificate;binary
userCertificate;binary:&lt;file:///path/to/myapp-cert.crt
userCertificate;binary:&lt;file:///path/to/myapp-cert.crt</computeroutput>
$ ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename addcert.ldif
Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename addcert.ldif</userinput>
<computeroutput>Processing MODIFY request for cn=My App,ou=Apps,dc=example,dc=com
MODIFY operation successful for DN cn=My App,ou=Apps,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check your work.</para>
    <screen>$ ldapsearch
    <screen>
$ <userinput>ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 "(cn=My App)"
dn: cn=My App,ou=Apps,dc=example,dc=com
 "(cn=My App)"</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com
ds-certificate-fingerprint: 4B:F5:CF:2C:2D:B3:86:14:FF:43:A8:37:17:DD:E7:55
userCertificate;binary:: MIIDOzCCAiOgAwIBAgIESfC6IjANBgkqhkiG9w0BAQsFADBOMRMwEQY
 KCZImiZPyLGQBGRYDY29tMRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTENMAsGA1UECxMEQXBwczEPMA
@@ -1534,7 +1628,8 @@
objectClass: top
ds-certificate-subject-dn: CN=My App, OU=Apps, DC=example, DC=com
cn: My App
sn: App</screen>
sn: App</computeroutput>
    </screen>
   </step>
   <step>
@@ -1546,22 +1641,23 @@
    connection. If OpenDJ cannot trust the client certificate, it cannot
    establish a secure connection.</para>
    <screen>$ keytool
 -import
 -alias myapp-cert
 -file /path/to/myapp-cert.crt
 -keystore /path/to/opendj/config/truststore
 -storepass `cat /path/to/opendj/config/keystore.pin`
Owner: CN=My App, OU=Apps, DC=example, DC=com
    <screen>
$ <userinput>keytool \
 -import \
 -alias myapp-cert \
 -file /path/to/myapp-cert.crt \
 -keystore /path/to/opendj/config/truststore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
<computeroutput>Owner: CN=My App, OU=Apps, DC=example, DC=com
Issuer: CN=My App, OU=Apps, DC=example, DC=com
Serial number: 5ae2277
Valid from: Fri Jan 18 18:27:09 CET 2013 until: Thu Jan 13 18:27:09 CET 2033
Certificate fingerprints:
     MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
     SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
     SHA256: 2D:B1:58:CD:33:40:E9:...:FD:61:EA:C9:FF:6A:19:93:FE:E4:84:E3
     Signature algorithm name: SHA256withRSA
     Version: 3
  MD5:  48:AC:F9:13:11:E0:AB:C4:65:A2:83:9E:DB:FE:0C:37
  SHA1: F9:61:54:37:AA:C1:BC:92:45:07:64:4B:23:6C:BC:C9:CD:1D:44:0F
  SHA256: 2D:B1:58:CD:33:40:E9:...:FD:61:EA:C9:FF:6A:19:93:FE:E4:84:E3
  Signature algorithm name: SHA256withRSA
  Version: 3
Extensions:
@@ -1573,8 +1669,9 @@
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>
   </step>
   <step>
@@ -1583,30 +1680,34 @@
     <para><filename>$JAVA_HOME/jre/lib/security/cacerts</filename> holds the
     certificates for many CAs. To get the full list, use the following
     command.</para>
     <screen>$ keytool
 -list
 -v
 -keystore $JAVA_HOME/jre/lib/security/cacerts
 -storepass changeit</screen></footnote>, import the CA certificate either
     <screen>
$ <userinput>keytool \
 -list \
 -v \
 -keystore $JAVA_HOME/jre/lib/security/cacerts \
 -storepass changeit</userinput>
     </screen></footnote>, import the CA certificate either
     into the Java runtime environment trust store, or into the OpenDJ trust
     store as shown in the following example.</para>
    <screen>$ keytool
 -import
 -alias ca-cert
 -file ca.crt
 -keystore /path/to/opendj/config/truststore
 -storepass `cat /path/to/opendj/config/keystore.pin`
Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
    <screen>
$ <userinput>keytool \
 -import \
 -alias ca-cert \
 -file ca.crt \
 -keystore /path/to/opendj/config/truststore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
<computeroutput>Owner: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
Issuer: EMAILADDRESS=admin@example.com, CN=Example CA, O=Example Corp, C=FR
Serial number: d4586ea05c878b0c
Valid from: Tue Jan 29 09:30:31 CET 2013 until: Mon Jan 24 09:30:31 CET 2033
Certificate fingerprints:
     MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
     SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
     SHA256: 5D:20:F1:86:CC:CD:64:50:1E:54:...:DF:15:43:07:69:44:00:FB:36:CF
     Signature algorithm name: SHA1withRSA
     Version: 3
  MD5:  8A:83:61:9B:E7:18:A2:21:CE:92:94:96:59:68:60:FA
  SHA1: 01:99:18:38:3A:57:D7:92:7B:D6:03:8C:7B:E4:1D:37:45:0E:29:DA
  SHA256: 5D:20:F1:86:CC:CD:64:50:1E:54:...:DF:15:43:07:69:44:00:FB:36:CF
  Signature algorithm name: SHA1withRSA
  Version: 3
Extensions:
@@ -1634,8 +1735,9 @@
]
]
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>
   </step>
   <step>
@@ -1643,10 +1745,12 @@
    OpenDJ to make sure it reads the updated trust store and can recognize the
    certificate.</para>
    <screen>$ stop-ds --restart
Stopping Server...
    <screen>
$ <userinput>stop-ds --restart</userinput>
<computeroutput>Stopping Server...
...
... The Directory Server has started successfully</screen>
... The Directory Server has started successfully</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -1705,52 +1809,59 @@
   <step>
    <para>List the certificate mappers to retrieve the correct name.</para>
    <screen width="83">$ dsconfig
 list-certificate-mappers
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
    <screen width="83">
$ <userinput>dsconfig \
 list-certificate-mappers \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>
Certificate Mapper                  : Type                                : enabled
------------------------------------:-------------------------------------:--------
Fingerprint Mapper                  : fingerprint                         : true
Subject Attribute to User Attribute : subject-attribute-to-user-attribute : true
Subject DN to User Attribute        : subject-dn-to-user-attribute        : true
Subject Equals DN                   : subject-equals-dn                   : true</screen>
Subject Equals DN                   : subject-equals-dn                   : true
</computeroutput>
    </screen>
   </step>
   <step>
    <para>Examine the current configuration.</para>
    <screen>$ dsconfig
 get-certificate-mapper-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --mapper-name "Fingerprint Mapper"
    <screen>
$ <userinput>dsconfig \
 get-certificate-mapper-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --mapper-name "Fingerprint Mapper"</userinput>
<computeroutput>
Property              : Value(s)
----------------------:---------------------------
enabled               : true
fingerprint-algorithm : md5
fingerprint-attribute : ds-certificate-fingerprint
user-base-dn          : -</screen>
user-base-dn          : -</computeroutput>
    </screen>
   </step>
   <step>
    <para>Change the configuration as necessary.</para>
    <screen>$ dsconfig
 set-certificate-mapper-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --mapper-name "Fingerprint Mapper"
 --set fingerprint-algorithm:sha1
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-certificate-mapper-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --mapper-name "Fingerprint Mapper" \
 --set fingerprint-algorithm:sha1 \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
@@ -1761,15 +1872,17 @@
    to have OpenDJ set the authorization identifier based on the entry that
    matches the client certificate.</para>
    <screen>$ dsconfig
 set-sasl-mechanism-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name External
 --set certificate-mapper:"Fingerprint Mapper"
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-sasl-mechanism-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name External \
 --set certificate-mapper:"Fingerprint Mapper" \
 --no-prompt</userinput>
    </screen>
   </step>
  </procedure>
@@ -1786,8 +1899,10 @@
   as described above. Next, create a password .pin file for your client key
   store.</para>
   <screen>$ echo changeit &gt; keystore.pin
$ chmod 400 keystore.pin</screen>
   <screen>
$ <userinput>echo changeit > keystore.pin</userinput>
$ <userinput>chmod 400 keystore.pin</userinput>
   </screen>
   <para>Also, if OpenDJ directory server uses a certificate for StartTLS that
   was not signed by a well-known CA, import the appropriate certificate into
@@ -1795,140 +1910,153 @@
   if OpenDJ uses a self-signed certificate, import the server certificate into
   the key store.</para>
   <screen>$ keytool
 -export
 -alias server-cert
 -file server-cert.crt
 -keystore /path/to/opendj/config/keystore
 -storepass `cat /path/to/opendj/config/keystore.pin`
$ keytool
 -import
 -trustcacerts
 -alias server-cert
 -file server-cert.crt
 -keystore keystore
 -storepass `cat keystore.pin`</screen>
   <screen>
$ <userinput>keytool \
 -export \
 -alias server-cert \
 -file server-cert.crt \
 -keystore /path/to/opendj/config/keystore \
 -storepass `cat /path/to/opendj/config/keystore.pin`</userinput>
$ <userinput>keytool \
 -import \
 -trustcacerts \
 -alias server-cert \
 -file server-cert.crt \
 -keystore keystore \
 -storepass `cat keystore.pin`</userinput>
   </screen>
   <para>If OpenDJ directory server uses a CA-signed certificate, but the CA is
   not well known, import the CA certificate into your keystore.</para>
   <screen>$ keytool
 -import
 -trustcacerts
 -alias ca-cert
 -file ca-cert.crt
 -keystore keystore
 -storepass `cat keystore.pin`</screen>
   <screen>
$ <userinput>keytool \
 -import \
 -trustcacerts \
 -alias ca-cert \
 -file ca-cert.crt \
 -keystore keystore \
 -storepass `cat keystore.pin`</userinput>
   </screen>
   <para>Now that you can try the example, notice that OpenDJ does not return
   the <literal>userPassword</literal> value for an anonymous search.</para>
   <screen>$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 --useStartTLS
 --trustStorePath keystore
 --trustStorePasswordFile keystore.pin
 "(cn=My App)" userPassword
dn: cn=My App,ou=Apps,dc=example,dc=com
</screen>
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 --useStartTLS \
 --trustStorePath keystore \
 --trustStorePasswordFile keystore.pin \
 "(cn=My App)" userPassword</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com</computeroutput>
   </screen>
   <para>OpenDJ does let users read the values of their own
   <literal>userPassword</literal> attributes after they bind
   successfully.</para>
   <screen>$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 --useStartTLS
 --useSASLExternal
 --certNickName myapp-cert
 --keyStorePath keystore
 --keyStorePasswordFile keystore.pin
 --trustStorePath keystore
 --trustStorePasswordFile keystore.pin
 "(cn=My App)" userPassword
dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==</screen>
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 --useStartTLS \
 --useSASLExternal \
 --certNickName myapp-cert \
 --keyStorePath keystore \
 --keyStorePasswordFile keystore.pin \
 --trustStorePath keystore \
 --trustStorePasswordFile keystore.pin \
 "(cn=My App)" userPassword</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==</computeroutput>
   </screen>
   <para>You can also try the same test with other certificate mappers.</para>
   <screen># Fingerprint mapper
$ dsconfig
 set-sasl-mechanism-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name External
 --set certificate-mapper:"Fingerprint Mapper"
 --no-prompt
$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 --useStartTLS
 --useSASLExternal
 --certNickName myapp-cert
 --keyStorePath keystore
 --keyStorePasswordFile keystore.pin
 --trustStorePath keystore
 --trustStorePasswordFile keystore.pin
 "(cn=My App)" userPassword
dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==
   <screen>
# Fingerprint mapper
$ <userinput>dsconfig \
 set-sasl-mechanism-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name External \
 --set certificate-mapper:"Fingerprint Mapper" \
 --no-prompt</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 --useStartTLS \
 --useSASLExternal \
 --certNickName myapp-cert \
 --keyStorePath keystore \
 --keyStorePasswordFile keystore.pin \
 --trustStorePath keystore \
 --trustStorePasswordFile keystore.pin \
 "(cn=My App)" userPassword</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==</computeroutput>
# Subject Attribute to User Attribute mapper
$ dsconfig
 set-sasl-mechanism-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name External
 --set certificate-mapper:"Subject Attribute to User Attribute"
 --no-prompt
$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 --useStartTLS
 --useSASLExternal
 --certNickName myapp-cert
 --keyStorePath keystore
 --keyStorePasswordFile keystore.pin
 --trustStorePath keystore
 --trustStorePasswordFile keystore.pin
 "(cn=My App)" userPassword
dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==
$ <userinput>dsconfig \
 set-sasl-mechanism-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name External \
 --set certificate-mapper:"Subject Attribute to User Attribute" \
 --no-prompt</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 --useStartTLS \
 --useSASLExternal \
 --certNickName myapp-cert \
 --keyStorePath keystore \
 --keyStorePasswordFile keystore.pin \
 --trustStorePath keystore \
 --trustStorePasswordFile keystore.pin \
 "(cn=My App)" userPassword</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==</computeroutput>
# Subject DN to User Attribute mapper
$ dsconfig
 set-sasl-mechanism-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name External
 --set certificate-mapper:"Subject DN to User Attribute"
 --no-prompt
$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 --useStartTLS
 --useSASLExternal
 --certNickName myapp-cert
 --keyStorePath keystore
 --keyStorePasswordFile keystore.pin
 --trustStorePath keystore
 --trustStorePasswordFile keystore.pin
 "(cn=My App)" userPassword
dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==</screen>
$ <userinput>dsconfig \
 set-sasl-mechanism-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name External \
 --set certificate-mapper:"Subject DN to User Attribute" \
 --no-prompt</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 --useStartTLS \
 --useSASLExternal \
 --certNickName myapp-cert \
 --keyStorePath keystore \
 --keyStorePasswordFile keystore.pin \
 --trustStorePath keystore \
 --trustStorePasswordFile keystore.pin \
 "(cn=My App)" userPassword</userinput>
<computeroutput>dn: cn=My App,ou=Apps,dc=example,dc=com
userPassword: {SSHA}vy/vTthOQoV/wH3MciTOBKKR4OX+0dSN/a09Ew==</computeroutput>
   </screen>
  </example>
 </section>
</chapter>
opends/src/main/docbkx/admin-guide/chap-monitoring.xml
@@ -53,8 +53,9 @@
  xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
  >Evolving</link></para>
  <screen>$ ldapsearch --port 1389 --baseDN cn=monitor "(cn=userRoot backend)"
dn: cn=userRoot backend,cn=Disk Space Monitor,cn=monitor
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN cn=monitor "(cn=userRoot backend)"</userinput>
<computeroutput>dn: cn=userRoot backend,cn=Disk Space Monitor,cn=monitor
disk-state: normal
objectClass: top
objectClass: ds-monitor-entry
@@ -73,8 +74,8 @@
ds-backend-entry-count: 163
ds-backend-id: userRoot
ds-base-dn-entry-count: 163 dc=example,dc=com
ds-backend-base-dn: dc=example,dc=com
</screen>
ds-backend-base-dn: dc=example,dc=com</computeroutput>
  </screen>
  <para>You can set global ACIs on the Access Control Handler if you want
  to limit read access under <literal>cn=monitor</literal>.</para>
@@ -102,7 +103,9 @@
  <para>To run the OpenDMK installer, use the self-extracting .jar.</para>
  <screen>$ java -jar ~/Downloads/opendmk-1.0-b02-*.jar</screen>
  <screen>
$ <userinput>java -jar ~/Downloads/opendmk-1.0-b02-*.jar</userinput>
  </screen>
  <para>If you install under <filename>/path/to</filename>, then the runtime
  library needed for SNMP is
@@ -112,66 +115,74 @@
  for SNMP by enabling the connection handler, and pointing OpenDJ to your
  installation of the OpenDMK <filename>jdmkrt.jar</filename> library.</para>
  
  <screen>$ dsconfig
 set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "SNMP Connection Handler"
 --set enabled:true
 --set opendmk-jarfile:/path/to/OpenDMK-bin/lib/jdmkrt.jar
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SNMP Connection Handler" \
 --set enabled:true \
 --set opendmk-jarfile:/path/to/OpenDMK-bin/lib/jdmkrt.jar \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  
  <para>By default, the SNMP Connection Handler listens on port 161 and uses
  port 162 for traps. On UNIX and Linux systems, only root can normally open
  these ports. Therefore if you install as a normal user, you might want
  to change the listen and trap ports.</para>
  
  <screen>$ dsconfig
 set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "SNMP Connection Handler"
 --set listen-port:11161
 --set trap-port:11162
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SNMP Connection Handler" \
 --set listen-port:11161 \
 --set trap-port:11162 \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>Restart the SNMP Connection Handler to take the port number changes
  into account.</para>
  <para> To restart the connection handler, you disable it, then enable
  it again.</para>
  <screen>$ dsconfig
 set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "SNMP Connection Handler"
 --set enabled:false
 --trustAll
 --no-prompt
$ dsconfig
 set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "SNMP Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SNMP Connection Handler" \
 --set enabled:false \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SNMP Connection Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>Use a command such as <command>snmpwalk</command> to check that the
  SNMP listen port works.</para>
  <screen>$ snmpwalk -v 2c -c OpenDJ@OpenDJ localhost:11161
SNMPv2-SMI::mib-2.66.1.1.1.1 = STRING: "OpenDJ <?eval ${docTargetVersion}?>..."
  <screen>
$ <userinput>snmpwalk -v 2c -c OpenDJ@OpenDJ localhost:11161</userinput>
SNMPv2-SMI::mib-2.66.1.1.1.1 = STRING: "OpenDJ ${docTargetVersion}..."
SNMPv2-SMI::mib-2.66.1.1.2.1 = STRING: "/path/to/opendj"
...</screen>
@@ -192,31 +203,35 @@
  xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
  >Evolving</link></para>
  <screen>$ dsconfig
 set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "JMX Connection Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "JMX Connection Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>By default, no users have privileges to access the JMX connection. The
  following command adds JMX privileges for Directory Manager.</para>
  <screen>$ dsconfig
 set-root-dn-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --add default-root-privilege-name:jmx-notify
 --add default-root-privilege-name:jmx-read
 --add default-root-privilege-name:jmx-write
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-root-dn-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --add default-root-privilege-name:jmx-notify \
 --add default-root-privilege-name:jmx-read \
 --add default-root-privilege-name:jmx-write \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>You must also configure security to login remotely. See the section on
  <citetitle>Using SSL</citetitle> in <link
@@ -227,9 +242,11 @@
  <para>Alternatively, you can connect to a local server process by using the
  server process identifier.</para>
  <screen>$ cat ../logs/server.pid
3363
$ jvisualvm --openpid 3363 &amp;</screen>
  <screen>
$ <userinput>cat ../logs/server.pid</userinput>
<computeroutput>3363</computeroutput>
$ <userinput>jvisualvm --openpid 3363 &amp;</userinput>
  </screen>
 </section>
 <section xml:id="monitoring-status-and-tasks">
@@ -243,8 +260,9 @@
  
  <para>The <command>status</command> command takes administrative credentials
  to read the configuration, as does the Control Panel.</para>
  <screen>$ status --bindDN "cn=Directory Manager" --bindPassword password
  <screen>
$ <userinput>status --bindDN "cn=Directory Manager" --bindPassword password</userinput>
<computeroutput>
          --- Server Status ---
Server Run Status:        Started
Open Connections:         1
@@ -253,8 +271,8 @@
Host Name:                localhost
Administrative Users:     cn=Directory Manager
Installation Path:        /path/to/opendj
Version:                  OpenDJ <?eval ${docTargetVersion}?>
Java Version:             1.6.0_24
Version:                  OpenDJ ${docTargetVersion}
Java Version:             <replaceable>version</replaceable>
Administration Connector: Port 4444 (LDAPS)
          --- Connection Handlers ---
@@ -269,24 +287,27 @@
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     163
Replication: Disabled</screen>
Replication: Disabled</computeroutput>
  </screen>
  <para>The <command>manage-tasks</command> command connects over the
  administration port, and so can connect to both local and remote
  servers.</para>
  
  <screen>$ manage-tasks
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --trustAll
 --no-prompt
  <screen>
$ <userinput>manage-tasks \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>
ID                         Type    Status
--------------------------------------------------------
example                    Backup  Recurring
example-20110623030000000  Backup  Waiting on start time</screen>
example-20110623030000000  Backup  Waiting on start time</computeroutput>
  </screen>
 </section>
 <section xml:id="logging">
@@ -313,7 +334,8 @@
    message.</para>
    <para>The following access log excerpt shows a search operation from the
    local host, with the first three lines wrapped for readability.</para>
    <screen>
    <programlisting language="none">
[21/Jun/2011:08:01:53 +0200] CONNECT conn=4 from=127.0.0.1:49708
 to=127.0.0.1:1389 protocol=LDAP
[21/Jun/2011:08:01:53 +0200] SEARCH REQ conn=4 op=0 msgID=1
@@ -321,7 +343,8 @@
[21/Jun/2011:08:01:53 +0200] SEARCH RES conn=4 op=0 msgID=1
 result=0 nentries=1 etime=3
[21/Jun/2011:08:01:53 +0200] UNBIND REQ conn=4 op=1 msgID=2
[21/Jun/2011:08:01:53 +0200] DISCONNECT conn=4 reason="Client Unbind"</screen>
[21/Jun/2011:08:01:53 +0200] DISCONNECT conn=4 reason="Client Unbind"
    </programlisting>
    <para>
     Notice that by default OpenDJ directory server logs a message
@@ -349,7 +372,8 @@
    conditions, and warnings, categorized and identified by severity.</para>
    <para>The following errors log excerpt shows log entries about a
    backup task, with lines wrapped for readability.</para>
    <screen>
    <programlisting language="none">
[22/Jun/2011:12:32:23 +0200] category=BACKEND severity=NOTICE msgID=9896349
 msg=Backup task 20110622123224088 started execution
[22/Jun/2011:12:32:23 +0200] category=TOOLS severity=NOTICE msgID=10944792
@@ -359,7 +383,8 @@
[22/Jun/2011:12:32:24 +0200] category=TOOLS severity=NOTICE msgID=10944795
 msg=The backup process completed successfully
[22/Jun/2011:12:32:24 +0200] category=BACKEND severity=NOTICE msgID=9896350
 msg=Backup task 20110622123224088 finished execution</screen>
 msg=Backup task 20110622123224088 finished execution
    </programlisting>
   </listitem>
   <listitem>
@@ -463,7 +488,8 @@
    the default configuration. Lines are folded and space reformatted for the
    printed page.</para>
    <screen>-  192.168.0.15  bjensen   22/May/2013:10:06:18 +0200
    <programlisting language="none">
-  192.168.0.15  bjensen   22/May/2013:10:06:18 +0200
  GET  /users/bjensen?_prettyPrint=true                      HTTP/1.1    200
  curl/7.21.4  3    40
-  192.168.0.15  bjensen   22/May/2013:10:06:52 +0200
@@ -476,8 +502,9 @@
  GET  /users/missing?_prettyPrint=true                      HTTP/1.1    401
  curl/7.21.4  6     0
-  192.168.0.15  kvaughan  22/May/2013:10:09:10 +0200
  POST /users?_action=create&amp;_prettyPrint=true               HTTP/1.1    200
  curl/7.21.4  7   120</screen>
  POST /users?_action=create&amp;_prettyPrint=true           HTTP/1.1    200
  curl/7.21.4  7   120
    </programlisting>
    <para>You can configure the <literal>log-format</literal> for the access log
    using the <command>dsconfig</command> command. In addition to the default
@@ -515,7 +542,8 @@
    <para>The <firstterm>replication log</firstterm> traces replication
    events, with entries similar to the errors log. The following excerpt has
    lines wrapped for readability.</para>
    <screen>
    <programlisting language="none">
[22/Jun/2011:14:37:34 +0200] category=SYNC severity=NOTICE msgID=15139026
 msg=Finished total update: exported domain "dc=example,dc=com" from this
 directory server DS(24065) to all remote directory servers. 
@@ -525,7 +553,9 @@
 server will now try to connect to another replication server in order to
 receive changes for the domain "dc=example,dc=com"
[22/Jun/2011:14:37:35 +0200] category=SYNC severity=NOTICE msgID=15138894
 msg=The generation ID for domain "dc=example,dc=com" has been reset to 3679640</screen>
 msg=The generation ID for domain "dc=example,dc=com" has been reset to 3679640
    </programlisting>
    <para>Notice that the replication log does not trace replication operations.
    Use the external change log instead to get notifications about changes to
    directory data over protocol. You can alternatively configure an audit
@@ -564,54 +594,60 @@
   <para>For example, view the log rotation policies with the following
   command.</para>
   <screen width="101">$ dsconfig
 list-log-rotation-policies
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
   <screen width="101">
$ <userinput>dsconfig \
 list-log-rotation-policies \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>
Log Rotation Policy                 : Type       : file-size-limit : rotation-interval : time-of-day
------------------------------------:------------:-----------------:-------------------:------------
24 Hours Time Limit Rotation Policy : time-limit : -               : 1 d               : -
7 Days Time Limit Rotation Policy   : time-limit : -               : 1 w               : -
Fixed Time Rotation Policy          : fixed-time : -               : -                 : 2359
Size Limit Rotation Policy          : size-limit : 100 mb          : -                 : -</screen>
Size Limit Rotation Policy          : size-limit : 100 mb          : -                 : -</computeroutput>
   </screen>
   <para>View the log retention policies with the following command.</para>
   <screen width="105">$ dsconfig
 list-log-retention-policies
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
   <screen width="105">
$ <userinput>dsconfig \
 list-log-retention-policies \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>
Log Retention Policy             : Type            : disk-space-used : free-disk-space : number-of-files
---------------------------------:-----------------:-----------------:-----------------:----------------
File Count Retention Policy      : file-count      : -               : -               : 10
Free Disk Space Retention Policy : free-disk-space : -               : 500 mb          : -
Size Limit Retention Policy      : size-limit      : 500 mb          : -               : -</screen>
Size Limit Retention Policy      : size-limit      : 500 mb          : -               : -</computeroutput>
   </screen>
   <para>Use the <command>dsconfig get-log-publisher-prop</command> command to
   examine the policies that apply to a particular logger.</para>
   <screen>$ dsconfig
 get-log-publisher-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Access Logger"
 --property retention-policy
 --property rotation-policy
Property         : Value(s)
   <screen>
$ <userinput>dsconfig \
 get-log-publisher-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Access Logger" \
 --property retention-policy \
 --property rotation-policy</userinput>
<computeroutput>Property         : Value(s)
-----------------:-------------------------------------------------------------
retention-policy : File Count Retention Policy
rotation-policy  : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
                 : Policy</screen>
                 : Policy</computeroutput>
   </screen>
   <para>In other words, by default OpenDJ keeps 10 access log files, rotating
   the access log each day, or when the log size reaches 100 MB.</para>
@@ -692,48 +728,57 @@
    due to administrative connections over LDAPS on ports 1636 and 4444.</para>
    
    <para>Create access log filtering criteria rules.</para>
    <screen>$ dsconfig
 create-access-log-filtering-criteria
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Access Logger"
 --criteria-name "Exclude LDAPS on 1636 and 4444"
 --type generic
 --set connection-port-equal-to:1636
 --set connection-port-equal-to:4444
 --set connection-protocol-equal-to:ldaps
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-access-log-filtering-criteria \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Access Logger" \
 --criteria-name "Exclude LDAPS on 1636 and 4444" \
 --type generic \
 --set connection-port-equal-to:1636 \
 --set connection-port-equal-to:4444 \
 --set connection-protocol-equal-to:ldaps \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    
    <para>Activate filtering to exclude messages from the default access log
    according to the criteria you specified.</para>
    <screen>$ dsconfig
 set-log-publisher-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Access Logger"
 --set filtering-policy:exclusive
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-log-publisher-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Access Logger" \
 --set filtering-policy:exclusive \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    
    <para>At this point, OpenDJ filters out connections over LDAPS to ports
    1636 and 4444. While performing operations in OpenDJ Control Panel, if
    you perform a simple <command>ldapsearch --port 1389 --baseDN
    dc=example,dc=com uid=bjensen cn</command>, then all you see in the access
    log is the effect of the <command>ldapsearch</command> command.</para>
    <screen>$ tail -f /path/to/opendj/logs/access
[19/Oct/2011:16:37:16 +0200] CONNECT conn=8 from=127.0.0.1:54165
    <screen>
$ <userinput>tail -f /path/to/opendj/logs/access</userinput>
<computeroutput>[19/Oct/2011:16:37:16 +0200] CONNECT conn=8 from=127.0.0.1:54165
 to=127.0.0.1:1389 protocol=LDAP
[19/Oct/2011:16:37:16 +0200] SEARCH REQ conn=8 op=0 msgID=1
 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="cn"
[19/Oct/2011:16:37:16 +0200] SEARCH RES conn=8 op=0 msgID=1 result=0 nentries=1
 etime=14
[19/Oct/2011:16:37:16 +0200] UNBIND REQ conn=8 op=1 msgID=2
[19/Oct/2011:16:37:16 +0200] DISCONNECT conn=8 reason="Client Unbind"</screen>
[19/Oct/2011:16:37:16 +0200] DISCONNECT conn=8 reason="Client Unbind"</computeroutput>
    </screen>
   </example>
   
   <para>In addition to the filtering policy, you can also adjust how OpenDJ
@@ -756,45 +801,50 @@
  events. Yet alert notifications are not enabled by default. You can use
  the <command>dsconfig</command> command to enable alert notifications.</para>
  
  <screen>$ dsconfig
 set-alert-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "JMX Alert Handler"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-alert-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "JMX Alert Handler" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>OpenDJ can also send mail over SMTP instead of JMX notifications.
  Before you set up the SMTP-based alert handler, you must identify an SMTP
  server to which OpenDJ sends messages.</para>
  
  <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set smtp-server:smtp.example.com
 --trustAll
 --no-prompt
$ dsconfig
 create-alert-handler
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "SMTP Alert Handler"
 --type smtp
 --set enabled:true
 --set message-subject:"OpenDJ Alert, Type: %%alert-type%%, ID: %%alert-id%%"
 --set message-body:"%%alert-message%%"
 --set recipient-address:kvaughan@example.com
 --set sender-address:opendj@example.com
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set smtp-server:smtp.example.com \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 create-alert-handler \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "SMTP Alert Handler" \
 --type smtp \
 --set enabled:true \
 --set message-subject:"OpenDJ Alert, Type: %%alert-type%%, ID: %%alert-id%%" \
 --set message-body:"%%alert-message%%" \
 --set recipient-address:kvaughan@example.com \
 --set sender-address:opendj@example.com \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <variablelist xml:id="alert-types">
   <title>Alert Types</title>
opends/src/main/docbkx/admin-guide/chap-mv-servers.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-mv-servers'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Moving Servers</title>
 <indexterm><primary>Moving servers</primary></indexterm>
 
@@ -100,28 +100,33 @@
   <step>
    <para>Prevent the server from accepting updates from client
    applications.</para>
    <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set writability-mode:internal-only
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set writability-mode:internal-only \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Disable replication for the server.</para>
    <screen>$ dsreplication
 disable
 --disableAll
 --port 4444
 --hostname opendj2.example.com
 --adminUID admin
 --adminPassword password
 --trustAll
 --no-prompt
Establishing connections ..... Done.
    <screen>
$ <userinput>dsreplication \
 disable \
 --disableAll \
 --port 4444 \
 --hostname opendj2.example.com \
 --adminUID admin \
 --adminPassword password \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>Establishing connections ..... Done.
Disabling replication on base DN dc=example,dc=com of server
 opendj2.example.com:4444 ..... Done.
Disabling replication on base DN cn=admin data of server
@@ -134,16 +139,20 @@
See
/var/.../opends-replication-3173475478874782719.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
    </screen>
   </step>
   <step>
    <para>With the server no longer receiving traffic or accepting updates
    from clients, and no longer replicating to other servers, you can shut it
    down in preparation for the move.</para>
    <screen>$ stop-ds
Stopping Server...
... msg=The Directory Server is now stopped</screen>
    <screen>
$ <userinput>stop-ds</userinput>
<computeroutput>Stopping Server...
... msg=The Directory Server is now stopped</computeroutput>
    </screen>
   </step>
   <step performance="optional">
    <para>You might also choose to remove extra log files from the server
@@ -179,29 +188,35 @@
   </step>
   <step>
    <para>Start the server.</para>
    <screen>$ start-ds
... The Directory Server has started successfully</screen>
    <screen>
$ <userinput>start-ds</userinput>
<computeroutput>... The Directory Server has started successfully</computeroutput>
    </screen>
   </step>
   <step>
    <para>Enable and initialize replication.</para>
    <screen>$ dsreplication
 enable
 --adminUID admin
 --bindPassword password
 --baseDN dc=example,dc=com
 --host1 opendj.example.com
 --port1 4444
 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password
 --replicationPort1 8989
 --host2 opendj2.example.com
 --port2 4444
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password
 --replicationPort2 8989
 --trustAll
 --no-prompt
    <screen>
$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 --host1 opendj.example.com \
 --port1 4444 \
 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password \
 --replicationPort1 8989 \
 --host2 opendj2.example.com \
 --port2 4444 \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password \
 --replicationPort2 8989 \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>
Establishing connections ..... Done.
Checking registration information ..... Done.
Configuring Replication port on server opendj.example.com:4444 ..... Done.
@@ -228,17 +243,17 @@
 (use dsreplication initialize to do so).
See /tmp/opends-replication-1476402020764482023.log for a detailed log of this
operation.
operation.</computeroutput>
$ dsreplication
 pre-external-initialization
 --adminUID admin
 --bindPassword password
 --port 4444
 --baseDN dc=example,dc=com
 --trustAll
 --no-prompt
$ <userinput>dsreplication \
 pre-external-initialization \
 --adminUID admin \
 --bindPassword password \
 --port 4444 \
 --baseDN dc=example,dc=com \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>
Preparing base DN dc=example,dc=com to be initialized externally ..... Done.
Now you can proceed to the initialization of the contents of the base DN's on
@@ -247,31 +262,36 @@
When the initialization is completed you must use the subcommand
 'post-external-initialization' for replication to work with the new base DN's
 contents.
$ dsreplication
 post-external-initialization
 --adminUID admin
 --bindPassword password
 --port 4444
 --baseDN dc=example,dc=com
 --trustAll
 --no-prompt
 contents.</computeroutput>
$ <userinput>dsreplication \
 post-external-initialization \
 --adminUID admin \
 --bindPassword password \
 --port 4444 \
 --baseDN dc=example,dc=com \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>
Updating replication information on base DN dc=example,dc=com ..... Done.
Post initialization procedure completed successfully.</screen>
Post initialization procedure completed successfully.</computeroutput>
    </screen>
   </step>
   <step>
    <para>Accept updates from client applications.</para>
    <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set writability-mode:enabled
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set writability-mode:enabled \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Direct client applications to the server.</para>
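Review bot: The commands in this procedure are now marked up with `<userinput>` and line continuations so that readers can paste them straight into a shell, yet every one still carries `--trustAll` and a literal password argument (`--bindPassword password`, `--adminPassword password`), and nothing on the new side says these are example-only settings. `--trustAll` accepts whatever certificate the administration port presents, and a password passed as an argument is left in shell history and the process list. I would add one sentence ahead of the first `<screen>` in the procedure, for example `<para>These examples use --trustAll and a command-line password for brevity; in production, validate the server certificate with --trustStorePath and supply the password with --bindPasswordFile.</para>`. The procedure starts outside the visible hunks, so the guide may already say this earlier in the chapter; if so, a cross-reference is enough.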
opends/src/main/docbkx/admin-guide/chap-privileges-acis.xml
@@ -76,7 +76,8 @@
  access to all attributes except passwords, and allow read-write access
  for directory administrators under <literal>dc=example,dc=com</literal>.</para>
  
  <programlisting language="ldif">dn: dc=example,dc=com
  <programlisting language="ldif">
dn: dc=example,dc=com
objectClass: domain
objectClass: top
dc: example
@@ -615,7 +616,9 @@
      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to add an entry
      is:</para>
      <programlisting language="ldif">aci: (version 3.0;acl "Add entry"; allow (add)(userdn =
      <programlisting language="ldif">
aci: (version 3.0;acl "Add entry"; allow (add)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
      </programlisting>
     </listitem>
@@ -640,7 +643,9 @@
      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to compare
      values against the <literal>sn</literal> attribute is:</para>
      <programlisting language="ldif">aci: (targetattr = "sn")(version 3.0;acl "Compare surname";
      <programlisting language="ldif">
aci: (targetattr = "sn")(version 3.0;acl "Compare surname";
 allow (compare)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
      </programlisting>
@@ -656,7 +661,9 @@
      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to delete an
      entry is:</para>
      <programlisting language="ldif">aci: (version 3.0;acl "Delete entry"; allow (delete)
      <programlisting language="ldif">
aci: (version 3.0;acl "Delete entry"; allow (delete)
 (userdn = "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
      </programlisting>
     </listitem>
@@ -672,7 +679,9 @@
      <para>For example, the ACI required to allow
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to modify the 
      <literal>description</literal> attribute in an entry is:</para>
      <programlisting language="ldif">aci: (targetattr = "description")(version 3.0;
      <programlisting language="ldif">
aci: (targetattr = "description")(version 3.0;
 acl "Modify description"; allow (write)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
      </programlisting>
@@ -694,7 +703,9 @@
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to rename
      entries named with the <literal>uid</literal> attribute to new
      locations:</para>
      <programlisting language="ldif">aci: (targetattr = "uid")(version 3.0;acl "Rename uid= entries";
      <programlisting language="ldif">
aci: (targetattr = "uid")(version 3.0;acl "Rename uid= entries";
 allow (write, import, export)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
      </programlisting>
@@ -715,7 +726,9 @@
      <literal>uid=bjensen,ou=People,dc=example,dc=com</literal> to search for
      <literal>uid</literal> attributes, and also to read that attribute in
      matching entries is:</para>
      <programlisting language="ldif">aci: (targetattr = "uid")(version 3.0;acl "Search and read uid";
      <programlisting language="ldif">
aci: (targetattr = "uid")(version 3.0;acl "Search and read uid";
 allow (search, read)(userdn =
 "ldap:///uid=bjensen,ou=People,dc=example,dc=com");)
      </programlisting>
@@ -901,11 +914,14 @@
   
   <step>
    <para>Start <command>dsconfig</command> in interactive mode.</para>
    <screen>$ dsconfig
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password</screen>
    <screen>
$ <userinput>dsconfig \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
   </screen>
   </step>
   <step>
    <para>Select the Root DN menu.</para>
@@ -930,13 +946,16 @@
   
   <step>
    <para>Determine the privileges to add.</para>
    <screen>$ cat privilege.ldif
dn: uid=kvaughan,ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat privilege.ldif</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: config-read
ds-privilege-name: password-reset
</screen>
ds-privilege-name: password-reset</computeroutput>
    </screen>
    <para>This example lets the user read the server configuration, and reset
    user passwords. In order for the user to be able to change a user password,
    you must also allow the modification using ACIs. For this example, Kirsten
@@ -945,56 +964,68 @@
    <para>Prior to having the privileges, Kirsten gets messages about
    insufficent access when trying to read the server configuration, or
    reset a user password.</para>
    <screen>$ ldapsearch
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --baseDN cn=config
 "(objectclass=*)"
SEARCH operation failed
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --baseDN cn=config \
 "(objectclass=*)"</userinput>
<computeroutput>SEARCH operation failed
Result Code:  50 (Insufficient Access Rights)
Additional Information:  You do not have sufficient privileges to perform
 search operations in the Directory Server configuration
$ ldappasswordmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com"
 --newPassword changeit
The LDAP password modify operation failed with result code 50
 search operations in the Directory Server configuration</computeroutput>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
 --newPassword changeit</userinput>
<computeroutput>The LDAP password modify operation failed with result code 50
Error Message:  You do not have sufficient privileges to perform password
reset operations</screen>
reset operations</computeroutput>
    </screen>
   </step>
   <step>
    <para>Apply the change as a user with the
    <literal>privilege-change</literal> privilege.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename privilege.ldif
Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com</screen>
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename privilege.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=kvaughan,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=kvaughan,ou=People,dc=example,dc=com</computeroutput>
    </screen>
    <para>At this point, Kirsten can perform the operations requiring
    privileges.</para>
    <screen>$ ldapsearch
    <screen>
$ <userinput>ldapsearch
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --baseDN cn=config
 "(objectclass=*)"
dn: cn=config
 "(objectclass=*)"</userinput>
<computeroutput>dn: cn=config
ds-cfg-return-bind-error-messages: false
ds-cfg-default-password-policy: cn=Default Password Policy,cn=Password Policies,
 cn=config
&#8230;
$ ldappasswordmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com"
 --newPassword changeit
The LDAP password modify operation was successful</screen>
&#8230;</computeroutput>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
 --newPassword changeit</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
    </screen>
   </step>
  </procedure>
  
@@ -1016,8 +1047,10 @@
   
   <step>
    <para>Create an LDAP subentry that specifies the collective attributes.</para>
    <screen>$ cat collective.ldif
dn: cn=Administrator Privileges,dc=example,dc=com
    <screen>
$ <userinput>cat collective.ldif</userinput>
<computeroutput>dn: cn=Administrator Privileges,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
@@ -1030,28 +1063,33 @@
ds-privilege-name;collective: password-reset
ds-privilege-name;collective: proxied-auth
subtreeSpecification: {base "ou=people", specificationFilter
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename collective.ldif
Processing ADD request for cn=Administrator Privileges,dc=example,dc=com
ADD operation successful for DN cn=Administrator Privileges,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename collective.ldif</userinput>
<computeroutput>Processing ADD request for cn=Administrator Privileges,dc=example,dc=com
ADD operation successful for DN cn=Administrator Privileges,dc=example,dc=com</computeroutput>
    </screen>
    <para>The Directory Administrators group for Example.com includes members
    like Kirsten Vaughan.</para>
   </step>
   <step>
    <para>Observe that the change takes effect immediately.</para>
    <screen>$ ldappasswordmodify
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword bribery
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com"
 --newPassword changeit
The LDAP password modify operation was successful</screen>
    <screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword bribery \
 --authzID "dn:uid=scarter,ou=People,dc=example,dc=com" \
 --newPassword changeit</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -1125,7 +1163,7 @@
  changes.</para>
  <para>For hints on updating directory entries with
  <command>ldapmodify</command>, see the section on <link
  <command>ldapmodify</command>, see the section on <link xlink:show="new"
  xlink:role="http://docbook.org/xlink/role/olink"
  xlink:href="admin-guide#modify-ldap"><citetitle>Modifying Entry
  Attributes</citetitle></link>, keeping in mind that the name of the ACI
@@ -1137,7 +1175,9 @@
   
   <para>This works when the only attributes you do not want world-readable
   are password attributes.</para>
   <programlisting language="ldif">aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
   <programlisting language="ldif">
aci: (target ="ldap:///dc=example,dc=com")(targetattr !=
 "authPassword || userPassword")(version 3.0;acl "Anonymous read-search access";
 allow (read, search, compare)(userdn = "ldap:///anyone");)
 </programlisting>
@@ -1164,13 +1204,15 @@
   you can read by using the
   <command>dsconfig get-access-control-handler-prop</command> command.</para>
   <screen>$ dsconfig
 get-access-control-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --property global-aci</screen>
   <screen>
$ <userinput>dsconfig \
 get-access-control-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --property global-aci</userinput>
   </screen>
   <para>
    You can disable anonymous access either
@@ -1199,12 +1241,13 @@
    and also allow anonymous users access to some controls and extended operations.
   </para>
   <screen>$ dsconfig
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --commandFilePath /tmp/captured-global-aci-edits.sh
   <screen>
$ <userinput>dsconfig \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --commandFilePath /tmp/captured-global-aci-edits.sh</userinput>
# The dsconfig command runs interactively.
@@ -1214,7 +1257,7 @@
# To make this change, you first remove the existing values,
# then add the edited values, and finally apply the changes.
</screen>
   </screen>
   <para>
    Make sure that you also set appropriate ACIs on any data that you import.
@@ -1224,15 +1267,19 @@
    At this point, clients must authenticate to view search results for example.
   </para>
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
$ ldapsearch --bindDN uid=bjensen,ou=people,dc=example,dc=com
 --bindPassword hifalutin --port 1389 --baseDN dc=example,dc=com
 "(uid=bjensen)" cn uid
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"</userinput>
$ <userinput>ldapsearch  \
 --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword hifalutin  \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" cn uid</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
cn: Barbara Jensen
cn: Babs Jensen
uid: bjensen
</screen>
uid: bjensen</computeroutput>
   </screen>
   <para>
    You can download an example of the captured command,
@@ -1245,26 +1292,30 @@
    set <literal>reject-unauthenticated-requests:true</literal>.
   </para>
   <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --trustAll
 --no-prompt
 --set reject-unauthenticated-requests:true</screen>
   <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll \
 --no-prompt \
 --set reject-unauthenticated-requests:true</userinput>
   </screen>
   <para>
    Once you set the property, anonymous clients trying to search for example
    get an <literal>Unwilling to Perform</literal> response from OpenDJ.
   </para>
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"
SEARCH operation failed
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=bjensen)"</userinput>
<computeroutput>SEARCH operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  Rejecting the requested operation
 because the connection has not been authenticated</screen>
 because the connection has not been authenticated</computeroutput>
   </screen>
   <para>
    In both cases, notice that the changes apply to
@@ -1279,11 +1330,14 @@
   
   <para>Directory Administrators need privileges as well for full access to
   administrative operations.</para>
   <programlisting language="ldif">aci: (target="ldap:///dc=example,dc=com") (targetattr =
   <programlisting language="ldif">
aci: (target="ldap:///dc=example,dc=com") (targetattr =
 "* || +")(version 3.0;acl "Admins can run amok"; allow(
 all, proxy, import, export) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
 </programlisting>
   <para>Notice both <literal>targetattr = "* || +"</literal>, which permits
   access to both all user attributes and all operational attributes, and
   <literal>allow(all, proxy, import, export)</literal>, which permits not
@@ -1295,9 +1349,12 @@
   <title>ACI: Change Own Password</title>
   
   <para>By default this capability is set in a global ACI.</para>
   <programlisting language="ldif">aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
   <programlisting language="ldif">
aci: (target ="ldap:///ou=People,dc=example,dc=com")(targetattr =
 "authPassword || userPassword")(version 3.0;acl "Allow users to change pass
 words"; allow (write)(userdn = "ldap:///self");)</programlisting>
 words"; allow (write)(userdn = "ldap:///self");)
   </programlisting>
  </example>
  <example xml:id="access-control-selfwrite-group">
@@ -1305,31 +1362,41 @@
   
   <para>For some static groups such as carpoolers and social club members,
   you might choose to let users manage their own memberships.</para>
   <programlisting language="ldif">aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
   <programlisting language="ldif">
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
 targetattr = "member")(version 3.0;acl "Self registration"; allow(selfwrite)(
 userdn = "ldap:///uid=*,ou=People,dc=example,dc=com");)</programlisting>
 userdn = "ldap:///uid=*,ou=People,dc=example,dc=com");)
   </programlisting>
  </example>
  <example xml:id="access-control-self-service-group">
   <title>ACI: Manage Self Service Groups</title>
   
   <para>Let users create and delete self-managed groups.</para>
   <programlisting language="ldif">aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
   <programlisting language="ldif">
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(
 targattrfilters="add=objectClass:(objectClass=groupOfNames)")(version 3.0;
 acl "All can create self service groups"; allow (add)(userdn= "
 ldap:///uid=*,ou=People,dc=example,dc=com");)
aci: (target ="ldap:///ou=Self Service,ou=Groups,dc=example,dc=com")(version 3
 .0; acl "Owner can delete self service groups"; allow (delete)(userattr= "
 owner#USERDN");)</programlisting>
 owner#USERDN");)
   </programlisting>
  </example>
 
  <example xml:id="access-control-loopback-only">
   <title>ACI: Permit Clear Text Access Over Loopback Only</title>
   
   <para>This ACI uses IP address and Security Strength Factor subjects.</para>
   <programlisting language="ldif">aci: (target = "ldap:///dc=example,dc=com")(targetattr =
   <programlisting language="ldif">
aci: (target = "ldap:///dc=example,dc=com")(targetattr =
 "*")(version 3.0;acl "Use loopback only for LDAP in the clear"; deny (all)(
 ip != "127.0.0.1" and ssf &lt;= "1");)</programlisting>
 ip != "127.0.0.1" and ssf &lt;= "1");)
   </programlisting>
   <para>The <literal>ssf</literal> is one for example when using SSL but you
   have not configured a cipher, so the packets are checksummed for integrity
   checking by all content is nevertheless sent in clear text.</para>
@@ -1359,50 +1426,53 @@
  <para>In this example, Babs Jensen is the owner of a small group of people
  who are willing to carpool.</para>
  
  <screen>$ ldapsearch
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword hifalutin
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com"
 "cn=*"
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
 "cn=*"</userinput>
<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
member: uid=bjensen,ou=People,dc=example,dc=com
description: People who are willing to carpool
owner: uid=bjensen,ou=People,dc=example,dc=com
cn: Carpoolers
</screen>
cn: Carpoolers</computeroutput>
  </screen>
  <para>Performing the same search with the get effective rights control, and
  asking for the <literal>aclRights</literal> attribute, shows what rights
  Babs has on the entry.</para>
  
  <screen>$ ldapsearch
 --control effectiverights
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword hifalutin
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com"
 "cn=*"
 aclRights
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0
</screen>
  <screen>
$ <userinput>ldapsearch \
 --control effectiverights \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
 "cn=*" \
 aclRights</userinput>
<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;entryLevel: add:0,delete:1,read:1,write:0,proxy:0</computeroutput>
  </screen>
  <para>Requesting the <literal>aclRightsInfo</literal> attribute results in
  information about the ACIs applied to arrive at the results.</para>
  
  <screen>$ ldapsearch
 --control effectiverights
 --port 1389
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com"
 --bindPassword hifalutin
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com"
 "cn=*"
 aclRights
 aclRightsInfo
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --control effectiverights \
 --port 1389 \
 --bindDN "uid=bjensen,ou=people,dc=example,dc=com" \
 --bindPassword hifalutin \
 --baseDN "ou=Self Service,ou=Groups,dc=example,dc=com" \
 "cn=*" \
 aclRights \
 aclRightsInfo</userinput>
<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: evaluat
@@ -1423,8 +1493,8 @@
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (uid=bjensen,ou=People,dc=example,dc=com) (not proxied) ( reason: no acis 
 matched the subject )
</screen>
 matched the subject )</computeroutput>
  </screen>
  <para>You can also request the effective rights for another user by using the
  <option>--getEffectiveRightsAuthzid</option> (short form: <option>-g</option>)
@@ -1433,14 +1503,15 @@
  user rights to the same entry. Notice that the authorization identity for an
  anonymous user is expressed as <literal>"dn:"</literal>.</para>
  <screen>$ ldapsearch
 --getEffectiveRightsAuthzid "dn:"
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com"
 "cn=*" aclRightsInfo
dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "cn=*" aclRightsInfo</userinput>
<computeroutput>dn: cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com
aclRightsInfo;logs;entryLevel;read: acl_summary(main): access allowed(read) on e
 ntry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, objectClas
 s) to (anonymous) (not proxied) ( reason: evaluated allow , deciding_aci: Anony
@@ -1456,7 +1527,8 @@
 LL) to (anonymous) (not proxied) ( reason: no acis matched the subject )
aclRightsInfo;logs;entryLevel;proxy: acl_summary(main): access not allowed(proxy
 ) on entry/attr(cn=Carpoolers,ou=Self Service,ou=Groups,dc=example,dc=com, NULL
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )</screen>
 ) to (anonymous) (not proxied) ( reason: no acis matched the subject )</computeroutput>
  </screen>
  <para>When you need to check access to an attribute that might not yet exist
  on the entry, you can further use the
@@ -1466,23 +1538,25 @@
  access to the description attribute for the Self Service groups organizational
  unit entry. The description attribute is not present on the entry, yet.</para>
  <screen>$ ldapsearch
 --port 1389
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com"
 "ou=Self Service" description
dn: ou=Self Service,ou=Groups,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" description</userinput>
<computeroutput>dn: ou=Self Service,ou=Groups,dc=example,dc=com</computeroutput>
$ ldapsearch
 --getEffectiveRightsAuthzid "dn:"
 --getEffectiveRightsAttribute description
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com"
 "ou=Self Service" aclRights
dn: ou=Self Service,ou=Groups,dc=example,dc=com
$ <userinput>ldapsearch \
 --getEffectiveRightsAuthzid "dn:" \
 --getEffectiveRightsAttribute description \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "ou=Self Service,ou=groups,dc=example,dc=com" \
 "ou=Self Service" aclRights</userinput>
<computeroutput>dn: ou=Self Service,ou=Groups,dc=example,dc=com
aclRights;attributeLevel;description: search:1,read:1,compare:1,write:0,selfwrit
 e_add:0,selfwrite_delete:0,proxy:0
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0</screen>
aclRights;entryLevel: add:0,delete:0,read:1,write:0,proxy:0</computeroutput>
  </screen>
 </section>
</chapter>
opends/src/main/docbkx/admin-guide/chap-pta.xml
@@ -20,15 +20,14 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-pta'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <title>Configuring Pass Through Authentication</title>
 <indexterm><primary>Pass through authentication</primary></indexterm>
 
@@ -101,50 +100,36 @@
    <para>Export the server certificate from the authentication server.</para>
    <para>How you perform this step depends on the authentication directory
    server. With OpenDJ, you can export the certificate as shown here.</para>
    <screen>$ cd /path/to/PTA-Server/config
$ keytool
 -exportcert
 -rfc
 -alias server-cert
 -keystore keystore
 -storepass `cat keystore.pin`
 &gt; /tmp/pta-srv-cert.pem</screen>
    <screen>
$ <userinput>cd /path/to/PTA-Server/config</userinput>
$ <userinput>keytool \
 -exportcert \
 -rfc \
 -alias server-cert \
 -keystore keystore \
 -storepass `cat keystore.pin` \
 > /tmp/pta-srv-cert.pem</userinput>
    </screen>
   </step>
   <step>
    <para>Make note of the host name used in the certificate.</para>
    <para>You use the host name when configuring the SSL connection. With
    OpenDJ, you can view the certificate details as shown here.</para>
    <screen>$ keytool
 -list
 -v
 -alias server-cert
 -keystore keystore
 -storepass `cat keystore.pin`
Alias name: server-cert
    <screen>
$ <userinput>keytool \
 -list \
 -v \
 -alias server-cert \
 -keystore keystore \
 -storepass `cat keystore.pin`</userinput>
<computeroutput>Alias name: server-cert
Creation date: Sep 12, 2011
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=<emphasis role="strong">pta-server.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
Issuer: CN=<emphasis role="strong">pta-server.example.com</emphasis>, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
Certificate fingerprints:
  MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
  SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
  Signature algorithm name: SHA1withRSA
  Version: 3</screen>
   </step>
   <step>
    <para>Import the authentication server certificate into OpenDJ's
    key store.</para>
    <screen>$ cd /path/to/opendj/config
$ keytool
 -importcert
 -alias pta-cert
 -keystore truststore
 -storepass `cat keystore.pin`
 -file /tmp/pta-srv-cert.pem
Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
@@ -153,9 +138,34 @@
  MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
  SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
  Signature algorithm name: SHA1withRSA
  Version: 3</computeroutput>
    </screen>
   </step>
   <step>
    <para>Import the authentication server certificate into OpenDJ's
    key store.</para>
    <screen>
$ <userinput>cd /path/to/opendj/config</userinput>
$ <userinput>keytool \
 -importcert \
 -alias pta-cert \
 -keystore truststore \
 -storepass `cat keystore.pin` \
 -file /tmp/pta-srv-cert.pem</userinput>
<computeroutput>Owner: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Issuer: CN=pta-server.example.com, O=OpenDJ Self-Signed Certificate
Serial number: 4e6dc429
Valid from: Mon Sep 12 10:34:49 CEST 2011 until: Wed Sep 11 10:34:49 CEST 2013
Certificate fingerprints:
  MD5:  B6:EE:1C:A0:71:12:EF:6F:21:24:B9:50:EF:8B:4E:6A
  SHA1: 7E:A1:C9:07:D2:86:56:31:24:14:F7:07:A8:6B:3E:A1:39:63:F4:0E
  Signature algorithm name: SHA1withRSA
  Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>
   </step>
  </procedure>
  
@@ -169,22 +179,26 @@
   <step>
    <para>Set up an authentication policy for pass through
    authentication to the authentication server.</para>
    <screen>$ dsconfig
 create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --type ldap-pass-through
 --policy-name "PTA Policy"
 --set primary-remote-ldap-server:pta-server.example.com:636
 --set mapped-attribute:uid
 --set mapped-search-base-dn:"dc=PTA Server,dc=com"
 --set mapping-policy:mapped-search
 --set use-ssl:true
 --set trust-manager-provider:JKS
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --type ldap-pass-through \
 --policy-name "PTA Policy" \
 --set primary-remote-ldap-server:pta-server.example.com:636 \
 --set mapped-attribute:uid \
 --set mapped-search-base-dn:"dc=PTA Server,dc=com" \
 --set mapping-policy:mapped-search \
 --set use-ssl:true \
 --set trust-manager-provider:JKS \
 --trustAll \
 --no-prompt</userinput>
    </screen>
    <para>The policy shown here maps identities having this password policy
    to identities under <literal>dc=PTA Server,dc=com</literal>. Users must
    have the same <literal>uid</literal> values on both servers. The policy
@@ -192,19 +206,22 @@
   </step>
   <step>
    <para>Check that your policy has been added to the list.</para>
    <screen>$ dsconfig
 list-password-policies
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --property use-ssl
    <screen>
$ <userinput>dsconfig \
 list-password-policies \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --property use-ssl</userinput>
<computeroutput>
Password Policy         : Type              : use-ssl
------------------------:-------------------:--------
Default Password Policy : password-policy   : -
PTA Policy              : ldap-pass-through : true
Root Password Policy    : password-policy   : -</screen>
Root Password Policy    : password-policy   : -</computeroutput>
    </screen>
   </step>
  </procedure>
  
@@ -233,23 +250,25 @@
   enable the user with <literal>cn=LDAP PTA User</literal> on OpenDJ
   authenticate through to Active Directory.</para>
   
   <screen>$ ldapsearch
 --hostname opendj.example.com
 --baseDN dc=example,dc=com
 uid=ldapptauser
 cn
dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User
   <screen>
$ <userinput>ldapsearch \
 --hostname opendj.example.com \
 --baseDN dc=example,dc=com \
 uid=ldapptauser \
 cn</userinput>
<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</computeroutput>
$ ldapsearch
 --hostname ad.example.com
 --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com"
 --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com"
 --bindPassword password
 "(cn=LDAP PTA User)"
 cn
dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
cn: LDAP PTA User</screen>
$ <userinput>ldapsearch \
 --hostname ad.example.com \
 --baseDN "CN=Users,DC=internal,DC=forgerock,DC=com" \
 --bindDN "cn=administrator,cn=Users,DC=internal,DC=forgerock,DC=com" \
 --bindPassword password \
 "(cn=LDAP PTA User)" \
 cn</userinput>
<computeroutput>dn: CN=LDAP PTA User,CN=Users,DC=internal,DC=forgerock,DC=com
cn: LDAP PTA User</computeroutput>
   </screen>
   
   <para>OpenDJ must map its
   <literal>uid=ldapptauser,ou=People,dc=example,dc=com</literal> entry to the
@@ -292,14 +311,16 @@
   </step>
   <step>
    <para>Import the server certificate into OpenDJ's key store.</para>
    <screen>$ cd /path/to/opendj/config
$ keytool
 -importcert
 -alias ad-cert
 -keystore truststore
 -storepass `cat keystore.pin`
 -file ~/Downloads/windows.cer
Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
    <screen>
$ <userinput>cd /path/to/opendj/config</userinput>
$ <userinput>keytool \
 -importcert \
 -alias ad-cert \
 -keystore truststore \
 -storepass `cat keystore.pin` \
 -file ~/Downloads/windows.cer</userinput>
<computeroutput>Owner: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
Issuer: CN=internal-ACTIVEDIRECTORY-CA, DC=internal, DC=forgerock, DC=com
Serial number: 587465257200a7b14a6976cb47916b32
Valid from: Tue Sep 20 11:14:24 CEST 2011 until: Tue Sep 20 11:24:23 CEST 2016
@@ -327,66 +348,79 @@
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A3 3E C0 E3 B2 76 15 DC   97 D0 B3 C0 2E 77 8A 11  .&gt;...v.......w..
0000: A3 3E C0 E3 B2 76 15 DC   97 D0 B3 C0 2E 77 8A 11  .>...v.......w..
0010: 24 62 70 0A                                        $bp.
]
]
#4: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
Trust this certificate? [no]:  yes
Certificate was added to keystore</screen>
Trust this certificate? [no]:</computeroutput>  <userinput>yes</userinput>
<computeroutput>Certificate was added to keystore</computeroutput>
    </screen>
    <para>At this point OpenDJ can connect to Active Directory over SSL.</para>
   </step>
   <step>
    <para>Set up an authentication policy for OpenDJ users to authenticate
    to Active Directory.</para>
    <screen>$ dsconfig
 create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --type ldap-pass-through
 --policy-name "AD PTA Policy"
 --set primary-remote-ldap-server:ad.example.com:636
 --set mapped-attribute:cn
 --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com"
 --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal,DC=forgerock
 ,DC=com"
 --set mapped-search-bind-password:password
 --set mapping-policy:mapped-search
 --set trust-manager-provider:JKS
 --set use-ssl:true
 --trustAll --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --type ldap-pass-through \
 --policy-name "AD PTA Policy" \
 --set primary-remote-ldap-server:ad.example.com:636 \
 --set mapped-attribute:cn \
 --set mapped-search-base-dn:"CN=Users,DC=internal,DC=forgerock,DC=com" \
 --set mapped-search-bind-dn:"cn=administrator,cn=Users,DC=internal, \
  DC=forgerock,DC=com" \
 --set mapped-search-bind-password:password \
 --set mapping-policy:mapped-search \
 --set trust-manager-provider:JKS \
 --set use-ssl:true \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Assign the authentication policy to a test user.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: uid=ldapptauser,ou=People,dc=example,dc=com
changetype: modify
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config
ds-pwp-password-policy-dn: cn=AD PTA Policy,cn=Password Policies,cn=config</userinput>
Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com</screen>
<computeroutput>Processing MODIFY request for uid=ldapptauser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=ldapptauser,ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check that the user can bind using pass through authentication to
    Active Directory.</para>
    <screen>$ ldapsearch
 --hostname opendj.example.com
 --port 1389
 --baseDN dc=example,dc=com
 --bindDN uid=ldapptauser,ou=People,dc=example,dc=com
 --bindPassword password
 "(cn=LDAP PTA User)"
 userpassword cn
dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</screen>
    <screen>
$ <userinput>ldapsearch \
 --hostname opendj.example.com \
 --port 1389 \
 --baseDN dc=example,dc=com \
 --bindDN uid=ldapptauser,ou=People,dc=example,dc=com \
 --bindPassword password \
 "(cn=LDAP PTA User)" \
 userpassword cn</userinput>
<computeroutput>dn: uid=ldapptauser,ou=People,dc=example,dc=com
cn: LDAP PTA User</computeroutput>
    </screen>
    <para>Notice that to complete the search, the user authenticated with a
    password to Active Directory, though no <literal>userpassword</literal>
    value is present on the entry on the OpenDJ side.</para>
@@ -407,12 +441,14 @@
   not in fact a password policy. Therefore, the user with a pass through
   authentication policy does not have a value for the operational attribute
   <literal>pwdPolicySubentry</literal>.</para>
   <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=user.0
 pwdPolicySubentry
dn: uid=user.0,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=user.0 \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com</computeroutput>
</screen>
  </note>
  
@@ -427,7 +463,8 @@
   user's password on the authentication server is
   <literal>password</literal>.</para>
   
   <programlisting language="ldif">dn: uid=user.0,ou=People,dc=example,dc=com
   <programlisting language="ldif">
dn: uid=user.0,ou=People,dc=example,dc=com
cn: Aaccf Amar
description: This is the description for Aaccf Amar.
employeeNumber: 0
@@ -458,51 +495,59 @@
   
   <step>
    <para>Prevent users from changing their own password policies.</para>
    <screen>$ cat protect-pta.ldif
dn: ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat protect-pta.ldif</userinput>
<computeroutput>dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
 "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
 word policy";deny (write)(userdn = "ldap:///self");)
 word policy";deny (write)(userdn = "ldap:///self");)</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename protect-pta.ldif
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename protect-pta.ldif</userinput>
<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
    attribute.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: uid=user.0,ou=People,dc=example,dc=com
changetype: modify 
add: ds-pwp-password-policy-dn
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config
ds-pwp-password-policy-dn: cn=PTA Policy,cn=Password Policies,cn=config</userinput>
Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com</screen>
<computeroutput>Processing MODIFY request for uid=user.0,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=user.0,ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check that the user can authenticate through to the authentication
    server.</para>
    <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 --bindDN uid=user.0,ou=People,dc=example,dc=com
 --bindPassword password
 uid=user.0
 cn sn
dn: uid=user.0,ou=People,dc=example,dc=com
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 --bindDN uid=user.0,ou=People,dc=example,dc=com \
 --bindPassword password \
 uid=user.0 \
 cn sn</userinput>
<computeroutput>dn: uid=user.0,ou=People,dc=example,dc=com
cn: Aaccf Amar
sn: Amar
</screen>
sn: Amar</computeroutput>
    </screen>
   </step>
  </procedure>
  
@@ -519,8 +564,9 @@
    <literal>ds-pwp-password-policy-dn</literal> attribute for group
    members' entries.</para>
    
    <screen>$ cat pta-coll.ldif
dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
    <screen>
$ <userinput>cat pta-coll.ldif</userinput>
<computeroutput>dn: cn=PTA Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
@@ -529,16 +575,17 @@
ds-pwp-password-policy-dn;collective: cn=PTA Policy,cn=Password Policies,
 cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename pta-coll.ldif
Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename pta-coll.ldif</userinput>
<computeroutput>Processing ADD request for cn=PTA Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=PTA Policy for Dir Admins,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check that OpenDJ has applied the policy.</para>
@@ -546,13 +593,15 @@
     <step>
      <para>Make sure you can bind as the user on the authentication
      server.</para>
      <screen>$ ldapsearch
 --port 2389
 --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com"
 --bindPassword password
 --baseDN "dc=PTA Server,dc=com"
 uid=kvaughan
dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
      <screen>
$ <userinput>ldapsearch \
 --port 2389 \
 --bindDN "uid=kvaughan,ou=People,dc=PTA Server,dc=com" \
 --bindPassword password \
 --baseDN "dc=PTA Server,dc=com" \
 uid=kvaughan</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=PTA Server,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
@@ -563,22 +612,25 @@
sn: Vaughan
userPassword: {SSHA}x1BdtrJyRTw63kBSJFDvgvd4guzk66CV8L+t8w==
ou: People
mail: jvaughan@example.com
</screen>
mail: jvaughan@example.com</computeroutput>
      </screen>
     </step>
     <step>
      <para>Check that the user can authenticate through to the authentication
      server from OpenDJ.</para>
      <screen>$ ldapsearch
 --port 1389
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
 --bindPassword password
 --baseDN dc=example,dc=com
 uid=kvaughan
 cn sn
dn: uid=kvaughan,ou=People,dc=example,dc=com
      <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "uid=kvaughan,ou=people,dc=example,dc=com" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 uid=kvaughan \
 cn sn</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
cn: Kirsten Vaughan
sn: Vaughan</screen>
sn: Vaughan</computeroutput>
      </screen>
     </step>
    </substeps>
   </step>
opends/src/main/docbkx/admin-guide/chap-pwd-policy.xml
@@ -67,15 +67,16 @@
   policy settings using the <command>dsconfig</command> command as
   follows.</para>
   
   <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --advanced
Property                                  : Value(s)
   <screen>
$ <userinput>dsconfig \
 get-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --advanced</userinput>
<computeroutput>Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
@@ -109,7 +110,8 @@
require-secure-authentication             : false
require-secure-password-changes           : false
skip-validation-for-administrators        : false
state-update-failure-policy               : reactive</screen>
state-update-failure-policy               : reactive</computeroutput>
   </screen>
   <para>See the <citetitle>OpenDJ Configuration Reference</citetitle> page
   on <link xlink:show="new"
@@ -131,15 +133,17 @@
   value. Even the directory manager cannot see the plain text value of a user's
   password.</para>
   
   <screen>$ ldapsearch
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 uid=bjensen
 userpassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==</screen>
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 userpassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
userpassword: {SSHA}QWAtw8ch/9850HNFRRqLNMIQc1YhxCnOoGmk1g==</computeroutput>
   </screen>
   
   <para>In addition, users can change their passwords provided you have
   granted them access to do so. OpenDJ uses the <literal>userPassword</literal>
@@ -282,8 +286,8 @@
    Both are enabled in the default OpenDJ directory server configuration.
   </para>
   <programlisting language="ldif"
   >dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
   <programlisting language="ldif">
dn: cn=Subentry Password Policy with Validators,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
@@ -302,7 +306,7 @@
subtreeSpecification: {base "ou=people", specificationFilter
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
</programlisting>
   </programlisting>
   <para>
    If a referenced password validator cannot be found,
@@ -325,9 +329,11 @@
   <para>The password policy that applies to a user is identified by the
   operational attribute, <literal>pwdPolicySubentry</literal>.</para>
   
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</screen>
   <screen width="81">
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen pwdPolicySubentry</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</computeroutput>
   </screen>
  </section>
 </section>
@@ -355,45 +361,52 @@
   password policy.</para>
   <step>
    <para>Enable the appropriate password validator.</para>
    <screen>$ dsconfig
 set-password-validator-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --validator-name Dictionary
 --set enabled:true
 --set check-substrings:true
 --set min-substring-length:4
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-password-validator-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --validator-name Dictionary \
 --set enabled:true \
 --set check-substrings:true \
 --set min-substring-length:4 \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Apply the changes to the default password policy.</para>
    <screen>$ dsconfig
 set-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set max-password-age:90d
 --set min-password-age:4w
 --set password-history-count:7
 --set password-validator:Dictionary
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set max-password-age:90d \
 --set min-password-age:4w \
 --set password-history-count:7 \
 --set password-validator:Dictionary \
 --trustAll \
 --no-prompt</userinput></screen>
   </step>
   <step>
    <para>Check your work.</para>
    <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
Property                                  : Value(s)
    <screen>
$ <userinput>dsconfig \
 get-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy"</userinput>
<computeroutput>Property                                  : Value(s)
------------------------------------------:--------------------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
@@ -423,7 +436,8 @@
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false</screen>
require-secure-password-changes           : false</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -434,30 +448,35 @@
   yet used their credentials to bind.</para>
   <step>
    <para>Create the new password policy.</para>
    <screen>$ dsconfig
 create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "New Account Password Policy"
 --set default-password-storage-scheme:"Salted SHA-1"
 --set force-change-on-add:true
 --set password-attribute:userPassword
 --type password-policy
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "New Account Password Policy" \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set force-change-on-add:true \
 --set password-attribute:userPassword \
 --type password-policy \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Check your work.</para>
    <screen>$ dsconfig
 get-password-policy-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "New Account Password Policy"
Property                                  : Value(s)
    <screen>
$ <userinput>dsconfig \
 get-password-policy-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "New Account Password Policy"</userinput>
<computeroutput>Property                                  : Value(s)
------------------------------------------:-------------
account-status-notification-handler       : -
allow-expired-password-changes            : false
@@ -487,7 +506,8 @@
previous-last-login-time-format           : -
require-change-by-time                    : -
require-secure-authentication             : false
require-secure-password-changes           : false</screen>
require-secure-password-changes           : false</computeroutput>
    </screen>
    <para>If you use a password policy like this, you might want to change the
    user's policy again when the new user successfully updates the
@@ -502,8 +522,10 @@
   
   <step>
    <para>Create the entry that specifies the password policy.</para>
    <screen>$ cat /path/to/subentry-pwp.ldif
dn: cn=Subentry Password Policy,dc=example,dc=com
    <screen>
$ <userinput>cat /path/to/subentry-pwp.ldif</userinput>
<computeroutput>dn: cn=Subentry Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
@@ -516,18 +538,22 @@
pwdAllowUserChange: TRUE
pwdSafeModify: TRUE
subtreeSpecification: {base "ou=people", specificationFilter
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</screen>
  "(isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>
    </screen>
   </step>
   <step>
    <para>Add the policy to the directory.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename /path/to/subentry-pwp.ldif
Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com</screen>
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename /path/to/subentry-pwp.ldif</userinput>
<computeroutput>Processing ADD request for cn=Subentry Password Policy,dc=example,dc=com
ADD operation successful for DN cn=Subentry Password Policy,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check that the policy applies as specified.</para>
@@ -535,21 +561,24 @@
    while a normal user has the default password policy. Here, Kirsten Vaughan
    is a member of the Directory Administrators group, and Babs Jensen is not
    a member.</para>
    <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=kvaughan
 pwdPolicySubentry
dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=bjensen
 pwdPolicySubentry
dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</screen>
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=kvaughan \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Subentry Password Policy,dc=example,dc=com</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Default Password Policy,cn=Password Policies,cn=config</computeroutput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -575,28 +604,31 @@
   <step>
    <para>Prevent users from selecting their own password policy.</para>
    
    <screen>$ cat protectpwp.ldif
dn: ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat protectpwp.ldif</userinput>
<computeroutput>dn: ou=People,dc=example,dc=com
changetype: modify
add: aci
aci: (target ="ldap:///uid=*,ou=People,dc=example,dc=com")(targetattr =
 "ds-pwp-password-policy-dn")(version 3.0;acl "Cannot choose own pass
 word policy";deny (write)(userdn = "ldap:///self");)
 word policy";deny (write)(userdn = "ldap:///self");)</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename protectpwp.ldif
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename protectpwp.ldif</userinput>
<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Update the user's <literal>ds-pwp-password-policy-dn</literal>
    attribute.</para>
    
    <screen>$ cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat newuser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
@@ -608,28 +640,32 @@
mail: newuser@example.com
userPassword: changeme
ds-pwp-password-policy-dn: cn=New Account Password Policy,cn=Password Policies,
 cn=config
 cn=config</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename newuser.ldif
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename newuser.ldif</userinput>
<computeroutput>Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check your work.</para>
    <screen>$ ldapsearch
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN dc=example,dc=com
 uid=newuser
 pwdPolicySubentry
dn: uid=newuser,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config</screen>
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN dc=example,dc=com \
 uid=newuser \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=New Account Password Policy,cn=Password Policies,cn=config</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -641,8 +677,9 @@
    <literal>ds-pwp-password-policy-dn</literal> attribute for group
    members' entries.</para>
    
    <screen>$ cat pwp-coll.ldif
dn: cn=Password Policy for Dir Admins,dc=example,dc=com
    <screen>
$ <userinput>cat pwp-coll.ldif</userinput>
<computeroutput>dn: cn=Password Policy for Dir Admins,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
@@ -651,28 +688,30 @@
ds-pwp-password-policy-dn;collective: cn=Root Password Policy,cn=Pass
 word Policies,cn=config
subtreeSpecification: { base "ou=People", specificationFilter "(isMemberOf=
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}
 cn=Directory Administrators,ou=Groups,dc=example,dc=com)"}</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename pwp-coll.ldif
Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename pwp-coll.ldif</userinput>
<computeroutput>Processing ADD request for cn=Password Policy for Dir Admins,dc=example,dc=com
ADD operation successful for DN cn=Password Policy for Dir
 Admins,dc=example,dc=com</screen>
 Admins,dc=example,dc=com</computeroutput></screen>
   </step>
   <step>
    <para>Check your work.</para>
    
    <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=kvaughan
 pwdPolicySubentry
dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config</screen>
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=kvaughan \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=Root Password Policy,cn=Password Policies,cn=config</computeroutput>
    </screen>
   </step>
  </procedure>
@@ -696,8 +735,9 @@
     under <literal>ou=People,dc=example,dc=com</literal>.
    </para>
    <screen>$ cat collective-pwp.ldif
dn: cn=People Password Policy,dc=example,dc=com
    <screen>
$ <userinput>cat collective-pwp.ldif</userinput>
<computeroutput>dn: cn=People Password Policy,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: pwdPolicy
@@ -719,19 +759,20 @@
cn: Assign People Password Policy
ds-pwp-password-policy-dn;collective: cn=People Password Policy,dc=example,dc=com
subtreeSpecification: { base "ou=people" }
</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename collective-pwp.ldif
Processing ADD request for cn=People Password Policy,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename collective-pwp.ldif</userinput>
<computeroutput>Processing ADD request for cn=People Password Policy,dc=example,dc=com
ADD operation successful for DN cn=People Password Policy,dc=example,dc=com
Processing ADD request for cn=Assign People Password Policy,dc=example,dc=com
ADD operation successful for DN
 cn=Assign People Password Policy,dc=example,dc=com</screen>
 cn=Assign People Password Policy,dc=example,dc=com</computeroutput>
    </screen>
    <para>
     Notice the subtree specification used to assign the policy,
@@ -752,13 +793,15 @@
     Check your work.
    </para>
    <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 "(uid=alutz)"
 pwdPolicySubentry
dn: uid=alutz,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=People Password Policy,dc=example,dc=com</screen>
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 "(uid=alutz)" \
 pwdPolicySubentry</userinput>
<computeroutput>dn: uid=alutz,ou=People,dc=example,dc=com
pwdPolicySubentry: cn=People Password Policy,dc=example,dc=com</computeroutput>
    </screen>
    <para>
     If everything is correctly configured,
@@ -781,26 +824,29 @@
  a directory administrator resetting a user's password can have OpenDJ
  directory server generate the new password.</para>
  <screen>$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
The LDAP password modify operation was successful
Generated Password:  eak77qdi</screen>
  <screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "u:bjensen"</userinput>
<computeroutput>The LDAP password modify operation was successful
Generated Password:  eak77qdi</computeroutput>
  </screen>
  <para>The default password policy shown in <xref linkend="default-pwp" /> uses
  the Random Password Generator.</para>
  <screen>$ dsconfig
 get-password-policy-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --property password-generator
Property           : Value(s)
  <screen>
$ <userinput>dsconfig \
 get-password-policy-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --property password-generator</userinput>
<computeroutput>Property           : Value(s)
-------------------:--------------------------
password-generator : Random Password Generator
$ dsconfig
@@ -815,7 +861,8 @@
-----------------------:-----------------------------------------------------
enabled                : true
password-character-set : alpha:abcdefghijklmnopqrstuvwxyz, numeric:0123456789
password-format        : "alpha:3,numeric:2,alpha:3"</screen>
password-format        : "alpha:3,numeric:2,alpha:3"</computeroutput>
  </screen>
  <para>Notice that the default configuration for the Random Password Generator
  defines two <literal>password-character-set</literal> values, and then uses
@@ -833,27 +880,30 @@
  changes the Random Password Generator configuration, and then demonstrates a
  password being generated upon reset.</para>
  <screen>$ dsconfig
 set-password-generator-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --generator-name "Random Password Generator"
 --remove password-character-set:alpha:abcdefghijklmnopqrstuvwxyz
 --add
  password-character-set:alpha:ABCDEFGHIJKLMNOPQRSTUVWabcdefghijklmnopqrstuvwxyz
 --add password-character-set:punct:,./\`!@#\$%^&amp;*:\;[]\"\'\(\)+=-_~\\
 --set
  password-format:alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2
 --no-prompt
$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
The LDAP password modify operation was successful
Generated Password:  pld^06:)529HTq$'</screen>
  <screen width="81">
$ <userinput>dsconfig \
 set-password-generator-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --generator-name "Random Password Generator" \
 --remove password-character-set:alpha:abcdefghijklmnopqrstuvwxyz \
 --add \
  password-character-set:alpha:ABCDEFGHIJKLMNOPQRSTUVWabcdefghijklmnopqrstuvwxyz \
 --add password-character-set:punct:,./\`!@#\$%^&amp;*:\;[]\"\'\(\)+=-_~\\ \
 --set \
  password-format:alpha:3,punct:1,numeric:2,punct:2,numeric:3,alpha:3,punct:2 \
 --no-prompt</userinput>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "u:bjensen"</userinput>
<computeroutput>The LDAP password modify operation was successful
Generated Password:  pld^06:)529HTq$'</computeroutput>
  </screen>
  <para>If you also set up a password validator in the password policy as
  shown in <xref linkend="default-pwp" /> and further described in
@@ -878,13 +928,14 @@
  schemes. Some schemes make it easy to recover the clear-text password,
  whereas others aim to make it computationally hard to do so.</para>
  <screen>$ dsconfig
 list-password-storage-schemes
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
  <screen>
$ <userinput>dsconfig \
 list-password-storage-schemes \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>
Password Storage Scheme : Type          : enabled
------------------------:---------------:--------
3DES                    : triple-des    : true
@@ -901,7 +952,8 @@
Salted SHA-256          : salted-sha256 : true
Salted SHA-384          : salted-sha384 : true
Salted SHA-512          : salted-sha512 : true
SHA-1                   : sha1          : true</screen>
SHA-1                   : sha1          : true</computeroutput>
  </screen>
  <para>As shown in <xref linkend="default-pwp" />, the default password storage
  scheme for users in Salted SHA-1. When you add users or import user entries
@@ -914,15 +966,17 @@
  changing the applicable password policy, as shown in the following
  example.</para>
  <screen>$ dsconfig
 set-password-policy-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set default-password-storage-scheme:pbkdf2
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set default-password-storage-scheme:pbkdf2 \
 --no-prompt</userinput>
  </screen>
   <para>Notice that the change in default password storage scheme does not
   cause OpenDJ to update any stored password values. By default, OpenDJ only
@@ -934,33 +988,38 @@
   After the default password storage scheme is changed to PBKDF2, old user
   passwords remain encoded with Salted SHA-1.</para>
   <screen>$ ldapsearch
 --port 1389
 --bindDN uid=bjensen,ou=people,dc=example,dc=com
 --bindPassword hifalutin
 --baseDN dc=example,dc=com
 "(uid=bjensen)" userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==</screen>
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword hifalutin \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" userPassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {SSHA}Rc3tkAj1qP5zGiRkwDIWDFxrxpGgO8Fwh3aibg==</computeroutput>
   </screen>
   <para>When the password is changed, the new default password storage scheme
   takes effect, as shown in the following example.</para>
   <screen>$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
 --newPassword changeit
The LDAP password modify operation was successful
$ ldapsearch
 --port 1389
 --bindDN uid=bjensen,ou=people,dc=example,dc=com
 --bindPassword changeit
 --baseDN dc=example,dc=com
 "(uid=bjensen)" userPassword
dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==</screen>
   <screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "u:bjensen" \
 --newPassword changeit</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN uid=bjensen,ou=people,dc=example,dc=com \
 --bindPassword changeit \
 --baseDN dc=example,dc=com \
 "(uid=bjensen)" userPassword</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:O3V6G7y7n7AefOkRGNKQ5ukrMuO5uf+iEQ9ZLg==</computeroutput>
   </screen>
   <para>When you change the password storage scheme for users, realize that
   the user passwords must change in order for OpenDJ to encode them with
@@ -975,32 +1034,35 @@
   migration for active users without forcing users to change their
   passwords.</para>
   <screen>$ ldapsearch
 --port 1389
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com
 --bindPassword bribery
 --baseDN dc=example,dc=com
 "(uid=kvaughan)" userPassword
dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==
   <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery \
 --baseDN dc=example,dc=com \
 "(uid=kvaughan)" userPassword</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {SSHA}hDgK44F2GhIIZj913b+29Ak7phb9oU3Lz4ogkg==</computeroutput>
$ dsconfig
 set-password-policy-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set deprecated-password-storage-scheme:"Salted SHA-1"
 --no-prompt
$ ldapsearch
 --port 1389
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com
 --bindPassword bribery
 --baseDN dc=example,dc=com
 "(uid=kvaughan)" userPassword
dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==</screen>
$ <userinput>dsconfig \
 set-password-policy-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set deprecated-password-storage-scheme:"Salted SHA-1" \
 --no-prompt</userinput>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN uid=kvaughan,ou=people,dc=example,dc=com \
 --bindPassword bribery \
 --baseDN dc=example,dc=com \
 "(uid=kvaughan)" userPassword</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
userPassword: {PBKDF2}10000:L4dCYqSsNnf47YZ3a6aC8K2E3DChhHHhpcoUzg==</computeroutput>
   </screen>
   <para>Notice that with <literal>deprecated-password-storage-scheme</literal>
   set appropriately, Kirsten Vaughan's password was hashed again after she
@@ -1020,14 +1082,15 @@
  characters, or that it is not in the history. OpenDJ directory server
  provides a variety of password validators.</para>
  <screen>$ dsconfig
 list-password-validators
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
  <screen>
$ <userinput>dsconfig \
 list-password-validators \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password</userinput>
<computeroutput>
Password Validator                  : Type                : enabled
------------------------------------:---------------------:--------
Attribute Value                     : attribute-value     : true
@@ -1036,7 +1099,8 @@
Length-Based Password Validator     : length-based        : true
Repeated Characters                 : repeated-characters : true
Similarity-Based Password Validator : similarity-based    : true
Unique Characters                   : unique-characters   : true</screen>
Unique Characters                   : unique-characters   : true</computeroutput>
  </screen>
  <para>The password policy for a user specifies the set of password validators
  that should be used whenever that user provides a new password. By default
@@ -1071,39 +1135,41 @@
  The initial <literal>0:</literal> means the set is optional, whereas
  <literal>1:</literal> would mean the set is required.</para>
  <screen>$ dsconfig
 create-password-validator
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --validator-name "Custom Character Set Password Validator"
 --set allow-unclassified-characters:true
 --set enabled:true
 --set character-set:0:abcdefghijklmnopqrstuvwxyz
 --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ
 --set character-set:0:0123456789
 --set character-set:0:!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~
 --set min-character-sets:3
 --type character-set
 --no-prompt
  <screen>
$ <userinput>dsconfig \
 create-password-validator \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --validator-name "Custom Character Set Password Validator" \
 --set allow-unclassified-characters:true \
 --set enabled:true \
 --set character-set:0:abcdefghijklmnopqrstuvwxyz \
 --set character-set:0:ABCDEFGHIJKLMNOPQRSTUVWXYZ \
 --set character-set:0:0123456789 \
 --set character-set:0:!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~ \
 --set min-character-sets:3 \
 --type character-set \
 --no-prompt</userinput>
$ dsconfig
 set-password-policy-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Default Password Policy"
 --set password-validator:"Custom Character Set Password Validator"
 --no-prompt
$ <userinput>dsconfig \
 set-password-policy-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Default Password Policy" \
 --set password-validator:"Custom Character Set Password Validator" \
 --no-prompt</userinput>
$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
 --newPassword '!ABcd$%^'</screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "u:bjensen" \
 --newPassword '!ABcd$%^'</userinput>
  </screen>
  <para>In the preceding example, the character set of ASCII punctuation,
  <literal>!\"#\$%&amp;\'\(\)*+,-./:\;\\&lt;=\&gt;?@[\\]^_\`{\|}~</literal>,
@@ -1116,17 +1182,19 @@
  <para>An attempt to set an invalid password fails as shown in the following
  example.</para>
  <screen>$ ldappasswordmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "u:bjensen"
 --newPassword hifalutin
 The LDAP password modify operation failed with result code 19
  <screen>
$ <userinput>ldappasswordmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "u:bjensen" \
 --newPassword hifalutin</userinput>
<computeroutput>The LDAP password modify operation failed with result code 19
Error Message:  The provided new password failed the validation checks defined
in the server:  The provided password did not contain characters from at least
3 of the following character sets or ranges: 'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
'!"#$%&amp;'()*+,-./:;&lt;=\&gt;?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'</screen>
'!"#$%&amp;'()*+,-./:;&lt;=\&gt;?@[\]^_`{|}~', '0123456789', 'abcdefghijklmnopqrstuvwxyz'</computeroutput>
  </screen>
  <para>Validation does not affect existing passwords, but only takes effect
  when the password is updated.</para>
@@ -1200,20 +1268,23 @@
    on consecutive changes.
   </para>
   <screen>$ dsconfig create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Enforce Regular Password Changes"
 --type password-policy
 --set default-password-storage-scheme:"Salted SHA-1"
 --set password-attribute:userPassword
 --set max-password-age:13w
 --set min-password-age:4w
 --set password-history-count:7
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig  \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Enforce Regular Password Changes" \
 --type password-policy \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set password-attribute:userPassword \
 --set max-password-age:13w \
 --set min-password-age:4w \
 --set password-history-count:7 \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>
    See also <xref linkend="assign-pwp" /> for instructions on using the policy.
@@ -1238,10 +1309,11 @@
    ><citetitle>Search: List Active Accounts</citetitle></link>.
   </para>
   <screen>$ ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
   <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password
dn: cn=schema
changetype: modify
@@ -1255,29 +1327,33 @@
  SINGLE-VALUE
  NO-USER-MODIFICATION
  USAGE directoryOperation
  X-ORIGIN 'OpenDJ example documentation' )
  X-ORIGIN 'OpenDJ example documentation' )</userinput>
Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema</screen>
<computeroutput>Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema</computeroutput>
   </screen>
   <para>
    Next, create the password policy that causes OpenDJ directory server
    to write the timestamp to the attribute on successful login.
   </para>
   <screen>$ dsconfig create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Track Last Login Time"
 --type password-policy
 --set default-password-storage-scheme:"Salted SHA-1"
 --set password-attribute:userPassword
 --set last-login-time-attribute:lastLoginTime
 --set last-login-time-format:"yyyyMMddHH'Z'"
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Track Last Login Time" \
 --type password-policy \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set password-attribute:userPassword \
 --set last-login-time-attribute:lastLoginTime \
 --set last-login-time-format:"yyyyMMddHH'Z'" \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>
    See also <xref linkend="assign-pwp" /> for instructions on using the policy.
@@ -1297,21 +1373,24 @@
    to hash or to encrypt passwords when a password changes.
   </para>
   <screen>$ dsconfig create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Deprecate a Password Storage Scheme"
 --type password-policy
 --set deprecated-password-storage-scheme:Crypt
 --set default-password-storage-scheme:"Salted SHA-1"
 --set password-attribute:userPassword
 --set max-password-age:13w
 --set min-password-age:4w
 --set password-history-count:7
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Deprecate a Password Storage Scheme" \
 --type password-policy \
 --set deprecated-password-storage-scheme:Crypt \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set password-attribute:userPassword \
 --set max-password-age:13w \
 --set min-password-age:4w \
 --set password-history-count:7 \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>
    See also <xref linkend="assign-pwp" /> for instructions on using the policy.
@@ -1333,20 +1412,23 @@
    in order for OpenDJ directory server to accept this new password policy.
   </para>
   <screen>$ dsconfig create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Lock Idle Accounts"
 --type password-policy
 --set default-password-storage-scheme:"Salted SHA-1"
 --set password-attribute:userPassword
 --set last-login-time-attribute:lastLoginTime
 --set last-login-time-format:"yyyyMMddHH'Z'"
 --set idle-lockout-interval:13w
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Lock Idle Accounts" \
 --type password-policy \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set password-attribute:userPassword \
 --set last-login-time-attribute:lastLoginTime \
 --set last-login-time-format:"yyyyMMddHH'Z'" \
 --set idle-lockout-interval:13w \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>
    See also <xref linkend="assign-pwp" />,
@@ -1366,18 +1448,21 @@
    in order to choose a new password.
   </para>
   <screen>$ dsconfig create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Allow Grace Login"
 --type password-policy
 --set default-password-storage-scheme:"Salted SHA-1"
 --set password-attribute:userPassword
 --set grace-login-count:2
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Allow Grace Login" \
 --type password-policy \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set password-attribute:userPassword \
 --set grace-login-count:2 \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>
    See also <xref linkend="assign-pwp" /> for instructions on using the policy.
@@ -1396,19 +1481,22 @@
    after their password is reset.
   </para>
   <screen>$ dsconfig create-password-policy
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --policy-name "Require Password Change on Add or Reset"
 --type password-policy
 --set default-password-storage-scheme:"Salted SHA-1"
 --set password-attribute:userPassword
 --set force-change-on-add:true
 --set force-change-on-reset:true
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-password-policy \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --policy-name "Require Password Change on Add or Reset" \
 --type password-policy \
 --set default-password-storage-scheme:"Salted SHA-1" \
 --set password-attribute:userPassword \
 --set force-change-on-add:true \
 --set force-change-on-reset:true \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>
    See also <xref linkend="assign-pwp" /> for instructions on using the policy.
opends/src/main/docbkx/admin-guide/chap-referrals.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-referrals'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Working With Referrals</title>
 <indexterm><primary>Referrals</primary></indexterm>
 
@@ -80,79 +80,87 @@
  <literal>ref</literal> attribute with an LDAP URL to an existing entry.
  This section demonstrates use of the latter approach.</para>
  
  <screen>$ cat referral.ldif
dn: ou=People,dc=example,dc=com
  <screen>
$ <userinput>cat referral.ldif</userinput>
<computeroutput>dn: ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: extensibleObject
-
add: ref
ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com
ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename referral.ldif
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename referral.ldif</userinput>
<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
  </screen>
  <para>The example above adds a referral to
  <literal>ou=People,dc=example,dc=com</literal>. OpenDJ can now return
  a referral for operations under the People organizational unit.</para>
  
  <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen description
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen description</userinput>
<computeroutput>
SearchReference(referralURLs=
 {ldap://opendj.example.com:2389/ou=People,dc=example,dc=com??sub?})
$ ldapsearch --port 1389 --baseDN dc=example,dc=com ou=people
</computeroutput>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com ou=people</userinput>
<computeroutput>
SearchReference(referralURLs=
 {ldap://opendj.example.com:2389/ou=People,dc=example,dc=com??sub?})</screen>
 {ldap://opendj.example.com:2389/ou=People,dc=example,dc=com??sub?})</computeroutput>
  </screen>
 
  <para>To access the entry instead of the referral, use the Manage DSAIT
  control.</para>
  
  <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 --control ManageDSAIT:true
 ou=people
 ref
dn: ou=People,dc=example,dc=com
ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 --control ManageDSAIT:true \
 ou=people \
 ref</userinput>
<computeroutput>dn: ou=People,dc=example,dc=com
ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com</computeroutput>
$ cat people.ldif
dn: ou=People,dc=example,dc=com
$ <userinput>cat people.ldif</userinput>
<computeroutput>dn: ou=People,dc=example,dc=com
changetype: modify
delete: ref
ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com
ref: ldap://opendj.example.com:2389/ou=People,dc=example,dc=com</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename people.ldif
Processing MODIFY request for ou=People,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename people.ldif</userinput>
<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com
A referral entry ou=People,dc=example,dc=com indicates that the operation must
 be processed at a different server
[ldap://opendj.example.com:2389/ou=People,dc=example,dc=com]
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --control ManageDSAIT
 --filename people.ldif
Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com
$ ldapsearch --port 1389 --baseDN dc=example,dc=com ou=people
dn: ou=People,dc=example,dc=com
[ldap://opendj.example.com:2389/ou=People,dc=example,dc=com]</computeroutput>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --control ManageDSAIT \
 --filename people.ldif</userinput>
<computeroutput>Processing MODIFY request for ou=People,dc=example,dc=com
MODIFY operation successful for DN ou=People,dc=example,dc=com</computeroutput>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com ou=people</userinput>
<computeroutput>dn: ou=People,dc=example,dc=com
ou: People
objectClass: organizationalunit
objectClass: extensibleObject
objectClass: top</screen>
objectClass: top</computeroutput>
  </screen>
  <para>The example above shows how to remove the referral using the Manage
  DSAIT control with the <command>ldapmodify</command> command.</para>
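Review bot: The removal example in the `@@ -80,79 +80,87 @@` hunk leaves `objectClass: extensibleObject` on `ou=People,dc=example,dc=com`: `people.ldif` deletes only `ref`, and the final `ldapsearch` output still lists the class. `referral.ldif` had to add that class, so the entry presumably did not carry it before, and leaving it behind means the entry keeps accepting arbitrary attributes after the referral is gone. Now that these commands are meant to be pasted as shown, I would extend `people.ldif` with `-`, `delete: objectClass` and `objectClass: extensibleObject` after the `ref:` value line. The `objectClass: extensibleObject` line should then be dropped from the last `<computeroutput>` block. If leaving the class in place is intentional, a sentence in the closing `<para>` should say so.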
opends/src/main/docbkx/admin-guide/chap-replication.xml
@@ -342,25 +342,25 @@
   <para>You can start the replication process by using the
   <command>dsreplication enable</command> command.</para>
   
   <screen>$ dsreplication
 enable
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --host1 opendj.example.com
 --port1 4444
 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password
 --replicationPort1 8989
 --host2 opendj2.example.com
 --port2 4444
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password
 --replicationPort2 8989
 --trustAll
 --no-prompt
   <screen>$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --host1 opendj.example.com \
 --port1 4444 \
 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password \
 --replicationPort1 8989 \
 --host2 opendj2.example.com \
 --port2 4444 \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password \
 --replicationPort2 8989 \
 --trustAll \
 --no-prompt</userinput>
Establishing connections ..... Done.
<computeroutput>Establishing connections ..... Done.
Checking registration information ..... Done.
Updating remote references on server opendj.example.com:4444 ..... Done.
Configuring Replication port on server opendj2.example.com:4444 ..... Done.
@@ -387,7 +387,8 @@
See
/var/.../opends-replication-7958637258600693490.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
   </screen>
   
   <para>To enable secure connections for replication use the
   <option>--secureReplication1</option> and
@@ -450,23 +451,25 @@
     <para>Start replication with the <command>dsreplication
     initialize-all</command> command.</para>
     
     <screen>$ dsreplication
 initialize-all
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --hostname opendj.example.com
 --port 4444
 --trustAll
 --no-prompt
     <screen>
$ <userinput>dsreplication \
 initialize-all \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --hostname opendj.example.com \
 --port 4444 \
 --trustAll \
 --no-prompt</userinput>
Initializing base DN dc=example,dc=com with the contents from
<computeroutput>Initializing base DN dc=example,dc=com with the contents from
 opendj.example.com:4444: 160 entries processed (100 % complete).
Base DN initialized successfully.
See
/var/.../opends-replication-5020375834904394170.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
    </step>
   </procedure>
@@ -523,25 +526,26 @@
    <step>
     <para>Enable replication on the new replica.</para>
     <screen>$ dsreplication
 enable
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --host1 opendj.example.com
 --port1 4444
 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password
 --replicationPort1 8989
 --host2 opendj3.example.com
 --port2 4444
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password
 --replicationPort2 8989
 --trustAll
 --no-prompt
     <screen>
$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --host1 opendj.example.com \
 --port1 4444 \
 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password \
 --replicationPort1 8989 \
 --host2 opendj3.example.com \
 --port2 4444 \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password \
 --replicationPort2 8989 \
 --trustAll \
 --no-prompt</userinput>
Establishing connections ..... Done.
<computeroutput>Establishing connections ..... Done.
Checking registration information ..... Done.
Updating remote references on server opendj.example.com:4444 ..... Done.
Configuring Replication port on server opendj3.example.com:4444 ..... Done.
@@ -573,7 +577,8 @@
See
/var/.../opends-replication-1672058070147419978.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
     <para>Contrary to the message from the command, you do not need to use
     the <command>dsreplication initialize</command> command at this
@@ -619,30 +624,37 @@
    <step>
     <para>Disable the multimaster synchronization provider.</para>
     <screen>$ dsconfig
 set-synchronization-provider-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --set enabled:false
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-synchronization-provider-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --set enabled:false \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
    <step performance="optional">
     <para>When you are ready to resume replication, enable the multimaster
     synchronization provider.</para>
     <screen>$ dsconfig
 set-synchronization-provider-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-synchronization-provider-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
   </procedure>
   
@@ -656,16 +668,18 @@
    <step>
     <para>Stop replication using the <command>dsreplication disable</command>
     command.</para>
     <screen>$ dsreplication
 disable
 --disableAll
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --adminPassword password
 --trustAll
 --no-prompt
Establishing connections ..... Done.
     <screen>
$ <userinput>dsreplication \
 disable \
 --disableAll \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --adminPassword password \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>Establishing connections ..... Done.
Disabling replication on base DN cn=admin data of server
 opendj2.example.com:4444 ..... Done.
Disabling replication on base DN dc=example,dc=com of server
@@ -679,10 +693,13 @@
See
/var/.../opends-replication-125248191132797765.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
     <para>The <command>dsreplication disable</command> as shown completely
     removes the replication configuration information from the server.</para>
    </step>
    <step performance="optional">
     <para>If you want to restart replication for the server, you need to run
     the <command>dsreplication enable</command> and <command>dsreplication
@@ -787,25 +804,27 @@
     <para>Enable replication with the appropriate
     <option>--noReplicationServer</option> and
     <option>--onlyReplicationServer</option> options.</para>
     <screen>$ dsreplication
 enable
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --host1 opendj.example.com
 --port1 4444
 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password
 --noReplicationServer1
 --host2 rs.example.com
 --port2 4444
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password
 --replicationPort2 8989
 --onlyReplicationServer2
 --trustAll
 --no-prompt
Establishing connections ..... Done.
     <screen>
$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --host1 opendj.example.com \
 --port1 4444 \
 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password \
 --noReplicationServer1 \
 --host2 rs.example.com \
 --port2 4444 \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password \
 --replicationPort2 8989 \
 --onlyReplicationServer2 \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>Establishing connections ..... Done.
Only one replication server will be defined for the following base DN's:
dc=example,dc=com
It is recommended to have at least two replication servers (two changelogs) to
@@ -830,28 +849,28 @@
See
/var/.../opends-replication-1720959352638609971.log
for a detailed log of this operation.
for a detailed log of this operation.</computeroutput>
$ dsreplication
 enable
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --host1 opendj2.example.com
 --port1 4444
 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password
 --noReplicationServer1
 --host2 rs.example.com
 --port2 4444
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password
 --replicationPort2 8989
 --onlyReplicationServer2
 --trustAll
 --no-prompt
$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --host1 opendj2.example.com \
 --port1 4444 \
 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password \
 --noReplicationServer1 \
 --host2 rs.example.com \
 --port2 4444 \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password \
 --replicationPort2 8989 \
 --onlyReplicationServer2 \
 --trustAll \
 --no-prompt</userinput>
Establishing connections ..... Done.
<computeroutput>Establishing connections ..... Done.
Only one replication server will be defined for the following base DN's:
dc=example,dc=com
It is recommended to have at least two replication servers (two changelogs) to
@@ -882,27 +901,32 @@
See
/var/folders/.../opends-replication-5893037538856033562.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
    </step>
    <step>
     <para>Initialize replication from one of the directory servers.</para>
     <screen>$ dsreplication
 initialize-all
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --hostname opendj.example.com
 --port 4444
 --trustAll
 --no-prompt
Initializing base DN dc=example,dc=com with the contents from
     <screen>
$ <userinput>dsreplication \
 initialize-all \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --hostname opendj.example.com \
 --port 4444 \
 --trustAll \
 --no-prompt</userinput>
<computeroutput>Initializing base DN dc=example,dc=com with the contents from
 opendj.example.com:4444: 160 entries processed (100 % complete).
Base DN initialized successfully.
See
/var/.../opends-replication-7677303986403997574.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
    </step>
   </procedure>
  </section>
@@ -963,23 +987,24 @@
      <option>--noReplicationServer</option> option.
     </para>
     <screen>$ dsreplication
 enable
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --host1 master.example.com
 --port1 4444 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password
 --host2 ds-only.example.com
 --port2 4444
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password
 --noReplicationServer2
 --trustAll
 --no-prompt
     <screen>
$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --host1 master.example.com \
 --port1 4444 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password \
 --host2 ds-only.example.com \
 --port2 4444 \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password \
 --noReplicationServer2 \
 --trustAll \
 --no-prompt</userinput>
Establishing connections ..... Done.
<computeroutput>Establishing connections ..... Done.
Checking registration information ..... Done.
Updating remote references on server master.example.com:4444 ..... Done.
Updating replication configuration for baseDN dc=example,dc=com
@@ -1012,7 +1037,8 @@
See
/var/.../opendj-replication-859181866587327450.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
     <para>
      Here the existing server is both directory server and replication server.
@@ -1027,19 +1053,20 @@
      Initialize data on the new directory server replica.
     </para>
     <screen>$ dsreplication
 initialize
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --hostSource master.example.com
 --portSource 4444
 --hostDestination ds-only.example.com
 --portDestination 4444
 --trustAll
 --no-prompt
     <screen>
$ <userinput>dsreplication \
 initialize \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --hostSource master.example.com \
 --portSource 4444 \
 --hostDestination ds-only.example.com \
 --portDestination 4444 \
 --trustAll \
 --no-prompt</userinput>
Initializing base DN dc=example,dc=com with the contents
<computeroutput>Initializing base DN dc=example,dc=com with the contents
 from master.example.com:4444:
0 entries processed (0 % complete).
176 entries processed (100 % complete).
@@ -1047,7 +1074,8 @@
See
/var/.../opendj-replication-4326340645155418876.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
     </screen>
    </step>
    <step>
@@ -1099,52 +1127,60 @@
    <step>
     <para>Set the group ID for each group by replication domain on the
     directory servers.</para>
     <screen>$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set group-id:1
 --trustAll
 --no-prompt
$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set group-id:2
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set group-id:1 \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set group-id:2 \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
    <step>
     <para>Set the group ID for each group on the replication servers.</para>
     <screen>$ dsconfig
 set-replication-server-prop
 --port 4444
 --hostname rs.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --set group-id:1
 --trustAll
 --no-prompt
$ dsconfig
 set-replication-server-prop
 --port 4444
 --hostname rs2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --set group-id:2
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsconfig \
 set-replication-server-prop \
 --port 4444 \
 --hostname rs.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --set group-id:1 \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-replication-server-prop \
 --port 4444 \
 --hostname rs2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --set group-id:2 \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
   </procedure>
  </section>
@@ -1161,15 +1197,17 @@
   from the replication protocol, and refuse updates from client
   applications.</para>
   <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set writability-mode:internal-only
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set writability-mode:internal-only \
 --trustAll \
 --no-prompt</userinput>
   </screen>
  </section>
  <section xml:id="repl-assured">
@@ -1208,31 +1246,33 @@
     <para>For each directory server, set safe data mode for the replication
     domain, and also set the safe data level.</para>
     
     <screen>$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set assured-type:safe-data
 --set assured-sd-level:1
 --trustAll
 --no-prompt
     <screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set assured-type:safe-data \
 --set assured-sd-level:1 \
 --trustAll \
 --no-prompt</userinput>
$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set assured-type:safe-data
 --set assured-sd-level:1
 --trustAll
 --no-prompt</screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set assured-type:safe-data \
 --set assured-sd-level:1 \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
   </procedure>
   
@@ -1246,29 +1286,31 @@
     <para>For each directory server, set safe read mode for the replication
     domain.</para>
     
     <screen>$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set assured-type:safe-read
 --trustAll
 --no-prompt
     <screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set assured-type:safe-read \
 --trustAll \
 --no-prompt</userinput>
$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj2.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set assured-type:safe-read
 --trustAll
 --no-prompt</screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj2.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set assured-type:safe-read \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </step>
   </procedure>
   
@@ -1331,33 +1373,37 @@
   fractional replica to include only some <literal>inetOrgPerson</literal>
   attributes.</para>
   
   <screen>$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --trustAll
 --no-prompt
 --set
 fractional-include:inetorgperson:cn,givenname,mail,mobile,sn,telephonenumber</screen>
   <screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --trustAll \
 --no-prompt \
 --set \
 fractional-include:inetorgperson:cn,givenname,mail,mobile,sn,telephonenumber</userinput>
   </screen>
   
   <para>As another example, you might exclude a custom attribute called
   <literal>sessionToken</literal> from being replicated.</para>
   
   <screen>$ dsconfig
 set-replication-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name "dc=example,dc=com"
 --set fractional-exclude:*:sessionToken
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-replication-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name "dc=example,dc=com" \
 --set fractional-exclude:*:sessionToken \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>This last example only works if you first define a
   <literal>sessionToken</literal> attribute in the directory server
@@ -1402,15 +1448,16 @@
    the publicly visible data available before any changes have been
    made.</para>
    
    <screen>$ ldapsearch --baseDN cn=changelog --port 1389 "(objectclass=*)" \* +
dn: cn=changelog
    <screen>
$ <userinput>ldapsearch --baseDN cn=changelog --port 1389 "(objectclass=*)" \* +</userinput>
<computeroutput>dn: cn=changelog
cn: changelog
objectClass: top
objectClass: container
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: cn=changelog
</screen>
entryDN: cn=changelog</computeroutput>
    </screen>
   </step>
  </procedure>
  
@@ -1439,15 +1486,16 @@
    <para>Notice the value of the <literal>changeLogCookie</literal> attribute
    for the last of the two changes.</para>
    
    <screen>$ ldapsearch
 --baseDN cn=changelog
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --control "1.3.6.1.4.1.26027.1.5.4:false"
 "(objectclass=*)"
 \* +
dn: cn=changelog
    <screen>
$ <userinput>ldapsearch \
 --baseDN cn=changelog \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --control "1.3.6.1.4.1.26027.1.5.4:false" \
 "(objectclass=*)" \
 \* +</userinput>
<computeroutput>dn: cn=changelog
cn: changelog
objectClass: top
objectClass: container
@@ -1498,13 +1546,13 @@
replicationCSN: 0000013087cbc34a12d100000002
numSubordinates: 0
replicaIdentifier: 4817
<emphasis>changeLogCookie: dc=example,dc=com:0000013087cbc34a12d100000002;</emphasis>
changeLogCookie: dc=example,dc=com:0000013087cbc34a12d100000002;
changeInitiatorsName: cn=Directory Manager,cn=Root DNs,cn=config
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: replicationCSN=0000013087cbc34a12d100000002,dc=example,dc=com,cn=change
 log
</screen>
 log</computeroutput>
    </screen>
    
    <para>In this example, two new users were added to another replica
    before the change log request was made.</para>
@@ -1512,15 +1560,16 @@
    <para>Here the changes are base64 encoded, so you can decode them using
    the <command>base64</command> command.</para>
    
    <screen>$ base64 decode --encodedData b2JqZW...ZmlnCg==
objectClass: person
    <screen>
$ <userinput>base64 decode --encodedData b2JqZW...ZmlnCg==</userinput>
<computeroutput>objectClass: person
objectClass: top
cn: Horace Velmont
telephoneNumber: +33 1 12 23 34 45
sn: Velmont
entryUUID: 6b22440a-76d0-4031-94b7-35b1d86f067e
createTimestamp: 20110613065855Z
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config
creatorsName: cn=Directory Manager,cn=Root DNs,cn=config</computeroutput>
    </screen>
   </step>
   
@@ -1530,16 +1579,17 @@
   
    <para>In this example, a description was added to Babs Jensen's entry.</para>
   
    <screen>$ ldapsearch
 --baseDN cn=changelog
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --control "1.3.6.1.4.1.26027.1.5.4:false:
 dc=example,dc=com:0000013087cbc34a12d100000002;"
 "(objectclass=*)"
 \* +
dn: cn=changelog
    <screen>
$ <userinput>ldapsearch \
 --baseDN cn=changelog \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --control "1.3.6.1.4.1.26027.1.5.4:false:dc=example, \
  dc=com:0000013087cbc34a12d100000002;" \
 "(objectclass=*)" \
 \* +</userinput>
<computeroutput>dn: cn=changelog
cn: changelog
objectClass: top
objectClass: container
@@ -1569,13 +1619,14 @@
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: replicationCSN=0000013087d7e27f12d100000003,dc=example,dc=com,cn=change
 log
 log</computeroutput>
    </screen>
    
    <para>If we base64-decode the changes, we see the following.</para>
    
    <screen>$ base64 decode --encodedData YWRkO...gotCg==
add: description
    <screen>
$ <userinput>base64 decode --encodedData YWRkO...gotCg==</userinput>
<computeroutput>add: description
description: A third change
-
replace: modifiersName
@@ -1583,9 +1634,10 @@
-
replace: modifyTimestamp
modifyTimestamp: 20110613071210Z
-
</screen>
-</computeroutput>
    </screen>
   </step>
   <step>
    <para>If for some reason you lose the cookie, you can start over from
    the earliest available change by sending a search request with no
@@ -1606,33 +1658,40 @@
   <step>
    <para>Set the attributes to include for all update operations with
    <literal>ecl-include</literal>.</para>
    <screen>$ dsconfig
 set-external-changelog-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name dc=example,dc=com
 --set ecl-include:"@person"
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-external-changelog-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name dc=example,dc=com \
 --set ecl-include:"@person" \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
   <step>
    <para>Set the attributes to include for deletes with
    <literal>ecl-include-for-deletes</literal>.</para>
    <screen>$ dsconfig
 set-external-changelog-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name dc=example,dc=com
 --add ecl-include-for-deletes:"*"
 --add ecl-include-for-deletes:"+"
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-external-changelog-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name dc=example,dc=com \
 --add ecl-include-for-deletes:"*" \
 --add ecl-include-for-deletes:"+" \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
  </procedure>
  
@@ -1645,17 +1704,20 @@
   
   <step>
    <para>Prevent OpenDJ from logging changes by disabling the domain.</para>
    <screen>$ dsconfig
 set-external-changelog-domain-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --provider-name "Multimaster Synchronization"
 --domain-name dc=example,dc=com
 --set enabled:false
 --trustAll
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-external-changelog-domain-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --provider-name "Multimaster Synchronization" \
 --domain-name dc=example,dc=com \
 --set enabled:false \
 --trustAll \
 --no-prompt</userinput>
    </screen>
   </step>
  </procedure>
  
opends/src/main/docbkx/admin-guide/chap-resource-limits.xml
@@ -94,26 +94,31 @@
   <title>To Set Search Limits For a User</title>
   <step>
    <para>Change the user entry to set the limits to override.</para>
    <screen>$ cat limit.ldif
dn: uid=bjensen,ou=People,dc=example,dc=com
    <screen>
$ <userinput>cat limit.ldif</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: ds-rlim-size-limit
ds-rlim-size-limit: 10
ds-rlim-size-limit: 10</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename limit.ldif
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename limit.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
    </screen>
    <para>Now when Babs Jensen performs a search returning more than 10
    entries, she sees the following message.</para>
    
    <screen>Result Code:  4 (Size Limit Exceeded)
    <programlisting language="none">
Result Code:  4 (Size Limit Exceeded)
Additional Information:  This search operation has sent the maximum of
 10 entries to the client</screen>
 10 entries to the client
    </programlisting>
   </step>
  </procedure>
@@ -122,8 +127,10 @@
   <step>
    <para>Create an LDAP subentry to specify the limits using collective
    attributes.</para>
    <screen>$ cat grouplim.ldif
dn: cn=Remove Administrator Search Limits,dc=example,dc=com
    <screen>
$ <userinput>cat grouplim.ldif</userinput>
<computeroutput>dn: cn=Remove Administrator Search Limits,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
objectClass: subentry
@@ -133,25 +140,30 @@
ds-rlim-size-limit;collective: 0
ds-rlim-time-limit;collective: 0
subtreeSpecification: {base "ou=people", specificationFilter "
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }
 (isMemberOf=cn=Directory Administrators,ou=Groups,dc=example,dc=com)" }</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename grouplim.ldif
Processing ADD request for
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename grouplim.ldif</userinput>
<computeroutput>Processing ADD request for
 cn=Remove Administrator Search Limits,dc=example,dc=com
ADD operation successful for DN
 cn=Remove Administrator Search Limits,dc=example,dc=com</screen>
 cn=Remove Administrator Search Limits,dc=example,dc=com</computeroutput>
    </screen>
   </step>
   <step>
    <para>Check the results.</para>
    <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim
ds-rlim-lookthrough-limit: 0
    <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=kvaughan +|grep ds-rlim</userinput>
<computeroutput>ds-rlim-lookthrough-limit: 0
ds-rlim-time-limit: 0
ds-rlim-size-limit: 0</screen>
ds-rlim-size-limit: 0</computeroutput>
    </screen>
   </step>
  </procedure>
 </section>
@@ -181,15 +193,17 @@
   <para>OpenDJ does not enforce idle timeout for persistent searches.</para>
  </note>
  <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set idle-time-limit:24h
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set idle-time-limit:24h \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>The example shown sets the idle time limit to 24 hours.</para>
 </section>
@@ -204,16 +218,18 @@
  add groups with large numbers of members, those add requests can go beyond
  the 5 MB limit.</para>
  
  <screen>$ dsconfig
 set-connection-handler-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "LDAP Connection Handler"
 --set max-request-size:20mb
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "LDAP Connection Handler" \
 --set max-request-size:20mb \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  
  <para>The example shown sets the maximum request size on the LDAP connection
  handler to 20 MB.</para>
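Review bot: The two `dsconfig` examples in this section (`idle-time-limit` and `max-request-size`) are now wrapped in `<userinput>` with line continuations so they can be pasted and run as is, but they still carry `--trustAll` and `--bindPassword password` with no caveat. `--trustAll` makes the tool accept whatever certificate the administration port presents, and a password passed as an argument lands in shell history and the process list. Because readers will now run these verbatim, I would add a short `<note>` after the first example, for instance `<para>The examples use --trustAll and --bindPassword for brevity; in production, validate the server certificate against a trust store and supply the password with --bindPasswordFile.</para>`. The `ldapmodify` examples earlier in the section pass `--bindPassword password` the same way, as do the `dsconfig` examples visible in the replication chapter.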
opends/src/main/docbkx/admin-guide/chap-rest-operations.xml
@@ -38,11 +38,19 @@
 This chapter demonstrates basic RESTful client operations using the
 default configuration and sample directory data imported into OpenDJ from
 <link xlink:show="new" xlink:href="http://opendj.forgerock.org/Example.ldif"
 >Example.ldif</link>. Before trying the examples, enable HTTP access to
 OpenDJ directory server as described in procedure, <link xlink:show="new"
 xlink:href="admin-guide#setup-rest2ldap-connection-handler"
 xlink:role="http://docbook.org/xlink/role/olink"><citetitle>To Set Up REST
 Access to OpenDJ Directory Server</citetitle></link>.</para>
 >Example.ldif</link>.</para>
 <para>
  Before trying the examples, enable HTTP access to
  OpenDJ directory server as described in procedure,
  <link
   xlink:show="new"
   xlink:href="admin-guide#setup-rest2ldap-connection-handler"
   xlink:role="http://docbook.org/xlink/role/olink"
  ><citetitle>To Set Up REST Access to OpenDJ Directory Server</citetitle></link>.
  The examples in this chapter use HTTP,
  but the procedure also shows how to set up HTTPS access to the server.
 </para>
 <para>Interface stability: <link xlink:href="admin-guide#interface-stability"
 xlink:show="new" xlink:role="http://docbook.org/xlink/role/olink"
@@ -136,28 +144,32 @@
  entry with an anonymous search, you might be surprised that you must
  authenticate.</para>
  <screen>$ curl http://opendj.example.com:8080/users/bjensen?_prettyPrint=true
{
  <screen>
$ <userinput>curl http://opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "code" : 401,
  "reason" : "Unauthorized",
  "message" : "Unauthorized"
}</screen>
}</computeroutput>
  </screen>
  <para>HTTP status code 401 tells your HTTP client that the request requires
  user authentication. You can change this behavior by setting the HTTP
  connection handler property, <literal>authentication-required</literal>,
  to <literal>false</literal>.</para>
  <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 --set authentication-required:false
 --no-prompt
 --trustAll</screen>
  <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "HTTP Connection Handler" \
 --set authentication-required:false \
 --no-prompt \
 --trustAll</userinput>
  </screen>
  <para>Out of the box both the HTTP Connection Handler and also the REST LDAP
  gateway are configured to allow HTTP Basic authentication and HTTP header
@@ -172,8 +184,10 @@
  attribute. For example, the DN and user ID for Babs Jensen are as
  follows.</para>
  <programlisting language="ldif">dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen</programlisting>
  <programlisting language="ldif">
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
  </programlisting>
  <para>Given this pattern in the user entries, the default REST to LDAP
  configuration assumes that the user name on the HTTP side is the value of
@@ -185,35 +199,41 @@
  <para>With HTTP Basic authentication, it looks like this.</para>
  <screen>$ curl
 --user bjensen:hifalutin
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --user bjensen:hifalutin \
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "0000000016cbb68c",
  ...
}</screen>
}</computeroutput>
  </screen>
  <para>Or, using the HTTP Basic
  <replaceable>username</replaceable>:<replaceable>password</replaceable>@ form
  in the URL, it looks like this.</para>
  <screen>$ curl
http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen?_prettyPrint=true
{
  <screen width="81">
$ <userinput>curl \
 http://bjensen:hifalutin@opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "0000000016cbb68c",
  ...
}</screen>
}</computeroutput>
  </screen>
  <para>With HTTP header based authentication, it looks like this.</para>
  <screen>$ curl
 --header "X-OpenIDM-Username: bjensen"
 --header "X-OpenIDM-Password: hifalutin"
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --header "X-OpenIDM-Username: bjensen" \
 --header "X-OpenIDM-Password: hifalutin" \
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "0000000016cbb68c",
  ...
}</screen>
}</computeroutput>
  </screen>
  <para>If your directory data are laid out differently, or if your user names
  are email addresses rather than user IDs for example, then you must update
@@ -244,31 +264,32 @@
    <para>The following example creates a new user entry with ID
    <literal>newuser</literal>.</para>
    <screen>$ curl
 --request PUT
 --user kvaughan:bribery
 --header "Content-Type: application/json"
 --header "If-None-Match: *"
 --data '{
  "_id": "newuser",
  "contactInformation": {
    "telephoneNumber": "+1 408 555 1212",
    "emailAddress": "newuser@example.com"
  },
  "name": {
    "familyName": "New",
    "givenName": "User"
  },
  "displayName": "New User",
  "manager": [
    {
      "_id": "kvaughan",
      "displayName": "Kirsten Vaughan"
    }
  ]
 }'
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true
{
    <screen>
$ <userinput>curl \
 --request PUT \
 --user kvaughan:bribery \
 --header "Content-Type: application/json" \
 --header "If-None-Match: *" \
 --data '{ \
  "_id": "newuser", \
  "contactInformation": { \
    "telephoneNumber": "+1 408 555 1212", \
    "emailAddress": "newuser@example.com" \
  }, \
  "name": { \
    "familyName": "New", \
    "givenName": "User" \
  }, \
  "displayName": "New User", \
  "manager": [ \
    { \
      "_id": "kvaughan", \
      "displayName": "Kirsten Vaughan" \
    } \
  ] \
 }' \
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "000000005b337348",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -289,7 +310,8 @@
    "_id" : "kvaughan",
    "displayName" : "Kirsten Vaughan"
  } ]
}</screen>
}</computeroutput>
    </screen>
   </listitem>
   <listitem>
@@ -305,11 +327,12 @@
  <para>To read a resource, perform an HTTP GET.</para>
  <screen>$ curl
 --request GET
 --user kvaughan:bribery
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --request GET \
 --user kvaughan:bribery \
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "000000005b337348",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -330,7 +353,8 @@
    "_id" : "kvaughan",
    "displayName" : "Kirsten Vaughan"
  } ]
}</screen>
}</computeroutput>
  </screen>
 </section>
 <section xml:id="update-rest">
@@ -342,35 +366,36 @@
  <para>The following example adds a manager for Sam Carter.</para>
  <screen>$ curl
 --request PUT
 --user kvaughan:bribery
 --header "Content-Type: application/json"
 --data '{
   "contactInformation": {
     "telephoneNumber": "+1 408 555 4798",
     "emailAddress": "scarter@example.com"
   },
   "name": {
     "familyName": "Carter",
     "givenName": "Sam"
   },
   "userName": "scarter@example.com",
   "displayName": "Sam Carter",
   "groups": [
     {
       "_id": "Accounting Managers"
     }
   ],
   "manager": [
     {
       "_id": "trigden",
       "displayName": "Torrey Rigden"
     }
   ]
 }'
 http://opendj.example.com:8080/users/scarter?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --request PUT \
 --user kvaughan:bribery \
 --header "Content-Type: application/json" \
 --data '{ \
   "contactInformation": { \
     "telephoneNumber": "+1 408 555 4798", \
     "emailAddress": "scarter@example.com" \
   }, \
   "name": { \
     "familyName": "Carter", \
     "givenName": "Sam" \
   }, \
   "userName": "scarter@example.com", \
   "displayName": "Sam Carter", \
   "groups": [ \
     { \
       "_id": "Accounting Managers" \
     } \
   ], \
   "manager": [ \
     { \
       "_id": "trigden", \
       "displayName": "Torrey Rigden" \
     } \
   ] \
 }' \
 http://opendj.example.com:8080/users/scarter?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000a1923db2",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -394,46 +419,49 @@
  "groups" : [ {
    "_id" : "Accounting Managers"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <para>To update a resource only if the resource matches a particular version,
  use an <literal>If-Match: <replaceable>revision</replaceable></literal>
  header.</para>
  <screen> $ curl
 --user kvaughan:bribery
 http://opendj.example.com:8080/users/scarter?_fields=_rev
<emphasis>{"_rev":"00000000b017c5b8"}</emphasis>
$ curl
 --request PUT
 --user kvaughan:bribery
 <emphasis>--header "If-Match: 00000000b017c5b8"</emphasis>
 --header "Content-Type: application/json"
 --data '{
   "contactInformation": {
     "telephoneNumber": "+1 408 555 1212",
     "emailAddress": "scarter@example.com"
   },
   "name": {
     "familyName": "Carter",
     "givenName": "Sam"
   },
   "userName": "scarter@example.com",
   "displayName": "Sam Carter",
   "groups": [
     {
       "_id": "Accounting Managers"
     }
   ],
   "manager": [
     {
       "_id": "trigden",
       "displayName": "Torrey Rigden"
     }
   ]
 }'
 http://opendj.example.com:8080/users/scarter?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --user kvaughan:bribery \
 http://opendj.example.com:8080/users/scarter?_fields=_rev</userinput>
<computeroutput>{"_rev":"00000000b017c5b8"}</computeroutput>
$ <userinput>curl \
 --request PUT \
 --user kvaughan:bribery \
--header "If-Match: 00000000b017c5b8" \
 --header "Content-Type: application/json" \
 --data '{ \
   "contactInformation": { \
     "telephoneNumber": "+1 408 555 1212", \
     "emailAddress": "scarter@example.com" \
   }, \
   "name": { \
     "familyName": "Carter", \
     "givenName": "Sam" \
   }, \
   "userName": "scarter@example.com", \
   "displayName": "Sam Carter", \
   "groups": [ \
     { \
       "_id": "Accounting Managers" \
     } \
   ], \
   "manager": [ \
     { \
       "_id": "trigden", \
       "displayName": "Torrey Rigden" \
     } \
   ] \
 }' \
 http://opendj.example.com:8080/users/scarter?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000a1ee3da3",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -457,7 +485,8 @@
    "_id" : "trigden",
    "displayName" : "Torrey Rigden"
  } ]
}</screen>
}</computeroutput>
  </screen>
 </section>
 <section xml:id="delete-rest">
@@ -466,11 +495,12 @@
  <para>To delete a resource, perform an HTTP DELETE on the resource URL.
  On success, the operation returns the resource you deleted.</para>
  <screen>$ curl
 --request DELETE
 --user kvaughan:bribery
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --request DELETE \
 --user kvaughan:bribery \
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "000000003a5f3cb2",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -491,22 +521,24 @@
    "_id" : "kvaughan",
    "displayName" : "Kirsten Vaughan"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <para>To delete a resource only if the resource matches a particular version,
  use an <literal>If-Match: <replaceable>revision</replaceable></literal>
  header.</para>
  <screen>$ curl
  <screen>$ <userinput>curl
 --user kvaughan:bribery
 http://opendj.example.com:8080/users/newuser?_fields=_rev
{"_rev":"000000006d8d7358"}
$ curl
 --request DELETE
 --user kvaughan:bribery
 --header "If-Match: 000000006d8d7358"
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true
{
 http://opendj.example.com:8080/users/newuser?_fields=_rev</userinput>
<computeroutput>{"_rev":"000000006d8d7358"}</computeroutput>
$ <userinput>curl \
 --request DELETE \
 --user kvaughan:bribery \
 --header "If-Match: 000000006d8d7358" \
 http://opendj.example.com:8080/users/newuser?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000383f3cae",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -527,7 +559,8 @@
    "_id" : "kvaughan",
    "displayName" : "Kirsten Vaughan"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <orderedlist>
   <para>To delete a resource and all its children, you must change the
@@ -539,12 +572,14 @@
   <para>In this case the LDAP view of the user to delete shows two child
   entries.</para>
   <screen>$ ldapsearch --port 1389 --baseDN uid=nbohr,ou=people,dc=example,dc=com "(&amp;)" dn
dn: uid=nbohr,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN uid=nbohr,ou=people,dc=example,dc=com "(&amp;)" dn</userinput>
<computeroutput>dn: uid=nbohr,ou=People,dc=example,dc=com
dn: cn=quantum dot,uid=nbohr,ou=People,dc=example,dc=com
dn: cn=qubit generator,uid=nbohr,ou=People,dc=example,dc=com</screen>
dn: cn=qubit generator,uid=nbohr,ou=People,dc=example,dc=com</computeroutput>
   </screen>
   <listitem>
    <para>In the configuration file for the HTTP Connection Handler, by default
@@ -560,35 +595,39 @@
   <listitem>
    <para>Force the HTTP Connection Handler to reread its configuration.</para>
    <screen>$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 <emphasis>--set enabled:false</emphasis>
 --no-prompt
$ dsconfig
 set-connection-handler-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --handler-name "HTTP Connection Handler"
 <emphasis>--set enabled:true</emphasis>
 --no-prompt</screen>
    <screen>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "HTTP Connection Handler" \
 --set enabled:false \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-connection-handler-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --handler-name "HTTP Connection Handler" \
 --set enabled:true \
 --no-prompt</userinput>
    </screen>
   </listitem>
   <listitem>
    <para>Delete as a user who has rights to perform a subtree delete on
    the resource.</para>
    <screen>$ curl
 --request DELETE
 --user kvaughan:bribery
 http://opendj.example.com:8080/users/nbohr?_prettyPrint=true
{
    <screen>
$ <userinput>curl \
 --request DELETE \
 --user kvaughan:bribery \
 http://opendj.example.com:8080/users/nbohr?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "000000003d912113",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -602,7 +641,8 @@
  },
  "userName" : "nbohr@example.com",
  "displayName" : "Niels Bohr"
}</screen>
}</computeroutput>
    </screen>
   </listitem>
  </orderedlist>
 </section>
@@ -623,19 +663,20 @@
  itself an array, since you could patch more than one part of the resource by
  using a set of patch operations in the same request.</para>
  <screen>$ curl
 --user kvaughan:bribery
 --request PATCH
 --header "Content-Type: application/json"
 --data '[
  {
    "operation": "replace",
    "field": "/contactInformation/emailAddress",
    "value": "babs@example.com"
  }
 ]'
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true
{
  <screen>
$ <userinput>curl \
 --user kvaughan:bribery \
 --request PATCH \
 --header "Content-Type: application/json" \
 --data '[ \
  { \
    "operation": "replace", \
    "field": "/contactInformation/emailAddress", \
    "value": "babs@example.com" \
  } \
 ]' \
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000f3fdd370",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -656,7 +697,8 @@
    "_id" : "trigden",
    "displayName" : "Torrey Rigden"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <variablelist>
   <para>OpenDJ supports four types of patch operation.</para>
@@ -736,24 +778,24 @@
  example, you can include Barbara Jensen in a group by adding her to the set
  of members.</para>
  <screen>$ curl
 --user kvaughan:bribery
 --request PATCH
 --header "Content-Type: application/json"
 --data '[
  {
    "operation": "add",
    "field": "/members",
    "value": [
      {
        "_id": "bjensen"
      }
    ]
  }
 ]'
 http://opendj.example.com:8080/groups/Directory%20Administrators
 ?_prettyPrint=true
{
  <screen width="83">
$ <userinput>curl \
 --user kvaughan:bribery \
 --request PATCH \
 --header "Content-Type: application/json" \
 --data '[ \
  { \
    "operation": "add", \
    "field": "/members", \
    "value": [ \
      { \
        "_id": "bjensen" \
      } \
    ] \
  } \
 ]' \
 http://opendj.example.com:8080/groups/Directory%20Administrators?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000b70c881a",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "_id" : "Directory Administrators",
@@ -774,28 +816,29 @@
    "_id" : "hmiller",
    "displayName" : "Harry Miller"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <para>Removing her from the group is similar.</para>
  <screen>$ curl
 --user kvaughan:bribery
 --request PATCH
 --header "Content-Type: application/json"
 --data '[
  {
    "operation": "remove",
    "field": "/members",
    "value": [
      {
        "_id": "bjensen"
      }
    ]
  }
 ]'
 http://opendj.example.com:8080/groups/Directory%20Administrators
 ?_prettyPrint=true
{
  <screen width="83">
$ <userinput>curl \
 --user kvaughan:bribery \
 --request PATCH \
 --header "Content-Type: application/json" \
 --data '[ \
  { \
    "operation": "remove", \
    "field": "/members", \
    "value": [ \
      { \
        "_id": "bjensen" \
      } \
    ] \
  } \
 ]' \
 http://opendj.example.com:8080/groups/Directory%20Administrators?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000e241797e",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "_id" : "Directory Administrators",
@@ -813,32 +856,35 @@
    "_id" : "hmiller",
    "displayName" : "Harry Miller"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <para>You can use resource revision numbers in <literal>If-Match:
  <replaceable>revision</replaceable></literal> headers to patch the resource
  only if the resource matches a particular version.</para>
  <screen>$ curl
 --user kvaughan:bribery
 "http://opendj.example.com:8080/users/bjensen?_prettyPrint=true&amp;_fields=_rev"
{
  <screen>
$ <userinput>curl \
 --user kvaughan:bribery \
 "http://opendj.example.com:8080/users/bjensen?_prettyPrint=true&amp;_fields=_rev"</userinput>
<computeroutput>{
  "_rev" : "00000000c1b6d4c7"
}
$ curl
 --user kvaughan:bribery
 --request PATCH
 --header "If-Match: 00000000c1b6d4c7"
 --header "Content-Type: application/json"
 --data '[
  {
    "operation": "add",
    "field": "/contactInformation/emailAddress",
    "value": "babs@example.com"
  }
 ]'
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true
{
}</computeroutput>
$ <userinput>curl \
 --user kvaughan:bribery \
 --request PATCH \
 --header "If-Match: 00000000c1b6d4c7" \
 --header "Content-Type: application/json" \
 --data '[ \
  { \
    "operation": "add", \
    "field": "/contactInformation/emailAddress", \
    "value": "babs@example.com" \
  } \
 ]' \
 http://opendj.example.com:8080/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "00000000f946d377",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -859,7 +905,8 @@
    "_id" : "trigden",
    "displayName" : "Torrey Rigden"
  } ]
}</screen>
}</computeroutput>
  </screen>
  <para>The resource revision changes after you successfully perform the patch
  operation.</para>
@@ -876,30 +923,31 @@
  <para>The following example creates a new user entry.</para>
  <screen width="82">$ curl
 --request POST
 --user kvaughan:bribery
 --header "Content-Type: application/json"
 --data '{
  "_id": "newuser",
  "contactInformation": {
    "telephoneNumber": "+1 408 555 1212",
    "emailAddress": "newuser@example.com"
  },
  "name": {
    "familyName": "New",
    "givenName": "User"
  },
  "displayName": "New User",
  "manager": [
    {
      "_id": "kvaughan",
      "displayName": "Kirsten Vaughan"
    }
  ]
 }'
 "http://opendj.example.com:8080/users?_action=create&amp;_prettyPrint=true"
{
  <screen width="82">
$ <userinput>curl \
 --request POST \
 --user kvaughan:bribery \
 --header "Content-Type: application/json" \
 --data '{ \
  "_id": "newuser", \
  "contactInformation": { \
    "telephoneNumber": "+1 408 555 1212", \
    "emailAddress": "newuser@example.com" \
  }, \
  "name": { \
    "familyName": "New", \
    "givenName": "User" \
  }, \
  "displayName": "New User", \
  "manager": [ \
    { \
      "_id": "kvaughan", \
      "displayName": "Kirsten Vaughan" \
    } \
  ] \
 }' \
 "http://opendj.example.com:8080/users?_action=create&amp;_prettyPrint=true"</userinput>
<computeroutput>{
  "_rev" : "0000000034a23ca7",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -920,7 +968,8 @@
    "_id" : "kvaughan",
    "displayName" : "Kirsten Vaughan"
  } ]
}</screen>
}</computeroutput>
  </screen>
 </section>
 <section xml:id="query-rest">
@@ -956,9 +1005,11 @@
        <para>Matches when the pointer equals the value, as in the following
        example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+eq+"bjensen@example.com"&amp;_prettyPrint=true'
{
        <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+eq+"bjensen@example.com"'</userinput>
<computeroutput>{
  "result" : [ {
    "_rev" : "00000000315fb731",
    "schemas" : [ "urn:scim:schemas:core:1.0" ],
@@ -981,7 +1032,8 @@
  "resultCount" : 1,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
@@ -991,9 +1043,11 @@
        <para>Matches when the pointer contains the value, as in the following
        example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+co+"jensen"&amp;_fields=userName&amp;_prettyPrint=true'
{
        <screen width="91"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+co+"jensen"&amp;_fields=userName'</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "ajensen@example.com"
  }, {
@@ -1012,7 +1066,8 @@
  "resultCount" : 7,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
@@ -1022,9 +1077,11 @@
        <para>Matches when the pointer starts with the value, as in the
        following example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+sw+"ab"&amp;_fields=userName&amp;_prettyPrint=true'
{
        <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+sw+"ab"&amp;_fields=userName'</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "abarnes@example.com"
  }, {
@@ -1033,7 +1090,8 @@
  "resultCount" : 2,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
@@ -1043,9 +1101,11 @@
        <para>Matches when the pointer is less than the value, as in the
        following example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+lt+"ac"&amp;_fields=userName&amp;_prettyPrint=true'
{
        <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+lt+"ac"&amp;_fields=userName'</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "abarnes@example.com"
  }, {
@@ -1054,7 +1114,8 @@
  "resultCount" : 2,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
@@ -1064,9 +1125,11 @@
        <para>Matches when the pointer is less than or equal to the value, as
        in the following example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+le+"ad"&amp;_fields=userName&amp;_prettyPrint=true'
{
        <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+le+"ad"&amp;_fields=userName'</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "abarnes@example.com"
  }, {
@@ -1077,7 +1140,8 @@
  "resultCount" : 3,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
@@ -1087,9 +1151,11 @@
        <para>Matches when the pointer is greater than the value, as in the
        following example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+gt+"tt"&amp;_fields=userName&amp;_prettyPrint=true'
{
        <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+gt+"tt"&amp;_fields=userName'</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "ttully@example.com"
  }, {
@@ -1100,7 +1166,8 @@
  "resultCount" : 3,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
@@ -1110,9 +1177,11 @@
        <para>Matches when the pointer is greater than or equal to the value,
        as in the following example.</para>
        <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName+ge+"tw"&amp;_fields=userName&amp;_prettyPrint=true'
{
        <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName+ge+"tw"&amp;_fields=userName'</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "tward@example.com"
  }, {
@@ -1121,7 +1190,8 @@
  "resultCount" : 2,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
        </screen>
       </listitem>
      </varlistentry>
     </variablelist>
@@ -1135,9 +1205,11 @@
     any resource on which the <replaceable>json-pointer</replaceable> is
     present, as in the following example.</para>
     <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=userName%20pr&amp;_prettyPrint=true'
{
     <screen><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=userName%20pr'</userinput>
<computeroutput>{
  "result" : [ {
    "_rev" : "000000002210a544",
    "schemas" : [ "urn:scim:schemas:core:1.0" ],
@@ -1171,7 +1243,8 @@
  "resultCount" : 152,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
     </screen>
    </listitem>
   </varlistentry>
@@ -1184,9 +1257,11 @@
     <para>In other words you can list all resources in a collection as in the
     following example.</para>
     <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /groups?_queryFilter=true&amp;_fields=displayName&amp;_prettyPrint=true'
{
     <screen><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/groups?_queryFilter=true&amp;_fields=displayName'</userinput>
<computeroutput>{
  "result" : [ {
    "displayName" : "Accounting Managers"
  }, {
@@ -1201,7 +1276,8 @@
  "resultCount" : 5,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
     </screen>
    </listitem>
   </varlistentry>
@@ -1219,10 +1295,12 @@
     nested inside the <literal>name</literal> and <literal>manager</literal>
     objects.</para>
     <screen>$ curl --user kvaughan:bribery 'http://opendj.example.com:8080
 /users?_queryFilter=(userName+co+"jensen"+and+manager/displayName+sw+"Sam")
 &amp;_fields=displayName&amp;_prettyPrint=true'
{
     <screen><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user kvaughan:bribery \
 'http://opendj.example.com:8080/users?_queryFilter=\
(userName+co+"jensen"+and+manager/displayName+sw+"Sam")&amp;_fields=displayName'</userinput>
<computeroutput>{
  "result" : [ {
    "displayName" : "Jody Jensen"
  }, {
@@ -1231,7 +1309,8 @@
  "resultCount" : 2,
  "pagedResultsCookie" : null,
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
     </screen>
    </listitem>
   </varlistentry>
  </variablelist>
@@ -1341,9 +1420,11 @@
      after the last page of results specified by the cookie.
     </para>
     <screen>$ curl "http://bjensen:hifalutin@opendj.example.com:8080/users
 ?_queryFilter=true&amp;_fields=userName&amp;_prettyPrint=true&amp;_pageSize=5"
{
     <screen width="87"><!-- Dropped _prettyPrint=true param for spacing. -->
$ <userinput>curl \
 --user bjensen:hifalutin \
 "http://opendj.example.com:8080/users?_queryFilter=true&amp;_fields=userName&amp;_pageSize=5"</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "abarnes@example.com"
  }, {
@@ -1358,12 +1439,13 @@
  "resultCount" : 5,
  "pagedResultsCookie" : "AAAAAAAAAA8=",
  "remainingPagedResults" : -1
}
}</computeroutput>
$ curl "http://bjensen:hifalutin@opendj.example.com:8080/users
 ?_queryFilter=true&amp;_fields=userName&amp;_prettyPrint=true&amp;_pageSize=5
 &amp;_pagedResultsCookie=AAAAAAAAAA8="
{
$ <userinput>curl \
 --user bjensen:hifalutin \
 "http://opendj.example.com:8080/users?_queryFilter=true&amp;_fields=userName&amp;_pageSize=5\
&amp;_pagedResultsCookie=AAAAAAAAAA8="</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "ahunter@example.com"
  }, {
@@ -1378,12 +1460,13 @@
  "resultCount" : 5,
  "pagedResultsCookie" : "AAAAAAAAABQ=",
  "remainingPagedResults" : -1
}
}</computeroutput>
$ curl "http://bjensen:hifalutin@opendj.example.com:8080/users
 ?_queryFilter=true&amp;_fields=userName&amp;_prettyPrint=true&amp;_pageSize=5
 &amp;_pagedResultsCookie=AAAAAAAAAA8=&amp;_pagedResultsOffset=10"
{
$ <userinput>curl \
 --user bjensen:hifalutin \
 "http://opendj.example.com:8080/users?_queryFilter=true&amp;_fields=userName&amp;_pageSize=5\
&amp;_pagedResultsCookie=AAAAAAAAAA8=&amp;_pagedResultsOffset=10"</userinput>
<computeroutput>{
  "result" : [ {
    "userName" : "gtriplet@example.com"
  }, {
@@ -1398,7 +1481,8 @@
  "resultCount" : 5,
  "pagedResultsCookie" : "AAAAAAAAAEY=",
  "remainingPagedResults" : -1
}</screen>
}</computeroutput>
     </screen>
     <para>
      Notice that <literal>"remainingPagedResults" : -1</literal> in each case
opends/src/main/docbkx/admin-guide/chap-samba.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-samba'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Samba Password Synchronization</title>
 <indexterm><primary>Samba</primary></indexterm>
 
@@ -80,8 +80,10 @@
  
  <step>
   <para>Create or choose an account for the Samba Administrator.</para>
   <screen>$ cat samba.ldif
dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
   <screen>
$ <userinput>cat samba.ldif</userinput>
<computeroutput>dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
cn: Samba Administrator
givenName: Samba
mail: samba@example.com
@@ -91,22 +93,26 @@
objectClass: top
sn: Administrator
uid: samba-admin
userPassword: password
userPassword: password</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename samba.ldif
Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename samba.ldif</userinput>
<computeroutput>Processing ADD request for uid=samba-admin,ou=Special Users,dc=example,dc=com
ADD operation successful for DN uid=samba-admin,ou=Special Users,
 dc=example,dc=com</screen>
 dc=example,dc=com</computeroutput>
   </screen>
  </step>
  <step>
   <para>Ensure the Samba Administrator can reset user passwords.</para>
   <screen>$ cat samba-rights.ldif
dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
   <screen>
$ <userinput>cat samba-rights.ldif</userinput>
<computeroutput>dn: uid=samba-admin,ou=Special Users,dc=example,dc=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: password-reset
@@ -116,18 +122,19 @@
add: aci
aci: (target="ldap:///dc=example,dc=com") (targetattr ="*")(version 3.0; acl "
 Samba Admin user rights"; allow(all) groupdn ="ldap:///uid=samba-user,ou=
 Special Users,dc=example,dc=com";)
 Special Users,dc=example,dc=com";)</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename samba-rights.ldif
Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename samba-rights.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=samba-admin,ou=Special Users,dc=example,dc=com
MODIFY operation successful for DN
 uid=samba-admin,ou=Special Users,dc=example,dc=com
Processing MODIFY request for dc=example,dc=com
MODIFY operation successful for DN dc=example,dc=com</screen>
MODIFY operation successful for DN dc=example,dc=com</computeroutput>
   </screen>
  </step>
 </procedure>
 
@@ -140,48 +147,58 @@
   (<literal>sync-nt-password</literal>), based on how you set up Samba
   in your environment.</para>
  </step>
  <step>
   <para>Enable the plugin.</para>
   <screen>$ dsconfig
 create-plugin
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --plugin-name "Samba Password Synchronisation"
 --type samba-password
 --set enabled:true
 --set pwd-sync-policy:sync-nt-password
 --set
 samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com"
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-plugin \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --plugin-name "Samba Password Synchronisation" \
 --type samba-password \
 --set enabled:true \
 --set pwd-sync-policy:sync-nt-password \
 --set \
 samba-administrator-dn:"uid=samba-admin,ou=Special Users,dc=example,dc=com" \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>At this point the Samba Password plugin is active.</para>
  </step>
  <step performance="optional">
   <para>When troubleshooting Samba Password plugin issues, you can turn on
   debug logging as follows.</para>
   <screen>$ dsconfig
 create-debug-target
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --target-name org.opends.server.plugins.SambaPasswordPlugin
 --set debug-level:all
 --trustAll
 --no-prompt
$ dsconfig
 set-log-publisher-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --set enabled:true
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-debug-target \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --target-name org.opends.server.plugins.SambaPasswordPlugin \
 --set debug-level:all \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>dsconfig \
 set-log-publisher-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
   </screen>
  </step>
 </procedure>
</chapter>
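Review bot: The `aci` value in `samba-rights.ldif` (the "Ensure the Samba Administrator can reset user passwords" step, unchanged context in this change) grants `allow(all)` on `targetattr ="*"` for all of `dc=example,dc=com`. It binds that grant with `groupdn` to `uid=samba-user,ou=Special Users,...`, although the account created in the previous step is `uid=samba-admin` and is a user entry, not a group. As written the rule looks like it either matches nothing or, once a reader corrects the DN, gives the Samba account full rights over the suffix when the step only calls for password reset. I would scope it to the account and attribute involved, for example `(targetattr ="userPassword")` with `allow(write) userdn ="ldap:///uid=samba-admin,ou=Special Users,dc=example,dc=com"`, after confirming which attributes the plugin really needs. Part of this LDIF falls between two hunks and is not visible here.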
opends/src/main/docbkx/admin-guide/chap-schema.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-schema'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Managing Schema</title>
 <indexterm><primary>Schema</primary></indexterm>
 
@@ -64,10 +64,14 @@
    of directory entries, such as <literal>givenName</literal> or
    <literal>mail</literal>.</para>
    <para>Here is an example of an attribute type definition.</para>
    <programlisting language="ldif"># Attribute type definition
    <programlisting language="ldif">
# Attribute type definition
attributeTypes: ( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' )
  EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )</programlisting>
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} X-ORIGIN 'RFC 4524' )
    </programlisting>
    <para>Attribute type definitions start with an object identifier (OID),
    and generally a short name or names that are easier to remember than the
    OID. The attribute type definition can specify how attribute values
@@ -83,10 +87,14 @@
    object classes include <literal>person</literal> and
    <literal>organizationalUnit</literal>.</para>
    <para>Here is an example of an object class definition.</para>
    <programlisting language="ldif"># Object class definition
    <programlisting language="ldif">
# Object class definition
objectClasses: ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn )
  MAY ( userPassword $ telephoneNumber $ seeAlso $ description )
  X-ORIGIN 'RFC 4519' )</programlisting>
  X-ORIGIN 'RFC 4519' )
    </programlisting>
    <para>Entries all have an attribute identifying their object classes,
    called <literal>objectClass</literal>.</para>
    <para>Object class definitions start with an object identifier (OID), and
@@ -155,10 +163,11 @@
    <para>OpenDJ has the following schema definition for the user ID
    attribute.</para>
    <programlisting language="ldif"
    >attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
    <programlisting language="ldif">
attributeTypes: ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
 EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} X-ORIGIN 'RFC 4519' )</programlisting>
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} X-ORIGIN 'RFC 4519' )
    </programlisting>
    <para>When finding an equality match for your search, OpenDJ uses the
    <literal>caseIgnoreMatch</literal> matching rule to check for user ID
@@ -171,7 +180,7 @@
    in languages other than English. You can also list matching rules by
    using the <command>dsconfig</command> command.</para>
    <para>As you can read in examples like, <link
    <para>As you can read in examples like, <link xlink:show="new"
    xlink:href="admin-guide#extensible-match-search"
    xlink:role="http://docbook.org/xlink/role/olink"><citetitle>Search: List
    Active Accounts</citetitle></link>, OpenDJ matching rules enable
@@ -254,8 +263,9 @@
  apply the definitions in production by adapting the content for use with the
  <command>ldapmodify</command> command, for example.</para>
  
  <screen>$ cat config/schema/99-user.ldif
dn: cn=schema
  <screen>
$ <userinput>cat config/schema/99-user.ldif</userinput>
<computeroutput>dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
@@ -266,36 +276,38 @@
objectClasses: ( temporary-fake-oc-id NAME 'myCustomObjClass
 ' SUP top AUXILIARY MAY myCustomAttribute )
modifiersName: cn=Directory Manager,cn=Root DNs,cn=config
modifyTimestamp: 20110620095948Z
modifyTimestamp: 20110620095948Z</computeroutput>
</screen>
  <para>To test your schema definition, add the object class and attribute
  to an entry.</para>
  
  <screen>$ cat custom-attr.ldif
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>cat custom-attr.ldif</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
add: objectClass
objectClass: myCustomObjClass
-
add: myCustomAttribute
myCustomAttribute: Testing 1, 2, 3...
myCustomAttribute: Testing 1, 2, 3...</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename custom-attr.ldif
Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=bjensen
 myCustomAttribute
dn: uid=bjensen,ou=People,dc=example,dc=com
myCustomAttribute: Testing 1, 2, 3...
</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename custom-attr.ldif</userinput>
<computeroutput>Processing MODIFY request for uid=bjensen,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=bjensen,ou=People,dc=example,dc=com</computeroutput>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 myCustomAttribute</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
myCustomAttribute: Testing 1, 2, 3...</computeroutput>
  </screen>
  <para>In addition to supporting the standard schema definitions that are
  described in <link xlink:href="http://tools.ietf.org/html/rfc4512#section-4.1"
@@ -345,9 +357,11 @@
     <para>Used to define a syntax that is an enumeration of values. The
     following attribute syntax description defines a syntax allowing four
     possible attribute values for example.</para>
     <programlisting language="ldif"
     >ldapSyntaxes: ( security-label-syntax-oid DESC 'Security Label'
 X-ENUM ( 'top-secret' 'secret' 'confidential' 'unclassified' ) )</programlisting>
     <programlisting language="ldif">
ldapSyntaxes: ( security-label-syntax-oid DESC 'Security Label'
 X-ENUM ( 'top-secret' 'secret' 'confidential' 'unclassified' ) )
     </programlisting>
    </listitem>
   </varlistentry>
@@ -360,9 +374,11 @@
     ><literal>java.util.regex.Pattern</literal></link>. The following attribute
     syntax description defines a simple, lenient SIP phone URI syntax
     check.</para>
     <programlisting language="ldif"
     >ldapSyntaxes: ( simple-sip-uri-syntax-oid DESC 'Lenient SIP URI Syntax'
 X-PATTERN '^sip:[a-zA-Z0-9.]+@[a-zA-Z0-9.]+(:[0-9]+)?$' )</programlisting>
     <programlisting language="ldif">
ldapSyntaxes: ( simple-sip-uri-syntax-oid DESC 'Lenient SIP URI Syntax'
 X-PATTERN '^sip:[a-zA-Z0-9.]+@[a-zA-Z0-9.]+(:[0-9]+)?$' )
     </programlisting>
    </listitem>
   </varlistentry>
@@ -373,9 +389,11 @@
     OpenDJ does not implement. The following example substitutes Directory
     String syntax, which has OID 1.3.6.1.4.1.1466.115.121.1.15, for a syntax
     that OpenDJ does not implement.</para>
     <programlisting language="ldif"
     >ldapSyntaxes: ( non-implemented-syntax-oid DESC 'Not Implemented in OpenDJ'
 X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )</programlisting>
     <programlisting language="ldif">
ldapSyntaxes: ( non-implemented-syntax-oid DESC 'Not Implemented in OpenDJ'
 X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
     </programlisting>
    </listitem>
   </varlistentry>
  </variablelist>
@@ -417,28 +435,32 @@
  classes defined per entry, you can relax schema checking to warn rather
  than reject entries having this issue.</para>
  
  <screen>$ dsconfig
 set-global-configuration-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set single-structural-objectclass-behavior:warn
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set single-structural-objectclass-behavior:warn \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>You can allow attribute values that do not respect the defined syntax
  with the <command>dsconfig</command> command as well.</para>
  
  <screen>$ dsconfig
 set-global-configuration-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set invalid-attribute-syntax-behavior:warn
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set invalid-attribute-syntax-behavior:warn \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  <para>You can even turn off schema checking altogether, although turning
  off schema checking only really makes sense when you are absolutely sure
@@ -446,15 +468,17 @@
  you simply want to turn off schema checking temporarily to speed up import
  processing.</para>
  
  <screen>$ dsconfig
 set-global-configuration-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set check-schema:false
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set check-schema:false \
 --trustAll \
 --no-prompt</userinput>
  </screen>
 </section>
 <section xml:id="standard-schema">
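Review bot: The three `dsconfig set-global-configuration-prop` examples in the last two hunks are now meant to be pasted as-is, yet each still passes `--bindPassword password` on the command line together with `--trustAll`. A reader who copies them sends the Directory Manager password to a server whose certificate is never checked, and leaves it in shell history and the process list. A short `<para>` before the first example would cover it, along the lines of `In production, use --bindPasswordFile and --trustStorePath instead of --bindPassword and --trustAll.` The `ldapmodify` example earlier in this file also uses `--bindPassword`. The hunk at old line 446 begins mid-paragraph, so an existing caveat outside the view cannot be ruled out.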
opends/src/main/docbkx/admin-guide/chap-server-process.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-server-process'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Managing Server Processes</title>
 <para>Using the OpenDJ Control Panel, you can start and stop local servers.
 You can also start and stop OpenDJ using command-line tools, and use the
@@ -49,9 +49,15 @@
   <para>Use one of the following techniques.</para>
   <listitem>
    <para>Use the <command>start-ds</command> command.</para>
    <screen>$ start-ds</screen>
    <para>Alternatively, you can specify the --no-detach option to start
    the server in the foreground.</para>
    <screen>
$ <userinput>start-ds</userinput>
    </screen>
    <para>
     Alternatively, you can specify the <option>--no-detach</option>
     option to start the server in the foreground.
    </para>
   </listitem>
   <listitem>
@@ -60,11 +66,15 @@
    <para>Use the <command>service opendj start</command> command.</para>
    <screen>centos# service opendj start
Starting opendj (via systemctl):                           [  OK  ]</screen>
    <screen>
centos# <userinput>service opendj start</userinput>
<computeroutput>Starting opendj (via systemctl):                           [  OK  ]</computeroutput>
    </screen>
    <screen>ubuntu$ sudo service opendj start
$Starting opendj: > SUCCESS.</screen>
    <screen>
ubuntu$ <userinput>sudo service opendj start</userinput>
<computeroutput>$Starting opendj: > SUCCESS.</computeroutput>
    </screen>
   </listitem>
   <listitem>
@@ -73,15 +83,22 @@
    <para>Unless you run OpenDJ as root, use the --userName
    <replaceable>userName</replaceable> option to specify the user
    who installed OpenDJ.</para>
    <screen>$ sudo create-rc-script
 --outputFile /etc/init.d/opendj
 --userName mark
$ sudo /etc/init.d/opendj start</screen>
    <screen>
$ <userinput>sudo create-rc-script \
 --outputFile /etc/init.d/opendj \
 --userName mark</userinput>
$ <userinput>sudo /etc/init.d/opendj start</userinput>
    </screen>
    <para>For example, on Linux if you run OpenDJ as root, you can use the
    RC script to start the server at system boot, and stop the server at
    system shutdown.</para>
    <screen>$ sudo update-rc.d opendj defaults
update-rc.d: warning: /etc/init.d/opendj missing LSB information
    <screen>
$ <userinput>sudo update-rc.d opendj defaults</userinput>
<computeroutput>update-rc.d: warning: /etc/init.d/opendj missing LSB information
update-rc.d: see &lt;http://wiki.debian.org/LSBInitScripts&gt;
 Adding system startup for /etc/init.d/opendj ...
   /etc/rc0.d/K20opendj -> ../init.d/opendj
@@ -90,12 +107,16 @@
   /etc/rc2.d/S20opendj -> ../init.d/opendj
   /etc/rc3.d/S20opendj -> ../init.d/opendj
   /etc/rc4.d/S20opendj -> ../init.d/opendj
   /etc/rc5.d/S20opendj -> ../init.d/opendj</screen>
   /etc/rc5.d/S20opendj -> ../init.d/opendj</computeroutput>
    </screen>
   </listitem>
   <listitem>
    <para>(Windows) Register OpenDJ as a Windows Service, and then manage
    the service through Windows administration tools.</para>
    <screen>C:\path\to\opendj\bat&gt; windows-service.bat --enableService</screen>
    <screen>
C:\path\to\opendj\bat> <userinput>windows-service.bat --enableService</userinput>
    </screen>
   </listitem>
  </itemizedlist>
@@ -126,25 +147,36 @@
    <para>Use the <command>service opendj stop</command> command.</para>
    <screen>centos# service opendj stop
Stopping opendj (via systemctl):                           [  OK  ]</screen>
    <screen>
centos# <userinput>service opendj stop</userinput>
<computeroutput>Stopping opendj (via systemctl):                           [  OK  ]</computeroutput>
    </screen>
    <screen>ubuntu$ sudo service opendj stop
$Stopping opendj: ... > SUCCESS.</screen>
    <screen>
ubuntu$ <userinput>sudo service opendj stop</userinput>
<computeroutput>$Stopping opendj: ... > SUCCESS.</computeroutput>
    </screen>
   </listitem>
   <listitem>
    <para>(UNIX) Create an RC script, and then use the script to stop
    the server.</para>
    <screen>$ sudo create-rc-script
 --outputFile /etc/init.d/opendj
 --userName mark
$ sudo /etc/init.d/opendj stop</screen>
    <screen>
$ <userinput>sudo create-rc-script \
 --outputFile /etc/init.d/opendj \
 --userName mark</userinput>
$ <userinput>sudo /etc/init.d/opendj stop</userinput>
    </screen>
   </listitem>
   <listitem>
    <para>(Windows) Register OpenDJ as a Windows Service, and then manage
    the service through Windows administration tools.</para>
    <screen>C:\path\to\opendj\bat&gt; windows-service.bat --enableService</screen>
    <screen>
C:\path\to\opendj\bat> <userinput>windows-service.bat --enableService</userinput>
    </screen>
   </listitem>
  </itemizedlist>
 </section>
@@ -157,7 +189,10 @@
   <para>Use one of the following techniques.</para>
   <listitem>
    <para>Use the <command>stop-ds</command> command.</para>
    <screen>$ stop-ds --restart</screen>
    <screen>
$ <userinput>stop-ds --restart</userinput>
    </screen>
   </listitem>
   <listitem>
@@ -166,27 +201,38 @@
    <para>Use the <command>service opendj restart</command> command.</para>
    <screen>centos# service opendj restart
Restarting opendj (via systemctl):                         [  OK  ]</screen>
    <screen>
centos# <userinput>service opendj restart</userinput>
<computeroutput>Restarting opendj (via systemctl):                         [  OK  ]</computeroutput>
    </screen>
    <screen>ubuntu$ sudo service opendj restart
$Stopping opendj: ... > SUCCESS.
    <screen>
ubuntu$ <userinput>sudo service opendj restart</userinput>
<computeroutput>$Stopping opendj: ... > SUCCESS.
$Starting opendj: > SUCCESS.</screen>
$Starting opendj: > SUCCESS.</computeroutput>
    </screen>
   </listitem>
   <listitem>
    <para>(UNIX) Create an RC script, and then use the script to stop
    the server.</para>
    <screen>$ sudo create-rc-script
 --outputFile /etc/init.d/opendj
 --userName mark
$ /etc/init.d/opendj restart</screen>
    <screen>
$ <userinput>sudo create-rc-script \
 --outputFile /etc/init.d/opendj \
 --userName mark</userinput>
$ <userinput>/etc/init.d/opendj restart</userinput>
    </screen>
   </listitem>
   <listitem>
    <para>(Windows) Register OpenDJ as a Windows Service, and then manage
    the service through Windows administration tools.</para>
    <screen>C:\path\to\opendj\bat&gt; windows-service.bat --enableService</screen>
    <screen>
C:\path\to\opendj\bat> <userinput>windows-service.bat --enableService</userinput>
    </screen>
   </listitem>
  </itemizedlist>
 </section>
@@ -208,11 +254,13 @@
  shows two example messages from that log, the first written at the beginning
  of the recovery process, the second written at the end of the process.</para>
  
  <screen>111104 10:23:48:967 CONFIG [/path/to/opendj/db/userRoot]Recovery
  <programlisting language="none">
111104 10:23:48:967 CONFIG [/path/to/opendj/db/userRoot]Recovery
 underway, found end of log
...
111104 10:23:49:015 CONFIG [/path/to/opendj/db/userRoot]Recovery finished:
 Recovery Info ...</screen>
 Recovery Info ...
  </programlisting>
  
  <para>What can take some time during server startup is preloading database
  content into memory when the server starts. Objects cached in memory do not
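Review bot: In the restart hunk (`@@ -166,27 +201,38 @@`), the new line `$ <userinput>/etc/init.d/opendj restart</userinput>` invokes the RC script without `sudo`, while the start and stop examples in this same file use `sudo /etc/init.d/opendj start` and `sudo /etc/init.d/opendj stop`. The script is written to `/etc/init.d` by `sudo create-rc-script ... --userName mark`, so it presumably needs the same privileges to restart the server; now that the commands are marked up for copy and paste, the inconsistency will be copied as is. Suggest `$ <userinput>sudo /etc/init.d/opendj restart</userinput>`. The unchanged paragraph above it still reads "use the script to stop the server" in the restart list and could say "restart" instead.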
opends/src/main/docbkx/admin-guide/chap-troubleshooting.xml
@@ -20,16 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-troubleshooting'
         xmlns='http://docbook.org/ns/docbook'
         version='5.0' xml:lang='en'
         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
         xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'
        >
         xsi:schemaLocation='http://docbook.org/ns/docbook
                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Troubleshooting Server Problems</title>
 <indexterm><primary>Troubleshooting</primary></indexterm>
 
@@ -103,14 +103,20 @@
   <step>
    <para>Generate the encoded version of the new password using the OpenDJ
    <command>encode-password</command> command.</para>
    <screen>$ encode-password --storageScheme SSHA512 --clearPassword password
Encoded Password:  "{SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
 NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt"</screen>
    <screen>
$ <userinput>encode-password --storageScheme SSHA512 --clearPassword password</userinput>
<computeroutput>Encoded Password:  "{SSHA512}yWqHnYV4a5llPvE7WHLe5jzK27oZQWLIlVcs9gySu4TyZJMg
 NQNRtnR/Xx2xces1wu1dVLI9jVVtl1W4BVsmOKjyjr0rWrHt"</computeroutput>
    </screen>
   </step>
   <step>
    <para>Stop OpenDJ directory server while you edit the configuration.</para>
    <screen>$ stop-ds</screen>
    <screen>
$ <userinput>stop-ds</userinput>
    </screen>
   </step>
   <step>
@@ -120,8 +126,9 @@
    replace the <literal>userpassword</literal> attribute value with the
    encoded version of the new password, taking care not to leave any
    whitespace at the end of the line.</para>
    <programlisting language="ldif"
    >dn: cn=Directory Manager,cn=Root DNs,cn=config
    <programlisting language="ldif">
dn: cn=Directory Manager,cn=Root DNs,cn=config
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
@@ -138,27 +145,34 @@
ds-rlim-time-limit: 0
ds-rlim-lookthrough-limit: 0
ds-rlim-idle-time-limit: 0
ds-rlim-size-limit: 0</programlisting>
ds-rlim-size-limit: 0
    </programlisting>
   </step>
   <step>
    <para>Start OpenDJ directory server again.</para>
    <screen>$ start-ds</screen>
    <screen>
$ <userinput>start-ds</userinput>
    </screen>
   </step>
   <step>
    <para>Verify that you can administer the server as Directory Manager using
    the new password.</para>
    <screen>$ dsconfig -p 4444 -h opendj.example.com -D "cn=Directory Manager" -w password
    <screen>
$ <userinput>dsconfig -p 4444 -h opendj.example.com -D "cn=Directory Manager" -w password</userinput>
&gt;&gt;&gt;&gt; OpenDJ configuration console main menu
<computeroutput>
>>>> OpenDJ configuration console main menu
What do you want to configure?
...
Enter choice: q</screen>
Enter choice:</computeroutput> <userinput>q</userinput>
    </screen>
   </step>
  </procedure>
@@ -179,15 +193,18 @@
   <step>
    <para>Use the <command>ldappasswordmodify</command> command to reset the
    global administrator's password</para>
    <screen>$ ldappasswordmodify
 --useStartTLS
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --authzID "cn=admin,cn=Administrators,cn=admin data"
 --newPassword password
The LDAP password modify operation was successful</screen>
    <screen>
$ <userinput>ldappasswordmodify \
 --useStartTLS \
 --port 1389 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --authzID "cn=admin,cn=Administrators,cn=admin data" \
 --newPassword password</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
    </screen>
   </step>
   <step>
@@ -215,17 +232,19 @@
    <para>Enable the debug log, <filename>opendj/logs/debug</filename>, which
    is not enabled by default.</para>
    <screen>$ dsconfig
 set-log-publisher-prop
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --set enabled:true
 --set default-debug-level:all
 --no-prompt
 --trustAll</screen>
    <screen>
$ <userinput>dsconfig \
 set-log-publisher-prop \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --set enabled:true \
 --set default-debug-level:all \
 --no-prompt \
 --trustAll</userinput>
    </screen>
    <para>You can set <literal>default-debug-level</literal> to a less verbose
    level if necessary.</para>
@@ -236,46 +255,52 @@
    <para>No debug targets are enabled by default.</para>
    <screen>$ dsconfig
 list-debug-targets
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --no-prompt
 --trustAll
    <screen>
$ <userinput>dsconfig \
 list-debug-targets \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --no-prompt \
 --trustAll</userinput>
<computeroutput>
Debug Target : debug-level : debug-category
-------------:-------------:---------------
$ </screen>
</computeroutput>
$
    </screen>
    <para>A debug target specifies a fully-qualified OpenDJ Java package,
    class, or method for which to log debug messages at the level you
    specify.</para>
    <screen>$ dsconfig
 create-debug-target
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Debug Logger"
 --type generic
 --target-name org.opends.server.api
 --set debug-level:all
 --no-prompt
 --trustAll</screen>
    <screen>
$ <userinput>dsconfig \
 create-debug-target \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Debug Logger" \
 --type generic \
 --target-name org.opends.server.api \
 --set debug-level:all \
 --no-prompt \
 --trustAll</userinput>
    </screen>
   </step>
   <step>
    <para>Restart OpenDJ to see debug messages in the log.</para>
    <screen>$ /path/to/opendj/bin/stop-ds --restart
    <screen>
$ <userinput>/path/to/opendj/bin/stop-ds --restart</userinput>
...
$ tail -f /path/to/opendj/logs/debug
...</screen>
$ <userinput>tail -f /path/to/opendj/logs/debug</userinput>
...
    </screen>
    <para>If you have set <literal>debug-level:all</literal>, OpenDJ generates
    a great deal of output in the debug log file. Use debug logging very
@@ -303,21 +328,23 @@
  the modify operation is performed over the loopback address (accessing
  OpenDJ on the local host).</para>
  <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
  <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd
dn: ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks
objectClass: top
objectClass: ds-task
ds-task-id: Enter Lockdown Mode
ds-task-class-name: org.opends.server.tasks.EnterLockdownModeTask
ds-task-class-name: org.opends.server.tasks.EnterLockdownModeTask</userinput>
Processing ADD request for
<computeroutput>Processing ADD request for
 ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks
ADD operation successful for DN
 ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks</screen>
 ds-task-id=Enter Lockdown Mode,cn=Scheduled Tasks,cn=tasks</computeroutput>
  </screen>
  <para>OpenDJ logs a notice message in <filename>logs/errors</filename>
  when lockdown mode takes effect.</para>
@@ -329,30 +356,34 @@
  <para>Client applications that request operations get a message concerning
  lockdown mode.</para>
  <screen>$ ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" +
SEARCH operation failed
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN "" --searchScope base "(objectclass=*)" +</userinput>
<computeroutput>SEARCH operation failed
Result Code:  53 (Unwilling to Perform)
Additional Information:  Rejecting the requested operation because the server
 is in lockdown mode and will only accept requests from root users over
 loopback connections</screen>
 loopback connections</computeroutput>
  </screen>
  <para>You also leave lockdown mode by using a task.</para>
  <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
  <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd
dn: ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks
objectClass: top
objectClass: ds-task
ds-task-id: Leave Lockdown Mode
ds-task-class-name: org.opends.server.tasks.LeaveLockdownModeTask
ds-task-class-name: org.opends.server.tasks.LeaveLockdownModeTask</userinput>
Processing ADD request for
<computeroutput>Processing ADD request for
 ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks
ADD operation successful for DN
 ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks</screen>
 ds-task-id=Leave Lockdown Mode,cn=Scheduled Tasks,cn=tasks</computeroutput>
  </screen>
  <para>OpenDJ also logs a notice message when leaving lockdown.</para>
@@ -380,15 +411,17 @@
  <literal>single-structural-objectclass-behavior:warn</literal> as
  follows.</para>
  
  <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set single-structural-objectclass-behavior:warn
 --trustAll
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set single-structural-objectclass-behavior:warn \
 --trustAll \
 --no-prompt</userinput>
  </screen>
  
  <para>By default, OpenDJ also checks syntax for a number of attribute types.
  You can relax this behavior as well by using the <command>dsconfig
@@ -415,8 +448,9 @@
  software. For example, the Java environment is distributed with a key store
  holding many CA certificates.</para>
  
  <screen>$ keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
 | wc -l
  <screen>
$ <userinput>keytool -list -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit \
 | wc -l</userinput>
     334</screen>
  
  <para>The self-signed server certificates that can be configured during
@@ -431,7 +465,9 @@
  debug traces from <literal>javax.net.debug</literal> into the
  <filename>logs/server.out</filename> file.</para>
  
  <screen>OPENDJ_JAVA_ARGS="-Djavax.net.debug=all" start-ds</screen>
  <screen>
$ <userinput>OPENDJ_JAVA_ARGS="-Djavax.net.debug=all" start-ds</userinput>
  </screen>
  
  <section xml:id="troubleshoot-certificate-authentication">
   <title>Troubleshooting Certificates &amp; SSL Authentication</title>
@@ -441,10 +477,12 @@
   to SSL handshake errors. This leads to error log messages such as the
   following.</para>
   
   <screen>[21/Nov/2011:13:03:20 -0600] category=SYNC severity=NOTICE
   <programlisting language="none">
[21/Nov/2011:13:03:20 -0600] category=SYNC severity=NOTICE
 msgID=15138921 msg=SSL connection attempt from myserver (123.456.789.012)
 failed: Remote host closed connection during handshake</screen>
 failed: Remote host closed connection during handshake
   </programlisting>
  <itemizedlist>
   <para>Notice these problem characteristics in the message above.</para>
   <listitem>
@@ -479,38 +517,47 @@
    <para>Make sure each OpenDJ server uses only fully qualified host names in
    the replication configuration. You can obtain a quick summary by running
    the following command against each server's configuration.</para>
    <screen>$ grep ds-cfg-replication-server: config/config.ldif | sort | uniq</screen>
    <screen>
$ <userinput>grep ds-cfg-replication-server: config/config.ldif | sort | uniq</userinput>
    </screen>
   </listitem>
   <listitem>
    <para>Make sure that the host names in OpenDJ certificates also contain
    fully qualified host names, and correspond to the host names found in the
    previous step.</para>
    <screen># Examine the certificates used for the administration connector.
$ keytool -list -v -keystore config/admin-truststore
 -storepass `cat config/admin-keystore.pin` |grep "^Owner:"
    <screen>
# Examine the certificates used for the administration connector.
$ <userinput>keytool -list -v -keystore config/admin-truststore \
 -storepass `cat config/admin-keystore.pin` |grep "^Owner:"</userinput>
# Examine the certificates used for replication.
$ keytool -list -v -keystore config/ads-truststore
 -storepass `cat config/ads-truststore.pin`| grep "^Owner:"
$ <userinput>keytool -list -v -keystore config/ads-truststore \
 -storepass `cat config/ads-truststore.pin`| grep "^Owner:"</userinput>
    </screen>
   </listitem>
  </orderedlist>
  
  <para>Sample output for a server on host <literal>opendj.example.com</literal>
  follows.</para>
  <screen>$ grep ds-cfg-replication-server: config/config.ldif |sort | uniq
ds-cfg-replication-server: opendj.example.com:8989
ds-cfg-replication-server: opendj.example.com:9989
$ keytool -list -v -keystore config/admin-truststore
-storepass `cat config/admin-keystore.pin` | grep "^Owner:"
Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate
  <screen>
$ <userinput>grep ds-cfg-replication-server: config/config.ldif |sort | uniq</userinput>
<computeroutput>ds-cfg-replication-server: opendj.example.com:8989
ds-cfg-replication-server: opendj.example.com:9989</computeroutput>
$ keytool -list -v -keystore config/ads-truststore
 -storepass `cat config/ads-truststore.pin`| grep "^Owner:"
$ <userinput>keytool -list -v -keystore config/admin-truststore
-storepass `cat config/admin-keystore.pin` | grep "^Owner:"</userinput>
<computeroutput>Owner: CN=opendj.example.com, O=Administration Connector Self-Signed Certificate</computeroutput>
$ <userinput>keytool -list -v -keystore config/ads-truststore \
 -storepass `cat config/ads-truststore.pin`| grep "^Owner:"</userinput>
<computeroutput>Owner: CN=opendj.example.com, O=OpenDJ Certificate
Owner: CN=opendj.example.com, O=OpenDJ Certificate
Owner: CN=opendj.example.com, O=OpenDJ Certificate
Owner: CN=opendj.example.com, O=OpenDJ Certificate</screen>
Owner: CN=opendj.example.com, O=OpenDJ Certificate</computeroutput>
  </screen>
   <itemizedlist>
    <para>Unfortunately there is no easy solution to badly configured host
@@ -538,15 +585,18 @@
    <para>If you cannot reinstall the server, follow these steps.</para>
    <listitem>
     <para>Disable replication in each replica.</para>
     <screen>$ dsreplication
 disable
 --disableAll
 --port <replaceable>adminPort</replaceable>
 --hostname <replaceable>hostName</replaceable>
 --bindDN "cn=Directory Manager"
 --adminPassword <replaceable>password</replaceable>
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsreplication \
 disable \
 --disableAll \
 --port <replaceable>adminPort</replaceable> \
 --hostname <replaceable>hostName</replaceable> \
 --bindDN "cn=Directory Manager" \
 --adminPassword <replaceable>password</replaceable> \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </listitem>
    <listitem>
     <para>Stop and restart each server in order to clear the in-memory ADS
@@ -555,23 +605,26 @@
    <listitem>
     <para>Enable replication making certain that fully qualified host names
     are used throughout</para>
     <screen>$ dsreplication
 enable
 --adminUID admin
 --adminPassword <replaceable>password</replaceable>
 --baseDN dc=example,dc=com
 --host1 <replaceable>hostName1</replaceable>
 --port1 <replaceable>adminPort1</replaceable>
 --bindDN1 "cn=Directory Manager"
 --bindPassword1 <replaceable>password</replaceable>
 --replicationPort1 <replaceable>replPort1</replaceable>
 --host2 <replaceable>hostName2</replaceable>
 --port2 <replaceable>adminPort2</replaceable>
 --bindDN2 "cn=Directory Manager"
 --bindPassword2 <replaceable>password</replaceable>
 --replicationPort2 <replaceable>replPort2</replaceable>
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsreplication \
 enable \
 --adminUID admin \
 --adminPassword <replaceable>password</replaceable> \
 --baseDN dc=example,dc=com \
 --host1 <replaceable>hostName1</replaceable> \
 --port1 <replaceable>adminPort1</replaceable> \
 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 <replaceable>password</replaceable> \
 --replicationPort1 <replaceable>replPort1</replaceable> \
 --host2 <replaceable>hostName2</replaceable> \
 --port2 <replaceable>adminPort2</replaceable> \
 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 <replaceable>password</replaceable> \
 --replicationPort2 <replaceable>replPort2</replaceable> \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </listitem>
    <listitem>
     <para>Repeat the previous step for each remaining replica. In other words,
@@ -580,27 +633,33 @@
    </listitem>
    <listitem>
     <para>Initialize all remaining replica with the data from host1.</para>
     <screen>$ dsreplication
 initialize-all
 --adminUID admin
 --adminPassword password
 --baseDN dc=example,dc=com
 --hostname <replaceable>hostName1</replaceable>
 --port 4444
 --trustAll
 --no-prompt</screen>
     <screen>
$ <userinput>dsreplication \
 initialize-all \
 --adminUID admin \
 --adminPassword password \
 --baseDN dc=example,dc=com \
 --hostname <replaceable>hostName1</replaceable> \
 --port 4444 \
 --trustAll \
 --no-prompt</userinput>
     </screen>
    </listitem>
    <listitem>
     <para>Check that the host names are correct in the configuration and in
     the key stores by following the steps you used to check for host name
     problems. The only broken host name remaining should be in the key and
     trust stores for the administration connector.</para>
     <screen>$ keytool -list -v -keystore config/admin-truststore
 -storepass `cat config/admin-keystore.pin` |grep "^Owner:"</screen>
     <screen>
$ <userinput>keytool -list -v -keystore config/admin-truststore \
 -storepass `cat config/admin-keystore.pin` |grep "^Owner:"</userinput>
     </screen>
    </listitem>
    <listitem>
     <para>Stop each server, and then fix the remaining admin connector
     certificate as described here in the procedure <link
     certificate as described here in the procedure <link xlink:show="new"
     xlink:href="admin-guide#replace-key-pair"
     xlink:role="http://docbook.org/xlink/role/olink"><citetitle>To Replace a
     Server Key Pair</citetitle></link>.</para>
@@ -665,13 +724,15 @@
       <literal>opendj.example.com</literal> with administration port
       <literal>4444</literal>.</para>
       <screen>$ ldapsearch
 --port 1389
 --hostname opendj.example.com
 --baseDN "cn=admin data"
 "(cn=opendj.example.com:4444)" ds-cfg-key-id
dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
ds-cfg-key-id: 4F2F97979A7C05162CF64C9F73AF66ED</screen>
       <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --hostname opendj.example.com \
 --baseDN "cn=admin data" \
 "(cn=opendj.example.com:4444)" ds-cfg-key-id</userinput>
<computeroutput>dn: cn=opendj.example.com:4444,cn=Servers,cn=admin data
ds-cfg-key-id: 4F2F97979A7C05162CF64C9F73AF66ED</computeroutput>
       </screen>
       <para>The key ID, <literal>4F2F97979A7C05162CF64C9F73AF66ED</literal>, is
       the RDN of the key entry.</para>
@@ -686,7 +747,8 @@
       time. In the following example, the key pair was compromised at 8:34 AM
       UTC on March 21, 2013.</para>
       <screen width="81">$ ldapmodify
       <screen width="81">
$ <userinput>ldapmodify
 --port 1389
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
@@ -694,12 +756,13 @@
dn: ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,cn=instance keys,cn=admin data
changetype: modify
add: ds-cfg-key-compromised-time
ds-cfg-key-compromised-time: 201303210834Z
ds-cfg-key-compromised-time: 201303210834Z</userinput>
Processing MODIFY request for ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,
<computeroutput>Processing MODIFY request for ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED,
 cn=instance keys,cn=admin data
MODIFY operation successful for DN ds-cfg-key-id=4F2F97979A7C05162CF64C9F73AF66ED
 ,cn=instance keys,cn=admin data</screen>
 ,cn=instance keys,cn=admin data</computeroutput>
       </screen>
      </listitem>
      <listitem>
@@ -712,20 +775,22 @@
       in the administrative data whose <literal>ds-cfg-symmetric-key</literal>
       starts with the key ID of the compromised key.</para>
       <screen>$ ldapsearch
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --baseDN "cn=secret keys,cn=admin data"
 "(ds-cfg-symmetric-key=4F2F97979A7C05162CF64C9F73AF66ED*)" dn
dn: ds-cfg-key-id=fba16e59-2ce1-4619-96e7-8caf33f916c8,cn=secret keys,cn=admin d
       <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --baseDN "cn=secret keys,cn=admin data" \
 "(ds-cfg-symmetric-key=4F2F97979A7C05162CF64C9F73AF66ED*)" dn</userinput>
<computeroutput>dn: ds-cfg-key-id=fba16e59-2ce1-4619-96e7-8caf33f916c8,cn=secret keys,cn=admin d
 ata
dn: ds-cfg-key-id=57bd8b8b-9cc6-4a29-b42f-fb7a9e48d713,cn=secret keys,cn=admin d
 ata
dn: ds-cfg-key-id=f05e2e6a-5c4b-44d0-b2e8-67a36d304f3a,cn=secret keys,cn=admin d
 ata</screen>
 ata</computeroutput>
       </screen>
       <para>For each such key, mark the entry with
       <literal>ds-cfg-key-compromised-time</literal> as shown above for the
@@ -760,14 +825,16 @@
  <literal>uid=bjensen</literal> as traced in the LDAP access log. In the access
  log itself, each line starts with a time stamp.</para>
  
  <screen>[27/Jun/2011:17:23:00 +0200] CONNECT conn=19 from=127.0.0.1:56641
  <programlisting language="none">
[27/Jun/2011:17:23:00 +0200] CONNECT conn=19 from=127.0.0.1:56641
 to=127.0.0.1:1389 protocol=LDAP
[27/Jun/2011:17:23:00 +0200] SEARCH REQ conn=19 op=0 msgID=1
 base="dc=example,dc=com" scope=wholeSubtree filter="(uid=bjensen)" attrs="ALL"
[27/Jun/2011:17:23:00 +0200] SEARCH RES conn=19 op=0 msgID=1
 result=0 nentries=1 etime=3
[27/Jun/2011:17:23:00 +0200] UNBIND REQ conn=19 op=1 msgID=2
[27/Jun/2011:17:23:00 +0200] DISCONNECT conn=19 reason="Client Unbind"</screen>
[27/Jun/2011:17:23:00 +0200] DISCONNECT conn=19 reason="Client Unbind"
  </programlisting>
  
  <para>As you see, each client connection and set of LDAP operations are
  traced, starting with a time stamp and information about the operation
@@ -788,14 +855,17 @@
  field of the user <literal>newuser</literal>, which is handled by connection 4
  as shown in <filename>logs/http-access</filename>.</para>
  <screen>-  192.168.0.12  bjensen  22/May/2013:16:27:52 +0200
  <programlisting language="none">
-  192.168.0.12  bjensen  22/May/2013:16:27:52 +0200
  GET  /users/newuser?_fields=_id  HTTP/1.1  200
  curl/7.21.4  4  12</screen>
  curl/7.21.4  4  12
  </programlisting>
  <para>With internal operations logged in <filename>logs/access</filename>,
  log lines for the related operations have <literal>conn=4</literal>.</para>
  <screen>[22/May/2013:16:27:52 +0200] CONNECT conn=4
  <programlisting language="none">
[22/May/2013:16:27:52 +0200] CONNECT conn=4
  from=192.168.0.12:63593 to=192.168.0.12:8080 protocol=HTTP/1.1
[22/May/2013:16:27:52 +0200] SEARCH REQ conn=4
  op=0 msgID=0 base="ou=people,dc=example,dc=com" scope=wholeSubtree
@@ -816,7 +886,8 @@
[22/May/2013:16:27:52 +0200] UNBIND REQ conn=4
   op=3 msgID=3
[22/May/2013:16:27:52 +0200] DISCONNECT conn=4
   reason="Client Unbind"</screen>
   reason="Client Unbind"
  </programlisting>
  <para>To help diagnose errors due to access permissions, OpenDJ supports the
  get effective rights control. The control OID,
@@ -839,20 +910,21 @@
   control</link> without authenticating. By default, OpenDJ includes a global
   ACI to allow only authenticated users to use the control.</para>
   <screen>$ dsconfig
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword "password"
 get-access-control-handler-prop
   <screen>
$ <userinput>dsconfig \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword "password" \
 get-access-control-handler-prop</userinput>
<computeroutput>
Property   : Value(s)
-----------:-------------------------------------------------------------------
enabled    : true
global-aci : (extop="1.3.6.1.4.1.26027.1.6.1 || 1.3.6.1.4.1.26027.1.6.3 ||
...
           : (targetcontrol="1.3.6.1.1.12 || 1.3.6.1.1.13.1 || 1.3.6.1.1.13.2
           : || <emphasis role="strong">1.2.840.113556.1.4.319</emphasis> || 1.2.826.0.1.3344810.2.3 ||
           : || 1.2.840.113556.1.4.319 || 1.2.826.0.1.3344810.2.3 ||
           : 2.16.840.1.113730.3.4.18 || 2.16.840.1.113730.3.4.9 ||
           : 1.2.840.113556.1.4.473 || 1.3.6.1.4.1.42.2.27.9.5.9") (version
           : 3.0; acl "Authenticated users control access"; allow(read)
@@ -860,30 +932,33 @@
           : 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
           : 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
           : 2.16.840.1.113730.3.4.16") (version 3.0; acl "Anonymous control
           : access"; allow(read) userdn="ldap:///anyone";)</screen>
           : access"; allow(read) userdn="ldap:///anyone";)</computeroutput>
   </screen>
   <para>To grant anonymous (unauthenticated) user access to the control,
   add the OID for the simple paged results control to the list of those in
   the <literal>Anonymous control access</literal> global ACI.</para>
   <screen>$ dsconfig
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword "password"
 set-access-control-handler-prop
 --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 ||
 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
 2.16.840.1.113730.3.4.16\") (version 3.0; acl \"Anonymous control access\";
 allow(read) userdn=\"ldap:///anyone\";)"
 --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 ||
 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 ||
 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 ||
 2.16.840.1.113730.3.4.16 || <emphasis role="strong">1.2.840.113556.1.4.319</emphasis>\")
 (version 3.0; acl \"Anonymous control access\"; allow(read)
 userdn=\"ldap:///anyone\";)"
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword "password" \
 set-access-control-handler-prop \
 --remove global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || \
 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || \
 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || \
 2.16.840.1.113730.3.4.16\") (version 3.0; acl \"Anonymous control access\"; \
 allow(read) userdn=\"ldap:///anyone\";)" \
 --add global-aci:"(targetcontrol=\"2.16.840.1.113730.3.4.2 || \
 2.16.840.1.113730.3.4.17 || 2.16.840.1.113730.3.4.19 || \
 1.3.6.1.4.1.4203.1.10.2 || 1.3.6.1.4.1.42.2.27.8.5.1 || \
 2.16.840.1.113730.3.4.16 || 1.2.840.113556.1.4.319\") \
 (version 3.0; acl \"Anonymous control access\"; allow(read) \
 userdn=\"ldap:///anyone\";)" \
 --no-prompt</userinput>
   </screen>
   <para>Alternatively, stop OpenDJ, edit the corresponding ACI carefully in
   <filename>/path/to/opendj/config/config.ldif</filename>, and restart OpenDJ.
@@ -916,12 +991,14 @@
  have <literal>category=SYNC</literal>. The messages have the following form.
  Here the line is folded for readability.</para>
  
  <screen>[27/Jun/2011:14:37:48 +0200] category=SYNC severity=INFORMATION msgID=14680169
  <programlisting language="none">
[27/Jun/2011:14:37:48 +0200] category=SYNC severity=INFORMATION msgID=14680169
 msg=Replication server accepted a connection from 10.10.0.10/10.10.0.10:52859
 to local address 0.0.0.0/0.0.0.0:8989 but the SSL handshake failed. This is
 probably benign, but may indicate a transient network outage or a
 misconfigured client application connecting to this replication server.
 The error was: Remote host closed connection during handshake</screen>
 The error was: Remote host closed connection during handshake
  </programlisting>
 
  <para>OpenDJ maintains historical information about changes in order to
  bring replicas up to date, and to resolve replication conflicts. To prevent
@@ -942,9 +1019,11 @@
  of OpenDJ you use to reproduce the problem. The version includes both a
  version number and also a build time stamp.</para>
  
  <screen>$ dsconfig --version
OpenDJ <?eval ${docTargetVersion}?>
Build <replaceable>yyyymmddhhmmss</replaceable>Z</screen>
  <screen>
$ <userinput>dsconfig --version</userinput>
<computeroutput>OpenDJ ${docTargetVersion}
Build <replaceable>yyyymmddhhmmss</replaceable>Z</computeroutput>
  </screen>
  
  <itemizedlist>
  
opends/src/main/docbkx/admin-guide/chap-tuning.xml
@@ -242,14 +242,16 @@
  change elapsed processing time resolution from milliseconds (default) to
  nanoseconds.</para>
  <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set etime-resolution:nanoseconds
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set etime-resolution:nanoseconds \
 --no-prompt</userinput>
  </screen>
 </section>
 
 <section xml:id="perf-tweaking">
@@ -355,26 +357,29 @@
   you change the settings. Instead, to force OpenDJ to compress all entries,
   import the data from LDIF.</para></footnote></para>
   
   <screen>$ dsconfig
 set-backend-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --set entries-compressed:true
 --trustAll
 --no-prompt
$ import-ldif
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --ldifFile /path/to/Example.ldif
 --backendID userRoot
 --includeBranch dc=example,dc=com
 --start 0
Import task 20120917100628767 scheduled to start Sep 17, 2012 10:06:28 AM CEST</screen>
   <screen>
$ <userinput>dsconfig \
 set-backend-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --set entries-compressed:true \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>import-ldif \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --ldifFile /path/to/Example.ldif \
 --backendID userRoot \
 --includeBranch dc=example,dc=com \
 --start 0</userinput>
<computeroutput>Import task 20120917100628767 scheduled to start Sep 17, 2012 10:06:28 AM CEST</computeroutput>
   </screen>
  </section>
  
  <section xml:id="perf-import">
@@ -428,16 +433,18 @@
   JVM. Test database pre-load on startup by setting the
   <literal>preload-time-limit</literal> for the backend.</para>
   
   <screen>$ dsconfig
 set-backend-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --backend-name userRoot
 --set preload-time-limit:30m
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-backend-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --backend-name userRoot \
 --set preload-time-limit:30m \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   
   <para>Database pre-load is single-threaded, and loads each database one
   at a time.</para>
@@ -458,32 +465,36 @@
   you have a few large static groups and applications that regularly check
   group membership, you could cache your group entries.</para>
   
   <screen>$ dsconfig
 create-entry-cache
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --cache-name "Large Group Entry Cache"
 --type fifo
 --set cache-level:1
 --set include-filter:"(ou=Large Static Groups)"
 --set max-entries:10
 --set enabled:true
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 create-entry-cache \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --cache-name "Large Group Entry Cache" \
 --type fifo \
 --set cache-level:1 \
 --set include-filter:"(ou=Large Static Groups)" \
 --set max-entries:10 \
 --set enabled:true \
 --trustAll \
 --no-prompt</userinput>
   </screen>
   <para>You can use the global setting, <literal>entry-cache-preload</literal>,
   to force OpenDJ to load the entry cache as part of server startup.</para>
  <screen>$ dsconfig
 set-global-configuration-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --set entry-cache-preload:true
 --no-prompt</screen>
  <screen>
$ <userinput>dsconfig \
 set-global-configuration-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --set entry-cache-preload:true \
 --no-prompt</userinput>
  </screen>
   <para>By default, OpenDJ does not pre-load the entry cache.</para>
  </section>
@@ -503,16 +514,18 @@
   performance bottleneck, as each client request results in multiple access log
   messages. Consider disabling the access log in such cases.</para>
   
   <screen>$ dsconfig
 set-log-publisher-prop
 --port 4444
 --hostname opendj.example.com
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --publisher-name "File-Based Access Logger"
 --set enabled:false
 --trustAll
 --no-prompt</screen>
   <screen>
$ <userinput>dsconfig \
 set-log-publisher-prop \
 --port 4444 \
 --hostname opendj.example.com \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --publisher-name "File-Based Access Logger" \
 --set enabled:false \
 --trustAll \
 --no-prompt</userinput>
   </screen>
  </section>
 </section>
</chapter>
opends/src/main/docbkx/admin-guide/chap-understanding-ldap.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-understanding-ldap'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Understanding Directory Services</title>
 <indexterm>
  <primary>Directory services</primary>
@@ -117,7 +117,8 @@
  for words in the dictionary, or for subscriber names in the phone book.
  A sample entry follows.</para>
  <programlisting language="LDIF">dn: uid=bjensen,ou=People,dc=example,dc=com
  <programlisting language="LDIF">
dn: uid=bjensen,ou=People,dc=example,dc=com
uid: bjensen
cn: Babs Jensen
cn: Barbara Jensen
@@ -138,7 +139,7 @@
sn: Jensen
telephoneNumber: +1 408 555 1862
uidNumber: 1076
</programlisting>
  </programlisting>
  <para>Barbara Jensen's entry has a number of attributes, such as
  <literal>uid: bjensen</literal>,
@@ -165,8 +166,10 @@
  attributes.<footnote><para>Sometimes your distinguished names include
  characters that you must escape. The following example shows an entry that
  includes escaped characters in the DN.</para>
  <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=escape)"
dn: cn=\" # \+ \, \; \&lt; = \&gt; \\ DN Escape Characters,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com "(uid=escape)"</userinput>
<computeroutput>dn: cn=\" # \+ \, \; \&lt; = \&gt; \\ DN Escape Characters,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
@@ -175,7 +178,8 @@
uid: escape
cn: " # + , ; &lt; = &gt; \ DN Escape Characters
sn: DN Escape Characters
mail: escape@example.com</screen></footnote></para>
mail: escape@example.com</computeroutput>
  </screen></footnote></para>
  
  <para>LDAP entries are arranged hierarchically in the directory. The
  hierarchical organization resembles a file system on a PC or a web server,
opends/src/main/docbkx/admin-guide/chap-virtual-attrs-collective-attrs.xml
@@ -20,15 +20,15 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-virtual-attrs-collective-attrs'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <title>Working With Virtual and Collective Attributes</title>
 <para>OpenDJ supports virtual attributes with dynamically generated values.
@@ -134,16 +134,18 @@
  <para>These virtual attributes are typically operational, so you get them
  back from a search only when you request them.</para>
  
  <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com dc=example
dn: dc=example,dc=com
  <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com dc=example</userinput>
<computeroutput>dn: dc=example,dc=com
dc: example
objectClass: domain
objectClass: top
objectClass: top</computeroutput>
$ ldapsearch --port 1389 --baseDN dc=example,dc=com dc=example numSubordinates
dn: dc=example,dc=com
numSubordinates: 4
</screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com dc=example numSubordinates</userinput>
<computeroutput>dn: dc=example,dc=com
numSubordinates: 4</computeroutput>
   </screen>
  <indexterm>
   <primary>Replication</primary>
   <secondary>Not for virtual attributes</secondary>
@@ -155,24 +157,26 @@
  attribute is defined by the server configuration, which is not
  replicated.</para>
  
  <screen>$ dsconfig
 create-virtual-attribute
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --name "Served By Description"
 --type user-defined
 --set enabled:true
 --set attribute-type:description
 --set base-dn:dc=example,dc=com
 --set value:"Served by OpenDJ.Example.com"
 --trustAll
 --no-prompt
$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen description
dn: uid=bjensen,ou=People,dc=example,dc=com
description: Served by OpenDJ.Example.com
</screen>
  <screen>
$ <userinput>dsconfig \
 create-virtual-attribute \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --name "Served By Description" \
 --type user-defined \
 --set enabled:true \
 --set attribute-type:description \
 --set base-dn:dc=example,dc=com \
 --set value:"Served by OpenDJ.Example.com" \
 --trustAll \
 --no-prompt</userinput>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen description</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
description: Served by OpenDJ.Example.com</computeroutput>
  </screen>
  
  <para>Collective attributes cover many use cases better than virtual
  attributes.</para>
@@ -258,8 +262,9 @@
    and adjust the definition of the <literal>cos</literal> object class to
    allow the two quota attributes.</para>
    <screen>$ cat quotas.ldif
dn: cn=schema
    <screen>
$ <userinput>cat quotas.ldif</userinput>
<computeroutput>dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( example-class-of-service-attribute-type NAME 'classOfService
@@ -282,20 +287,22 @@
add: objectClasses
objectClasses: ( example-class-of-service-object-class NAME 'cos' SUP top AUX
 ILIARY MAY ( classOfService $ diskQuota $ mailQuota ) X-ORIGIN 'OpenDJ Doc
 umentation Examples' )
 umentation Examples' )</computeroutput>
$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --filename quotas.ldif
Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema</screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --filename quotas.ldif</userinput>
<computeroutput>Processing MODIFY request for cn=schema
MODIFY operation successful for DN cn=schema</computeroutput>
    </screen>
    <para>Use the following collective attribute definitions to set the quotas
    depending on class of service.</para>
    <programlisting language="ldif"># cos.ldif: quotas by class of service
    <programlisting language="ldif">
# cos.ldif: quotas by class of service
dn: cn=Bronze Class of Service,dc=example,dc=com
objectClass: collectiveAttributeSubentry
objectClass: extensibleObject
@@ -328,56 +335,60 @@
mailQuota;collective: 10 GB
subtreeSpecification: { base "ou=People", specificationFilter "(classOfService=
 gold)" }
</programlisting>
    </programlisting>
    <para>You can add the collective attribute subentries by using the
    <command>ldapmodify</command> command.</para>
    <screen>$ ldapmodify
 --port 1389
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --defaultAdd
 --filename cos.ldif
Processing ADD request for cn=Bronze Class of Service,dc=example,dc=com
    <screen>
$ <userinput>ldapmodify \
 --port 1389 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --defaultAdd \
 --filename cos.ldif</userinput>
<computeroutput>Processing ADD request for cn=Bronze Class of Service,dc=example,dc=com
ADD operation successful for DN cn=Bronze Class of Service,dc=example,dc=com
Processing ADD request for cn=Silver Class of Service,dc=example,dc=com
ADD operation successful for DN cn=Silver Class of Service,dc=example,dc=com
Processing ADD request for cn=Gold Class of Service,dc=example,dc=com
ADD operation successful for DN cn=Gold Class of Service,dc=example,dc=com</screen>
ADD operation successful for DN cn=Gold Class of Service,dc=example,dc=com</computeroutput>
    </screen>
    <para>With the collective attributes defined, you can see the results on
    user entries.</para>
    <screen>$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=bjensen
 classOfService mailQuota diskQuota
dn: uid=bjensen,ou=People,dc=example,dc=com
    <screen>
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=bjensen \
 classOfService mailQuota diskQuota</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
mailQuota: 1 GB
classOfService: bronze
diskQuota: 10 GB
diskQuota: 10 GB</computeroutput>
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=kvaughan
 classOfService mailQuota diskQuota
dn: uid=kvaughan,ou=People,dc=example,dc=com
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=kvaughan \
 classOfService mailQuota diskQuota</userinput>
<computeroutput>dn: uid=kvaughan,ou=People,dc=example,dc=com
mailQuota: 5 GB
classOfService: silver
diskQuota: 50 GB
diskQuota: 50 GB</computeroutput>
$ ldapsearch
 --port 1389
 --baseDN dc=example,dc=com
 uid=scarter
 classOfService mailQuota diskQuota
dn: uid=scarter,ou=People,dc=example,dc=com
$ <userinput>ldapsearch \
 --port 1389 \
 --baseDN dc=example,dc=com \
 uid=scarter \
 classOfService mailQuota diskQuota</userinput>
<computeroutput>dn: uid=scarter,ou=People,dc=example,dc=com
mailQuota: 10 GB
classOfService: gold
diskQuota: 100 GB</screen>
diskQuota: 100 GB</computeroutput>
    </screen>
  </example>
  <example xml:id="example-dept-from-manager"><?dbfo keep-together="auto"?>
@@ -398,8 +409,8 @@
   <para>The collective attribute subentry that specifies the relationship
   looks like this:</para>
   <programlisting language="ldif"
   >dn: cn=Inherit Department Number From Manager,dc=example,dc=com
   <programlisting language="ldif">
dn: cn=Inherit Department Number From Manager,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: inheritedCollectiveAttributeSubentry
@@ -409,7 +420,7 @@
inheritFromDNAttribute: manager
inheritAttribute: departmentNumber
</programlisting>
   </programlisting>
   <para>This entry specifies that users inherit department number from their
   manager.</para>
@@ -417,20 +428,25 @@
   <para>As seen in <filename>Example.ldif</filename>, Babs Jensen's manager
   is Torrey Rigden.</para>
   <programlisting language="ldif">dn: uid=bjensen,ou=People,dc=example,dc=com
manager: uid=trigden, ou=People, dc=example,dc=com</programlisting>
   <programlisting language="ldif">
dn: uid=bjensen,ou=People,dc=example,dc=com
manager: uid=trigden, ou=People, dc=example,dc=com
   </programlisting>
   <para>Torrey's department number is 3001.</para>
   <programlisting language="ldif">dn: uid=trigden,ou=People,dc=example,dc=com
departmentNumber: 3001</programlisting>
   <programlisting language="ldif">
dn: uid=trigden,ou=People,dc=example,dc=com
departmentNumber: 3001
   </programlisting>
   <para>Babs inherits her department number from Torrey.</para>
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen
 departmentNumber
dn: uid=bjensen,ou=People,dc=example,dc=com
departmentNumber: 3001</screen>
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen departmentNumber</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
departmentNumber: 3001</computeroutput>
   </screen>
  </example>
  <example xml:id="example-inherit-from-locality"><?dbfo keep-together="auto"?>
@@ -446,8 +462,8 @@
   The collective attribute subentry specifies how to construct the RDN of the
   object holding the attribute values to inherit.</para>
   <programlisting language="ldif"
   >dn: cn=Inherit From Locality,dc=example,dc=com
   <programlisting language="ldif">
dn: cn=Inherit From Locality,dc=example,dc=com
objectClass: top
objectClass: subentry
objectClass: inheritedCollectiveAttributeSubentry
@@ -461,7 +477,7 @@
inheritAttribute: street
collectiveConflictBehavior: real-overrides-virtual
</programlisting>
   </programlisting>
   <para>This specifies that the RDN of the entry from which to inherit
   attributes is like <literal>l=<replaceable
@@ -474,7 +490,8 @@
   <literal>l=Bristol,ou=Locations</literal>. The actual entry looks like
   this:</para>
   <programlisting language="ldif">dn: l=Bristol,ou=Locations,dc=example,dc=com
   <programlisting language="ldif">
dn: l=Bristol,ou=Locations,dc=example,dc=com
objectClass: top
objectClass: locality
objectClass: extensibleObject
@@ -482,7 +499,7 @@
street: 60 Queen Square
preferredLanguage: en-gb
</programlisting>
   </programlisting>
   <para>The subentry also specifies two attributes to inherit for preferred
   language and street address.</para>
@@ -514,33 +531,41 @@
   <para>Sam Carter is located in Bristol. Sam has specified no preferred
   languages.</para>
   <programlisting language="ldif">dn: uid=scarter,ou=People,dc=example,dc=com
l: Bristol</programlisting>
   <programlisting language="ldif">
dn: uid=scarter,ou=People,dc=example,dc=com
l: Bristol
   </programlisting>
   <para>Sam inherits both the street address and also preferred language from
   the Bristol locality.</para>
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=scarter
 preferredLanguage street
dn: uid=scarter,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=scarter \
 preferredLanguage street</userinput>
<computeroutput>dn: uid=scarter,ou=People,dc=example,dc=com
preferredLanguage: en-gb
street: 60 Queen Square</screen>
street: 60 Queen Square</computeroutput>
   </screen>
   <para>Babs's locality is San Francisco. Babs prefers English, but also knows
   Korean.</para>
   <programlisting language="ldif">dn: uid=bjensen,ou=People,dc=example,dc=com
   <programlisting language="ldif">
dn: uid=bjensen,ou=People,dc=example,dc=com
preferredLanguage: en, ko;q=0.8
l: San Francisco</programlisting>
l: San Francisco
   </programlisting>
   <para>Babs inherits the street address from the San Francisco locality, but
   keeps her language preferences.</para>
   <screen>$ ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen
 preferredLanguage street
dn: uid=bjensen,ou=People,dc=example,dc=com
   <screen>
$ <userinput>ldapsearch --port 1389 --baseDN dc=example,dc=com uid=bjensen \
 preferredLanguage street</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
preferredLanguage: en, ko;q=0.8
street: 500 3rd Street</screen>
street: 500 3rd Street</computeroutput>
   </screen>
  </example>
 </section>
</chapter>
opends/src/main/docbkx/admin-guide/man-backup.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='backup-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>backup</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -330,29 +329,39 @@
  <title>Examples</title>
  <para>The following example backs up all user data while the server is
  online.</para>
  <screen>$ backup -p 4444 -D "cn=Directory Manager" -w password
 -a -d /path/to/opendj/bak -t 0
Backup task 20110613143801866 scheduled to start Jun 13, 2011 2:38:01 PM CEST</screen>
  <screen>
$ <userinput>backup -p 4444 -D "cn=Directory Manager" -w password \
 -a -d /path/to/opendj/bak -t 0</userinput>
<computeroutput>Backup task 20110613143801866 scheduled to start Jun 13, 2011 2:38:01 PM CEST</computeroutput>
  </screen>
  <para>The following example schedules back up of all user data every night at
  2 AM when the server is online, and notifies diradmin@example.com when
  finished, or on error.</para>
  <screen>$ backup -p 4444 -D "cn=Directory Manager" -w password -a
 -d /path/to/opendj/bak --recurringTask "00 02 * * *"
 --completionNotify diradmin@example.com --errorNotify diradmin@example.com
Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
scheduled successfully</screen>
  <screen>
$ <userinput>backup -p 4444 -D "cn=Directory Manager" -w password -a \
 -d /path/to/opendj/bak --recurringTask "00 02 * * *" \
 --completionNotify diradmin@example.com --errorNotify diradmin@example.com</userinput>
<computeroutput>Recurring Backup task BackupTask-988d6adf-4d65-44bf-8546-6ea74a2480b0
scheduled successfully</computeroutput>
  </screen>
  <para>The following example backs up all user data while the server is
  offline.</para>
  <screen>$ stop-ds
Stopping Server...
...
$ backup --backupAll --backupDirectory /path/to/opendj/bak
...
[28/Sep/2012:12:14:22 +0200] ... msg=The backup process completed successfully
$ start-ds
[28/Sep/2012:12:15:48 +0200] ... The Directory Server has started successfully
</screen>
  <screen>
$ <userinput>stop-ds</userinput>
<computeroutput>Stopping Server...
...</computeroutput>
$ <userinput>backup --backupAll --backupDirectory /path/to/opendj/bak</userinput>
<computeroutput>...
[28/Sep/2012:12:14:22 +0200] ... msg=The backup process completed successfully</computeroutput>
$ <userinput>start-ds</userinput>
<computeroutput>[28/Sep/2012:12:15:48 +0200] ... The Directory Server has started successfully</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-base64.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='base64-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>base64</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -156,11 +155,13 @@
  <title>Examples</title>
  <para>The following command shows the changes from the external change log
  in human-readable format.</para>
  <screen>$ base64 decode -d YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UK
LQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2V
yLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW
1lc3RhbXA6IDIwMTEwNjEzMDcxMjEwWgotCg==
add: description
  <screen>
$ <userinput>base64 decode -d YWRkOiBkZXNjcmlwdGlvbgpkZXNjcmlwdGlvbjogQSB0aGlyZCBjaGFuZ2UK\
LQpyZXBsYWNlOiBtb2RpZmllcnNOYW1lCm1vZGlmaWVyc05hbWU6IGNuPURpcmVjdG9yeSBNYW5hZ2V\
yLGNuPVJvb3QgRE5zLGNuPWNvbmZpZwotCnJlcGxhY2U6IG1vZGlmeVRpbWVzdGFtcAptb2RpZnlUaW\
1lc3RhbXA6IDIwMTEwNjEzMDcxMjEwWgotCg==</userinput>
<computeroutput>add: description
description: A third change
-
replace: modifiersName
@@ -168,7 +169,7 @@
-
replace: modifyTimestamp
modifyTimestamp: 20110613071210Z
-
</screen>
-</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-control-panel.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='control-panel-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>control-panel</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -154,6 +153,8 @@
  <title>Examples</title>
  <para>The following example starts the Control Panel on a remote host.</para>
  
  <screen>$ control-panel -r -h opendj.example.com -p 4444 &amp;</screen>
  <screen>
$ <userinput>control-panel -r -h opendj.example.com -p 4444 &amp;</userinput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-create-rc-script.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='create-rc-script-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>create-rc-script</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -123,7 +122,11 @@
  <para>The following example adds a script to start OpenDJ at boot time
  on a Debian-based system, and then updates the runlevel system to use the
  script.</para>
  <screen>$ sudo create-rc-script -f /etc/init.d/opendj -u mark
$ sudo update-rc.d opendj</screen>
  <screen>
$ <userinput>sudo create-rc-script -f /etc/init.d/opendj -u mark</userinput>
$ <userinput>sudo update-rc.d opendj</userinput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-dbtest.xml
@@ -248,9 +248,11 @@
  <title>Examples</title>
  <para>The following example displays debugging information about the
  equality index for <literal>sudoUser</literal>.</para>
  <screen>$ dbtest dump-database-container -n userRoot -b dc=example,dc=com
 -d sudoUser.equality
Indexed Value (6 bytes): %admin
  <screen>
$ <userinput>dbtest dump-database-container -n userRoot -b dc=example,dc=com \
 -d sudoUser.equality</userinput>
<computeroutput>Indexed Value (6 bytes): %admin
Entry ID List (8 bytes): 165 
Indexed Value (5 bytes): %sudo
@@ -262,6 +264,7 @@
Total Records: 3
Total / Average Key Size: 13 bytes / 4 bytes
Total / Average Data Size: 24 bytes / 8 bytes</screen>
Total / Average Data Size: 24 bytes / 8 bytes</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-dsconfig.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='dsconfig-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>dsconfig</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -400,14 +400,15 @@
  log publisher, which you can find by using the
  <command>list-log-publishers</command> subcommand.</para>
  <screen>$ dsconfig
 list-log-publishers
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --trustAll
  <screen>
$ <userinput>dsconfig \
 list-log-publishers \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll</userinput>
<computeroutput>
Log Publisher                 : Type                   : enabled
------------------------------:------------------------:--------
File-Based Access Logger      : file-based-access      : true
@@ -415,21 +416,22 @@
File-Based Debug Logger       : file-based-debug       : false
File-Based Error Logger       : file-based-error       : true
File-Based HTTP Access Logger : file-based-http-access : false
Replication Repair Logger     : file-based-error       : true
Replication Repair Logger     : file-based-error       : true</computeroutput>
$ dsconfig
 get-log-publisher-prop
 --publisher-name "File-Based Access Logger"
 --property rotation-policy
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --trustAll
Property        : Value(s)
$ <userinput>dsconfig \
 get-log-publisher-prop \
 --publisher-name "File-Based Access Logger" \
 --property rotation-policy \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --trustAll</userinput>
<computeroutput>Property        : Value(s)
----------------:--------------------------------------------------------------
rotation-policy : 24 Hours Time Limit Rotation Policy, Size Limit Rotation
                : Policy</screen>
                : Policy</computeroutput>
  </screen>
  <para>To find documentation for specific component properties, also see the
  <link xlink:show="new" xlink:href="${configRefBase}"><citetitle>OpenDJ
@@ -5519,9 +5521,11 @@
  <para>The following example starts <command>dsconfig</command> in interactive,
  menu-driven mode on the default port of the current host.</para>
  <screen>$ dsconfig -h opendj.example.com -p 4444 -D "cn=Directory Manager" -w password
&gt;&gt;&gt;&gt; OpenDJ configuration console main menu
  <screen>
$ <userinput>dsconfig -h opendj.example.com -p 4444 -D "cn=Directory Manager" -w password</userinput>
<computeroutput>
>>>> OpenDJ configuration console main menu
What do you want to configure?
@@ -5548,20 +5552,23 @@
    q)   quit
Enter choice: </screen>
Enter choice:</computeroutput>
  </screen>
  <para>The following examples demonstrates generating a batch file that
  corresponds to an interactive session enabling the debug log. The example
  then demonstrates using a modified batch file to disable the debug log.</para>
  <screen>$ dsconfig
 --hostname opendj.example.com
 --port 4444
 --bindDN "cn=Directory Manager"
 --bindPassword password
 --commandFilePath ~/enable-debug-log.batch
  <screen>
$ <userinput>dsconfig \
 --hostname opendj.example.com \
 --port 4444 \
 --bindDN "cn=Directory Manager" \
 --bindPassword password \
 --commandFilePath ~/enable-debug-log.batch</userinput>
 ...
$ cat ~/enable-debug-log.batch
# dsconfig session start date: 19/Oct/2011:08:52:22 +0000
$ <userinput>cat ~/enable-debug-log.batch</userinput>
<computeroutput># dsconfig session start date: 19/Oct/2011:08:52:22 +0000
# Session operation number: 1
# Operation date: 19/Oct/2011:08:55:06 +0000
@@ -5573,12 +5580,12 @@
          --trustStorePath /path/to/opendj/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword ****** \
          --no-prompt
          --no-prompt</computeroutput>
$ cp ~/enable-debug-log.batch ~/disable-debug-log.batch
$ vi ~/disable-debug-log.batch
$ cat ~/disable-debug-log.batch
set-log-publisher-prop \
$ <userinput>cp ~/enable-debug-log.batch ~/disable-debug-log.batch</userinput>
$ <userinput>vi ~/disable-debug-log.batch</userinput>
$ <userinput>cat ~/disable-debug-log.batch</userinput>
<computeroutput>set-log-publisher-prop \
          --publisher-name File-Based\ Debug\ Logger \
          --set enabled:false \
          --hostname opendj.example.com \
@@ -5586,10 +5593,10 @@
          --trustStorePath /path/to/opendj/config/admin-truststore \
          --bindDN cn=Directory\ Manager \
          --bindPassword password \
          --no-prompt
          --no-prompt</computeroutput>
$ dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt
set-log-publisher-prop
$ <userinput>dsconfig --batchFilePath ~/disable-debug-log.batch --no-prompt</userinput>
<computeroutput>set-log-publisher-prop
--publisher-name
File-Based Debug Logger
--set
@@ -5604,9 +5611,11 @@
cn=Directory Manager
--bindPassword
password
--no-prompt
--no-prompt</computeroutput>
$</screen>
$
  </screen>
  <para>Notice that the original command file looks like a shell script with
  the bind password value replaced by asterisks. To pass the content as a batch
  file to <command>dsconfig</command>, strip <literal>dsconfig</literal>
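Review bot: Every reformatted `dsconfig` example in this section passes `--bindPassword password` as an argument, and the first two also pass `--trustAll`, yet the section carries no caveat that these are lab shortcuts; with the added `\` continuations the commands can now be pasted and run as written. A password given as an argument can show up in the process list and shell history, and `--trustAll` accepts whatever certificate the administration port presents. I would add a short para after the first screen, for example `<para>In production, read the password from a file with --bindPasswordFile and validate the server certificate with --trustStorePath instead of --trustAll.</para>`. The same applies to the `-w password` and `-w bribery` examples in man-dsreplication.xml, man-ldapdelete.xml, man-ldapmodify.xml and man-ldappasswordmodify.xml. The closing para of the last hunk continues outside it.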
opends/src/main/docbkx/admin-guide/man-dsjavaproperties.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='dsjavaproperties-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>dsjavaproperties</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -106,9 +105,12 @@
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <screen>$ dsjavaproperties
The operation was successful.  The server commands will use the java arguments
  <screen>
$ <userinput>dsjavaproperties</userinput>
<computeroutput>The operation was successful.  The server commands will use the java arguments
 and java home specified in the properties file located in
 /path/to/opendj/config/java.properties</screen>
 /path/to/opendj/config/java.properties</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-dsreplication.xml
@@ -1015,13 +1015,14 @@
  for a new replica on <literal>opendj2.example.com</literal> from an existing
  replica on <literal>opendj.example.com</literal>.</para>
  
  <screen>$ dsreplication enable -I admin -w password -X -n -b dc=example,dc=com
 --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager"
 --bindPassword1 password --replicationPort1 8989
 --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager"
 --bindPassword2 password --replicationPort2 8989
  <screen>
$ <userinput>dsreplication enable -I admin -w password -X -n -b dc=example,dc=com \
 --host1 opendj.example.com --port1 4444 --bindDN1 "cn=Directory Manager" \
 --bindPassword1 password --replicationPort1 8989 \
 --host2 opendj2.example.com --port2 4444 --bindDN2 "cn=Directory Manager" \
 --bindPassword2 password --replicationPort2 8989</userinput>
Establishing connections ..... Done.
<computeroutput>Establishing connections ..... Done.
Checking registration information ..... Done.
Updating remote references on server opendj.example.com:4444 ..... Done.
Configuring Replication port on server opendj2.example.com:4444 ..... Done.
@@ -1048,16 +1049,18 @@
See
/var/.../opends-replication-7958637258600693490.log
for a detailed log of this operation.
$ dsreplication initialize-all -I admin -w password -X -n -b dc=example,dc=com
 -h opendj.example.com -p 4444
for a detailed log of this operation.</computeroutput>
Initializing base DN dc=example,dc=com with the contents from
$ <userinput>dsreplication initialize-all -I admin -w password -X -n -b dc=example,dc=com \
 -h opendj.example.com -p 4444</userinput>
<computeroutput>Initializing base DN dc=example,dc=com with the contents from
 opendj.example.com:4444: 160 entries processed (100 % complete).
Base DN initialized successfully.
See
/var/.../opends-replication-5020375834904394170.log
for a detailed log of this operation.</screen>
for a detailed log of this operation.</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-encode-password.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='encode-password-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>encode-password</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -163,8 +162,10 @@
  <title>Examples</title>
  <para>The following example encodes a password, and also shows comparison
  of a password with the encoded value.</para>
  <screen>$ encode-password -l
3DES
  <screen>
$ <userinput>encode-password -l</userinput>
<computeroutput>3DES
AES
BASE64
BLOWFISH
@@ -177,12 +178,16 @@
SSHA
SSHA256
SSHA384
SSHA512
$ encode-password -c secret12 -s CRYPT
Encoded Password:  "{CRYPT}ZulJ6Dy3TFnrE"
$ encode-password -c secret12 -s CRYPT -e "{CRYPT}ZulJ6Dy3TFnrE" -r
The provided clear-text and encoded passwords match
$ echo $?
6</screen>
SSHA512</computeroutput>
$ <userinput>encode-password -c secret12 -s CRYPT</userinput>
<computeroutput>Encoded Password:  "{CRYPT}ZulJ6Dy3TFnrE"</computeroutput>
$ <userinput>encode-password -c secret12 -s CRYPT -e "{CRYPT}ZulJ6Dy3TFnrE" -r</userinput>
<computeroutput>The provided clear-text and encoded passwords match</computeroutput>
$ <userinput>echo $?</userinput>
<computeroutput>6</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-export-ldif.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='export-ldif-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>export-ldif</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -343,8 +342,11 @@
  <title>Examples</title>
  <para>The following example exports data to a file,
  <filename>Example.ldif</filename>, with the server offline.</para>
  <screen>$ export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif
[21/Jun/2011:13:40:49 +0200] category=BACKEND severity=INFORMATION ...
...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)</screen>
  <screen>
$ <userinput>export-ldif -b dc=example,dc=com -n userRoot -l ../ldif/Example.ldif</userinput>
<computeroutput>[21/Jun/2011:13:40:49 +0200] category=BACKEND severity=INFORMATION ...
...Exported 160 entries and skipped 0 in 0 seconds (average rate 1428.6/sec)</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-import-ldif.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='import-ldif-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>import-ldif</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -411,9 +410,11 @@
  <title>Examples</title>
  <para>The following example imports the content of the LDIF file,
  <filename>Example.ldif</filename>, with the server offline.</para>
  <screen>
  $ import-ldif -b dc=example,dc=com -n userRoot -l /path/to/Example.ldif
  [21/Jun/2011:13:38:03 +0200] category=RUNTIME_INFORMATION severity=NOTICE...
  ... msg=Import LDIF environment close took 0 seconds</screen>
$ <userinput>import-ldif -b dc=example,dc=com -n userRoot -l /path/to/Example.ldif</userinput>
<computeroutput>[21/Jun/2011:13:38:03 +0200] category=RUNTIME_INFORMATION severity=NOTICE...
... msg=Import LDIF environment close took 0 seconds</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldapcompare.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldapcompare-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldapcompare</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -317,7 +317,9 @@
  <para>You can use <filename>~/.opendj/tools.properties</filename> to set
  the defaults for bind DN, host name, and port number as in the following
  example.</para>
  <programlisting language="ini">hostname=directory.example.com
  <programlisting language="ini">
hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
@@ -325,22 +327,30 @@
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389</programlisting>
ldapsearch.port=1389
  </programlisting>
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <para>The following examples demonstrate comparing Babs Jensen's UID.</para>
  <para>The following example uses a matching UID value.</para>
  <screen>$ ldapcompare -p 1389 uid:bjensen uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value bjensen in entry
  <screen>
$ <userinput>ldapcompare -p 1389 uid:bjensen uid=bjensen,ou=people,dc=example,dc=com</userinput>
<computeroutput>Comparing type uid with value bjensen in entry
uid=bjensen,ou=people,dc=example,dc=com
Compare operation returned true for entry
uid=bjensen,ou=people,dc=example,dc=com</screen>
uid=bjensen,ou=people,dc=example,dc=com</computeroutput>
  </screen>
  <para>The following example uses a UID value that does not match.</para>
  <screen>$ ldapcompare -p 1389 uid:beavis uid=bjensen,ou=people,dc=example,dc=com
Comparing type uid with value beavis in entry
  <screen>
$ <userinput>ldapcompare -p 1389 uid:beavis uid=bjensen,ou=people,dc=example,dc=com</userinput>
<computeroutput>Comparing type uid with value beavis in entry
uid=bjensen,ou=people,dc=example,dc=com
Compare operation returned false for entry
uid=bjensen,ou=people,dc=example,dc=com</screen>
uid=bjensen,ou=people,dc=example,dc=com</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldapdelete.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldapdelete-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldapdelete</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -303,7 +303,8 @@
  <para>You can use <filename>~/.opendj/tools.properties</filename> to set
  the defaults for bind DN, host name, and port number as in the following
  example.</para>
  <programlisting language="ini">hostname=directory.example.com
  <programlisting language="ini">
hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
@@ -316,15 +317,22 @@
 <refsect1>
  <title>Examples</title>
  <para>The following command deletes a user entry from the directory.</para>
  <screen>$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password
 uid=bjensen,ou=people,dc=example,dc=com
Processing DELETE request for uid=bjensen,ou=people,dc=example,dc=com
DELETE operation successful for DN uid=bjensen,ou=people,dc=example,dc=com</screen>
  <screen>
$ <userinput>ldapdelete -p 1389 -D "cn=Directory Manager" -w password \
 uid=bjensen,ou=people,dc=example,dc=com</userinput>
<computeroutput>Processing DELETE request for uid=bjensen,ou=people,dc=example,dc=com
DELETE operation successful for DN uid=bjensen,ou=people,dc=example,dc=com</computeroutput>
  </screen>
  <para>The following command deletes the ou=Groups entry and all entries
  underneath ou=Groups.</para>
  <screen>$ ldapdelete -p 1389 -D "cn=Directory Manager" -w password -x
 ou=groups,dc=example,dc=com
Processing DELETE request for ou=groups,dc=example,dc=com
DELETE operation successful for DN ou=groups,dc=example,dc=com</screen>
  <screen>
$ <userinput>ldapdelete -p 1389 -D "cn=Directory Manager" -w password -x \
 ou=groups,dc=example,dc=com</userinput>
<computeroutput>Processing DELETE request for ou=groups,dc=example,dc=com
DELETE operation successful for DN ou=groups,dc=example,dc=com</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldapmodify.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldapmodify-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldapmodify</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -324,7 +324,8 @@
  <para>You can use <filename>~/.opendj/tools.properties</filename> to set
  the defaults for bind DN, host name, and port number as in the following
  example.</para>
  <programlisting language="ini">hostname=directory.example.com
  <programlisting language="ini">
hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
@@ -332,14 +333,17 @@
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389</programlisting>
ldapsearch.port=1389
  </programlisting>
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <para>The following example demonstrates use of the command to add an entry
  to the directory.</para>
  <screen>$ cat newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
  <screen>
$ <userinput>cat newuser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
facsimileTelephoneNumber: +1 408 555 1213
objectClass: person
@@ -359,47 +363,57 @@
l: South Pole
ou: Product Development
ou: People
gidNumber: 10636
gidNumber: 10636</computeroutput>
$ ldapmodify -p 1389 -a -f newuser.ldif
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify -p 1389 -a -f newuser.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery</userinput>
<computeroutput>Processing ADD request for uid=newuser,ou=People,dc=example,dc=com
ADD operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
  </screen>
 <para>The following example demonstrates adding a Description attribute
 to the new user's entry.</para>
 <screen>$ cat newdesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
 <screen>
$ <userinput>cat newdesc.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: description
description: A new user's entry
description: A new user's entry</computeroutput>
$ ldapmodify -p 1389 -f newdesc.ldif
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify -p 1389 -f newdesc.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery</userinput>
<computeroutput>Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
 </screen>
 
 <para>The following example demonstrates changing the Description attribute
 for the new user's entry.</para>
 <screen>$ cat moddesc.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
 <screen>
$ <userinput>cat moddesc.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
replace: description
description: Another description
description: Another description</computeroutput>
$ ldapmodify -p 1389 -f moddesc.ldif
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
$ <userinput>ldapmodify -p 1389 -f moddesc.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery</userinput>
<computeroutput>Processing MODIFY request for uid=newuser,ou=People,dc=example,dc=com
MODIFY operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
 </screen>
 
 <para>The following example demonstrates deleting the new user's entry.</para>
 <screen>$ cat deluser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
changetype: delete
$ ldapmodify -p 1389 -f deluser.ldif
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com</screen>
 <screen>
$ <userinput>cat deluser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
changetype: delete</computeroutput>
$ <userinput>ldapmodify -p 1389 -f deluser.ldif \
 -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery</userinput>
<computeroutput>Processing DELETE request for uid=newuser,ou=People,dc=example,dc=com
DELETE operation successful for DN uid=newuser,ou=People,dc=example,dc=com</computeroutput>
 </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldappasswordmodify.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldappasswordmodify-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldappasswordmodify</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -294,7 +294,8 @@
  <para>You can use <filename>~/.opendj/tools.properties</filename> to set
  the defaults for bind DN, host name, and port number as in the following
  example.</para>
  <programlisting language="ini">hostname=directory.example.com
  <programlisting language="ini">
hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
@@ -302,17 +303,22 @@
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389</programlisting>
ldapsearch.port=1389
  </programlisting>
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <para>The following example demonstrates a user changing the password
  for her entry.</para>
  <screen>$ cat /tmp/currpwd.txt /tmp/newpwd.txt
bribery
secret12
$ ldappasswordmodify -p 1389 -C /tmp/currpwd.txt -N /tmp/newpwd.txt
-A -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery
The LDAP password modify operation was successful</screen>
  <screen>
$ <userinput>cat /tmp/currpwd.txt /tmp/newpwd.txt</userinput>
<computeroutput>bribery
secret12</computeroutput>
$ <userinput>ldappasswordmodify -p 1389 -C /tmp/currpwd.txt -N /tmp/newpwd.txt \
-A -D uid=kvaughan,ou=people,dc=example,dc=com -w bribery</userinput>
<computeroutput>The LDAP password modify operation was successful</computeroutput>
  </screen>
 </refsect1>
</refentry>
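Review bot: The password-change example keeps the current and new passwords in `/tmp/currpwd.txt` and `/tmp/newpwd.txt`, prints both with `cat`, and still passes `-w bribery` as an argument; now that the command is copy-pasteable, readers are likely to run it in that form. Files created in /tmp with a default umask are usually readable by other local users, and the `cat` output leaves both secrets in the terminal scrollback. I would point the example at a directory only the user can read and add a sentence such as `<para>Create the password files with owner-only permissions and remove them once the change succeeds.</para>`.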
opends/src/main/docbkx/admin-guide/man-ldapsearch.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldapsearch-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldapsearch</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -533,7 +533,8 @@
  <para>You can use <filename>~/.opendj/tools.properties</filename> to set
  the defaults for bind DN, host name, and port number as in the following
  example.</para>
  <programlisting language="ini">hostname=directory.example.com
  <programlisting language="ini">
hostname=directory.example.com
port=1389
bindDN=uid=kvaughan,ou=People,dc=example,dc=com
@@ -541,14 +542,17 @@
ldapdelete.port=1389
ldapmodify.port=1389
ldappasswordmodify.port=1389
ldapsearch.port=1389</programlisting>
ldapsearch.port=1389
  </programlisting>
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <para>The following example searches for entries with UID containing
  <literal>jensen</literal>, returning only DNs and uid values.</para>
  <screen>$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid
dn: uid=ajensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch -p 1389 -b dc=example,dc=com "(uid=*jensen*)" uid</userinput>
<computeroutput>dn: uid=ajensen,ou=People,dc=example,dc=com
uid: ajensen
dn: uid=bjensen,ou=People,dc=example,dc=com
@@ -570,7 +574,8 @@
uid: tjensen
Result Code:  0 (Success)</screen>
Result Code:  0 (Success)</computeroutput>
  </screen>
  <para>You can also use <literal>@<replaceable
  >objectclass</replaceable></literal> notation in the attribute list to return
@@ -578,8 +583,9 @@
  how to return attributes of the <literal>inetOrgPerson</literal> object
  class.</para>
  <screen>$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" @inetorgperson</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
givenName: Barbara
objectClass: person
objectClass: organizationalPerson
@@ -596,13 +602,15 @@
l: Cupertino
ou: Product Development
ou: People
facsimileTelephoneNumber: +1 408 555 1992</screen>
facsimileTelephoneNumber: +1 408 555 1992</computeroutput>
  </screen>
  <para>You can use <literal>+</literal> in the attribute list to return
  all operational attributes, as in the following example.</para>
  <screen>$ ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldapsearch -p 1389 -b dc=example,dc=com "(uid=bjensen)" +</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
numSubordinates: 0
structuralObjectClass: inetOrgPerson
etag: 0000000073c29972
@@ -610,6 +618,7 @@
subschemaSubentry: cn=schema
hasSubordinates: false
entryDN: uid=bjensen,ou=people,dc=example,dc=com
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c</screen>
entryUUID: fc252fd9-b982-3ed6-b42a-c76d2546312c</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldif-diff.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldif-diff-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldif-diff</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -164,8 +163,10 @@
  <title>Examples</title>
  <para>The following example demonstrates use of the command with two
  small LDIF files.</para>
  <screen>$ cat /path/to/newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
  <screen>
$ <userinput>cat /path/to/newuser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
@@ -175,10 +176,10 @@
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme
userPassword: changeme</computeroutput>
$ cat /path/to/neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
$ <userinput>cat /path/to/neweruser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
@@ -189,10 +190,10 @@
ou: People
mail: newuser@example.com
userPassword: secret12
description: A new description.
description: A new description.</computeroutput>
$ ldif-diff -s /path/to/newuser.ldif -t /path/to/neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
$ <userinput>ldif-diff -s /path/to/newuser.ldif -t /path/to/neweruser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: secret12
@@ -201,7 +202,7 @@
userPassword: changeme
-
add: description
description: A new description.
</screen>
description: A new description.</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldifmodify.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldifmodify-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldifmodify</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -107,8 +106,10 @@
 <refsect1>
  <title>Examples</title>
  <para>The following example demonstrates use of the command.</para>
  <screen>$ cat /path/to/newuser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
  <screen>
$ <userinput>cat /path/to/newuser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
uid: newuser
objectClass: person
objectClass: organizationalPerson
@@ -118,10 +119,10 @@
sn: User
ou: People
mail: newuser@example.com
userPassword: changeme
userPassword: changeme</computeroutput>
  
$ cat /path/to/newdiff.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
$ <userinput>cat /path/to/newdiff.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: secret12
@@ -130,11 +131,12 @@
userPassword: changeme
-
add: description
description: A new description.
description: A new description.</computeroutput>
$ ldifmodify -s /path/to/newuser.ldif -m /path/to/newdiff.ldif -t neweruser.ldif
$ cat neweruser.ldif
dn: uid=newuser,ou=People,dc=example,dc=com
$ <userinput>ldifmodify -s /path/to/newuser.ldif -m /path/to/newdiff.ldif -t neweruser.ldif</userinput>
$ <userinput>cat neweruser.ldif</userinput>
<computeroutput>dn: uid=newuser,ou=People,dc=example,dc=com
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
@@ -145,8 +147,8 @@
sn: User
userPassword: secret12
mail: newuser@example.com
ou: People
ou: People</computeroutput>
</screen>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-ldifsearch.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='ldifsearch-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>ldifsearch</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -195,8 +194,10 @@
 <refsect1>
  <title>Examples</title>
  <para>The following example demonstrates use of the command.</para>
  <screen>$ ldifsearch -l /path/to/Example.ldif -b dc=example,dc=com uid=bjensen
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldifsearch -l /path/to/Example.ldif -b dc=example,dc=com uid=bjensen</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
@@ -217,8 +218,8 @@
ou: Product Development
ou: People
uidNumber: 1076
gidNumber: 1000
</screen>
gidNumber: 1000</computeroutput>
  </screen>
  <para>You can also use <literal>@<replaceable
  >objectclass</replaceable></literal> notation in the attribute list to return
@@ -226,9 +227,10 @@
  how to return attributes of the <literal>posixAccount</literal> object
  class.</para>
  <screen>$ ldifsearch --ldifFile /path/to/Example.ldif
 --baseDN dc=example,dc=com "(uid=bjensen)" @posixaccount
dn: uid=bjensen,ou=People,dc=example,dc=com
  <screen>
$ <userinput>ldifsearch --ldifFile /path/to/Example.ldif \
 --baseDN dc=example,dc=com "(uid=bjensen)" @posixaccount</userinput>
<computeroutput>dn: uid=bjensen,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
@@ -240,6 +242,7 @@
cn: Babs Jensen
homeDirectory: /home/bjensen
uidNumber: 1076
gidNumber: 1000</screen>
gidNumber: 1000</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-list-backends.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='list-backends-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>list-backends</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -100,8 +99,10 @@
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <screen>$ list-backends
Backend ID         : Base DN
  <screen>
$ <userinput>list-backends</userinput>
<computeroutput>Backend ID         : Base DN
-------------------:----------------------
adminRoot          : cn=admin data
ads-truststore     : cn=ads-truststore
@@ -113,6 +114,7 @@
replicationChanges : dc=replicationChanges
schema             : cn=schema
tasks              : cn=tasks
userRoot           : "dc=example,dc=com"</screen>
userRoot           : "dc=example,dc=com"</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-make-ldif-template.xml
@@ -20,16 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2012-2013 ForgeRock AS
  !      Copyright 2012-2014 ForgeRock AS
  !    
-->
<refentry xml:id='make-ldif-template-5'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2012-2013</year><holder>ForgeRock AS</holder></copyright></info>
 <info><copyright><year>2012-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>make-ldif.template</refentrytitle><manvolnum>5</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
opends/src/main/docbkx/admin-guide/man-make-ldif.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='make-ldif-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>make-ldif</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -109,12 +109,15 @@
 <refsect1>
  <title>Examples</title>
  <para>The following example uses the default template to generate LDIF.</para>
  <screen>$ make-ldif -t ../config/MakeLDIF/example.template -o ../ldif/generated.ldif
Processed 1000 entries
  <screen>
$ <userinput>make-ldif -t ../config/MakeLDIF/example.template -o ../ldif/generated.ldif</userinput>
<computeroutput>Processed 1000 entries
Processed 2000 entries
...
Processed 10000 entries
LDIF processing complete.  10003 entries written</screen>
LDIF processing complete.  10003 entries written</computeroutput>
  </screen>
 </refsect1>
 <refsect1>
  <title>See Also</title>
opends/src/main/docbkx/admin-guide/man-manage-account.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='manage-account-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>manage-account</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -355,18 +354,29 @@
  <para>For the following examples, the directory admin user, Kirsten Vaughan,
  has <literal>ds-privilege-name: password-reset</literal>, and the following
  ACI on <literal>ou=People,dc=example,dc=com</literal>.</para>
  <literallayout class="monospaced">(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
  <programlisting language="aci">
(target="ldap:///ou=People,dc=example,dc=com") (targetattr ="*||+")(
 version 3.0;acl "Admins can run amok"; allow(all) groupdn =
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)</literallayout>
 "ldap:///cn=Directory Administrators,ou=Groups,dc=example,dc=com";)
  </programlisting>
  <para>The following command locks a user account.</para>
  <screen>$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com"
 -w bribery set-account-is-disabled -O true
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  true</screen>
  <screen>
$ <userinput>manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery set-account-is-disabled -O true \
 -b uid=bjensen,ou=people,dc=example,dc=com -X</userinput>
<computeroutput>Account Is Disabled:  true</computeroutput>
  </screen>
  <para>The following command unlocks a user account.</para>
  <screen>$ manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com"
 -w bribery clear-account-is-disabled
 -b uid=bjensen,ou=people,dc=example,dc=com -X
Account Is Disabled:  false</screen>
  <screen>
$ <userinput>manage-account -p 4444 -D "uid=kvaughan,ou=people,dc=example,dc=com" \
 -w bribery clear-account-is-disabled \
 -b uid=bjensen,ou=people,dc=example,dc=com -X</userinput>
<computeroutput>Account Is Disabled:  false</computeroutput>
  </screen>
 </refsect1>
</refentry>
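Review bot: Both `manage-account` examples are now marked up as copyable `<userinput>`, but they still pass the bind password inline as `-w bribery`, which leaves it in shell history and in the process list that other local users can read. Since the stated aim of the change is paste-ready commands, I would add one sentence after the ACI listing, for example `<para>The examples pass the password with <literal>-w</literal> for brevity; on a shared host use <literal>--bindPasswordFile</literal> instead.</para>`. The same inline `-w password` form is also in the manage-tasks, rebuild-index, restore, setup, status and uninstall sections of this commit. The Examples refsect1 opens above this hunk, so an existing caveat there would not be visible here.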
opends/src/main/docbkx/admin-guide/man-manage-tasks.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='manage-tasks-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>manage-tasks</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -241,13 +240,15 @@
  <title>Examples</title>
  <para>The following example demonstrates use of the command with a server
  that does daily backups at 2:00 AM.</para>
  <screen>$ manage-tasks -p 4444 -h opendj.example.com -D "cn=Directory Manager"
 -w password -s
  <screen>
$ <userinput>manage-tasks -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
 -w password -s</userinput>
<computeroutput>
  ID                                Type    Status
  ---------------------------------------------------------------
  example-backup                    Backup  Recurring
  example-backup-20110622020000000  Backup  Waiting on start time
</screen>
  example-backup-20110622020000000  Backup  Waiting on start time</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-rebuild-index.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='rebuild-index-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>rebuild-index</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -322,8 +321,10 @@
  <para>The following example schedules a task to start immediately that
  rebuilds the <literal>cn</literal> (common name) index.</para>
  
  <screen>$ rebuild-index -p 4444 -h opendj.example.com -D "cn=Directory Manager"
 -w password -b dc=example,dc=com -i cn -t 0
Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM</screen>
  <screen>
$ <userinput>rebuild-index -p 4444 -h opendj.example.com -D "cn=Directory Manager" \
 -w password -b dc=example,dc=com -i cn -t 0</userinput>
<computeroutput>Rebuild Index task 20110607160349596 scheduled to start Jun 7, 2011 4:03:49 PM</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-restore.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='restore-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>restore</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -294,29 +293,37 @@
  <title>Examples</title>
  <para>The following example schedules a restore as a task to begin
  immediately while OpenDJ directory server is online.</para>
  <screen>$ restore -p 4444 -D "cn=Directory Manager" -w password
  <screen>
$ restore -p 4444 -D "cn=Directory Manager" -w password
 -d /path/to/opendj/bak -I 20110613080032 -t 0
Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST</screen>
Restore task 20110613155052932 scheduled to start Jun 13, 2011 3:50:52 PM CEST
  </screen>
  <para>The following example restores data while OpenDJ is offline.</para>
  <screen>$ stop-ds
Stopping Server...
...
$ restore --backupDirectory /path/to/opendj/bak/userRoot
 --listBackups
Backup ID:          20120928102414Z
  <screen>
$ <userinput>stop-ds</userinput>
<computeroutput>Stopping Server...
...</computeroutput>
$ <userinput>restore --backupDirectory /path/to/opendj/bak/userRoot \
 --listBackups</userinput>
<computeroutput>Backup ID:          20120928102414Z
Backup Date:        28/Sep/2012:12:24:17 +0200
Is Incremental:     false
Is Compressed:      false
Is Encrypted:       false
Has Unsigned Hash:  false
Has Signed Hash:    false
Dependent Upon:     none
Dependent Upon:     none</computeroutput>
$ restore --backupDirectory /path/to/opendj/bak/userRoot
 --backupID 20120928102414Z
[28/Sep/2012:12:26:20 +0200] ... msg=Restored: 00000000.jdb (size 355179)
$ start-ds
[28/Sep/2012:12:27:29 +0200] ... The Directory Server has started successfully</screen>
$ <userinput>restore --backupDirectory /path/to/opendj/bak/userRoot \
 --backupID 20120928102414Z</userinput>
<computeroutput>[28/Sep/2012:12:26:20 +0200] ... msg=Restored: 00000000.jdb (size 355179)</computeroutput>
$ <userinput>start-ds</userinput>
<computeroutput>[28/Sep/2012:12:27:29 +0200] ... The Directory Server has started successfully</computeroutput>
  </screen>
 </refsect1>
</refentry>
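Review bot: The first `<screen>` in the restore Examples (the online task, `restore -p 4444 ... -t 0`) was re-wrapped but not converted like the rest of the commit. Its command has no `<userinput>`, its `Restore task ...` output has no `<computeroutput>`, and the first line lacks the trailing `\` that the other wrapped commands gained. A pasted copy therefore runs `restore` without `-d`, `-I` and `-t`, and the shell then treats the ` -d /path/to/opendj/bak ...` line as a separate command. I would write it as `$ <userinput>restore -p 4444 -D "cn=Directory Manager" -w password \` followed by ` -d /path/to/opendj/bak -I 20110613080032 -t 0</userinput>`, and wrap the output line in `<computeroutput>`.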
opends/src/main/docbkx/admin-guide/man-setup.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='setup-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>setup</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -325,11 +324,13 @@
  <title>Examples</title>
  <para>The following command installs OpenDJ directory server, enabling
  StartTLS and importing 100 example entries without interaction.</para>
  <screen>$ /path/to/opendj/setup --cli -b dc=example,dc=com -d 100
 -D "cn=Directory Manager" -w password -h opendj.example.com -p 1389
 --generateSelfSignedCertificate --enableStartTLS -n
OpenDJ <?eval ${docTargetVersion}?>
  <screen>
<userinput>$ /path/to/opendj/setup --cli -b dc=example,dc=com -d 100 \
 -D "cn=Directory Manager" -w password -h opendj.example.com -p 1389 \
 --generateSelfSignedCertificate --enableStartTLS -n</userinput>
<computeroutput>OpenDJ <?eval ${docTargetVersion}?>
Please wait while the setup program initializes...
See /var/.../opends-setup-484...561.log for a detailed log of this operation.
@@ -340,6 +341,7 @@
Starting Directory Server .......... Done.
To see basic server configuration status and configuration you can launch
 /path/to/opendj/bin/status</screen>
 /path/to/opendj/bin/status</computeroutput>
  </screen>
 </refsect1>
</refentry>
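Review bot: The setup example puts the shell prompt inside the element, `<userinput>$ /path/to/opendj/setup --cli ...`, whereas every other example in this commit writes `$ <userinput>...`. Any stylesheet or script that takes the `<userinput>` content as the command to copy will carry the `$` along, and the pasted line then fails. Move the prompt out so the first line reads `$ <userinput>/path/to/opendj/setup --cli -b dc=example,dc=com -d 100 \`.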
opends/src/main/docbkx/admin-guide/man-start-ds.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='start-ds-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>start-ds</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -130,6 +129,9 @@
  <title>Examples</title>
  <para>The following command starts the server without displaying
  information about the startup process.</para>
  <screen>$ start-ds -Q</screen>
  <screen>
$ <userinput>start-ds -Q</userinput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-status.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='status-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>status</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -209,8 +208,10 @@
 </refsect1>
 <refsect1>
  <title>Examples</title>
  <screen>$ status -D "cn=Directory Manager" -w password
  <screen>
$ <userinput>status -D "cn=Directory Manager" -w password</userinput>
<computeroutput>
          --- Server Status ---
Server Run Status:        Started
Open Connections:         1
@@ -220,7 +221,7 @@
Administrative Users:     cn=Directory Manager
Installation Path:        /path/to/opendj
Version:                  OpenDJ <?eval ${docTargetVersion}?>
Java Version:             1.6.0_29
Java Version:             <replaceable>version</replaceable>
Administration Connector: Port 4444 (LDAPS)
          --- Connection Handlers ---
@@ -249,7 +250,7 @@
Base DN:     o=myOrg
Backend ID:  myOrgRoot
Entries:     3
Replication: Disabled
</screen>
Replication: Disabled</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-stop-ds.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='stop-ds-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>stop-ds</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -247,9 +246,12 @@
 <refsect1>
  <title>Examples</title>
  <para>The following example restarts OpenDJ directory server.</para>
  <screen>$ stop-ds --restart
Stopping Server...
...The Directory Server has started successfully</screen>
  <screen>
$ <userinput>stop-ds --restart</userinput>
<computeroutput>Stopping Server...
...The Directory Server has started successfully</computeroutput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-uninstall.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='uninstall-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>uninstall</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -288,16 +287,20 @@
  <title>Examples</title>
  <para>The following command removes OpenDJ directory server without
  interaction.</para>
  <screen>$ /path/to/opendj/uninstall -a --cli -I admin -w password -n
Stopping Directory Server ..... Done.
  <screen>
$ <userinput>/path/to/opendj/uninstall -a --cli -I admin -w password -n</userinput>
<computeroutput>Stopping Directory Server ..... Done.
Deleting Files under the Installation Path ..... Done.
The Uninstall Completed Successfully.
To complete the uninstallation, you must delete manually the following files
and directories:
/path/to/opendj/lib
See /var/.../opends-uninstall-3...0.log for a detailed log of this operation.
$ rm -rf opendj</screen>
See /var/.../opends-uninstall-3...0.log for a detailed log of this operation.</computeroutput>
$ <userinput>rm -rf /path/to/opendj</userinput>
  </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-upgrade.xml
@@ -20,17 +20,17 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<refentry xml:id='upgrade-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2013</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>upgrade</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
opends/src/main/docbkx/admin-guide/man-verify-index.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2012 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<refentry xml:id='verify-index-1'
 xmlns='http://docbook.org/ns/docbook'
 version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2011-2012</year><holder>ForgeRock AS</holder></copyright></info>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2011-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>verify-index</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -137,8 +136,9 @@
  <para>The following example verifies the <literal>cn</literal> (common
   name) index for completeness and for errors.</para>
   <screen>$ verify-index -b dc=example,dc=com -i cn --clean --countErrors
[07/Jun/2011:16:06:50 +0200] category=BACKEND severity=INFORMATION
   <screen>
$ <userinput>verify-index -b dc=example,dc=com -i cn --clean --countErrors</userinput>
<computeroutput>[07/Jun/2011:16:06:50 +0200] category=BACKEND severity=INFORMATION
 msgID=9437595 msg=Local DB backend userRoot does not specify the number of
 lock tables: defaulting to 97
[07/Jun/2011:16:06:50 +0200] category=BACKEND severity=INFORMATION
@@ -155,6 +155,7 @@
 msgID=8388712 msg=Average number of entries referenced is 1.58/record
[07/Jun/2011:16:06:51 +0200] category=JEB severity=INFORMATION
 msgID=8388713 msg=Maximum number of entries referenced by any
 record is 32</screen>
 record is 32</computeroutput>
   </screen>
 </refsect1>
</refentry>
opends/src/main/docbkx/admin-guide/man-windows-service.xml
@@ -20,17 +20,16 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2013 ForgeRock AS
  !      Copyright 2013-2014 ForgeRock AS
  !
-->
<refentry xml:id='windows-service'
          xmlns='http://docbook.org/ns/docbook'
          version='5.0' xml:lang='en'
          xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
          xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
          xmlns:xlink='http://www.w3.org/1999/xlink'
          xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <info><copyright><year>2013</year><holder>ForgeRock AS</holder></copyright></info>
          xsi:schemaLocation='http://docbook.org/ns/docbook
                              http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <info><copyright><year>2013-2014</year><holder>ForgeRock AS</holder></copyright></info>
 <refmeta>
  <refentrytitle>windows-service</refentrytitle><manvolnum>1</manvolnum>
  <refmiscinfo class="software">OpenDJ</refmiscinfo>
@@ -135,9 +134,11 @@
  <para>The following command registers OpenDJ directory server as a Windows
  Service.</para>
  <screen>C:\path\to\opendj\bat&gt; windows-service.bat --enableService</screen>
  <screen>
C:\path\to\opendj\bat> <userinput>windows-service.bat --enableService</userinput>
  </screen>
  <para>After running this command, you can manage the service using Windows
  administration tools</para>
  administration tools.</para>
 </refsect1>
</refentry>
opends/src/main/docbkx/install-guide/chap-install-cli.xml
@@ -20,13 +20,14 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-install-cli'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Installing OpenDJ From the Command Line</title>
@@ -178,8 +179,9 @@
   GUI installer with your local version of software, as does
   Java WebStart with a remote version of the software.</para>
   <screen>$ /path/to/opendj/setup --cli
READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY. BY DOWNLOADING OR INSTALLING
   <screen>
$ <userinput>/path/to/opendj/setup --cli</userinput>
<computeroutput>READ THIS SOFTWARE LICENSE AGREEMENT CAREFULLY. BY DOWNLOADING OR INSTALLING
THE FORGEROCK SOFTWARE, YOU, ON BEHALF OF YOURSELF AND YOUR COMPANY, AGREE TO
BE BOUND BY THIS SOFTWARE LICENSE AGREEMENT. IF YOU DO NOT AGREE TO THESE
TERMS, DO NOT DOWNLOAD OR INSTALL THE FORGEROCK SOFTWARE.
@@ -189,9 +191,9 @@
Please read the License Agreement above.
You must accept the terms of the agreement before continuing with the
installation.
Accept the license (Yes/No) [No]:Yes
Accept the license (Yes/No) [No]:</computeroutput><userinput>Yes</userinput>
What would you like to use as the initial root user DN for the Directory
<computeroutput>What would you like to use as the initial root user DN for the Directory
Server? [cn=Directory Manager]:
Please provide the password to use for the initial root user:
Please re-enter the password for confirmation:
@@ -216,12 +218,12 @@
    3)  Import data from an LDIF file
    4)  Load automatically-generated sample data
Enter choice [1]: 3
Enter choice [1]:</computeroutput> <userinput>3</userinput>
Please specify the path to the LDIF file containing the data to import: \
/path/to/Example.ldif
<computeroutput>Please specify the path to the LDIF file containing the data to import: \</computeroutput>
<userinput>/path/to/Example.ldif</userinput>
Do you want to enable SSL? (yes / no) [no]:
<computeroutput>Do you want to enable SSL? (yes / no) [no]:
Do you want to enable Start TLS? (yes / no) [no]:
@@ -257,7 +259,8 @@
Starting Directory Server ........... Done.
To see basic server configuration status and configuration you can launch \
/path/to/opendj/bin/status</screen>
/path/to/opendj/bin/status</computeroutput>
   </screen>
   <variablelist>
    <para>Some notes on the options follow.</para>
@@ -381,8 +384,9 @@
   <para>Run the <command>status</command> command to make sure your OpenDJ
   server is working as expected.</para>
   <screen>$ /path/to/opendj/bin/status
   <screen>
$ <userinput>/path/to/opendj/bin/status</userinput>
<computeroutput>
>>>> Specify OpenDJ LDAP connection parameters
Administrator user bind DN [cn=Directory Manager]:
@@ -414,7 +418,8 @@
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     160
Replication: Disabled</screen>
Replication: Disabled</computeroutput>
   </screen>
  </step>
 </procedure>
@@ -434,14 +439,17 @@
   <para>Before you install OpenDJ, install a Java runtime environment if none
   is installed yet.</para>
   <screen>$ sudo apt-get install default-jre</screen>
   <screen>
$ <userinput>sudo apt-get install default-jre</userinput>
   </screen>
  </step>
  <step>
   <para>Install the OpenDJ directory server package.</para>
   <screen>$ sudo dpkg -i opendj_<?eval ${docTargetVersion}?>-1_all.deb
Selecting previously unselected package opendj.
   <screen>
$ <userinput>sudo dpkg -i opendj_<?eval ${docTargetVersion}?>-1_all.deb</userinput>
<computeroutput>Selecting previously unselected package opendj.
(Reading database ... 185569 files and directories currently installed.)
Unpacking opendj (from opendj_<?eval ${docTargetVersion}?>-1_all.deb) ...
@@ -456,8 +464,9 @@
   /etc/rc5.d/S20opendj -> ../init.d/opendj
Processing triggers for ureadahead ...
ureadahead will be reprofiled on next reboot
$</screen>
ureadahead will be reprofiled on next reboot</computeroutput>
$
   </screen>
   <para>The .deb installs OpenDJ directory server in the directory
   <filename>/opt/opendj</filename>, generates service management scripts, and
@@ -471,20 +480,23 @@
   <para>Configure OpenDJ directory server by using the command
   <command>sudo /opt/opendj/setup</command>.</para>
   <screen>$ sudo /opt/opendj/setup --cli
...
   <screen>
$ <userinput>sudo /opt/opendj/setup --cli</userinput>
<computeroutput>...
To see basic server configuration status and configuration you can launch
 /opt/opendj/bin/status</screen>
 /opt/opendj/bin/status</computeroutput>
   </screen>
  </step>
  <step performance="optional">
   <para>Check OpenDJ directory server status.</para>
   <screen>$ service opendj status
$opendj status: > Running.
$ sudo /opt/opendj/bin/status
   <screen>
$ <userinput>service opendj status</userinput>
<computeroutput>$opendj status: > Running.</computeroutput>
$ <userinput>sudo /opt/opendj/bin/status</userinput>
<computeroutput>
>>>> Specify OpenDJ LDAP connection parameters
Administrator user bind DN [cn=Directory Manager]:
@@ -517,7 +529,8 @@
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     2002
Replication: </screen>
Replication: </computeroutput>
   </screen>
  </step>
 </procedure>
@@ -531,9 +544,11 @@
  <step>
   <para>Log in as superuser to install the software.</para>
   <screen>$ su
Password:
# </screen>
   <screen>
$ <userinput>su</userinput>
<computeroutput>Password:</computeroutput>
#
   </screen>
  </step>
  <step performance="optional">
@@ -544,17 +559,21 @@
   environment, and then install it using the <command>rpm</command>
   command.</para>
   <screen># rpm -ivh jre-*.rpm</screen>
   <screen>
# <userinput>rpm -ivh jre-*.rpm</userinput>
   </screen>
  </step>
  <step>
   <para>Install the OpenDJ directory server package.</para>
   <screen># rpm -i opendj-<?eval ${docTargetVersion}?>-1.noarch.rpm
Pre Install - initial install
Post Install - initial install
   <screen>
# <userinput>rpm -i opendj-<?eval ${docTargetVersion}?>-1.noarch.rpm</userinput>
<computeroutput>Pre Install - initial install
Post Install - initial install</computeroutput>
#</screen>
#
   </screen>
   <para>The .rpm installs OpenDJ directory server in the directory
   <filename>/opt/opendj</filename>, generates service management scripts, and
@@ -569,20 +588,23 @@
   <para>Configure OpenDJ directory server by using the command
   <command>/opt/opendj/setup</command>.</para>
   <screen># /opt/opendj/setup --cli
...
   <screen>
# <userinput>/opt/opendj/setup --cli</userinput>
<computeroutput>...
To see basic server configuration status and configuration you can launch
 /opt/opendj/bin/status</screen>
 /opt/opendj/bin/status</computeroutput>
   </screen>
  </step>
  <step performance="optional">
   <para>Check OpenDJ directory server status.</para>
   <screen># service opendj status
opendj status: > Running.
# /opt/opendj/bin/status
   <screen>
# <userinput>service opendj status</userinput>
<computeroutput>opendj status: > Running.</computeroutput>
# <userinput>/opt/opendj/bin/status</userinput>
<computeroutput>
>>>> Specify OpenDJ LDAP connection parameters
Administrator user bind DN [cn=Directory Manager]:
@@ -615,13 +637,16 @@
Base DN:     dc=example,dc=com
Backend ID:  userRoot
Entries:     2002
Replication: </screen>
Replication: </computeroutput>
   </screen>
   <para>By default OpenDJ starts in run levels 2, 3, 4, and 5.</para>
   <screen># chkconfig --list | grep opendj
...
opendj         0:off    1:off    2:on    3:on    4:on    5:on    6:off</screen>
   <screen>
# <userinput>chkconfig --list | grep opendj</userinput>
<computeroutput>...
opendj         0:off    1:off    2:on    3:on    4:on    5:on    6:off</computeroutput>
   </screen>
  </step>
 </procedure>
@@ -651,7 +676,8 @@
   <para>This procedure uses the following example properties file.</para>
   <programlisting language="ini">#
   <programlisting language="ini">
#
# Sample properties file to set up OpenDJ directory server
#
hostname                        =opendj.example.com
@@ -665,7 +691,8 @@
rootUserPassword                =password
baseDN                          =dc=example,dc=com
ldifFile                        =/net/install/dj/Example.ldif
#sampleData                     =2000</programlisting>
#sampleData                     =2000
   </programlisting>
   <para>If you have multiple servers to install, consider scripting creation
   of the properties files.</para>
@@ -674,19 +701,22 @@
  <step>
   <para>Prepare an installation script.</para>
   <screen>$ cat /net/install/dj/1/setup.sh
#!/bin/sh
   <screen>
$ <userinput>cat /net/install/dj/1/setup.sh</userinput>
<computeroutput>#!/bin/sh
unzip -d /path/to /net/install/dj/OpenDJ-<?eval ${docTargetVersion}?>.zip &amp;&amp; cd /path/to/opendj
./setup --cli --propertiesFilePath /net/install/dj/1/setup.props \
  --acceptLicense --no-prompt</screen>
  --acceptLicense --no-prompt</computeroutput>
   </screen>
  </step>
  <step>
   <para>Run your installation script.</para>
   <screen>$ /net/install/dj/1/setup.sh
Archive:  /net/install/dj/OpenDJ-<?eval ${docTargetVersion}?>.zip
   <screen>
$ <userinput>/net/install/dj/1/setup.sh</userinput>
<computeroutput>Archive:  /net/install/dj/OpenDJ-<?eval ${docTargetVersion}?>.zip
   creating: /path/to/opendj
...
  inflating: /path/to/opendj/setup
@@ -709,7 +739,8 @@
Starting Directory Server ....... Done.
To see basic server configuration status and configuration you can launch
 /path/to/opendj/bin/status</screen>
 /path/to/opendj/bin/status</computeroutput>
   </screen>
   <para>At this point you can use OpenDJ directory server, or you can perform
   additional configuration.</para>
@@ -786,10 +817,9 @@
   <para>The following command reads Babs Jensen's entry through the gateway
   to the backend holding data from <filename>Example.ldif</filename>.</para>
   <screen
   >$ curl http://bjensen:hifalutin@opendj.example.com:8080/rest2ldap/users/bjensen
 ?_prettyPrint=true
{
   <screen width="98">
$ <userinput>curl http://bjensen:hifalutin@opendj.example.com:8080/rest2ldap/users/bjensen?_prettyPrint=true</userinput>
<computeroutput>{
  "_rev" : "000000002ee3b764",
  "schemas" : [ "urn:scim:schemas:core:1.0" ],
  "contactInformation" : {
@@ -807,7 +837,8 @@
    "_id" : "trigden",
    "displayName" : "Torrey Rigden"
  } ]
}</screen>
}</computeroutput>
   </screen>
   <para>If you generated example data, Babs Jensen's entry is not included.
   Try a URL such as
opends/src/main/docbkx/install-guide/chap-install-gui.xml
@@ -20,14 +20,14 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-install-gui'
         xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
         xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
         xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xlink='http://www.w3.org/1999/xlink'
         xsi:schemaLocation='http://docbook.org/ns/docbook
                             http://docbook.org/xml/5.0/xsd/docbook.xsd'
         xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Installing OpenDJ With the QuickSetup Wizard</title>
 <indexterm><primary>Downloading OpenDJ</primary></indexterm>
@@ -66,8 +66,10 @@
 <command>javaws</command> command in a terminal window to start the
 installer.</para>
 <screen>$ export PATH=/path/to/java/bin:$PATH
$ javaws <replaceable>URL-to-QuickSetup-Installer</replaceable></screen>
 <screen>
$ <userinput>export PATH=/path/to/java/bin:$PATH</userinput>
$ <userinput>javaws <replaceable>URL-to-QuickSetup-Installer</replaceable></userinput>
 </screen>
 <para>The WebStart installer corresponds to what you start if you download
 OpenDJ-<?eval ${docTargetVersion}?>.zip, unzip the file, and then run
opends/src/main/docbkx/install-guide/chap-uninstall.xml
@@ -20,15 +20,14 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !    
-->
<chapter xml:id='chap-uninstall'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'>
 <title>Removing OpenDJ Servers</title>
 <indexterm><primary>Uninstalling</primary></indexterm>
 
@@ -88,8 +87,9 @@
   <command>uninstall</command> options to specify choices for the options.
   See <command>uninstall --help</command> for more information.</para>
   
   <screen>$ /path/to/opendj/uninstall --cli
Do you want to remove all components of the server or select the components to
   <screen>
$ <userinput>/path/to/opendj/uninstall --cli</userinput>
<computeroutput>Do you want to remove all components of the server or select the components to
remove?
    1)  Remove all components
@@ -110,14 +110,17 @@
To complete the uninstallation, you must delete manually the following files
and directories:
/path/to/opendj/lib
See /var/....log for a detailed log of this operation.</screen>
See /var/....log for a detailed log of this operation.</computeroutput>
   </screen>
  </step>
  <step>
   <para>If the command output tells you to delete files manually, then remove
   those remaining files to complete the process.</para>
 
   <screen>$ rm -rf /path/to/opendj</screen>
   <screen>
$ <userinput>rm -rf /path/to/opendj</userinput>
   </screen>
  </step>
 </procedure>
@@ -131,8 +134,9 @@
  <step>
   <para>Remove the package from your system.</para>
   <screen>$ sudo dpkg -r opendj
(Reading database ... 185725 files and directories currently installed.)
   <screen>
$ <userinput>sudo dpkg -r opendj</userinput>
<computeroutput>(Reading database ... 185725 files and directories currently installed.)
Removing opendj ...
*Stopping OpenDJ server...
Stopping Server...
@@ -141,7 +145,7 @@
[03/Jun/2013:10:00:49 +0200] category=CORE severity=NOTICE
 msgID=458955 msg=The Directory Server is now stopped
*OpenDJ successfully removed
*OpenDJ successfully removed</computeroutput>
$ </screen>
@@ -161,16 +165,18 @@
  <step>
   <para>Remove the package from your system.</para>
   <screen># rpm -e opendj
Pre Uninstall - uninstall
   <screen>
# <userinput>rpm -e opendj</userinput>
<computeroutput>Pre Uninstall - uninstall
Stopping Server...
[03/Jun/2013:10:42:46 +0200] category=BACKEND severity=NOTICE
 msgID=9896306 msg=The backend userRoot is now taken offline
[03/Jun/2013:10:42:46 +0200] category=CORE severity=NOTICE
 msgID=458955 msg=The Directory Server is now stopped
Post Uninstall - uninstall
OpenDJ successfully removed.
# </screen>
OpenDJ successfully removed.</computeroutput>
#
   </screen>
   <para>Removing the package does not remove your data or configuration.
   You must remove <filename>/opt/opendj</filename> manually to get rid of
opends/src/main/docbkx/install-guide/chap-upgrade.xml
@@ -20,13 +20,14 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2011-2013 ForgeRock AS
  !      Copyright 2011-2014 ForgeRock AS
  !
-->
<chapter xml:id='chap-upgrade'
 xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
 xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
 xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xsi:schemaLocation='http://docbook.org/ns/docbook
                     http://docbook.org/xml/5.0/xsd/docbook.xsd'
 xmlns:xlink='http://www.w3.org/1999/xlink'
 xmlns:xinclude='http://www.w3.org/2001/XInclude'>
 <title>Upgrading to OpenDJ <?eval ${docTargetVersion}?></title>
opends/src/main/docbkx/shared/screen-upgrade.xml
@@ -18,25 +18,24 @@
  !
  ! CCPL HEADER END
  !
  !      Copyright 2013 ForgeRock AS
  !      Copyright 2013-2014 ForgeRock AS
  !
-->
 <screen xml:id="upgrade-earliest-supported"
          xmlns='http://docbook.org/ns/docbook' version='5.0' xml:lang='en'
          xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
          xsi:schemaLocation='http://docbook.org/ns/docbook http://docbook.org/xml/5.0/xsd/docbook.xsd'
          xmlns:xlink='http://www.w3.org/1999/xlink'
          xmlns:xinclude='http://www.w3.org/2001/XInclude'
>$ /path/to/OpenDJ-2.4.5/bin/stop-ds --quiet
          xsi:schemaLocation='http://docbook.org/ns/docbook
                              http://docbook.org/xml/5.0/xsd/docbook.xsd'
 >$ <userinput>/path/to/OpenDJ-2.4.5/bin/stop-ds --quiet</userinput>
... msg=The backend userRoot is now taken offline
... msg=The Directory Server is now stopped
$ cd /path/to
$ zip -rq OpenDJ-backup.zip OpenDJ-2.4.5
$ unzip -q ~/Downloads/OpenDJ-2.6.0.zip
$ cp -r opendj/* OpenDJ-2.4.5/
$ rm -rf opendj
$ mv OpenDJ-2.4.5 opendj
$ /path/to/opendj/upgrade --no-prompt --acceptLicense
$ <userinput>cd /path/to</userinput>
$ <userinput>zip -rq OpenDJ-backup.zip OpenDJ-2.4.5</userinput>
$ <userinput>unzip -q ~/Downloads/OpenDJ-2.6.0.zip</userinput>
$ <userinput>cp -r opendj/* OpenDJ-2.4.5/</userinput>
$ <userinput>rm -rf opendj</userinput>
$ <userinput>mv OpenDJ-2.4.5 opendj</userinput>
$ <userinput>/path/to/opendj/upgrade --no-prompt --acceptLicense</userinput>
>>>> OpenDJ Upgrade Utility
@@ -93,5 +92,5 @@
>>>> OpenDJ was successfully upgraded from version 2.4.5.7743 to 2.6.0.9086
 * See '/path/to/opendj/upgrade.log' for a detailed log of this operation
$ /path/to/opendj/bin/start-ds --quiet
$ <userinput>/path/to/opendj/bin/start-ds --quiet</userinput>
$ </screen>